Very good presentation. AMD processors aren’t affected by the Meltdown bug. Chips from Intel, AMD, and ARM are susceptible to Spectre attacks. Run your OS, security, and internet browser updates regularly. Developers are rushing to patch them.
To extend the analogy used in the video: the unwanted meal is left on the counter before it is thrown away, and can be picked up for free by another customer.
Jackson Shelton Speed. If you flush the entire cache, that would take so much time to re-add everything else. Now, if you wanted to somehow tag the execution that wasn't supposed to happen and clear part of the cache, then maybe, idk though. Main thing here is speed.
I still don't understand why the data being thrown away isn't secured. Considering how connected everything is that seems like a very strange oversight.
The data can't be accessed directly. It's already "in the trash". No one thought it needed to be secured. Reading this data isn't just something you can do as if it were normal data. You have to ask the CPU to perform some operation, and time it to see if it's hitting the cache or not.
Sad that this makes like the slowdown will affect all computers, which is a hidden lie. Only Intel PCs will be slowed down. Why is it so difficult to be honest????
+Paul Frederick But Intel ones do it in a particularly aggressive way and are vulnerable to all three types of attack. Other ones are not so badly affected. This article fails to make the distinction, which is disappointing for a Red Hat video.
The bottom line is a proof of concept is still not proof that a genuine threat exists. As there is no known exploit to take advantage of this vector. Besides that there is nothing on my PC that someone can't download off github anyways. So I just don't care. No one is going to steal the launch codes out of any of my PCs.
Paul Frederick you miss that only Intel is affected by Meltdown, not any other CPU maker. It is the most serious of the bugs, also causes the most performance loss with the patch. That is the issue. Just do some research on it.
1:37 You just said speculative execution was created in the 1960s. Odd that you'd not only suggest that but implicitly compare it to Intel's adoption of it in the late 90s. This video makes me doubt the reliability of Red Hat. Good thing I have absolutely nothing to do with servers or enterprise use of computers and processors. Maybe you should be a bit more careful what you say and how you say it. Otherwise people who have some knowledge of computers, such as myself, might think you're a little cuckoo for comparing mainframe computers in the 1960s to the Meltdown/Spectre security vulnerabilities in modern computers or computers just five years ago.
I think this video was done cheaply and without much thought as a kind of wimpy placebo to ignorant people so they don't panic. Instead of coming from a place of understanding, it comes from a place of wanting to comfort others as with a teddy bear or a thick comforter. Google's ads for Chromebooks are more honest and straightforward than this ad suggesting we should relax and do what technology companies tell us. At least this is far enough in the past that it's already been dealt with. Because if it were up to Red Hat, we'd all be told fairy tales and sung lullabies while a mainstream and critical vulnerability puts our computers and data at constant risk of theft and corruption.
I just discovered your channel with this video and I think it's just incredible, very easy to understand and beautiful, but there are not enough other videos of this kind on the channel. Your work is so good!
Just because you say it can be done does not mean it can be done. If you want me to believe it you're going to have to tell me how it is done. Otherwise it is just words. Plus who thought it was a good idea to cache flushed out branch data anyways? Why was that done? Also if I have no sensitive data on a system why should I care? If someone wants anything on any of my systems they can download most of it from github pretty easily now. Why should they go through the trouble of cracking my system to get it? A lot of this is striking me as an elaborate scheme to get people to upgrade. Oh bogeyman, you'd better get the latest whizbang so and so to protect yourself.
If the data is discarded because it's unused/unneeded, why is it saved in cache? Why not just periodically purge the cache if it for some reason needs to be saved?
Cache will be overwritten when new memory is read, so it is unnecessary to ever clear the cache. To purge for security purposes requires writing over that portion of the cache, which impacts performance.
A nice scary cartoon to frighten the children but grossly oversimplified with no attempt to differentiate between Meltdown and the two different variants of Spectre. No mention that some architectures are less vulnerable than others. This is muddying the water, just like Intel's press release.
johnm2012 ya, but this is more geared towards the average user, not someone familiar with the craft. You can argue we've been muddying the sophistication of computers for a while now, but that's how it's always been: make it simple for the average person to use one.
Vezon-7 I'm not against clear explanations for non-technical people but what this video says is only partly true. On the one hand, Meltdown only affects Intel and some ARM processors but can be mitigated by a patch. On the other hand, Spectre affects pretty much all current processors but has no patch. The video ought to have said that.
A lie is still a lie, whether you tell it to the learned in a complicated way or the general public in a simple way. This is clearly the Intel propaganda machine at work.
For those interested, I gave a keynote about the technical specifics of these vulnerabilities: ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-2kCDPCgjlJ4.html
Just as an expansion on the Diner reference: What was/is supposedly happening is that Speculative Execution was/is causing *sensitive information* to be processed before the command that the processor shouldn't be processing that information for security reasons. *Since the processor doesn't need the sensitive info it's already processed, it was thrown away into the cache he talked about above.*
Well, in the whole video I did not hear the words Meltdown and Spectre. Video is a bunch of misinformation. RedHat, advice: "Hi, all, Spectre is... and Meltdown is...". That's what I expect when I read such titles...
