Two days ago, an industry/academic team released a terrifying alert about a pair of CPU bugs called Spectre and Meltdown that allowed one program to steal data from another, even with the best memory-management and isolation techniques -- news that meant that virtually all the mission-critical computers in the world could no longer be trusted to handle sensitive data securely.
Both bugs attack "speculative execution" -- a performance-enhancing technique used in microprocessors, in which the processor makes shrewd predictions about operations it will be asked to undertake in the near future and does that work pro-actively, discarding the results when it guesses wrong. Because speculative execution is so important to processor speed, the initial news alerts warned that mitigation would impose up to 30% performance-hits on processors.
Yesterday, the Google Security Blog featured an analysis of two new techniques for guarding against Spectre-style speculative execution attacks: "Retpoline" ("a binary modification technique that protects against 'branch target injection' attacks") and "Kernel Page Table Isolation" ("a general purpose technique for better protecting sensitive information in memory from other software running on a machine"), both of which had been deployed to all of Google's worldwide Linux systems, which power the majority of Google's services.
On these systems, the mitigation techniques imposed "negligible impact on performance" -- a far cry from the 30% we were warned of the day before. Google warns that your mileage may vary: since these techniques guard against interference with speculative execution, they may be highly application-specific, so Google advises "thorough testing in your environment before deployment; we cannot guarantee any particular performance or operational impact."
Google’s Mitigations Against CPU Speculative Execution Attack Methods [Google Help]
More details about mitigations for the CPU Speculative Execution issue [Matt Linton/Google Security Blog]
(via The Verge)
Twenty years ago, the US Patent and Trademark Office granted patent number 6,368,268: "Method and device for interactive virtual control of sexual aids using digital computer networks," a minor classic of a majorly fucked-up genre, the bullshit tech patent that simply adds "with a computer" to some absolutely obvious and existing technology or technique.
Who Left Open the Cookie Jar? A Comprehensive Evaluation of Third-Party Cookie Policies won the Distinguished Paper prize at this year's Usenix Security Conference; its authors, researchers at Belgium's Catholic University in Leuven, revealed a host of devastating, never-seen tracking techniques for identifying web-users who were using privacy tools supplied by browser-vendors and third-party tracking-blocking […]
After a week of blockbuster security revelations from Defcon it's important to take a step back and address the ongoing battle by companies to seize a veto over who can reveal defects in their products.
The Adobe Creative Cloud suite is the foundation on which many creatives build their careers, but some of its programs, like Photoshop and InDesign, are notoriously complex, making it difficult for aspiring designers, photographers, and the like to break into their field. But, don’t get discouraged. The Pay What You Want: Adobe CC A-Z Lifetime Bundle […]
From self-driving cars to Siri, we’ve already gotten a taste of what AI can do, and now this groundbreaking technology is making its way to education and revolutionizing the way we learn new languages. Mondly uses state-of-the-art speech recognition to help you speak foreign languages like a true local. Lifetime subscriptions are on sale for […]
We’ve all used Excel at some point in our careers, but chances are most of us have only scratched the surface of what this ubiquitous program can do. From automating simple tasks to presenting data through beautiful charts and PivotTables, Excel brings a ton of utility to the table that can make a huge impact […]