techskies11
Posts: 73
Joined: Sat Apr 02, 2016 8:45 am

New raspberry pi big mistake (my opinion)

Tue Jun 25, 2019 5:31 pm

I’m excited for the release of the new raspberry pi but I’m sad that the CPU it has is vulnerable to meltdown and spectre as the previous pi was not, ya I know there’s patches and stuff but I feel raspberry should have waited for a newer or updated soc that has hardware fixed against spectre or meltdown such as the A76 I believe.

fruitoftheloom
Posts: 20905
Joined: Tue Mar 25, 2014 12:40 pm
Location: Delightful Dorset

Re: New raspberry pi big mistake (my opinion)

Tue Jun 25, 2019 5:39 pm

techskies11 wrote:
Tue Jun 25, 2019 5:31 pm
I’m excited for the release of the new raspberry pi but I’m sad that the CPU it has is vulnerable to meltdown and spectre as the previous pi was not, ya I know there’s patches and stuff but I feel raspberry should have waited for a newer or updated soc that has hardware fixed against spectre or meltdown such as the A76 I believe.

Already discussed :roll:

https://www.raspberrypi.org/forums/view ... 3&t=243416
Retired disgracefully.....

dl324
Posts: 122
Joined: Mon May 06, 2019 7:33 pm
Location: Pacific Northwest, USA

Re: New raspberry pi big mistake (my opinion)

Tue Jun 25, 2019 5:51 pm

techskies11 wrote:
Tue Jun 25, 2019 5:31 pm
I’m excited for the release of the new raspberry pi but I’m sad that the CPU it has is vulnerable to meltdown and spectre as the previous pi was not
Any microprocessor that employs speculative execution to improve performance is susceptible to those attacks. If you want to avoid that, then you need to go back to an architecture that doesn't perform out of order operations (OOO). That means Pentium III, maybe II, type of performance.

The Spectre and Meltdown exploits require allowing malicious code to run. A big hole is Javascript running in browsers. If you don't allow execution on untrusted sites and don't run untrustworthy applications, you limit your exposure.

There are risks everywhere and in all aspects of your life. You can let them control you, or you can deal with them by not doing dumb things.

cspan
Posts: 140
Joined: Sat Jun 10, 2017 1:03 pm
Location: Chattanooga, TN, USA

Re: New raspberry pi big mistake (my opinion)

Tue Jun 25, 2019 7:22 pm

dl324 wrote:
Tue Jun 25, 2019 5:51 pm

The Spectre and Meltdown exploits require allowing malicious code to run. A big hole is Javascript running in browsers. If you don't allow execution on untrusted sites and don't run untrustworthy applications, you limit your exposure.

There are risks everywhere and in all aspects of your life. You can let them control you, or you can deal with them by not doing dumb things.
How do you know in advance if a site or application is untrustworthy? The big hole - Javascript - is that not almost everywhere? If so, avoiding it would essentially require giving up the use of graphical internet browsers.

I can accept the change if it is indeed the case that the exploit is so difficult as to be impractical. [Apparently, no known exploits in the wild, despite proof of concept being published, so that's a reasonable justification]. And/or if there are firmware/software patches in place that neutralize the vulnerability, such that the performance with [Pi with speculative execution + patch] is greater than [Pi with no speculative execution].

But I don't know if this is the case. And it does seem a bit incongruous to publicly boast of invulnerability of your product line to an otherwise ubiquitous "catastrophic" security issue, and then 18 months later release a new version of your product that has given away that advantage. Again, I'm still waiting on confirmation of this from other than the source I previously cited. But if it's true, I'm surprised, and would hope for a persuasive line of reasoning that justifies the change ... other than the notion that more speed is inherently better. Such a design reversal deserves a bit of explanation, I think.

dl324
Posts: 122
Joined: Mon May 06, 2019 7:33 pm
Location: Pacific Northwest, USA

Re: New raspberry pi big mistake (my opinion)

Tue Jun 25, 2019 7:53 pm

cspan wrote:
Tue Jun 25, 2019 7:22 pm
How do you know in advance if a site or application is untrustworthy? The big hole - Javascript - is that not almost everywhere? If so, avoiding it would essentially require giving up the use of graphical internet browsers.
You can start by disabling Javascript in your browser. When some site needs it, you decide whether you want to whitelist it.

