tl;dr I'm too r-slurred to understand this but you will probably be affected by this
Hertzbleed Attack: New CPU Vulnerability
wake up babe, new unpatchable speculative execution side channel vuln just dropped
must be a tuesday
I hate mondays
Don't worry, it's not like this caused major issues in the past!
this can easily be fixed by locking the core frequency for the duration of sensitive cryptographic calculations
shut up nerd
easier said than done, hurts performance too
you can force speed boost on for those moments and get the same security fix
the whole reason the dynamic scaling exists is that the cpu often cannot remain at the maximum clock speed forever, often for heat reasons
it's only for the duration of the decryption calculation just lock for a short burst, not at all times, and only on that physical core.
at worst it would mildly degrade effectiveness of dynamic scaling wasting some power/heat
There's already stuff in place for protected memory. You can just assume that whenever those syscalls get run that they want to run in a stable frequency
Wouldn't adding random delays work too?
that would hurt performance a lot worse than telling the CPU to "finish this calculation before you speed step again"
depends tbh, 1 or 2 nanoseconds should do it well enough?
maintaining a supply of sufficiently random data for padding is somewhat costly
What the frick did I just read and how does It affect me
when faced with serious autism, your computer may leak secret information to an attacker because the content of secrets can influence cpu frequency. It may be possible to perform the attack via Javascript, but most likely it will never happen. Most likely, you will never be targeted with this unless you are a cloud provider or you enjoy finding and running extremely sophisticated malware. This attack seems difficult to mitigate and the only known protection for now is to fix a constant cpu frequency, which is bad for performance and power consumption.
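The workaround discussed in this thread (holding the core frequency fixed, or turning boost off) can be audited on Linux through the cpufreq sysfs files. This is an added example, not part of the thread or of the Hertzbleed authors' material; `freq_audit` and `make_sample_tree` are hypothetical helper names, and the demo runs on a constructed directory tree instead of the real `/sys`.

```shell
#!/bin/sh
# Added example: report whether Linux cpufreq settings still let the clock vary.
# freq_audit [ROOT]  ROOT defaults to /sys/devices/system/cpu.
# Returns 0 when boost is off and every policy has min == max, else 1.
freq_audit() {
    root="${1:-/sys/devices/system/cpu}"
    rc=0
    # intel_pstate driver: no_turbo=1 means turbo is disabled.
    f="$root/intel_pstate/no_turbo"
    if [ -r "$f" ] && [ "$(cat "$f")" != "1" ]; then
        echo "VARIABLE intel_pstate turbo enabled"; rc=1
    fi
    # Global boost switch of other drivers (e.g. acpi-cpufreq): 0 means disabled.
    f="$root/cpufreq/boost"
    if [ -r "$f" ] && [ "$(cat "$f")" != "0" ]; then
        echo "VARIABLE cpufreq boost enabled"; rc=1
    fi
    # Per-policy limits in kHz: the governor cannot scale only if min == max.
    for p in "$root"/cpufreq/policy*; do
        [ -r "$p/scaling_min_freq" ] || continue
        min=$(cat "$p/scaling_min_freq")
        max=$(cat "$p/scaling_max_freq")
        if [ "$min" = "$max" ]; then
            echo "PINNED ${p##*/} at $min kHz"
        else
            echo "VARIABLE ${p##*/} range $min-$max kHz"; rc=1
        fi
    done
    return $rc
}

# Constructed sysfs-like tree for offline runs: $1=no_turbo $2=min kHz $3=max kHz
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/intel_pstate" "$d/cpufreq/policy0"
    echo "$1" > "$d/intel_pstate/no_turbo"
    echo "$2" > "$d/cpufreq/policy0/scaling_min_freq"
    echo "$3" > "$d/cpufreq/policy0/scaling_max_freq"
    echo "$d"
}

# Demo on constructed data: turbo enabled, 800 MHz to 4.2 GHz scaling range.
demo=$(make_sample_tree 0 800000 4200000)
freq_audit "$demo" || echo "result: frequency can still vary"
rm -rf "$demo"
```

On a real host, call `freq_audit` with no argument. The result reflects configured limits only; hardware power or thermal throttling is outside what these files show.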
No, following MELTDOWN/SPECTRE, browser people tried their hardest to disable millisecond-accurate time measurements, so no.
Cloud providers could be targeted in theory.
I have no idea who is right, but the user fpoling on orange site says:
Huh, I didn't know it was ever re-enabled. I honestly doubt that, because SPECTRE was actually two very different things: one was a bunch of genuine bugs in Intel (and possibly AMD) process isolation, for example if you tried to read memory you didn't have the right to, the instruction would set the exception flag but still return an actual value instead of say 0, which you could then leak by reading from an address dependent on the value thus loading it into the cache, before the whole speculative execution branch was discarded.
And the other half was that you can't provide memory isolation in software. Like, if you don't have your javascript interpreter in a separate process then the javascript code can use this shit to read your memory, no ifs, buts, or bugs required.
So either that was mitigated by making sure that javascript interpreters live in their own processes with no sensitive information, or by preventing them from obtaining accurate enough timing data (including via indirect means, like having workers have data races), but either way a new side channel can't break it.
nerd
At least I don't cut off my entire country's internet by tossing in my sleep.
This is correct, stuff like setInterval gets r*ped in the progress and basically all timing events
your intel/amd CPU is getting another nerf like what happened with heartbleed and spectre (those led to a 10-15% performance drop).
mitigations=off
It truly never began for security strags
Internet jews want to steal my hz
yes
Some esoteric bullshit that will never affect anyone.
Interesting, a spectre-like exploit that can be used for timing attacks during cryptographic operations.
Still obviously requires running malicious code on your machine. Can't see how it can be done over a network.
jabascript stay winning
Yeah they insist multiple times this can be done remotely, and I have absolutely no idea how that could be feasible
If someone's running a server that will encrypt arbitrary messages, then you can send them chosen plaintexts to encrypt, measure how long it takes for them to respond, and derive the key that way.
Shouldn't the real difference be minuscule compared to the noise? This sounds entirely impractical for all but the most advanced threats
I've tried timing attacks over a network and the latency always screws it up. Too much variation when you're measuring fractions of a millisecond.
You know SSL also exists right? That utilizes cryptography thus making the whole channel vulnerable
SSL or chat encryption
I understand things can be encrypted over a network. But it's just impossible to measure that kind of precise timing over a normal connection.
data sends in packets, if the packet is small enough it'll get read in all at once
but it seems like to craft malware it'll take more effort
I have no clue what this is but I am now afraid and angry.
Look at the cutie trying to protect our computers, marsey should team up
As if I would use Intel.
But with my luck, somebody will probably publicize a similar one for AMD a few months down the road.
tell us you didn't read the article but use different words
How about "I am a r-slur?"
Turns out it is also in AMD. Well, can't say I'm surprised. Time to unplug.
ngl this seems like a non-issue issue, it's just fricking with speed and ofc mitigations will be horrendous
Hopefully kernel level patches to these exist so software devs don't have to mitigate them