You've probably seen in the mainstream news this week that a serious security flaw has been found in the way most modern CPUs work. Devices are already being patched, but the patches come at the cost of some performance.
The exploits have been confirmed by Apple to affect both their Intel-based devices and ARM-based iOS devices. With Nintendo Switch's Nvidia Tegra X1 system also using an ARM-based CPU, it seems likely that Nintendo Switch will be vulnerable to the techniques.
Essentially both exploits dubbed "Meltdown" and "Spectre" allow an attacker to read parts of the system memory that they ordinarily wouldn't be allowed to read. This is possible through clever manipulation of a CPU feature known as "speculative execution" which is common across many different CPU designs.
The bug happens when a set of instructions is sent to a CPU and it speculates on the result of one instruction so that it can jump ahead and execute the next. These branch predictions are cached for speed and essentially "predict" outcomes to save time. Those caches are then vulnerable to attack, allowing attackers to gain access to things such as security keys. In the case of Nintendo Switch, these exploits could help hackers understand how Switch's security works and make it easier to run homebrew software.
Whilst this is primarily an issue for servers, it likely affects consumer devices too. Google, who discovered the vulnerabilities, along with other companies such as Apple and Microsoft, have already issued updates to protect against these attacks. You can read about this on AnandTech.
The company behind the Nintendo Switch CPU, Nvidia, are currently preparing appropriate fixes:
Nvidia’s core business is GPU computing. We believe our GPU hardware is immune to the reported security issue and are updating our GPU drivers to help mitigate the CPU security issue. As for our SoCs with ARM CPUs, we have analyzed them to determine which are affected and are preparing appropriate mitigations.
When news first broke about the issue, speculation was that the fixes could bring a large performance loss, with some predicting up to 30% loss. However, more official responses have since been given by Apple and Google, who both downplay this, saying "[Meltdown] no measurable reduction in the performance of macOS and iOS", "[Spectre] impact of less than 2.5% on the JetStream benchmark" and "deployed it on Google’s systems, where we have observed negligible impact on performance" respectively.
Whilst we're not claiming to have a definitive answer on the subject, it appears more than likely that the exploit will affect Nintendo Switch; however, a significant performance hit on games looks a lot less likely.
Comments 67
Hey Mambo, Mambo Jumboliano...
@sillygostly I understand that.
Basically the feature in CPUs lets you access temporarily stored data and get in via that when you shouldn't, in layman's terms.
Use temp data to go through a backdoor and see how things work.
I think the biggest performance hit was Intel CPUs though at an estimated 10%.
Hope things get sorted out. Since this is a chip-level vulnerability, performance loss is somewhat expected since fixes would have to be at the software level which in turn puts more load on the CPU. I'm guessing the SoC design for a potential Switch XL will change dramatically.
@YummyHappyPills : I get it. I'm not tech-illiterate, nor would I describe myself as an expert by any stretch, but to the commonfolk that comprise much of the Switch user base, this information is meaningless.
@Zyph depends.
This won't change the architecture, as it's partly an architecture level problem and you don't just revise your chips in that way quickly. It completely changes how they work.
More likely all future prints of the chips will have the fix as standard.
@YummyHappyPills Agreed. Though at the very least, for what I can tell, the only thing that needs to change is how the CPUs manage memory. Architecture could stay the same for the most part.
This isn't accurate. They've issued patches for Meltdown, Spectre is a different case altogether. They can't fix it currently.
http://www.theregister.co.uk/2018/01/05/spectre_flaws_explained/
Just stay offline on ya Switch??? Lol
@Zyph As it stands Switch will remain using the Tegra X1. Whether they stop underclocking it or not is a matter of battery really.
The future is the X2 and then on to the next chips.
By the time that comes around Nvidia will likely have baked in any available solutions if possible at the time.
@YummyHappyPills Well X2 which is Pascal is basically just a more power efficient chip. The "tock" in Intel terms if you will. I'm actually hoping Nintendo would adopt something beyond Pascal. Of course with the fixes already in there. Volta would be good but I won't hold my breath. But it's beneficial for both battery, performance, and vendor support, regardless of clock speeds.
@Zyph Depends when Switch 2 happens and how far down the price is on the chips. Nvidia will no doubt be looking to give them a good deal anyway.
Also depends on how battery tech has evolved, as it's stagnated in recent years. If we get better capacity batteries in smaller forms by that time I can see them jumping to use Volta or X2 with less underclocking.
Please Nintendo make a Direct soon... they need it.
I'm of the opinion that I'd rather this had been kept quiet instead of advertising this to the world at large, ya know that group that will contain the people with malicious intent. Computers have been fine for over 10 years with this in its current state, if the big companies hadn't made so much noise about it we could have just gone on without taking any performance hit on devices that use these processors. Future computers could have just been fixed on the hardware level and it would have eventually been fixed that way.
I hope this doesn't hurt the Switch's snappy fast home screen/games.
@CorvoRevo And what does a Nintendo Direct have to do with CPU vulnerabilities? Zero. Nintendo is quite a traditional company that focuses on selling its games and console. On top of that if they actually patch the OS they won't announce it.
