cosocial.ca is one of the many independent Mastodon servers you can use to participate in the fediverse.
A co-op run social media server for all Canadians. More info at https://blog.cosocial.ca

Server stats:

146
active users

Tim Bray

My reading of this is that for this (truly horrible) attack to get you, you'd need to run an app in which it's embedded for an extended period of time on your computer. So the bad guys could hack me if I downloaded an app from a sketchy source (unlikely) or they managed to hack any one of Adobe or Mozilla or Microsoft Office or Chrome or Safari or Apple Music or Emacs or YouTube or or or … (less unlikely).

mastodon.social/@arstechnica/1

MastodonArs Technica (@arstechnica@mastodon.social)Attached: 1 image Hackers can extract secret encryption keys from Apple’s Mac chips Fixing newly discovered side channel will likely take a major toll on performance. https://arstechnica.com/security/2024/03/hackers-can-extract-secret-encryption-keys-from-apples-mac-chips/?utm_brand=arstechnica&utm_social-type=owned&utm_source=mastodon&utm_medium=social

@timbray It seems like a difficult thing to do. It is still something to keep an eye on because some of the other side-channel attacks not related to Apple's chips have been demonstrated with JS or WASM code.

@timbray Note that the problem is ironically exacerbated by regulatory moves to permit third-party app stores, which are pretty much guaranteed to result in more malware apps being installed by far more people.

@lauren @timbray People have always been able to run code from random internet sources on desktop Macs, though. How would a third-party App Store (such as Steam or GOG which already exist on Mac) make that worse?

@freeagent @timbray Because (a) it brings in the entire iOS ecosystem including vast numbers of iPhone users who only minimally understand this stuff, and (b) third party app stores give an impression of safety that users have always associated with the Apple App Store but are likely to be far less safe. That's just two.

@lauren @timbray The article mentions that this vulnerability only exists or is exploitable in M-series chips running full MacOS, so iOS and iPadOS may not be relevant.

@freeagent @timbray I'm not talking about this particular vulnerability, I'm talking about the overall problem of more malware once there are multiple app stores.

@lauren @timbray Sure, but then one could argue we were all safer back in the days when our carriers controlled 100% of the software on “our” phones. People can still choose to only install software through Apple’s store, or install no software at all if that is their overriding concern.

@freeagent @timbray Most people just assume what's in official stores is safe. One you have 3rd party stores popping up the opportunities for confusion become immense.

@timbray @arstechnica Attacks only get better, so cryptographers should definitely worry about this, but…

I would like a lot more details on just how practical it is now. It says it takes an hour…presumably the target system needed to be actively using the secret key the entire time? In what circumstances does that happen? Seems rare for https, but maybe disk encryption keys? Did they make the rest of the system artificially quiet, or were a full set of normal processes running?

@DirkK @arstechnica MacOS doesn't prevent any program from spinning off a background thread to silently do computation without any effect on the user interface, whether it's being used or not. And the M-series chips have plenty of high-powered CPUs so you'd likely never even notice it was happening.

@timbray @arstechnica The question isn’t about the attacking program, it’s about the target. Am I wrong that the target needs to be continually using the same key for that hour? Does that routinely happen? Can the attacker force it to happen?