Originally posted by nanonyme
View Post
Announcement
Collapse
No announcement yet.
KPTI + Retpoline Linux Benchmarking On Old Laptops
Collapse
X
-
Originally posted by cybertraveler View PostThis setup I use also means I can keep my main system free of proprietary software (games, mods and drivers) which may contain naughty stuff.
- Likes 1
Comment
-
Originally posted by cybertraveler View PostIf smartalgorithm uses a system to serve up static files over http, from what I've read about these vulnerabilities, there would be no risk to disabling these mitigation features. As I understand it, it is in instances where untrustworthy sources are able to run code on a system, that this untrustworthy user could exploit these vulnerabilities and gain access to memory which they should not have access to. So web browsers, rented virtual machines, shared web hosting with CGI are all potential targets. Private static-file serving web servers and many other privately controlled servers may be able to perfectly safely operate with these features disabled and not receive a performance hit.
It is my understanding, too. So unless you let someone execute arbitrary code on your computer, how could this be exploited? The browser with JS (always nice to have a selective whitelist here) would be the only thing coming to mind here. Especially with slower CPUs I think it will be difficult to achieve the necessary timing precision in JS to extract useful data. Given that browsers are being patched to lower timing resolution (https://blog.mozilla.org/security/20...timing-attack/), what exacty is the remaining attack vector for a single-user desktop PC?
Comment
-
Originally posted by cybertraveler View PostI do. I have a gaming PC that I use only for gaming.
Is your gaming rig on linux? Because if you have a separate gaming rig there are so much good reasons to just use Windows on it, and the point of smartalgorithm becomes quite weak.
Last edited by starshipeleven; 11 January 2018, 05:43 PM.
- Likes 1
Comment
-
Originally posted by MeFri View PostTHIS
It is my understanding, too. So unless you let someone execute arbitrary code on your computer, how could this be exploited? The browser with JS (always nice to have a selective whitelist here) would be the only thing coming to mind here. Especially with slower CPUs I think it will be difficult to achieve the necessary timing precision in JS to extract useful data. Given that browsers are being patched to lower timing resolution (https://blog.mozilla.org/security/20...timing-attack/), what exacty is the remaining attack vector for a single-user desktop PC?
Malware is modular, serious ones have 2 stages or more and you can have them deliver your payload of choice.
Comment
-
Originally posted by wsxy162 View PostThis seems silly, even with your gaming PC, sometimes you still need to sign in gaming accounts. You are no way to avoid from the risk.
For Steam for example I can buy stuff with just a web browser and a Paypal account, and Steam is set to not remember my Paypal password so I have to authorize any transaction by authenticating into Paypal. Even if they managed to steal my steam account (I have also connected a phone number because of recovery purposes), my money would still be inaccessible.
Maybe this won't work for Pay2Win games with an in-game store, but that's crap I don't buy (or play) anyway.
- Likes 1
Comment
-
There are many scenarios where you would consider disabling KPTI, retpoline, and other security measures that have a runtime cost.- A PC which is used exclusively for gaming
- A PC which is occasionally used for browsing, but the web browser's (PDF reader's, ...) JavaScript JIT is disabled.
- A HPC node which runs only trusted code
- A server which does not execute user code
- Likes 1
Comment
Comment