Keyboard shortcuts are available for common actions and site navigation.
You can add location information to your Tweets, such as your city or precise location, from the web and via third-party applications. You always have the option to delete your Tweet location history. Learn more
TLBleed leaks private keys with a 98%+ reliability. But it doesn't leak them the "right" way, so it's not in scope for their bug bounty. Also Intel isn't even assigning this a CVE. This will require a ton of work to mitigate (mostly app recompile). 1/n https://www.theregister.co.uk/2018/06/22/intel_tlbleed_key_data_leak/ …pic.twitter.com/LsRCjCerZD
First, it's ridiculous that this isn't eligible for a bug bounty. It's insane that Intel thinks it doesn't deserve a CVE. Second, it's hard to imagine that Intel won't make changes to their processors to fix this. TLB management has subtle nuances depending on the architecture 2/
Even if Intel's answer to TLBleed is "recompile" it's not clear how quickly compiler authors can work out the nuances to make the code safe across different processor models. 3/n
Finally, this is likely to require core OS changes. Hyperthreading is THE main reason Intel won the processor war over AMD. Pretending that OS developers are the problem is ridiculous. I remember people talking about theoretical attacks on hyperthreading from it's introduction 4/
But Intel assured OS developers that hyperthreading was safe, so they programmed to that spec. Nothing in the Intel programming docs says "don't hyperthread different processes on the same core." Wholesale changes will need to be made to scheduler subsystems. 5/n
This is likely going to be easier to exploit than Spectre variants. But from where I sit it's more evidence that we need to rethink our secure architecture design patterns. How we provision applications, VDI, and multi-tenant hypervisors needs to change. 6/n
I'm not jumping on a bandwagon either. I said the same thing in January when Meltdown and Spectre were released. The advice is just as sound now as it was then. Sure, apply patches when available, but this is about so much more than patching. 7/7 https://www.renditioninfosec.com/2018/01/meltdown-and-sceptre-enterprise-action-plan/ …
@IanColdwater get your work done this weekend but OOH SHINY NEW SPECTRE THING
Thanks Jessica, I wasn't distracted enough 
Given that the overwhelming majority of Intel processors don't have any cache isolation stuff anyway (it's only in certain Xeons), and that zero changes were made to prevent L1$ side channels with hyperthreading, I wouldn't expect any real response from Intel at all.
So are there ANY safe-ish CPU'S out there? Looking to start a new build but not on expert on this stuff.
So.... Are they gonna still feel that way when a fully documented PoC is released and it starts getting abused in the wild?
This rather looks like the recent flaws have caused a major damage in reputation for Intel. They won't admit anymore bugs now.
Monocultures suck. :(
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.
