Intel Hack is NSA backdoor 'Discovered', NSA created BITCOIN - What's to worry?

[vapourminer]

So much FUD in this thread. I have written up a blog post explaining Meltdown and Spectre for the average person (who has some familiarity with computer terminology).

The NSA has no interest in stealing your Bitcoins. If they are stored on your PC and the NSA wanted to steal them, believe me, they could steal them and the Meltdown and Spectre attacks have nothing to do with how they'd take them. For most people, a hardware wallet is the best way to keep your coins secure. Hardware wallets are not vulnerable to the Meltdown/Spectre class of attacks.

You got any more info on this? What CPUs are hardware wallets using?
Spectre is pretty wide reaching, even some ARM chips are affected, so I am quite curious about architecture hardware wallets use, since there are not many CPU manufactures in the world.

doesnt make any difference what cpu the hardware wallet is using, its running signed trusted code from the manufacturer 100%. no way for the malware to get in.

trezor had a side channel attack (power draw analysis) a while back but thats been fixed for a long time.

[1713959714]

1713959714

[1713959714]

1713959714

[1713959714]

1713959714

[1713959714]

1713959714

[1713959714]

1713959714

[13abyknight]

If Bitcoin was NSA, this very forum where we are discussing about how NSA is behind everything wouldn't even exist. They've always been known to suppress everyone who talk about or against them and in this case, this forum is a place for rational discussions even about the accused organisation itself. It's all conspiracy and nothing more to it unless I see actual proof.

[Colorblind]

All the routers and stuff its same, Microsoft has been working with NSA since 1990's, all mobile phones are NSA, hell even PUTIN says "Google is NSA"

Where have PUTIN made that statement? Can you provide a link or something? That's curious!

BITCOIN is NSA, the white paper is NSA "How to mine a mint"(1996), SHA-256 is NSA,

More interesting is how the chinese/russian hackers will use this new information, its just another vector or path, into the bowels of Bitcoin.

You all have your wallet on your smart-phone (google-nsa), its not like they didn't have you all along, besides they created bitcoin to track&control your spending, your phones  job is your location, and what your saying, and doing

And this sounds a lot like racist paranoia honestly. First of all - if by hacker you mean criminal (that's racist on itself), then criminals will do with this what criminals always do with bugs - exploit them for maximum profit. Other hackers (security experts for example) will probably use it to explore measures they can take to prevent further breaches and leaks. Also nationality shouldn't matter, so calling them Russians, Chinese or Indians is nothing but pouring your emotions and hatred to the public.

[Tonyfredzy]

All of this is very possible, but let's not get ahead of ourselves like we have the proof already.
When people accept something as a fact without proof, even if they are right, they stop looking for proof as hard as they otherwise would.

Also there wasn't one "kid", there was a whole team of researchers.
And the "BITCOIN is NSA" part, a bit of an overreach, not that it would mean that Bitcoin is bad even if it was true.
Let's not forget that Tor was developed by US military and also the Internet and neither was a secret nor was bad for humanity.

Sometimes government agencies want to be anonymous as well. Especially if they like getting involved in other government's business.

It is not that black and white. Sometimes governments need to mask their operations by hiding in the crowd, so they gift the weapon to all, so no one knows when they use it and when their weaker enemies use it.
And when their weak enemies use it, it just gives them more justification for their existence.

Very insightful, not to take every news in hook, line and sinker.
NSA or not I guess we have not much to fear as long as you ain't harming no one or whatever

[aleksej996]

So much FUD in this thread. I have written up a blog post explaining Meltdown and Spectre for the average person (who has some familiarity with computer terminology).

The NSA has no interest in stealing your Bitcoins. If they are stored on your PC and the NSA wanted to steal them, believe me, they could steal them and the Meltdown and Spectre attacks have nothing to do with how they'd take them. For most people, a hardware wallet is the best way to keep your coins secure. Hardware wallets are not vulnerable to the Meltdown/Spectre class of attacks.

You got any more info on this? What CPUs are hardware wallets using?
Spectre is pretty wide reaching, even some ARM chips are affected, so I am quite curious about architecture hardware wallets use, since there are not many CPU manufactures in the world.

doesnt make any difference what cpu the hardware wallet is using, its running signed trusted code from the manufacturer 100%. no way for the malware to get in.

trezor had a side channel attack (power draw analysis) a while back but thats been fixed for a long time.

