Intel chip kernel flaw requires OS-level fix that could impact macOS performance, report s...


Comments

  • Reply 81 of 90
    polymnia Posts: 1,080 member
    thompr said:
    polymnia said:
    If this bug does go back years, and none of you have noticed yet, what is the big deal? If you don’t want to sacrifice the performance, don’t apply the patch. Wait until you get a new Mac with a new chip to update. The sky hasn’t fallen in the years this flaw has existed. Probably sill stay up there going forward. 

    I just bought a new MacBook Pro at the beginning of 2017, and every now and then I do use it for some serious scientific programming.  For some things that take hours to run, a 30% hit is going to be painful.   If the chip in that laptop is subject to this bug, then I'm sorry but your dismissive solution is not helpful.  There will be numerous updates to the operating system prior to me being ready to purchase a brand new machine, and these OS updates will likely all contain the patch.  So your solution would have me freeze my OS until such time as a new machine (without the bug) is available and I can afford to purchase it.  That's not a good position to be in, IMO.
    Make your own decision. But you don’t need to accept a software update that imposes an unacceptable performance penalty. 

    People & companies make mistakes. 

    It’s quite possible you’ve made some yourself.

    Move on. 
  • Reply 82 of 90
    nht Posts: 4,522 member
    welshdog said:
    nht said:

    Nice to see that Luddites still exist.  

    Well, no, not really.

    The sky isn't falling.  There are many potential attack vectors both cyber and physical. 

    This is one that has a fix albeit with a sometimes hefty performance penalty.  It's safer to do it this way even if the kernel protections worked...it's just slower.
    Not sure you know what Luddite means or you didn't read what was said. Nothing was said about the sky falling. This is a very serious flaw in the actual hardware chip. That is nothing like software exploits. Yes it can be fixed with an external software bandaid, which itself will be vulnerable to exploit. That is what makes this so bad - the fix really isn't a fix. Thanks for trying to overstate what I didn't overstate.
    You wrote this:

    Computers were once seen as a panacea for so many things, and to a degree they are.  But now they are a huge risk to world stability and have become a digital albatross around the world's neck.  I love computers and what they do, but we have completely blown it when it comes to deploying them responsibly and with restraint.

    The 2nd Luddite Congress wrote this:

    “a leaderless movement of passive resistance to consumerism and the increasingly bizarre and frightening technologies of the Computer Age.”

    https://nowheremag.com/2014/01/revolutions-luddites/

    To you computers are black magic to be feared or you’d understand that many hardware issues are permanently fixed in software and the fixes at the OS level treat the CPU as if the hardware protections don’t exist since in this case, they don’t.

    We have created very secure operating systems on much more primitive hardware all in software with no hardware support.

    As far as the risk to the US power grid from uber Russian hackers that exploited spear phishing to gather credentials, meh.

    Google Metcalf sniper attack.  A handful of goobers with semi auto rifles and bump-fire stocks can cause significantly disruptive damage in a night.

    Russia could certainly map out key transformers and infiltrate enough agents to buy rifles, large capacity mags and bump stocks to take down the grid for much of the Eastern seaboard for days and some parts for weeks as the transformers get replaced.  And if you don’t mind getting caught, most of the security features are too slow to stop you.

    My god, electricity is an albatross around the neck of modern society and a huge risk to world stability!  Well electricity and guns.

    The fix is adding 1/2” steel plate and or concrete walls around everything.



  • Reply 83 of 90
    polymnia Posts: 1,080 member
    polymnia said:
    This is why I keep multiple computers.  Most notably I keep one in virtual lock-down status to use as a financial computer.  It stores my financial records and only accesses a very few specific financial sites that I deal with.  There is no web browsing on it and no email.  Plus it's powered down unless I'm using it which is roughly about once a week.

    That doesn't guarantee security of course, but it does improve the odds that my most valuable personal information will be safe from hackers.
    Where do you buy your tin foil hats?
    Tin Foil Hat?    LOL...
    ... No, I just don't like putting my personal financial info out there for people to steal...
    .......You apparently don't care about yours.   That's fine.
    If you have financial information to steal it is out there. Hear about Equifax? Target? Any number of other institutional hacks? That’s what the hackers target. Not your cute little “financial Mac” [edit: sorry, I mean Windows PC. {wait, is that more or less secure?}] with its air gap from the internet.

    But I guess you need to do something with your Y2K bunker, so have at it, friend.
    edited January 2018
  • Reply 84 of 90
    GeorgeBMac Posts: 11,421 member
    polymnia said:
    polymnia said:
    This is why I keep multiple computers.  Most notably I keep one in virtual lock-down status to use as a financial computer.  It stores my financial records and only accesses a very few specific financial sites that I deal with.  There is no web browsing on it and no email.  Plus it's powered down unless I'm using it which is roughly about once a week.

