Memory management bug in Intel CPUs threatens massive performance hits.

[BravoV]

Interesting to see how this will affect video rendering like Dave does, as he must be aware or at least feel it, as he did it a lot if there is say a 20% impact.

[GeorgeOfTheJungle]

Yep, moar syscalls => moar slowdown, because after the patch syscalls may take up to twice longer than before, IIANM.

[andersm]

Video rendering is almost entirely compute-bound, so the effects should be small.

[bd139]

Apart from the massive IO...

[Decoman]

Meanwhile on twitter:


https://twitter.com/misc0110/status/948706387491786752

Why lots of people are using password managers in the first place, I don't know (Correction: I guess what had me wondering was, why would people think a password manage to be secure?). Seems wildly insecure to me, though I am ofc no expert. Maybe I am being weird, but why put all your important "eggs" in one big digital basket?

https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)



Also.. Reconstructing images from the memory apparently:
https://twitter.com/mlqxyz/status/950378419073712129

[wraper]

Why lots of people are using password managers in the first place, I don't know. Seems wildly insecure to me, though I am ofc no expert.

Because otherwise you'll need to recycle your passwords which is much worse. You cannot remember 10's of them and remember from which particular website they are.

[Jeroen3]

Why lots of people are using password managers in the first place, I don't know. Seems wildly insecure to me, though I am ofc no expert. Maybe I am being weird, but why put all your important "eggs" in one big digital basket?

There is a trade-off between convenience and security. You can't have both.
A password manager is convenient and somewhat safe compared to only one password, easy passwords or post-its.
Looking at the system and compatibility with humans, password managers are an acceptable solution.

It's bad news that the meltdown bug is this easy to exploit. With prefabricated victim software...

[Decoman]

Hm, it looks to me that my win 7 computer has MAYBE been updated by 'windows update' to patch the known vulnerabilities for 'Meltdown' and 'Spectre', with KB4056894. The Microsoft article about this update, doesn't spell it out, and I have to freaking read other people's articles about KB4056894, which might not even be correct.

https://support.microsoft.com/en-us/help/4056894/windows-7-update-kb4056894

[Decoman]

Why lots of people are using password managers in the first place, I don't know. Seems wildly insecure to me, though I am ofc no expert.

Because otherwise you'll need to recycle your passwords which is much worse. You cannot remember 10's of them and remember from which particular website they are.

Are you saying that a password manager re-creates new passwords? That sounds unlikely, as I would think that you would have to manually change the passwords for all your websites anyway. Am I perhaps missing something here? (Edit: I guess a password manager could generate a random string of characters, but I would think that you would still do some manual work to start the process of changing passwords for every single website.)


Btw, I am thinking that professionally, so called 'key management' is an important aspect to say the military afaik, which has to issue new keys around so that they this way won't allow re-using old keying material, which presumably would be bad for anything to do with operational security. For civilian use, with the poor infrastructure of the internet, and computing in general, I can't imagine that it is a good idea to keep re making your passwords if the passwords were long and complicated in the first place. I would think that anyone having placed a keylogger on your keyboard or in your computer, like say some organization, would then be able to round up all your new passwords in a much shorter period of time.

[andtfoot]

Why lots of people are using password managers in the first place, I don't know. Seems wildly insecure to me, though I am ofc no expert.

Because otherwise you'll need to recycle your passwords which is much worse. You cannot remember 10's of them and remember from which particular website they are.

Are you saying that a password manager re-creates new passwords? That sounds unlikely, as I would think that you would have to manually change the passwords for all your websites anyway. Am I perhaps missing something here?


Btw, I am thinking that professionally, so called 'key management' is an important aspect to say the military afaik, which has to issue new keys around so that they this way won't allow re-using old keying material, which presumably would be bad for anything to do with operational security. For civilian use, with the poor infrastructure of the internet, and computing in general, I can't imagine that it is a good idea to keep re making your passwords if the passwords were long and complicated in the first place. I would think that anyone having placed a keylogger on your keyboard or in your computer, like say some organization, would then be able to round up all your new passwords in a much shorter period of time.

You have to go around to the different websites to change the passwords, but the creation of the password can be randomly generated and usually can be auto-filled into the relevant fields. It means you can have a complicated unique password for each site without having to remember all of them.

[wraper]

Are you saying that a password manager re-creates new passwords? That sounds unlikely, as I would think that you would have to manually change the passwords for all your websites anyway. Am I perhaps missing something here?

You have one master password for password manager and separate password for each website. I can say from my own experience that using the same password on multiple websites is a very bad idea (I'm registered on at least 40 websites). I had my password stolen from one hacked website, I became aware of it when my skype account which had the same password started sending spam links. Then I changed that password where I remembered. But like after a year I got a call from airline company because someone tried to spend my bonus miles. And yep, I forgot to change my password there. Just in case to not look that stupid - I had separate passwords for things that involved money.

EDIT: I certainly know that password was stolen from a hacked website as I checked my email in pwned database. And Skype spam came from login via website, not my computer. Also I've seen same skype spam coming from few other people, guess their passwords were stolen the same way.

