You are Here:
Linux Lite 6.6 FINAL Released - Support for 22 Languages Added - See Release Announcement Section



Meltdown & Spectre Information and Discussion

Author (Read 167696 times)

0 Members and 11 Guests are viewing this topic.

Re: Meltdown & Spectre Information and Discussion
« Reply #23 on: January 07, 2018, 08:19:17 AM »
 

trinidad

  • Platinum Level Poster
  • **********
  • 1461
    Posts
  • Reputation: 212
  • Linux Lite Member
    • View Profile
    • dbts-analytics.com

  • CPU: i7 4 cores 8 threads

  • MEMORY: 16Gb

  • VIDEO CARD: Intel HD graphics

  • Kernel: 5.x
Ultimately the issue of computer security, in any sense whatsoever, is open source code. Speculative execution would not be a security issue at all if the processor code was open source. You cannot compare for bit parity for binaries you cannot access. We banged this around years ago and recommended dual CPU's and one bank of protected memory for low level binary comparisons. As long as OEM vendors refuse access to binary setups there is no solution that will ever be secure. The amount of patching in Debian is probably headed for fifty different specific application instances. At the high end, giant service providers are going to absorb a big hit and be forced to purchase more rack space to deal with the performance issues this ridiculous proprietary policy has caused. Intel's partnerships are just extortion in this sense and always have been. 

TC 
All opinions expressed and all advice given by Trinidad Cruz on this forum are his responsibility alone and do not necessarily reflect the views or methods of the developers of Linux Lite. He is a citizen of the United States where it is acceptable to occasionally be uninformed and inept as long as you pay your taxes.
 

Re: Meltdown & Spectre Information and Discussion
« Reply #22 on: January 07, 2018, 07:54:49 AM »
 

bitsnpcs

  • Platinum Level Poster
  • **********
  • 3237
    Posts
  • Reputation: 305
    • View Profile
    • Try to Grow

  • Kernel: 4.x
(Intel CEO) Krzanich said the entire industry was planning to publish the data security issue once the fix was in place — but the problem leaked early.
"Why did it leak ahead of time? Somebody was doing some updates on a Linux kernel and they improperly posted that this was due to this flaw," Krzanich said.
TC     

I like the quote, it'll be good for paraphrasing - "(Intel CEO) Krzanich said, everything was fine until those rebellious Linux geeks moved their fingers"
 

Re: Meltdown & Spectre Information and Discussion
« Reply #21 on: January 07, 2018, 07:33:14 AM »
 

bitsnpcs

  • Platinum Level Poster
  • **********
  • 3237
    Posts
  • Reputation: 305
    • View Profile
    • Try to Grow

  • Kernel: 4.x
As interesting as all this is, and no doubt will become more interesting now as it all unfolds in the future, I can't say I'm surprised.
Big business usually doesn't give a sh*t about anything but big business.
I'd near bet if they weren't caught with their pants down it wouldn't have been published at all.
« Last Edit: May 23, 2018, 06:06:22 AM by bitsnpcs »
 

Re: Meltdown & Spectre Information and Discussion
« Reply #20 on: January 06, 2018, 09:40:11 PM »
 

JmaCWQ

  • Forum Regular
  • ***
  • 227
    Posts
  • Reputation: 44
    • View Profile
As interesting as all this is, and no doubt will become more interesting now as it all unfolds in the future, I can't say I'm surprised.
Big business usually doesn't give a sh*t about anything but big business.
I'd near bet if they weren't caught with their pants down it wouldn't have been published at all.
 

Re: Meltdown & Spectre Information and Discussion
« Reply #19 on: January 06, 2018, 09:56:53 AM »
 

trinidad

  • Platinum Level Poster
  • **********
  • 1461
    Posts
  • Reputation: 212
  • Linux Lite Member
    • View Profile
    • dbts-analytics.com

  • CPU: i7 4 cores 8 threads

  • MEMORY: 16Gb

  • VIDEO CARD: Intel HD graphics

  • Kernel: 5.x
(Intel CEO) Krzanich said the entire industry was planning to publish the data security issue once the fix was in place — but the problem leaked early.
"Why did it leak ahead of time? Somebody was doing some updates on a Linux kernel and they improperly posted that this was due to this flaw," Krzanich said.

