by keldaris 2587 days ago
The conversation was about the (nominally technical as well as more mainstream) press, not the experts. My remark regarding "wild hysteria" was made in that context. Experts and competent users will do the same thing they always do - evaluate any and all mitigations in the context of the threat models relevant to their use cases and act accordingly. Whether depriving the mass of less technically inclined users of the performance they are used to, with all the implications that entails (including for energy efficiency and other externalities), is a wise decision only time will tell.

> My remark regarding "wild hysteria" was made in that context.

Considering we are referring to attacks that can bypass your PC's security, "prudence" is a better word than hysteria.

Yes, if they are left alone, it is the "end of the world".

They can be used to make any modern OS and browser as full of holes as Windows 98.

> Considering we are referring to attacks that can bypass your PC's security, "prudence" is a better word than hysteria.

That statement can be made about any vulnerability whatsoever. The merit of any mitigation can only be determined by a cost/benefit analysis that takes into account the potential impact of the vulnerability as well as the very real costs of mitigating it.

> Yes, if they are left alone, it is the "end of the world".

No offense, but this is exactly why the word "hysteria" seems far more appropriate than "prudence". Not a single one of these vulnerabilities has been used to cause any measurable damage anywhere that we know of, whereas the mitigations deployed have significant costs that everyone must pay. Despite this, emotional "the sky is falling" type pronouncements are far more common in the media - even the ostensibly technical press - than attempts to rationally weigh the costs and benefits of any particular approach to the problem.

> Not a single one of these vulnerabilities has been used to cause any measurable damage anywhere that we know of, whereas the mitigations deployed have significant costs that everyone must pay.

That's like saying: "nobody was drowned that we know of, whereas there was a significant cost to building the dam that everyone paid". (And also not dissimilar to arguments about doing no major industry/lifestyle changes regarding climate change).

It's exactly because there were mitigations relatively quickly deployed that we didn't have a "hack em all" exploit doing the rounds in hundreds of millions of devices. The difficulty of exploiting also gave some leeway to deploying those mitigations.

> That's like saying: "nobody was drowned that we know of, whereas there was a significant cost to building the dam that everyone paid". (And also not dissimilar to arguments about doing no major industry/lifestyle changes regarding climate change).

It is very dissimilar indeed - the sentence you quoted does not constitute an argument by itself. It is an observation regarding the present state of affairs (which you have not disputed), which to me indicates a need to take a breath and do a reasoned cost/benefit analysis as opposed to the hysterical "this must be fixed at any cost, externalities be damned" mindset that is fairly common in many circles.

If you really want a climate change analogy, though, consider this - however many mitigating workarounds you invent, as long as speculative execution exists there will always be side channel attacks, and eventually some of them will probably succeed to some extent. Perhaps, as you noted, some major industry/lifestyle changes are indeed in order - people could stop living in the delusion that a perfect sandbox is possible and realize that arbitrary code execution will always entail risks. Rather than turning every website into a potential security risk, perhaps it is our approach to software (rather than hardware) that needs re-evaluation.

> The difficulty of exploiting also gave some leeway to deploying those mitigations.

That's putting it lightly. Exploiting Spectre to get private data is difficult. Turning that into a privilege escalation is exponentially harder, so any "hack em all" exploit on hundreds of millions of devices would have needed an entirely unrelated mechanism for spreading.