Spectre, CPU, Russell discussed on The Vergecast

The Vergecast


Has a bunch of sensitive information all running in the same process, your web browser, and you can do Spectre. They've done Spectre with JavaScript.

Wow. So right now, as far as I know, Russell, please correct me if I'm wrong, a rogue actor could create a JavaScript Spectre attack, buy some ad space on a bad website that doesn't vet its ads, and, um, hack whatever else is confined in that running process. Is that correct?

So a lot of people are saying that they've patched against Spectre, and we're sort of evaluating those claims. It's kind of tricky. A lot of people are patching, but then the patch is not really any clearer than the bug. So, but I mean, the scenario you describe, where there's a weird JavaScript thing that's running on your computer and then suddenly it gets all of your passwords, is exactly the thing people are worried about. Because for this to work it has to be running on your computer, but it can be running at the sort of lowest possible privilege level. As long as it can get stuff into the processor, then it can find out the other stuff that's in the process.

What's so scary about these: this is really an attack on the basic building blocks of what makes computers secure. Like, the whole reason your browser is secure is because it's an isolated process. Well, why is it an isolated process? Because the CPU doesn't allow that isolated process to look at memory outside of it. It's protected at the CPU, GPU, and this is an attack on that basic foundation of security.

Yeah, and I think that's why it's so hard to predict exactly what the implications are, because it's sort of, this was this basic logical building block that we had for computer systems, that, like, there's memory, like, there's this kernel, and you can't get into the kernel but you can ask questions. And, like, that's just a basic sort of move that we thought we knew how to do, and now it turns out we've been doing it wrong this whole time.
