
New raspberry pi big mistake (my opinion)

Posted: Tue Jun 25, 2019 5:31 pm
by techskies11
I’m excited for the release of the new raspberry pi but I’m sad that the CPU it has is vulnerable to meltdown and spectre as the previous pi was not, ya I know there’s patches and stuff but I feel raspberry should have waited for a newer or updated soc that has hardware fixed against spectre or meltdown such as the A76 I believe.

Re: New raspberry pi big mistake (my opinion)

Posted: Tue Jun 25, 2019 5:39 pm
by fruitoftheloom
techskies11 wrote:
Tue Jun 25, 2019 5:31 pm
I’m excited for the release of the new raspberry pi but I’m sad that the CPU it has is vulnerable to meltdown and spectre as the previous pi was not, ya I know there’s patches and stuff but I feel raspberry should have waited for a newer or updated soc that has hardware fixed against spectre or meltdown such as the A76 I believe.

Already discussed :roll:

https://www.raspberrypi.org/forums/view ... 3&t=243416

Re: New raspberry pi big mistake (my opinion)

Posted: Tue Jun 25, 2019 5:51 pm
by dl324
techskies11 wrote:
Tue Jun 25, 2019 5:31 pm
I’m excited for the release of the new raspberry pi but I’m sad that the CPU it has is vulnerable to meltdown and spectre as the previous pi was not
Any microprocessor that employs speculative execution to improve performance is susceptible to those attacks. If you want to avoid that, then you need to go back to an architecture that doesn't perform out of order operations (OOO). That means Pentium III, maybe II, type of performance.

The Spectre and Meltdown exploits require allowing malicious code to run. A big hole is Javascript running in browsers. If you don't allow execution on untrusted sites and don't run untrustworthy applications, you limit your exposure.

There are risks everywhere and in all aspects of your life. You can let them control you, or you can deal with them by not doing dumb things.

Re: New raspberry pi big mistake (my opinion)

Posted: Tue Jun 25, 2019 7:22 pm
by cspan
dl324 wrote:
Tue Jun 25, 2019 5:51 pm

The Spectre and Meltdown exploits require allowing malicious code to run. A big hole is Javascript running in browsers. If you don't allow execution on untrusted sites and don't run untrustworthy applications, you limit your exposure.

There are risks everywhere and in all aspects of your life. You can let them control you, or you can deal with them by not doing dumb things.
How do you know in advance if a site or application is untrustworthy? The big hole - Javascript - is that not almost everywhere? If so, avoiding it would essentially require giving up the use of graphical internet browsers.

I can accept the change if it is indeed the case that the exploit is so difficult as to be impractical. [Apparently, no known exploits in the wild, despite proof of concept being published, so that's a reasonable justification]. And/or if there are firmware/software patches in place that neutralize the vulnerability, such that the performance with [Pi with speculative execution + patch] is greater than [Pi with no speculative execution].

But I don't know if this is the case. And it does seem a bit incongruous to publicly boast of invulnerability of your product line to an otherwise ubiquitous "catastrophic" security issue, and then 18 months later release a new version of your product that has given away that advantage. Again, I'm still waiting on confirmation of this from other than the source I previously cited. But if it's true, I'm surprised, and would hope for a persuasive line of reasoning that justifies the change ... other than the notion that more speed is inherently better. Such a design reversal deserves a bit of explanation, I think.

Re: New raspberry pi big mistake (my opinion)

Posted: Tue Jun 25, 2019 7:53 pm
by dl324
cspan wrote:
Tue Jun 25, 2019 7:22 pm
How do you know in advance if a site or application is untrustworthy? The big hole - Javascript - is that not almost everywhere? If so, avoiding it would essentially require giving up the use of graphical internet browsers.
You can start by disabling Javascript in your browser. When some site needs it, you decide whether you want to whitelist it.

If you're going to a gaming site, assume it's untrustworthy. If you go to any sites offering up porn, assume it's untrustworthy.

Don't click on any links that purport to be connecting you to some seemingly valid site without checking the actual target. Including links in email. If you get mail that seems suspicious (not expected or from someone you know, but still unexpected or otherwise suspect). I check the email source for suspicious email. Not all email readers support this, but mine does. If someone sends an encoded message that I can't read in the source display, I just delete it. When I sign up for email, I request plain text whenever possible.

Disable macro execution in office type docs (docm, xlsm, etc). I tried renaming a spreadsheet with macros to .xlsx and Excel complained.

Disable Javascript in PDF readers. You may also be able to prevent any document from requesting access to the internet (mine does).

Don't click on links in email without looking at the source to see if they're being spoofed.
cspan wrote:
But I don't know if this is the case. And it does seem a bit incongruous to publicly boast of invulnerability of your product line to an otherwise ubiquitous "catastrophic" security issue, and then 18 months later release a new version of your product that has given away that advantage.
Workarounds are in the works. Product that is already shipped can be difficult to patch unless the manufacturer has a way to update microcode or OS vendors put up walls between applications. Some browsers are putting up walls (opening each tab in a separate virtual machine), so a malicious process can't snoop on memory used by other processes.

