Slashdot Mirror


User: ebyrob

ebyrob's activity in the archive.

Stories: 0
Comments: 1,111

Comments · 1,111

  1. Re:Leukemia on EPA Blocks Warnings on Cancer-Causing Chemical: Report (politico.com) · · Score: 1

    What exactly is the risk?

    We might be able to find out if the corrupt weasels in the EPA would publish this research. But no.

    Actually it's pretty simple if you know there are expected to be 174,250 cases in US in 2018 and there are 327 million US citizens then the odds of contracting Leukemia sometime in a given person's life is maybe close to 4% (though effectively a bit less for actually detecting it etc).

    Of course, that says nothing about the effects of one or any toxic chemical. That's just the overall average risk to all US citizens.

  2. Re:We need more pci-e lanes on the desktop and hig on Intel Wants PCs To Be More Than Just 'Personal Computers' (engadget.com) · · Score: 1

    The "general public" can use high end 486 chips or Atom processors. They'll never notice the difference.

  3. Re:improved connectivity on Intel Wants PCs To Be More Than Just 'Personal Computers' (engadget.com) · · Score: 1

    In all fairness. If javascript wasn't being JIT compiled for extra performance, this would not have been remote read of everything by every browser on the planet with scripting enabled.

    As it is, the fixes will probably mostly work for things like OS management of processes but exporting that level of access to every website you visit, that's really bad.

  4. Re:improved connectivity on Intel Wants PCs To Be More Than Just 'Personal Computers' (engadget.com) · · Score: 1

    I certainly do NOT want "improved connectivity".

    exactly:
    https://popularresistance.org/...
    https://meltdownattack.com/

    How about some "improved security".

    Not that we can really blame Intel when every single web browser developer decided to JIT compile their javascript and rely on obscure processor features for their only security because the bunny MUST dance faster!

    But embedded Wifi KVM in every CPU. That brilliance falls squarely on Intel.

  5. Re:Second sentence says it all... on Consumers' Privacy Concerns Not Backed By Their Actions (betanews.com) · · Score: 0

    Ever talk with anyone who grew up in foster care?

    Or even just someone whose parents had a very nasty divorce?

  6. Should be some very simple AI. return "no". all done.

  7. If we're going to kill people with drones... on Google Employees Resign in Protest Against Pentagon Contract (gizmodo.com) · · Score: 2

    Maybe it would be a good idea to let Google help process the footage to see who and what got blown up?

    Seriously though, the data is already there, now suddenly it's a big moral dilemma to process it and understand what's going on?

  8. Re:And if I make the browser window full screen? on Chrome Tests Picture-in-Picture API To Show Floating Video Popups Outside the Browser (bleepingcomputer.com) · · Score: 1

    That's awesome! How can I help this get written into the standard where it belongs?

  9. Seems like a <blink>GREAT</blink> idea!

  10. Re:I'm not sure it is on FBI Chief Calls Unbreakable Encryption 'Urgent Public Safety Issue' (reuters.com) · · Score: 4, Insightful

    It's sad.

    Breakable encryption is no encryption at all. I guess the 3 letter agencies want to back-door themselves to indeterminism along with the whole world just because they think it'll give them that last 2% of control. Perhaps they don't realize what an asymptote maximizing control is. (With an emphasis on the as)

  11. Re:Can't risk sanctity of kernel-enforced DRM on Microsoft Issues Rare Out-of-Band Emergency Windows Update For Processor Security Bugs (theverge.com) · · Score: 1

    They probably did it because it's a flaw and at their tempo, it wasn't out of band...

  12. Re:Should be user-configurable or based on trust on Microsoft Issues Rare Out-of-Band Emergency Windows Update For Processor Security Bugs (theverge.com) · · Score: 1

    Wow! See, now that's the kind of detail we need in these articles. I had NO IDEA this could be exploited from JavaScript.

    And yet it's the old Sun Java sandbox that was too insecure to survive and "addons" and "extensions" that are the security problem in modern web browsers. Right.

    Which browser? Or are you claiming Chrome, Internet Explorer, and Firefox all fell down on this one?

  13. Re:Broken sandbox patch? Give me a break! on Microsoft Issues Rare Out-of-Band Emergency Windows Update For Processor Security Bugs (theverge.com) · · Score: 1

    I don't know why I'm bothering to respond to anonymous cowards but...

    This is a patch for a privilege escalation attack on Microsoft Windows.

    From the article:

    There appears to be a flaw in modern processors that let attackers bypass kernel access protections so that regular apps can read the contents of kernel memory.

    So, yes it's a processor flaw, but the only problem is that some application processes may get to read some kernel memory that they aren't supposed to read. That's the very definition of privilege escalation, and not even total privilege escalation, just being able to take one more privilege than normal temporarily.

    This is a Microsoft Windows patch. Who in their right mind thinks that breaking the user / kernel boundary will be impossible after this patch? Why would it be important to rush to plug a tiny hole in a dam that's been dry and broken for years?

    If this were, say, Android OS I could see why cross-process exploits would be important because that is an important strong and relied on feature on Android but this is Microsoft Windows. When have they EVER had a strong track record with privilege escalation attacks? Ok, maybe they've been better with the user / kernel boundary than they have been in other areas but that doesn't mean the track record in that area is actually good.

