As you may be aware, two significant technical vulnerabilities have been discovered and were publicly announced recently.
They are called Meltdown and Spectre.
Unlike most technical vulnerabilities, which are caused by poorly written software, Meltdown and Spectre are caused by the way computer chips work. In other words, they aren’t code mistakes; they reside in the actual brain of the computer. So they are very widespread and much harder to fix.
Using these vulnerabilities, an attacker with access to a computer or server (including remote access) can read information used by other programs on the computer or server. This could include very sensitive information that should be, and usually is, protected.
As you can imagine, this is a first-class disaster for computers around the world and is something we are paying very close attention to.
One bright spot (if we can call it that): the problem is mitigated by the fact that you must already have access to a computer in order to exploit the vulnerability. So, while technologists are working to respond to these problems, we at May First can take a few steps.
At May First/People Link, our greatest threat is via compromised web sites and user accounts. These compromises can be used by an outsider to get access to the server your site is on and, once they have that, they can exploit the vulnerabilities. The best steps you can take to help are:
Ensure your WordPress and Drupal sites are updated. If you are not sure, ask someone in your organization or your tech volunteer or consultant. This is the number 1 way that malicious users gain access to our servers.
Review your list of hosting orders. If there are any that are not in use, you can disable them without losing any data.
Review your list of users. Disable all users that are not actively working with your organization. This step reduces the chances that a user with an easy-to-guess password can be compromised.
Be prepared for downtime. In the coming days we will be updating and rebooting all servers to better protect ourselves against these vulnerabilities. We will send a service announcement (see https://status.mayfirst.org/) when we have the definitive time.
If you have any questions, please don’t hesitate to contact us at firstname.lastname@example.org. Our techies are happy to answer any query however small.
If you would like more information, below are two excellent articles.
The Guardian has a simple, non-technical explanation:
For a more technical explanation, see: