Placeholder Image

字幕列表 影片播放

  • - Hey guys, this is Austin.

  • If you use a PC, it's time to listen up.

  • Put your nerd pants on and let's take a little adventure

  • into Danger Town.

  • There's a new group of exploits going around

  • that can cause some serious damage to your PC.

  • So they take advantage of what is known

  • as speculative execution, and it's similar to

  • some of the bugs we saw last year,

  • including Spectre as well as Meltdown.

  • Something as simple as visiting a website

  • with malicious JavaScript

  • or a little bit of a sketchy download

  • could mean losing control over all kinds of stuff

  • which should be very sensitive and private.

  • So I'm talking about passwords, encryption keys.

  • As far as bugs go, this is about as bad as it gets.

  • Now I do want to stress that

  • all this is theoretical right now,

  • so researchers have found these vulnerabilities

  • and a lot of them have been patched

  • so it's not out in the wild.

  • But with these things, it's only a matter of time

  • before a plane goes overhead,

  • and they start to make it into the wild.

  • So last year brought us Spectre and Meltdown,

  • and at first, it seemed like a major vulnerability.

  • But of course, they were patched before too much longer.

  • However, at this point, it is very clear that this is

  • a new class of things that everyone has to worry about.

  • It's no longer just software.

  • There's actual hardware vulnerabilities,

  • which can cause major problems.

  • So this actually boils down

  • to a few different vulnerabilities

  • that were all announced at the same time.

  • So there's the super scary name of,

  • oh god, do I have to say it?

  • ZombieLoad, yes, ZombieLoad is something

  • you have to be afraid of,

  • or the much nicer name of MDS,

  • because that sounds safe and generic.

  • - I'm not, that's why I don't want to say it.

  • I don't want to say ZombieLoad.

  • So what separates this from traditional bugs

  • that are much more software focused

  • is that it of course is in hardware.

  • So there are some patches and some BIOS updates and stuff,

  • and I'll get into that in just a minute,

  • that helps to mitigate this.

  • But at the end of the day, we now live in a different era

  • where hardware itself is being attacked

  • on a very regular basis,

  • which means that sure you can always download a new patch,

  • but if there's something that's super fundamental

  • to the actual hardware itself, it means,

  • oh I need to buy a new processor or upgrade my computer.

  • Now we're not quite to that point yet,

  • but it is becoming a very scary time.

  • So we're definitely going to get into Nerd Town here,

  • but the way that this all works is taking advantage of

  • a feature known as speculative execution.

  • So essentially what this means is that

  • modern processors, specifically on the Intel side,

  • are always constantly trying to figure out

  • what you're going to do before you actually do it.

  • So instead of saying, waiting for you to say, open Twitter,

  • it might have portions of that loaded

  • or on a much, much smaller scale,

  • like little tiny bits and pieces.

  • But the issue here is a lot of times when it's wrong,

  • it just throws out that data.

  • Normally no problem, no harm, no foul,

  • and your computer's faster.

  • However, people have found that you actually

  • can take some of that junk data,

  • which on a massive scale can end up being

  • full of passwords or all kinds of stuff,

  • and actually harvest it and then send it off

  • to who knows where.

  • It's a really scary thing.

  • And the problem here is that it's taking advantage

  • of very fundamental things

  • which legitimately mean that we get a lot of performance

  • out of our systems,

  • or well, we lose a lot of performance

  • if they're patched and deleted and removed.

  • Nothing like a bug, which not only can compromise your data

  • but the only way to fix it

  • is to make your computer way slower.

  • That's not good.

  • That's not good at all.

  • Because this bypasses traditional software things

  • such as antivirus as well as all kinds of different

  • operating system level security features,

  • what this means is it's just pulling data

  • straight off of the CPU.

  • And while a lot of it is garbage,

  • like I said, if you have enough of this stuff

  • and you kinda parse through it,

  • you can very regularly pull a lot of things

  • that you absolutely do not want to get leaked.

  • This is something that is a big deal.

  • So right now, this affects pretty much

  • any Intel processor made in the last decade.

  • However, if you are using a phone with an ARM processor

  • or if you have an AMD CPU, it actually doesn't seem to be

  • affected just yet, but don't get too comfortable.

  • There are definitely more of these things

  • that are coming in the future.

  • So Apple, Microsoft, and Google have all released patches,

  • and a lot of the stuff is doing things like

  • patching the JavaScript and patching the browsers themselves

  • as well as operating system level tweaks,

  • but at the end of the day, you still do need

  • an actual BIOS update, which is coming from Intel,

  • they've updated a lot of microcode,

  • but still relies on your actual hardware vendor

  • delivering a brand new BIOS update

  • and for you to install it.

  • It's not as simple as turning on Microsoft Update

  • and being done.

  • You actually have to make sure that

  • everything is properly updated

  • from browser to OS to BIOS.

