D&C GLug - Home Page


Re: [LUG] Spectre was Re: Email service

 


So are Intel going to be able to fix this at the CPU level and bring out a new series of CPUs at some point? IIRC we have i3, i5 and i7, so if say an i9 comes out at some point, would they be looking at fixing the issue?

Paul

On 09/03/18 06:09, Simon Waters wrote:

On Sunday, 4 March 2018 15:57:33 GMT Nick wrote:

One thing I am a little concerned over: on a scale of 'recommended' to
'insane', how sensible is it in the Spectre era to trust a VPS to
remain secure?

Realistically you are more likely to mess up running your own server than be 
attacked by bugs like Spectre. Maybe a rookie mistake like running Exim as a 
mail server ;)

Of course it is possible that attacks using Spectre will become routine, but 
this is going to be quite challenging as it depends on CPU version of the 
machine being attacked, kernel version and mitigations in place.

This week's latest enhancement for Software Guard Extensions requires physical 
access to the machine, and if attackers have that your hosting company have 
already failed.

Even if it becomes routine, they will still need to execute code on the same 
host server as the victim, which could be expensive if the hosting company 
have a lot of servers. It is also likely the hosting company is vulnerable to 
something much more mundane.

There will be more CPU side channel attacks, modern CPUs are that complex.

There will also be more bugs in whatever virtualisation technology is in use, 
but before this lots of companies relied on file permissions to keep website 
owners apart, and as dreadful a model as that was it was "good enough" for 
many web hosts, because your site or service just isn't worth punting up the 
money to become a customer in the hopes of being on the same server, and 
finding a hole.

There are loads of dreadful security bugs no one talks about much on the 
Internet, we just ultimately accept the risk. Just look at how widely DNSSEC 
is deployed, versus how difficult it is to do cache poisoning. Heck I see people 
who should know better throwing their DNS to services like Google's recursive 
DNS with no particular protections.



-- 
Paul Sutton
http://www.zleap.net

Torbay Tech Jam - 2nd Saturday of the Month at Paignton Library
-- 
The Mailing List for the Devon & Cornwall LUG
https://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq