 Welcome back to the Cyber Underground. I'm sorry I couldn't be here last week, but of course you had Jeff Milford, president of the ISC2 chapter here in Hawaii. A big shout out to Jeff and his friend for being here and hosting the show for us, so I certainly appreciate that. Today, I have Hal, the networking guy with me, back, welcome. Welcome to the Cyber Underground, great to have you on the show. We're going to follow up from what Jeff did last week and talk about Spectre and Meltdown. Have you heard about them? I've heard of little else. Little else? Talk of the town, right? So tell me what you know so far, what you've been reading, because like you said we've been getting conflicting accounts, right? People write different stuff. Yeah, there's been some conflicting information, but generally what everybody seems to agree on is that this is a problem that can expose sensitive information, that causes it to be shared between processes, between different programs, when it shouldn't be. It's actually a hardware problem, but because it would be so hard to replace everyone's hardware all at the same time, we have to have a software fix. So there's the updates and things that are coming out are actually a software fix for what is really a hardware problem that's in the chip itself and the way that the chip works. On the central processing unit of a computer, right, the CPU, and we can't just go changing those out, especially in laptops they're soldered right to the motherboard. So it's really changing this out would be an expensive endeavor, I mean way beyond our budget. There's no return on investment on that. Yeah, it would take quite a long time too. And hopefully they're manufacturing chips without this problem going forward. It should be now, yeah. It should be now. They are now, I'm sure. Well, Intel, give us a statement. They don't want to live this again. 
Intel is committed, they say, committed to providing updates for 90% of CPUs produced in the last five years. Now you've read up to 10 years, but it depends on your source. I read somewhere that it might not be, I had read that some of the fixes will go back as far as 10 years. That doesn't mean that every chip going back 10 years will be, this sounds like they're saying 90% of the CPUs that were produced in the last five years will be fixed. Who knows what it is in 10 years? It might be 10% of the chips going back 10 years will be fixed. It could be the chip type though. I mean we're talking about say Windows 10, I have some examples here. Windows 10 running the Skylake and Kaby Lake or newer CPUs. Now if you implement this fix, it's going to slow you down a little bit. Yes. Now it's going to be negligible on these CPUs, but the reason I wanted to discuss the reason it's slowing us down, these shared arrays that are the problem. They're shared pieces of memory that are supposed to be isolated by default, but sometimes are not. So if you use one of these shared arrays, it's possible right now with this Spectre and Meltdown to speculate what could be in that array to a level of accuracy that might be able to let you predict what that data is so you could steal that data. That's a problem and some people don't realize when you host in the cloud. You could have one big physical server with a bunch of virtual servers that's called shared hosting. You could have your own server in the cloud and somebody else has a virtual server next to yours and memory could wash back and forth. Now you could read somebody else's private data. This is a big problem. So the fix is supposed to make the software check that array for size and availability and content before it actually puts data in that array. That adds another step, which is going to slow things down. So faster CPUs aren't going to feel this as heavily as older CPUs. 
So if you've got a system that's five, six years old, which let's face it, most of us Mac users really push that way out there, you know, at laptops you want to get the best life out of them. But you're going to see a slowdown on your system when you implement these fixes and not just on the CPU. So Intel is going to provide fixes. And I think what they're saying is for their firmware. So there's a BIOS or the new set version of the BIOS on a motherboard, which helps it read all the systems on the board as it boots into the operating system. So before even like Windows or Mac starts, you're looking at your CPU and all your other systems, the USB bus and so forth, video card, what have you. And after it does that, then it will allow your operating system to run. But the operating system has the same amount of flaws. So you have to patch Windows. And then we're finding out that later on, browsers, applications that run on your operating system have to be patched as well and put into isolated mode. And every one of those steps that you're patching is going to slow it down just a little bit more. So the Windows 10, when we're talking about Skylake, Kaby Lake or newer CPUs, Intel says there's going to be a negligible difference in benchmark performance. But it doesn't count for the Windows operating system or your browser or say Microsoft Office or something else that's running on your CPU. So every little step can slow you down. They did say that Windows 10 running Haswell or older CPUs will see some significant slowdowns. And you'll notice a decrease in system performance. So that's probably going to spur a new generation of computer buyers. What do you think? Do you think this is going to be good for hardware purchases in the future? It's certainly good. Now, the only reason I'm saying that is because I just bought a new iPhone because the iOS 11 came out. And of course, my iPhone 6 slowed down to a crawl. And I didn't know about the battery problem. 
