Spectre and Meltdown


Rip_em

Full disclosure.... I am not a wire-head (and I use that term in a positive, endearing way - I wish I was one).  I'm just some dummy.  Is it possible that Spectre and/or Meltdown could release the following from the processor kernel... or from some other hardware? .... Secret keys, passphrases, exchange login/passwords, 2FA keys etc.... You know, just about everything that is securing my investments?  It's a hypothetical that I'm not tech-smart enough to distinguish if it's theoretical.  Thx


Well, if your computer is receiving normal updates from Microsoft (for Windows), or whatever it is for Mac, they have already released patches and will continue to fine-tune these over time. You can also visit the website of your computer's manufacturer to see whether you need to download an update from them. From what I understand, these security patches are to prevent hackers exploiting Spectre / Meltdown and gaining info from your computer.


Yes, but you need an attack vector.  No one has seen an attack in the wild, but there is POC exploit code on GitHub.

OS security patches are available and are thought to avoid the effects of Meltdown, but not Spectre.  Spectre is nasty because it allows one program to steal data from another program - something that shouldn't be possible in a modern user-facing OS.  There are security updates for all the web browsers to mitigate the effects of Spectre, but the vulnerability is still present and could be exploited from other applications.

It's worth noting that these vulnerabilities do not of themselves allow access to encrypted data.  But if you have opened your encrypted data on a machine affected by either, there is a chance that an attacker will be able to read secrets (passwords etc.).

If your data is important, only access it when you are sure your computer isn't compromised.

Generally:

  • Keep up to date with security patches for the OS and your preferred browser.
  • Do not share your computer with others.
  • Do not install random cr*@$p off the internet.
  • Only have one browser tab open when accessing secure data online, e.g. online banking, crypto wallets, etc.

Now the 'Intel Inside' is more valuable than ever.   There is no known patch for Spectre - the chips have to be re-engineered.

I would advise using a VPN whenever you are doing crypto/banking operations.  Also, install an additional browser like Opera and keep it totally bare bones, no add-ons or plug-ins.  Clear the cache before you begin.  The list goes on!

Edited by John_Buh

8 hours ago, Rip_em said:

Is it possible that Spectre and/or Meltdown could release the following from the processor kernel... or from some other hardware? .... Secret keys, passphrases, exchange login/passwords, 2FA keys etc.... You know, just about everything that is securing my investments?

Yes (though "2FA keys" depends a bit on the actual type of 2FA). This is why hardware wallets exist.


6 hours ago, John_Buh said:

There is no known patch for Spectre - the chips have to be re-engineered.

keep it totally bare bones, no add-ons or plug-ins.

And you get the funny statements coming out of ARM at the IoT conferences saying "this only affects the high performance chips." Sorry, can't remember who that was; I read it on Yahoo News.

Apparently there are trade-offs for performance!

The problem with Intel is they force all their older people into retirement. We can say that now that they've effed up.


Oh my god, basically the whole industry just messed up, and now we're all ostriches. I mean messed it up to the core (pun). Whatever. We can say there are no known attack vectors in the wild. What's scary is to read the comments on the V8 engine's dev list about what is the minimal version of V8 that has protection against Spectre/Meltdown. I doubt that means there is a potential attack vector through JavaScript/web browsers, but god, who knows anymore!

I think the positive aspect of this is that it will hopefully help people doing more niche chip development things to get more funding. Or whatever they need. Projects like this: https://en.wikipedia.org/wiki/Tabula_(company)

I've talked to engineer types in the industry about that and they all go "whoa that would be amazing if they can pull it off." One guy who worked for Intel on memory design, even.

 

Edited by Vader-DeWelt

On 1/19/2018 at 9:38 PM, culyun said:

Generally:

  • Do not install random cr*@$p off the internet

Thanks for your replies, everyone.  Sincerely.  I'm using VPN and encryption, and will practice a few more things you mentioned.

 

A few more questions...

Random junk off the web..... what about desktop wallets?  Primary long-term coins are set; was looking for a pump-n-dump to diversify and begin a small revenue stream.  Noticed Digibyte and started research and downloading their wallet because they're listed on Poloniex (one of the few exchanges I'm comfortable working off).  Before beginning to purchase/trade, I downloaded their Win10x64 wallet.  It needed to sync with the server and download years' worth of blocks.  After 16 hours of downloading it wasn't done.  I said f'it and quit, then uninstalled.  Starting to regret my decision for even starting, out of concern I was downloading junk that would compromise my system.  Any concerns for this wallet, what is downloaded, and how to go about approaching alt-pumpndump-coins?  What's a good litmus test for investing in alt-coins to make sure junk isn't downloaded?  Thx
