Two days ago, an industry/academic team released a terrifying alert about a pair of CPU bugs called Spectre and Meltdown that allowed one program to steal data from another, even with the best memory-management and isolation techniques -- news that meant that virtually all the mission-critical computers in the world could no longer be trusted to handle sensitive data securely.
Both bugs attack "speculative execution" -- a performance-enhancing technique used in microprocessors, in which the processor makes shrewd predictions about operations it will be asked to undertake in the near future and does that work proactively, discarding the results when it guesses wrong. Because speculative execution is so important to processor speed, the initial news alerts warned that mitigation would impose performance hits of up to 30% on processors.
Yesterday, the Google Security Blog featured an analysis of two new techniques for guarding against Spectre-style speculative execution attacks: "Retpoline" ("a binary modification technique that protects against 'branch target injection' attacks") and "Kernel Page Table Isolation" ("a general purpose technique for better protecting sensitive information in memory from other software running on a machine"), both of which had been deployed to all of Google's worldwide Linux systems, which power the majority of Google's services.
On these systems, the mitigation techniques imposed "negligible impact on performance" -- a far cry from the 30% we were warned of the day before. Google warns that your mileage may vary: since these techniques guard against interference with speculative execution, their impact may be highly application-specific, so Google advises "thorough testing in your environment before deployment; we cannot guarantee any particular performance or operational impact."
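Before testing performance, it helps to confirm which of the two mitigations a given Linux host is actually running. The script below is an added example, not code from Google's posts: it reads the kernel's sysfs vulnerabilities directory (available since Linux 4.15), and the verdict names and the `audit`/`classify` helpers are this example's own.

```python
"""Report whether KPTI and retpoline are active on a Linux host."""
import os
import sys

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"

# sysfs file -> (mitigation named in the article, keyword expected in its status line)
CHECKS = {
    "meltdown": ("Kernel Page Table Isolation", "pti"),
    "spectre_v2": ("Retpoline", "retpoline"),
}

def classify(status, keyword):
    """Map one sysfs status line to a verdict for the expected mitigation."""
    s = status.strip().lower()
    if s.startswith("not affected"):
        return "not-affected"
    # Checked before the keyword: some kernels report e.g.
    # "Vulnerable: Minimal generic ASM retpoline" when the compiler lacks support.
    if s.startswith("vulnerable"):
        return "vulnerable"
    if s.startswith("mitigation:"):
        # A different mitigation (e.g. "Enhanced IBRS") may be in use instead.
        return "mitigated" if keyword in s else "mitigated-other"
    return "unknown"

def audit(sysfs_dir=SYSFS_DIR):
    """Return {sysfs file: (mitigation label, verdict, raw status line)}."""
    results = {}
    for name, (label, keyword) in CHECKS.items():
        try:
            with open(os.path.join(sysfs_dir, name)) as fh:
                status = fh.read().strip()
        except OSError:
            # Kernels that predate the sysfs interface have no such file.
            results[name] = (label, "unknown", "status file not readable")
            continue
        results[name] = (label, classify(status, keyword), status)
    return results

def main():
    results = audit()
    for name, (label, verdict, raw) in results.items():
        print(f"{name:11} {label:28} {verdict:16} {raw}")
    # Non-zero exit lets a fleet-wide check flag hosts that need attention.
    return 1 if any(v in ("vulnerable", "unknown") for _, v, _ in results.values()) else 0

if __name__ == "__main__":
    sys.exit(main())
```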
Google’s Mitigations Against CPU Speculative Execution Attack Methods [Google Help]
More details about mitigations for the CPU Speculative Execution issue [Matt Linton/Google Security Blog]
(via The Verge)