From: nospam <nospam@nospam.invalid>
Subject: Re: Your computer will be slllowwwwing dooowwwnnnnnn....
Full headers:
Path: news.netfront.net!goblin2!goblin1!goblin.stu.neva.ru!eternal-september.org!feeder.eternal-september.org!reader02.eternal-september.org!.POSTED!not-for-mail
From: nospam <nospam@nospam.invalid>
Newsgroups: rec.photo.digital
Subject: Re: Your computer will be slllowwwwing dooowwwnnnnnn....
Date: Sun, 21 Jan 2018 12:14:02 -0500
Organization: A noiseless patient Spider
Lines: 136
Message-ID: <210120181214020969%nospam@nospam.invalid>
References: <8e70b980-876c-4911-b43a-86bc976726cc@googlegroups.com> <p3qk14$e58$1@dont-email.me> <e3b9e67a-71a6-4a1b-b3e2-df3b9f36b25d@googlegroups.com> <p42bh5$qrr$1@dont-email.me>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Injection-Info: reader02.eternal-september.org; posting-host="3c911a14f6ec84f6642d0abc109f8023";
logging-data="5901"; mail-complaints-to="abuse@eternal-september.org";posting-account="U2FsdGVkX18GPu8rrUvH+OITgudH8nMZ"
User-Agent: Thoth/1.9.0 (Mac OS X)
Cancel-Lock: sha1:K+9nlbYfFFEH/LpW22tC7kJUq6M=
In article <p42bh5$qrr$1@dont-email.me>, Mayayana <mayayana@invalid.nospam> wrote:

> | I switched to AMD when the 386DX-40 came out.  But other devices have
> | Intel in them besides home computers so you may have one and not even know
> | it.
> 
>   You haven't bothered to answer my question, but
> I've been trying to keep up on this issue. It turns
> out you're right:
> 
> https://www.techarp.com/articles/intel-amd-arm-cpu-bug-4/
> 
>    That site even lists known CPUs at risk. With
> Apple it's pretty much everything. Android doesn't
> seem to be much better.

it affects just about everything from everyone. 

also note that amd initially said it wasn't a problem and then changed
their tune. they're being sued over that bit of misrepresentation, btw.

at least the apple watch is safe. 

the real problem is that older devices are unlikely to be patched, a
very big problem for android. most android devices currently in use
will remain vulnerable, making for a *huge* target surface, more so
than it already is.

other devices, such as routers and nases are also at risk, however,
they don't normally run third party apps, so although the flaw exists,
it's unlikely to be used. that is, unless one installs a compromised
app on one. 

>   That adds a whole new wrinkle. For anyone
> on a computer, especially using AMD, the actual
> risks are very slight: An attacker has to go
> through a browser, or similar Internet-connected
> software, or be installed. Installed software can
> already access data, so the real issue is script
> in the browser or malware. Script can be
> limited. Malware is already a risk. And browsers
> are being updated.

it's more than slight and not just scripting, but yes, everything is
being updated. 

except for windows xp, so you're screwed.

>   Even if you allow script and get attacked, there's
> very little risk. An attack on AMD can only read
> random memory from other programs. An attack
> on Intel can read all memory, but there still has
> to be something worth reading.

the problem is there's no way to know what data you're going to get.

it might have passwords or other useful data, or it could be a couple
of frames of a youtube cat video. it might even be one of your usenet
posts.

>    So a running password manager with your banking
> password might have a longshot chance of giving
> up that password.
> 
>  On the other hand, even if you're reckless enough
> to do online banking, what nut would put that
> password into a password manager? There is a
> tiny chance that your credit card number could
> be stolen if you shop with multiple browser windows
> open. Don't do that. There's no need.

online banking and shopping is not reckless and using a password
manager is a *very* *good* idea, one which makes you *less* at risk. 

there's also no need to enter in a credit card number anymore for most
sites (although it often remains an option for the unaware).

as usual, you don't understand how things work.

the actual risk is how secure the merchant's system is, not yours, as
the merchant is a *much* bigger and far more valuable target.

one exploit can net a *lot* of card numbers, as it did with oneplus:

<https://www.tomsguide.com/us/oneplus-credit-card-fraud,news-26466.ht...
  OnePlus is investigating complaints from at least 170 customers who
  encountered fraudulent charges on their credit accounts shortly after
  buying items on the OnePlus website. Earlier today (Jan. 16), OnePlus
  said it's temporarily halting credit card payments at its website
  while it continues to investigate.

just three days later:
<https://forums.oneplus.net/threads/jan-19-update-an-update-on-credit...
rd-security.752415/>
  We are deeply sorry to announce that we have indeed been attacked,
  and up to 40k users at oneplus.net may be affected by the incident.
  We have sent out an email to all possibly affected users.
....
  Some users who entered their credit card info on oneplus.net between
  mid-November 2017 and January 11, 2018, may be affected.

>   You have to remember context in general. A
> "smart" door lock? It might be vulnerable, but
> there's nothing there to exploit it. 

other than the contents of your house, you mean.

but there's no need to have a smart lock to be vulnerable. just about
every lock is easily picked in just seconds. including the one on your
front door.

or just break a window and climb in. even the strongest lock won't
prevent that.

> A "smart"
> frig? Again, it's running alone. Even if such an
> item could be exploited, will Chinese hackers
> profit by knowing you're low on mayo? This is
> not a takeover bug. It's a data stealing bug. 

at least one smart fridge has a camera inside it that identifies what
food you have in it and lets you know when you're running low on stuff.

it's a marketer's dream, because now they know what brands you buy
*and* when and how often you open the fridge.

and since the fridge is on your local network, there may be other stuff
it can find out...

of course, this is easily secured, but most people don't bother.