So uh, "Use Signal. Use Tor," is still good advice, but also.... *gestures vaguely at computers*
-
If your threat model is basically the Mossad model you should definitely be concerned. If your threat model is "it will be an inconvenience if I have to get identity theft monitoring" then maybe move along merrily.
-
what's the news? sorry just not up on what's happening
-
A processor-level bug common to a staggering number of processors (i.e. almost all Intel processors from 1995 on) has been discovered that in theory allows an attacker into the rendering of a process, among other things. Basically they can read what your system is displaying.
-
It's not just Intel. Spectre is scarier and affects basically all out-of-order-execution CPU designs including modern ARM (Android & iOS phones), AMD, even some RISC-Vs.
-
Is that confirmed? Last I read, the researchers hadn't tested it that far.
-
AMD only confirms variation one is in effect (but patches are here) / variation two has near zero risk / variation three has zero risk. Just my 2 cents
-
"Variant 1" in the P0 blog notation? That's the attack that makes any kind of JIT'd embedded language (JS, Lua, etc.) unsafe and is probably the most likely to be exploited in the wild right away.
-
For Firefox users, this should largely mitigate it for now: https://twitter.com/RichFelker/status/948963143195267073 …
-
As an insider, I must protest. Yes, it’s bad. But not “the sky falls” bad. Patches/updates are being deployed, mitigation is handled.
#Shellshock was worse. Far worse IMHO.
-
Yes and until those patches are deployed it's fair to say that people with high risk profiles should be super, super wary.
-
Yes. And people with high-risk profiles should update, update, update. Apple silently fixed one attack vector in December. The big 3 clouds (Amazon, Google, Azure) also claim fixes are in place. The unmaintained, outdated boxes are the real problem.
-
Ah yes, precisely the kind of devices that activists have to often work with.
-
Yep. And they possibly are still wide open to Heartbleed, Shellshock, Stagefright etc. We really must change that. Bugs will always come at surprising moments.
-
I was just thinking, on the way home, that it would be handy to have a tool that verified your susceptibility to all these bugs.
-
Could you trust such a thing?
-
I would trust it, if it was FOSS certainly. Would RedHat sponsor such a project?
-
Just update, patch, and preferably block JavaScript from sources you don't trust until mitigations are in place (ScriptSafe, NoScript), and don't panic.
-
A little panic is warranted! The servers we connect to (and trust our information will be kept secure on!) are compromised.
-
It's terrifying, but unless you actually are a tech user, the panic and the PR is going to be difficult to sort through. Most cloud services are already patched (Azure, AWS, Google Cloud), and Meltdown patches have been/are being deployed.
-
It is terrifying, but telling people it's the end of the world as we know it isn't going to do anything to help. Telling them to update their computer, and maybe block JS will.
-
I didn't say it was the end of the world. I said computers are fucked which is true until patches are widespread, which they are not yet, nor does any user have control over most of the devices that affect them.
-
I wasn't blaming you, and patches for most devices are becoming widespread (Windows deployed, macOS deployed, Fedora deployed, I dunno about Ubuntu/Arch/etc.). But most devices that don't receive updates will be fucked, permanently. And that's been a long-tome coming.
-
*time. Although tome feels weirdly appropriate here...