Exaclty who is the "entire industry" that so agreeably decided not to publish? Why is it "improper" to publish concerning a vulnerability, especially one that has been speculated about for years? Why would the US government drag its feet all this time? In fact Amazon (the only one that admits it "officially") was aware nearly two years ago. Suse Enterprise and RHEL well before that (which could aguably mean the whole Linux community). Why not publish? Proof of concept was obvious long ago. A working exploit was unneccessary. Why would the whole "white hat" community be coerced and/or intimidated by Intel not to publish? Intel's system of partnerships and non-disclosure agreements violates so many laws in the US that it is literally an issue for the ACLU, yet no one ever attempts to call them out. They are in general a national security issue for the US. Enough is enough. Funny how the annoncement didn't leak until after the Christmas buying season, a shame too. A good deep public panic would have given the WWW a much needed enema.

 http://www.techradar.com/news/computing-components/processors/need-for-speed-a-history-of-overclocking-540671/2

I honestly remember being aware of this issue sometime around 2001 and having a discussion about it with some other hobbyists from that era. We considered it trivial at the time, but I reported it via e-mail to Suse. I can't remember what ISP I had at the time (the one from Ohio not AOL and not Prodigy) I wish I could because other hobbyist over-clockers at the time were aware of it as well. There is a history of awareness of this flaw that goes back at least 15 years and eventually it's going to appear taking away Intel's hope of any plausible denial.
 
TC     
« Last Edit: January 06, 2018, 10:45:22 AM by trinidad »
All opinions expressed and all advice given by Trinidad Cruz on this forum are his responsibility alone and do not necessarily reflect the views or methods of the developers of Linux Lite. He is a citizen of the United States where it is acceptable to occasionally be uninformed and inept as long as you pay your taxes.
 

Re: Meltdown & Spectre Information and Discussion
« Reply #18 on: January 05, 2018, 10:03:24 AM »
 

richtea

  • Occasional Poster
  • **
  • 57
    Posts
  • Reputation: 5
  • Linux Lite Member
    • View Profile

  • CPU: E3815 @ 1.46 GHz

  • MEMORY: 4Gb

  • VIDEO CARD: Intel Atom Z36xxx/Z37xxx Series
The Linus Torvalds email message is well worth reading; quote:


"I think somebody inside of Intel needs to really take a long hard look
at their CPU's, and actually admit that they have issues instead of
writing PR blurbs that say that everything works as designed."


Designed. Yes, in this instance the company is telling the truth.
Terry Davis Command Line video cracks me up.
Quod delere vos ego faciam permanens.
 

Re: Meltdown & Spectre Information and Discussion
« Reply #17 on: January 05, 2018, 08:54:22 AM »
 

Jocklad

  • Banned
  • Gold Level Poster
  • *******
  • 508
    Posts
  • Reputation: 67
  • Linux Lite Member
    • View Profile

  • MEMORY: 8Gb
So....If I am reading this right,We are going to get a software fix for a faulty hardware problem...?.  ::)
 

Re: Meltdown & Spectre Information and Discussion
« Reply #16 on: January 05, 2018, 07:22:51 AM »
 

trinidad

  • Platinum Level Poster
  • **********
  • 1461
    Posts
  • Reputation: 212
  • Linux Lite Member
    • View Profile
    • dbts-analytics.com

  • CPU: i7 4 cores 8 threads

  • MEMORY: 16Gb

  • VIDEO CARD: Intel HD graphics

  • Kernel: 5.x
To sum up myself: a nuisance with a price tag in manhours and compute time and a bad business practice from a company (Intel) that continues to operate above the law, and a community wide bandwagon of denial that everyone has been riding on for at least 10 years that I know of in the name of progress, Ethically speaking akin to testing drugs on people without having to pay them for the use of their body, claimed to be for the greater good of humanity. Driving at high speed is fun as long your brakes work properly, Ethics are the brakes.

TC 

https://www.intel.com/content/www/us/en/policy/policy-code-conduct-corporate-information.html

Read the section on privacy.
« Last Edit: January 05, 2018, 07:51:31 AM by trinidad »
All opinions expressed and all advice given by Trinidad Cruz on this forum are his responsibility alone and do not necessarily reflect the views or methods of the developers of Linux Lite. He is a citizen of the United States where it is acceptable to occasionally be uninformed and inept as long as you pay your taxes.
 

Re: Meltdown & Spectre Information and Discussion
« Reply #15 on: January 05, 2018, 06:51:54 AM »
 

rokytnji

  • Friganeer
  • Platinum Level Poster
  • **********
  • 1255
    Posts
  • Reputation: 139
    • View Profile

  • CPU: Intel Core2 Duo U9600

  • MEMORY: 4Gb

  • VIDEO CARD: Intel Mobile 4
If you wanna do a quick check on your own. Just for piece of mind I guess.


