
How Tier 2 cloud vendors banded together to cope with Spectre and Meltdown - edouardb
https://techcrunch.com/2018/01/06/how-tier-2-cloud-vendors-banded-together-to-cope-with-spectre
======
logronoide
The more I know about how Intel has managed the information, the less I trust
them. What a disaster. The CEO and the whole Press and Communication team at
Intel should be fired.

~~~
discoursism
It's not clear to me what the best approach is here. The wider the circle of
those who know, the more likely it is that there will eventually be a leak.
Three can keep a secret if two are dead and all that.

~~~
hugo0384729109
Exactly. I assume if one of the smaller providers like Linode found an
internal vulnerability that they thought was a big security risk to have
widely known, and had 3 giant customers and a large number of smaller customers,
they'd work directly with the giant customers in advance in the same way.

~~~
threeseed
I was a Linode customer back when there was a security incident where everyone
found out on Reddit before the company bothered to tell anyone. And then once
news did come out they never said (a) what happened or (b) what steps were
taken to prevent it happening again.

I am very reluctant now to trust the little guys with anything remotely
mission critical.

------
alainv
Saved you a click: by starting a shared Slack for their teams to collaborate.

Neat factoid but this article is not exactly information-dense.

~~~
jo909
I don't think the actual technical "how" is of much importance, so the article
doesn't spend much time on it. They communicated effectively, and more
importantly openly, over company boundaries. Many tools would have worked for
that.

This is about "how" they banded together to reduce their disadvantage compared
to the big cloud providers that had advance warning and insider
knowledge/access to the vendors long before the rumors started.

~~~
alanpost
Correct. It's the ability to share documents and conversation snippets
provided by vendors, as well as curating and summarizing the significant
amount of information available.

I've never seen an exploit that involves microcode updates, compiler fixes,
kernel patches, and KVM/Xen updates all together. The number of moving parts
is staggering.

Being able to filter and summarize that across company boundaries has helped
me both understand and more effectively work to mitigate this problem.

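The comment above lists the layers a mitigation touches (microcode, compiler, kernel, hypervisor). The one thing an operator sorting through that pile can check on each host is what the kernel itself reports about the state of its mitigations. The script below is an added example, not code from the thread or from any of the providers named in it; it assumes a Linux kernel of 4.15 or later, which exposes one status file per variant under /sys/devices/system/cpu/vulnerabilities/ (that directory, the file names and the "Not affected" / "Mitigation:" / "Vulnerable" wording are the kernel's, everything else here is this example's own). The fixture function writes a constructed sample directory so the classifier can be exercised offline.

```shell
#!/bin/sh
# Added example: summarise the Linux kernel's own Spectre/Meltdown mitigation
# status. Assumes Linux >= 4.15, which publishes one file per variant under
# the directory below (assumption; not part of the original discussion).
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify STATUS -> prints ok | vulnerable | unknown for one status line.
# The kernel writes "Not affected", "Mitigation: <details>" or "Vulnerable..."
# (some kernels append detail after "Vulnerable", hence the trailing globs).
classify() {
  case "$1" in
    "Not affected"*|"Mitigation:"*) echo ok ;;
    "Vulnerable"*)                  echo vulnerable ;;
    *)                              echo unknown ;;
  esac
}

# report_dir DIR -> one line "<variant> <class> <raw status>" per file.
# Exit status: 0 if nothing is reported vulnerable, 1 if something is,
# 2 if the directory is missing (older kernel, or not Linux at all).
report_dir() {
  dir="$1"
  rc=0
  if [ ! -d "$dir" ]; then
    echo "no $dir: kernel predates the sysfs vulnerability interface" >&2
    return 2
  fi
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    raw=$(cat "$f")
    cls=$(classify "$raw")
    printf '%-14s %-10s %s\n' "$(basename "$f")" "$cls" "$raw"
    [ "$cls" = vulnerable ] && rc=1
  done
  return $rc
}

# write_fixture DIR -> constructed sample files mimicking a half-patched host:
# Meltdown mitigated with page-table isolation, Spectre v2 still exposed.
# Sample data, not captured from a real machine.
write_fixture() {
  mkdir -p "$1"
  printf 'Mitigation: PTI\n'                    > "$1/meltdown"
  printf 'Mitigation: __user pointer sanitization\n' > "$1/spectre_v1"
  printf 'Vulnerable: Minimal generic ASM retpoline\n' > "$1/spectre_v2"
}

# Run against the live host only when asked, so sourcing the file is harmless.
if [ "${1:-}" = "--check" ]; then
  report_dir "$VULN_DIR"
fi
```

Run it as `sh check-mitigations.sh --check` on each guest and each hypervisor host; a non-zero exit is the signal that some layer (microcode, kernel patch, or hypervisor update) is still missing, and the raw column says which mitigation the kernel believes is in place.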
------
alanpost
Prgmr.com has been participating on the Slack channel this article mentions.
Being able to share notes gleaned from reaching out to vendors and sort
through the information and mitigations for Spectre and Meltdown has been a
huge help.

~~~
paulzerkel
I work for a cloud computing company that would have benefitted from (and
hopefully contributed to) being on that Slack. If you have the time, would you
mind reaching out to me with details? My email is in my profile.

~~~
alanpost
Here is where I asked to join:

[https://twitter.com/prgmrcom/status/949023633581592576](https://twitter.com/prgmrcom/status/949023633581592576)

Following up to @scaleway on Twitter in the same manner would hopefully work
out.

I've sent you an email with a bit of elaboration on this.

------
Blazespinnaker
I’ve said many times this is the best way to deal with the large monopolistic
companies - group up.

------
papermule
This is a great example of collaboration between competitors where there is
much to be gained and nothing to be lost!

------
jordanthoms
All this seems like a pretty compelling reason to move to using VMs and type
safety to provide process isolation instead of using the hardware, e.g.
[https://www.destroyallsoftware.com/talks/the-birth-and-death-of-javascript](https://www.destroyallsoftware.com/talks/the-birth-and-death-of-javascript)
or Microsoft's Singularity and Midori projects.

It's a shame there's so much inertia behind the current setup of hardware
memory management etc that it seems it'll be a long time before anything
actually happens here.

~~~
runeks
How would this approach have helped in this case?

As I understand it, the flaw in question allows reading kernel memory by
executing user space code. How can a layer of software, on top of this type of
buggy hardware, fix this issue?

In one sense, the issue has already been fixed by a layer of software on top —
which restricts a bunch of stuff, and reduces performance — but I assume this
isn’t what you’re looking for.

~~~
jordanthoms
Those systems don't use the buggy aspect of the hardware (memory protection)
at all. Instead, all code is run inside a VM which provides memory protection
and process isolation - there is no 'native' code at all.

Not using the hardware memory protection provides a ~20% performance boost,
which makes up for the ~20% overhead of running everything through VMs.

------
Moter8
FYI, the submitter is someone from Scaleway, so he could perhaps also answer
some questions on what info they had, or something.

~~~
mikmak
Everything we have at Scaleway is on our blog
[http://blog.online.net](http://blog.online.net). Things are calming down now;
we know what the fixes are for the known bugs and what their limitations are. We
can probably expect more OS patches in the coming weeks to improve performance
and potentially fix new variants of these bugs that could come in the future.

------
mythas
Then suddenly he said, “I have it! We are going to swim all together like 0.1%
of the biggest fish in the sea!”

~ Leo Lionni, Swimmy

------
peterwwillis
Note that Google released information a week early, giving attackers a leg up
in attacking these cloud providers, as opposed to Google giving the cloud
providers the information immediately, which would have helped them defend
themselves. But, surprise: Google is their competitor.

Google is basically the new Microsoft, except Microsoft could actually design
working products when it was evil.

~~~
Meai
What's with these random jabs at companies? You are just trying to create a
culture of irrational dislike. I don't even care if you attack Google, but
every time you do so, you have to cite exactly why you are doing it. Not some
nebulous "oh they can't even make a single working product", which is
objectively false and just provocation.

~~~
peterwwillis
One, you're attributing something I never said, and two, my actual claim is
not objectively false. Three, I don't _have_ to do anything, much less prove
what is otherwise easy to find out via Googling. And four, it's not irrational
dislike, it's dislike based on personal experience and observation. Five, it
should be pretty obvious exactly why I'm attacking Google; it doesn't need
citing (unless the reader can't put two and two together, vis-à-vis "Google
uses its privileged embargo status to disseminate sensitive information in a
way that harms its competitors").

