For me as a home user, taking a performance hit of any kind in response to threats which haven't yet been seen in the wild simply isn't good math.

I don't think that anybody can know whether this is true, since exploitation leaves little evidence. Even before this is witnessed in the wild for the first time, you can't really know which secrets of yours have already been exfiltrated.

Everything that can't be fixed with a ten minute phone call to my bank is already public knowledge thanks to Experian, so I really don't have anything left to fear.

You have no conversations that you'd prefer not be sold on the darknet? With friends, family, therapists, doctors, lawyers, consultants?

No pictures of your kids that they might not want spilled into a searchable database and used for machine learning to sell them things later in life?

No private or symmetric keys which might be used to impersonate you or eavesdrop on you later?

No in-progress documents which you aren't ready to publish?

No conversations with political allies that you might not want the state to peruse?

No intimate conversations with sexual partners?

If that's true, then I think you have a very different attack surface than most people. I think most people are willing to take a small performance hit not to open up access to much of the data that goes across their CPU, which is not an exaggeration for the combination of attacks which have been published against Intel CPUs over the past 3 years.

If someone wants to leverage speculative-execution vulnerabilities to get that sort of information off of my PC, it's not a problem that can be solved by yet another security patch. Don't reduce my PC's performance for the sake of somebody else's security concern.

At the end of the day the only secure computer is one that's turned off and locked up in a supply closet.

Not on any x86 device, no. Not that I'd be a particularly easy target since I use NoScript with a whitelist and keep my router's firewall very strict. I suppose someone could come at me with a malicious Steam game.

"Arguing that you don't care about the right to privacy because you have nothing to hide is no different than saying you don't care about free speech because you have nothing to say." -E. Snowden

Did you miss the "for me" part? I highly encourage everyone to install the patch, especially since the more people do the less I'll need it.

If that is so, please leave your email and password here...

I'd really like to be given a choice, at least. My gaming PC is used exclusively for gaming, so it needs to be performant, but does not need to be secure.

If running Linux you can disable the meltdown/spectre mitigations with the nopti option [1].

1. https://yux.im/posts/technology/security/disable-meltdown-an...

Here is a similar windows tool: https://www.grc.com/inspectre.htm

'nopti' only disables the Meltdown mitigation. To disable all the mitigations (including Spectre, Meltdown, L1TF, and now MDS) you can use mitigations=off on newer kernels.
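Before changing either boot parameter, it is worth knowing what the running kernel itself reports. Linux exposes one file per known CPU vulnerability under /sys/devices/system/cpu/vulnerabilities, each beginning with "Mitigation:", "Vulnerable" or "Not affected". The following POSIX shell script is an added example, not code from anyone in this thread: it summarises those files, flags any that report "Vulnerable", and checks whether the boot command line contains `mitigations=off` or `nopti`. The optional directory and command-line arguments exist so the functions can be run against constructed fixtures offline; the function names are my own.

```shell
#!/bin/sh
# Added example: summarise the kernel's own CPU-vulnerability report.
# Default locations are the real sysfs/procfs paths; a different
# directory or command line can be passed for testing (assumption).

VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# Print one line per vulnerability file as "<name>: <state>", where state is
# derived from the leading word of the kernel's text.
report_mitigations() {
    dir="${1:-$VULN_DIR_DEFAULT}"
    if [ ! -d "$dir" ]; then
        echo "no vulnerability directory at $dir" >&2
        return 2
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        text=$(cat "$f")
        case "$text" in
            "Not affected"*) state=not_affected ;;
            Vulnerable*)     state=vulnerable ;;
            Mitigation*)     state=mitigated ;;
            *)               state=unknown ;;
        esac
        printf '%s: %s\n' "$name" "$state"
    done
}

# Succeed (return 0) only if no file reports "Vulnerable".
any_vulnerable() {
    dir="${1:-$VULN_DIR_DEFAULT}"
    if report_mitigations "$dir" | grep -q ': vulnerable$'; then
        return 1
    fi
    return 0
}

# Succeed (return 0) if the boot command line turns mitigations off,
# either wholesale (mitigations=off) or just page-table isolation (nopti).
cmdline_disables_mitigations() {
    cmdline="${1:-$(cat /proc/cmdline 2>/dev/null)}"
    case " $cmdline " in
        *" mitigations=off "*|*" nopti "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone usage against the live system.
if [ "${0##*/}" = "mitigation_report.sh" ]; then
    report_mitigations
    if cmdline_disables_mitigations; then
        echo "boot command line disables mitigations"
    fi
fi
```

Saved as mitigation_report.sh and run on a real machine, the script prints the per-vulnerability summary and notes whether the current boot line already disables mitigations; the same output is what to re-check after any kernel or microcode update, since a new class (as with MDS here) can appear as "Vulnerable" even when earlier ones remain mitigated.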

If you use Steam, it’s in the best interests of you and probably Valve not to worry about attacks to steal your library or get you banned.

Your public clouds at AWS probably use them too... and they won't disable HT ;)

It certainly doesn't feel good. But if the home market remained unpatched with a public POC, they would be attacked. The most likely avenue is by writing malicious web pages to steal bitcoin wallets, etc.

Didn't they already have a proof of concept Spectre or Meltdown exploit via a web page? Malicious ads seem like the best way to spread ransomware, etc.

No. There has been nothing shown that would exploit in real-world conditions. All Spectre exploits have required assistance from the target.