    That doesn't guarantee security of course, but it does improve the odds that my most valuable personal information will be safe from hackers.
    Where do you buy your tin foil hats?
    Tin Foil Hat?    LOL...
    ... No, I just don't like putting my personal financial info out there for people to steal...
    .......You apparently don't care about yours.   That's fine.
    If you have financial information to steal it is out there. Hear about Equifax? Target? Any number of other institutional hacks? That’s what the hackers target. Not your cute little “financial Mac” [edit: sorry, I mean Windows PC. {wait, is that more or less secure?}] with its air gap from the internet.

    But I guess you need to do something with your Y2K bunker, so have at it, friend.
    LOL...  So if there is a possibility of something being stolen, then everything can be stolen as easily?   Really?

    If you follow your own advice, then you probably shouldn't bother to lock your house or car doors....  After all:  Target!
  • Reply 85 of 90
    GeorgeBMac Posts: 11,421 member
    From Reuters:
    “Intel has begun providing software and firmware updates to mitigate these exploits,” Intel said in a statement. “Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time.”
  • Reply 86 of 90
    nht Posts: 4,522 member
    polymnia said:
    polymnia said:
    This is why I keep multiple computers.  Most notably I keep one in virtual lock-down status to use as a financial computer.  It stores my financial records and only accesses a very few specific financial sites that I deal with.  There is no web browsing on it and no email.  Plus it's powered down unless I'm using it which is roughly about once a week.

    That doesn't guarantee security of course, but it does improve the odds that my most valuable personal information will be safe from hackers.
    Where do you buy your tin foil hats?
    Tin Foil Hat?    LOL...
    ... No, I just don't like putting my personal financial info out there for people to steal...
    .......You apparently don't care about yours.   That's fine.
    If you have financial information to steal it is out there. Hear about Equifax? Target? Any number of other institutional hacks? That’s what the hackers target. Not your cute little “financial Mac” [edit: sorry, I mean Windows PC. {wait, is that more or less secure?}] with its air gap from the internet.

    But I guess you need to do something with your Y2K bunker, so have at it, friend.
    LOL...  So if there is a possibility of something being stolen, then everything can be stolen as easily?   Really?

    If you follow your own advice, then you probably shouldn't bother to lock your house or car doors....  After all:  Target!
    You’re trading ease of use against the risk of random drive by attacks.

    I guess it depends on how often you need/want to access your financial sites whether this is worth the effort but the major risk of loss of financial and personal information is your bank or equivalent or the government.

    Mostly you’re protecting yourself from getting ransomwared on your important files.  So his point is that you’re defending yourself from a minor risk that doesn’t really impact your total risk of loss at all.  Your information is probably already floating around the dark net.  If the cost (including annoyance) is low enough, that’s probably worthwhile.

    For most folks probably not.

    Today, the best bang for the buck defense is freezing your accounts at Equifax, TransUnion and Experian.  Even there you have annoyances like being unable to get on Apple’s trade up program without temporarily unfreezing from the relevant credit reporting agency.

    Then just monitoring your financial accounts often...you know, like from your phone...

    So you’re taking something that is created to be easily accessed from anywhere anytime (financial website) and limiting it to just one machine in one location.

    That isn’t “locking your house or car” but putting a lock on your front door that only opens on Tuesdays.  Which is fine if you only go in and out of your house on Tuesdays and ignores that most vulnerable part of your house are your windows...
    edited January 2018 fastasleep
  • Reply 87 of 90
    thewb Posts: 79 member
    Google Project Zero published information about the flaw (which is NOT the same as the Management Engine flaw) late yesterday.

    https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html

    It applies to Intel, AMD, and ARM. Pretty much any CPU of the past 20 years. If it has a data cache and does speculative execution then it could be vulnerable to one of the described exploits or a similarly crafted future exploit.

    Bottom line is that nobody imagined that the evidence of a failed speculative branch left in the data cache could be used to recover privileged data.

    Supposedly Apple has already patched it in MacOS 10.13.2:


    If so then it seems nobody has noticed a performance hit.
  • Reply 88 of 90
    GeorgeBMac Posts: 11,421 member
    nht said:
    polymnia said:
    polymnia said:
    This is why I keep multiple computers.  Most notably I keep one in virtual lock-down status to use as a financial computer.  It stores my financial records and only accesses a very few specific financial sites that I deal with.  There is no web browsing on it and no email.  Plus it's powered down unless I'm using it which is roughly about once a week.

    That doesn't guarantee security of course, but it does improve the odds that my most valuable personal information will be safe from hackers.
    Where do you buy your tin foil hats?
    Tin Foil Hat?    LOL...
    ... No, I just don't like putting my personal financial info out there for people to steal...
    .......You apparently don't care about yours.   That's fine.
    If you have financial information to steal it is out there. Hear about Equifax? Target? Any number of other institutional hacks? That’s what the hackers target. Not your cute little “financial Mac” [edit: sorry, I mean Windows PC. {wait, is that more or less secure?}] with its air gap from the internet.

    But I guess you need to do something with your Y2K bunker, so have at it, friend.
    LOL...  So if there is a possibility of something being stolen, then everything can be stolen as easily?   Really?

