Meltdown and Spectre

Friday, January 5, 2018 

I find the Meltdown/Spectre drama a bit amusing. Years ago, I was miffed that Intel (allegedly?) made a backroom deal with server manufacturers to exclude AMD and made an effort (which wasn’t trivial) to find an IBM x3655 7943 (I couldn’t, but I got an Intel-based x3650 and an x3655 mobo on eBay, then some QC AMD Opterons, heat sink compound, and off I went.)

Kind of a frankencomputer, but less so than my previous Netfinity 5500 M20 quad socket home server with some homebuilt mods and custom EIDE cables to support the internal (full height! 5.25″!) backup drives.  Ohh… 500GB drives were big back then.

Anyhow, for no better reason than that I was offended by Intel’s tactics a decade ago, my server isn’t vulnerable to “Meltdown” or, according to AMD’s recently posted status, “Spectre 2.” As it doesn’t have a GUI, nobody is browsing compromised JavaScript-bearing websites on it, so Spectre 1 is unlikely to cause any problems, though I’m keeping an eye on the LLVM updates.

I have, however, updated my phones and laptop, and you should too. Stay on top of this one for a while, as the updates are still coming. I’ve seen Meltdown-mitigating updates on my Samsung but not my Huawei, and on Linux but not (yet) from Microsoft. Apple says their December updates not only crippled your older iPhones so you’d make the pilgrimage to the Apple store for your Kool-Aid, but also patched them (if you accepted the slowdown penalty). Update. Everything. Spectre is going to be harder: OS, application and possibly microcode updates may be required, depending on platform. Be extra cautious about opening unknown attachments or visiting unfamiliar websites. Run NoScript or another code blocker. Remember, the ads that sites run can also carry malicious code, and blockers not only make the web run faster, but safer too. Of course, they break the advertising-funded web model you rely on.
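As an added illustration (not code from this post, and not the author’s own) of the Spectre variant 1 pattern mentioned above and of what an application- or compiler-level fix for it looks like: the C below shows the classic bounds-check-bypass gadget next to a hardened version that masks the index branchlessly, in the style of the Linux kernel’s array_index_nospec(). The arrays, stride and function names are constructed for the example; nothing here is from the post.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample data (not from the post): a small bounds-checked
 * "public" array. Whatever sits past its end in memory is what a
 * Spectre v1 attacker tries to read during misspeculation. */
#define PUBLIC_LEN 16
static const uint8_t public_data[PUBLIC_LEN] =
    {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15};

/* Probe array indexed by the loaded byte at a cache-line stride. The
 * second, data-dependent load is what turns a speculative out-of-bounds
 * read into a cache footprint an attacker can later time. It is filled
 * lazily so that probe[v * STRIDE] == v, which keeps the example
 * checkable without any timing code. */
#define STRIDE 64
static uint8_t probe[256 * STRIDE];
static uint8_t *probe_ready(void) {
    static int ready;
    if (!ready) {
        for (size_t i = 0; i < sizeof probe; i++)
            probe[i] = (uint8_t)(i / STRIDE);
        ready = 1;
    }
    return probe;
}

/* Classic Spectre variant-1 gadget. The bounds check is correct
 * architecturally, but while the branch is still being resolved the
 * CPU may speculatively load public_data[idx] out of bounds and index
 * probe[] with the result, leaving a cache trace of the secret byte. */
uint8_t vulnerable_gadget(size_t idx) {
    if (idx < PUBLIC_LEN) {
        uint8_t v = public_data[idx];
        return probe_ready()[(size_t)v * STRIDE];
    }
    return 0;
}

/* Branchless mask: SIZE_MAX when idx < size, 0 otherwise. This mirrors
 * the generic C version of the Linux kernel's array_index_mask_nospec():
 * for idx >= size the subtraction wraps and sets the top bit. Assumes
 * idx and size are both below SIZE_MAX / 2. */
size_t index_mask_nospec(size_t idx, size_t size) {
    size_t top = (idx | (size - 1 - idx)) >> (sizeof(size_t) * CHAR_BIT - 1);
    return top - 1;  /* top==0 -> SIZE_MAX, top==1 -> 0; nothing to mispredict */
}

/* Clamp idx to 0 on the (speculative) out-of-bounds path, so a
 * mispredicted branch can at worst load public_data[0]. */
size_t array_index_nospec(size_t idx, size_t size) {
    return idx & index_mask_nospec(idx, size);
}

/* Same gadget with the index masked after the check. Architecturally it
 * behaves exactly like vulnerable_gadget(); only the speculative path
 * differs, because the masked index can never reach past the array. */
uint8_t hardened_gadget(size_t idx) {
    if (idx < PUBLIC_LEN) {
        idx = array_index_nospec(idx, PUBLIC_LEN);
        uint8_t v = public_data[idx];
        return probe_ready()[(size_t)v * STRIDE];
    }
    return 0;
}

int main(void) {
    printf("in-bounds  idx=3:   vulnerable=%u hardened=%u\n",
           vulnerable_gadget(3), hardened_gadget(3));
    printf("out-of-bounds 100:  vulnerable=%u hardened=%u\n",
           vulnerable_gadget(100), hardened_gadget(100));
    printf("array_index_nospec(100, 16) = %zu\n", array_index_nospec(100, PUBLIC_LEN));
    return 0;
}
```

Both gadgets return identical results for every input; the vulnerability lives only on the mispredicted path and needs a flush+reload timing loop to observe, which this example deliberately leaves out. The kernel’s real x86 version uses inline assembly for the mask precisely because a compiler is free to turn the C above back into a branch, which is also why “application updates” for Spectre 1 mean recompiling with a compiler that knows about this (the LLVM work referenced above), not just patching the OS.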

However, if you’re dumb enough to have any important data (as an individual or a company) on anyone else’s hardware (e.g. AWS, Google, Azure, etc), good luck.  All anyone has to do to get your datas is run their own VM instance on the same server you’re on.   And while they’re all saying they “only” cost you 5-30% of your performance to isolate kernel memory to protect against meltdown attacks, there does not seem to be a really viable patch for Spectre yet, and perhaps not without new hardware.  If you were running your own server without unknown guests, you wouldn’t need to worry about this.  I will never fail to be astonished at how utterly incompetent most companies are that they can’t run a mail server.  If you can’t afford an IT department, I get it, but if you have IT staff and they can’t run a mail server, are they really IT staff?

Posted at 16:36:40 GMT-0700

Category: HowTo, Security, Technology