Not ideal...
"The researchers demonstrated the capability to extract various cryptographic keys, including a 2048-bit RSA key within an hour and a 2048-bit Diffie-Hellman key in just over two hours."
GoFetch: a significant vulnerability in Apple's M-series.
this is why we linux
#Linux runs on Apple M, and i think would not be safe from this, because it’s a hardware design flaw.
software doesn't solve hardware level issues
true but FOSS enables hardware optionality
doesn't really change anything, unless you're manufacturing / assembling the hardware yourself.
you're still trusting chip manufacturers, supply lines, etc.
my point is not of "trust but verify" variety
i own apple and non apple products.
in light of this news my apple devices are compromised and i must wait for apple hardware to catch up.
if hardware for my non apple products suffered such an issue i could easily move to another piece of hardware
fair enough.
my point is that these sorts of issues happen to non apple hardware all the time. e.g. https://arstechnica.com/information-technology/2023/08/data-leaking-downfall-bug-affects-six-generations-of-intel-pc-and-server-cpus/
many people seem to believe that simply running linux will protect them from such vulnerabilities.
this is a major oversight. one worth acknowledging and correcting, in my view.
fair. yes there is nuance here
Is this for iphones or mac computers??
Makes you wonder if it's intentional.
Dang. I would have thought the key would be loaded with greater memory safety. Is the key something hard coded on-chip? It's be really odd, but I could see Apple hard coding the keys into their chips, since "proprietary" is their SOP.
As far as I understand it, you will need physical access to the machine and know what you are doing.
If someone has physical access to my machine, breaking encryption is probably not my biggest problem right now.
No 😢 the article suggests any code running in user mode can attempt, sounds like indirect access to memory via cache, so just a matter of waiting and watching for long enough to collect what you need. If a browser running js can trigger it …. sounds pretty bad/deliberate regardless
#notyourkeys