  • According to Intel, these patches mean

  • that you're going to lose a little bit of performance.

  • So for the most part, it should be somewhere between

  • three and nine percent which is certainly not insignificant.

  • However, according to Apple, it shouldn't be anything

  • that's all that noticeable in a browser such as Safari,

  • so it's kinda hard to say exactly

  • how big of an impact this will have.

  • But there's no doubt that this is not speeding anything up.

  • It's going to make things just a little bit slower.

  • However, that is not the full story.

  • So according to the security researchers

  • who actually found this, that's actually not even going

  • to do the entire fixing job that we need.

  • They actually recommend to turn off hyper-threading,

  • and that is a big deal,

  • as hyper-threading delivers a ton of performance to a CPU

  • and if you lose that, well, you're losing like

  • up to 40% of your processing power, so not good.

  • Now, according to Intel, this is not that big of an exploit

  • where you have to turn off hyper-threading

  • and lose that much performance.

  • But Apple does disagree.

  • So while by default when you do all the most recent updates

  • to macOS it still leaves it on,

  • but they have introduced a feature where you can

  • not only harden the code a little bit more

  • but importantly you can turn off hyper-threading,

  • which is great to make it a super, super secure system.

  • And then you say it's for people who are at elevated risk of

  • keeping state secrets on your laptop or something,

  • but it does mean that if you do it,

  • you're going to lose a ton of performance.

  • And it just so happens that I have a MacBook in my bag

  • that we can test with right now.

  • Yeah, see.

  • You were wondering why I had the backpack on the whole time.

  • It's because I was waiting for it.

  • So to take advantage of this, you do need a Mac

  • which is fully up to date with either Sierra,

  • High Sierra, or Mojave.

  • What you can do is you can restart the system

  • into recovery mode.

  • This is the point where I realize that

  • my Mac is not up to date.

  • So it turns out that trying to do a three gigabyte download

  • while tethering is not the greatest idea,

  • so it's the next day, I have my MacBook

  • completely up to date now.

  • So we'll see if the security patch

  • actually makes any kind of real difference to performance.

  • To do this, you will need to boot your Mac

  • into recovery mode and then you'll need to put

  • these two commands into Terminal,

  • which I will have listed in the description.

  • But with that, we should now have

  • multi-threading turned off.

  • So if I restart the system.

  • So the way you tell if this actually worked

  • is to open up System Report.

  • In the Hardware, you will see that

  • Hyper-Threading now shows Disabled.

  • If you're running an earlier version of macOS,

  • that won't even be an option.

  • So now, let's actually see

  • how much performance we lose by hardening the system.

  • I just like saying hardening, it's just fun.

  • So we'll let Geekbench do its thing.

  • Now I do want to stress this is not by any means

  • a super scientific test,

  • so obviously you would need to do this multiple times,

  • I would want to use multiple systems.

  • I'm running on battery for consistency sake.

  • So take all of this stuff with a grain of salt.

  • But if hyper-threading makes as big of a difference

  • as I know it should, it won't be like,

  • oh it's like two percent off or something.

  • We should be losing, again according to Apple,

  • up to 40% of our multi-threading performance

  • by doing something like this.

  • So our new score is 5,708 on single core

  • which is basically identical.

  • And the multi score only went down to 23,000

  • as opposed to 25,000.

  • So they had quoted a much, much bigger performance impact.

  • I almost feel like I want to spend more time with this

  • because one slight advantage to this would be that,

  • especially with the MacBooks, given how much they throttle,

  • this actually might make a bigger difference.

  • Okay, I feel like this is getting

  • way outside the scope of this video,

  • but even doing something like disabling hyper-threading

  • in a very much best case scenario, not a big deal.

  • Wow, I'm legitimately really surprised.

  • That's crazy.

  • MDS and ZombieLoad are absolutely a new page

  • in what will certainly be years

  • of these brand new hardware vulnerabilities

  • that everyone really needs to stay on top of.

  • My advice, as always, keep your operating system up to date,

  • keep your browser up to date,

  • and even pay attention to things like

  • keeping your BIOS up to date.

  • All of this stuff will make a big difference

  • and just pay attention.

  • There's a lot of this stuff that will be coming out,

  • and we will be doing as many videos as possible

  • as these things kind of approach.

  • But I don't know.

  • It's not a good time for security.

  • There's a lot of really scary stuff that's coming up.

  • And I know it's all fearmongering and stuff,

  • but it is legitimately something to keep in mind,

  • keep that stuff up to date, for real.

- Hey guys, this is Austin.

字幕與單字

單字即點即查 點擊單字可以查詢單字解釋

B1 中級

Zombieload會殺死你的電腦 (Zombieload Will Kill Your PC)

  • 2 0
    林宜悉 發佈於 2021 年 01 月 14 日
影片單字