
The CPU catastrophe will hit hardest in the cloud [W:14]

Rogue Valley

Re: The CPU catastrophe will hit hardest in the cloud

The CPU catastrophe will hit hardest in the cloud


It's quite a bit beyond my technical expertise, but it seems a German scientist has discovered and demonstrated that every computer chip (Intel, AMD, etc) made in the past 20 years has a security flaw dealing with the protection of the computer kernel.

Related: Spectre and Meltdown are massive security flaws that affect almost every PC on Earth. Here’s what you need to know.

All About That Big Chip Security Weakness: QuickTake Q&A

And this is how Trump won the election...right? :roll:
 
Re: The CPU catastrophe will hit hardest in the cloud

The CPU catastrophe will hit hardest in the cloud


It's quite a bit beyond my technical expertise, but it seems a German scientist has discovered and demonstrated that every computer chip (Intel, AMD, etc) made in the past 20 years has a security flaw dealing with the protection of the computer kernel.

Related: Spectre and Meltdown are massive security flaws that affect almost every PC on Earth. Here’s what you need to know.

All About That Big Chip Security Weakness: QuickTake Q&A

I thought AMD has stated that the flaw didn't exist in their CPUs?
 
Re: The CPU catastrophe will hit hardest in the cloud

Potential for Performance Degradation
In updating assets, and in some cases having to update BIOS, significant performance impact may result. The level of impact will depend on the specific processor used, the nature of the workload, and the remediation method selected by the manufacturer.

Security teams should assess the exposure and potential impact to their environments before proceeding with updates that could negatively impact performance.

To better understand the potential for performance impact to specific application environments, security teams are encouraged to seek information from their application vendors. In all cases, it is recommended to deploy required updates into a validation environment for testing before proceeding with general deployment plans.
https://securityintelligence.com/cp...-read-privileged-kernel-memory-and-leak-data/

Super.
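
One way to take the exposure inventory recommended in the advisory quoted above before rolling out updates, as an added example that is not part of the original thread. It assumes Linux hosts that expose the kernel's `/sys/devices/system/cpu/vulnerabilities` status files; the host names and sample status lines are constructed, and flagging a missing or unrecognised status as needing attention is this example's own policy.

```python
from pathlib import Path

# Linux (4.15+ and vendor backports) exposes one status file per issue here.
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
ISSUES = ("meltdown", "spectre_v1", "spectre_v2")


def classify(status):
    """Map one kernel status line to a coarse verdict."""
    s = status.strip()
    if s == "Not affected":
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    # Empty or unrecognised: assumed policy of this example is to flag it.
    return "unknown"


def read_host(sysfs_dir=SYSFS_DIR):
    """Read the local status files; a missing file yields an empty string."""
    return {i: (sysfs_dir / i).read_text() if (sysfs_dir / i).is_file() else ""
            for i in ISSUES}


def needs_update(statuses):
    """Issues on one host not yet reported as mitigated or not affected."""
    return sorted(i for i in ISSUES
                  if classify(statuses.get(i, "")) in ("vulnerable", "unknown"))


# Constructed sample data for three hypothetical hosts (not real captures).
SAMPLE_FLEET = {
    "host-a": {"meltdown": "Mitigation: PTI\n",
               "spectre_v1": "Mitigation: __user pointer sanitization\n",
               "spectre_v2": "Mitigation: Full generic retpoline\n"},
    "host-b": {"meltdown": "Not affected\n",
               "spectre_v1": "Mitigation: __user pointer sanitization\n",
               "spectre_v2": "Vulnerable: Minimal generic ASM retpoline\n"},
    "host-c": {},  # kernel too old to report anything
}


def fleet_report(fleet):
    """Host name -> issues still needing a kernel or microcode update."""
    return {host: needs_update(st) for host, st in fleet.items()}


if __name__ == "__main__":
    for host, todo in fleet_report(SAMPLE_FLEET).items():
        print(host, "needs update for:", ", ".join(todo) or "nothing")
    print("this machine:", needs_update(read_host()))
```

Hosts with an empty list are already covered and can be left out of the validation run; the rest are the ones whose workloads need performance testing after patching.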
 
Re: The CPU catastrophe will hit hardest in the cloud

I thought AMD has stated that the flaw didn't exist in their CPUs?

Not exactly, from the OP article

In a post on the company's website Wednesday night, AMD said that one variant of the Spectre vulnerability was resolved by software and operating system updates. Another variant of Spectre, the company said, has “a near zero risk of exploitation” on its processors.
 
Re: The CPU catastrophe will hit hardest in the cloud

And this is how Trump won the election...right? :roll:

Must you always troll?

This is just a heads up for the DP membership.
 
Re: The CPU catastrophe will hit hardest in the cloud

Need to be very diligent, thoughtful, and carefully consider just exactly how much of a vulnerability this really represents, and just what the probability is of these exploits being used to actually compromise data security to any sort of a significant extent.

If your intent is to read someone else's virtual memory snooping for meaningful data (that's already one needle in haystack), it's going to be comprised of a large amount of chaff data to get a small amount of wheat, and you are going to have to ship all that data to home base before you can determine if it's wheat or chaff.

This may be much ado about next to nothing.
 
Re: The CPU catastrophe will hit hardest in the cloud

Need to be very diligent, thoughtful, and carefully consider just exactly how much of a vulnerability this really represents, and just what the probability is of these exploits being used to actually compromise data security to any sort of a significant extent.

If your intent is to read someone else's virtual memory snooping for meaningful data (that's already one needle in haystack), it's going to be comprised of a large amount of chaff data to get a small amount of wheat, and you are going to have to ship all that data to home base before you can determine if it's wheat or chaff.

This may be much ado about next to nothing.

It does though prove out my extreme paranoia when it comes to computer security. If you want it secure don't put it on a network.
 
Re: The CPU catastrophe will hit hardest in the cloud

It does though prove out my extreme paranoia when it comes to computer security. If you want it secure don't put it on a network.

Worked for Galactica! :)
 
Re: The CPU catastrophe will hit hardest in the cloud

It does though prove out my extreme paranoia when it comes to computer security. If you want it secure don't put it on a network.

From the information prevention methodology of information security.

Fair enough, not putting a computer on a network does make securing it far easier, but then there'd be none of the benefits that networking systems bring.

From my present understanding of these exploits, which may change without notice based on new information, a piece of code that already has buried itself into your system to be executing there, your data integrity has already been compromised. Then, executing tailored rogue code to manifest the exploit and collect snippets of mostly noise data rather than the wheat being sought; there are other far more effective and efficient means for gaining the data that would be exposed, at least on the personal PC.

If taken to the cloud space, yes, in theory a compromised virtual machine running the rogue code could extract snippets of data not only from other processes running in that same VM, but also access the data from other VMs running on that physical host as well as data from the physical host itself. Once accessing that, the wheat would be the SSL keys that allow for privileged access to the cloud infrastructure itself, gaining access to everything inside and out. Therein lies the real threat.

Well, if you ask me, and while I may have a great deal of professional IT experience, I don't pretend to be an Information Security specialist.
 
Re: The CPU catastrophe will hit hardest in the cloud

Roger!

Let me add that I was informed that there never has been such a thing as a secure smartphone. Also some companies have allowed the government to put holes in their security.

This is less news than an admission.
 
Re: The CPU catastrophe will hit hardest in the cloud

I thought AMD has stated that the flaw didn't exist in their CPUs?
My understanding is that it affects Intel processors only.
 
Re: The CPU catastrophe will hit hardest in the cloud

Moderator's Warning:
Folks, if you think someone is trolling ignore them and use the report function to let mods deal with it. Don't further derail a thread by engaging.
 
Re: The CPU catastrophe will hit hardest in the cloud

I read through the technical discussion of Spectre, it sure sounds like a risk item.
I often see security notifications that state things like "a local unauthenticated user could,....",
and know that almost any system can be compromised by a local user.
Here is the Spectre description.
https://arstechnica.com/gadgets/201...el-apple-microsoft-others-are-doing-about-it/
While this speculative execution does not alter program behavior at all, the Spectre and Meltdown research demonstrates that it perturbs the processor's state in detectable ways. This perturbation can be detected by carefully measuring how long it takes to perform certain operations. Using these timings, it's possible for one process to infer properties of data belonging to another process—or even the operating system kernel or virtual machine hypervisor.
It sounds like a weak thread, the timing in the pre fetch cache, could be used to infer properties of the data belonging to another process.
In the world of VM this could be exploited, but I have trouble seeing how this could be much of an issue in stand alone machines.
 
Re: The CPU catastrophe will hit hardest in the cloud

Worked for Galactica! :)

yeah except the guy running the whole network was a frackin cylon
 
Re: The CPU catastrophe will hit hardest in the cloud

From the information prevention methodology of information security.

Fair enough, not putting a computer on a network does make securing it far easier, but then there'd be none of the benefits that networking systems bring.

From my present understanding of these exploits, which may change without notice based on new information, a piece of code that already has buried itself into your system to be executing there, your data integrity has already been compromised. Then, executing tailored rogue code to manifest the exploit and collect snippets of mostly noise data rather than the wheat being sought; there are other far more effective and efficient means for gaining the data that would be exposed, at least on the personal PC.

If taken to the cloud space, yes, in theory a compromised virtual machine running the rogue code could extract snippets of data not only from other processes running in that same VM, but also access the data from other VMs running on that physical host as well as data from the physical host itself. Once accessing that, the wheat would be the SSL keys that allow for privileged access to the cloud infrastructure itself, gaining access to everything inside and out. Therein lies the real threat.

Well, if you ask me, and while I may have a great deal of professional IT experience, I don't pretend to be an Information Security specialist.

The decision on whether to network to a computer is solely dependent on what its intended use is. In high-security situations dealing with sensitive information networking is more detriment than anything, see the DOD. I don't put sensitive information on systems networked to the outside. I don't put secure information on networked computers whether the network is internal or external. It may be inconvenient but it is most definitely the most secure you can get from OUTSIDE attack or exploit, and definitely makes internal exploits and attacks far more difficult to pull off clandestinely. That's the main thing making it extremely difficult to steal the information without it being known and who did the thieving.
 
Re: The CPU catastrophe will hit hardest in the cloud

The decision on whether to network to a computer is solely dependent on what its intended use is. In high-security situations dealing with sensitive information networking is more detriment than anything, see the DOD. I don't put sensitive information on systems networked to the outside. I don't put secure information on networked computers whether the network is internal or external. It may be inconvenient but it is most definitely the most secure you can get from OUTSIDE attack or exploit, and definitely makes internal exploits and attacks far more difficult to pull off clandestinely. That's the main thing making it extremely difficult to steal the information without it being known and who did the thieving.

Fair enough. It does depend a lot on what the information is, how sensitive it is, and what the intended use is.

From what I recall, high security government networks have a 2 network setup, an internal only secure network, or an insecure network which can access the outside, for the very reasons you cite.
 
Re: The CPU catastrophe will hit hardest in the cloud

My understanding from an article I read earlier today is that there are two major security flaws, one of which has no clear solution.

As for the Cloud, I am not sure why anyone would ever assume that information is safe and secure given the current legal mindset that nothing shared with others requires a warrant. I shudder to think of how many law firms might be using cloud storage in which the government is snooping on their work product.
 
Re: The CPU catastrophe will hit hardest in the cloud


I can sort of grasp the general idea behind this, but what I lack is the how. What I'm used to is the idea that for every line of attack there is a high risk behavior by the user that allows the attack to get in. The three biggest user errors are 1) logging onto an unsecure network (including public wifi and http), and downloading files from untrusted/unknown senders or vendors. With Meltdown and Spectre, what are the high risk behaviors a user has to engage in to succumb to Meltdown and Spectre?

I've read several articles on this and I also remain baffled by how long Meltdown and Spectre have been out, who's been attacked and what the consequences of those attacks have been.
 
Re: The CPU catastrophe will hit hardest in the cloud

I can sort of grasp the general idea behind this, but what I lack is the how. What I'm used to is the idea that for every line of attack there is a high risk behavior by the user that allows the attack to get in. The three biggest user errors are 1) logging onto an unsecure network (including public wifi and http), and downloading files from untrusted/unknown senders or vendors. With Meltdown and Spectre, what are the high risk behaviors a user has to engage in to succumb to Meltdown and Spectre? I've read several articles on this and I also remain baffled by how long Meltdown and Spectre have been out, who's been attacked and what the consequences of those attacks have been.

From the little I understand, it seems a computer to some degree can infer (guess) what you are going to ask it to do next, and this inference begins a process of allowing a dormant program to communicate with the kernel before it is actually ordered/called-upon to do so. This methodology [understandably] speeds up computer tasking. The computer kernel is supposed to be isolated from programs, but in order to maximize speed (see above) programs can share information with the kernel under certain conditions [inferences]. This is the flaw. Such inference sharing can allow a [purposefully designed] malicious program to breach the kernel security perimeter. If such a malicious program gains authority over the kernel, it then controls the entire machine.

This is basically how I understand it. But I am not an IT person.
 
Re: The CPU catastrophe will hit hardest in the cloud

From the little I understand, it seems a computer to some degree can infer (guess) what you are going to ask it to do next, and this inference begins a process of allowing a dormant program to communicate with the kernel before it is actually ordered/called-upon to do so. This methodology [understandably] speeds up computer tasking. The computer kernel is supposed to be isolated from programs, but in order to maximize speed (see above) programs can share information with the kernel under certain conditions [inferences]. This is the flaw. Such inference sharing can allow a [purposefully designed] malicious program to breach the kernel security perimeter. If such a malicious program gains authority over the kernel, it then controls the entire machine.

This is basically how I understand it. But I am not an IT person.

So if I understand you correctly, the user error (high risk behavior) issue is the same, but the consequences are more dire than your average bear.
 