[Decoman]

I like having huge random chars large passwords for anything remotely important, but on a piece of paper.

[wraper]

I like having huge random chars large passwords for anything remotely important, but on a piece of paper.

And you need to carry this piece of paper with you everywhere in the world. Someone else can steal a password from it, like your wife who is checking if you are cheating  . Also it becomes completely impractical once there are more than a few passwords or when you need to change them.

[nfmax]

I use a box of filing cards...

[medical-nerd]

Hiya

Just gone through this thread - does the problem affect UltraSparc 4+ processors??
Is it time to power up my Sparc V490 servers??  (noisy beasts though) 

Cheers

[Ampera]

There may be problems with any CPUs that have speculative execution as part of the design, but you would have to test it out to see for sure, or go looking for someone who already has.

[langwadt]

Why lots of people are using password managers in the first place, I don't know. Seems wildly insecure to me, though I am ofc no expert. Maybe I am being weird, but why put all your important "eggs" in one big digital basket?

There is a trade-off between convenience and security. You can't have both.
A password manager is convenient and somewhat safe compared to only one password, easy passwords or post-its.
Looking at the system and compatibility with humans, password managers are an acceptable solution.

It's bad news that the meltdown bug is this easy to exploit. With prefabricated victim software...

post-its seems like the safest option

[paulca]

Apart from the massive IO...

But would that not be accomplished via a few memory map DMA calls.  Map the input files into memory, map the output file to memory, compute between the two.  The actual IO is handled by the kernel, DMA controller and MMU via page faults.

[andersm]

Apart from the massive IO...

It's about the amount of work per syscall. I assume a video encoder would read and write fairly large chunks of data while spending a lot of time processing each one, meaning the overhead would be low. A GPU-decelerated codec would be impacted more due to having to frequently call into the graphics driver.

[bd139]

Depends as much on the filesystem implementation as the load profile. Consider nasty shit like MFT fragmentation on NTFS.

[bd139]

Apart from the massive IO...

But would that not be accomplished via a few memory map DMA calls.  Map the input files into memory, map the output file to memory, compute between the two.  The actual IO is handled by the kernel, DMA controller and MMU via page faults.

Depends on how the privilege separation works. If you’re working through a hypervisor this may make no difference.

[andersm]

Depends as much on the filesystem implementation as the load profile. Consider nasty shit like MFT fragmentation on NTFS.

Fragmentation doesn't concern the application.

[paulca]

To be honest I'm not all that concerned.  I mostly live in Linux.  Linux is vunerable of course, but it is far less likely to be running malicious code than your average home Windows box.  About 99% of my Linux software is open source and compiled from source.  Therefore if it has malware in it it would be spotted and removed.

There is still a risk, but it's much less than your average Windows box which are metaphorically like a Saigon hooker.  So much nasty stuff in it you can see them crawling down the desktop's legs!  (sorry you got that image).

I do have a Windows laptop and a gaming machine which will now be put on quarantine, so no online banking, no sensitive stuff etc.

[Mr. Scram]

Meanwhile on twitter:


https://twitter.com/misc0110/status/948706387491786752

Why lots of people are using password managers in the first place, I don't know (Correction: I guess what had me wondering was, why would people think a password manage to be secure?). Seems wildly insecure to me, though I am ofc no expert. Maybe I am being weird, but why put all your important "eggs" in one big digital basket?

https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)

Also.. Reconstructing images from the memory apparently:
https://twitter.com/mlqxyz/status/950378419073712129

Sensible people don't put all their eggs in one basket. Using a password manager doesn't mean putting every single last password in there. However, we live in a world where you literally need an account to go to the barber and you can't realistically remember loads of different passwords. That's why you use a manager to keep track of passwords.

A sensible password strategy uses tiers for passwords of different values.  It's also good to realize that experts are aware passwords aren't ideal, but that we also haven't found the perfect replacement yet. There isn't one golden strategy, just incremental insights into what are bad ideas. Using the same password in multiple places is a bad idea. Using weak passwords is a bad idea. That's where password management comes in.

[Mr. Scram]

To be honest I'm not all that concerned.  I mostly live in Linux.  Linux is vunerable of course, but it is far less likely to be running malicious code than your average home Windows box.  About 99% of my Linux software is open source and compiled from source.  Therefore if it has malware in it it would be spotted and removed.

There is still a risk, but it's much less than your average Windows box which are metaphorically like a Saigon hooker.  So much nasty stuff in it you can see them crawling down the desktop's legs!  (sorry you got that image).

I do have a Windows laptop and a gaming machine which will now be put on quarantine, so no online banking, no sensitive stuff etc.

Your hubris might be expensive. You browse the web, I presume? Javascript is seen as a major possible vector and will run just as happily on your box as it does on Windows. You can compile from source until the cows come home and still have your passwords taken from under your nose. Security through obscurity never works.

Fanboy stances on this OS or that also don't help. The problem almost always is the user and rarely ever the OS. If it really were the OS, Windows wouldn't be so dominant in the very security concious enterprise market.