If you're going to a gaming site, assume it's untrustworthy. If you go to any sites offering up porn, assume it's untrustworthy.

Don't click on any links that purport to be connecting you to some seemingly valid site without checking the actual target. Including links in email. If you get mail that seems suspicious (not expected or from someone you know, but still unexpected or otherwise suspect). I check the email source for suspicious email. Not all email readers support this, but mine does. If someone sends an encoded message that I can't read in the source display, I just delete it. When I sign up for email, I request plain text whenever possible.

Disable macro execution in office type docs (docm, xlsm, etc). I tried renaming a spreadsheet with macros to .xlsx and Excel complained.

Disable Javascript in PDF readers. You may also be able to prevent any document from requesting access to the internet (mine does).

Don't click on links in email without looking at the source to see if they're being spoofed.
But I don't know if this is the case. And it does seem a bit incongruous to publicly boast of invulnerability of your product line to an otherwise ubiquitous "catastrophic" security issue, and then 18 months later release a new version of your product that has given away that advantage.
Workarounds are in the works. Product that is already shipped can be difficult to patch unless the manufacturer has a way to update microcode or OS vendors put up walls between applications. Some browsers are putting up walls (opening each tab in a separate virtual machine), so a malicious process can't snoop on memory used by other processes.

If do things intelligently, you can minimize your risk. But too many people fall for social engineering exploits and there's no protection against being dumb.
Last edited by dl324 on Tue Jun 25, 2019 8:00 pm, edited 3 times in total.

User avatar
bensimmo
Posts: 4182
Joined: Sun Dec 28, 2014 3:02 pm
Location: East Yorkshire

Re: New raspberry pi big mistake (my opinion)

Tue Jun 25, 2019 7:56 pm

techskies11 wrote:
Tue Jun 25, 2019 5:31 pm
I’m excited for the release of the new raspberry pi but I’m sad that the CPU it has is vulnerable to meltdown and spectre as the previous pi was not, ya I know there’s patches and stuff but I feel raspberry should have waited for a newer or updated soc that has hardware fixed against spectre or meltdown such as the A76 I believe.
A76 and A77 still have varient 1 and 4, as is the A72
varient 2 and 3a may or may not be on the A72 it depends on which revision they are using.
https://developer.arm.com/support/arm-s ... nerability

Heater
Posts: 13610
Joined: Tue Jul 17, 2012 3:02 pm

Re: New raspberry pi big mistake (my opinion)

Tue Jun 25, 2019 8:50 pm

Whenever there is talk of Spectre and Meltdown always people are quick to blame Javascript.

I'd like to point out that Javascript is not the problem. Running unknown/untrusted code in any language is.

If you happen to be running a cloud server with a dozen clients renting VMs on your machines then there is the possibility one bad client exploiting Spectre and Meltdown to get at the memory of other clients on the same machine.

If you happen to be running untrusted code on your personal machine that you have downloaded from some random place it may well exploit Spectre and Meltdown to get at your secrets. No matter what language it is written in.

Arguably Javascript in your browser is the most likely candidate here. But I'm here to tell you it's much worse than that. Browsers can now run code that is written in almost any language. Thanks to the new technology of Web Assembly. For example C++ compiled to WASM "byte codes" and run in your browser. For example here: https://otaniemi.conveqs.fi:3000/public/fibo.html I have web page that contains a Fibonacci Number calculator that can calculate Fibonacci numbers of one million digits or more. In your browser. It uses my C++ big number arithmetic routines.