Meltdown: Possible access to data in the memory of the CPU can access. Imagine Facebook having rights to anything that goes through your CPU. You might not want that.
Spectre: Apps can access other Apps “Secret/Important” Data. Meaning if you install corrupted or “bad” Apps, they can spy on your other apps potentially.
Remember, those flaws have existed for 22 years. Only Meltdown was allegedly getting patched, since Spectre is much harder to get a software patch out for. For us average consumers it won't kill us, if we don't go mess around in the wrong places of the internet and start accepting candy from strangers.
On consoles: You would first have to be hacked/infected in some way for anyone to be able to access your console. At that point you have to ask yourself: why? What's on my console I don't want a hacker to see? My terrible SMO skills?
Smartphone/PC: Windows 10 should already have a patch for Meltdown in the updater. Smartphones can only pray to get one, if they are a bit older. I mean just look at how bad Android version support is in the industry. Some cheaper models don't even get 1 security patch per year and let's not talk about big version updates.
That stuff existed for years, hackers have probably known about it MUCH longer than Intel. Of all the possible targets, how would we worthless (in a business way) normies be affected? Currently only if we do patch our stuff, and get big performance hits.
@WillTheLion Multiple groups found these exploits independently of each other. So there's reason to believe that people with malicious intent also already found them and may or may not have been using them already. So your statement "computers have been fine for over 10 years" is not accurate. No one knows if anyone has used these exploits already.
I just hope the fixes don't lead to any performance hits on consoles. 30/60 fps locked games on consoles are firmly tuned to the exact console spec and ANY decrease in available performance would probably destroy the lock for many games which would then all need to be patched.
Switch will definitely be affected as the A57 CPU supports speculative execution (i.e. it guesses what it's going to do next and if the CPU resources are available it does them early, if the guess is wrong the result is just discarded with a small performance penalty of having to do it again).
All current gen consoles will be affected (as would the Wii U), but the 360 and PS3 wouldn't be as they didn't support out-of-order execution (I'm pretty sure the PS3 didn't support it anyway).
The Xbox One is probably the most seriously affected as it has a browser and the Spectre variants of this design flaw look to be exploitable using JavaScript. The Switch and PS4 are pretty well locked down without a browser so actually getting something running on one of those devices that could exploit this is much harder.
While the mitigations do cause performance hits on things like disk and network I/O I'm not sure if Nintendo need to fix this as there's no browser on the Switch and only authorised applications are allowed to be run. A fix to the dev kit compiler is probably all that is needed to avoid any malicious games attempting to exploit the flaw.
Thankfully 3DS is not affected as it's an older ARM design.
I wouldn't patch it on switch to be honest. I'd make sure compiled games are checked to be properly sandboxed.
No big deal for them, really.
@BulkSlash a lot of what you wrote is wrong.
Why would the Wii U be affected? It uses basically the same CPU type as the Wii and GC: a PowerPC CPU. No one has said anything yet about PowerPCs being affected.
And both the Switch and PS4 have browsers.
@Dan_Dan "At that point you have to ask yourself: why? What's on my console i don't want a hacker to see?" umm..your credit card data maybe?!
It's good that Nintendo doesn't ship the Switch with a built in browser otherwise, they could easily be left vulnerable to these types of flaws. As it is, the hacker will need to be able to get software into your system to exploit these flaws. Let's just hope Nintendo will be diligent and make sure every piece of software that gets added to their eShop doesn't have a Trojan.
@manu0 The Power PCs in the Wii U are affected as it supports out-of-order execution, that was a specific enhancement made to it over the Wii/GC design (and I had hoped would allow it to keep up with the 360/PS3 CPUs which sadly wasn't the case). Any chip that supports OOOE is potentially at risk (although the Wii U is a very unlikely target for hackers).
As for the Switch and PS4 having browsers, I apologise I wasn't aware of them, are they installed by default? I don't remember seeing a browser on either system, but then I wasn't really looking! If they do have default browsers they will definitely need to be patched.
So wait, my Nintendo devices aren't stable?!
Quick I need more updates to stabilize my systems!
This whole problem would go away in an instant if people weren't arseholes.
No one will be affected by Meltdown, since it's an Intel problem.
Spectre however, some variants can impact it maybe.
It would be fun if not so sad, if the jailbreak comes to switch with this vulnerability.
Technically, you can read all kernel memory in hot state exploiting it.
Edit: Yeah, Tegra X1 is a 4xCortex-A57 (affected) and 4xCortex-A53 (not affected).
ARM website says that the 3 variants affect it ._.
https://developer.arm.com/support/security-update
I cannot install updates on my Windows PC and haven't been able to do so for ages. "Fails on the second boot" every time no matter what fixes are applied. Have even installed a brand new clean copy of Windows 10 to clear any problems with the free update from previous operating system, same issue of being stuck on an earlier build.
I wouldn't mind so much if I could update. I don't want to be forced into buying a new system and I won't unless absolutely necessary. Too much software to lose.
I hate these types of issue.
@cobalto It's only been confirmed on Intel CPUs. It could still affect others.
