Post
Topic
Board Development & Technical Discussion
Re: Intel Hack is NSA backdoor 'Discovered', NSA created BITCOIN - What's to worry?
by
haltingprobability
on 15/01/2018, 14:46:38 UTC
@hardwarewallet: I think you are over a bit here. I have read your blog post explaining Meltdown and Spectre for the average person. Nice summary. I wonder how you can say, router OS or hardware wallets are secure. I cannot see how you derive this.

On your statement:
Quote
No, your router is not vulnerable to Meltdown/Spectre because it's not running any applications, it's a standalone device."
this wording creates wrong expectations. Even as non-expert in security one could easily create a linux box with two network cards, and then on top of the operating system run an application, which routes data from one network to the other. And also it is not at all stand alone...

This is why you shouldn't be running untrusted user-code on a router. A router is (ought to be, anyway) a standalone device for this very reason.

Quote
Looking at the providers, e.g. AT&T is asking for Open Network Automation Platform, which is exactly an OS with apps on top.

Who is using a network platform for browsing the web? Please name names so they can be fired immediately.

Quote
Maybe best wording is, that up until today, no security issues (side channel attacks like Meltdown/Spectre) have been found in the wild for these systems (or at best are difficult to implement, cause attack vectors are limited...).

No, that's not the best wording because Meltdown/Spectre require the presence of malicious, user-space code in order to operate. If your kernel is compromised, for example, you have no need to worry about Meltdown/Spectre because the software that has compromised your kernel can do far worse things than anything that Meltdown/Spectre attacks can do. The level of FUD on this particular news story is astounding to me. This is my field, I worked for one of the companies involved in this for nearly a decade, in computer architecture.

Quote
Security is a beast... You cannot only predict security, only when you have a fully deterministic machine.

Meltdown/Spectre are very specific attacks. The security problem is separate. Any self-contained hardware/software environment is oblivious to Meltdown/Spectre, as long as it really is self-contained.

Quote
So stating that hardware wallets or Routers are secure, is most probably overdoing it (if not wrong, but that will only be shown by the future  Grin).

No, stating that they are insecure is overdoing the FUD.