Linux Lite Forums

General => Security & Bug Fixes => Topic started by: Ottawagrant on January 03, 2018, 11:36:05 AM

Title: Meltdown & Spectre Information and Discussion
Post by: Ottawagrant on January 03, 2018, 11:36:05 AM
Happy New Year Everyone:
What better way to ring in 2018 than to scramble and fix a ten-year-old security flaw in the processor.
There is a kernel memory leak in Intel processors' design that now puts Windows and Linux users in harm's way as programmers rush to apply patches as quickly as possible.

https://www.onmsft.com/news/intels-kernel-memory-leak-flaw-forces-microsoft-others-to-apply-performance-slowing-patch

But wait!
As for Linux users, there are patches for the Linux kernel available now.
Title: Re: Meltdown & Spectre Information and Discussion
Post by: newtusmaximus on January 03, 2018, 11:54:09 AM
Which means?
Just  keep loading LL updates and all will be solved??
Title: Re: Meltdown & Spectre Information and Discussion
Post by: Jerry on January 03, 2018, 06:48:13 PM
A good, simple breakdown:

https://www.youtube.com/watch?v=lsQAGqMaXi0
Title: Re: Meltdown & Spectre Information and Discussion
Post by: Jerry on January 03, 2018, 06:55:10 PM
(https://img.memecdn.com/saw-a-video-benchmarking-an-amd-and-intel-cpu-s-where-the-later-obtained-a-higher-score_o_4444517.jpg)
Title: Re: Meltdown & Spectre Information and Discussion
Post by: Coastie on January 03, 2018, 11:55:42 PM
@Jerry, watched video but it was beyond my understanding.  :-[ Glad my main computer is AMD based on the recommendations of the ghost formerly known as Spatry.  ;)
Title: Re: Meltdown & Spectre Information and Discussion
Post by: TMG1961 on January 04, 2018, 04:48:36 AM
The video lost me about 10 seconds after it started. I have no idea what he is talking about.
Title: Re: Meltdown & Spectre Information and Discussion
Post by: ian_r_h on January 04, 2018, 06:50:16 AM
Thanks for this.  Though I'm not sure how well I understand some parts.

In essence, and from technical news posts, my understanding is that (anyone who has better knowledge may correct me):-


I'm presuming that using Intel processors with the current kernel 4.4.x series in Linux Lite leaves it theoretically vulnerable; though I understand that at present there is no malware exploiting the problem?

Title: Re: Meltdown & Spectre Information and Discussion
Post by: JmaCWQ on January 04, 2018, 07:01:01 AM
This may or may not help explain things... https://thehackernews.com/2018/01/meltdown-spectre-vulnerability.html
Title: Re: Meltdown & Spectre Information and Discussion
Post by: ian_r_h on January 04, 2018, 10:11:57 AM
OK.

I've had a few minutes to research this further, since coming to it myself first time first thing this morning.

There are two bugs reported:  MELTDOWN and SPECTRE.  According to Wikipedia:-

"The Meltdown vulnerability can be thought of as a particularly easy and efficient-to-implement special case of Spectre."  Note that there is no citation and it is reported as needing one; indeed citation is lacking in the Spectre entry at this time.

"Two Common Vulnerabilities and Exposures IDs related to Spectre, CVE-2017-5753 and CVE-2017-5715, have been issued."

Spectre affects Intel, AMD and ARM processors.

"[Meltdown] was issued a Common Vulnerabilities and Exposures ID of CVE-2017-5754."

Meltdown affects Intel processors and "does not seem to affect AMD microprocessors".

The Wikipedia entries are at:-

https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)
https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)

There is a website for Meltdown and Spectre (which both Wikipedia articles label as the "official website") at:

https://meltdownattack.com/

Hope this helps, though I'm still reading up on it at the moment.
Title: Re: Meltdown & Spectre Information and Discussion
Post by: trinidad on January 04, 2018, 11:35:49 AM
I have two Windows 10 machines that have been already patched (both originally developer/insider mode) and have had no problems so far, and no noticeable performance issues though there are reports of some VM complications elsewhere. In the case of Linux this is another OEM hardware nuisance which like all such nuisances diffuses down to ordinary users with some over-reaction. Spectre is a threat to ordinary users but only on multi-user boxes, i.e. do you trust your wife? I played around with this issue some years back on a Suse Linux system I administrated. It has been known in some form or another for quite a while, but developers never looked at it as particularly threatening. It's the nature of CPUs themselves to not be secure, and again this problem lies within the whole idea of low level proprietary code. It should be a legal issue with tart recourse to the courts, but who's big enough to sue, maybe Google, or Amazon. Big business is a strangely esoteric political beast here in the US - The government bails out GM but upholds a billion dollar penalty against Ford for bad tires. I can't think of a company in recent history that deserved a class action suit against them more than Intel. As far as civil disobedience perhaps a well organized boycott of Google and Amazon would do the trick but in a lot of ways consumerism is an addiction so that would be awfully hard to organize. Buying a computer for your kids to use is a lot like taking your kids to the doctor. The difference is that most doctors live by a code of ethics, while OEM hardware is produced with an eye to insulating the developers from any liability. Intel developers don't need malpractice insurance. Intel is so big and internationalized that the US government must cast a wary eye on their hardware to protect itself. I have often thought that the first line of recourse for the government is to use the SEC to suspend trading of Intel, and then go from there.

TC

Additionally: "News" of this is hardly new. Only the exploit news part of it, which was held back by Google in agreement with Intel. I highly doubt that AMD is not vulnerable with a modified version. Any 64bit multi-core cached cpu is vulnerable. This has always been known of speculative processes. The bigger the processor the greater the possibility of stealing information. That is the only reason this has suddenly become important. CPUs are finally big enough to cough up and spew considerable information via the hack. Hilariously the hack will still work even with the patch by simply falling back to the old kernel address system. It is not a permanent solution. The permanent solution is full and complete free access to CPU microcode.

   
Title: Re: Meltdown & Spectre Information and Discussion
Post by: rokytnji on January 04, 2018, 05:45:05 PM
Meh,

Code:
~$ inxi -f
CPU:       Single core AMD Athlon 64 3800+ (-UP-) cache: 512 KB
           speed/max: 1000/2400 MHz
           CPU Flags: 3dnow 3dnowext 3dnowprefetch apic clflush cmov
           cr8_legacy cx16 cx8 de extapic extd_apicid fpu fxsr fxsr_opt
           lahf_lm lm mca mce mmx mmxext msr mtrr nopl nx pae pat pge pni pse
           pse36 rdtscp rep_good sep sse sse2 svm syscall tsc vme vmmcall

$ inxi -S
System:    Host: biker Kernel: 4.4.0-104-generic x86_64 (64 bit)
           Desktop: Xfce 4.12.3 Distro: Ubuntu 16.04 xenial
$ cat /etc/llver
Linux Lite 3.6


Edit: Just to explain myself. In my area. I am more likely to have my car stereo stolen than this exploit to take hold on my computers.
I care more about the stereo.
Title: Re: Meltdown & Spectre Information and Discussion
Post by: Jerry on January 05, 2018, 02:32:11 AM



Quote from: rokytnji
Just to explain myself. In my area. I am more likely to have my car stereo stolen than this exploit to take hold on my computers.
I care more about the stereo.
End quote

Indeed. Are hackers going to target Joe Nothing living at 123 Who Cares Street or do they have juicier targets?

Title: Re: Meltdown & Spectre Information and Discussion
Post by: Jerry on January 05, 2018, 02:40:03 AM
Ubuntu plan to release Kernel updates early next week, in or around the 9th.


Title: Re: Meltdown & Spectre Information and Discussion
Post by: ian_r_h on January 05, 2018, 03:59:02 AM
An update on (hopefully) reputable and authoritative information sources this morning regarding Meltdown and Spectre.

Personally I agree with Jerry:  Don't panic - there is no known malware exploiting these yet.  Meltdown looks specific to Intel, and is the "easier" both to exploit and to patch; Spectre affects many more processors (including ARM and AMD as well as Intel), and is both harder to exploit and patch.  At least according to these websites.

BBC News has two articles which may be of interest (the second if you are also an Apple user):
http://www.bbc.co.uk/news/technology-42562303
http://www.bbc.co.uk/news/technology-42575033

Leading cryptography expert Bruce Schneier says he plans to write more soon on his blog, and has a brief summary of the technical issue that is easy to read:
https://www.schneier.com/

4.4.x series updated in Kernel 4.4.109 (among other versions):
https://fullcirclemagazine.org/2018/01/04/linux-kernels-4-14-11-4-9-74-4-4-109-3-16-52-and-3-2-97-patch-meltdown-flaw/

The Department of Homeland Security (USA) website contains additional information on the general problem, as well as links to vendor-specific information:
https://www.us-cert.gov/ncas/alerts/TA18-004A

Threatpost has details on ARM and AMD chips not affected by Spectre (according to the manufacturers) among other things:
https://threatpost.com/vendors-share-patch-updates-on-spectre-and-meltdown-mitigation-efforts/129307/

Happy Computing! :)
Title: Re: Meltdown & Spectre Information and Discussion
Post by: rokytnji on January 05, 2018, 06:51:54 AM
If you wanna do a quick check on your own. Just for peace of mind I guess.

Code:
dd if=/dev/zero of=/tmp/testfile bs=512 count=5000000

<use sudo in Linux Lite>

Linus Torvalds' thoughts on all of this hoopla.

https://lkml.org/lkml/2018/1/3/797
Title: Re: Meltdown & Spectre Information and Discussion
Post by: trinidad on January 05, 2018, 07:22:51 AM
To sum up myself: a nuisance with a price tag in manhours and compute time and a bad business practice from a company (Intel) that continues to operate above the law, and a community wide bandwagon of denial that everyone has been riding on for at least 10 years that I know of in the name of progress. Ethically speaking akin to testing drugs on people without having to pay them for the use of their body, claimed to be for the greater good of humanity. Driving at high speed is fun as long as your brakes work properly. Ethics are the brakes.

TC 

https://www.intel.com/content/www/us/en/policy/policy-code-conduct-corporate-information.html

Read the section on privacy.
Title: Re: Meltdown & Spectre Information and Discussion
Post by: Jocklad on January 05, 2018, 08:54:22 AM
So... If I am reading this right, we are going to get a software fix for a faulty hardware problem...?  ::)
Title: Re: Meltdown & Spectre Information and Discussion
Post by: richtea on January 05, 2018, 10:03:24 AM
The Linus Torvalds email message is well worth reading; quote:


"I think somebody inside of Intel needs to really take a long hard look
at their CPU's, and actually admit that they have issues instead of
writing PR blurbs that say that everything works as designed."


Designed. Yes, in this instance the company is telling the truth.
Title: Re: Meltdown & Spectre Information and Discussion
Post by: trinidad on January 06, 2018, 09:56:53 AM
(Intel CEO) Krzanich said the entire industry was planning to publish the data security issue once the fix was in place — but the problem leaked early.
"Why did it leak ahead of time? Somebody was doing some updates on a Linux kernel and they improperly posted that this was due to this flaw," Krzanich said.

Exactly who is the "entire industry" that so agreeably decided not to publish? Why is it "improper" to publish concerning a vulnerability, especially one that has been speculated about for years? Why would the US government drag its feet all this time? In fact Amazon (the only one that admits it "officially") was aware nearly two years ago. Suse Enterprise and RHEL well before that (which could arguably mean the whole Linux community). Why not publish? Proof of concept was obvious long ago. A working exploit was unnecessary. Why would the whole "white hat" community be coerced and/or intimidated by Intel not to publish? Intel's system of partnerships and non-disclosure agreements violates so many laws in the US that it is literally an issue for the ACLU, yet no one ever attempts to call them out. They are in general a national security issue for the US. Enough is enough. Funny how the announcement didn't leak until after the Christmas buying season, a shame too. A good deep public panic would have given the WWW a much needed enema.

http://www.techradar.com/news/computing-components/processors/need-for-speed-a-history-of-overclocking-540671/2

I honestly remember being aware of this issue sometime around 2001 and having a discussion about it with some other hobbyists from that era. We considered it trivial at the time, but I reported it via e-mail to Suse. I can't remember what ISP I had at the time (the one from Ohio not AOL and not Prodigy) I wish I could because other hobbyist over-clockers at the time were aware of it as well. There is a history of awareness of this flaw that goes back at least 15 years and eventually it's going to appear taking away Intel's hope of any plausible denial.
 
TC     
Title: Re: Meltdown & Spectre Information and Discussion
Post by: JmaCWQ on January 06, 2018, 09:40:11 PM
As interesting as all this is, and no doubt will become more interesting now as it all unfolds in the future, I can't say I'm surprised.
Big business usually doesn't give a sh*t about anything but big business.
I'd near bet if they weren't caught with their pants down it wouldn't have been published at all.
Title: Re: Meltdown & Spectre Information and Discussion
Post by: bitsnpcs on January 07, 2018, 07:33:14 AM
Quote from: JmaCWQ
As interesting as all this is, and no doubt will become more interesting now as it all unfolds in the future, I can't say I'm surprised.
Big business usually doesn't give a sh*t about anything but big business.
I'd near bet if they weren't caught with their pants down it wouldn't have been published at all.
End quote
Title: Re: Meltdown & Spectre Information and Discussion
Post by: bitsnpcs on January 07, 2018, 07:54:49 AM
Quote from: trinidad
(Intel CEO) Krzanich said the entire industry was planning to publish the data security issue once the fix was in place — but the problem leaked early.
"Why did it leak ahead of time? Somebody was doing some updates on a Linux kernel and they improperly posted that this was due to this flaw," Krzanich said.
TC
End quote

I like the quote, it'll be good for paraphrasing - "(Intel CEO) Krzanich said, everything was fine until those rebellious Linux geeks moved their fingers"
Title: Re: Meltdown & Spectre Information and Discussion
Post by: trinidad on January 07, 2018, 08:19:17 AM
Ultimately the issue of computer security, in any sense whatsoever, is open source code. Speculative execution would not be a security issue at all if the processor code was open source. You cannot compare for bit parity for binaries you cannot access. We banged this around years ago and recommended dual CPU's and one bank of protected memory for low level binary comparisons. As long as OEM vendors refuse access to binary setups there is no solution that will ever be secure. The amount of patching in Debian is probably headed for fifty different specific application instances. At the high end, giant service providers are going to absorb a big hit and be forced to purchase more rack space to deal with the performance issues this ridiculous proprietary policy has caused. Intel's partnerships are just extortion in this sense and always have been. 

TC 
Title: Re: Meltdown & Spectre Information and Discussion
Post by: kissbaby3 on January 08, 2018, 02:53:24 AM
 8)  I am not too freaked out by all this, a flaw since what? 1995? Wow, OK. I suffered viruses through the years since Windows 98SE, so again, not too freaked out by this.

 ???  Anyways, has Linux Lite released some updates on this issue for Linux Lite 3.6?

My Windows 10 machine has been fixed by me, ha ha, it was an outdated driver issue, now ready to bring back down my Linux machine from upstairs and plug it back in... I miss my Linux.
Windows is for my husband, he so far has no problems with my machine, but he is a cave man and needs more how-to attention...
Title: Re: Meltdown & Spectre Information and Discussion
Post by: trinidad on January 08, 2018, 07:25:26 AM
Class Action investigation against Intel, the first taker.

https://www.bgandg.com/intc

A pdf copy of the action is available on the page.

From 2005 MIT:

https://ocw.mit.edu/courses/electrical-engineering-and-computer-science/6-823-computer-system-architecture-fall-2005/lecture-notes/l13_brnchpred.pdf

TC
Title: Re: Meltdown & Spectre Information and Discussion
Post by: elelme on January 08, 2018, 11:12:41 AM
Interesting catch! Thanks, Trinidad, for both of these.
Title: Re: Meltdown & Spectre Information and Discussion
Post by: richtea on January 08, 2018, 03:21:33 PM
Krzanich talks his book, but will he walk the (perp) walk?


https://www.zerohedge.com/news/2018-01-08/it-doesnt-look-good-intel-ceo-jeopardy-selling-stock-after-learning-staggering-flaw

Bring Comey back - why, he wiped the floor with Martha Stewart!
Title: Re: Meltdown & Spectre Information and Discussion
Post by: Vera on January 11, 2018, 06:21:59 AM
Quote from: Jerry
Ubuntu plan to release Kernel updates early next week, in or around the 9th.
End quote

Do we have any news on the status of Ubuntu kernel updates to fix this issue?
Title: Re: Meltdown & Spectre Information and Discussion
Post by: trinidad on January 11, 2018, 07:39:47 AM
Kernel 4.4.0-109.132 is out for LTS. Fix for meltdown began at .131 I believe. This is not a complete fix all for Ubuntu OS. Older hardware will not respond to the update in many cases because of incomplete firmware. This whole thing is an ugly ugly mess for Debian. The main issue will be for people who run older hardware without firmware updates, and connect to virtual server instances that have firmware updates. They may find they cannot connect to their server. The exploit 1 of spectre is already mitigated in Firefox but exploit 2 will not be fully mitigated for quite some time and people with older hardware may find themselves out of luck. If you are running anti-virus your provider will have had to issue a flag to your system to install the changes. I have some reticence about installing the meltdown mitigations at all, given other issues with Intel. I am slowly working my way through all the documentation on the exploits, but a cursory examination makes me a little itchy, given the impact on some common server administration tools, and given Intel's other issues I am not so sure that the mitigation for meltdown will not open a wider door for spectre exploit 2 due to a lack of pointer obfuscation. I don't think there's any need for home users to rush into this at this point other than the virtual server connection issues. Let the industry giants worry about it, and let Debian run its course through the mess the Debian way -- slowly via the community. There may be a worst case scenario for all of this akin to emission testing for automobiles.

TC
Title: Re: Meltdown & Spectre Information and Discussion
Post by: Jerry on January 11, 2018, 08:51:08 AM
Thanks TC :)
Title: Re: Meltdown & Spectre Information and Discussion
Post by: newtusmaximus on January 11, 2018, 10:30:24 AM
Tks Trinidad.  For the uninitiated, such as myself
Does this Virtual Server vulnerability mean?
a) Contacting/using cloud storage is a possible vulnerability.
b) Connection to online banking could be vulnerable
c) Ditto online payment transaction such as Amazon, Paypal etc even though they are supposedly "locked" = https://
d) The connection process to "home" wifi is vulnerable  even with proper WPA/WPA2 activated?

Is this another case of Year 2000  "panic" or a realistic potential threat?

Thanks
Title: Re: Meltdown & Spectre Information and Discussion
Post by: TheDead on January 11, 2018, 10:45:49 AM
I read one article referred to me about the whole issue but it only mentions Intel/AMD "Server" CPUs and ARM CPUs. Atoms are not affected(?).
@trinidad, from your readings, are standard desktop/laptop CPUs affected or not?
This whole issue went kaboom all over the place... hard to find clear info.

Nothing better for something to get popular than big companies trying to keep it quiet. ;)

Cheers!
Title: Re: Meltdown & Spectre Information and Discussion
Post by: trinidad on January 11, 2018, 05:28:06 PM
Certainly not a panic issue for home users of any OS, at least in the present definition of what security is. There is no doubt that it could prove to be a real pain down the road (depending on the provider) for small businesses using older Intel hardware who have purchased virtual space on a server, in that there is a real possibility that their hardware will no longer be able to log onto their server space which is likely to have the Intel firmware updates, kind of like the changes made to Firefox last summer involving secure connections. If there is no Intel firmware update available for your hardware you may find yourself not able to log onto virtual server space you have paid for that has the Intel firmware updates. That is just the first problem users of Ubuntu, Windows 7, 8.1, Debian, Mac OS, and others running on older Intel hardware will run up against. It is a security issue for industry leaders using Intel hardware to run big server arrays. People like RHEL, Suse Enterprise, Microsoft, and Ubuntu and Debian as well. However, and it's a big however, I would argue at this point that is a rush toward an appearance of better security, but not as grave as it seems in the news. Furthermore given the security measures available to most good administrators, it is a highly unlikely hack unless of course you operate with seriously unvetted administrators. The winners here are likely to turn out to be Intel and Microsoft in the end, given the planned obsolescence model of business they use. Want to use our Intel servers? Upgrade your firmware. It seems too brilliant of a business ploy to be anything other than a business ploy. That aside I am not satisfied at all with the mitigations in Linux for meltdown as I and a lot of other people think the action is too extreme, given the necessity of then having to deal with proprietary firmware updates. We all need to take a deep breath here and take the time to study the mitigations thoroughly.
It has been proved time and time again that computing security is best enabled via the open source community, period.

TC         
Title: Re: Meltdown & Spectre Information and Discussion
Post by: trinidad on January 12, 2018, 07:48:33 AM
Few new things:
Have not tested this but the script should work on normal Linux OS. Those of you who want to check kernels may want to try it.

https://github.com/speed47/spectre-meltdown-checker

So far it seems that the version of the LTS 4.4 kernel 109.132 does not brick some older boards the way .108 does. I am running it on a six year old Intel Dell. Will be looking at Qemu this afternoon to see how broken it is. MS patches have been bricking things all over the place and literally locking Windows 7 and 10 on older hardware to junk. If you are on Windows 7 do NOT install the patch. The patching for this mess in general is running below 50% success rate on older hardware. Best to be patient. The whiz kids who published this worked from a 2005 research paper to begin with. The generation gap is obvious concerning this. If you are just a home user, and do not maintain a server presence, I wouldn't bother with a patch just yet. This vulnerability affects the core infrastructure of the web and there is little you can do about that. IMHO I think it may turn out to be the biggest tech bloodbath in history by the end of the year with a myriad of on again off again failed fixes. If you are just a home user take heart, you are a consumer, and that is what built it all.

TC 
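
Added example (not part of the original posts, and not code from the spectre-meltdown-checker project linked above): a kernel that carries the reporting interface states its Meltdown/Spectre status under /sys/devices/system/cpu/vulnerabilities, and the Meltdown page-table-isolation patch shows up as a `pti` flag (`kaiser` on some backported kernels) in /proc/cpuinfo. The sketch below reads both; the function names and exit codes are this example's own assumptions, and it reports "unknown" rather than guessing when the kernel says nothing.

```shell
#!/bin/sh
# Added example: report Meltdown/Spectre status as the running kernel sees it.
# Function names and exit codes are this example's own:
#   0 = every entry mitigated or not affected
#   1 = at least one entry reported vulnerable
#   2 = status could not be determined

# Map the text of one sysfs vulnerability file to a coarse state.
classify_status() {
    case "$1" in
        "Not affected"*) echo "not-affected" ;;
        "Mitigation:"*)  echo "mitigated" ;;
        "Vulnerable"*)   echo "vulnerable" ;;
        *)               echo "unknown" ;;
    esac
}

# True when the CPU flags line carries the page-table-isolation flag.
pti_flag_present() {
    cpuinfo="${1:-/proc/cpuinfo}"
    grep '^flags' "$cpuinfo" 2>/dev/null | head -n 1 |
        tr ' \t' '\n\n' | grep -qxE 'pti|kaiser'
}

check_cpu_vulns() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    cpuinfo="${2:-/proc/cpuinfo}"
    worst=0

    if [ ! -d "$dir" ]; then
        # Kernel without the sysfs interface: only the PTI flag can be checked.
        if pti_flag_present "$cpuinfo"; then
            echo "meltdown    mitigated     (pti/kaiser flag in cpuinfo)"
        else
            echo "meltdown    unknown       (no sysfs entry, no pti/kaiser flag)"
        fi
        echo "spectre_v1  unknown       (kernel does not report status)"
        echo "spectre_v2  unknown       (kernel does not report status)"
        return 2
    fi

    for name in meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$name" ]; then
            text=$(head -n 1 "$dir/$name")
            state=$(classify_status "$text")
        else
            text="(no entry)"
            state="unknown"
        fi
        printf '%-11s %-13s %s\n' "$name" "$state" "$text"
        if [ "$state" = "vulnerable" ]; then
            worst=1
        elif [ "$state" = "unknown" ] && [ "$worst" -eq 0 ]; then
            worst=2
        fi
    done
    return "$worst"
}

# Live system by default; pass a directory and a cpuinfo file to use sample data.
check_cpu_vulns "$@" || true
```
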
Title: Re: Meltdown & Spectre Information and Discussion
Post by: Jerry on January 12, 2018, 08:10:29 AM
Quote from: trinidad
IMHO I think it may turn out to be the biggest tech bloodbath in history by the end of the year...

TC
End quote

It already is.
Title: Re: Meltdown & Spectre Information and Discussion
Post by: newtusmaximus on January 12, 2018, 08:49:24 AM
Any idea which Intel chips are considered to be vulnerable to updates?
Title: Re: Meltdown & Spectre Information and Discussion
Post by: trinidad on January 12, 2018, 08:55:59 AM
No comprehensive info on that yet. MS patches have cooked a bunch of different boards already, and withdrew some patches. Early losses will be unpredictable, about like a blind machine gunner firing into a crowd.

TC
Title: Re: Meltdown & Spectre Information and Discussion
Post by: newtusmaximus on January 12, 2018, 09:02:29 AM
So are we safe in  continuing to update LL; i.e no chance of "junking" our older hardware??
Title: Re: Meltdown & Spectre Information and Discussion
Post by: newtusmaximus on January 12, 2018, 09:53:56 AM
Quote from: rokytnji
If you wanna do a quick check on your own. Just for peace of mind I guess.

Code:
dd if=/dev/zero of=/tmp/testfile bs=512 count=5000000

<use sudo in Linux Lite>
End quote
RESULT
-Ultra-slim-Desktop:~$ sudo dd if=/dev/zero of=/tmp/testfile bs=512 count=5000000
[sudo] password for linuxlite:
5000000+0 records in
5000000+0 records out
2560000000 bytes (2.6 GB, 2.4 GiB) copied, 21.1723 s, 121 MB/s
-Ultra-slim-Desktop:~$


So what does this mean in the scheme of things please?






Title: Re: Meltdown & Spectre Information and Discussion
Post by: rokytnji on January 12, 2018, 10:24:40 AM
Quote from: newtusmaximus
Quote from: rokytnji
If you wanna do a quick check on your own. Just for peace of mind I guess.

Code:
dd if=/dev/zero of=/tmp/testfile bs=512 count=5000000

<use sudo in Linux Lite>
End quote
RESULT
-Ultra-slim-Desktop:~$ sudo dd if=/dev/zero of=/tmp/testfile bs=512 count=5000000
[sudo] password for linuxlite:
5000000+0 records in
5000000+0 records out
2560000000 bytes (2.6 GB, 2.4 GiB) copied, 21.1723 s, 121 MB/s
-Ultra-slim-Desktop:~$

So what does this mean in the scheme of things please?
End quote

For starters. Simple answer. 121 MB/s is OK and means no memory leak.

I have been busy changing kernels in my gear and using patched kernels from Debian and AntiX to make the point of this thread moot in my case usage.

Like on this IBM T23 Laptop that Linux Lite won't run on. Due to age of gear and hardware limitations. Posting this reply in Netsurf browser. No Java or Flashplayer Plugin touches this laptop.

Code:
harry@biker:~
$ inxi -M
Machine:   Device: laptop System: IBM product: 26474MU serial: N/A
           Mobo: IBM model: 26474MU serial: N/A
           BIOS: IBM v: 1AET64WW (1.20 ) date: 10/18/2006
harry@biker:~
$ inxi -f
CPU:       Single core Mobile Intel Pentium III - M (-UP-) cache: 512 KB
           CPU Flags: cmov cx8 de eagerfpu fpu fxsr mca mce mmx msr mtrr pae pge pse
           pse36 sep sse tsc vme
harry@biker:~
$ uname -a
Linux biker 4.9.75-antix.2-486-smp #2 SMP Tue Jan 9 15:22:47 EST 2018 i686 GNU/Linux
harry@biker:~
$

Ubuntu will make this thread moot also when their patched kernels are available also.

Your gear is untouched from what I can tell from your readout. I'll run that command on my IBM T23 Laptop. Which is way way slower and weaker than your gear. It uses an Intel CPU also though.

Code:
# dd if=/dev/zero of=/tmp/testfile bs=512 count=5000000
5000000+0 records in
5000000+0 records out
2560000000 bytes (2.6 GB, 2.4 GiB) copied, 68.3041 s, 37.5 MB/s

As you can tell from my readout I gave as a comparison. Mine is fine also for the age of this gear. If I got something like 5 MB/s. Then I'd worry. If it took like 10 minutes to copy. That would concern me also.

 

 



Title: Re: Meltdown & Spectre Information and Discussion
Post by: trinidad on January 12, 2018, 11:13:52 AM
I heard you on the wireless back in fifty two
Lying awake intent at tuning in on you
If I was young it didn't stop you coming through

They took the credit for your second symphony
Rewritten by machine and new technology
And now I understand the problems you can see

Oh-a oh
I met your children
Oh-a oh
What did you tell them?

Video killed the radio star
Video killed the radio star

Pictures came and broke your heart
Oh-a-a-a oh

And now we meet in an abandoned studio
We hear the playback and it seems so long ago
And you remember the jingles used to go

Oh-a oh
You were the first one
Oh-a oh
You were the last one

Video killed the radio star
Video killed the radio star

In my mind and in my car
We can't rewind we've gone too far

Oh-a-aho oh
Oh-a-aho oh

Video killed the radio star
Video killed the radio star

In my mind and in my car
We can't rewind we've gone to far
Pictures came and broke your heart
Put the blame on VTR

https://www.youtube.com/watch?v=Iwuy4hHO3YQ

Don't look back. You're not going that way.
TC
Title: Re: Meltdown & Spectre Information and Discussion
Post by: newtusmaximus on January 12, 2018, 06:29:02 PM
Hey T what are you on :)   All this blown your circuits??   :)
Title: Re: Meltdown & Spectre Information and Discussion
Post by: rokytnji on January 12, 2018, 07:10:35 PM
Quote from: newtusmaximus
Hey T what are you on :)   All this blown your circuits??   :)
End quote

My take and sense of humor is his clever way on how video killed the function of my IBM T23 laptop.

Only way I can watch YouTube on a Pentium 3 is with livestreamer tied into streamlight-antix

Quote
Livestreamer is a Command Line Interface that extracts video
streams from various services and hands them to a video player,
such as VLC. The main purpose of Livestreamer is to allow the
user to avoid buggy and CPU heavy flash plugins but still
be able to enjoy various streamed content.

Currently most of the big streaming services are supported
(e.g. Dailymotion, Livestream, Justin.tv, Twitch, YouTube Live
and UStream) and more specialized content providers can be
added easily using Livestreamer’s plugin system.
End quote

streamlight-antix

Quote
An easy way to play or download antiX help videos from Youtube without using a modern, heavyweight, web browser.
End quote

Hope I guessed right.  Kinda off topic. But I don't care.  :P

Title: Re: Meltdown & Spectre Information and Discussion
Post by: trinidad on January 13, 2018, 09:39:58 AM
Actually if we consider the fundamental ethical business model of the proprietary computer industry we can derive the credo: "Don't look back. You're not going that way." though Rok's take is perfectly funny too. Rush to development is what this mess is all about. I believe a cautionary approach is better, given that this flaw involves proprietary code that has such a cross platform impact and scope. The best approach would be for Intel to release open source CPU code, not expect software modification. Some say Linux in general would be better off to drag its feet a little with this issue and consider a little more in depth what the suggested mitigations might open a door to. Could be a bad moon rising.

TC
Title: Re: Meltdown & Spectre Information and Discussion
Post by: Jerry on January 15, 2018, 02:19:56 AM
FYI - Ubuntu making some head way here:

(https://i.imgur.com/d3bd6Ik.png)
Title: Re: Meltdown & Spectre Information and Discussion
Post by: newtusmaximus on January 15, 2018, 03:58:51 AM
https://www.intel.com/content/www/us/en/architecture-and-technology/facts-about-side-channel-analysis-and-intel-products.html?sf178994854=1
Title: Re: Meltdown & Spectre Information and Discussion
Post by: trinidad on January 15, 2018, 05:25:10 PM
Nasty little side effects. With the meltdown mitigations on both kernels .109 in Ubuntu LTS base system, and .110 in LL running in Qemu I'm running right around a 38% increase in RAM usage with heavy IO (noted while updating from .109 to .110 in LL running in Qemu) CPU bouncing between 70% and 90%. RAM usage never exceeded 50% before.

Settled back a bit after rebooting both. Only about 15% higher than before running Firefox in both systems simultaneously.

TC
Title: Re: Meltdown & Spectre Information and Discussion
Post by: Jerry on January 16, 2018, 12:02:46 AM
View from DW - https://distrowatch.com/weekly.php?issue=20180115#qa
Title: Re: Meltdown & Spectre Information and Discussion
Post by: trinidad on January 16, 2018, 09:47:18 AM
I've read them both before Jerry. Glad Distrowatch has made the info easy to access. Spectre is a threat to high end proprietary security measures like AV and anti-malware deployments that use CPU sandboxing, and is also able to produce DOS exploits via bit flipping exploits akin to the rowhammer concept. Every existing CPU protection/monitoring gadget is open to exploit this way. It is the ultimate back door. I am avoiding being technical until I'm ready with my own conclusions.

TC 
Title: Re: Meltdown & Spectre Information and Discussion
Post by: newtusmaximus on January 16, 2018, 11:00:01 AM
https://community.sophos.com/kb/en-us/128053 -  Its relevance to LL or  Debian distros is beyond me I am afraid.  May be of help to our "knowledgeable ones" though
Title: Re: Meltdown & Spectre Information and Discussion
Post by: trinidad on January 16, 2018, 11:51:03 AM
I've tested the Meltdown Spectre checker from github and the Ubuntu commands on this page and they work.

https://www.ostechnix.com/check-meltdown-spectre-vulnerabilities-patch-linux/

TC

Title: Re: Meltdown & Spectre Information and Discussion
Post by: trinidad on January 16, 2018, 05:00:56 PM
This whole post was wrong. I've worked on 38 different machines in the last four days and my head is tired and my laptop notes completely jumbled. So far I can say that the meltdown mitigation (KPTI) has yet to roll out for LTS 32bit, and the spectre v1 mitigation has yet to roll out for Ubuntu LTS 64bit though it is in place in LL 32bit. Some 32bit machines I have tested have 800 code ops in place for Spectre v1. I expect this number is excessive for big 64bit systems thus the delay. So generally: 32bit is safe from Spectre v1 so far, and 64bit has KPTI mitigation. Sorry for the previous error. I'm stopping for today now.

TC
Title: Re: Meltdown & Spectre Information and Discussion
Post by: TheDead on January 16, 2018, 09:14:04 PM
@trinidad - I also concur that the Distrowatch article is one of the easiest on the brain! ;)
Also, I must say trinidad that you are quite the "machine" on this technical subject! ;) again.

Cheers!
Title: Re: Meltdown & Spectre Information and Discussion
Post by: Jerry on January 16, 2018, 11:33:45 PM
Even easier script. Download - https://github.com/linuxlite/Spectre-Meltdown-Checker-Automated (https://github.com/linuxlite/Spectre-Meltdown-Checker-Automated)
Extract and double click on sm-start to run the checker. Let me know how this goes.

(https://i.imgur.com/iByFcgd.gif)
Title: Re: Meltdown & Spectre Information and Discussion
Post by: bfb on January 17, 2018, 08:36:23 AM
I have this with kernel 4.10 (Lite)
Should I go back to Kernel 4.4.0?
(http://i253.photobucket.com/albums/hh80/bfb_album/Screenshot_2018-01-17_14-19-28_zpsacu6tfpv.png) (http://s253.photobucket.com/user/bfb_album/media/Screenshot_2018-01-17_14-19-28_zpsacu6tfpv.png.html)
Title: Re: Meltdown & Spectre Information and Discussion
Post by: trinidad on January 17, 2018, 08:45:43 AM
4.4 LTS has KPTI rev -109 and above. LL is on rev -111 now.

TC
Title: Re: Meltdown & Spectre Information and Discussion
Post by: trinidad on January 17, 2018, 08:52:12 AM
News: Write to the congressman.

https://imgur.com/a/4IoTC (https://imgur.com/a/4IoTC)

TC
Title: Re: Meltdown & Spectre Information and Discussion
Post by: trinidad on January 17, 2018, 09:14:08 AM
If you want to know how technically bad this is going to get follow this guy.

https://twitter.com/aionescu

TC
Title: Re: Meltdown & Spectre Information and Discussion
Post by: trinidad on January 17, 2018, 09:26:48 AM
This is where the fun begins.

https://arstechnica.com/gadgets/2018/01/spectre-and-meltdown-patches-causing-trouble-as-realistic-attacks-get-closer/ (https://arstechnica.com/gadgets/2018/01/spectre-and-meltdown-patches-causing-trouble-as-realistic-attacks-get-closer/)

For MS ... " If you are using VMware ESXi to update your microcode, VMware says you should revert to an earlier version."

TC
Title: Re: Meltdown & Spectre Information and Discussion
Post by: newtusmaximus on January 17, 2018, 10:40:27 AM

  (http://imgur.com/lb2KLZ9l.png)
 (http://i.imgur.com/lb2KLZ9.png)

Just after latest update.  Beforehand vulnerable throughout.  So some improvement.
Great tool Jerry !!
Title: Re: Meltdown & Spectre Information and Discussion
Post by: Jocklad on January 17, 2018, 10:52:12 AM
Linux lite 3.8 beta updated.

(https://i.imgur.com/Dh1lrRr.png)
Title: Re: Meltdown & Spectre Information and Discussion
Post by: UltraCookie on January 17, 2018, 12:45:09 PM
Doesn't look too good for me  :-\ but I'm still on -109
How do I get -111
I already ran updates
(https://i.imgur.com/9qa0wMV.png)
Title: Re: Meltdown & Spectre Information and Discussion
Post by: Ottawagrant on January 17, 2018, 04:05:00 PM
Similar results as others Variant #1- Not vulnerable, Variant #2-vulnerable, Variant #3-not vulnerable. This is on a new (for me) computer. Only computer that I have with an AMD processor. Good & simple way to check. Will check again after next kernel update.
Title: Re: Meltdown & Spectre Information and Discussion
Post by: Jerry on January 17, 2018, 04:08:37 PM

How do I get -111


Just have to wait for your local repo to push updates. Or you could try another repo.
Title: Re: Meltdown & Spectre Information and Discussion
Post by: Jerry on January 17, 2018, 04:36:49 PM
:o

http://news.softpedia.com/news/linux-lite-developer-creates-automated-spectre-meltdown-checker-for-linux-oses-519431.shtml
Title: Re: Meltdown & Spectre Information and Discussion
Post by: TheDead on January 17, 2018, 05:25:32 PM
:o

http://news.softpedia.com/news/linux-lite-developer-creates-automated-spectre-meltdown-checker-for-linux-oses-519431.shtml

Wow, grats Jerry! Alexa says Softpedia is bigger than MajorGeek and TechSpot. Check that web hit-counter fly! ;)

Cheers!
Title: Re: Meltdown & Spectre Information and Discussion
Post by: Searchernow on January 18, 2018, 07:36:45 AM
Hi everyone,

I've been trying to follow this thread, with gratitude for the knowledgeable work being done by you all. Thanks.

What I have done is to Install Updates at least once a day, and keep my LL system as up-to-date as possible. Here is a copy of (some of) my system info

 -Version-
Kernel      : Linux 4.4.0-111-generic (x86_64)
Compiled      : #134-Ubuntu SMP Mon Jan 15 14:53:09 UTC 2018
C Library      : Unknown
Default C Compiler      : GNU C Compiler version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.5)
Distribution      : Linux Lite 3.6

I am hoping (aren't we all!) that LL will be patched enough to continue safe browsing - subject of course to staying off sites of unknown security as usual.

I run a Win 7 laptop also, very similar i5 specs, for work, cad programmes.  I don't go online much with that Win 7 laptop, (and haven't at all in the past week I think) using my LL for almost all my browsing, email etc.  So my plan is to stay off-line completely on the Windows 7 laptop until it's known to be "safe" out there! Or should I chance "Windows updates"?

I do have a netbook with an Atom processor - did someone say the Atom is not affected?
Title: Re: Meltdown & Spectre Information and Discussion
Post by: trinidad on January 18, 2018, 08:03:23 AM
A simple spectre-meltdown-checker for Windows systems that deals with the registry key permissions. You must have up to date AV that allows the regkey flag.

https://www.grc.com/inspectre.htm

TC
Title: Re: Meltdown & Spectre Information and Discussion
Post by: Vera on January 18, 2018, 08:26:04 AM
Similar results as others Variant #1- Not vulnerable, Variant #2-vulnerable, Variant #3-not vulnerable.

Exactly the results that I got too on my laptop when I checked it this morning. I haven't looked at my main machine yet.

A huge Thank You to @Jerry for making this user-friendly script to get and run the checker. I honestly don't think I would have bothered checking for vulnerabilities if it wasn't for Jerry's script. This was so easy to install and use. I just downloaded from GitHub, then right click on package and go "extract here", then go in folder and mark both scripts as executable and double-click on the "start" script. Then it opens up a window and runs and gives the results. It was so fast and uncomplicated.
Title: Re: Meltdown & Spectre Information and Discussion
Post by: Jerry on January 18, 2018, 08:28:43 AM
@Vera great to hear :)
Title: Re: Meltdown & Spectre Information and Discussion
Post by: Ottawagrant on January 18, 2018, 08:36:00 AM
To Searchernow: I have 2 Acer netbooks. Both have the Intel Atom processor, version N455, made in 02/2011. According to an article I read the Intel Atom (made before 2013) is one of only 2 processors unaffected. That's what I read. (humor intentional). I will install LL 3.6 32-bit on it today & run Jerry's test. I'll post the results here as well as the netbook's specs. Both netbooks have Windows 7 starter on them now, so no loss there.
Title: Re: Meltdown & Spectre Information and Discussion
Post by: Searchernow on January 18, 2018, 08:54:59 AM
Thanks Trinidad - I'll update my Win7 laptop AVG free then try the Win check you posted.

Thanks too Ottawa - I since looked at my netbook (Samsung) - it has Atom N450, pretty sure it's pre-2013, and presumably pre - N455.
Its spec is 1.67GHz and 2GB RAM - so comfortably within LL recommended.
Title: Re: Meltdown & Spectre Information and Discussion
Post by: Searchernow on January 18, 2018, 09:42:00 AM
Sorry, I meant to add:

tweaktown's list, reportedly an official Intel list, is shown below.
My netbook (32 bit, Win7 Home Prem) doesn't give "series" - just Atom N450, but looking at the Atom wikipedia entry, my date of purchase Feb. 2011, logo sticker etc. then the series is N (obvious now) so appears not to be on the vulnerable list, as you suggest!


from https://www.tweaktown.com/news/60411/heres-list-intel-cpus-affected-spectre-meltdown/index.html   "12 days ago"

"Intel has finally released a full list of all of their processors that are open to the Spectre and Meltdown security flaws, with virtually all Intel CPUs at risk.

The chipmaker has worked closely with AMD, ARM Holdings, and multiple operating system makers in order to push an industry-wide approach to fixing this problem.
Intel will soon have an update for 90% of their processors, something that should drop in the next few days.

Intel® Core™ i3 processor (45nm and 32nm)
Intel® Core™ i5 processor (45nm and 32nm)
Intel® Core™ i7 processor (45nm and 32nm)
Intel® Core™ M processor family (45nm and 32nm) 2nd generation
Intel® Core™ processors 3rd generation
Intel® Core™ processors 4th generation
Intel® Core™ processors 5th generation
Intel® Core™ processors 6th generation
Intel® Core™ processors 7th generation
Intel® Core™ processors 8th generation
Intel® Core™ processors Intel® Core™ X-series Processor Family for Intel® X99 platforms
Intel® Core™ X-series Processor Family for Intel® X299 platforms
Intel® Xeon® processor 3400 series
Intel® Xeon® processor 3600 series
Intel® Xeon® processor 5500 series
Intel® Xeon® processor 5600 series
Intel® Xeon® processor 6500 series
Intel® Xeon® processor 7500 series
Intel® Xeon® Processor E3 Family
Intel® Xeon® Processor E3 v2 Family
Intel® Xeon® Processor E3 v3 Family
Intel® Xeon® Processor E3 v4 Family
Intel® Xeon® Processor E3 v5 Family
Intel® Xeon® Processor E3 v6 Family
Intel® Xeon® Processor E5 Family
Intel® Xeon® Processor E5 v2 Family
Intel® Xeon® Processor E5 v3 Family
Intel® Xeon® Processor E5 v4 Family
Intel® Xeon® Processor E7 Family
Intel® Xeon® Processor E7 v2 Family
Intel® Xeon® Processor E7 v3 Family
Intel® Xeon® Processor E7 v4 Family
Intel® Xeon® Processor Scalable Family
Intel® Xeon Phi™ Processor 3200, 5200, 7200 Series
Intel® Atom™ Processor C Series
Intel® Atom™ Processor E Series
Intel® Atom™ Processor A Series
Intel® Atom™ Processor x3 Series
Intel® Atom™ Processor Z Series
Intel® Celeron® Processor J Series
Intel® Celeron® Processor N Series
Intel® Pentium® Processor J Series
Intel® Pentium® Processor N Series

Read more: https://www.tweaktown.com/news/60411/heres-list-intel-cpus-affected-spectre-meltdown/index.html "
Title: Re: Meltdown & Spectre Information and Discussion
Post by: bfb on January 18, 2018, 11:11:46 AM
I reverted to the 4.4.0 available in the Lite Kernels list in Lite Tweaks, as 4.10 is vulnerable, but still get this.
How can I get to the 111 version of Lite 4.4.0 ?

(http://i253.photobucket.com/albums/hh80/bfb_album/Screenshot_2018-01-18_17-02-28_zpszgfjbud4.png) (http://s253.photobucket.com/user/bfb_album/media/Screenshot_2018-01-18_17-02-28_zpszgfjbud4.png.html)
Title: Re: Meltdown & Spectre Information and Discussion
Post by: trinidad on January 18, 2018, 11:39:44 AM
Remove kernel 4.10 and then update kernel 4.4. You must be running on 4.4 to delete 4.10. If you are running 4.4 now try updating. I think LL will only update the running kernel, though not sure. In any case 4.4 in LL will update to -111.

TC
Title: Re: Meltdown & Spectre Information and Discussion
Post by: Ottawagrant on January 18, 2018, 12:02:30 PM

Acer Aspire One netbook D255E
Intel Atom n455 1.66GHz processor
Manufactured 02/2011
Linux Lite 3.6 32-bit
Fresh install on kernel 4.4.0-93 #116
Variant #1 - no
             #2 - yes
             #3 - yes


updated kernel to 4.4.0-111 #134

Variant #1 - no
             #2 - yes
             #3 - yes
A different article that I read seems to suggest that it is the Intel Atom 32-bit only that is OK. It's suggested that any chip that is x86_64 is vulnerable. I installed LL on the netbook with Windows 7 starter, so no loss there. But if anyone wants to try it on a netbook/laptop/desktop without installing LL, just boot into a live environment via USB, download Jerry's zip file, extract, & then double-click the 'sm-start'. No password required. It'll be an older kernel, but it'll give you an idea for your device.
Title: Re: Meltdown & Spectre Information and Discussion
Post by: newtusmaximus on January 18, 2018, 12:18:46 PM
https://mobile.twitter.com/verge/status/954025667137540096/video/1
Title: Re: Meltdown & Spectre Information and Discussion
Post by: trinidad on January 18, 2018, 12:50:03 PM
v1 Spectre is partially mitigated against timing attacks, by Firefox 57 and ESR

https://www.mozilla.org/en-US/security/advisories/mfsa2018-01/

TC
Title: Re: Meltdown & Spectre Information and Discussion
Post by: Middleman. on January 18, 2018, 03:07:40 PM
Hello, I'm new to the party.
I have downloaded and installed the latest microcode from the lite repo. Is this enough to mitigate?
My browser is Google Chrome.

thank you.
Title: Re: Meltdown & Spectre Information and Discussion
Post by: Mart on January 18, 2018, 07:06:53 PM
Thanks Jerry for the Automated Spectre/Meltdown Checker.

http://news.softpedia.com/news/linux-lite-developer-creates-automated-spectre-meltdown-checker-for-linux-oses-519431.shtml (http://news.softpedia.com/news/linux-lite-developer-creates-automated-spectre-meltdown-checker-for-linux-oses-519431.shtml)

Ran the script and my results were the same.

"Spectre Variant 1"  Status: Not Vulnerable

"Spectre Variant 2"  Status: Vulnerable

"Meltdown aka Variant 3"  Status: Not Vulnerable

(Results with latest Intel microcode update and updated Linux kernel 4.4.0-111)

In respect to "Spectre Variant 2"  the following article - Ubuntu Preparing Kernel Updates With IBRS/IBPB For Spectre Mitigation - may be reassuring.

https://www.phoronix.com/scan.php?page=news_item&px=Ubuntu-Preps-Spectre-Kernels (https://www.phoronix.com/scan.php?page=news_item&px=Ubuntu-Preps-Spectre-Kernels)
Title: Article - Ubuntu Preparing Kernel Updates With IBRS/IBPB For Spectre Mitigation
Post by: Mart on January 18, 2018, 08:33:18 PM
Thanks Jerry for the Automated Spectre/Meltdown Checker.

http://news.softpedia.com/news/linux-lite-developer-creates-automated-spectre-meltdown-checker-for-linux-oses-519431.shtml

Ran the script and my results were the same.

"Spectre Variant 1"  Status: Not Vulnerable

"Spectre Variant 2"  Status: Vulnerable

"Meltdown aka Variant 3"  Status: Not Vulnerable

(Results with latest Intel microcode update and updated Linux kernel 4.4.0-111)

In respect to "Spectre Variant 2"  the following article - Ubuntu Preparing Kernel Updates With IBRS/IBPB For Spectre Mitigation - may be reassuring.

https://www.phoronix.com/scan.php?page=news_item&px=Ubuntu-Preps-Spectre-Kernels
Title: Re: Meltdown & Spectre Information and Discussion
Post by: bfb on January 19, 2018, 04:20:12 AM
Remove kernel 4.10 and then update kernel 4.4. You must be running on 4.4 to delete 4.10. If you are running 4.4 now try updating. I think LL will only update the running kernel, though not sure. In any case 4.4 in LL will update to -111.

TC
I took your advice, for which I am grateful, but the 4.4 from the Lite Tweaks doesn't update to -111 for some reason.
1) Does this mean that all the kernels from there are vulnerable? Remember I had 4.10 running before and that was vulnerable. 2) How can I install the -111 version if 4.4 doesn't update to it automatically?
Title: Re: Article - Ubuntu Preparing Kernel Updates With IBRS/IBPB For Spectre Mitigation
Post by: Ottawagrant on January 19, 2018, 09:39:21 AM
Does anyone read this article the same way I do. (and it doesn't surprise me if I'm wrong) That the kernel update coming on Monday the 22nd is for computers with Intel processors only. Nothing done with AMD at this time.
Title: Re: Meltdown & Spectre Information and Discussion
Post by: trinidad on January 19, 2018, 04:52:51 PM
@bfb  Run -  sudo apt-get update first in the terminal, then exit and update normally via lite updates.

TC
Title: Re: Meltdown & Spectre Information and Discussion
Post by: bfb on January 20, 2018, 12:00:20 AM
Thank you. I have done all that, but I still get this.
I wonder if there is a problem with kernels from the Lite Tweaks 'Install kernel' option?

(http://i253.photobucket.com/albums/hh80/bfb_album/Screenshot_2018-01-20_05-51-59_zpsbn5ald4b.png) (http://s253.photobucket.com/user/bfb_album/media/Screenshot_2018-01-20_05-51-59_zpsbn5ald4b.png.html)
Title: Re: Meltdown & Spectre Information and Discussion
Post by: trinidad on January 20, 2018, 11:20:08 AM
During this past week I have had two Sandy Bridge firmware updates go completely haywire, one massive slowdown, the other blue screen, then cook the board. (Intel has adjusted the firmware but with disclaimers) If you are on Windows 10 do not update the firmware on your Sandy Bridge CPU, and do not use the recommended MS patches for Meltdown if on Windows 7 or 8. There are characteristics of this CPU that make the Intel update and MS patch together basically crippling in some cases. Several OEMs including DELL are highly unlikely to ever patch this CPU for the MS kernel. However, if you dual boot Ubuntu with Windows 10, the KPTI adjustments in Ubuntu work fine, with little impact on performance, but there are several differences in the MS kernel functions in CPU space and some ugly MS and Intel tweaks to this CPU running Windows.

The official MS response: "If you are using a pre-2016 Intel CPU with Windows 10, there is nothing much you can do except consider upgrading to a newer processor or, you could possibly just live with the performance impact of the Meltdown and Spectre patches."

Probably the ultimate cause of the slowdowns: "With Sandy Bridge, Intel has tied the speed of every bus (USB, SATA, PCI, PCI-E, CPU cores, Uncore, memory etc.) to a single internal clock generator issuing the basic 100 MHz Base Clock (BClk). With CPUs being multiplier locked, the only way to overclock is to increase the BClk, which can be raised by only 5–7% without other hardware components failing."

Another issue that is certain to become a security issue: "Sandy and Ivy Bridge processors with vPro capability have security features that can remotely disable a PC or erase information from hard drives. This can be useful in the case of a lost or stolen PC. The commands can be received through 3G signals, Ethernet, or Internet connections. AES encryption acceleration will be available, which can be useful for video conferencing and VoIP applications."

Leave your Windows 10 unpatched on Sandy Bridge, but go ahead and update your Ubuntu if you dual boot.

TC
Title: Re: Meltdown & Spectre Information and Discussion
Post by: firenice03 on January 20, 2018, 11:41:10 AM
The other day had a couple vulnerability updated and for kicks tried again this morn... All Good :)
4.4.0-111 on the 32bit mini..


  (http://imgur.com/lcq5i2xl.png)
 (http://i.imgur.com/lcq5i2x.png)


  (http://imgur.com/ci3tX8Dl.png)
 (http://i.imgur.com/ci3tX8D.png)
Title: Re: Meltdown & Spectre Information and Discussion
Post by: Ottawagrant on January 22, 2018, 01:13:02 PM
Read last Friday that Ubuntu was releasing a new kernel today. They did. 4.4.0-112 #135. I wanted to test it on an Intel computer. So I used my HP compaq 7900 SFF. I'll test a few other computers but for the HP it still shows Variant #2 as vulnerable. Variant #1 & 3, not. Time to boot up another computer.
Title: Re: Meltdown & Spectre Information and Discussion
Post by: Vera on January 22, 2018, 02:37:23 PM
I updated my Toshiba laptop just now, rebooted and ran the checker. Got the same results as @Ottawagrant , so the #2 is not mitigated for me yet either. Haven't checked my main machine yet, just the Toshiba laptop.
Title: Re: Meltdown & Spectre Information and Discussion
Post by: trinidad on January 22, 2018, 04:50:58 PM
v2 Spectre vulnerabilities may never be fully identified or patched. These creatures evolve into thousand armed spiders.
Ubuntu has made a lot of progress no thanks to Intel or AMD though. Stick with your LL. The waters are much dirtier elsewhere.

https://usn.ubuntu.com/usn/xenial/

TC

Title: Re: Meltdown & Spectre Information and Discussion
Post by: Searchernow on January 22, 2018, 05:24:19 PM
I'm checking for updates twice a day.  Just now  4.4.0-112 #135.

I ran tool v.0.32 with same result as others above - variant 2 vulnerable.

on another mitigation -

My main browser is FF 57, and I have it blocking insecure sites (this setup from before the Intel catastrophe!) - but some of these sites I want to view (articles etc., but I don't send and login or other info - not intentionally!) and these I view on Chromium, also customized to be reasonably secure, but a bit more permissive.

Anyway, for those who don't already know there is a trial mitigation tool from the Chromium project which seeks to isolate sites you are accessing from each other. This will hopefully close a route for a rogue page to infect other open pages.

details here   https://www.chromium.org/Home/chromium-security/site-isolation#TOC-1-Isolating-All-Sites

go to the tool here    chrome://flags/#enable-site-per-process   and scroll down to Strict Site Isolation and enable.  (do this in Chromium!).

Title: Re: Article - Ubuntu Preparing Kernel Updates With IBRS/IBPB For Spectre Mitigation
Post by: m654321 on January 23, 2018, 04:34:31 AM
I'm sure like me, a few on the LL forum are stuck as to how to run the Spectre/Meltdown checker.

I went to https://github.com/linuxlite/Spectre-Meltdown-Checker-Automated

then downloaded the script:

Code:
wget https://github.com/linuxlite/Spectre-Meltdown-Checker-Automated.git
What do I do next ... ?
Title: Re: Article - Ubuntu Preparing Kernel Updates With IBRS/IBPB For Spectre Mitigation
Post by: UltraCookie on January 23, 2018, 05:05:27 AM
Extract the folder -> open it -> double click on sm-start.
Title: Re: Article - Ubuntu Preparing Kernel Updates With IBRS/IBPB For Spectre Mitigation
Post by: m654321 on January 23, 2018, 08:58:05 AM
Extract the folder -> open it -> double click on sm-start.

I don't have a folder to extract from  :o
When I used the wget command  in post #2, an HTML file is downloaded, named Spectre-Meltdown-Checker-Automated.git ...

 :(
Title: Re: Article - Ubuntu Preparing Kernel Updates With IBRS/IBPB For Spectre Mitigation
Post by: Jerry on January 23, 2018, 09:03:50 AM
I'm sure like me, a few on the LL forum are stuck as to how to run the Spectre/Meltdown checker.

I went to https://github.com/linuxlite/Spectre-Meltdown-Checker-Automated (https://github.com/linuxlite/Spectre-Meltdown-Checker-Automated)

then downloaded the script:

Code:
wget https://github.com/linuxlite/Spectre-Meltdown-Checker-Automated.git
What do I do next ... ?


I don't know why you are using the wget command, that instruction isn't there. https://github.com/linuxlite/Spectre-Meltdown-Checker-Automated (https://github.com/linuxlite/Spectre-Meltdown-Checker-Automated) shows the exact instructions under Instructions. Click on the green 'Clone or download' button, Download zip.
Title: Re: Article - Ubuntu Preparing Kernel Updates With IBRS/IBPB For Spectre Mitigation
Post by: m654321 on January 23, 2018, 02:37:16 PM
@Jerry
Many thanks - got it sorted, worked fine in LL3.6
I guess though, that the spectre-meltdown checker won't work in some other distros, where sudo is not a recognised command, e.g. PCLinuxOS.
Title: Re: Article - Ubuntu Preparing Kernel Updates With IBRS/IBPB For Spectre Mitigation
Post by: trinidad on January 23, 2018, 03:27:46 PM
@m654321 Below is the list of updated kernels for PClinuxOS and even though this a LL forum and I don't use PClinuxOS maybe just create a directory in your home directory to hold the shell script and run the commands in a root terminal without the sudo added in to the last.

http://www.pclinuxos.com/forum/index.php/topic,144844.msg1237197.html#msg1237197
We also need to ask these things all in the same thread and not spread this out all over the place.

TC

Title: Re: Meltdown & Spectre Information and Discussion
Post by: Jerry on January 23, 2018, 06:03:50 PM
Topics merged and title of this thread renamed.
Please keep all posts on this topic in this thread. Cheers :)
Title: Re: Meltdown & Spectre Information and Discussion
Post by: Moltke on January 23, 2018, 08:08:26 PM
Here's a nice article I just found while surfing the web https://insights.ubuntu.com/2018/01/17/spectre-mitigation-updates-available-for-testing-in-ubuntu-proposed

It says:
Quote
You are invited to test and provide feedback for the following updated Linux kernels.  We have also rebased all derivative kernels such as the public cloud kernels (Amazon, Google, Microsoft, etc) and the Hardware Enablement (HWE) kernels.

It provides links for the proposed kernels for Ubuntu 14.04, 16.04, 17.04, 17.10.
Title: Re: Meltdown & Spectre Information and Discussion
Post by: Jerry on January 29, 2018, 06:47:51 AM
For advanced users. Do not try this on your actual machine unless you have god powers - https://www.sentinelone.com/blog/sentinelone-releases-free-linux-tool-detect-meltdown-vulnerability-exploitations/ (https://www.sentinelone.com/blog/sentinelone-releases-free-linux-tool-detect-meltdown-vulnerability-exploitations/) Play with it in an up to date LL VM.
Title: Re: Meltdown & Spectre Information and Discussion
Post by: trinidad on January 31, 2018, 10:41:34 AM
I will try this out sometime this week Jerry. Thanks.

TC
Title: Re: Meltdown & Spectre Information and Discussion
Post by: Moltke on January 31, 2018, 06:49:09 PM
Here's another nice article I just found on the web, it describes another way to check on meltdown-spectre http://kroah.com/log/blog/2018/01/19/meltdown-status-2/

:)
Title: Re: Meltdown & Spectre Information and Discussion
Post by: trinidad on February 06, 2018, 01:02:02 PM
Bad news is that now more than 200 different forms of malware have turned up in the "wild" modified to attempt to exploit the Spectre vulnerability, which indicates the probability that some sophisticated sleeper applications may evolve to pose a huge threat to Microsoft Windows.

Good news is that this week I will be posting several different alternative ways to monitor for the vulnerabilities besides the already available spectre-meltdown-checker. Debian has now backported the spectre-meltdown-checker for stretch.

TC
Title: Re: Meltdown & Spectre Information and Discussion
Post by: TheDead on February 06, 2018, 06:23:28 PM
"Once it's weaponized to run evil things, we're doomed, DOOMED! Dooooooomed!" ;) - Tim the Enchanter!

We'll need Coconut computers!
Title: Re: Meltdown & Spectre Information and Discussion
Post by: ian_r_h on February 07, 2018, 06:26:01 AM
Hmmm... off to live in a cave in the middle of a forest (next to a river with plenty of fish)...  ;)

Will launch my secret nuclear weapons at Intel first...
Title: Re: Meltdown & Spectre Information and Discussion
Post by: supergamer on February 08, 2018, 09:03:30 AM
It seems the new kernel 4.13.33 fixes the variant 2 version on an older amd at least.


(https://imgur.com/a/uE0lx)
Title: Re: Meltdown & Spectre Information and Discussion
Post by: Moltke on February 08, 2018, 10:12:55 AM
It seems the new kernel 4.13.33 fixes the variant 2 version on an older amd at least.
(https://imgur.com/a/uE0lx)

I'm using latest kernel 4.15 on an AMD CPU too and I see this message on boot I can't just now remember. However, running
Code:
$ grep . /sys/devices/system/cpu/vulnerabilities/*
shows this:
Code:
/sys/devices/system/cpu/vulnerabilities/meltdown:Not affected
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Vulnerable
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline

I believe message on boot has something to do with last line of that output; full generic retpoline.
Title: Re: Meltdown & Spectre Information and Discussion
Post by: supergamer on February 08, 2018, 11:09:02 AM
I used the script to check. Here is the report from your command:


Code:
/sys/devices/system/cpu/vulnerabilities/meltdown:Not affected
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: OSB (observable speculation barrier, Intel v6)
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full AMD retpoline
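
Added example, not part of any post in this thread and not code from the checker script: a POSIX shell sketch that turns the sysfs files shown in the two posts above into a per-entry classification and a list of entries that still need attention. The function names are hypothetical, and the sample directory is constructed from the three lines Moltke posted.

```shell
#!/bin/sh
# Added example: summarise /sys/devices/system/cpu/vulnerabilities.
# All function names are hypothetical helpers, not part of any tool.

# Map one raw status line, as the kernel writes it, to a coarse class.
classify_status() {
    case "$1" in
        "Not affected"*) echo "not-affected" ;;
        "Mitigation:"*)  echo "mitigated" ;;
        "Vulnerable"*)   echo "vulnerable" ;;
        *)               echo "unknown" ;;
    esac
}

# Print "<entry> <class> <raw status>" for each file in the directory.
# Returns 2 when the directory is missing, so that "no report at all"
# is never mistaken for "nothing vulnerable".
report_vulnerabilities() {
    vdir=${1:-/sys/devices/system/cpu/vulnerabilities}
    if [ ! -d "$vdir" ]; then
        echo "no vulnerabilities directory at $vdir" >&2
        return 2
    fi
    for vfile in "$vdir"/*; do
        [ -f "$vfile" ] || continue
        line=""
        IFS= read -r line < "$vfile" || true   # first line only
        printf '%s %s %s\n' "$(basename "$vfile")" \
            "$(classify_status "$line")" "$line"
    done
}

# Print, one per line, the entries that are vulnerable or whose status
# string is not recognised (treated conservatively as needing a look).
list_unmitigated() {
    out=$(report_vulnerabilities "$1") || return 2
    printf '%s\n' "$out" |
        awk '$2 == "vulnerable" || $2 == "unknown" { print $1 }'
}

# Constructed sample: a temporary directory holding the three status
# lines from the grep output posted above.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'Not affected\n' > "$d/meltdown"
    printf 'Vulnerable\n' > "$d/spectre_v1"
    printf 'Mitigation: Full generic retpoline\n' > "$d/spectre_v2"
    echo "$d"
}

# Demo on the constructed sample; call report_vulnerabilities with no
# argument to read the running kernel's own report instead.
sample=$(make_sample_dir)
report_vulnerabilities "$sample"
echo "needs attention: $(list_unmitigated "$sample")"
rm -rf "$sample"
```
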
Title: Re: Meltdown & Spectre Information and Discussion
Post by: The Repairman on February 09, 2018, 12:14:42 PM
 8)
Title: Re: Meltdown & Spectre Information and Discussion
Post by: supergamer on February 09, 2018, 02:28:31 PM
I'm running a highly modified version of Linux Lite and some modified Xubuntu stuff. I am assuming the kernel updates will be pushed out by Ubuntu as that is how I got them as I am running a HWE kernel.


Code:
System:    Host: supergamer Kernel: 4.13.0-33-generic x86_64 (64 bit gcc: 5.4.0)
           Desktop: Xfce 4.12.3 (Gtk 2.24.28) Distro: Ubuntu 16.04 xenial
Machine:   System: TOSHIBA (portable) product: Satellite L505D v: PSLV6U-00K001
           Mobo: TOSHIBA model: Portable PC
           Bios: Insyde v: 1.00 date: 09/07/2009
CPU:       Dual core AMD Athlon II M300 (-MCP-) cache: 1024 KB
           flags: (lm nx sse sse2 sse3 sse4a svm) bmips: 7979
           clock speeds: max: 2000 MHz 1: 1400 MHz 2: 800 MHz
Graphics:  Card: Advanced Micro Devices [AMD/ATI] RS880M [Mobility Radeon HD 4100]
           bus-ID: 01:05.0
           Display Server: X.Org 1.18.4 drivers: ati,radeon (unloaded: fbdev,vesa)
           Resolution: [email protected]
           GLX Renderer: AMD RS880 (DRM 2.50.0 / 4.13.0-33-generic, LLVM 5.0.0)
           GLX Version: 3.0 Mesa 17.2.8 Direct Rendering: Yes
Audio:     Card Advanced Micro Devices [AMD/ATI] SBx00 Azalia (Intel HDA)
           driver: snd_hda_intel bus-ID: 00:14.2
           Sound: Advanced Linux Sound Architecture v: k4.13.0-33-generic
Network:   Card-1: Realtek RTL8187SE Wireless LAN Controller
           driver: rtl818x_pci port: 7000 bus-ID: 02:00.0
           IF: wlp2s0 state: up mac: <filter>
           Card-2: Realtek RTL8101/2/6E PCI Express Fast/Gigabit Ethernet controller
           driver: r8169 v: 2.3LK-NAPI port: 6000 bus-ID: 03:00.0
           IF: p5p1 state: down mac: <filter>
Drives:    HDD Total Size: 250.1GB (36.2% used)
           ID-1: /dev/sda model: TOSHIBA_MK2555GS size: 250.1GB
Partition: ID-1: / size: 227G used: 82G (38%) fs: ext4 dev: /dev/sda1
           ID-2: swap-1 size: 2.95GB used: 0.00GB (0%) fs: swap dev: /dev/sda5
RAID:      No RAID devices: /proc/mdstat, md_mod kernel module present
Sensors:   System Temperatures: cpu: 67.0C mobo: N/A
           Fan Speeds (in rpm): cpu: N/A
Info:      Processes: 165 Uptime: 13 min Memory: 875.9/2746.7MB
           Init: systemd runlevel: 5 Gcc sys: 5.4.0
           Client: Shell (bash 4.3.481) inxi: 2.2.35
Title: Re: Meltdown & Spectre Information and Discussion
Post by: Moltke on February 09, 2018, 02:56:52 PM
Quote
Do the new meltdown / spectre kernels update automatically or is this something I have to manually do using Synaptic Package Manager

For kernel updates follow this link and read through the thread.

https://www.linuxliteos.com/forums/linux-lite-software-development/linux-lite-kernel/msg38277/#msg38277

Quote
Is the kernel posted above secure enough or is there a new more secure kernel which I should update to

run this command to find out

Code: [Select]
$ grep . /sys/devices/system/cpu/vulnerabilities/*
Title: Re: Meltdown & Spectre Information and Discussion
Post by: trinidad on February 09, 2018, 03:46:37 PM
I run this kernel in Ubuntu 16.04 and it is mitigated against Meltdown with KPTI and mitigated against Spectre variant 1, and Firefox 58 is in the LTS version. You're good enough.

TC
Title: Re: Meltdown & Spectre Information and Discussion
Post by: The Repairman on February 09, 2018, 04:13:21 PM
 8)
Title: Re: Meltdown & Spectre Information and Discussion
Post by: trinidad on February 09, 2018, 05:30:22 PM
Here are my results on Ubuntu 16.04 LTS with your listed kernel. The long command is correct for Ubuntu and/or LL. The unpatched frowny face is for no existing Intel microcode updates as yet.

https://imgur.com/a/wX54Z (https://imgur.com/a/wX54Z)

TC
Title: Re: Meltdown & Spectre Information and Discussion
Post by: The Repairman on February 09, 2018, 05:54:40 PM
 8)
Title: Re: Meltdown & Spectre Information and Discussion
Post by: The Repairman on February 09, 2018, 06:41:50 PM
 8)
Title: Re: Meltdown & Spectre Information and Discussion
Post by: humdinger70 on February 23, 2018, 06:07:34 PM
The 4.4.0-116 kernel now fixes everything. I ran the checker after install and boot of the new kernel and now all three variants say 'NOT VULNERABLE'.
Title: Re: Meltdown & Spectre Information and Discussion
Post by: The Repairman on February 24, 2018, 10:30:48 AM
 8)
Title: Re: Meltdown & Spectre Information and Discussion
Post by: Jerry on February 24, 2018, 10:39:29 AM
(https://i.imgur.com/b5oEKhZ.png)
Title: Re: Meltdown & Spectre Information and Discussion
Post by: TheDead on February 25, 2018, 10:07:06 AM
Sooo, if I’m on 4.10, I have to revert to 4.4.0-116 to get the fix?
Title: Re: Meltdown & Spectre Information and Discussion
Post by: The Repairman on February 25, 2018, 05:06:34 PM
 8)
Title: Re: Meltdown & Spectre Information and Discussion
Post by: TheDead on February 26, 2018, 07:16:52 PM
Quote
Sooo, if I’m on 4.10, I have to revert to 4.4.0-116 to get the fix?
I would think that you would be able to use the 4.15 kernel which you can download and install from the Synaptic Package Manager aka Install/Remove Software.

Go into Synaptic Package Manager / Install/Remove Software center and install linux-headers 4.15 first and then install linux-image 4.15 second.

Do a reboot and you should boot into the new 4.15 kernel.

Do not remove existing kernel in case the new kernel fails to boot.

--------------------------------------------------------------------------------------------------------------------------------

Update
It appears that Lite Tweaks in the Menu under System has a kernel installer so you might want to give that a look at also.


Don't hold me to this as I'm only a Linux Lite user and not a Linux Guru.

Thanks and yep,  I'm gonna keep older kernels because last time I tried 4.13, got a kernel panic on boot. ;)
If 4.15 breaks, I'll go the 4.4.0-116 route.

Now time to read if those fixes slow CPUs down or not, which was the big worry in the beginning. :-O

Cheers!
Title: Re: Meltdown & Spectre Information and Discussion
Post by: The Repairman on February 26, 2018, 09:42:37 PM
 8)
Title: Re: Meltdown & Spectre Information and Discussion
Post by: newtusmaximus on February 27, 2018, 08:57:32 AM
Vulnerabilities resolved :)
Speed?? has it been reduced.  Tests below.


-Computer-
Processor      : 2x Intel(R) Core(TM)2 CPU          6300  @ 1.86GHz
Memory      : 4037MB (2138MB used)
-Version-
Kernel      : Linux 4.4.0-116-generic (x86_64)

Distribution      : Linux Lite 3.6
-Current Session-
Computer Name      : linuxlite-HP-Compaq-dc7700p-Ultra-slim-Desktop
Desktop Environment      : XFCE 4
-Misc-
Uptime      : 6 hours, 10 minutes
Load Average      : 0.42, 0.56, 0.38


-CPU Blowfish-
This Machine   1867 MHz   9.806
Intel(R) Celeron(R) M processor         1.50GHz   (null)   26.1876862
PowerPC 740/750 (280.00MHz)   (null)   172.816713

-CPU CryptoHash-
This Machine   1867 MHz   137.318

-CPU Fibonacci-
This Machine   1867 MHz   5.082
Intel(R) Celeron(R) M processor         1.50GHz   (null)   8.1375674
PowerPC 740/750 (280.00MHz)   (null)   58.07682

-CPU N-Queens-
This Machine   1867 MHz   17.196

-FPU FFT-
This Machine   1867 MHz   4.524

-FPU Raytracing-
This Machine   1867 MHz   11.347
Intel(R) Celeron(R) M processor         1.50GHz   (null)   40.8816714
PowerPC 740/750 (280.00MHz)   (null)   161.312647

No idea what the above means.  perhaps those more knowledgeable can comment??
Title: Re: Meltdown & Spectre Information and Discussion
Post by: TheDead on February 27, 2018, 01:42:21 PM
Thanks @newtusmaximus but  I have no clue what the benchmark numbers mean either. ;)
Guess I'll have to bench the machine before and after all the patches.

Cheers!
Title: Re: Meltdown & Spectre Information and Discussion
Post by: Ottawagrant on February 27, 2018, 06:00:21 PM
My HP compaq is 9 years old, 3.33MHz, duo core w/8gb RAM. Absolutely no slowdown with the patch installed. My Windows 10 computers, with whatever patch Microsoft has issued, all show slowdown. I only have one computer with an AMD processor, so I use that if I have to use Windows. Next month is Microsoft's Spring update to Windows 10. Better check the drug store flyers for antacid.
Title: Re: Meltdown & Spectre Information and Discussion
Post by: newtusmaximus on February 28, 2018, 04:42:54 AM
Re Speed / performance tests. as per my previous post, is there a simple "idiots" guide as to what the results means in real life for the average  computer user?  Thanks
Title: Re: Meltdown & Spectre Information and Discussion
Post by: trinidad on February 28, 2018, 09:51:44 AM
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown/TechFAQ

I doubt microcode updation will ever appear for anything older than Skylake, and though Intel is already facing over 30 litigations I expect class actions to branch out to include OEMs Dell, HP, Lenovo, and Asus. We've only just begun in Linux with retpoline and it's going to be an application by application case instance without microcode updation for older CPUs. Worse off MS is riddled with potential sleeper applications and the Spring update is probably going to kill off hordes of current Windows 10 users on machines older than Skylake who will find themselves unable to connect to their financial institutions.

TC
Title: Re: Meltdown & Spectre Information and Discussion
Post by: trinidad on March 03, 2018, 07:21:47 AM
The spectre-meltdown-checker received an update today on my Debian machines. I'm going to look now if LL or Ubuntu versions were updated.

Okay checked LL and Ubuntu. LL/Ubuntu version is v0.33 Debian version is v0.35. The only differences in the script I could find is how variant 1 mitigation detection is handled in Debian. Ubuntu uses the original Red Hat patch and Debian does not. v0.33 is okay for LL/Ubuntu even though v0.35 is newer.

TC
Title: Re: Meltdown & Spectre Information and Discussion
Post by: Jerry on March 03, 2018, 04:16:51 PM
Debian have their own fork based on their own kernels. Not applicable to LL here which uses Ubuntu kernels. I'd like to keep this LL focused so newbies don't start posting questions about how they are confused. Cheers :)
Title: Re: Meltdown & Spectre Information and Discussion
Post by: Searchernow on March 09, 2018, 06:38:54 PM
Quote
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown/TechFAQ

I doubt microcode updation will ever appear for anything older than Skylake, and though Intel is already facing over 30 litigations I expect class actions to branch out to include OEMs Dell, HP, Lenovo, and Asus. We've only just begun in Linux with retpoline and it's going to be an application by application case instance without microcode updation for older CPUs. Worse off MS is riddled with potential sleeper applications and the Spring update is probably going to kill off hordes of current Windows 10 users on machines older than Skylake who will find themselves unable to connect to their financial institutions.

TC


Thanks for all this info, some of which I think (!) I understand, a bit.

I'm using 2 laptops. My i5 CPUs are pre-Skylake ... not sure about the meaning of microcode issues, but I think you're saying it may become a serious problem for those on pre-Skylake cpu computers. Soon?

I use an i5 laptop (1) (single partition) windows 7 ( to run windows-based cad) and so far this year I've not had to go online with it and I don't intend to.

But it does get some files transferred to it (on SD cards or usb) from my i5 linux Lite laptop (2) (dual-boot) which I use online - Firefox & Chromium. I'm not sure if a Windows bug can get onto LL (2) then over to the other laptop (1) running win7?

Longer term - should I be putting money in a piggy-bank for a new computer? Or could I fit new CPU?
Title: Re: Meltdown & Spectre Information and Discussion
Post by: newtusmaximus on March 10, 2018, 05:13:17 AM
Quote
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown/TechFAQ

I doubt microcode updation will ever appear for anything older than Skylake, and though Intel is already facing over 30 litigations I expect class actions to branch out to include OEMs Dell, HP, Lenovo, and Asus. We've only just begun in Linux with retpoline and it's going to be an application by application case instance without microcode updation for older CPUs. Worse off MS is riddled with potential sleeper applications and the Spring update is probably going to kill off hordes of current Windows 10 users on machines older than Skylake who will find themselves unable to connect to their financial institutions.

TC

So what are we saying here please?  Are we saying, even with the patches from the recent Kernel update for LL, because of the pre-Skylake CPUs, our older machines are still vulnerable even when J's test reports no vulnerability.

I.e ALL older hardware is now "junk" if used "online".

Can not the anti virus / malware boys evolve their products to screen for "code" that  would exploit these vulnerabilities.?

Very confused as to what all this will mean for the average user.  Does it mean online shopping/ banking etc is potentially now a nono!! ??
Title: Re: Meltdown & Spectre Information and Discussion
Post by: trinidad on March 15, 2018, 09:02:52 AM
The link below is one of the better explanations of the retpoline mitigation.

https://support.google.com/faqs/answer/7625886

This link is the "claimed" status of Intel's microcode updation which should be taken sceptically not optimistically.

https://newsroom.intel.com/wp-content/uploads/sites/11/2018/03/microcode-update-guidance.pdf

This is from my 5year old AMD A8 HP.

https://imgur.com/a/bWhLr

TC
Title: Re: Meltdown & Spectre Information and Discussion
Post by: trinidad on March 27, 2018, 01:22:59 PM
News

1) Well Intel has made stable microcode available now as far back as Sandy Bridge, however OEM's Dell and HP are still lagging behind in the implementations. Microsoft continues to be ahead of the curve on the whole issue though the latest updations have install issues as well due to the lagging OEM implementations. I have succeeded with a couple of W10 Dell Sandy Bridge boxes but it cannot be done without resorting to the CLI so everyday users are unlikely to install the mc mitigations.

2) New security studies from AMD are dismal for some of their CPU's. See the link below.

https://www.amdflaws.com/

3) Being a regular Debian user I am a bit spoiled when it comes to updates. Debian stable is slow and methodical about such things. But I also use both Ubuntu and LL where update schedules are far denser and hectic. I have to remind myself that so many of the current issues are linked to S/M and Intel. Ubuntu has been on top of the issues since they began and the devs have worked very hard to deal with the changes for their users. Updation was not always so intense with Linux in general, but it is good to remember that Linux is a community and as such more in touch with its own reality in more diverse ways than any corporate entity could ever hope to be. It is discouraging what corporate OEMs have done to everyday people, but it is wonderful to watch the Linux community respond.

TC
Title: Re: Meltdown & Spectre Information and Discussion
Post by: Searchernow on March 28, 2018, 12:33:08 PM
Trinidad - thanks for keeping us up-to-date!!  Much appreciated.
Title: Re: Meltdown & Spectre Information and Discussion
Post by: Jerry on March 28, 2018, 10:39:54 PM
(https://i.imgur.com/O4EHqi3.png)
Title: Re: Meltdown & Spectre Information and Discussion
Post by: Searchernow on March 29, 2018, 05:46:02 PM
Hi Jerry,
for me your post is blank. Maybe my firefox settings are detecting something considered insecure and blocking it.
Title: Re: Meltdown & Spectre Information and Discussion
Post by: firenice03 on March 29, 2018, 06:01:38 PM
Quote
Hi Jerry,
for me your post is blank. Maybe my firefox settings are detecting something considered insecure and blocking it.

It's an image, I can see... maybe slow loading or FF??


(https://i.imgur.com/O4EHqi3.png)
Title: Re: Meltdown & Spectre Information and Discussion
Post by: Jocklad on March 29, 2018, 06:17:08 PM
Loading ok on Chrome
Title: Re: Meltdown & Spectre Information and Discussion
Post by: bitsnpcs on March 29, 2018, 06:22:33 PM
Loading quickly for me on Firefox and Opera browsers.
Title: Re: Meltdown & Spectre Information and Discussion
Post by: Searchernow on March 30, 2018, 07:11:48 AM
Hi all,

thanks for your responses. I use FF (more strict blocking of tracking content etc.) and that's where I interact with this forum; and for others, e.g. non-https sites where I will not be logging in, I use Chromium (less strict blocking, though still blocks javascript by default).

I re-opened this page on Chromium, it said javascript was blocked, so I un-blocked for this page, but still no image. I allowed protected content, still no image.

All I can suggest is:
a) I have more secure browser environments which see reasons to block the content
or
b) I am missing something in the way I have things set up. Though I do normally use FF to read e.g. The Guardian and I'm used to blank spaces/content or ads blocked. That's the way I like it.

Another factor may be my use of plug-ins Privacy Badger, HTTPS Everywhere, and Disconnect.

Anyway, I am assuming Jerry's posted image is not vital for me, I can live without it. I'm curious of course!
Title: Re: Meltdown & Spectre Information and Discussion
Post by: bitsnpcs on March 30, 2018, 07:59:58 AM
Hello Searchernow,

In your browsers do -
other images hosted on imgur display?
other png file type images ?
Title: Re: Meltdown & Spectre Information and Discussion
Post by: Searchernow on March 30, 2018, 05:33:29 PM
Quote
Hello Searchernow,

In your browsers do -
other images hosted on imgur display?
other png file type images ?

I'm not aware of what images might be hosted by imgur, either shown or blocked! What I did do just now was to try to open the imgur site, and both browsers block it, it is unsafe! Maybe there's the answer.

Not sure about other png images, how would I know?
Title: Re: Meltdown & Spectre Information and Discussion
Post by: bitsnpcs on March 31, 2018, 09:18:06 AM
Hello Searchernow,

I thought it could be the case, I had looked at imgur before it looked a bit snoopy to me, I use a different image host. https://imgbb.com/

You could check this post
https://www.linuxliteos.com/forums/other/is-there-a-way-to-make-the-desktop-taskbar-always-on-top/msg39982/#msg39982
and see if the png images I added display in your browsers, to determine if your browsers are blocking png image file type at other hosts, or whether it is only blocking imgur.
Title: Re: Meltdown & Spectre Information and Discussion
Post by: Searchernow on March 31, 2018, 10:28:11 AM
Quote
Hello Searchernow,

I thought it could be the case, I had looked at imgur before it looked a bit snoopy to me, I use a different image host. https://imgbb.com/

You could check this post
https://www.linuxliteos.com/forums/other/is-there-a-way-to-make-the-desktop-taskbar-always-on-top/msg39982/#msg39982
and see if the png images I added display in your browsers, to determine if your browsers are blocking png image file type at other hosts, or whether it is only blocking imgur.

Thanks,
I opened that page and I do see your pic of a bee on flowers and a screenshot of "Panel window".

More generally, the wikipedia page for imgur reported a serious potential user data breach, though unlike yahoo they did notify users straight away.

Title: Re: Meltdown & Spectre Information and Discussion
Post by: Searchernow on March 31, 2018, 10:50:49 AM
Re-reading my posts - I mentioned blank spaces in the Guardian, I should add that these are the exception, most images in the Guardian I can see ok.
Title: Re: Meltdown & Spectre Information and Discussion
Post by: bitsnpcs on March 31, 2018, 11:52:28 AM
Do you have a link for the imgur wikipedia page please, so I can read the detail of it ?

The blank spaces in the Guardian may be blocked adverts ?
Title: Re: Meltdown & Spectre Information and Discussion
Post by: Searchernow on March 31, 2018, 03:46:21 PM
yes, at least some blanks are ads, I try to live an ad-less life.

https://en.wikipedia.org/wiki/Imgur (https://en.wikipedia.org/wiki/Imgur)
Title: Re: Meltdown & Spectre Information and Discussion
Post by: bitsnpcs on April 01, 2018, 02:54:53 AM
Thank You  :) , I'll have a read of it
Title: Re: Meltdown & Spectre Information and Discussion
Post by: m654321 on April 02, 2018, 01:03:23 PM
Quote
I had looked at imgur before it looked a bit snoopy to me, I use a different image host. https://imgbb.com/ (https://imgbb.com/)
Very many thanks for this useful tip  8)

Title: Re: Meltdown & Spectre Information and Discussion
Post by: bitsnpcs on April 03, 2018, 06:58:59 AM
Quote
I had looked at imgur before it looked a bit snoopy to me, I use a different image host. https://imgbb.com/ (https://imgbb.com/)
Very many thanks for this useful tip  8)

Glad it was useful :)
Title: Re: Meltdown & Spectre Information and Discussion
Post by: Searchernow on April 03, 2018, 09:00:11 AM
Quote
News

1) Well Intel has made stable microcode available now as far back as Sandy Bridge, however OEM's Dell and HP are still lagging behind in the implementations. Microsoft continues to be ahead of the curve on the whole issue though the latest updations have install issues as well due to the lagging OEM implementations. I have succeeded with a couple of W10 Dell Sandy Bridge boxes but it cannot be done without resorting to the CLI so everyday users are unlikely to install the mc mitigations.

2) New security studies from AMD are dismal for some of their CPU's. See the link below.

https://www.amdflaws.com/

3) Being a regular Debian user I am a bit spoiled when it comes to updates. Debian stable is slow and methodical about such things. But I also use both Ubuntu and LL where update schedules are far denser and hectic. I have to remind myself that so many of the current issues are linked to S/M and Intel. Ubuntu has been on top of the issues since they began and the devs have worked very hard to deal with the changes for their users. Updation was not always so intense with Linux in general, but it is good to remember that Linux is a community and as such more in touch with its own reality in more diverse ways than any corporate entity could ever hope to be. It is discouraging what corporate OEMs have done to everyday people, but it is wonderful to watch the Linux community respond.

TC


I'd been wondering about your comment re OEMs lagging ... in implementations - and would I need to do anything myself.

But today I did Install Updates and it includes "intel-microcode: microcode will be updated at next boot" - I presume this will apply to my i5 cpu.
Title: Re: Meltdown & Spectre Information and Discussion
Post by: Jerry on May 17, 2018, 10:01:55 AM
LL meltdown Checker on Linux Lite 4.0 (latest kernel)

(https://i.imgur.com/NQoDU0n.gif)

Title: Re: Meltdown & Spectre Information and Discussion
Post by: TheDead on May 18, 2018, 03:58:03 PM
Yo!

I didn't use the Checker tool... yet, since using other computer for banking stuff, etc.
But is it / will it be available in Lite Tweaks or Lite Software in LiLi 4.0 ?
Planning to ditch those 'dows when 4 is out.

Cheers and keep it up! ;)
Title: Re: Meltdown & Spectre Information and Discussion
Post by: Searchernow on July 27, 2019, 04:29:40 PM
It's been a long time since I looked at this issue, I had frankly forgotten it!

I keep my Updates up-to-date each week, so am I safe to assume the vulnerabilities are no longer a threat?

LL 4.4, 64bit, i5 processor.
Title: Re: Meltdown & Spectre Information and Discussion
Post by: Jerry on July 27, 2019, 04:38:57 PM
Security is a fallacy, there is no such thing in computing.

As long as you own the architecture, you will always be at risk. The attack vector for Meltdown is extremely unlikely. If you trust everyone that uses your pc locally, then you have nothing to worry about, do you...


(https://i.ytimg.com/vi/RhlXqYiTz2Q/hqdefault.jpg)
Title: Re: Meltdown & Spectre Information and Discussion
Post by: Searchernow on July 27, 2019, 04:50:16 PM
Agreed.
Title: Re: Meltdown & Spectre Information and Discussion
Post by: TheDead on July 29, 2019, 12:13:39 AM
Quote
If you trust everyone that uses your pc locally, then you have nothing to worry about, do you...

But, can you REALLY trust anyone? Your family could have been infiltrated years ago and your life a lie.
(reference to a 2001 movie called "Antitrust", was pretty cool ;) )

Trust no one! (insert X-File music)

(http://cdn.shopify.com/s/files/1/0770/1289/products/unisex_tno2_grande.jpg?v=1509566855)