by NinjaKitten 3085 days ago
"Intel has a bug that lets some software gain access to parts of a computer’s memory that are set aside to protect things like passwords."

Seems like very little got through to the media about the details regarding this flaw's effects and costly workaround.

4 comments

Very little by way of details has been made public yet. Not even the technical press. Even relevant comments in the Linux source are redacted at the moment. Hopefully, further details will be released in good time (in the next month?) when people have had time to install the patches that are going out RealSoonNow (i.e. the huge plan of updates on Azure's VM hosts).
> Even relevant comments in the Linux source are redacted at the moment.

People keep repeating this claim because it sounds dramatic, but I'm not sure it's a fair description. The original source appears to be a single snide tweet from @grsecurity [1] referencing this comment [2].

It's far from obvious that the comment was even "redacted" at all. It seems more likely that "stay tuned" is either a reference to the more detailed comments elsewhere in the patch (in arch/x86/kernel/ldt.c), or a reflection of the fact (which is clearly spelled out in the commit message) that future patches are likely to change the location of the LDT mapping.

I've skimmed through the commit messages and comments from the latest patchset [3] and couldn't find anything else that even hinted at redaction, nor could I find any mention of redactions on the linux-kernel mailing list.

Furthermore, it's worth bearing in mind that @grsecurity has been involved in numerous public feuds with the Linux security folks. So in the absence of concrete evidence, I'm not particularly inclined to assume his tweet was made in good faith.

Bloomberg is not going to focus on technical detail too much (at all) given their readership. Follow the link to The Register for more detail.
This Reddit thread has more information on the bug https://www.reddit.com/r/sysadmin/comments/7nl8r0/intel_bug_...
That Reddit thread is repeating back information from previous Hacker News threads.
Spreading of information is a good thing.
It's not information. It's speculation.
Er, no.. what? There's a lot of non-speculative information in that Reddit post..
In this particular case, will the generalization help their readership?

I actually think it will - it would be easy to give more accurate details that cause many readers to glaze over.

That was my reaction. How to ELI5 the risk in multitenant VM environment? It could steal passwords.
> How to ELI5 the risk in multitenant VM environment?

Some other guy paying EC2 steals your customers' passwords by sheer force of will

> How to ELI5 the risk in desktop PC?

A piece of JavaScript in some 0x0 pixel iframe in a tab you're not even looking at stealing your passwords and SSH keys

(Although nothing is proven in the latter regard, I wouldn't be per se surprised to see something in that direction once the exact nature of the issue is more widely known)