    DRM seems clearly the most likely application of this flaw especially since it doesn't need a perfect boundary to get some use from it. You could argue this also might affect the security of using your banking website but if you've got one bad executable, a key logger is pretty trivial with or without this flaw.

    Maybe you think I'm wrong about applications of this exploit, but if you can't understand why this might be related to privilege escalation, maybe you should re-read the article.

  14. Re: Broken sandbox patch? Give me a break! on Microsoft Issues Rare Out-of-Band Emergency Windows Update For Processor Security Bugs (theverge.com) · · Score: 1

    I don't think you get it.

    Every OS has holes in this area, many of them known and unpatched for years. Why is this layer that won't be secure after the patch anyway suddenly important?

  15. Broken sandbox patch? Give me a break! on Microsoft Issues Rare Out-of-Band Emergency Windows Update For Processor Security Bugs (theverge.com) · · Score: 1

    Seriously, this is an escalation flaw on Windows and it's a "priority patch"?!!!

    I don't really care how many processors the "same bug" might affect, how can any version of Windows come close to saying that the most humble executable can't own the whole system if written correctly?

    Linux can't say this, Apple can't say this, OpenBSD won't even try to say this and yet suddenly plugging one such hole in Windows requires an out of band patch that also trashes performance? What, did someone's digital restrictions management break?

    Java got ousted from the browser when people suddenly started looking at their sandbox again after 10 years of applets. If Microsoft "userland" was so safe, then we wouldn't even need the Java sandbox, we'd just run browser plugins in a separate process.

  16. GZIP is more like a factor of 3-4 times for text. The only way they could get a factor of 10 compression ratio would be if they were using something like PAQAR 4.5, which I kinda doubt...

  17. news flash: academia is also proprietary on 'We Can't Compete': Universities Are Losing Their Best AI Scientists (theguardian.com) · · Score: 0

    I don't know about London, but here in the states university research generally manages to get in bed with corporations and none of the useful results ever make it back to the public domain anyways...

    Is that the sound of the world's smallest violin I hear?

  18. Re:Now if they would just on Netflix Adds 5.3 Million Subs In Q3, Beating Forecasts (variety.com) · · Score: 1

    IMDB is the search for movies we should all be using.

    The only problem is now you can't go to blockbuster to get the latest movies on video, instead you have to check 10 different services to see which one might have it this week.

    The way things are going, the fragmentation is only set to get worse. I'd hope for copyright reform, but after the DMCA making security research a criminal offense I shudder to think what the next round of "reforms" might bring.

  19. Re:Now if they would just on Netflix Adds 5.3 Million Subs In Q3, Beating Forecasts (variety.com) · · Score: 2

    Could it be the major movie studios quit selling movie rights to Netflix and greatly delayed release to Netflix past normal home releases? Oh my goodness, is that why Netflix had to start making their own content? Looks like someone woke up a sleeping giant.

    If Netflix had a problem with *only* getting $10.00 per subscriber per month, I think they'd find a way to ask for more. I get the feeling they're not too concerned about it though seeing they have a spare $8 billion to throw around making content every year.

  20. Re:There's no escaping it on Mobile Phone Companies Appear To Be Selling Your Location To Almost Anyone (techcrunch.com) · · Score: 1

    You're aware that just by following cell-tower protocols you're uniquely identifiable and trackable right? The cell network knows which towers you're connected to and the command sets are insecure and built to give control to the phone companies. Unless you're carrying around 10 different burn-phones and swapping them all out daily you're definitely still trackable.

    You may have raised the bar just a bit for random website X to track you, but it's hardly a hiccup to your phone carrier.

    Note: The X-UIDH header discussed in the article is injected into any HTTP request by the cell network before it hits the web. HTTPS may help a bit but it's no guarantee.

  21. Re:There's no escaping it on Mobile Phone Companies Appear To Be Selling Your Location To Almost Anyone (techcrunch.com) · · Score: 2

    Where does my ISP get the info from where I go from

    Read TFA. From your cell phone vendor and geolocating your ISP, wifi hangouts etc. You may post pictures of rock climbing the Himalayas but they can see you doing it from your living room. (In your boxers if you have a web-cam, probably even if it's disabled in bios...)

  22. Re:How serious is this? How exploitable is it? on WPA2 Security Flaw Puts Almost Every Wi-Fi Device at Risk of Hijack, Eavesdropping (zdnet.com) · · Score: 1

    It's what layered security is for, sounds like yours is working if you use VPN tunneling over your Wifi...

    It's still good to fix that bad layer before something else fails though.

  23. There's a difference between a difficult subject and obfuscation for a pretense of erudition.

  24. Do you believe a human is somehow less "entitled" to what he makes for himself than the above examples?

    How do you measure that exactly without dumping someone naked in the wilderness?

  25. Re:One of the reasons on Comcast Pressures Local Cable Firms to Curb Low-Cost TV Packages (bloomberg.com) · · Score: 2

    Which is pretty funny considering no self-respecting sports fan is going to want to pay their "sports tax" either because they don't actually show the games people want to watch. Take the NFL for instance. At most you can choose to watch 1/3 of all the games played. So depending on your favorite team you may only get to see 1/3 of all their games. Even with DirecTV's competing service you can get most of the NFL games, but not all of them.

    They put up with this garbage from the sports associates then wonder why no one wants to buy their service...