[rarestia]

LMAO! My boss is already going gray(er) over Spectre/Meltdown. Now this?

I wonder if the FBI knew about this and didn’t tell anyone... /sarc

[Swordmaker]

New variants of the Spectre and Meltdown hardware hitting malware that crosses all platforms has been shown in proof of concept form that demonstrates that the proposed hardware fixes will not work as proposed. Deeper and more fundamental changes will most likely have to be made. Very worrisome. —PING!

pinging dayglored, ThunderSleeps, and ShadowAce for their ping list attention.

Spectre Prime and Meltdown Prime Malware Ping!

If you want on or off the Mac Ping List, Freepmail me.

[Skywise]

I’m still amazed this went on for so long without anybody noticing.

I’ve worked with embedded systems doing high performance coding and we always just assumed that once the cache path was invalidated that it was inaccessible.

[Bratch]

[TheBattman]

If your automobile manufacturer is discovered to have included (even by accident) a flaw that allows theives to take your car at-will, or to hijack your car remotely and put you and the general public at risk - who would be held accountable for that flaw? The manufacturer - no matter the cost.

If your bank runs software that has a security gap that allows thieves to take money from them at-will - who is accountable for that flaw? Your bank and their tech suppliers.

So - with millions and millions of computers across platforms likely targeted because of a FLAW (think design flaw when it comes to some states and their product liability law) who should be held accountable for fixing and repairing what they left (accidentally or otherwise) open because of a design flaw?

[palmer]

They were always side channel. Such side channel attacks have been proposed for years but were never viable. Nothing has changed, fixes or not.

The important point, as it has always been, is that the attacker has to run arbitrary code on your CPU to even start the attack. The only case on a PC where somewhat arbitrary code is run (other than user error) is javascript in a web browser and it is quite easy to protect browsers against that. On Mac there are protections built into firmware that would preclude OS level attacks (e.g. would preclude persistence)

The other case is where people are running arbirary code on virtual machines that they are renting in the cloud. Those are obviously more concerning to cloud vendors and cloud users, but only to those people.

[BTerclinger]

How long before some kids pacemaker is hacked, the kid dies, and the father tracks down and takes out the hacker,