In message <0bb7ffc6-fa51-98db-9dc1-1bd49e1c7b44 at metricspace.net>,
Eric McCorkle <eric at metricspace.net> wrote:
>Given enough skill, resources, and motivation, it's likely that an
>attacker could craft a javascript-based version of the attack, then
>every javascript website (aka all of them) is a potential attack vector.
While I can only agree with the essence of what you've said, I feel
compelled to take issue with your use of future tense in this context.

Unless you have access to the innermost compartmentalized data sources of
at least all of NSA, FSB, and Mossad, I think it qualifies as being, at best,
speculation to believe that none of the proverbial "state actors" have
managed to stumble upon any of these horrendous security problems which are
alleged to have been present already for a good decade or more, in chips
used in and distributed throughout the entire world.

Data isolation between unrelated user-level processes and between user-level
processes and the kernel is, as I understand it, the bedrock upon which
essentially all computer security rests. As such, it would seem to be
a thing that would likely have been poked and prodded, relentlessly, by any
actor which, during the past ten years or more, has yearned for unlimited
knowledge about friends, enemies, or both. Can we know that none of them
"crafted a javascript-based version of the attack" against any of these
several issues already, and perhaps even years ago? (They might have done
so and then, realizing the value of what they found, compartmentalized the
information in a place where even Snowden would never have been aware of it.)

Alright. So call me paranoid, if you like. But I seem to dimly recall that
there was some executive at some Silicon Valley based semiconductor company
who, years ago, advised people that paranoia might actually be an admirable
quality, at least for those wishing to survive.

Regards,
rfg