In short, stop blaming Javascript. JS is just a language like any other.

On the other hand... I think all this fuss over Spectre and Meltdown is overblown. Has anyone yet heard of an actual case of Spectre and Meltdown being used for an actual exploit in the wild?

Given the thousands of other exploits that are made use of everyday, in all kinds of software, I think concentrating on Spectre and Meltdown is misplacing priorities.

Don't let concern over Spectre and Meltdown divert your mind from all the other possible, and far more likely, ways others can get at your data.
Memory in C++ is a leaky abstraction .

techskies11
Posts: 73
Joined: Sat Apr 02, 2016 8:45 am

Re: New raspberry pi big mistake (my opinion)

Wed Jun 26, 2019 8:27 pm

I wonder if using the pi for a more offline based setup with limited online functionality would this help with these attacks, I know nothing in life is secure or guaranteed but maybe if a use a limited internet access via a website based firewall that blocks the majority of the internet but allowe to access only the important things such as updates etc

fruitoftheloom
Posts: 20905
Joined: Tue Mar 25, 2014 12:40 pm
Location: Delightful Dorset

Re: New raspberry pi big mistake (my opinion)

Wed Jun 26, 2019 8:33 pm

techskies11 wrote:
Wed Jun 26, 2019 8:27 pm
I wonder if using the pi for a more offline based setup with limited online functionality would this help with these attacks, I know nothing in life is secure or guaranteed but maybe if a use a limited internet access via a website based firewall that blocks the majority of the internet but allowe to access only the important things such as updates etc

You are being seriously over cautious, where is the evidence to support we should not use a RPi 4B for surfing the internet ??
Retired disgracefully.....

techskies11
Posts: 73
Joined: Sat Apr 02, 2016 8:45 am

Re: New raspberry pi big mistake (my opinion)

Thu Jun 27, 2019 2:11 am

Well maybe just a bit cautious, only because there seems to be new versions of certain exploits recently, plus i was planning on creating a audio type project and it would be nice to secure things if it becomes a commercial project

wren
Posts: 73
Joined: Mon May 28, 2018 9:06 pm

Re: New raspberry pi big mistake (my opinion)

Thu Jun 27, 2019 2:29 am

The Raspberry Pi foundation cashed in on the spectre hysteria so they deserve criticism. Every single Cortex A7X core is vulnerable.

echmain
Posts: 239
Joined: Fri Mar 04, 2016 8:26 pm

Re: New raspberry pi big mistake (my opinion)

Thu Jun 27, 2019 2:59 am

wren wrote:
Thu Jun 27, 2019 2:29 am
The Raspberry Pi foundation cashed in on the spectre hysteria so they deserve criticism. Every single Cortex A7X core is vulnerable.
Ah, so it IS just hysteria...

wren
Posts: 73
Joined: Mon May 28, 2018 9:06 pm

Re: New raspberry pi big mistake (my opinion)

Thu Jun 27, 2019 3:06 am

echmain wrote: Ah, so it IS just hysteria...
Considering every desktop CPU on the market is vulnerable, I would say so. It can be worked around in software.

User avatar
Gavinmc42
Posts: 3894
Joined: Wed Aug 28, 2013 3:31 am

Re: New raspberry pi big mistake (my opinion)

Thu Jun 27, 2019 4:04 am

Considering every desktop CPU on the market is vulnerable, I would say so. It can be worked around in software.
Considering we do have control over which software we put on Pi's, we have more control than any Windows user.
Don't have to connect to the net either.

FUD it, it's too late I have already turned my 1st Pi4 on, I am doomed ;)
But wait, I can yank the SD card.
I'm dancing on Rainbows.
Raspberries are not Apples or Oranges

techskies11
Posts: 73
Joined: Sat Apr 02, 2016 8:45 am

Re: New raspberry pi big mistake (my opinion)

Thu Jun 27, 2019 11:56 am

Oh well i guess it is what it is

Return to “General discussion”