Is the danger of Meltdown and Spectre exaggerated

Chat about anything related to Linux Mint
Post Reply
Darroch
Level 1
Level 1
Posts: 28
Joined: Tue Sep 17, 2013 4:06 am

Is the danger of Meltdown and Spectre exaggerated

Post by Darroch » Sun Jan 07, 2018 11:26 am

My understanding is that the Meltdown and Spectre exploits require local access via an application, e.g., virus or piece of purpose built malware, running on a host computer to steal information. Since most Linux users get their software from official repositories and, hopefully, other respectable and reputable sources, such users rarely get infected by rogue software which could do this. if Linux users are careful surely the danger posed by Meltdown and Spectre represents a minimal although ever present danger hardware-wise?

Could an application designed to pilfer data by means of Meltdown and Spectre be run as a non-root user or not? I've read that Javascript can be used in web pages to make use of these exploits but don't know what privileges browsers might need to do such a thing.

(Incidentally I run Linux Mint 18.1 on a Lenovo T420 laptop and have updated my kernel and installed all recommended level 5 security updates, via the update manager, whenever listed for over twelve months without any problem. So when the time comes I recommend that users of Linux Mint should at least update their kernels and firmware etc., via the update manager to get the best available protection when the time comes.)

User avatar
Flemur
Level 16
Level 16
Posts: 6187
Joined: Mon Aug 20, 2012 9:41 pm
Location: Potemkin Village

Re: Is the danger of Meltdown and Spectre exaggerated

Post by Flemur » Sun Jan 07, 2018 12:01 pm

Is the danger of Meltdown and Spectre exaggerated
Probably - "FUD" sells page views. I'm not worried about it because I'm not a bank database or nuclear weapons system admin, etc.
Firefox 57.0.4 has some sort of fix about this issue, though.

Edit: keep in mind that I don't know anything.
Please edit your original post title to include [SOLVED] if/when it is solved!
Your data and OS are backed up....right?
Mint 18.3 Xfce/fluxbox/pulse-less
Xubuntu 17.10/fluxbox/pulse-less

User avatar
thx-1138
Level 6
Level 6
Posts: 1247
Joined: Fri Mar 10, 2017 12:15 pm
Location: Athens, Greece

Re: Is the danger of Meltdown and Spectre exaggerated

Post by thx-1138 » Sun Jan 07, 2018 12:42 pm

...this post here by rene is by far the most balanced description i've personally read (on those forums) so far:
viewtopic.php?p=1409565#p1409565

...If referring to the various online media though, yes, for the most part of it, as Flemur said, fud sells page views.

User avatar
Spearmint2
Level 15
Level 15
Posts: 5734
Joined: Sat May 04, 2013 1:41 pm
Location: Maryland, USA

Re: Is the danger of Meltdown and Spectre exaggerated

Post by Spearmint2 » Sun Jan 07, 2018 1:07 pm

Yes for the moment, but not for the near future.
All things go better with Mint. Mint julep, mint jelly, mint gum, candy mints, pillow mints, peppermint, chocolate mints, spearmint,....

User avatar
Pepi
Level 5
Level 5
Posts: 716
Joined: Wed Nov 18, 2009 7:47 pm

Re: Is the danger of Meltdown and Spectre exaggerated

Post by Pepi » Sun Jan 07, 2018 1:32 pm

The year 2000 was a total disaster :mrgreen:

User avatar
Schultz
Level 6
Level 6
Posts: 1337
Joined: Thu Feb 25, 2016 8:57 pm

Re: Is the danger of Meltdown and Spectre exaggerated

Post by Schultz » Sun Jan 07, 2018 3:19 pm

It's not exaggerated according to the author of the linked article below. I'm not saying I agree or disagree with him. My knowledge is too limited to form an opinion worth sharing. I'm just throwing it out there. :)

https://www.schneier.com/blog/archives/ ... mel_1.html

Mr_Reed
Level 3
Level 3
Posts: 186
Joined: Tue Dec 23, 2014 12:27 am

Re: Is the danger of Meltdown and Spectre exaggerated

Post by Mr_Reed » Sun Jan 07, 2018 3:33 pm

What is the status of AMD chips and chips made by VIA? I haven't heard much about AMD and really nothing about VIA.

User avatar
BigEasy
Level 6
Level 6
Posts: 1173
Joined: Mon Nov 24, 2014 9:17 am
Location: Chrząszczyżewoszyce, powiat Łękołody

Re: Is the danger of Meltdown and Spectre exaggerated

Post by BigEasy » Sun Jan 07, 2018 4:33 pm

Meltdown and Spectre is dangerous as any other vulnarables. But there is good news for someone. Before 2018 there was new working malwares, then after some time vulnarables fixes came. Now we have no real malware, only idea. And now fixes come first.
Windows assumes I'm stupid but Linux demands proof of it

User avatar
majpooper
Level 5
Level 5
Posts: 653
Joined: Thu May 09, 2013 1:56 pm
Location: North Carolina, USA

Re: Is the danger of Meltdown and Spectre exaggerated

Post by majpooper » Sun Jan 07, 2018 4:47 pm

Mr_Reed wrote:What is the status of AMD chips and chips made by VIA? I haven't heard much about AMD and really nothing about VIA.
Most of the technical explanation went way over my head but what I did get was that AMD is not vulnerable.

tuxer
Level 1
Level 1
Posts: 23
Joined: Thu Jan 12, 2012 1:07 pm

Re: Is the danger of Meltdown and Spectre exaggerated

Post by tuxer » Sun Jan 07, 2018 5:01 pm

majpooper wrote:
Mr_Reed wrote:What is the status of AMD chips and chips made by VIA? I haven't heard much about AMD and really nothing about VIA.
Most of the technical explanation went way over my head but what I did get was that AMD is not vulnerable.
From my understanding, Intel, AMD and ARM are all affected. Intel by both Meltdown and Spectre. AMD is affected by spectre. Not sure if ARM is affected by both or just spectre. Glad I am a fan of AMD over Intel at the moment lol.