I'm curious... I wonder who discovered the speculative execution exploit. Pretty smart; it's been overlooked for many years. If they would have kept it secret, they could have done quite a bit.
Is this video made by Intel? The info is indeed right but not everything is told. Since this is a hardware problem, all those patches are useless; they can't change hardware, and hackers will find a way to reengineer the patch and do harm to computers. So yes, patches are temporary solutions, but they WILL NEVER fix the problem.
There is no patch for it, do not mislead people. Not software-wise: you blacklist one version of it, a programmer will just change one small thing, and it will become a different thing.
It is pretty easy to disable JavaScript. If that is the only attack vector I think we can all do that. Then the dumb ass web developers will just have to figure out another way to collectively annoy us.
As an IT Security Analyst I find that most videos tell us that an issue exists but don't say how to fix it. Imagine how people feel when they find out that someone can come and take your shit. Try it out. Talk to non-tech people and scare them with all the shit that could happen and just walk away. It will be funny for sure because they are super paranoid and have no idea how to protect themselves. I wish this video explained more on how to patch with software, firmware or things to look for.
Well, everything comes out after a leak, but if you're a good hacker you never share your knowledge. There is always a way to get into a system and grab data. It should work like that lol. And why does it throw unused data away! Passwords and all lol. Why NOT DELETE it LOL. Why is a password unnecessary data? Just keep it there, voilà, fixed.
Jari Sipilainen No data is truly "deleted" on a computer; the computer just flags it up to be overwritten if another program needs it. But the data technically is still there till overwritten.
I’m not totally getting this point. I thought that the CPU just did the processes commanded by the operating system and then once processed, the operating system would carry out the rest of the task. I’m knowledgeable with computers but not with more in-depth topics like this.
Still don't get it. How does the "cyber criminal" enter my computer then? Does this flaw make it easy for hackers to get into my computer, or do they still need to make a virus to exploit it? If I use my computer "normally" I shouldn't have any issues, or is there something I'm missing?
Current information indicates that you still have to get malicious code from somewhere for the exploits to be significant. That can be websites, programs, etc. Let's set up an example where you use your computer normally (don't pirate, don't go to malicious websites) and can still be affected if the design flaw doesn't get addressed: Say someone gets into Oracle's system - or any other software provider for that matter (recent example of this is CCleaner) - and sends out a software update with a virus in it based on one of the speculative execution exploits. You update the software (or it's set to automatically update) and thus get the malicious code with it. The program then starts to instruct your processor to send the data that it "trashed" into its unprotected cache (aka "very short term memory") partition to the hacker. This can be basically any type of data including the user's password, credit card numbers, etc. The reason the data is dumped into that unprotected part is because the program that the processor "pre-calculated" it for didn't end up using it.
+Deb J Intel's branch prediction is more aggressive than AMD's - an architectural difference that increases performance but, as an unforeseen side effect, also compromises security. The Meltdown patch will restore security to Intel PCs but there is a performance hit. For most home users this will probably not be noticed but server admins in data centres will notice a measurable loss of performance on Intel systems. AMD systems do not need the patch. Spectre is a different but related set of vulnerabilities that affect all modern processors to a greater or lesser degree. It's rather more obscure and there is no patch for it. Intel is affected and so is AMD, but to a lesser extent due again to differences of architecture.
sklgromek AMD aren't affected because they don't implement the optimization function that makes the exploit possible, but they didn't know about that, they just didn't optimize their models.
sklgromek you ppl need to be thankful for Intel, they’re the ones trying to protect your ass, it’s a good thing it was discovered now it’s time to work on it
Nope, far from it. Intel knew about it long ago; the word is that they were aware of it as far back as a decade ago, yet ignored it. Some experts even warned the public decades ago that it might become a serious issue later on, which now it is.
Unfortunately most people are clueless and gullible for this kind of Intel lies being spread. They'll keep on buying Intel's garbage and eat up the lies. The world is in a bad place!
Back in the 1960s it wasn't an issue? Shouldn't you plan and future-proof anything as much as possible? Looks to me like they got lazy and weren't really thinking ahead with their engineering.
No one knew? I highly doubt that. It was said that it affects certain or most CPUs from the last 15 years or so. I'm sure someone knew for a long time now and just did not say so to the public. Who's to say it was not known until recently?
I'm sure you would've thought of that problem if you were a microarchitecture designer in the 60's instead of "getting lazy and not thinking ahead with your engineering"
If it had back door access then yes. You might not be able to plug every hole, but not checking the important one throughout its research and development cycle over the decades is not helping.
+miLk2k No one? There's 7.6 billion people around the world. Computer technology got bigger and bigger in the 1980s and 1990s. The internet didn't get better until after the early 2000s. So don't say no one knew. Bullshit!
This is something that lasted for years. And it is done on purpose. When someone found out, it suddenly came out in broad daylight. So, hackers didn't use it, someone else did. Now I wonder who. I can presume, but someone used this.
No, how would the computer know ahead of time what parts of code or function calls not to execute without a serious performance hit? Maybe they could pass a token to indicate these blocks, but I think that would require a hardware revision and definitely an OS patch. That is probably a bad idea too because you might still get a performance hit with that too. I am sure they have thought of something better by now.