Why are Spectre and Meltdown So Dangerous?
Вставка
- Опубліковано 27 вер 2024
- Squarespace link: Visit squarespace.com... and use offer code TECHQUICKIE to save 10% off your first order.
Spectre and Meltdown are security flaws that, between them, affect nearly all of the world's PCs and smartphones! How did this happen, and what makes these bugs so sinister?
Techquickie Merch Store: www.designbyhu...
Techquickie Movie Poster: shop.crowdmade...
Follow: / linustech
Leave a reply with your requests for future episodes, or tweet them here: / jmart604
Join the community: linustechtips.com
Intro Theme: Showdown by F.O.O.L from Monstercat - Best of 2016
Video Link: • Monstercat - Best of 2...
iTunes Download Link: itunes.apple.c...
Listen on Spotify: open.spotify.c...
Why do vulnerabilities always get such cool names?
there was once a worm called "conficker". in german, "ficker" means "fucker" :)
Like aids?
And why did they get such pretty logos?
Probably the same reason as why storms get Human names. Easy to remember
Yeah, CVE-2018-7600 is a really cool name.
Wow, someone finally actually explained what the fucking bugs do. Thank you. I was getting tired of people just saying "Oh it's bad" and not actually caring about what it really does
you are more likely to encounter a dinosaur than a meltdown or spectre exploit
@@m3talgame20 how do you know?
@@m3talgame20 can you explain how
@@m3talgame20 *Last Online 3 years ago*
@@VeryBigExplosion hmm old video it seems. I'd be more worried about china
It's a good thing my bank account is always empty
1stfloorguy I feel ya
fucking steam
Dr Megaman more like fucking mundaine life shit to buy
Lou D yeah, I said Steam because I thought that'd be funnier but it really is amazing how much little random stuff adds up
That is normal. (For ~8/10 Americans -Dave Ramsey)
This was probably the best Techquickie video. I actually learned something instead of just getting a lot superficial knowledge
I think this is still superficial knowledge
I learned more about how the exploits work, but nothing to change my mind about how useless it is to obsess about them. Fact is we're screwed if anyone truly talented decides to come after our info. Vulnerabilities >>> Fixes for them
Really, because this was the most useless video I've watched yet.
What does knowing how these work do for anyone that isn't working to fix them?
I'd much rather learn all the discrepancies between file types than how a bug that will never effect 99% of people works.
@@jeffbrownstain You obviously didn't understand the video then.
mcrsit Year old video dude gtfo
You didn't give enough ram to chrome, ffs Linus!
He closed the tabs in chrome's task manager
Chrome 💕 RAM
And the internet Tabs get super tiny with no text, so I'll never leave Firefox.
Good thing my school uses MacBooks *AND CHROME* and the teachers are always wondering why the laptops are so slow
matthigast that’s every teacher but they only have 2gigs of ram XD
what the heck is specter and meltdown ?
One important thing that was not mentioned: Meltdown (Intel specific) allows a program to read memory from anywhere on the CPU, included protected system memory. The 2 main spectre vulnerabilities can only read from the currently executing program or another program running in userspace (not system).
As I expected Modern Technology is dangerous, nothing beats my old but realiable Abacus
Franz Tinuviel how bout them space probes orbiting jupiter?
Comet Streak
Probably just trash we found in space
Yeah but can it run Crysis
It is dangerous. Depends on acceleration.
Abacus is a bit advanced for me
*4:26** the barking cpu, I'm dead.* 😂
normie
BlackHat Visions REEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE
I'm not sure what's going on, but: REEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEST IN PEACE.
BlackHat Visions REEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEST IN PEACE.
BlackHat Visions
REEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE
i aint afraid of no ghost
aR0ttenBANANA96 GHOSTBUSTERS
aR0ttenBANANA96 I ain't afraid of no sleep
I ain't afraid of no bed
My server doesn't have this vulnerability, but my Gaming PC does :(
Banking on server
Fapping on battlestation
Not that hard
Who you gonna call...
So, the CPUs are like:
"Your next line will be..."
Oh ho
@@deki9827 josef joster
This is one of the best readers digest explanations of the Spectre and Meltdown exploits I've seen so far. Bravo, Linus and the Techquickie team!
As a guy who just had a subject dedicated to building processors from scratch, all of these terms seem very familiar to me, and I loved how well described the problems are in this video, just as always, Techquickie delivers!
The whole schematic to explain the vulnerabilities is very well put together. Nice work!
Checked my steam like 10 times whilst watching this video
Could you enlighten me? Also have Steam, just be online there once a month for new games.
And then just single player rpg, as I am married 😂
Have no clue why someone even would go online on steam once a day...
