What a start to the year...

It's been a crazy couple days on a couple fronts, but the most material front has certainly been Spectre and Meltdown.

There are lots of sources, and the trick is that while distinctly the root cause lies in the CPU domain and with the CPU manufacturers- the impact touches nearly everything.

It's been keeping the team here busy for a while.

For Dell customers - here's the main place for aggregation of the latest official information and updates - for everything from clients, storage, network, data protection, and CI/HCI.   This page also links to key partner ecosystem official landing pages.

One that I want to call out specifically - VMware customers have some benefits naturally, but updates are still critical, and you can read more on that here.

Yes CI and HCI customers there will be formal system level updates (and they will be on that page) including RCM updates for VxBlock and VxRack FLEX, as well as automated updates for VxRail and VxRack SDDC.   We're aggregating up all the impact assessment and rolling everything into a common update.

For those seeking to understand what this is all about, I would start:

  • Here if you want "just the facts" and are of a comp-sci bent - the Project Zero blog from Google is pretty authoritative on the root cause and how the exploits work (though it was discovered by several groups nearly simultaneously)
  • Here if you want the summary, with some added commentary/snark (in classic El Reg style).

A little bit of personal perspective:

  • IMHO, this falls into the "failure of imagination" error category - like the fire in Apollo 1.   It's so obvious now how speculative execution could be exploited, but it's a facepalm moment.  My 2 cents - witch-hunts don't help, learning does.  We will pick ourselves up, learn, and get better from the failure.
  • I know it's hard - but try to pragmatically work the problem, not guess.  Since the cause is with the CPUs, but the impact is industry wide, lean on your partner ecosystem to help you (certainly not limited to Dell Technologies, there's a lot coming from Intel, ARM, AMD, Microsoft, Google, Apple and others)

To continue the space program metaphor, and to quote the one and only Gene Krantz: "Let's work the problem people. Let's not make things worse by guessing."   

It's only logical that the fixes and workarounds for these 3 exploits will have some degree of performance impact (since they are fixing/working around a flaw in something that is a performance optimization, namely speculative execution).    But - the impact will vary.   I've seen people latch on to early data, or data from one workload or another, or one test that they read online somewhere.   Let's not panic, let's pragmatically work the problem together.

Welcome to 2018!

Powered by WPeMatico

I'm The Hammer - Startup Security Weekly #68

This week, Bam Azizi of NoPassword joins us for an interview! In the article discussion, we talk about why not to brainstorm in groups, the real reasons companies are so focused on short term, and how to break bad business habits! In the news, we discuss Barracuda Networks acquiring PhishLine for an undisclosed amount, and more on this episode of Startup Security Weekly!

Full Show Notes: https://wiki.securityweekly.com/SSWEpisode68

Visit https://www.securityweekly.com/ssw for all the latest episodes!

Powered by WPeMatico

Where's My Starbucks - Application Security Weekly #00

Paul Asadoorian and Keith Hoodlet bring you our brand new show, Application Security Weekly! On our first episode, Paul and Keith will discuss the history of application security and software security! In the news, what you need to know about CPU vulnerabilities, negative results testing Intel CPU design, Mozilla Firefox patches, and Starbucks Wi-Fi mines Monero via CoinHive! All that and more, on the first episode of Application Security Weekly!


Full Show Notes: https://wiki.securityweekly.com/ASW_Episode00


Visit https://www.securityweekly.com/psw for all the latest episodes!

Powered by WPeMatico

Snowmageddon - Paul's Security Weekly #542

Marcello Salvati of Coalfire Labs joins us for our featured interview. John Strand delivers another killer Tech Segment about the new mimikatz event log clearing feature. Then in the security news, 10 things in cybersecurity that you might have missed in 2017, a flaw in major browsers, a critical flaw in phpMyAdmin, beware of a VMWare VDP remote root issue, how to protect your home router, Meltdown and Spectre explain how chip hacks work, and Intel is in the security Hot Seat over a serious CPU design flaw! We also hear from Keith Hoodlet about our brand new show! All that and more on this episode of Paul's Security Weekly!

Full Show Notes: https://wiki.securityweekly.com/Episode542


Visit https://www.securityweekly.com/psw for all the latest episodes!

Powered by WPeMatico