OK.... so does this exploit make hacking Switch easier now? Did the Homebrew guys use this exploit?
If Nintendo patched this exploit, it's going to slow the Switch by 30%... that's not good.
@Nincompoop it most likely won't have such a significant impact, which is hopefully good news
@Nincompoop Well, if it did, it would also slow PS4 Pro and XBox One X by 30% as well, so a 30% CPU utilization cut across all games on all platforms would be essential....those are x86 CPUs more directly affected at this point. PC gaming probably takes the hit right on the nose for this one, though it doesn't affect GPUs so "muh 4k" will be fine. It affects AI and such more. The beauty of this being a broad scale architecture bug is everything from Switch to flagship smartphones to defense supercomputers get affected and get their appropriate slowdown. Virtually a complete down-clock of all computing. Fun!
@YummyHappyPills Battery tech has stagnated since the 1970s, but it's a vicious circle. Sure they've managed to extend serviceable life of the cells and charge retention of the cells but that's about all that's changed.
The problem with batteries in personal electronics goes beyond coming up with more energy storage. The problem is a battery is energy storage. At what point is there too much stored energy being held in everyone's pocket, or in locations that can be frozen, burned, crushed, or punctured? Even if we could store 5 hours of 230W draw at 120v in our pants without a harness for 20lb of SLA batteries.....there really isn't a scenario where that sounds like a good plan, let alone having thousands of said devices in one building at one time.
The future of electronics really has to be using less energy, not finding ways to store more energy on our persons.
...As the tech world turns. Another day, another technological anomaly.
@BulkSlash Yes, the Switch has a browser. It is installed by default because it is used to display the eShop, Login Screens for public Wifi and Twitter and Facebook (for linking accounts and posting screenshots). The only thing that is missing is a user interface that allows you to access other websites.
On Topic: This will probably help hackers a lot to hack the Switch, but they still need some other exploit to run their own software first. The successful hack that was reported currently only works with a specific and old firmware version.
@AlexOlney Technically the whole business is shady, despite Intel coming under pressure for it and the CEO in hot water. This wasn't something developed by Chinese hackers and used to compromise NORAD. This was an attack developed by "researchers" sponsored by Google. More and more attacks are "discovered" by "researchers" who claim to be operating for defense of the greater good, but ultimately it's they who are creating the actual attacks. It's like saying "I invented the atomic bomb because sooner or later someone else would have, so it's best if I just did it first, and by the way, here's the instructions, posted worldwide, on how to make one, and instructions, to select 'in the know' parties, on how to make uranium storage containers that can't be used to make bombs in the future, after the current 800,000,000 of them in the world no longer exist. I'm a hero!"
This is frequently becoming a problem, when compromises are discovered by the industry/academics itself and the information on using it is then supplied to actual attackers, rather than discovering them as real world attacks. The question is if the real world would ever find these exploits without having millions in funding to do so. Arguably governments like China and Russia would do so, but these vulnerabilities aren't network attacks, they are local attacks, so are they really different from spyware and malware based attacks and on-site compromises that already existed and could in most cases glean the same information in a much easier, more direct way?
And conveniently Intel/AMD/Qualcomm/Apple/Google/Microsoft/Dell/HP/Samsung/etc now needs to tell almost the entire world, and more importantly the ever lucrative enterprise & government world that their hardware, and in particular their multi-billions of dollars in datacenter servers need to be 100% bought from scratch RIGHT NOW to be secure. This is a few trillion dollar boon to the industry that has been sagging due to commodity pricing. They're keeping us "safe." They're keeping their shareholders safer.
What's amusing is we keep congratulating tech and big data, and the automation of all things, yet it seems every month there's some new risk, security hole, or crisis that requires another billion dollars to fix the problem when simple paper document storage solved this problem 3,000 years ago. It hasn't really solved any particular problem and seems to keep creating its own problems. For communication, media, and computation computing is a great tool. For important data storage, while the whole world praises its convenience everyone seems to ignore the fact that it creates 20 problems for every one it solves, and we seem to have ever more expensive, complicated workarounds for problems that exist only to keep the tech going and for no other reason. "Data breach" is now a multi-annual reality for almost the whole population, and is a problem exclusively caused by the use of computerized data storage and was all but impossible without. All it assists is centralization and consolidation of all information to easily harvestable archives for a handful of parties. Computers aren't a problem, but computerized, networked, sensitive data storage/transfer is a rabbit hole even Alice couldn't hit the bottom of and seems clearly the entirely wrong use for the technology based on the fact that the depth of problems continues worsening instead of improving with ever more fundamental flaws coming up with no end in sight. Networked data storage has now been around for over 2 decades, and the holes are getting bigger, not smaller.
@NEStalgia All these problems started with Apple, purposely slowed down their iPhone... it got the entire industry thinking 'Hey lets all slow down our hardware too!' So they came up with this bullpoo exploit that's been around for over a decade.
