Tech Meltdown and Spectre exploits - GoFuckYourself.com

k0nr4d · 01-04-2018, 04:53 AM

https://meltdownattack.com/
2 exploits in intel/amd/arm cpus. Most linux distributions already have patches (albiet that slow down the system a bit).

I wouldn't want to be a VPS provider right now

Paul&John · 01-04-2018, 05:44 AM

As far as I know meltdown works only on Intel.. the second one - spectre is for all three.

k0nr4d · 01-04-2018, 08:17 AM

Correct. I'm surprised no one is talking about this on here - it's literally the largest security hole ever.

freecartoonporn · 01-04-2018, 08:37 AM

ha jokes on INTEL , i use AMD,

who knows, how many reputable apps have already stolen shotloads of data., and this day data = money.,

Phoenix · 01-04-2018, 08:21 PM

Fix yet?

Paul&John · 01-05-2018, 08:29 AM

Quote:

Originally Posted by Phoenix

Fix yet?

Nah first the Intel CEO had to sell some of his stocks before it hit the news

https://www.cnbc.com/2018/01/04/inte...ity-flaws.html
Intel CEO Brian Krzanich sold off a large chunk of his stake in the company after the chipmaker was made aware of serious security flaws, according to multiple reports

Bladewire · 01-05-2018, 08:42 AM

Quote:

Originally Posted by freecartoonporn

ha jokes on INTEL , i use AMD,

"2 exploits in intel/amd/arm cpus"

Sarn · 01-05-2018, 09:55 AM

And how fix it?

k0nr4d · 01-05-2018, 11:04 AM

Quote:

Originally Posted by Sarn

And how fix it?

Meltdown via software patches that slow down cpu 5-30%. Spectre supposidely unfixable.

GAMEFINEST · 01-05-2018, 11:17 AM

Sell them stocks..

deonbell · 01-05-2018, 12:50 PM

How do computer get the aids? Not remotely attack like heart bleed? Not by visiting website?

Maybe have to put exploit on executable? Put code with a bejewdled game then bad guy gives computer aids and reads your password?

shake · 01-05-2018, 01:05 PM

Quote:

Originally Posted by k0nr4d

https://meltdownattack.com/
2 exploits in intel/amd/arm cpus. Most linux distributions already have patches (albiet that slow down the system a bit).

I wouldn't want to be a VPS provider right now

Pretty crazy right. It won't really effect home users much but it's going to be a big problem at the server level.

k0nr4d · 01-05-2018, 01:15 PM

Quote:

Originally Posted by deonbell

How do computer get the aids? Not remotely attack like heart bleed? Not by visiting website?

Maybe have to put exploit on executable? Put code with a bejewdled game then bad guy gives computer aids and reads your password?

Spectre is executable via javascript.

deonbell · 01-05-2018, 03:35 PM

Quote:

Originally Posted by k0nr4d

Spectre is executable via javascript.

Hmm, Note just Node.js problem? Look like possible to escape browser sandbox? Ignore Same Orgy Policy on websites.

https://www.react-etc.net/entry/expl...via-javascript

rowan · 01-05-2018, 04:29 PM

I was wondering the other day if a major crypto exchange I use is "in the cloud", and if so, what that may mean for security.

My mild concern becomes more serious after learning of these new attack vectors, considering that it may be possible for another customer to access arbitrary memory on the same host. To steal funds from a Bitcoin address all you need is a 32 byte private key.

rowan · 01-05-2018, 11:51 PM

Quote:

Originally Posted by rowan

To steal funds from a Bitcoin address all you need is a 32 byte private key.

To elaborate further: that is really all you need to steal someone's Bitcoin balance. You don't need to be able to control the victim's computer/VPS in any way, nor do you need access to the file system. You just need to grab those 32 bytes of private key (for each address) from the victim's (running) Bitcoin client, then import them into your own wallet. The victim no longer has control of the funds once you move them to your own address.

You don't even need to know if any given 32 byte string is a Bitcoin key. You can just import it and let the client figure out if it owns any funds.

sandman! · 01-06-2018, 12:01 AM

This only applies to someone that?s running bitcoin on a vps/cloud server which is less then 1% of users

Quote:

Originally Posted by rowan

To elaborate further: that is really all you need to steal someone's Bitcoin balance. You don't need to be able to control the victim's computer/VPS in any way, nor do you need access to the file system. You just need to grab those 32 bytes of private key (for each address) from the victim's (running) Bitcoin client, then import them into your own wallet. The victim no longer has control of the funds once you move them to your own address.

You don't even need to know if any given 32 byte string is a Bitcoin key. You can just import it and let the client figure out if it owns any funds.

rowan · 01-06-2018, 12:07 AM

Quote:

Originally Posted by sandman!

This only applies to someone that?s running bitcoin on a vps/cloud server which is less then 1% of users

How many exchanges do you think run on bare metal? I bet a lot of them rely heavily on cloud instances in order to scale.

