LeMoog
Posts: 38
Joined: Thu Jun 18, 2015 1:29 pm

Re: RPI4, out of order and Spectre vulnerabilities

Tue Jul 02, 2019 5:41 am

bensimmo wrote:
Mon Jul 01, 2019 1:30 pm
Heater wrote:
Mon Jul 01, 2019 12:45 pm
LeMoog,
With a vulnerable PI with its single hardware base then it is going to be hit harder than even the x86 especially with the emphasis upon IOT and other always on services.
Nonsense.

Firstly, are you suggesting that x86 systems used by MS, Google, Amazon and most other cloud service providers aren't always on? It's news to me that they turned them off at night :)

Anyone building IoT boxes should not be running any random code of unknown origin that the device thinks is a good idea to download and run. If it is then there are bigger more easily exploited vulnerabilities in store for it.

Despite the amazing sales of the Pi it's still a drop in the ocean compared to x86 for PCs, laptops, servers. It's a drop in the ocean compared to all the other IoT systems out there.

If you want to forgo the Pi and stay with your far more insecure PC then go ahead.
It's a drop in the ocean compared to these portable computer things I'm holding in my hand typing this on.
Which I believe is Linux right at the bottom of it all.
I'm assuming there are a couple of them around, and some powerful one must use the same processor, lucky for me mine only has 8 of the lowly A53
No, I am not suggesting that there are fewer x86 always-on systems, but I am saying that since the x86 hardware is diverse then it adds attack complexity.

If you are talking about cloud services they are going to invest more time/resources in monitoring for attack than someone who just wants their electronics connected to the internet.

As to IOT and "unknown code" including the OS, APPS and extensions in the standard build then it is all about who you trust to put your security first.

I seem to remember that when Spectre first became a known issue, ARM stated that none of their affected designs were in production and yet here we have a spectred SOC that, it must be said, has been put into production since Spectre became common knowledge.

For me, the worst thing about Spectre was not that it breaks memory protection, rather it was the sheer amount of BS posted by shills about how significant the threat was. Given that the majority of internet sites require client side processing then the chances of being able to run only known good code are minimal if you want to use a system on the web. Any server accessible via the web is going to be scanned multiple times daily and pretending that you are safe where you haven't even bothered to look at the source running on that system is just asking for trouble.

So your PI gets rooted, so what? Well, whose door are the police going to be kicking in when your server starts downloading kiddy porn? When they take away all your electronics for, at a minimum, months, are you still going to be saying how that doesn't matter then too? How about when your friends find out about it, are they going to trust that you are 100% innocent?

You want to play dangerous games then go ahead, I will be watching the press for the first victim and waiting for the resulting belief that every RPi owner is suspect.

Spectre was always writing off security for a significant performance boost, which Intel used to lead the CPU market for decades, they knew it was dodgy but since people didn't know it was a problem they kept buying. Now people do know it is a problem and to keep selling now is unforgivable.

Gavinmc42
Posts: 3897
Joined: Wed Aug 28, 2013 3:31 am

Re: RPI4, out of order and Spectre vulnerabilities

Tue Jul 02, 2019 5:55 am

You want to play dangerous games then go ahead, I will be watching the press for the first victim and waiting for every RPi owner to be tarred with the same brush.
Or get a Pi4 and start designing your own RISC-V system?
Nothing is safe unless you make your own custom system that no one can access.

So what system is 100% safe and are you using it?
If even PLC's can be hacked to destroy centrifuges and Netcams hacked for DDoS, what is safe these days?
I'm dancing on Rainbows.
Raspberries are not Apples or Oranges

LeMoog
Posts: 38
Joined: Thu Jun 18, 2015 1:29 pm

Re: RPI4, out of order and Spectre vulnerabilities

Tue Jul 02, 2019 6:05 am

Gavinmc42 wrote:
Tue Jul 02, 2019 5:55 am
You want to play dangerous games then go ahead, I will be watching the press for the first victim and waiting for every RPi owner to be tarred with the same brush.
Or get a Pi4 and start designing your own RISC-V system?
Nothing is safe unless you make your own custom system that no one can access.

So what system is 100% safe and are you using it?
If even PLC's can be hacked to destroy centrifuges and Netcams hacked for DDoS, what is safe these days?


100%, unqualified, "safe" anything never existed; however, not removing known vectors can only reduce how safe a system is.