@Nincompoop Samsung had the market cornered on slowing your phone over time long before Apple (And I'm not even an Apple fan (at all))
I half agree, but it's not about wanting to slow down the devices....that doesn't help them. You have to think of the enterprise/government angle. These people have multi-million dollar annual datacenter budgets and accept ZERO security risk. If you were in charge of a corporate network that needs to (for liability purposes) take security (or the appearance of taking security) as the most important, cost is no object, central issue, say, CTO of Citicorp, or Boeing, or Visa-Mastercard, or even Blizzard-Activision, and you hear about this "exploit" and that the only way to secure it is to buy all new processors, you go in and tell the budgeting authorities that your already approved $10M IT budget needs to IMMEDIATELY be increased to $730M because the entire network needs to be replaced in the next 8 months, and you also need to hire a swarm of employees to deploy, migrate, and integrity check the migration. If you're a government, replace the "M" with "B" in those figures.
Spectre: It prints money! (and was formulated by the industry it will print money for....)
Perfect excuse for a Switch console revision.
@NEStalgia That's what I meant, you slowed down the hardware so the customers need to upgrade. The entire IT industry conspired to ripoff the consumers. It will generate so much revenue for the IT industry this year, similar to that bullpoo Y2K millennium bug that made everyone buy new computers.
@Nincompoop Yep. It's not about the slowdown though (Even Google that "discovered" the exploit has downplayed the performance impact saying they're applying the "fixes" to all their datacenters and haven't seen a measurable impact).
Definitely not about the speed hit. It's about planting the bug in everyone's mind that "our infrastructure isn't really secure unless we replace everything." It's the security aspect that will drive the very profitable enterprise buyers.
Consumer will come later and will come from Windows 11 or 12 and Mac OSX 13.x or whatever version requiring a "2018 or later CPU" as a minimum install requirement. Phones probably won't hit the consumer market with this bug in a big way beyond the speed hit, but they don't need the speed hit to do that, they already have the built in obsolescence.
@NEStalgia It's still too early to know how much speed impact, but disabling speculative execution will definitely slow down a little depending on the applications. You're right about the paranoia created by this exploit, security is number one in government and big corporations. This will be a good year for computer hardware business.
@countzero Thanks, I did know about that browser but as it can't be used to access any other web pages I assumed there must have been some other browser available I wasn't aware of. Without any ability to visit other websites with potentially malicious JS code it's not a huge security hole (at least as long as Nintendo don't get hacked!)
@Nincompoop It does depend on what environment. For Meltdown (Intel x86 only) they're not disabling speculative, they're just releasing OS patches to isolate user space and kernel space so the cache can't be accessed from user space....basically just "whitelisting" secure OS's that disallow access. Not a terrible workaround, and no meaningful impact from the OS layer, and any exploit that works around that would be overkill versus easier exploits that could already be used, all of it local. Spectre on the other hand, is the one that could yield disabling speculative. In consumer space I can't imagine it really happening, it would likely be a BIOS/UHCI level fix and most consumer machines stop receiving firmware support within a year or two, and the exploit doesn't really affect consumers so much security wise (a focused local attack is pretty unlikely, and a malware based attack would compromise them with or without the bug.) But giving enterprise/government a choice of "you can either buy all new hardware, or cut performance 30% and still technically be insecure...."....yep....it will be a very good year for hardware. Riiiight when hardware sales were in a rut.
I still think the forced consumer upgrade will come in 1-3 years when OSes disallow the use of chips older than 2018 due to "extreme security vulnerability". They'll probably find some corporate or government lackey who was attacked via the exploit on his 2012 laptop left at a cafe to make a big 2 week long media blitz on the importance of the vulnerability to drive up support for disallowing use of older CPUs. Windows 10 already cut off some older CPUs, not because they weren't fast enough but "lacked essential instruction sets."
A first pass emergency fix would have the most out-sized impact on performance--subsequent patches would mitigate any potential performance loss.
@NEStalgia: That's something I've never entirely understood: Why broadcast vulnerabilities like this to the masses, and as a result give the dangerous hackers this info? I have no problem with these vulnerabilities being discovered and patched without all of this pomp and preamble, but by actually disclosing the methods of how these things are done, they're more or less handing black and gray hat hackers the tools they need.
@Tyranexx There's an almost religious ideology among the tech elite that "information wants to be free" and that by hiding the bug, they're just opening it up to be quietly used by nefarious forces without people knowing about it, and by exposing it, it enhances the risk that someone will use it but also alerts the public and in particular software vendors to rapidly resolve it. That in itself is the bizarre hubris that comes from the tech elite.
But beyond that, in cases like this one, it's intentionally found by expensive, time consuming digging, then announced to the world by one or more of the companies that stands to benefit from everyone being forced to replace everything to fix it....I'm pretty convinced that just comes down to having something to gain. (Plus updated hardware replacing all that old hardware means the latest and greatest spyware and datamining can be pushed. Wouldn't want any old BIOS systems still in use when UEFI is a much more effective spy tool (not referring just to NSA type spying but Google, Apple, Microsoft etc mining as well) with all the backdoors built in!)
