Do you disable hyperthreading? (poll)

[moproblems99]

I see it totally opposite of that. The attic vent is located on the extreme outer perimeter of my home. And while my attic vent may be open, the extreme outer perimeter of my computer network is my router and it definitely is NOT open for anyone to crawl through.

A more applicable "house" analogy for me with this flaw would be if I left a stack of $20s in a lock box hidden in one of the 6 closets in my home. But the "flaw" is that the lock is broken on the box and a badguy can easily open it with a screwdriver - no key required. But to get those $20 he would have to breach my outer perimeter, crawl very quietly through the attic access panel to drop down (again very quietly) into the living area, get past my puppy dawgs without waking them, find the correct closet, find the lock box hidden in that closet, take the money then escape out of the house - all without running into me and my Glock 17 hollow-points waiting to remove the entire back of his skull. If he can do that, he can have the money.

I wasn't looking for an exact analogy, honestly. The gist of what I was saying is that turning a door handle or sliding up (or sideways) a window is much easier than climbing stucco and going through my relatively small attic vent.

Even so, I made the bigger mistake in even referencing a house because no attacker is going to go through this much trouble for you (or me) when they could simply go through one of the shittiest protocols we have - http.

This attack is only going to target government and financial targets. So for that analogy, I should have used: This means the attacker doesn't have to trick the security guard because an hvac grate isn't on so they can sneak through the hvac ducting if they can figure out the maze.

 

[Bill_Bright]

Even so, I made the bigger mistake in even referencing a house because no attacker is going to go through this much trouble for you (or me) when they could simply go through one of the shittiest protocols we have - http.

Fortunately, we are finally moving on to https - not the cure-all but much better. But your point is still the same. Unless a hacker is targeting you specifically (and then you likely have bigger security issues to deal with) this flaw is not a problem.

 

[dirtyferret]

No, those Intel bastards turned off the HT on my 8600k in manufacturing without my vote!

 

[Metroid]

You should disable hypertreading only if you dont know how to secure yourself from the internet and you use your computer for financial transactions. Remember that , using online banking even if you secure yourself from the internet is not 100% safe so be just like me, never use the computer for online banking. Better be safe than sorry.

 

[Bill_Bright]

using online banking even if you secure yourself from the internet is not 100% safe so be just like me, never use the computer for online banking.

I think that is a bit extreme and going overboard.

I am much more worried about my bank being hacked than my system. So I will continue to pay my bills on-line, purchase from Amazon and NewEgg and Walmart on-line. Just as I will use secure messaging to contact my doctor and order prescription refills from my pharmacy on-line. But I will keep Windows and my security current. And I will avoid being "click-happy" on unsolicited links, downloads, attachments and popups.

I note, however - to your paranoid side - I do this only on my "Ethernet" connected PC. Not with my wireless connected notebook and never over my cell phone - even though I feel those two methods can be adequately secured too.

 

[trparky]

That's assuming they even could - which is unlikely since it assumes the bad guys can just slip on past all the other computer and network defenses, plant and execute the code to exploit the vulnerability - while remaining undetected.

Considering that your web browser is essentially running untrusted code (in this case, Javascript) a web browser can be the doorway into your system. Granted, if you use an ad blocker you generally reduce this potential threat by a significantly large amount but the threat is technically still there.

As for me turning off Hyperthreading? Nope, I would demand a check from Intel first before I turn off a feature that I paid for.

 

[moproblems99]

Fortunately, we are finally moving on to https - not the cure-all but much better.

Yes, https is better. But the foundation of https is still critically flawed which leaves the whole building shaky. We'll get it right eventually.

 

[R-T-B]

I did not. I used the mitigations though.

Something to keep in mind is all you have to do is execute malicious javascript on a webpage to be affected by this one in a useful way... that alone makes it bother me far more than meltdown/spectre.

I'm More worried about the CIA Telapaths accessing my organic CPU than these Speculative Vector attacks

I think you are safe there. I do genuinely worry about this vulnerability for clients and spectreclass ones in the cloudspace. There, they all have massive potential for havoc if ignored.