If you do things intelligently, you can minimize your risk. But too many people fall for social engineering exploits and there's no protection against being dumb.

Re: New raspberry pi big mistake (my opinion)

Posted: Tue Jun 25, 2019 7:56 pm
by bensimmo
techskies11 wrote:
Tue Jun 25, 2019 5:31 pm
I’m excited for the release of the new raspberry pi but I’m sad that the CPU it has is vulnerable to meltdown and spectre as the previous pi was not, ya I know there’s patches and stuff but I feel raspberry should have waited for a newer or updated soc that has hardware fixed against spectre or meltdown such as the A76 I believe.
A76 and A77 still have variant 1 and 4, as is the A72.
Variant 2 and 3a may or may not be on the A72; it depends on which revision they are using.
https://developer.arm.com/support/arm-s ... nerability

Re: New raspberry pi big mistake (my opinion)

Posted: Tue Jun 25, 2019 8:50 pm
by Heater
Whenever there is talk of Spectre and Meltdown always people are quick to blame Javascript.

I'd like to point out that Javascript is not the problem. Running unknown/untrusted code in any language is.

If you happen to be running a cloud server with a dozen clients renting VMs on your machines then there is the possibility one bad client exploiting Spectre and Meltdown to get at the memory of other clients on the same machine.

If you happen to be running untrusted code on your personal machine that you have downloaded from some random place it may well exploit Spectre and Meltdown to get at your secrets. No matter what language it is written in.

Arguably Javascript in your browser is the most likely candidate here. But I'm here to tell you it's much worse than that. Browsers can now run code that is written in almost any language, thanks to the new technology of Web Assembly. For example, C++ compiled to WASM "byte codes" and run in your browser. For example here: https://otaniemi.conveqs.fi:3000/public/fibo.html I have a web page that contains a Fibonacci Number calculator that can calculate Fibonacci numbers of one million digits or more. In your browser. It uses my C++ big number arithmetic routines.

In short, stop blaming Javascript. JS is just a language like any other.

On the other hand... I think all this fuss over Spectre and Meltdown is overblown. Has anyone yet heard of an actual case of Spectre and Meltdown being used for an actual exploit in the wild?

Given the thousands of other exploits that are made use of everyday, in all kinds of software, I think concentrating on Spectre and Meltdown is misplacing priorities.

Don't let concern over Spectre and Meltdown divert your mind from all the other possible, and far more likely, ways others can get at your data.

Re: New raspberry pi big mistake (my opinion)

Posted: Wed Jun 26, 2019 8:27 pm
by techskies11
I wonder if using the pi for a more offline based setup with limited online functionality would this help with these attacks, I know nothing in life is secure or guaranteed but maybe if I use a limited internet access via a website based firewall that blocks the majority of the internet but allows me to access only the important things such as updates etc

Re: New raspberry pi big mistake (my opinion)

Posted: Wed Jun 26, 2019 8:33 pm
by fruitoftheloom
techskies11 wrote:
Wed Jun 26, 2019 8:27 pm
I wonder if using the pi for a more offline based setup with limited online functionality would this help with these attacks, I know nothing in life is secure or guaranteed but maybe if I use a limited internet access via a website based firewall that blocks the majority of the internet but allows me to access only the important things such as updates etc

You are being seriously over cautious, where is the evidence to support we should not use a RPi 4B for surfing the internet ??

Re: New raspberry pi big mistake (my opinion)

Posted: Thu Jun 27, 2019 2:11 am
by techskies11
Well maybe just a bit cautious, only because there seem to be new versions of certain exploits recently, plus I was planning on creating an audio type project and it would be nice to secure things if it becomes a commercial project

Re: New raspberry pi big mistake (my opinion)

Posted: Thu Jun 27, 2019 2:29 am
by wren
The Raspberry Pi foundation cashed in on the spectre hysteria so they deserve criticism. Every single Cortex A7X core is vulnerable.

Re: New raspberry pi big mistake (my opinion)

Posted: Thu Jun 27, 2019 2:59 am
by echmain
wren wrote:
Thu Jun 27, 2019 2:29 am
The Raspberry Pi foundation cashed in on the spectre hysteria so they deserve criticism. Every single Cortex A7X core is vulnerable.
Ah, so it IS just hysteria...

Re: New raspberry pi big mistake (my opinion)

Posted: Thu Jun 27, 2019 3:06 am
by wren
echmain wrote: Ah, so it IS just hysteria...
Considering every desktop CPU on the market is vulnerable, I would say so. It can be worked around in software.

Re: New raspberry pi big mistake (my opinion)

Posted: Thu Jun 27, 2019 4:04 am
by Gavinmc42
wren wrote:
Considering every desktop CPU on the market is vulnerable, I would say so. It can be worked around in software.
Considering we do have control over which software we put on Pi's, we have more control than any Windows user.
Don't have to connect to the net either.

FUD it, it's too late I have already turned my 1st Pi4 on, I am doomed ;)
But wait, I can yank the SD card.

Re: New raspberry pi big mistake (my opinion)

Posted: Thu Jun 27, 2019 11:56 am
by techskies11
Oh well, I guess it is what it is