@@EREMIT-DE Because they play a lot of games?
@@NobbsAndVagene
Cool answer, so they play a lot of games
and that is why they checking steam 10 times a day instead of playing a lot of games...
so... if someone has a real answer... still no clue ^^ are you watching comments on games or have some forums I still not know about...?
@@EREMIT-DE because the video had a lot of sound effects similar to that of which steam uses.
bro i have no steam friends i dont have such weaknesses
Hands down, this was pretty amazing. Great job, Linus.
Cant expect an assembly spectre exploit in a 10 min vid
One consolation about Spectre & Meltdown. We've been hearing (a lot) about these vulns that will end life as we know it, but so far, (as far as I know), there has not been a single malicious example used in the wild, anywhere, any time, by anyone against anyone. The Y2K bug was lot more real and present and easy to demonstrate...
I'm not saying they can't be used in the wild, but we've heard a hell of a lot about them, but after 4 or 5 months, there's still not been a single case of anyone catching gonorrhoea off a toilet seat.
Lol, my name really is Jeff and I live in N.Y. I own an i7 4770k though, not an i5 4670k.😋
Sure it’s not Rémi?
Qyndryx
Yeah because my Surname would be *Rooms* ...
My name jeff
Could you talk about the Cambridge analytica scandal?
Bas 7 its more a political topic than anything else
We have all known about facebook selling our personal info for years, yet only now do people seem to care...
It's just Facebook, Twitter selling data to a company that then does shit.. Thats what I understood 🙂
nigga what yeah that's true
T.S that’s not the issue, it’s the fact that Cambridge will also take your friends info and sell it. It’s like your friend had sex with a skank and you got their aids as well. It’s probably worth for them but not for you
Spectre is incredibly impractical to exploit. It can really only be used effectively against task-specific machines since the standard home user machine has so much junk data. This supposedly makes it a very useful exploit to steal hashing addresses and wipe out crypto wallets though. Enterprise servers that process payments are ripe targets as well.
6:01 Speaking of plugging holes.....buttplu.....ahem....tunnel bear!! Wanna plug the holes where your ISP can peek at your data? Use a vpn to plug your data holes.
LMAO!
Russ Orler tunnelbear was bought by mcafee so no more tunnelbear ads lol
Dadda Purple speaking of no more ads..... ADVERTISEMENT HERE!
its all pia ads now.
Although I've started using IPVanish and am comfy.
My comp is protected by Drax! His reflexes are so fast nothing would go over his head!
"Why are Spectre and Meltdown so dangerous?"
Mindustry players: indeed they are
Dont say the forbidden names!
laughs in meltdown wall
laughs in infinite wall health
I was watching this on my newly bought Sceptre monitor and freaking out until I realized it's just an anagram.
"Knock knock!"
*Branch prediction*
"Who's there?"
The power of christ compels you - spectre the ghost flys out of pc -
Wasn't quite sure of the scope, whether it meant fishing with half a chance, or if it could target particular data.
One thing that seems clear, the two vulnerabilities will not help to gain access initially, but could be used by malware that has already entered, or by a malicious user on a shared system
At 4:22, “This guy really likes x+y” LOL! And the barking CPU
Thank you for developing meltdown and spectre, NSA
Good job, can't imagine how hard this was to make, simplifying and compressing technical information like this is truly impressive. Give my regards to the script writer.
You say I'll notice when my bank account is empty, but that's my secret. My bank account is *always* empty.
Those noises from the viruses are enough to give me nightmares and make me not download anything off the web again...
Great explanation!
Watching this after taran said he gave the malwares their own "personalities"...great touch :)
photoshop using less ram than chrome? 🤣
Both of these require a persistent threat that has already defeated any security features (AV, IDS, IPS) installed. So the threat is there...but if an attacker has already compromised your device or network....Spectre and Meltdown will be the hard way to get what they already have access to.
4:21 Who else checked Steam??
2:10 i checked steam xD
It's not really the same Sound
Change your name asshole
@@DacLMK no I don't think I will
@@V0TION Change it, it disrupts scrolling on the page
A smartphone trick is to close down all your programes already assigned ram by hitting the square on the left bottom of most devices and hitting the x on the right top of the pages that come up looking like open apps. It is often called closing your recnt apps but I wanted to wxplain it in a way a newbie should be able to understand.
Welp, time to bust out the old 486!
"Here's what you won't get on your 486!"
Actual question here: how do specter and meltdown know how fast certain data from certain memory addresses get loaded in if they don't have access to the data in the first place, and so, don't know when they would otherwise get it?
This is the best explanation of these vulnerabilities I have heard! Nice job!