So now I have a new iPhone. So I think a lot of people are going to go out there and buy new hardware. The problem is, I haven't heard Intel say we fixed this problem on all our hardware going forward. I haven't heard that yet. But I'm just waiting. I mean, they almost, I mean, they have to do that. They can't. They don't want to relive this over again. I mean, they have to release. And they may see it as marketing for new hardware. Buy our new one that doesn't have this. Great marketing tool. The whole reason in the first place that they designed the chips to do this was to speed them up. They gave them this predictive behavior so they could look into memory and try to predict what the next instruction was to try to speed them up. So now by taking this away, I mean, clearly, it's going to take away a little bit of speed. But now they can market their new chip as Spectre-free. Yes. Not only Spectre-free, but as fast as the old chip used to be. The old chip used to be. Without the fix. Yeah, everything old is new again. Well, thankfully, Microsoft is coming out with the January security updates. And this should be in them, according to Microsoft. macOS has already released, what is it? High Sierra, 10.13.2. The .2 is a minor fix which takes care of this problem on the macOS. And Windows has January updates. But we're also talking about our phones because they have the ARM processor, the ARM processors, right? Which is also vulnerable too. So iOS, which is Apple for the iPhone, they've already released the patch. This is 11.2. It's a minor release, not a revision. So the major is 11, .2 is the minor. Point anything else is the revision number after that. So this is a major or a minor release. And it includes these security updates. But let's talk about Android for a minute. So Android builds are specific to their vendor. So Android, being an open source system, has to be customized for the LG phone, for the Samsung phone, for whoever the manufacturer is. 
And sadly, Samsung is nine to 10 months back from issuing updates for their older phones. That's their average. I really am. It's terrible. Really surprised to get it. LG's a little bit faster. There's some other faster vendors out there. Samsung is at the bottom of the list. This is a curiously powerful vulnerability that has not been taken advantage of yet. You have a Samsung phone. I do, that's good. Yeah, has there been a release yet? No, I've heard exactly what you said. Because Android is kind of fractured with all these different versions for different vendors, you've got to wait for your vendor to come out with it. I had assumed that Samsung would be up there with everyone out releasing an update very soon. I hadn't heard anything so far. Hopefully it will change. And I wonder why they're so far behind all the other vendors. No, for a marketing US vendor? From a marketing perspective. If you want to make the most money, because you have to customize your Android kernel, your Android system for your phone, if you really wanted to move people into newer phones, you would stop releasing updates for the older phones. Now, Apple, I think, had a different strategy. We'll update all your phones. We'll just slow the old ones way down, right? And they got caught doing that. But the Android phones, they have no motivation, really, to update the Samsung Galaxy, what, five. Why would they when they're coming out with a nine? Still out of three. It works great, right? Just waiting for it to die. You're really getting the return on it, doesn't it? It's the last drop in life out of a thing. But look, it hasn't blown up. It's been a reliable device, right? It does what you need it to. And I've seen it operate pretty quick, so it's not slowed down. But I think that strategy could backfire on them, because if they don't release patches for this, I, for one, I'm not going to trust them in the future. 