Meanwhile outside the oft alien bubble of the tech elite, when financial breaches happen nobody discloses that it happened unless the company itself announces it. Often it's listed as a "big breach they are aware of and working with the FBI and authorities" and won't be named so long as they are resolving it with authorities as it "could cause public panic and lack of faith in infrastructure" I.E., I think it's a pretty safe bet Amazon and/or Google have been hacked, at least once, and we will never be told about it to "prevent panic" and every credit card in existence gets cancelled with nobody knowing why. And the companies get to hide behind the illusion that they are impenetrable fortresses impervious to breach.
But some rare, difficult to utilize, exploit that's been part of CPU design since the Windows Vista era? That we'll broadcast to the world so it becomes a lot easier to utilize, but only until absolutely every computer, tablet, and phone made in the last 10 years is discarded (i.e. stripped of all gold and dumped on a barge rammed into the coast of Mali to be scavenged by locals and turned into jewelry (seriously that's what "recycling" computer hardware often means, no joke!) They usually take apart the barge and use the sheet metal for housing, as well...so....win win? ) and replaced with brand spanking new ones!
@Dan_Dan That's what I was thinking. I doubt the hacking community would be able to keep something like Meltdown secret for that long if it were really that easy to exploit and was practical for them.
Its impact on Switch owners will probably be minimal at best especially considering Nintendo's own privacy and security policies.
@NEStalgia See that's the weird thing though. Intel and AMD released new CPUs not too long ago and apparently those are also affected by the exploits. Especially, in Spectre they'd have to change their whole process for chip manufacturing. That's REALLY EXPENSIVE and announcing the exploits in advance without any chips in the works could be counterproductive. I think it's more likely that the information was going to come to light soon anyways so the companies opted to give this information out "freely" by their hands rather it come from someone else.
@AlexOlney Lots of problems would go away!
Doesn't Nintendo brick your system if you go online with a modded system anyway?
@NEStalgia
Damn, you might be on to something.
@Ernest_The_Crab In this case it was the "vendor" side rather than the manufacturer side that did the research and released the information. Intel and AMD didn't do the announcing, the research firm that found it on behalf of Google (and a few smaller firms) did the announcing. My favorite was the lead researcher prefaced it that he "hope[s] it will take long enough for hackers to exploit because it must be tailored to the target hardware [that the fix can be wide spread enough] to make it difficult to utilize" We're hanging hats on hope on this one. Maybe if it takes years to deploy we'll wisely wean off cloud-everything in the meantime. One can hope. The security risk on your laptop is minimal for any reasonable hack. It's not a network based vector so not many people are going to have local access to attack you. But cloud security is going to be a joke until 100% of the "cloud" is replaced. Which is so awful it's hysterical.
Intel will take a hit for a while, especially as the scapegoat due to Meltdown, which is a shame as that involves an all software fix only, but long-term they will heavily benefit. Releasing the info wasn't their doing, but they do stand to benefit. Dell, HP, Apple, Google, Microsoft etc. stand to benefit quite a bit more however. Hardware sales have been in a severe slump and these firms have had a hard time dealing with that. This is a much needed shot in the arm for their bottom lines, even if it hurts the first year. It's not too expensive to change the fab process or announce it too early when you now have GUARANTEED mass scale sales to make up for it with a waiting list ocean deep of buyers as soon as new units are ready faster than you can make them. I doubt they're sweating the finances on this one.
@NEStalgia It really depends since both Intel and AMD are the ones that make chips. I'm guessing this was not a pleasant surprise for them (their partners coming out with these investigation results).
They stand to benefit from the end results but I feel between the potential litigation/brand damage (especially in Europe which has stronger laws in place) and the damages they will need to pay out (more of a gesture really) they may be a bit pissed at their partners. Those two pretty much control the entire chip market, they'll definitely ask for some concessions from their partners and are definitely in a bargaining position for it.
We might see a change in the landscape depending on how these relationships turn out after the fallout.
Could end up being a plus for the consumer if some more large companies get into the business of chip making (potentially Google?)
I feel that if anything major happens in the industry it'll still be quite a ways off.
@Ernest_The_Crab All very true. Though honestly litigation against them would be hard to prove a case for. The chips aren't defective, they function as intended and to our knowledge so far they didn't hide a problem they knew about. Their vendors simply spent tons of research money to find a way to exploit and break their product and succeeded over a decade after the products were introduced and the design was standard across the industry. It's not looking like negligence, merely a new way to pick a lock was invented.
@NEStalgia: "Bizarre hubris" is one way to put it. While I sort of understand the logic that goes into play there, I still sometimes wonder if these announcements do more harm than good in the short run. This reaction makes a little more sense with Meltdown since they're already patching it, less so in regards to Spectre.
I'm glad I'm not the only one who raises questions about the security of data out there on the web. I think that having it out there creates way more problems than it solves in some cases. I received word a while back that GameStop was subjected to a data breach, thankfully I didn't find any evidence that my credit card had been tampered with.
I find stuff like this interesting from a technological perspective. I'm a programmer, though I really don't do much in the way of servers and security; I have messed a little with Linux servers through the likes of Digital Ocean, however.
Unless Nintendo puts out a browser I don’t see how this would be an issue. Seems like you’d still have to execute malicious code to exploit the issue. I only download games from the eShop or play cartridges. Nothing to worry about for me.
