|
Samizdata posted: Well, so far as I can tell, my old Core 2 Quad seems immune. So yay for my kitbashed old crap.

That's a vulnerable CPU for sure...
|
# ? Jan 11, 2018 23:08 |
|
|
Samizdata posted: Well, so far as I can tell, my old Core 2 Quad seems immune. So yay for my kitbashed old crap.

For anyone wondering, here's the complete list of Intel x86 cores from the last 20 years which don't do out-of-order processing with speculative execution:

Bonnell (First-gen Atom)
Saltwell (Die-shrink of Bonnell)
Knights Corner (First-gen Xeon Phi)
Lakemont (Quark)

Pentium Pro, Pentium II, III, 4, M, Celeron, Xeon, and Core lines are all vulnerable as are the later Atoms and Xeon Phis. On the AMD side of the fence it's everything from the K5 on up as far as I'm aware.
|
# ? Jan 12, 2018 02:42 |
|
feedmegin posted: Itanium doesn't (in the hardware sense, anyway). Not doing OoO type stuff is/was literally that CPU's whole schtick.

Cortex A8 is in-order with branch prediction (like IA64), and is vulnerable to Spectre (unlike IA64).
|
# ? Jan 12, 2018 08:50 |
wolrah posted: For anyone wondering, here's the complete list of Intel x86 cores from the last 20 years which don't do out-of-order processing with speculative execution:

And outside of x86, it's most newer SPARC from Fujitsu, LSI, TI, Weitek and others as well as POWER7 through POWER9.
|
|
# ? Jan 12, 2018 10:06 |
|
D. Ebdrup posted: You forgot about Transmeta Efficeon, if there's still any of those around.

Lol everything is hosed
|
# ? Jan 12, 2018 10:20 |
|
I'm looking forward to perimeter systems running shelves upon shelves of 80486.
|
# ? Jan 12, 2018 13:44 |
|
Potato Salad posted: I'm looking forward to perimeter systems running shelves upon shelves of 80486.

Beowulf clusters shall rise again!
|
# ? Jan 12, 2018 14:22 |
|
Absurd Alhazred posted: Beowulf clusters shall rise again!

I see an upturn in the used PS3 market.
|
# ? Jan 12, 2018 14:27 |
The Cell CPU has both branch prediction and at least limited out-of-order execution along with caches (PDF). There's no reason to believe it'll be safe from this, either.
|
|
# ? Jan 12, 2018 17:08 |
|
Is my Powerbook G4 safe
|
# ? Jan 12, 2018 17:14 |
|
Hungry Computer posted: Is my Powerbook G4 safe

The battery might explode, but that's only tangentially related.
|
# ? Jan 12, 2018 17:23 |
|
D. Ebdrup posted: The Cell CPU has both branch prediction and at least limited out-of-order execution along with caches (PDF). There's no reason to believe it'll be safe from this, either.

I see an upturn in the used PS2 market
|
# ? Jan 12, 2018 17:25 |
Supposedly the Cortex-A55 is not vulnerable (it's in-order, but does do branch prediction so that may not be true), and if so is definitely in the running for the fastest chip that isn't.
|
|
# ? Jan 12, 2018 17:34 |
|
I'm confused, is this a new issue? Not the one from last year?

https://thehackernews.com/2018/01/intel-amt-vulnerability.html
https://business.f-secure.com/intel-amt-security-issue
|
# ? Jan 12, 2018 19:45 |
|
It's a new one. Joy of joy, 2018 is off to a great start. Last year was a remotely accessible auth bypass vuln to AMT. This one requires local access but is really bad for protecting from state actors.
|
# ? Jan 12, 2018 19:52 |
|
BangersInMyKnickers posted: It's a new one. Joy of joy, 2018 is off to a great start. Last year was a remotely accessible auth bypass vuln to AMT. This one requires local access but is really bad for protecting from state actors.

aahahahahaha gently caress everything
|
# ? Jan 12, 2018 19:56 |
And just in case that wasn't enough, microcode from both Intel and AMD is causing some platforms to experience instability.
|
|
# ? Jan 12, 2018 20:20 |
|
D. Ebdrup posted: And just in case that wasn't enough, microcode from both Intel and AMD is causing some platforms to experience instability.

more more MORE
|
# ? Jan 12, 2018 20:21 |
|
Just when I thought the week couldn't get any longer...
|
# ? Jan 12, 2018 20:26 |
|
Also https://twitter.com/GossiTheDog/status/951897817429299200
|
# ? Jan 12, 2018 20:28 |
|
2018 is the year of desktop Raspberry Pi.
|
# ? Jan 12, 2018 20:30 |
|
Microsoft has been very open and honest that antivirus providers will need to fix their poo poo before any future security patches are applied.
|
# ? Jan 12, 2018 20:47 |
|
ufarn posted: 2018 is the year of desktop Raspberry Pi.