And I'm not going to buy another one of their phones if they're going to leave me vulnerable for this until I buy a completely new device. So that could backfire. The manufacturers really have some advantage over us right now. And with these fixes, I'm hoping they change their tune, because I think security fixes move faster than they want to market new devices. Oh, absolutely. So they need to look back. And I think Microsoft did some good stuff. They're actually patching Windows 8.1 and Windows 7, which is tremendous, because Windows 7 end of life a couple of years back. And we know that WannaCry was one of the reasons that people got so hammered over in England. Their whole medical system went down, because they were using Windows 7, trying to get every last drop from that investment, right? And so Windows realized, oh, well, people are really using the systems. Better put the big security fixes on the old one. Let's patch everything. And they did it this time, which I'm, thank you, Microsoft. I'm impressed by that. I'm impressed. It gives me a little more confidence. I think it's got a more global view than just their shareholder price. And that's what I'm saying, is that that confidence won't be there with Samsung if they're not going to release updates for this for some time. And they've had some bad PR in the past just recently with the battery thing, yeah? Yeah, they've had some really. You still can't get onto a plane with a 7. With a 7. Yeah, yeah. The Galaxy Note 8, though, we have friends that use the Galaxy Note 8 and seems great. I mean, it's a great device. Physically, it's a great device. But we're victims of the Android build that they put on there. And we're waiting for that update to come out. Do you have the latest Android on your phone? Did they come out with a release of the latest Android operating system? I don't believe that my phone's been updated yet. No, I've been kind of waiting for it. 
No, I'm an iOS user, so I don't know what the latest Android is, Oreo? Not 100% sure. I wish we had callers right now. You can call in at 808-370-2014 and join our conversation. Hopefully, you'll call in and say, it's Oreo or whatever is the latest Android. It's just a hoi. It's some food. We had jelly bean and ice cream, right? Yeah, so what are you going to do now? I mean, you have the three. If it dies, how is this going to change your perspective going forward? Well, it might accelerate my need to get a new phone. I've just been waiting to get a new phone. Anyway, just kind of waiting to get as much life out of this as I could. But this might give me a little push when they release phones that are completely invulnerable to this exploit, then maybe that will be the moment when I decide, OK, it's time to get a new phone. Wouldn't that be nice? So when you get the hardware, you just wait till they fix all the chips on the phone. And just get a new phone with a chip that is not vulnerable to it. I wish I could do that, but I just invested in a new phone and I'm stuck with the fix. So I'm not sitting in such a bad spot that I'm right on the cusp of getting that new device. So if I just wait a little while longer, I can probably get one with a new chip that's not going to be. I kept saying that about this phone that I have in my pocket, because I used the iPhone 6 for three and a half years. And I just kept going, well, just wait a little bit longer. Just a little bit longer. OK, now's the time. Then this happens. And it's horrible to think about what if you buy a new phone and something else happens. Because these securities, this is every day that something comes out. This is unbelievable how many people are out there looking for exploits right now. All these bug hunts going on. And they're big, big money bug hunts. You can make a lot of money finding bugs and selling them. But well, we're going to take a little break. 
We're going to come back, make a little money for commercials. And then we're going to talk about how we can fix our systems to compensate for this fix. We'll be right back. Stay safe. Aloha, I'm Winston Welch. And every other Monday at 3 PM, you can join me at Out and About, a show where we explore a variety of topics, organizations, events, and the people who fuel them in our city, state, country, and world. So please join us every other Monday at 3. And we'll see you then. Aloha. Hello, everyone. I'm DeSoto Brown, the co-host of Human Humane Architecture, which is seen on Think Tech, Hawaii every other Tuesday at 4 PM. And with the show's host, Martin Desbang, we discuss architecture here in the Hawaiian Islands and how it not only affects the way we live, but other aspects of our life, not only here in Hawaii, but internationally as well. So join us for Human Humane Architecture every other Tuesday at 4 PM on Think Tech, Hawaii. As a short break, we couldn't even leave the room. Welcome back to the Cyber Underground. I'm Dave Stevens, your host. And here with me today is Hal, the networking guy. Hal, welcome back. Let's talk about how we can protect ourselves from this horrible new vulnerability. I got to emphasize, though, I have not read of anyone exploiting this vulnerability. This is highly unusual that we're catching this ahead of time. So hopefully, if everybody patches and uses all the updates, we're going to have the least amount of damage from any of the vulnerabilities that plagued us in the last year, including WannaCry and Petya and all those things. So let's talk about updates. Now, most businesses will update on, say, a monthly basis. Microsoft, Patch Tuesdays or whatever. You might think about updating more often now once a month. Is that enough? It kind of depends what you're updating for when it's just minor little bug fixes and things that's probably fine. When there's something major like this and it's just kind of waiting. 