Being a guy that plays Mindustry, a Factorio-like game, I got confused like "Wait are we really analyzing these 2 end-game turrets" and I got dragged into just as informative a rabbit hole
Mindustry V1 wasn't even a thing at the time this was uploaded, haha
Brought to you by the good folks at the NSA (and the University of Wisconsin). A feature, not a bug.
About 12 years ago the company I worked at my former boss, had his credit account hacked, from a website he bought parts for a shop off of!!! Since then I ONLY USE prepaid credit cards online and NEVER use my own personal bank card or credit cards for transactions on the internet!!! For an extra layer of security I buy two or three prepaid cards and switch up which one I use every couple of months, and then when they are about to expire, I buy new prepaid credit cards!!! And when I DO use them I put just the money on them I need to make a purchase!! Call me paranoid, but it hasn't been an issue for me for almost 16 years now!!! In the end if you are buying $200 worth of stuff on eBay, then you keep $220 on the card (to cover any shipping and the cost of the items). Then in a lot of cases just before they expire you yank out your old cards use up the $5 balances before you use your next card!! It confuses the snot out of the hackers, because they see you are using 3 different cards for one purchase and not any of the numbers match!!! And ALSO use different four digit password numbers on each card as long as you can remember what the password is for each card it shouldn't be a problem and I write my last four card numbers down in a small note book, with the four digit pass code next to it, on my desk!!!! If you pick it up YOU CAN NEVER figure out what the 8 digit strings of numbers mean and without the security code number off the back of the prepaid credit card in most cases they are completely worthless as well too!!! Even if somebody steals the notebook!!! Like I say I might be a little paranoid, but this system has worked for me over the course of 16 years and NOBODY has ever hacked my bank account or run up my credit cards without my knowledge!!! So it DOES work!! And even if the hackers get your prepaid credit card number there is never a balance on them either until you are ready to actually use them, so they can't get anything either!!! And it only costs $5 to put money on the cards which is what I consider as money well spent for the "insurance value" of being secure!! And still in a pinch you can use the cards at ANY ATM without fear as well in case you need the money back off of them as well!!! So in most cases it is far more secure then ANY bank will offer you too!!! Lastly in a given month I use between 3 to 5 different prepaid cards, constantly switching between them randomly.....so this week I might use card number 1234 and card 4321, and card 2134 even on the same website!!! All are called out to my name......but my personal information on the prepaid cards are almost totally limited to just my name and address and not much more!!
1:19 But what about consoles and refrigerators?
There have been windows patches pushed it to essentially disable the gesture that enables the hole. It had a performance penalty in some applications, but it's not horrible.
Wrote a paper on this, so it's interesting to understand what he's talking about in this case. These flaws are game-changing for microarchitecture design.
6:25 - That really needs more explanation. Are you saying it would load into memory and then delete the executable, and then maybe put the executable back on the hard drive if it detected the system was being shut down?
So, if I understand well this is like those ram attacks before it was protected and randomized, but instead of just passing an addres, it tells windows to fetch the slippers.
Could those exploits be used on game consoles to run homebrew?
Yes, but it would require some customization.
no... that's not how any of this works... this is reading memory, not running an os
Only if you are connected to the internet.
6:22 - "All you can really do is be careful what you click on out there."
That's all we can ever really do. (Well, sanitizing with script blockers also helps.) Security holes spring up faster than the plugs for them.
I'm still wondering why my name was used for a security bug.
Cus it sound cool
Sam Wansitdabet that's why I picked it
CommanderRE I also have an AMD processor. Coincidence?
SpectreFour I think not.
glad i learned more about assembly and internal operations of a CPU. all of this makes a ton of sense. it's a way of deducting data at a memory address instead of asking for it directly (which will give a segmentation fault because the memory address it's asking for is outside of the program's "virtual memory", basically its partitioned area / sandbox that it plays in). seems to exploit cpu registers, wouldn't surprise me if this video explains it a little off just so that it's easier to explain. it'd be hard to write an assembly-level bug that utilizes any kind of inference of data, but then again it could probably be done in C, but i doubt it would be
Who the hell cares about someone being the first of a video
4:20
I think I've done this before. Right after my PC turns on, if i try to open explorer, it won't open immediately because it just turned on. But, if I try to open it again, it immediately opens 2 windows of it. I'm not sure if this would fall into this "pattern" category, but It's something I noticed.
that's just lag. you hit the button twice, so it will open two windows. if you hit it once, and wait, it will only open once.
after you turn on your pc. your disk usage will reach about 100% that's because windows memory management, cache, and all that stuff to keep your windows running. because of that, you cant access your windows explorer immediately, there's alot of data to process. here's a tip : Replace your current hdd with ssd, this will solve your problem.
