Meltdown and Spectre exploits
 

https://meltdownattack.com/
2 exploits in intel/amd/arm cpus. Most linux distributions already have patches (albiet that slow down the system a bit).

I wouldn't want to be a VPS provider right now :thumbsup

As far as I know meltdown works only on Intel.. the second one - spectre is for all three.

Correct. I'm surprised no one is talking about this on here - it's literally the largest security hole ever.

ha jokes on INTEL , i use AMD,

who knows, how many reputable apps have already stolen shotloads of data., and this day data = money.,

Fix yet?

Nah first the Intel CEO had to sell some of his stocks before it hit the news :)

https://www.cnbc.com/2018/01/04/inte...ity-flaws.html
Intel CEO Brian Krzanich sold off a large chunk of his stake in the company after the chipmaker was made aware of serious security flaws, according to multiple reports

"2 exploits in intel/amd/arm cpus"

And how fix it?

Meltdown via software patches that slow down cpu 5-30%. Spectre supposidely unfixable.

Sell them stocks..

How do computer get the aids? Not remotely attack like heart bleed? Not by visiting website?

Maybe have to put exploit on executable? Put code with a bejewdled game then bad guy gives computer aids and reads your password?

Pretty crazy right. It won't really effect home users much but it's going to be a big problem at the server level. :helpme

Spectre is executable via javascript.

Hmm, Note just Node.js problem? Look like possible to escape browser sandbox? Ignore Same Orgy Policy on websites.

https://www.react-etc.net/entry/expl...via-javascript

I was wondering the other day if a major crypto exchange I use is "in the cloud", and if so, what that may mean for security.

My mild concern becomes more serious after learning of these new attack vectors, considering that it may be possible for another customer to access arbitrary memory on the same host. To steal funds from a Bitcoin address all you need is a 32 byte private key.

To elaborate further: that is really all you need to steal someone's Bitcoin balance. You don't need to be able to control the victim's computer/VPS in any way, nor do you need access to the file system. You just need to grab those 32 bytes of private key (for each address) from the victim's (running) Bitcoin client, then import them into your own wallet. The victim no longer has control of the funds once you move them to your own address.

You don't even need to know if any given 32 byte string is a Bitcoin key. You can just import it and let the client figure out if it owns any funds.

This only applies to someone that?s running bitcoin on a vps/cloud server which is less then 1% of users

How many exchanges do you think run on bare metal? I bet a lot of them rely heavily on cloud instances in order to scale.

Consider also that even a dedicated server could be attacked via another vector. A process which is running chrooted/jailed, such as a coin daemon, could be examined by an exploit in another part of the server.

Yes it?s possible but there have always been exploits un known out there I have a system that has kept me and my customers safe for along time that I won?t be posting here 🙃

I think most of them are running on bare metal, with CDN's in front. Bittrex is behind cloudflare. Cloudflare would be vulnerable, and it acts like a proxy for requests between you and bittrex. Besides that, this could be used to steal google authenticator tokens for the two-factor logins on sites.

This page has a good technical-but-not-excessively-technical explanation of how the attacks work. It's on the Raspberry Pi site but it's not really Pi specific.

https://www.raspberrypi.org/blog/why...e-or-meltdown/