It's kind of like a ticking time bomb. We're just waiting. We know sooner or later someone's going to release an exploit for this in the wild that can be used against people to attack their systems. Then it might be worth moving that update schedule up a little bit to make sure that this is one less thing you have to worry about. Because this is pretty major. You can read complete memory, which can include all kinds of sensitive information, passwords, encryption keys, certificates, all kinds of things that are in memory. So this could cause a lot of damage once there's an actual exploit out in the wild. I don't think people understand that memory is a virtual state on a chip. The electrons are suspended there in the chip in a certain state in a configuration that represents your data. And it will stay there even if you close, say, Microsoft Word or your browser. It will stay there until another application needs that memory. So it'll be in residence in memory until you shut off your system and there's no more electricity flowing through there. So that data, highly sensitive, and just sitting there waiting to be attacked. And it could be any number of applications. And even then, even after the power is off, I've actually seen research where they've used liquid nitrogen to freeze memory chips. And the data stays there. They can take those memory, they can freeze them, take them out of one computer, store them into another computer and access that data. Wow. Because it stays for, like, 10 minutes or something if it's completely frozen. This is amazing stuff. So you really got to drain it. And that's another thing that people don't realize. On the motherboard of any system and in most electronic devices, we have these things called capacitors that hold an electric charge. And the reason we do that is because electricity fluctuates. It's not all perfectly clean current, all at the same level, all at the same time. 
So you have these capacitors to compensate, to fill in the gaps when there's a drop, and to suck up more power when there's a peak. And so you do get that clean flow through your system, but these capacitors can charge up to 10 seconds. So when you turn off your system, those capacitors, they slowly bleed out. But what's the longest you've seen a capacitor last? Depends how big the capacitor is. You can have huge ones. Huge capacitor that can hold a charge. The big CRT monitors that had big, big capacitors, those could hold a charge for a week. Oh, the old bubble screen that looked like a TV. But I mean, generally, if you look at your motherboard, there's usually a light that shows that this power is still on the motherboard. And when you shut it off, it takes 10 to 15 seconds, because that light slowly goes out. That's the capacitors all discharging. And so on a typical motherboard, it's probably not more than a few seconds. Now, this is why when you call your cable company and you say, something's wrong with my internet service. And the first thing you say is, well, you've got to reset your router. So unplug it. And then they tell you, wait, you've got to wait. Give it a full minute. And people don't understand why. Like, I unplugged it, the light's out. I'm going to plug it back in. You have not let everything erase itself so you're starting from scratch. And it's stuff that's still in the memory as long as electricity is there. So these things can really corrupt the system. And you can lose a lot of your data just by these shared memory arrays, which is a big problem. So let's talk about what we can do. We've already discussed upgrading your operating system. So if you're out there, look at your operating system, get the latest patches. macOS, you can go to the app store under updates. And all of the updates that are relevant to your system will come up. 
Even if you're using the old El Capitan or just regular Sierra, you'll still get patches that are relevant to this. Microsoft is the same. 8.1 and 7. If you went to update Windows, you get the same stuff, right? But they're not quite out yet, right? As you said earlier that the Windows patches should still... It should be available this month. It should be available this month. They're compensating now. It could have happened today, but I don't know. I didn't check my Windows system today, but I know Mac has already issued this and they've already taken care of their mobile devices, which includes iPads and iPhones and iPods. You bump up to 11.2 for iOS and you're covered. I've not heard anything about Android yet. Nathan, yeah? Linux and Android because so many different distributions and I guess it's dependent on each distribution. Not thought about Linux, that's right. Linux, how many distributions do we have? Android is based on Linux. Right, right. So Android, we have two major distributions, right? We have the Debian line and we have the Red Hat line with all their different sub-distributions. And there's so many different distributions. Right. That probably each one has to be independently updated, you know, has to have its own patches. So in the next show, we'll see. It could take a while. We'll come back and we'll say, here's the distributions we've seen with updates and here's the ones without updates. Because there's some really popular distributions of Linux, Ubuntu, right up there at the top of the stack. Mint's becoming really popular. What's another of? Kali Linux and Security Onion. Getting pretty popular. Those are distributions all Debian though, right? And we have CentOS, CentOS from Red Hat. Super popular and of course Red Hat itself. So we'll come back and we'll tell people about those fixes next show. In the meantime, let's talk about browsers. So we have, I think there's four major browsers out there. 