User avatar
trytip
Level 8
Level 8
Posts: 2393
Joined: Tue Jul 05, 2016 1:20 pm

Re: Is the danger of Meltdown and Spectre exaggerated

Post by trytip » Sun Jan 07, 2018 5:08 pm

BigEasy wrote:
... Now we have no real malware, only idea. And now fixes come first
the malware we face are third party apps offering FREE content only as a lure and then exploit the device with the permissions given to it. it's legit if you agree to the long terms of privacy which not many read they make no sense it's just technobabble in a loop to make it sound fancy.

one thing i always found so efin ANNOYING in installing anything is that ALL the SUDDEN the new application wants to run your whole damm computer and soon after installing 20 more applications with the same greedy conquest of the startup session, you have a system controlled by all these peeny minions with whole purpose being to distract into interacting with them "ME ME ME Click ME!!!"
Image

Darroch
Level 1
Level 1
Posts: 28
Joined: Tue Sep 17, 2013 4:06 am

Re: Is the danger of Meltdown and Spectre exaggerated

Post by Darroch » Mon Jan 08, 2018 6:10 am

Thing is, as far as I can see, the danger is much the same as that represented by viruses and malware, i.e., a piece of software running locally on a computer accesses data which it shouldn't. (The only real difference being that the software uses flaws in the microcode of the CPU to do so.) So for careful Linux users the only avenue of attack for hackers who want to take advantage of Meltdown and Spectre is via a browser, email client or network connection.

The browser and email client developers - in my case Opera 50.0 and Thunderbird - will harden their applications to stop this and if users are vigilant as far as their personal security is concerned when on connected to a LAN/WAN and are not silly enough to install dodgy software (which a lot of Windows and Android users do all the time) the dangers posed by Meltdown and Spectre should be minimal.

As far as I can see updating your kernel, firmware and applications should be enough to cut risks posed by the new exploits to next to nothing on personal computers, especially with those running Linux.

As far as BIOS updates go I don't even know if INTEL intend to make these available for older processors - like the i5 CPU in the Lenovo laptop I'm writing these words with and so the foregoing updating may well be the only things that many of us can do. I certainly don't intend to scrap and replace all my PCs because of CPU exploits like those under discussion here.

User avatar
Spearmint2
Level 15
Level 15
Posts: 5734
Joined: Sat May 04, 2013 1:41 pm
Location: Maryland, USA

Re: Is the danger of Meltdown and Spectre exaggerated

Post by Spearmint2 » Mon Jan 08, 2018 11:02 am

As far as BIOS updates go I don't even know if INTEL intend to make these available for older processors - like the i5 CPU in the Lenovo laptop I'm writing these words with and so the foregoing updating may well be the only things that many of us can do.
Technically, BIOS updates are the responsibility of the motherboard manufacturer. However, many major computer manufacturers do use motherboards from Intel, so I'd expect those would also get a BIOS update from Intel, but for how many years backward? What then of the motherboard manufacturers other than Intel, like Asus, Gigabyte, MSI, Biostar, ECS, et al?I doubt my 10 yr old Gigabyte motherboards will see an updated BIOS issued for them. Thankfully I use AMD processors exclusively. I never could see paying more to intel for basically the same provided by less expensive AMD.

I predict the next really big hack will be someone figuring out a way to use Microsoft windows 10 new peer to peer sharing of updates between their users to infect thousands, possibly millions of computers. To me that seems just too obvious a target for some determined hackers to already be working on accomplishing. There are ways to turn that off, but few W10 users even know how. For those who may use W10 or have someone in their home who does, I'll give these links to help them.

https://www.howtogeek.com/224981/how-to ... -internet/

https://www.howtogeek.com/226722/how-wh ... indows-10/

https://www.howtogeek.com/262477/how-to ... -8-and-10/

Also, the metered setting ONLY works if connected by wifi and disengages if at any time the connection is changed, or the computer is plugged by cable to a router. Satellite service users have been hit by this hard, being they have limited monthly allotments of bandwidth and finding it all gone in a couple weeks now when using W10 instead of lasting the entire month. My youngest received a windows 10 laptop as high school graduation gift toward college use from her older siblings and that's the first things I had her do to it. That also saved her from the last big update that corrupted so many W10 computers who then had to reinstall their manufacturer drive files, particularly the video files, which had been "updated" with Microsoft's "newer" driver files.
All things go better with Mint. Mint julep, mint jelly, mint gum, candy mints, pillow mints, peppermint, chocolate mints, spearmint,....

Mr_Reed
Level 3
Level 3
Posts: 186
Joined: Tue Dec 23, 2014 12:27 am

Re: Is the danger of Meltdown and Spectre exaggerated

Post by Mr_Reed » Fri Jan 12, 2018 12:51 am

Still no word from VIA technologies?

User avatar
Pierre
Level 17
Level 17
Posts: 7566
Joined: Fri Sep 05, 2008 5:33 am
Location: Perth, AU.

Re: Is the danger of Meltdown and Spectre exaggerated

Post by Pierre » Fri Jan 12, 2018 1:15 am

it's more of an Laboratory Grade Hack, than anything else.
:o
but, there is still, some small risk, that it may work outside of that Laboratory,
and so, this issue needs to be addressed.
8)
Image
Please edit your original post title to include [SOLVED] - when your problem is solved!
and DO LOOK at those Unanswered Topics - - you may be able to answer some!.

Post Reply

Return to “Chat about Linux Mint”