Both are triggered by malicious code running on the same hardware as you.
Mitigation means don't put anything important on shared hardware (read: avoid VPSes) and run NoScript or the equivalent in your browser.
Weren't those security best practices already?
Yes, this is a nightmare for VPS providers and worrying for those who placed their trust in virtualization. But the tinfoil-hat brigade has been assuming such bugs existed for ages.
Am I missing anything?
@HerraBRE One OS instance per hardware has been a "security best practice"? No. I don't think it was. And ordinarily it shouldn't be.
@paco The security best practice I speak of is:
"Don't share hardware with untrusted strangers who can run arbitrary code and try to attack your hypervisor or local network."
Of course you should use all the compartmentalization tech that is appropriate for your use case. Even if they can be attacked, it raises the bar.
@HerraBRE Never share hardware with strangers? Seems too blunt.
At face value that would prevent using any cloud infrastructure at all wouldn't it? Seems like it might make SaaS services problematic too.
I don't think I've seen that sort of principle put forward as a best practice. I don't see how you could follow that principle in 2018.
@rysiek @HerraBRE The date on this advisory is yesterday, and note that at that time 90+% were already done worldwide. Who patches faster than that? https://aws.amazon.com/security/security-bulletins/AWS-2018-013/
The point is not how fast AWS patched their systems for this. The point is since we were using bare metal in the first place, we were basically not affected in any way.
As in, there was no possible malicious co-tenant on the same hardware that could have extracted anything from our memory space.
Because all memory space is our memory space.
On our bare metal.
@rysiek @HerraBRE I understand it was there for 20 years. Like the OpenSSL and bash bugs that were old when they were discovered. Do you think it was being actively exploited but somehow nobody knows? It's all been hushed up? Or was it perhaps not actually exploited? I have no idea, myself. But it seems hard to believe that it was being exploited a lot for 6 months, but nobody knew.
@rysiek @HerraBRE It's impressive that you've built a data centre that withstands the NSAs and FSBs of this world. If that's your threat model and you've countered it, that's pretty impressive. You must be confident that you've countered that threat better than the cloud providers can, too, which is all the more impressive. I don't know many smal businesses that run data centres capable of resisting the 3-letter-agencies.
Nor are we confident we can always protect stuff (on the technical level) better than large providers. Not using their services, however, solves other (non-technical) issues.
My point is this: security people often reach for the agency threat when they talk about reasons to use bare metal. It's the ONE threat that bare metal seemingly solves. But bare metal ONLY solves that threat if you ALSO do a long list of other expensive security controls. So, given that you probably AREN"T defeating the agencies, what's the point of bare metal? The NSA/FSB threat isn't an interesting security discussion. Nobody (on here) is really designing to defeat them.
@rysiek @paco @HerraBRE all jokes aside you guys all made some valid points. In the end i use cloud services to move traffic around and keep services up, but yes i'm paranoid to make sure some of our more sensitive data stays at 'home'. I'm personally of the opinion that most of the attacks we face are not coming from someone dedicated to pwning us, but just pwning something
Your statement is true for lots and lots of people, but obviously not everybody.
Binary thinking in security is usually wrong. Being a little bit insecure is usually fine, nothing is perfect. Which threats you address first and how depends on your needs.
@HerraBRE @rysiek @paco generally speaking our threats are really no different from anyone else managing consultants on the road, however from time-to-time that changes depending on the client. Basically it's important to remember that 'every individual is an exception to the rule' - stolen from Jung but it works
@HerraBRE @finux @rysiek Right. That's why I get annoyed at the NSA/FSB argument for avoiding cloud. Nobody is really thinking that way. Very few orgs are engineering their data centres or their clouds with defeating an agency as a primary goal. So when I ask "why avoid the cloud?" and the answer comes back "Spooks" it's frustrating. That's not a reasonable conversation. The person saying that is usually not doing enough to avoid spooks on premises. So there's no point bringing it up WRT cloud
There will be more bugs like this.
Security professionals know this and have known for a long time. Thus my claim it was a standard best practice, albeit one that has costs not everyone could justify.
That math has shifted now, more people will justify the expense. Not all, but more.
General purpose mastodon instance