Am I the only one who feels like this was purposely put in place so hardware manufacturers have an excuse to sell new hardware?
@Nincompoop enough with the profanity please.
Meltdown will not affect the Switch, or at least it is very very unlikely to. The X1 has 4 A57s and 4 A53 cores. (See https://developer.arm.com/support/security-update) None are affected. To date most ARM processors affected are those designed by Apple and Apple has taken many short cuts in its chip design with the intent of avoiding paying licence fees. You also need to run code on the system to exploit, so another reason not to expect, or want, a full browser on the Switch.
@Zyph You people who think that there will be a "Switch XL" or mini are asinine. The whole concept of the Switch is removable, two player, one controller, portable/dockable console. An XL version would negate that as would a mini because they would 95% most likely have attached controllers... It's not happening. Trust me they are going to go the route of Switch two, while keeping old controllers AKA Joycons. They have done it with most of their consoles... Made a different iteration of them... It won't happen this time. They are going to go the route of pack ins and then the next console.
@YummyHappyPills You can't just simply eliminate the problem from future prints of the chips. The chip would have to be completely redesigned.
Last I checked, the Switch's CPU is made by nVidia with an ARM architecture.
Meltdown affects x86 chips like those made by Intel and AMD.
Meltdown therefore has no impact on the Switch, unless a derivative appears that affects the ARM instruction set.
@DEZn00ts Sigh Well sorry if I wasn't being clear. I meant "XL" because I was just comparing it to how the 3DS moved up to a "XL" iteration. What I really meant was the next iteration for Switch. Either a Switch 2 or a Switch Pro. If my wording made you assume I literally wanted a big-ass Switch then my bad. You really didn't need to say it like that. It may be my fault this time but you can't just assume that if someone said "XL" they mean it literally and just go on a big rant and shoving it in their faces. Jeez...
@AlexOlney Isn't that like most of the problems in the world?
@DEZn00ts @Zyph Actually, I want a Switch XL. It'd be less portable, but it'd be better for local co-op via Tabletop mode (+ presumably larger more comfortable joycons). I don't see this as being a problem as a variant for some people who enjoy Docked and Tabletop mode more than portable. The old joycons could still work, just not attach, that's not too difficult. The main issue would be waiting for a better CPU likely, but that's why it's a second iteration of Switch.
You're welcome to disagree if you want, but it's a viable and not too farfetched want, as Switch encourages local co-op/comp play on the go.
@Tyranexx (late reply is late....)
Yeah, it astounds me how in the past 10 years or so in particular everyone has jumped on whatever tech bandwagon is marketed to them, and embraced "the cloud" for all things. I realize it stems from total ignorance....on the surface it all seems trustworthy, and if you don't understand the real inside of how it all works there's little reason to doubt appearances, but we're constantly told how tech savvy the population today is. If that were true, "the cloud" wouldn't be terribly profitable.
Most people can use a microwave oven. Most people don't understand the dynamics of microwave energy radiation. I feel that's where we are in tech. The population is no more "tech savvy" than the clueless masses were when they were first introduced to computers and email in the 90's. They just better know how to push buttons to get a result they want without needing to know what pushing those buttons actually does.
I'm sufficiently in the know and still find myself horrified and flabbergasted when I learn of yet some other insidious mechanism that I never contemplated could exist, but does.
Certainly it adds convenience, it can be useful in places, but it's a massive flaw in most other places. To date, nearly every state government has been hacked. The Pentagon has been hacked. We'd never know if the CIA were hacked but we can guess. Nearly every consumer service from shopping carts to cloud storage to credit applications has been hacked (once or more than once).....why are we still trusting everything behind a lock that is proven time and time again to be unlockable. If everyone put all their information in a bank safe, and every few months a new masked robber walked in and cracked the safe, would they still keep putting everything in the same bank safe? The issue isn't that file cabinets with metal locks are better locks than AES encryption. It's that only one person at a time can try picking the lock on the cabinet and odds are someone will be there and see them trying. Whereas in the cloud a few million people including entire governments can be working on picking the lock simultaneously from the other end of the planet, or from space, or simply monitor the layout of the key that goes in and copy it, and instead of having millions of locked cabinets each with a few people's information, we have a few dozen locks all of them with everything in it. It doesn't take a genius to figure out the best plan isn't to keep trying to fortify the lock which has been a failed strategy for a few hundred years now, but to simply present many more locks each guarding far less valuable information. Every locksmith in the 19th century knew that building a better lock just meant thieves will build better lockpicks. Somehow tech hubris believed that a $3bn lock wouldn't net a $2bn lockpick that can pick it. And every time it fails they throw another $1bn at the next stronger model lock hoping that THIS time is the time centuries old wisdom is finally obsolete! Big tech never learns from the past because they believe their arrival marked a new beginning.
And all that only covers intentional hacks and "lockpicking" without even touching on the intentional backdoors and spyware where the "thieves" aren't considered thieves but "all part of the system".
