Researchers Discover Two Major Flaws in the World’s Computers
#1
I was always suspicious of 'The Cloud' (and anything 'Google') and I am now pleased I never went there.



Quote:

 
Researchers Discover Two Major Flaws in the World’s Computers
Cade Metz and Nicole Perlroth


[Image: Paul Kocher, left, moderating the RSA Conference 2016 in San Francisco. Mr. Kocher is an independent researcher who was an integral part of the team that discovered the flaws. Jim Wilson/The New York Times]
SAN FRANCISCO — Computer security experts have discovered two major security flaws in the microprocessors inside nearly all of the world’s computers.
The two problems, called Meltdown and Spectre, could allow hackers to steal the entire memory contents of computers, including mobile devices, personal computers and servers running in so-called cloud computer networks.
There is no easy fix for Spectre, which could require redesigning the processors, according to researchers. As for Meltdown, the software patch needed to fix the issue could slow down computers by as much as 30 percent — an ugly situation for people used to fast downloads from their favorite online services.
“What actually happens with these flaws is different and what you do about them is different,” said Paul Kocher, a researcher who was an integral member of a team of researchers at big tech companies like Google and Rambus and in academia that discovered the flaws.
Meltdown is a particular problem for the cloud computing services run by the likes of Amazon, Google and Microsoft. By Wednesday evening, Google and Microsoft said they had updated their systems to deal with the flaw.
Amazon told customers of its Amazon Web Services cloud service that the vulnerability “has existed for more than 20 years in modern processor architectures.” It said that it had already protected nearly all instances of A.W.S. and that customers must update their own software running atop the service as well.
To take advantage of Meltdown, hackers could rent space on a cloud service, just like any other business customer. Once they were on the service, the flaw would allow them to grab information like passwords from other customers.
That is a major threat to the way cloud-computing systems operate. Cloud services often share machines among many customers — and it is uncommon for, say, a single server to be dedicated to a single customer. Though security tools and protocols are intended to separate customers’ data, the recently discovered chip flaws would allow bad actors to circumvent these protections.
The personal computers used by consumers are also vulnerable, but hackers would have to first find a way to run software on a personal computer before they could gain access to information elsewhere on the machine. There are various ways that could happen: Attackers could fool consumers into downloading software in an email, from an app store or visiting an infected website.
According to the researchers, the Meltdown flaw affects virtually every microprocessor made by Intel, which makes chips used in more than 90 percent of the computer servers that underpin the internet and private business operations.
Customers of Microsoft, the maker of the Windows operating system, will need to install an update from the company to fix the problem. The worldwide community of coders that oversees the open-source Linux operating system, which runs about 30 percent of computer servers worldwide, has already posted a patch for that operating system. Apple had a partial fix for the problem and is expected to have an additional update.
The software patches could slow the performance of affected machines by 20 to 30 percent, said Andres Freund, an independent software developer who has tested the new Linux code. The researchers who discovered the flaws voiced similar concerns.
This could become a significant issue for any business running websites and other software through cloud systems.
There is no evidence that hackers have taken advantage of the vulnerability — at least not yet. But once a security problem becomes public, computer users take a big risk if they do not install a patch to fix the issue. A so-called ransomware attack that hit computers around the world last year took advantage of machines that had not received a patch for a flaw in Windows software.
The other flaw, Spectre, affects most processors now in use, though the researchers believe this flaw is more difficult to exploit. There is no known fix for it, and it is not clear what chip makers like Intel will do to address the problem.
It is not certain what the disclosure of the chip issues will do to Intel’s business, and on Wednesday, the Silicon Valley giant played down the problem.
“Intel and other technology companies have been made aware of new security research describing software analysis methods that, when used for malicious purposes, have the potential to improperly gather sensitive data from computing devices that are operating as designed,” the company said in a statement. “Intel believes these exploits do not have the potential to corrupt, modify or delete data.”
The researchers who discovered the flaws notified various affected companies. And as is common practice when such problems are identified, they tried to keep the news from the public so hackers could not take advantage of the flaws before they were fixed.
But on Tuesday, news of the Meltdown flaw began to leak through various news websites, including The Register, a science and technology site based in Britain. So the researchers released papers describing the flaws on Wednesday, much earlier than they had planned.
For now, computer security experts are using a patch, called Kaiser, that was originally discovered by researchers at the Graz University of Technology in Austria to respond to a separate issue last year.
Spectre will be much more difficult to deal with than issuing a software patch.
The Meltdown flaw is specific to Intel, but Spectre is a flaw in design that has been used by many processor manufacturers for decades. It affects virtually all microprocessors on the market, including chips made by AMD that share Intel’s design and the many chips based on designs from ARM in Britain.
Spectre is a problem in the fundamental way processors are designed, and the threat from Spectre is “going to live with us for decades,” said Mr. Kocher, the president and chief scientist at Cryptography Research, a division of Rambus.
“Whereas Meltdown is an urgent crisis, Spectre affects virtually all fast microprocessors,” Mr. Kocher said. An emphasis on speed while designing new chips has left them vulnerable to security issues, he said.
“We’ve really screwed up,” Mr. Kocher said. “There’s been this desire from the industry to be as fast as possible and secure at the same time. Spectre shows that you cannot have both.”
The Meltdown flaw was discovered by Jann Horn, a security analyst at a Google-run security research group called Google Project Zero, last June. Mr. Horn was the first to alert Intel. The chip giant then heard from other researchers who had also discovered the flaw, including Werner Haas and Thomas Prescher, at Cyberus Technology; and Daniel Gruss, Moritz Lipp, Stefan Mangard and Michael Schwarz at the Graz University of Technology.
The researchers had been working through the Christmas holiday on a patch, and coordinating with companies like Microsoft and Amazon to roll out the fix.
The second flaw, Spectre, was also discovered by Mr. Horn at Google and separately by Mr. Kocher, in coordination with Mike Hamburg at Rambus, Mr. Lipp at Graz University and Yuval Yarom at the University of Adelaide in Australia.
A fix may not be available for Spectre until a new generation of chips hits the market.
“This will be a festering problem over hardware life cycles. It’s not going to change tomorrow or the day after,” Mr. Kocher said. “It’s going to take a while.”
#2
The cloud is a funny thing. It makes sense for smaller businesses who don't want to have to buy massive servers, keep them on site somewhere, and hire IT people to keep them functional. However, this comes at the cost of not having your data on site and in the hands of a company who you have to hope are keeping your data secure and also not looking at/tampering with it. As the article says, if a provider is using a single server to share among multiple customers, a single security breach can compromise the data of multiple companies and those companies' customers as well. Cloud is all the rage right now, but I honestly don't see why massive companies who have the money prefer it to on-premise solutions.
#3
(01-04-2018, 12:11 PM)GangGreen Wrote: The cloud is a funny thing. It makes sense for smaller businesses who don't want to have to buy massive servers, keep them on site somewhere, and hire IT people to keep them functional. However, this comes at the cost of not having your data on site and in the hands of a company who you have to hope are keeping your data secure and also not looking at/tampering with it. As the article says, if a provider is using a single server to share among multiple customers, a single security breach can compromise the data of multiple companies and those companies' customers as well. Cloud is all the rage right now, but I honestly don't see why massive companies who have the money prefer it to on-premise solutions.

Because most "massive" companies like two things: trends, and cutting IT staff. Software-as-a-Service and Infrastructure-as-a-Service... these cloud-based technologies simply replace a room full of servers and a team of server engineers to maintain them. Being in the cloud makes them "edgy", but most importantly it saves a boatload of money for them and passes the buck of responsibility of maintaining data to another company.