Consider also that even a dedicated server could be attacked via another vector. A process which is running chrooted/jailed, such as a coin daemon, could be examined by an exploit in another part of the server.

sandman! · 01-06-2018, 12:09 AM

Yes it?s possible but there have always been exploits un known out there I have a system that has kept me and my customers safe for along time that I won?t be posting here 🙃

Quote:

Originally Posted by rowan

How many exchanges do you think run on bare metal? I bet a lot of them rely heavily on cloud instances in order to scale.

Consider also that even a dedicated server could be attacked via another vector. A process which is running chrooted/jailed, such as a coin daemon, could be examined by an exploit in another part of the server.

k0nr4d · 01-06-2018, 12:21 AM

Quote:

Originally Posted by rowan

How many exchanges do you think run on bare metal? I bet a lot of them rely heavily on cloud instances in order to scale.

Consider also that even a dedicated server could be attacked via another vector. A process which is running chrooted/jailed, such as a coin daemon, could be examined by an exploit in another part of the server.

I think most of them are running on bare metal, with CDN's in front. Bittrex is behind cloudflare. Cloudflare would be vulnerable, and it acts like a proxy for requests between you and bittrex. Besides that, this could be used to steal google authenticator tokens for the two-factor logins on sites.

rowan · 01-06-2018, 12:23 PM

This page has a good technical-but-not-excessively-technical explanation of how the attacks work. It's on the Raspberry Pi site but it's not really Pi specific.

https://www.raspberrypi.org/blog/why...e-or-meltdown/

01-04-2018, 04:53 AM	#1
k0nr4d Confirmed User Industry Role: Join Date: Aug 2006 Location: Poland Posts: 9,229	Meltdown and Spectre exploits https://meltdownattack.com/ 2 exploits in intel/amd/arm cpus. Most linux distributions already have patches (albiet that slow down the system a bit). I wouldn't want to be a VPS provider right now __________________ Mechanical Bunny Media Mechbunny Tube Script \| Mechbunny Webcam Aggregator Script \| Custom Web Development

01-04-2018, 05:44 AM	#2
Paul&John Confirmed User Industry Role: Join Date: Aug 2005 Location: YUROP Posts: 8,614	As far as I know meltdown works only on Intel.. the second one - spectre is for all three. __________________ Use coupon 'pauljohn' for a $1 discount at already super cheap NameSilo! Anal Webcams \| Kinky Trans Cams Live \| Hotwife XXX Tube \| Get your Proxies here

01-04-2018, 08:17 AM	#3
k0nr4d Confirmed User Industry Role: Join Date: Aug 2006 Location: Poland Posts: 9,229	Correct. I'm surprised no one is talking about this on here - it's literally the largest security hole ever. __________________ Mechanical Bunny Media Mechbunny Tube Script \| Mechbunny Webcam Aggregator Script \| Custom Web Development

01-04-2018, 08:37 AM	#4
freecartoonporn Confirmed User Industry Role: Join Date: Jan 2012 Location: NC Posts: 7,683	ha jokes on INTEL , i use AMD, who knows, how many reputable apps have already stolen shotloads of data., and this day data = money., __________________ SSD Cloud Server, VPS Server, Simple Cloud Hosting \| DigitalOcean

01-04-2018, 08:21 PM	#5
Phoenix BACON BACON BACON Industry Role: Join Date: Nov 2002 Location: Poems everybody, the laddie fancies himself a poet Posts: 35,465	Fix yet? __________________ Skype Phoenixskype1 Telegram PhoenixBrad https://quantads.io

01-05-2018, 09:55 AM	#8
Sarn Lest we forget Industry Role: Join Date: Sep 2015 Location: Russia Posts: 12,036	And how fix it?

01-05-2018, 11:17 AM	#10
GAMEFINEST Make STACK$ Industry Role: Join Date: Nov 2006 Location: sexy time Posts: 14,439	Sell them stocks.. __________________ Compound interest.

01-05-2018, 12:50 PM	#11
deonbell Confirmed User Industry Role: Join Date: Sep 2015 Posts: 1,045	How do computer get the aids? Not remotely attack like heart bleed? Not by visiting website? Maybe have to put exploit on executable? Put code with a bejewdled game then bad guy gives computer aids and reads your password? __________________ Fake Naked Celebrity Sex Gallery

01-05-2018, 04:29 PM	#15
rowan Too lazy to set a custom title Join Date: Mar 2002 Location: Australia Posts: 17,393	I was wondering the other day if a major crypto exchange I use is "in the cloud", and if so, what that may mean for security. My mild concern becomes more serious after learning of these new attack vectors, considering that it may be possible for another customer to access arbitrary memory on the same host. To steal funds from a Bitcoin address all you need is a 32 byte private key.

01-06-2018, 12:23 PM	#21
rowan Too lazy to set a custom title Join Date: Mar 2002 Location: Australia Posts: 17,393	This page has a good technical-but-not-excessively-technical explanation of how the attacks work. It's on the Raspberry Pi site but it's not really Pi specific. https://www.raspberrypi.org/blog/why...e-or-meltdown/