![[H]ard|Forum](/styles/hardforum/xenforo/logo_dark.png){kind=logo}
![Zarathustra[H]](https://cdn.hardforum.com/data/avatars/m/9/9298.jpg?1707758471){kind=avatar}
And controlled network access.
Gonna put on my conspiracy theory hat on and say that these CPU exploits are either discovered by competitors or by the CPU manufacturers themselves because it tends to effect older CPU's worse than newer ones. The problem I have with this is that no malware or virus yet uses them. So why slow down my CPU to avoid this?
Nah there’s just so much money out there hiding on these that there’s significant incentive for bad people to do the bad things to make the dirty money.
Considering how complicated it is to find them and CPU trying to avoid them and learning from the past, how effecting older CPU's worse than newer ones is not the natural expectation ? M1/2/3-AM5 are not particularly old chips here.
Well for every dollar spent by the good guys finding these exploits, there $10 being spent by the bad guys to do the same.
Between PaloAlto, HPE Aruba, and the others license fees are half my budget.You could accomplish that with pfSense or OPNSense, a badass NIC and at least two VLAN's and firewall rules between them, but the content/state aware enterprise solutions seem a little easier.
I just stuck a cheap old Intel X520 two port fiber NIC into my OPNSense box (Rocket Lake Xeon E-2314), and it does a great job of routing between VLAN's when I need it to.
Relatively low cost, and never any license fees
I mean... that's always been the best answer but it is hard if you want functionality and flexibility. To have only trusted code would require going to something like the Apple/Microsoft store and only being able to install things the OS vendor deems safe. Even then those stores would need to be curated much better than they are, which means not only more cost but also just less things getting approved. Also websites would have to go back to the old static HTML content, no more interactive JavaScript as that is literally code running on your machine.
Newer AV solutions can also also scan and report on known vulnerabilities. Playing with the stuff from SentinelOne right now so probably going on the list of yet another subscription service my budget goes toward.
But it is worse for older CPU's, and Apple did used to have Intel chips in their machines. It's not like every Intel Mac user just dropped their machines and immediately switched over to M1's. It also doesn't take long for mitigations to be created and immediately implemented into OS's. There's no agreement on your end to enable these mitigations. Who wants to lose 1% to 6% CPU performance for something that no malware or virus uses?
But why would it not (CPU try get better at this over time + people trying to find flaw had more time on the older model, everything naturally point in the direction that the situation would be worst on the older cpu than the newer, at least for what it is known)
For sure, but that's not only running trusted code, that's scanning the system and the code on it to try and filter out code that might be malicious. That's a good thing and we all should do it, but it is still basically blacklisting whereas only allowing trusted code to run is whitelisting. Whitelisting works REALLY WELL if you can do it. In a corporate environment if you turn on AppLocker (or use another solution) that right there stops over 90% of exploits cold according to ACIS. Combine that with whitelisting only websites needed for business and man, you are exceedingly hard to attack, even if you do nothing else. Even when there's an unauthenticated remote code exploit that usually stops it as the code itself is just not allowed to run.
Are you at liberty to post info about your security spend? I assume that you are working for a corporate.
The specifics get a bit tricky because they don't charge us per head, we get charged per FTE, so we might have some 80 staff but it currently only counts as 58 FTE as the part-time employees are lumped up into a bulk seating agreement, so 3, 0.6 FTE employees would consume 2 FTE allotments.
Wow. All that must keep you very busy. "Idleness is the Devil's handiwork." That won't be your worry.
I just want to paint my Warhammers and play video games :'(
I feel that
If an exploit is only on two architectures by default without much funding and you spend a large amount of effort targeting a more resilient architecture at some point it becomes more of a tech demo. Reverse engineering anything takes A LOT of resources more than your average hacker. So yeah chances are they are funded by a competitor.
Or maybe a bad state actor. Like, Russia, North Korea, China. The usual suspects.