Spectre and Meltdown

[Rip_em]

Full disclosure.... I am not a wire-head (and I use that term in a positive, endearing way - I wish I was one).  I'm just some dummy.  Is it possible that Spectre and/or Meltdown could release the following from the processor kernel... or from some other hardware? .... Secret keys, passphrases, exchange login/passwords, 2FA keys etc.... You know, just about everything that is securing my investments?  Its a hypothetical that I'm not tech-smart enough to distinguish if its theoretical.  Thx

[battered_lifer]

Well, if your computer is receiving normal updates from Microsoft (for windows), or whatever it is for mac, they have already released patches and will continue to fine tune these over time. You can also visit the website of your computer's manufacturer to see whether you need to download an update from them. From what I understand these security patches are to prevent hackers exploiting spectre / meltdown, and gaining info from your computer.

[culyun]

Yes, but you need an attack vector.  No one has seen an attack in the wild, but their is POC exploit code on Github.

OS security patches are available and are thought to avoid the effects of Meltdown, but not Spectre.  Spectre is nasty because it allows one program to steal data from another program - something that shouldn't be possible in a modern user facing OS.  There are security updates for all the web browsers to mitigate the effects of Spectre, but the vulnerability is still present and could be exploited from other applications.

It's worth noting that these vulnerabilities do not of themselves allow access to encrypted data.  But if you have opened your encrypted data on a machine affected by either, there is a chance that an attacker will be able to read secrets (passwords etc.)

If your data is important, only access it when you are sure your computer isn't compromised.

Generally:

• Keep up to date with security patches for the OS and your preferred browser.
• Do not share your computer with others
• Do not install random cr*@$p off the internet
• Only have one browser tab open when accessing secure data online, eg. online banking, cryto wallets, etc.

[Vader-DeWelt]

*crickets*

[John_Buh]

Now the 'Intel Inside' is more valuable than ever.   There is no known patch for Spectre - the chips have to be re-engineered.

I would advise using a VPN whenever you are doing crypto/banking operations.  Also, install an additional browser like Opera and

keep it totally bare bones, no add-ons or plug-ins.  Clear the cache before you begin.  The list goes on!

Edited January 20, 2018 by John_Buh

[Sukrim]

8 hours ago, Rip_em said:

Is it possible that Spectre and/or Meltdown could release the following from the processor kernel... or from some other hardware? .... Secret keys, passphrases, exchange login/passwords, 2FA keys etc.... You know, just about everything that is securing my investments?

Yes (though "2FA keys" is a bit depending on the actual type of 2FA). This is why hardware wallets exist.

[Vader-DeWelt]

6 hours ago, John_Buh said:

There is no known patch for Spectre - the chips have to be re-engineered.

keep it totally bare bones, no add-ons or plug-ins.

And you get the funny statements coming out of ARM at the IoT conferences saying "this only affects the high performance chips." Sorry can't remember who that was I read it on yahoo news.

Apparently there are trade-offs for performance!

The problem with Intel is they force all their older people into retirement. We can say that now that they've effed up.

[Vader-DeWelt]

Oh my god basically the whole industry just messed up, and now we're all Ostriches. I mean messed it up to the core (pun). Whatever. We can say there are no known attack vectors in the wild. What's scary is to read the comments on the V8 engine's dev list about what is the minimal version of V8 that has protection against Spectre/Meltdown. I doubt that means there is a potential attack vector through javascript/web browsers, but god who knows anymore!

I think the positive aspect of this is that it will hopefully help people doing more niche chip development things to get more funding. Or whatever they need. Projects like this: https://en.wikipedia.org/wiki/Tabula_(company)

I've talked to engineer types in the industry about that and they all go "whoa that would be amazing if they can pull it off." One guy who worked for Intel on memory design, even.

 

Edited January 20, 2018 by Vader-DeWelt

[Rip_em]

On 1/19/2018 at 9:38 PM, culyun said:

Generally:

• Do not install random cr*@$p off the internet

Thanks for your replies, everyone.  Sincerely.  I'm using VPN and encryption, and will practice a few more things you mentioned.

 

A few more questions...

Random junk off the web..... what about desktop wallets?  Primary long-term coins are set; was looking for a pump-n-dump to diversify and begin a small revenue stream.  Noticed Digibyte and started research and downloading their wallet because they're listed on Poloniex (one of the few exchanges I'm comfortable working off).  Before beginning to purchase/trade, I downloaded their Win10x64 wallet.  It needed to sync with the server and download years worth of blocks.  After 16 hours of downloading it wasn't done.  I said f'it and quit, then uninstalled.  Starting to regret my decision for even starting out of concern I was downloading junk that would compromise my system.  Any concerns for this wallet, what is downloaded, and how to go about approaching alt-pumpndump-coins?  What's a good litmus test for investing in alt-coins to make sure junk isn't downloaded?  Thx