Only one of you were first.
First
First
Galvatron I said it for a joke here
*Blue shell*
well thats one of the reason i'm using adblock and pop up blocker
you'll never know what ads on some website can harm your devices.
"Speculative execution" or "branch prediction" are not "bugs", they're features, and they're burned into intel, Sun, HP, DEC, AMD and ARM silicon, since 1995.
*Laughs in AMD*
Marcuss2 AMD master race
AMD budget race
*cries in coffee lake*
Hans Von Witzland that's still 50% less major vulnerability issues than intel
Laughs in RYZEN
How much you want to bet Specter and Meltdown were intentionally implemented at the direction of the NSA and only got fixed because OOPS cats out of the bag
time to change my passwords to some 10 word sentences
Don't say that or attackers will know the method to crack you.
Dominik Goslawski Problem is they get cached anyway...
6:41 you can see he's ridiculously proud of the segway he just came up with.
When Spectre and meltdown start trying to steal each other's information
Techquickie: it infects computer CPU’s
Me around 1:00: good thing im watching this on a tablet ;-;
Techquickie: IT EVEN INFECTS SMARTPHONES
Me: NOOOOOOOOOOOOOOOOOOOO
This was so simpified and and comprhensive thanks lmg
I like how at 2:35 PhotoShop eats up more RAM than Chrome ;))))
That squarespace segue was gold.
My CompTIA teacher would say how he only uses telephone banking on a separate line and would only plug it in when he needed to use it. I can see why now.
This video is the best one about processor security
I was under the impression to get any information out, you needed local access. As opposed to "clicking on something bad".
I love "Dr. No's" kinky shiny black PVC hands! (mentioned at the start of the video, in case you weren't paying attention) 👍😜🤣
Why has this channel not tackled the important issues like slime and it's effectiveness as a thermal paste?
You should take a Look at Branchscope, it's as devastating as Spectre but not mentioned in mainstream media for some reason.
That just blows my mind. So even if I do something as simple as:
if(false) {dothis()} it will still 'dothis()' even though the code literally renders it impossible because of the possibility of having to 'dothis()'?
The gold is best mylar to drone sheets over triple meltdowns plutonium concoction.keep change bagged good defence.weapon..
So um why the whole Spectre and Meltdown viruses seem worrying this also explained to me why my applications seem to just speed up in loading times over a few days.... weird.
This is why I do all my computing with an enormous roll of toilet paper and a vast quantity of pebbles.
The tech quickie intro is so good. I forgot about it, since I've been watching all vids in Floatplane
Way to change moods...
"And that's why, all of your data can be stolen and you should be afraid. Also, check out squarespace to make your very own website!!"
Ah well good luck trying to extract bank account from my computer that doesn’t even have a bank account.
Linus didn't mention the way these vulnerabilities affect cloud hosts the most.
Linus could you please make a video talking about differences between C++ and C# and which one is better.
woah this video is far better than the rest on this channel (I want to see more videos like this)
and no mention of the spectre microcode updates... well done linus..
2:25 Missed chrome joke opportunity there
Spectre: Affects Intel, AMD, and even phone CPUs.
Watch Dogs 2:
It is so clever to figure this bug out. So much fun understanding Meltdown!
You may have done this already, but if not: I'd really love to see a vlog or WAN Show segment regarding these vulns. Aside from wanting your personal opinion(s) on the whole spectacle, I want to know if you've any tips for us, because I'm sure I'm not alone in having less-than-savvy relatives and friends who are damn near guaranteed to achieve said meltdown in record time, and I really don't know how to begin explaining this to them.
When Linus explains a topic better than a university lecturer.
The Spectre! One of my favorite son- Oh.. you are talking about that other Spectre...
Wow I'm impressed, this video actually got down into pretty technical subjects
As requested, AsRock made a microcode-Update for the good old Z77Pro3. SandyBridge is safe for now. Good thing.
Is it not possible to to code a software that tells the processor to check for a certain code before allowing it to do anything whatsoever?
Well then... I guess I'll add this to the list of things that keep me up at night...
Thank for the explaination Linus
Why did it take until now to be discovered? 1995 bro.... Also i heard that for Spectre you have to be physically next to someone's PC, while Meltdown can be exploited remotely. Is it true?
Thank you for actually explaining what it does in detail.
I got a kick out of how you guys made Meltdown sound like a Breen...
Linus: Meltdown affects every intel CPU made since 1995
Me: *gets a 1994 intel Celeron* YEET
*Footage of technical explanation of the ICUP Joke, 2000-something, Colorized*
now that, was a good rectangular space advert!