Code: [Select]
dd if=/dev/zero of=/tmp/testfile bs=512 count=5000000

<use sudo in Linux Lite>

Linus Torvalds thoughts on all of this hoopla.

https://lkml.org/lkml/2018/1/3/797



[color=inherit ! important][size=13px ! important][/size][/color]
LL 3.6,2.8
Dell XT2 > Touchscreen Laptop
Dell 755 > Desktop
Acer 150 > Desktop
I am who I am. Your approval is not needed.
 

Re: Meltdown & Spectre Information and Discussion
« Reply #14 on: January 05, 2018, 03:59:02 AM »
 

ian_r_h

  • Merchandise Supporter
  • Forum Regular
  • *****
  • 103
    Posts
  • Reputation: 10
  • Linux Lite Member
    • View Profile
An update on (hopefully) reputable and authoritative information sources this morning regarding Meltdown and Spectre.

Personally I agree with Jerry:  Don't panic - there is no known malware exploiting these yet.  Meltdown looks specific to Intel, and is the "easier" both to exploit and to patch; Spectre affects many more processors (including ARM and AMD as well as Intel), and is both harder to exploit and patch.  At least according to these websites.

BBC News has two articles which may be of interest (the second if you are also an Apple user):
http://www.bbc.co.uk/news/technology-42562303
http://www.bbc.co.uk/news/technology-42575033

Leading cryptography expert Bruce Schneier says he plans to write more soon on his blog, and has a brief summary of the technical issue that is easy to read:
https://www.schneier.com/

4.4.x series updated in Kernel 4.4.109 (among other versions):
https://fullcirclemagazine.org/2018/01/04/linux-kernels-4-14-11-4-9-74-4-4-109-3-16-52-and-3-2-97-patch-meltdown-flaw/

The Department of Homeland Security (USA) website contains additional information on the general problem, as well as links to vendor-specific information:
https://www.us-cert.gov/ncas/alerts/TA18-004A

Threatpost has details on ARM and AMD chips not affected by Spectre (according to the manufacturers) among other things:
https://threatpost.com/vendors-share-patch-updates-on-spectre-and-meltdown-mitigation-efforts/129307/

Happy Computing! :)
Don't worry about artificial intelligence.  Worry about natural stupidity.  :)
 

Re: Meltdown & Spectre Information and Discussion
« Reply #13 on: January 05, 2018, 02:40:03 AM »
 

Jerry

  • Linux Lite Creator
  • Administrator
  • Platinum Level Poster
  • *****
  • 8775
    Posts
  • Reputation: 801
  • Linux Lite Member
    • View Profile
    • Linux Lite OS

  • CPU: Intel Core i9-10850K CPU @ 3.60GHz

  • MEMORY: 32Gb

  • VIDEO CARD: nVidia GeForce GTX 1650

  • Kernel: 5.x
Ubuntu plan to release Kernel updates early next week, in or around the 9th.

Sent from my Mobile phone using Tapatalk

 

Re: Meltdown & Spectre Information and Discussion
« Reply #12 on: January 05, 2018, 02:32:11 AM »
 

Jerry

  • Linux Lite Creator
  • Administrator
  • Platinum Level Poster
  • *****
  • 8775
    Posts
  • Reputation: 801
  • Linux Lite Member
    • View Profile
    • Linux Lite OS

  • CPU: Intel Core i9-10850K CPU @ 3.60GHz

  • MEMORY: 32Gb

  • VIDEO CARD: nVidia GeForce GTX 1650

  • Kernel: 5.x



Just to explain myself. In my area. I am more likely to have have my car stereo stolen stolen than this exploit to take hold on my computers.
I care more about the stereo.

Indeed. Are hackers going to target Joe Nothing living at 123 Who Cares Street or do they have juicer targets?

Sent from my Mobile phone using Tapatalk

 

Re: Meltdown & Spectre Information and Discussion
« Reply #11 on: January 04, 2018, 05:45:05 PM »
 

rokytnji

  • Friganeer
  • Platinum Level Poster
  • **********
  • 1255
    Posts
  • Reputation: 139
    • View Profile

  • CPU: Intel Core2 Duo U9600

  • MEMORY: 4Gb

  • VIDEO CARD: Intel Mobile 4
Meh,

Code: [Select]
~$ inxi -f
CPU:       Single core AMD Athlon 64 3800+ (-UP-) cache: 512 KB
           speed/max: 1000/2400 MHz
           CPU Flags: 3dnow 3dnowext 3dnowprefetch apic clflush cmov
           cr8_legacy cx16 cx8 de extapic extd_apicid fpu fxsr fxsr_opt
           lahf_lm lm mca mce mmx mmxext msr mtrr nopl nx pae pat pge pni pse
           pse36 rdtscp rep_good sep sse sse2 svm syscall tsc vme vmmcall

$ inxi -S
System:    Host: biker Kernel: 4.4.0-104-generic x86_64 (64 bit)
           Desktop: Xfce 4.12.3 Distro: Ubuntu 16.04 xenial
$ cat /etc/llver
Linux Lite 3.6


Edit: Just to explain myself. In my area. I am more likely to have have my car stereo stolen stolen than this exploit to take hold on my computers.
I care more about the stereo.
« Last Edit: January 04, 2018, 06:28:25 PM by rokytnji »
LL 3.6,2.8
Dell XT2 > Touchscreen Laptop
Dell 755 > Desktop
Acer 150 > Desktop
I am who I am. Your approval is not needed.
 

