+- Linux Lite Forums (https://www.linuxliteos.com/forums)
+-- Forum: General (https://www.linuxliteos.com/forums/forumdisplay.php?fid=4)
+--- Forum: Security & Bug Fixes (https://www.linuxliteos.com/forums/forumdisplay.php?fid=16)
+--- Thread: Meltdown & Spectre Information and Discussion (/showthread.php?tid=4813)
Re: Meltdown & Spectre Information and Discussion - rokytnji - 01-04-2018
Meh,
Code:
~$ inxi -f
CPU: Single core AMD Athlon 64 3800+ (-UP-) cache: 512 KB
speed/max: 1000/2400 MHz
CPU Flags: 3dnow 3dnowext 3dnowprefetch apic clflush cmov
cr8_legacy cx16 cx8 de extapic extd_apicid fpu fxsr fxsr_opt
lahf_lm lm mca mce mmx mmxext msr mtrr nopl nx pae pat pge pni pse
pse36 rdtscp rep_good sep sse sse2 svm syscall tsc vme vmmcall
$ inxi -S
System: Host: biker Kernel: 4.4.0-104-generic x86_64 (64 bit)
Desktop: Xfce 4.12.3 Distro: Ubuntu 16.04 xenial
$ cat /etc/llver
Linux Lite 3.6Edit: Just to explain myself. In my area. I am more likely to have have my car stereo stolen stolen than this exploit to take hold on my computers.
I care more about the stereo.
Re: Meltdown & Spectre Information and Discussion - Valtam - 01-05-2018
(01-04-2018, 10:45 PM)rokytnji link Wrote: Just to explain myself. In my area. I am more likely to have have my car stereo stolen stolen than this exploit to take hold on my computers.
I care more about the stereo.
Indeed. Are hackers going to target Joe Nothing living at 123 Who Cares Street or do they have juicer targets?
Sent from my Mobile phone using Tapatalk
Re: Meltdown & Spectre Information and Discussion - Valtam - 01-05-2018
Ubuntu plan to release Kernel updates early next week, in or around the 9th.
Sent from my Mobile phone using Tapatalk
Re: Meltdown & Spectre Information and Discussion - ian_r_h - 01-05-2018
An update on (hopefully) reputable and authoritative information sources this morning regarding Meltdown and Spectre.
Personally I agree with Jerry: Don't panic - there is no known malware exploiting these yet. Meltdown looks specific to Intel, and is the "easier" both to exploit and to patch; Spectre affects many more processors (including ARM and AMD as well as Intel), and is both harder to exploit and patch. At least according to these websites.
BBC News has two articles which may be of interest (the second if you are also an Apple user):
http://www.bbc.co.uk/news/technology-42562303
http://www.bbc.co.uk/news/technology-42575033
Leading cryptography expert Bruce Schneier says he plans to write more soon on his blog, and has a brief summary of the technical issue that is easy to read:
https://www.schneier.com/
4.4.x series updated in Kernel 4.4.109 (among other versions):
https://fullcirclemagazine.org/2018/01/04/linux-kernels-4-14-11-4-9-74-4-4-109-3-16-52-and-3-2-97-patch-meltdown-flaw/
The Department of Homeland Security (USA) website contains additional information on the general problem, as well as links to vendor-specific information:
https://www.us-cert.gov/ncas/alerts/TA18-004A
Threatpost has details on ARM and AMD chips not affected by Spectre (according to the manufacturers) among other things:
https://threatpost.com/vendors-share-patch-updates-on-spectre-and-meltdown-mitigation-efforts/129307/
Happy Computing!
Re: Meltdown & Spectre Information and Discussion - rokytnji - 01-05-2018
If you wanna do a quick check on your own. Just for piece of mind I guess.
Code:
dd if=/dev/zero of=/tmp/testfile bs=512 count=5000000Linus Torvalds thoughts on all of this hoopla.
https://lkml.org/lkml/2018/1/3/797
[color=inherit ! important][size=13px ! important][/size][/color]
Re: Meltdown & Spectre Information and Discussion - trinidad - 01-05-2018
To sum up myself: a nuisance with a price tag in manhours and compute time and a bad business practice from a company (Intel) that continues to operate above the law, and a community wide bandwagon of denial that everyone has been riding on for at least 10 years that I know of in the name of progress, Ethically speaking akin to testing drugs on people without having to pay them for the use of their body, claimed to be for the greater good of humanity. Driving at high speed is fun as long your brakes work properly, Ethics are the brakes.
TC
https://www.intel.com/content/www/us/en/policy/policy-code-conduct-corporate-information.html
Read the section on privacy.
Re: Meltdown & Spectre Information and Discussion - Jocklad - 01-05-2018
So....If I am reading this right,We are going to get a software fix for a faulty hardware problem...?. :
Re: Meltdown & Spectre Information and Discussion - richtea - 01-05-2018
The Linus Torvalds email message is well worth reading; quote:
"I think somebody inside of Intel needs to really take a long hard look
at their CPU's, and actually admit that they have issues instead of
writing PR blurbs that say that everything works as designed."
Designed. Yes, in this instance the company is telling the truth.
Re: Meltdown & Spectre Information and Discussion - trinidad - 01-06-2018
(Intel CEO) Krzanich said the entire industry was planning to publish the data security issue once the fix was in place — but the problem leaked early.
"Why did it leak ahead of time? Somebody was doing some updates on a Linux kernel and they improperly posted that this was due to this flaw," Krzanich said.
Exaclty who is the "entire industry" that so agreeably decided not to publish? Why is it "improper" to publish concerning a vulnerability, especially one that has been speculated about for years? Why would the US government drag its feet all this time? In fact Amazon (the only one that admits it "officially") was aware nearly two years ago. Suse Enterprise and RHEL well before that (which could aguably mean the whole Linux community). Why not publish? Proof of concept was obvious long ago. A working exploit was unneccessary. Why would the whole "white hat" community be coerced and/or intimidated by Intel not to publish? Intel's system of partnerships and non-disclosure agreements violates so many laws in the US that it is literally an issue for the ACLU, yet no one ever attempts to call them out. They are in general a national security issue for the US. Enough is enough. Funny how the annoncement didn't leak until after the Christmas buying season, a shame too. A good deep public panic would have given the WWW a much needed enema.
http://www.techradar.com/news/computing-components/processors/need-for-speed-a-history-of-overclocking-540671/2
I honestly remember being aware of this issue sometime around 2001 and having a discussion about it with some other hobbyists from that era. We considered it trivial at the time, but I reported it via e-mail to Suse. I can't remember what ISP I had at the time (the one from Ohio not AOL and not Prodigy) I wish I could because other hobbyist over-clockers at the time were aware of it as well. There is a history of awareness of this flaw that goes back at least 15 years and eventually it's going to appear taking away Intel's hope of any plausible denial.
TC
Re: Meltdown & Spectre Information and Discussion - JmaCWQ - 01-07-2018
As interesting as all this is, and no doubt will become more interesting now as it all unfolds in the future, I can't say I'm surprised.
Big business usually doesn't give a sh*t about anything but big business.
I'd near bet if they weren't caught with their pants down it wouldn't have been published at all.