Meltdown and Spectre vulnerabilities are due to hardware implementation, that is why they are such a big deal now.
It doesn't matter if you are running Windows, Ubuntu, Android or the OS of your router, the problem is not in the code it is the hardware that has the vulnerability.

The problem however is local privilege escalation, so I guess you have a point, since code would have to be executed on them. The problem is that code wasn't built with this in mind, so it is maybe allowing some low privilege access to something that wouldn't be a problem if it wasn't for these vulnerabilities.

[AGD]

All of this is very possible, but let's not get ahead of ourselves like we have the proof already.
When people accept something as a fact without proof, even if they are right, they stop looking for proof as hard as they otherwise would.

Also there wasn't one "kid", there was a whole team of researchers.
And the "BITCOIN is NSA" part, a bit of an overreach, not that it would mean that Bitcoin is bad even if it was true.
Let's not forget that Tor was developed by US military and also the Internet and neither was a secret nor was bad for humanity.

Sometimes government agencies want to be anonymous as well. Especially if they like getting involved in other government's business.

It is not that black and white. Sometimes governments need to mask their operations by hiding in the crowd, so they gift the weapon to all, so no one knows when they use it and when their weaker enemies use it.
And when their weak enemies use it, it just gives them more justification for their existence.

It's even more effective, when you let your enemy (and everyone else) think, he could use these tools anonymously, while you only have the key to decrypt all traffic.

[Cryptophobia]

Everything is spying dont worry

[haltingprobability]

So much FUD in this thread. I have written up a blog post explaining Meltdown and Spectre for the average person (who has some familiarity with computer terminology).

The NSA has no interest in stealing your Bitcoins. If they are stored on your PC and the NSA wanted to steal them, believe me, they could steal them and the Meltdown and Spectre attacks have nothing to do with how they'd take them. For most people, a hardware wallet is the best way to keep your coins secure. Hardware wallets are not vulnerable to the Meltdown/Spectre class of attacks.

You got any more info on this? What CPUs are hardware wallets using?

It doesn't really matter because hardware wallets are not running applications - the hardware wallet is a "closed ecosystem".

Spectre is pretty wide reaching, even some ARM chips are affected, so I am quite curious about architecture hardware wallets use, since there are not many CPU manufactures in the world.

Try reading the summary of the linked blog post. It's crucial to keep in mind that Meltdown and Spectre are (timing) side-channel attacks. This means there has to be something that's living "on the side", some applications or something. Since a hardware wallet is only running the wallet software (it literally can't run anything else), there is no side-channel. Really exotic side-channels like power-draw analysis still require physical access to the wallet. If you can't keep your wallet physically secure, you have bigger problems.

Security is a holistic problem and keeping this in mind is key to shutting down all this FUD.

[haltingprobability]

It doesn't matter if you are running Windows, Ubuntu, Android or the OS of your router, the problem is not in the code it is the hardware that has the vulnerability.

No, your router is not vulnerable to Meltdown/Spectre because it's not running any applications, it's a standalone device.

[pebwindkraft]

@hardwarewallet: I think you are over a bit here. I have read your blog post explaining Meltdown and Spectre for the average person. Nice summary. I wonder how you can say, router OS or hardware wallets are secure. I cannot see how you derive this.

On your statement:

No, your router is not vulnerable to Meltdown/Spectre because it's not running any applications, it's a standalone device."

this wording creates wrong expectations. Even as non-expert in security one could easily create a linux box with two network cards, and then on top of the operating system run an application, which routes data from one network to the other. And also it is not at all stand alone...

With your words one would think to be secure. But the opposite is true! Even worth, reality is doing it exactly this way:
Looking at the providers, e.g. AT&T is asking for Open Network Automation Platform, which is exactly an OS with apps on top. And Cisco operating system is the same (only old IOS maybe... IOS-XE extended IOS and it's monolithic problems by abstracting some modules, with an underlying operating system is based on a Linux distro, IOS XR uses QNX, ...), Juniper uses FreeBSD, and you will find similiar on Nortel/Nokia/...

I have no proof that these systems are vulnerable or not, and I also have no proof, that the hardware wallets are secure or not.
Maybe best wording is, that up until today, no security issues (side channel attacks like Meltdown/Spectre) have been found in the wild for these systems (or at best are difficult to implement, cause attack vectors are limited...).

In security the wording is more decent. Statements are linked to specific environments and test cases, and do not derive "general security" for others from the observations. Security is a beast... You cannot only predict security, only when you have a fully deterministic machine.

