Category: Features

Jan 11 2018

Here’s how, and why, the Spectre and Meltdown patches will hurt performance

Enlarge (credit: Aurich / Getty)

As the industry continues to grapple with the Meltdown and Spectre attacks, operating system and browser developers in particular are continuing to develop and test schemes to protect against the problems. Simultaneously, microcode updates to alter processor behavior are also starting to ship.

Since news of these attacks first broke, it has been clear that resolving them is going to have some performance impact. Meltdown was presumed to have a substantial impact, at least for some workloads, but Spectre was more of an unknown due to its greater complexity. With patches and microcode now available (at least for some systems), that impact is now starting to become clearer. The situation is, as we should expect with these twin attacks, complex.

To recap: modern high-performance processors perform what is called speculative execution. They will make assumptions about which way branches in the code are taken and speculatively compute results accordingly. If they guess correctly, they win some extra performance; if they guess wrong, they throw away their speculatively calculated results. This is meant to be transparent to programs, but it turns out that this speculation slightly changes the state of the processor. These small changes can be measured, disclosing information about the data and instructions that were used speculatively.

Read 47 remaining paragraphs | Comments

Jul 08 2017

How I learned to stop worrying (mostly) and love my threat model

Enlarge / We are not Batman. But you get the idea. (credit: Tiffany Liu, MIT)

I have a healthy level of paranoia given the territory I inhabit. When you write things about hackers and government agencies and all that, you simply have a higher level of skepticism and caution about what lands in your e-mail inbox or pops up in your Twitter direct messages. But my paranoia is also based on a rational evaluation of what I might encounter in my day-to-day: it's based on my threat model.

In the most basic sense, threat models are a way of looking at risks in order to identify the most likely threats to your security. And the art of threat modeling today is widespread. Whether you're a person, an organization, an application, or a network, you likely go through some kind of analytical process to evaluate risk.

Threat modeling is  a key part of the practice people in security often refer to as "Opsec." A portmanteau of military lineage originally meaning "operation security," Opsec originally referred to the idea of preventing an adversary from piecing together intelligence from bits of sensitive but unclassified information, as wartime posters warned with slogans like "Loose lips might sink ships." In the Internet age, Opsec has become a much more broadly applicable practice—it's a way of thinking about security and privacy that transcends any specific technology, tool, or service. By using threat modeling to identify your own particular pile of risks, you can then move to counter the ones that are most likely and most dangerous.

Read 36 remaining paragraphs | Comments

May 26 2017

How to build your own VPN if you’re (rightfully) wary of commercial options

Enlarge (credit: Aurich / Thinkstock)

(In the wake of this spring's Senate ruling nixing FCC privacy regulations imposed on ISPs, you may be (even more) worried about how your data is used, misused, and abused. There have been a lot of opinions on this topic since, ranging from "the sky is falling" to "move along, citizen, nothing to see here." The fact is, ISPs tend to be pretty unscrupulous, sometimes even ruthless, about how they gather and use their customers' data. You may not be sure how it's a problem if your ISP gives advertisers more info to serve ads you'd like to see—but what about when your ISP literally edits your HTTP traffic, inserting more ads and possibly breaking webpages?

With a Congress that has demonstrated its lack of interest in protecting you from your ISP, and ISPs that have repeatedly demonstrated a "whatever-we-can-get-away-with" attitude toward customers' data privacy and integrity, it may be time to look into how to get your data out from under your ISP's prying eyes and grubby fingers intact. To do that, you'll need a VPN.

The scope of the problem (and of the solution)

Before you can fix this problem, you need to understand it. That means knowing what your ISP can (and cannot) detect (and modify) in your traffic. HTTPS traffic is already relatively secure—or, at least, its content is. Your ISP can't actually read the encrypted traffic that goes between you and an HTTPS website (at least, they can't unless they convince you to install a MITM certificate, like Lenovo did to unsuspecting users of its consumer laptops in 2015). However, ISPs do know that you visited that website, when you visited it, how long you stayed there, and how much data went back and forth.

Read 81 remaining paragraphs | Comments

Apr 17 2017

Lawyers, malware, and money: The antivirus market’s nasty fight over Cylance

Enlarge / Is it "fresh malware"? Or is it something else repackaged? (credit: from an image by Sarah Shuda)

Last November, a systems engineer at a large company was evaluating security software products when he discovered something suspicious.

One of the vendors had provided a set of malware samples to test—48 files in an archive stored in the vendor's Box cloud storage account. The vendor providing those samples was Cylance, the information security company behind Protect, a "next generation" endpoint protection system built on machine learning. In testing, Protect identified all 48 of the samples as malicious, while competing products flagged most but not all of them. Curious, the engineer took a closer look at the files in question—and found that seven weren't malware at all.

That led the engineer to believe Cylance was using the test to close the sale by providing files that other products wouldn't detect—that is, bogus malware only Protect would catch.

Read 61 remaining paragraphs | Comments