Thread - Nostr Hypermedia

Not ideal... "The researchers demonstrated the capability to extract various cryptographic keys, including a 2048-bit RSA key within an hour and a 2048-bit Diffie-Hellman key in just over two hours." GoFetch: a significant vulnerability in Apple's M-series.

TFTC – Truth for the Commoner

GoFetch: Critical Vulnerability in Apple's M-Series Chips

This is not ideal. It's probably not a good idea to create bitcoin private keys with Apple M-Series chips.

Replies (16)

zhenya zhenya@primal.net 1 year ago

this is why we linux

2 replies ↓

Alex Strenger 1 year ago

Is this for iphones or mac computers??

2 replies ↓

Jonathan 1 year ago

Makes you wonder if it's intentional.

James A Lewis @theologyofcommerce.com 1 year ago

Dang. I would have thought the key would be loaded with greater memory safety. Is the key something hard coded on-chip? It's be really odd, but I could see Apple hard coding the keys into their chips, since "proprietary" is their SOP.

sms 1 year ago

#asknostr How does this affect access to password managers on M Apples?

1 replies ↓

sms 1 year ago

#Linux runs on Apple M, and i think would not be safe from this, because it’s a hardware design flaw.

1 replies ↓

stacktoshi 🚀 ∞/21m stacktoshi@nostr.fan 1 year ago

Mac computers and iPads have the M-series chips. iPhones have A-series chips.

ThyLobster thylobster@zaps.lol 1 year ago

As far as I understand it, you will need physical access to the machine and know what you are doing. If someone has physical access to my machine, breaking encryption is probably not my biggest problem right now.

npub1csa2...89np 1 year ago

Tim Apple: “Whoops, they found the backdoor we put into our $1500+ machines for you guys” NSA: “Meh, won’t matter, they’ll keep buying your overpriced laptops, add a couple of new colors next year and say revolutionary a few extra times during the presentation “

Niall Young bluemouse1@primal.net 1 year ago

No 😢 the article suggests any code running in user mode can attempt, sounds like indirect access to memory via cache, so just a matter of waiting and watching for long enough to collect what you need. If a browser running js can trigger it …. sounds pretty bad/deliberate regardless #notyourkeys

Meridian meridian@getalby.com 1 year ago

software doesn't solve hardware level issues

1 replies ↓

zhenya zhenya@primal.net 1 year ago

true but FOSS enables hardware optionality

1 replies ↓

Meridian meridian@getalby.com 1 year ago

doesn't really change anything, unless you're manufacturing / assembling the hardware yourself. you're still trusting chip manufacturers, supply lines, etc.

1 replies ↓

zhenya zhenya@primal.net 1 year ago

my point is not of "trust but verify" variety i own apple and non apple products. in light of this news my apple devices are compromised and i must wait for apple hardware to catch up. if hardware for my non apple products suffered such an issue i could easily move to another piece of hardware

1 replies ↓

Meridian meridian@getalby.com 1 year ago

fair enough. my point is that these sorts of issues happen to non apple hardware all the time. e.g.

Ars Technica

“Downfall” bug affects years of Intel CPUs, can leak encryption keys and more

Researchers also disclosed a separate bug called "Inception" for newer AMD CPUs.

many people seem to believe that simply running linux will protect them from such vulnerabilities. this is a major oversight. one worth acknowledging and correcting, in my view.

1 replies ↓

zhenya zhenya@primal.net 1 year ago

fair. yes there is nuance here