Spectre! Meltdown! Ahhhhhhh!

That's the reaction by the media every time they decide something should be a story. Sometimes a vulnerability or new attack vector should be huge news, but whatever "sex appeal" the media is looking for isn't there, so little coverage is given. This time it's sexy and serious. Regardless of the hype, when a new security event occurs, I always look forward to hearing what Bruce Schneier has to say about it. He's always a voice of reason in a world full of shitty soundbites and opportunistic advertising. And this time...

"Throw it away and buy a new one" is ridiculous security advice, but it's what US-CERT recommends. It is also unworkable. The problem is that there isn't anything to buy that isn't vulnerable. Pretty much every major processor made in the past 20 years is vulnerable to some flavor of these vulnerabilities. Patching against Meltdown can degrade performance by almost a third. And there's no patch for Spectre; the microprocessors have to be redesigned to prevent the attack, and that will take years.

Yeah... it is pretty serious. And Schneier sees this as a sort of Pandora's box being opened. Now that microprocessor based vulnerabilities have some attention, a focus shift will likely occur making 2018 ". . .the year of microprocessor vulnerabilities, and it's going to be a wild ride." Yay.

Spectre and Meltdown Attacks Against Microprocessors

I don't often read anything in the Vice universe of crap, but this was actually pretty good.

The Motherboard Guide to Not Getting Hacked

Interesting comments from Bruce Schneier on the Equifax breach. He testified before the Subcommittee on Digital Commerce and Consumer Protection (Committee on Energy and Commerce) of the US House of Representatives.

Witness statement document (pdf)