/ security

This Meltdown is Just a Spectre...

Oh, where to start. You probably heard about Spectre and Meltdown vulnerabilities, and might be freaking out that the world is coming to an end. Well it's not. Even though the reports are far and varied, many state that everything is compromised by these two. That the problem is in hardware and that the investment is great to fix the issue, and while we could implement a workaround in software, it's not ideal (and believe me, it is not).

Should I Care?

There is no need for the Meltdown that is going on in the media. For the not-technically savvy, or those whose eyes glaze over when I say "how much RAM do you have?", you just need to keep your Anti-Virus up-to-date and install all of your Windows/macOS patches (See Disclaimer). No need to keep reading unless you really want to know more.

Link to Microsoft Update Guide for Windows Vista/7/8/8.1

Link to Microsoft Update Guide for Windows 10

Link to Apple Update Guide for macOS Software

If you run Linux, you are probably thinking, hey, you forgot about me! To that I say, "No, you just don't get to fall into the not-technically savvy group, eh, savvy?!"

But the WORLD IS ENDING!!!

Stop, just stop. If someone told you that everything in the Industrial-sector, Automotive-sector, Nuclear-sector, IoT-sector, or Smart-toasters was vulnerable, you should probably not trust their technical advice. First, and most important, thing is that the only things that this vulnerability could really be exploited in are Personal Computers and Servers (herein, "PC"), or places where non-administrators can run code.

The sectors listed above used "constrained" devices and commonly are what is classified as "Realtime," meaning that they are ~100% predictible and only run code that was placed on them by the manufacturer (See Disclaimer #2). These systems normally run on microcontrollers that don't generally use or have the functionality that a PC has, so there would be more easier and/or less complicated attacks that an attacker might be able to use. Generally, this would require physical access for these devices, which at that point, they could just destroy the computer...it's an option, y'know...

But my financial data is all compromised!!!

Yep, it's gone, all gone. Feel free to just send it all to my Bitcoin address, I'll take good care of it.

On a serious note, take a deep breath. If you are that worried about this, go get cash, but don't fret about your house burning down, or the safe it's stored in getting stolen, or anything else that might...you know, just keep it in the bank.

Why did someone find this!!!

My question is, "Why didn't someone find this earlier!?" This has been around for at least 20 years, how are we just now seeing the issue. I thank the folks that do this research, they improve the security of our systems, as the world relies on them quite a lot. Imagine if this person had been malicious, they would likely keep this to themselves, weaponize it, and use it to compromise systems.


Disclaimer

All statements made are accurate to the best of my knowledge and in alignment with the security industry standards and best-practices as of January 2018. I provide no warranty that anything stated will keep you from ever getting "hacked," and I also make no warranties (expressed or implied) that the guidance will actually fix the problem or make you less annoyed with your computer.

Disclaimer #2

There are some realtime systems in which aren't perfectly predictable, but I am ignoring them because they are far and few between. Also, a lot of them have terrible security, but it would require the attacker to have physical access to the device, and if they had that, then it's a bit late, since none of these devices really separate privileged code from unprivileged code, so really they are just wasting time if the adversary decides to launch Spectre/Meltdown based exploits.

Expert Disclaimer

Sorry to other experts. I was trying to simplify down the material to make it more accessible.