Originally posted by ALRBP
The very important difference with Spectre and Meltdown is that especially on the currently so fancied rented "cloud" computer instances, you can steal data from VMs sharing the same physical host, without leaving any evidence that the victim could see.
Unlike Trojans/Viruses or exploits of network protocol interfaces, the attacker does not need to change any byte on the victim's (virtual) machine, he does not need to rely on any specific software bug on the attacked system, and there won't be any log entries or such providing evidence of intrusion to the victim.
Much unlike you, I am pretty convinced that Spectre and especially Meltdown have been exploited, big time. Whether the attackers already evaluated and made use of or money from the data they extracted from victim systems - well, maybe not yet. Will they tell the victims how they got to their data? Certainly not. Will Cloud providers admit such attacks were executed? Of course not, why would they?
Your arguments towards not fixing security bugs for the sake of performance are convincing only for single-player, non-networked gaming machines. And that is not the predominant domain of Linux as an operating system.