If people were followed around all day by a creepy mole-like bureaucrat in hornrims and a lab coat jotting down the tiniest minutiae of everything they do, say, or look at, and mailing it off to government/corporate HQ, people would freak out, and society would break down. And yet that is precisely what happens to everyone, every day....except they never see the guy with the clipboard....he's possibly on the other side of the world....but still monitoring and recording everything we look at and every word we say.
GameStop...not surprising, a few years ago they lost my whole order history suddenly, then things changed in their cart system....I assumed something big happened. My old card was compromised but I never learned who lost it. Since then I mostly only buy from places PayPal accepts. They've been breached too, of course, but at least I keep my information behind only a few locks now rather than under every single lock out there no matter how soft a target. The current system, and the credit card system just doesn't work.
Corporate security....all I can say having worked with some very very big corporate names....names you know....and the usually off-shored sub-contracted project-based consulting firms......all the supposedly "really smart" people that run these networks.....are purple unicorns. They don't exist. I'm sure they each have one or two that started or run the programs that truly know what they're doing. The people ACTUALLY running these corporate networks that have your most private information stored very clearly are in many cases wholly incompetent. I've had to explain how basic security mechanisms operate to them when it was clear they really had no idea what I was talking about. These people make 5x what I make no doubt, and have much fancier titles. They don't even understand the basics, and I'm no security expert. After seeing WHO is responsible for installing the locks.....it should be simply expected that you can just knock the lock out of the hole and get in. The "security" is an illusion at many many firms that give the illusion of security. If most people understood what the cloud really is and saw all the duct tape and staples holding it together backstage, I don't think we'd be clamoring to move everything online. It's one of those things that the more you know about it, the less you want to use it.
@NEStalgia: (Apologies, read your reply yesterday but never found the time to respond. RL sucks sometimes. XD)
I can agree with the fact that usually the more I find out about the inner workings of some pieces of technology (like the cloud), the less I like that particular thing. With how elaborate cyber criminals are getting, I agree that, if vital information should be available out there on the net, then we need to find better and more efficient ways of storing that information. Unfortunately, more and more things are going digital, and IMO I'm not sure the world is completely ready for that.
I like your metaphor for the lack of privacy for the average user nowadays, something that's also a concern of mine. While there are perks to having a custom-tailored browsing, marketing, etc. experience, I find that to be (for lack of a better term) invasive; I'm not sold on the idea of my activities being sniffed out and sold to ad generators and data collectors. In many cases, there are ways to turn this stuff off (literally one of the first things I did with my new Win10 laptop was lock down a lot of the privacy settings), but in some cases those settings are either reset or a few things can't truly be turned off. Achieving a state of complete privacy online (unless there's something I haven't come across yet) is borderline impossible.
PayPal...Funnily enough, I've been thinking of trying it out, and after seeing your reasoning for using it and doing some of my own research, I may go that route as well. Another motivation is that more and more websites seem to make you sign up and enter your information before you make a purchase; the fewer places my credit card can be found, the better. I don't often buy things online, but sometimes it's a given when you live in Nowhere, Lower Midwest and don't want to drive to the nearest major city.
@Tyranexx Such is the nature of being a windbag and writing TLDR narratives in forums.
Sadly not being ready for things going digital is a vast understatement. Forget the bulkheads not working in the event of a lateral port side impact on the Titanic. OUR Titanic left port without any bulkheads at all assuming the concept of impact was mythical and the hull would protect us in any event because it's metal!
It's one of those things that it's not the solutions to the problem, or the readiness that's suspect. It's the actual goal itself that's simply a nonworkable design. I can forgive the naivete of the 90's. Fine, nobody understood just how unimaginable the lengths hackers could go could be. But now we know. And we know it gets ever more sophisticated. Any data stored intentionally in the public view, with as many points of access as possible, and accessible from anywhere in the world, by anyone in the world, is inherently not ever going to actually be secure. It's not about building better tech to secure it. It's about not presenting such a vulnerability from the start. The Internet was designed by military....I'm starting to think it should be turned over to them to secure. No general would ever support the idea of centrally locating all priority assets in one location under heavy fortification, let alone trying to do so behind enemy lines. Of course the Internet was just designed for communication, not commerce and information security. ARPANET was never intended to house field strategies and troop deployments. They weren't that stupid back then.
Meanwhile in reality, after the Experian breach, every SINGLE adult in the US has had their full identity information leaked and thus is high risk for identity theft. EVERY adult. Because we had 3 companies that keep full profiles on every individual, and they centrally gather that information and have openings to access it planet wide. How can they ever go after anyone for bad credit or make it difficult to recover from a stolen identity when everyone is likely to have multiple doppelgangers? But they'll offer a free year to everybody of monitoring.... Sure. That'll help. You just need to put your information in their same central database AGAIN to sign up. "Sorry I lost your Picasso. If you just give me your Rembrandt I'll make sure nobody takes your Van Gogh."
Yeah, we're soooo not ready for digital anything. (Fun fact, there are multiple sheets of your credit report. The top sheet is you. The other sheets are the other people using your SSN. You can't see the other sheets. A lender can. But a lender may not acknowledge the others exist, and it's actually a criminal offense to tell you they exist at all. But they have to factor the other sheets into your rating. That result is politically motivated as the "other yous" are often "undocumented" individuals and stopping that stops the status quo in place. And now EVERYONE'S information is leaked! How's that superyacht you bought last month in Morocco for $800M? Oh...whoops...that's on your OTHER sheet....)