 

[Deleted member 50521]

I see it totally opposite of that. The attic vent is located on the extreme outer perimeter of my home. And while my attic vent may be open, the extreme outer perimeter of my computer network is my router and it definitely is NOT open for anyone to crawl through.

A more applicable "house" analogy for me with this flaw would be if I left a stack of $20s in a lock box hidden in one of the 6 closets in my home. But the "flaw" is that the lock is broken on the box and a badguy can easily open it with a screwdriver - no key required. But to get those $20 he would have to breach my outer perimeter, crawl very quietly through the attic access panel to drop down (again very quietly) into the living area, get past my puppy dawgs without waking them, find the correct closet, find the lock box hidden in that closet, take the money then escape out of the house - all without running into me and my Glock 17 hollow-points waiting to remove the entire back of his skull. If he can do that, he can have the money.

Good to see some fellow proud gun owners for home defense.

 

[R-T-B]

The difference here is these are silicon level vulnerabilities, that further more allow privilege escalation as far as SYSTEM. SYSTEM is god, like linux root. So you may have your glock, but the intruder is suddenly God, Jesus, Buddah, Thanos with the Infinity Gauntlet, [Insert infinite list of bullet immune dieties here]

Once he's in, you better reinstall or hide, depending on analogy. Or you/your system may be a pile of ash soon.

 

[Bill_Bright]

a web browser can be the doorway into your system

"Can be" and "is" are two different things. There will always be "what ifs" to illustrate exceptions and extremes to the norm. That does not mean it is likely to happen.
"IF" you connect to a network that has internet access, you are exposed and vulnerable at some level.

Good to see some fellow proud gun owners for home defense.

Not sure "proud" is the right word. I wish I never felt I might need one (and I live in a nice neighborhood). But when there are scumbags like these running around, not sure we have much choice.

I did not spend 24 years in the military defending our rights only to have others trample on mine. But I don't, for example, agree with most of what the NRA stands for.

I sure am not ashamed to be a gun owner. But I did it the right way - I took several basic, intermediate, and advanced classes before I bought mine. I am fully, and willingly CCW licensed, and I have gone through several 1000 rounds at the range to get into and remain practiced. And most importantly, I am willing, able, and ready to use it - "IF" necessary - and won't hesitate to either.

 

[Mr.Scott]

Not sure "proud" is the right word. I wish I never felt I might need one (and I live in a nice neighborhood). But when there are scumbags like these running around, not sure we have much choice.

I did not spend 24 years in the military defending our rights only to have others trample on mine. But I don't, for example, agree with most of what the NRA stands for.

I sure am not ashamed to be a gun owner. But I did it the right way - I took several basic, intermediate, and advanced classes before I bought mine. I am fully, and willingly CCW licensed, and I have gone through several 1000 rounds at the range to get into and remain practiced. And most importantly, I am willing, able, and ready to use it - "IF" necessary - and won't hesitate to either.

Wow, there IS something I like about you after all.

 

[bogmali]

Thread topic is HT yes or no and why.....that should be the only response and nothing more. Next off topic poster gets thread-banned

 

[FordGT90Concept]

If I were running VMs with multiple clients that handle sensitive information, yes, I would disable it because I have an obligation to keep VMs secure. But I don't, so I don't. HT doesn't expose anything that software running on the machine doesn't already have access to. There's no security gating I need to worry about on my systems.

I expect Microsoft/Intel to come up with a solution and will inevitably get that. Beyond that, don't really care.


My biggest concern is that software gets pushed to me (e.g. by Steam) that does side channel attacks but that's always been a risk. MDS doesn't really represent any new threat outside of the context of VMs. Malware gonna malicious.

 

[lexluthermiester]

My vote is no. Here's why; These vulnerabilities are very similar to the Spectre/Meltdown problems from last year. They are VERY(read near impossible) to pull off remotely and they are difficult even when an attacker has direct physical access to the system in question. Taking precautions is always wise, however it's not always practical for every vulnerability, and these latest series of them simply will not affect the end user any more than the previous lot.

Considering that your web browser is essentially running untrusted code (in this case, Javascript) a web browser can be the doorway into your system. Granted, if you use an ad blocker you generally reduce this potential threat by a significantly large amount but the threat is technically still there.

