PIA is probably safe from this. It's a little similar to TeLeScope vulnerability in that it allows unprivileged users to escape a VM and access kernel memory. As long as PIA is using bare metal servers, like they say they are, there should be no reason for undue concern.
PIA is probably safe from this. It's a little similar to TeLeScope vulnerability in that it allows unprivileged users to escape a VM and access kernel memory. As long as PIA is using bare metal servers, like they say they are, there should be no reason for undue concern.
Yup, exactly what I was thinking of replying when I read the title! These exploits requires code execution for the attacker, which in our case they don't so they'd need to break OpenVPN/*swan/pptpd first before they can do anything. It's one of the less common cases where desktop systems are more impacted than servers. Servers typically run trusted code from the company or other companies, so there needs to be a remote code execution exploit first before an attacker can do anything with the machine while by default browsers happily runs code from practically every website without asking. This is normally safe because Javascript is heavily sandboxed in modern browsers, except of course this exploit bypasses sandboxes and kernel boundaries...
Of course we're patching it (if not already done), but there is no need to panic in this situation. Make sure to patch your systems tho!
PIA is probably safe from this. It's a little similar to TeLeScope vulnerability in that it allows unprivileged users to escape a VM and access kernel memory. As long as PIA is using bare metal servers, like they say they are, there should be no reason for undue concern.
PIA is probably safe from this. It's a little similar to TeLeScope vulnerability in that it allows unprivileged users to escape a VM and access kernel memory. As long as PIA is using bare metal servers, like they say they are, there should be no reason for undue concern.
Yup, exactly what I was thinking of replying when I read the title! These exploits requires code execution for the attacker, which in our case they don't so they'd need to break OpenVPN/*swan/pptpd first before they can do anything. It's one of the less common cases where desktop systems are more impacted than servers. Servers typically run trusted code from the company or other companies, so there needs to be a remote code execution exploit first before an attacker can do anything with the machine while by default browsers happily runs code from practically every website without asking. This is normally safe because Javascript is heavily sandboxed in modern browsers, except of course this exploit bypasses sandboxes and kernel boundaries...
Of course we're patching it (if not already done), but there is no need to panic in this situation. Make sure to patch your systems tho!
Thank you both for answering my question! A special thanks to @Max-P for the extended explanation. I always feel safe using PIA!
Hi,
I'm not expert in PC stuff. I'm not sure if I understood your comments well.
Using internet via PIA is safer than doing without PIA and the patches for the vulnerabilities?
Of course I don't expect 100% safety, though.
PIA doesn't have any effect on whether you can be exploited or not using Meltdown. In both cases, your browser will load a malicious website and execute the malicious code to exploit Meltdown. The only difference is that it will be loaded over PIA or through your ISP. This is not something PIA can do anything to help you with, so make sure you install all the updates!
This discussion and my comment is more about if PIA's servers are vulnerable and could be exploited by an attacker to see every PIA user's traffic. So as I explained in my comment, no, the servers are thankfully safe!
Hi Max-P,
Thank you for your explanation.
I think I figured it out.
It might be out of the topic but may I ask a silly question? because many members here seem tech savvy.
Is it not enough to install only the security patches of Internet browser(say, Firefox) to prevent from being exploited?
I mean, I am planning to forgo installing the security patches of OS(Windows) until many people repot how much severe the vulnerability is or how much the actual CPU performance hit is.
Now I have kept my main PC disconnected just in case.
Hi Max-P,
Thank you for your explanation.
I think I figured it out.
It might be out of the topic but may I ask a silly question? because many members here seem tech savvy.
Is it not enough to install only the security patches of Internet browser(say, Firefox) to prevent from being exploited?
I mean, I am planning to forgo installing the security patches of OS(Windows) until many people repot how much severe the vulnerability is or how much the actual CPU performance hit is.
Now I have kept my main PC disconnected just in case.
No, it's definitely not enough to only patch the browser. This would only plug one hole. Everything else on your system still could read kernel memory it's not supposed to be able to.
I don't have first hand experience with it yet, but as far as I know the performance hit is negligible for most uses. There are many companies reporting huge increase in CPU load but all of these also have workloads that are heavily dependent on many small syscalls like game servers, databases, I think file servers. For most uses, especially things that try to be energy efficient (for laptop users), they are going to use few syscalls which also reduces the CPU hit. Games are also mostly unaffected given GPU rendering sends very large buffers at a time to feed the highly parallel GPU. Modern graphics APIs like Vulkan and DirextX 12 also optimizes this further and are mostly unaffected. The vast majority of people get nowhere close to the reported 30%+ performance hit.
Given the severity of that one I would highly recommend looking at your performance before, take a backup/restore point, install the update and see how much you are affected and if it's too much for you. If it's really bad, you can always restore or disable the update. Meltdown gives any code, in any form even in a sandbox, the possibility to read the entirety of your computer's memory.
I use my main PC for creating music which requires a sheer amount of CPU power.
So, I was hesitated to install the patches.
But your explanation made me realize this is a severe issue.
I will try out the patches and see what happens. (Of course, I won't forget to take a backup and make a restore point before doing them)
Comments
Of course we're patching it (if not already done), but there is no need to panic in this situation. Make sure to patch your systems tho!
I'm not expert in PC stuff. I'm not sure if I understood your comments well.
Using internet via PIA is safer than doing without PIA and the patches for the vulnerabilities?
Of course I don't expect 100% safety, though.
This discussion and my comment is more about if PIA's servers are vulnerable and could be exploited by an attacker to see every PIA user's traffic. So as I explained in my comment, no, the servers are thankfully safe!
Thank you for your explanation.
I think I figured it out.
It might be out of the topic but may I ask a silly question? because many members here seem tech savvy.
Is it not enough to install only the security patches of Internet browser(say, Firefox) to prevent from being exploited?
I mean, I am planning to forgo installing the security patches of OS(Windows) until many people repot how much severe the vulnerability is or how much the actual CPU performance hit is.
Now I have kept my main PC disconnected just in case.
I don't have first hand experience with it yet, but as far as I know the performance hit is negligible for most uses. There are many companies reporting huge increase in CPU load but all of these also have workloads that are heavily dependent on many small syscalls like game servers, databases, I think file servers. For most uses, especially things that try to be energy efficient (for laptop users), they are going to use few syscalls which also reduces the CPU hit. Games are also mostly unaffected given GPU rendering sends very large buffers at a time to feed the highly parallel GPU. Modern graphics APIs like Vulkan and DirextX 12 also optimizes this further and are mostly unaffected. The vast majority of people get nowhere close to the reported 30%+ performance hit.
Given the severity of that one I would highly recommend looking at your performance before, take a backup/restore point, install the update and see how much you are affected and if it's too much for you. If it's really bad, you can always restore or disable the update. Meltdown gives any code, in any form even in a sandbox, the possibility to read the entirety of your computer's memory.
Thank you for your clear explanation!
I use my main PC for creating music which requires a sheer amount of CPU power.
So, I was hesitated to install the patches.
But your explanation made me realize this is a severe issue.
I will try out the patches and see what happens.
This is a kernel patch so all regions are currently rebooting. Please hold tight for the next hour or so while everything settles!