    If you follow your own advice, then you probably shouldn't bother to lock your house or car doors....  After all:  Target!
    You’re trading ease of use against the risk of random drive by attacks.

    I guess it depends on how often you need/want to access your financial sites whether this is worth the effort but the major risk of loss of financial and personal information is your bank or equivalent or the government.

    Mostly you’re protecting yourself from getting ransomwared on your important files.  So his point is that you’re defending yourself from a minor risk that doesn’t really impact your total risk of loss at all.  Your information is probably already floating around the dark net.  If the cost (including annoyance) is low enough, that’s probably worthwhile.

    For most folks probably not.

    Today, the best bang for the buck defense is freezing your accounts at Equifax, TransUnion and Experian.  Even there you have annoyances like being unable to get on Apple’s trade up program without temporarily unfreezing from the relevant credit reporting agency.

    Then just monitoring your financial accounts often...you know, like from your phone...

    So you’re taking something that is created to be easily accessed from anywhere anytime (financial website) and limiting it to just one machine in one location.

    That isn’t “locking your house or car” but putting a lock on your front door that only opens on Tuesdays.  Which is fine if you only go in and out of your house on Tuesdays and ignores that most vulnerable part of your house are your windows...
    I suspect I am doing a lot more financial management than most people or what you are thinking of.  Using a financial management app, I am doing far more than checking an occasional balance -- but managing and tracking every penny that goes into or out each of my accounts.  

    But no, there is no loss of convenience.  Since I have no need to access a financial site on the fly, there is no need (or loss of convenience) for me to use a dedicated financial machine.

    And, since I will not use money management software that moves my data into the cloud (like many financial packages do), it's a choice between managing my financial info on a separate laptop or from my general laptop that I use for web browsing, email and the like both from home and via public WiFi's.  Essentially, I don't see my "everyday" laptop as being much more secure than, say, a public use computer in a library -- so storing financial information and using critical IDs & passwords on it just ain't gonna happen -- no more than I would do that on a public computer.

    As for securing the financial data:  It's not just securing the data but securing the passwords to my accounts and even what accounts I have since I only use and access them from a secured environment.  


  • Reply 89 of 90
    thompr Posts: 1,521 member
    thompr said:
    polymnia said:
    If this bug does go back years, and none of you have noticed yet, what is the big deal? If you don’t want to sacrifice the performance, don’t apply the patch. Wait until you get a new Mac with a new chip to update. The sky hasn’t fallen in the years this flaw has existed. Probably sill stay up there going forward. 

    I just bought a new MacBook Pro at the beginning of 2017, and every now and then I do use it for some serious scientific programming.  For some things that take hours to run, a 30% hit is going to be painful.   If the chip in that laptop is subject to this bug, then I'm sorry but your dismissive solution is not helpful.  There will be numerous updates to the operating system prior to me being ready to purchase a brand new machine, and these OS updates will likely all contain the patch.  So your solution would have me freeze my OS until such time as a new machine (without the bug) is available and I can afford to purchase it.  That's not a good position to be in, IMO.
    You don’t know that the tasks you’re talking about are going to take a wholesale 30% hit either. So speculating on how bad the software fix is going to be at this point isn’t helpful either. Especially since it’s already been partially fixed and nobody noticed a massive slowdown in their genome sequencing or whatever it is you’re doing. 
    I'm not complaining (yet).  My point was only that the previous poster's dismissive attitude and solution (to the problem we don't know exists yet) was completely unhelpful.
  • Reply 90 of 90
    thompr Posts: 1,521 member
    polymnia said:
    thompr said:
    polymnia said:
    If this bug does go back years, and none of you have noticed yet, what is the big deal? If you don’t want to sacrifice the performance, don’t apply the patch. Wait until you get a new Mac with a new chip to update. The sky hasn’t fallen in the years this flaw has existed. Probably sill stay up there going forward. 

    I just bought a new MacBook Pro at the beginning of 2017, and every now and then I do use it for some serious scientific programming.  For some things that take hours to run, a 30% hit is going to be painful.   If the chip in that laptop is subject to this bug, then I'm sorry but your dismissive solution is not helpful.  There will be numerous updates to the operating system prior to me being ready to purchase a brand new machine, and these OS updates will likely all contain the patch.  So your solution would have me freeze my OS until such time as a new machine (without the bug) is available and I can afford to purchase it.  That's not a good position to be in, IMO.
    Make your own decision. But you don’t need to accept a software update that imposes an unacceptable performance penalty. 

    People & companies make mistakes. 

    It’s quite possible you’ve made some yourself.

    Move on. 
    I moved on within 5 minutes of reading about this, and my decision is (of course) to keep my laptop up-to-date with OS releases as Apple provides them... for many reasons, not just the security.   If I ultimately endure some performance degradation due to the patch, I may grumble a little bit, but I will survive.  

    Your idea about avoiding performance degradation by not accepting OS updates is a pretty ridiculous suggestion IMO, except in cases where machines are solely dedicated to number crunching. 
    edited January 2018 Soli