Given you are browsing Steemit, it would be fair to assume you have a decent understanding of computer bugs and the dangers they cause. In the modern technological environment we live in, bugs leak our passwords and steal our sensitive data. To combat this, we deploy countermeasures such as virus scanners, firewalls, and software best-practice, which aim to keep us safe in this hyper-connected world.
Unfortunately, Meltdown and Spectre are not your bog-standard software bug or virus - Meltdown and Spectre are hardware bugs. They exploit critical vulnerabilities in modern processors, including all Intel, AMD and ARM computer chips. This means you are almost certainly affected.
Meltdown and Spectre allows programs to steal data from your machine that is currently being processed or used by another application - including your Steemit password. While under normal circumstances programs are not permitted to read data from other programs, exploiting Meltdown and Spectre allows a malicious program to circumvent this limitation. The result is a potent attack vector that can pull your passwords stored in a password manager or browser, or any other files being accessed, including your cryptocurrency wallet keys.
What is Meltdown?
The Meltdown bug enables an attack vector that circumvents the fundamental isolation between your Operating System (OS) and any program running on your machine. As a result, ANY program running on your machine can use the bug to access the memory of the OS.
This means that until your operating system is patched, it is impossible to work with ANY sensitive information without risking it being leaked to a third party. To highlight the severity of the situation, Bitcoin Core contributor Jonas Schnelli said:
"a browser plugin or even a website may access your private keys"
Don't take this lightly.
Meltdown was discovered and reported independently by 3 teams of researchers. These were from Google Project Zero, Cyberus Technology and Graz University of Technology. You can read the academic article detailing Meltdown here.
What is Spectre?
Spectre is a lot like Meltdown, but breaks the barriers between individual programs as opposed to between a program and the OS. It is far harder to mitigate than Meltdown, as it actually benefits from the increased attack surface generated by safety checks meant to maintain this barrier. Further, there is no known way to patch this as of yet, with the only solution appearing to be new hardware.
Spectre was discovered and reported independently by 2 people. These were Jann Horn from Google Project Zero and Paul Kocher. You can read the academic article detailing Spectre here.
What Should You Do?
For general computer users, the best that you can do right now is patch your OS. Patches have been released already against Meltdown for Linux, Windows and OS X in the form of KAISER, which is a kernel modification to not have the kernel mapped in the user space. Unfortunately, the KAISER patch brings with it an estimated 30% degradation in processor speeds. Furthermore, Spectre is much harder to mitigate, and work on potentially patching this is ongoing. This may prove impossible, which could lead to an insane world-wide CPU recall that we do not have the manufacturing capability to handle.
For crypto users - this is a good time to invest in a hardware wallet. The two most commonly used cryptocurrency hardware wallets, Trezor and Ledger, have both stated explicitly that their products are not vulnerable to either Meltdown or Spectre. Pavol Rusnak, CTO of Satoshi Labs, the manufacturer of Trezor said:
" @TREZOR is not vulnerable to recent Meltdown and Spectre hardware attacks, because it has processor not affected by these. Also our firmware is always signed, so the device never runs untrusted code. Using a hardware wallet is now more important than ever.”
To revisit the scale of this attack vector, I will close with a comment by Nicole Perlroth - NYT Cybersecurity Analyst:
“Meltdown and Spectre show that it is possible for attackers to exploit these design flaws to access the entire memory contents of a machine. The most visceral attack scenario is an attacker who rents 5 minutes of time from an Amazon or Google or Microsoft cloud server and steals data from other customers renting space on that same cloud server.”
Act now.
Content Credit:
Meltdown & Spectre, Techcrunch