Microsoft's got Internet Explorer still running on their systems and they also have the new Edge browser. Now they get updated automatically when you update your system in Windows. So you're a recent Windows user. What's your experience with these browsers? Do you use them a lot or do you stick to the other? Honestly, I don't use the Microsoft browsers at all. I use Chrome and I use Firefox. And I believe I've seen updates for both of them. So those should be. I can't speak to the Internet Explorer or the Edge updates, but I would assume if those are not already, those would be part of this Windows update that's coming as you said this month and they won't say exactly when. Actually, Microsoft did say Internet Explorer 11 will be included in that update. So as long as you're not running IE8. Yeah, which you shouldn't be doing anyway for a thousand other reasons. Dozen other reasons, easily like dozens and dozens. So let's talk about Firefox and Chrome. Now Firefox has a huge distribution that you use for educational institutions and some Linux distributions called ESR. So ESR has had an isolated shared buffer array for quite a while. So that one's done. If you were using Firefox ESR, you take care of it. The update for the regular Firefox for the rest of us users, 57.0.4. So it's a revision number all the way down. Two decimal places over. And if you use 57.0.4, you are out of the woods. Now Chrome did not come out with an update. Instead, they said, how did they say this? You have to patch it or let me look at this. You gotta go to strict site isolation and enable it. So that's kind of tough. And you have to put something in the browser bar and you should look this up. Chrome strict site isolation. And Google will tell you how to do this. I can't put this up. So this will disable the shared memory arrays that are at the core of this problem. 
Although you would think that at the very least, they would release some kind of update that would just enable that by default. I would have hoped. It's scary when I went to my browser and enabled this, strict site isolation. If you read the description, the first line says a highly experimental memory. Highly experimental. Highly experimental. Maybe that's why. Oh, that's a dangerous first three words to put in there but then to recommend that people have to do this. And I'll tell you, if you're a business and you have applications that depend on browsers and certain applications will say you must use Chrome. You must use Internet Explorer. I actually am doing some work for a company that has a software application that was written specifically for Chrome. And when we changed that setting, it broke. Well, now we have to get in touch with a vendor and say, that's the problem with experimental settings. It's gonna break some stuff. So this is one of those reasons that companies don't roll out software updates so quickly. You know, at home, oh, it's an update, click, I'm done. But at a company, there's a lot of things to consider. You gotta test all this stuff out. I mean, have you worked for those before? And if your systems go down, you lose a lot of productive time because of this, you're losing money. At home, you're just frustrated and you're aggravated, but you're hopefully not losing money every minute that your system is down. But yeah. If you depend on computers, if you're a stock brokerage, yeah, if you're an oil company, if you're an airline, oh my gosh, airline. Don't ever take them down. They run 24 seven. Yeah, there's no break, right? So anytime you see, I need an update, you have to pick the lowest traffic time for your update window and you have to tell people you can't get on our site during that time. Not only. A lot of considerations. 
Not only that, but change management, hopefully, you know, these IT departments in these big companies are doing change management, where they've got a sandbox system and they're testing these updates off first to make sure that they're not gonna break anything. That's vital, and that takes time. That takes time and money. And then when they're confident that, okay, it's not gonna break anything, then they release it out to the rest of the company. Yeah, a lot of things to consider. And it takes time for that whole process to kind of run through. We're out of time. Unbelievably, we're out of time again. Ladies and gentlemen, go out there and update your devices. If you got a phone, you got an iPad, iPod, you got an Android device, if there's an update for it, go out there and update it. If you have Mac, you have Windows, go out there and update. If you're a pro Linux user out there and you know how to use the YUM Updater in Red Hat, see if there's an update up there for your system and if you're in a Debian situation, go out there and use the apt libraries to see if you can update your Linux system that way. And by all means, come back next week. We're gonna give you some Linux updates. Until then, stay safe.