So stating that hardware wallets or Routers are secure, is most probably overdoing it (if not wrong, but that will only be shown by the future  ).

[olubams]

A lot of controversy have surrounded the creation of bitcoin with several school of thoughts and even aside the ones we have read about, some are still coming and in all, they have been debunked for those who have not read about it, some are as follows;

1. Satoshi is a group of people

2. Bitcoin was created by China others said its from Korea, some even said Russia

3. Roger Ver is the creator of Bitcoin some even said its the Twins etc. Anyhow they make it seems, its does not matter.

[vapourminer]

@hardwarewallet: I think you are over a bit here. I have read your blog post explaining Meltdown and Spectre for the average person. Nice summary. I wonder how you can say, router OS or hardware wallets are secure. I cannot see how you derive this.

youre kinda missing the point.

at least on the trezor, it only runs its own code in its firmware. it never executes foreign code, so there is no way to get something to run on it to exploit something.

now if the firmware gets compromised then it could steal stuff via exploits, but at that point the compromised code can do anything it wants anyway, it hardly need to use an exploit.

meltdown and spectre need to get code on the device to run to exploit them.

[haltingprobability]

@hardwarewallet: I think you are over a bit here. I have read your blog post explaining Meltdown and Spectre for the average person. Nice summary. I wonder how you can say, router OS or hardware wallets are secure. I cannot see how you derive this.

On your statement:

No, your router is not vulnerable to Meltdown/Spectre because it's not running any applications, it's a standalone device."

this wording creates wrong expectations. Even as non-expert in security one could easily create a linux box with two network cards, and then on top of the operating system run an application, which routes data from one network to the other. And also it is not at all stand alone...

This is why you shouldn't be running untrusted user-code on a router. A router is (ought to be, anyway) a standalone device for this very reason.

Looking at the providers, e.g. AT&T is asking for Open Network Automation Platform, which is exactly an OS with apps on top.

Who is using a network platform for browsing the web? Please name names so they can be fired immediately.

Maybe best wording is, that up until today, no security issues (side channel attacks like Meltdown/Spectre) have been found in the wild for these systems (or at best are difficult to implement, cause attack vectors are limited...).

No, that's not the best wording because Meltdown/Spectre require the presence of malicious, user-space code in order to operate. If your kernel is compromised, for example, you have no need to worry about Meltdown/Spectre because the software that has compromised your kernel can do far worse things than anything that Meltdown/Spectre attacks can do. The level of FUD on this particular news story is astounding to me. This is my field, I worked for one of the companies involved in this for nearly a decade, in computer architecture.

Security is a beast... You cannot only predict security, only when you have a fully deterministic machine.

Meltdown/Spectre are very specific attacks. The security problem is separate. Any self-contained hardware/software environment is oblivious to Meltdown/Spectre, as long as it really is self-contained.

So stating that hardware wallets or Routers are secure, is most probably overdoing it (if not wrong, but that will only be shown by the future  ).

No, stating that they are insecure is overdoing the FUD.

[haltingprobability]

meltdown and spectre need to get code on the device to run to exploit them.

Precisely. What really makes Meltdown/Spectre so dangerous is that user-space code (read: "web browser") can potentially image your kernel memory. Secrets like passwords or keys may be stored in memory while it is being siphoned out to some remote party who is exploiting your machine and these secrets may, in turn, be useful in further breaking into your network, your system, your emails/logins, spoofing (certificates, public-keys), or - for crypto-holders - even your wallet. So, that's the risk profile for Meltdown/Spectre. These are strictly read-only attacks. Folks, go read the whitepapers and the official announcements from the affected companies (I have) before spreading FUD.

[aleksej996]

It seems like we are getting into a discussion on what is secure here. The point we can all agree on is that all devices, hardware wallets and routers as well, are vulnerable, but not necessarily exploitable as these attacks are strictly local privilege attacks only.

The question of exploitability is still an open one and depends on case to case basis. As some devices might allow a certain level of unprivileged code execution, that might be only contained to few parties or something. Either way, this vulnerability was not being accounted in development of these devices and can not be considered to have same level of security as before the disclosure of these vulnerabilities.

The point is that at it's core, on the CPU level, all of these devices are vulnerable and the only question that remains is if someone can exploit it.
For routers, I am certain that some are exploitable as these apps that are running on it can get quite complicated allowing many features. As for the hardware wallets, I don't know, but it is not impossible.