https://twitter.com/Mythic_Beasts/status/948859240042647553
|
# ? Jan 12, 2018 20:53 |
|
AV remains terrible
|
# ? Jan 12, 2018 20:53 |
|
apseudonym posted:AV remains terrible
|
# ? Jan 12, 2018 20:57 |
|
Again, any PowerPC 604e and onward should be vulnerable.
|
# ? Jan 13, 2018 02:56 |
|
Hey fun fact, all of Cisco's recent routers running IOS-XE and the current generation of ASAs are all using modern Intel CPUs for multiple planes. I don't know what's in the new Catalyst 9000 series but I'd bet there's some Intel in those too. gently caress everything, let's go back to the days of shoving a 68030 into every device under the sun.
|
# ? Jan 13, 2018 03:39 |
|
Kazinsal posted:Hey fun fact, all of Cisco's recent routers running IOS-XE and the current generation of ASAs are all using modern Intel CPUs for multiple planes.
|
# ? Jan 13, 2018 03:56 |
|
Hungry Computer posted: Is my Powerbook G4 safe

Lain Iwakura posted: Again, any PowerPC 604e and onward should be vulnerable.

Here's someone who ran a ported version of the Spectre PoC on older PowerPC platforms. G3 and 7400 G4 appear safe, everything else was vulnerable to varying degrees. My G4 is a 7455 so

So the only non-vulnerable computer I have is a Mac Plus.
|
# ? Jan 13, 2018 04:26 |
|
anthonypants posted: What is your threat model where you are worried about Spectre/Meltdown privilege escalation on a networking appliance. What would your infrastructure even look like for that to be a concern.

There have been multiple ASA patches in the past year for remote code execution.
|
# ? Jan 13, 2018 05:13 |
|
Kazinsal posted:There have been multiple ASA patches in the past year for remote code execution.
|
# ? Jan 13, 2018 05:36 |
|
anthonypants posted: Were any of those due to Intel CPU bugs?

No, but imagine a combination of the two. Remote code execution + a kernel mode exfiltration bug. Same kind of implications as RCE on a desktop, except on a router or security appliance.
|
# ? Jan 13, 2018 05:39 |
|
Kazinsal posted:No, but imagine a combination of the two. Remote code execution + a kernel mode exfiltration bug. Same kind of implications as RCE on a desktop, except on a router or security appliance.
|
# ? Jan 13, 2018 05:53 |
|
anthonypants posted: Okay, so let's go back to my original question: If you've already got an existing buffer overflow, and you can remotely exploit that buffer overflow to execute arbitrary code, what attacker is going to spend time trying to trigger a CPU bug afterward?

The kind who wants to exfiltrate secure data from kernel space and from other processes like encryption keys and passphrases.
|
# ? Jan 13, 2018 06:00 |
|
Kazinsal posted:The kind who wants to exfiltrate secure data from kernel space and from other processes like encryption keys and passphrases.
|
# ? Jan 13, 2018 06:28 |
|
anthonypants posted: Right, and once they have that why are they going to bother exploiting a CPU bug

believe it or not, not every remote execution bug gives you immediate root privileges
|
# ? Jan 13, 2018 07:15 |
|
Jabor posted:believe it or not, not every remote execution bug gives you immediate root privileges
|
# ? Jan 13, 2018 07:59 |
|
Hungry Computer posted: Here's someone who ran a ported version of the Spectre PoC on older PowerPC platforms. G3 and 7400 G4 appear safe, everything else was vulnerable to varying degrees. My G4 is a 7455 so

That is pretty cool. If you can get your hands on Rhapsody and a developers kit, you can test it out on the pre-G3 processors too. Or you could run XPostFacto too.

Lain Iwakura fucked around with this message at 08:03 on Jan 13, 2018
# ? Jan 13, 2018 08:00 |
|
Crossposting:

Mystic Stylez posted: Re: cookies, is it bad to delete all cookies but keep session cookies from a couple logged sites like Google and Facebook? Because two-step authentication is great, but having to get a code in my phone and input it every time I want to check my email or something is not

Atomizer posted: That's the whole point of 2FA though. It's supposed to require that extra step to reduce the likelihood that an intruder can gain access to your account. The moment you decide to get lazy and forego that 2nd step is the moment you compromise your account security.

Mystic Stylez posted: I mean yeah, but if I keep accounts logged in only in my home desktop, wouldn't people still need to go through 2 steps to get into those accounts, unless they specifically got access to that computer? Or I'm dumb, which is probably the case.

Can anyone help?
|
# ? Jan 14, 2018 23:56 |
|
|
Help with what? Yes, they will still need to use 2FA when logging into your account from a device that hasn't been remembered. It is more secure to require 2FA every login regardless of device, but having something remember you, or remember you for a set period of time, is a good balance between security and convenience.
|
# ? Jan 15, 2018 00:21 |