While that is true, a web browser can not be configured to run in such a way that would make it a gateway to take advantage of these types of vulnerabilities and become an attack vector.

 

[FordGT90Concept]

...they are difficult even when an attacker has direct physical access to the system in question.

That's what is different with this one: HTT grants near real-time access to the other executing thread on the core (security layers be damned). It's not just snatching a bit once in a while; it's practically a verbatim copy. That's why Intel itself recommended disabling HTT.

 

[Aquinus]

That's what is different with this one: HTT grants near real-time access to the other executing thread on the core (security layers be damned). It's not just snatching a bit once in a while; it's practically a verbatim copy. That's why Intel itself recommended disabling HTT.

The buffers still contain data from the last process that ran on the CPU... sometimes. So basically, you would have to be lucky enough for the CPU to switch contexts at just the right moment and on top of that, your process would need to be the next one to be executed. On top of that, the PoC doesn't always expose the hole and they suggest you force the CPU to full clocks and stuff to make it work. So, you would need to know exactly what to look for and when to look for it and the stars would have to align for everything to occur in a way for it to be useful while putting the machine into a state where it's likely under full load. So not only are you not likely to find what you're looking for, you're going to be letting people know you're doing something.

To me, this isn't a vulnerability, it's errata.

 

[moproblems99]

They are VERY(read near impossible) to pull off remotely

Why do people still say this when it is not even remotely true?

 

[Aquinus]

Why do people still say this when it is not even remotely true?

Because for MDS, it is? In Linux you need to be logged in to the system as root to exploit MDS. If you're malware and you have root access, that's definitely not the low hanging fruit.

 

[biffzinker]

No for me because Ryzen 5 2600X.

 

[moproblems99]

Because for MDS, it is? In Linux you need to be logged in to the system as root to exploit MDS. If you're malware and you have root access, that's definitely not the low hanging fruit.

It is no where near impossible.

Edit: Like I said before, I agree that this is not going to be the first hammer they pull out of their tool bag.

 

[Aquinus]

It is no where near impossible.

Edit: Like I said before, I agree that this is not going to be the first hammer they pull out of their tool bag.

Just look at all of those software examples of real usage of how to exploit spectre v1 for malicious intent.

Seriously, the difficulty of exploiting MDS for anything other than a mere PoC makes it not feasible as a vector for attack, even if you do have root access. Literally anything else is lower hanging fruit.

Exploiting it also means exposing yourself. You try an attack like this and the clock will start ticking very quickly before a sysadmin realizes what you're doing because they'll be wondering why the load average is abnormally high for this exploit to even work properly. So, good luck with that.

 

[moproblems99]

Just look at all of those software examples of real usage of how to exploit spectre v1 for malicious intent.

Seriously, the difficulty of exploiting MDS for anything other than a mere PoC makes it not feasible as a vector for attack, even if you do have root access. Literally anything else is lower hanging fruit.

Exploiting it also means exposing yourself. You try an attack like this and the clock will start ticking very quickly before a sysadmin realizes what you're doing because they'll be wondering why the load average is abnormally high for this exploit to even work properly. So, good luck with that.

I'm not disputing the feasibility of the attacks. I'm disputing the notion that you need physical access and/or root is nearly impossible to get. As my edit implies, there are many, many, many paths an attacker would take before even thinking of using this one.

 

[lexluthermiester]

Why do people still say this when it is not even remotely true?

Because some of us understand how these problems work and know enough to know that remote implementation of an attack that can exploit these types of vulnerabilities is not going to be anywhere near easy. "Dubious at best" would be a better way of putting it.

Please keep in mind, there is still no known exploits in the wild for any of the Spectre/Meltdown type vulnerabilities. This fact alone should be enough of an indication of how difficult it is to use such an attack.

 

[Aquinus]

I'm not disputing the feasibility of the attacks. I'm disputing the notion that you need physical access and/or root is nearly impossible to get. As my edit implies, there are many, many, many paths an attacker would take before even thinking of using this one.

..and that is hard and this exploit is harder. That's my point. Why disable SMT when using the exploit is more difficult than circumventing root access on a Linux machine?