Funny, never had that problem when all our records weren't in one place you can access from any other country.
Back on the non-critical privacy snooping.....if it were ONLY tailored marketing at a surface level "oh you were shopping for Switch Pro Controllers, we think you might like Playstation ads", as most people think of it, that would be one thing. But it's worse. They're gathering points of data from all avenues...the surface level ones like supermarket loyalty clubs and browsing history, plus the hidden ones....DNS monitoring, embedded scripts watching your cursor movements, your physical location at all times and proximity to all other individuals at those times, then aggregating that info for sale to the point they have both a complete history, itinerary, relationship flowchart with everyone you've encountered, and overall psychological profile to the point they know how your brain works and how to manipulate it to varying degrees of accuracy. Of course the only reason the effect hasn't been worse yet is the people exploiting it are usually so narrowly focused on what they want to do they miss the full potential of what they have. But when, not if, that changes, we're in trouble. Imagine what they're seeding AIs with? Some days I think the only solution is go live in a cave in the mountains somewhere. Then I realize they're probably watching the cave with thermal imagers and drones anyway.... China's introducing facial recognition as a national rollout. It's funny the press makes a big deal of that since the US and UK have been working on that for years and even deploying it. Imagine when they have GPS data on everyone's positions at all times, and visual confirmation to back it up. Plus everything you've ever read, wrote, bought, seen, or believed in, AND your whole medical history, all tied together.
Between the profile building, and the data security weakness, we get a new problem. Those personality profiles that were meant for companies and governments to own and control us........we also know can easily be obtained by anyone. So by the time DC and Google are vying to decide whose property we are......Beijing and Anonymous may actually be our puppeteers the whole time anyway!
Win10 doesn't allow you to really turn off "phoning home"....but that's probably red herring. Do you know Windows 7 REALLY didn't either? They were caught phoning home in '98.... Lenovo was already caught with spyware in BIOS that would reinstall into windows with every clean format. Three times. It phoned home to Beijing. And now we have UEFI replacing BIOS that has all kinds of junk baked in at low level. Spying has become much more sophisticated to the point of being done at the hardware level. And it's all in the cloud. And anyone can breach the cloud from anywhere.....
Have your ticket ready?

(Heck even when you live in urbania just GETTING to that "nearby" shopping center takes longer than it does in Nowhere, Lower Midwest!)
@NEStalgia: I did read your whole post, and while my initial reply was a lot longer, some of it got lost somehow....
Oh yeah, I know that a lot of the data collection that goes on whenever you hit the internet (or even boot up your PC or other electronic device) isn't wholly benevolent. In fact, the Lenovo spyware in their BIOS is what convinced me to NOT go with them when I was laptop shopping....I opted for Windows out of preference/convenience (Though I'm not a big fan of Win10, I despise Macs more), but I almost went with Linux. I don't really trust any manufacturer or OS provider at this point.
But yep! I got my ticket ready! I'm ready for the inevitable meltdown that will happen....Hopefully I'm long gone by then. Skynet, anyone?
@NEStalgia Turn over control of personal products to the military? I don't think that's such a good idea:
https://www.wired.com/story/meltdown-spectre-bug-collision-intel-chip-flaw-discovery/
In particular, under the "Quadruple Collision" section:
"In fact, the bizarre confluence of so many disparate researchers making the same discovery of two-decade-old vulnerabilities raises the question of who else might have found the attacks before them—and who might have secretly used them for spying, potentially for years, before this week's revelations and the flood of software fixes from practically every major tech firm that have rushed to contain the threat.
The synchronicity of those processor attack findings, argues security researcher and Harvard Belfer Center fellow Bruce Schneier, represents not just an isolated mystery but a policy lesson: When intelligence agencies like the NSA discover hackable vulnerabilities and exploit them in secret, they can't assume those bugs won't be rediscovered by other hackers in what the security industry calls a "bug collision."
...
So when the NSA finds a so-called zero-day vulnerability—a previously unknown hackable flaw in software or hardware—Schneier argues that tendency for rediscovery needs to factor into whether the agency stealthily exploits the bug for espionage, or instead reports it to whatever party can fix it. Schneier argues bug collisions like Spectre and Meltdown mean they should err on the side of disclosure: According to rough estimates in the Harvard study he co-authored, as many as one third of all zero-days used in a given year may have first been discovered by the NSA."
Handing over security to "the military" means handing it over to the NSA, who are denying (read: most likely lying) that they had previous knowledge of the exploits, which they would greatly benefit from using without telling anyone about their existence. If true, it would be yet another massive violation of the Constitution, breaching citizens' privacy under the 4th Amendment, which prohibits unreasonable searches and seizures. The NSA has been given carte blanche to flagrantly violate the 4th Amendment with their mass data collection (read: domestic spying) programs, which is then used by the military apparatus. (Granted, one hand doesn't know what the other is doing.)
So yeah, I wouldn't trust them.