Re: Meltdown & Spectre Information and Discussion
« Reply #10 on: January 04, 2018, 11:35:49 AM »
 

trinidad

  • Platinum Level Poster
  • **********
  • 1461
    Posts
  • Reputation: 212
  • Linux Lite Member
    • View Profile
    • dbts-analytics.com

  • CPU: i7 4 cores 8 threads

  • MEMORY: 16Gb

  • VIDEO CARD: Intel HD graphics

  • Kernel: 5.x
I have two Windows 10 machines that have been already patched (both originally developer/insider mode) and have had no problems so far, and no noticeable performance issues though there are reports of some VM complications elsewhere. In the case of Linux this is another OEM hardware nuisance which like all such nuisances diffuses down to ordinary users with some over-reaction. Spectre is a threat to ordinary users but only on multi-user boxes i/e - do you trust your wife? I played around with this issue some years back on a Suse Linux system I administrated. It has been known in some form or another for quite a while, but developers never looked at it as particularly threatening. It's the nature of CPUs themselves to not be secure, and again this problem lies within the the whole idea of low level proprietary code. It should be a legal issue with tart recourse to the courts, but who's big enough to sue, maybe Google, or Amazon. Big business is a strangely esoteric political beast here in the US - The government bails out GM but upholds a billion dollar penalty against Ford for bad tires. I can't think of a company in recent history that deserved a class action suit against them more than Intel. As far as civil disobedience perhaps a well organized boycott of Google and Amazon would do the trick but in a lot of ways consumerism is an addiction so that would be awfully hard to organize. Buying a computer for your kids to use is a lot like taking your kids to the doctor. The difference is that most doctors live by a code of ethics, while OEM hardware is produced with an eye to insulating the developers from any liability. Intel developers don't need malpractice insurance. Intel is so big and internationalized that the US government must cast a wary eye on their hardware to protect itself. I have often thought that the first line of recourse for the government is to use the SEC to suspend trading of Intel, and then go from there.

TC

Additionally: "News" of this is hardly new. Only the exploit news part of it, which was held back by Google in agreement with Intel. I highly doubt that AMD is not vulnerable with a modified version. Any 64bit multt-core cached cpu is vulnerable. This has always been known of speculative processes. The bigger the processor the greater the possibility of stealing information. That is the only reason this has suddenly become important. CPUs are finally big enough to cough up and spew considerable information via the hack. Hilariously the hack will still work even with the patch by simply falling back to the old kernel address system. It is not a permanent solution. The permanent solutuion is full and complete free access to CPU microcode.

   
« Last Edit: January 04, 2018, 03:17:28 PM by trinidad »
All opinions expressed and all advice given by Trinidad Cruz on this forum are his responsibility alone and do not necessarily reflect the views or methods of the developers of Linux Lite. He is a citizen of the United States where it is acceptable to occasionally be uninformed and inept as long as you pay your taxes.
 

Re: Meltdown & Spectre Information and Discussion
« Reply #9 on: January 04, 2018, 10:11:57 AM »
 

ian_r_h

  • Merchandise Supporter
  • Forum Regular
  • *****
  • 103
    Posts
  • Reputation: 10
  • Linux Lite Member
    • View Profile
OK.

I've had a few minutes to research this further, since coming to it myself first time first thing this morning.

There are two bugs reported:  MELTDOWN and SPECTRE.  According to Wikipedia:-

"The Meltdown vulnerability can be thought of as a particularly easy and efficient-to-implement special case of Spectre."  Note that there is no citation and it is reported as needing one; indeed citation is lacking in the Spectre entry at this time.

"Two Common Vulnerabilities and Exposures IDs related to Spectre, CVE-2017-5753 and CVE-2017-5715, have been issued."

Spectre affects Intel, AMD and ARM processors.

"[Meltdown] was issued a Common Vulnerabilities and Exposures ID of CVE-2017-5754."

Meltdown affects Intel processors and "does not seem to affect AMD microprocessors".

The Wikipedia entries are at:-

https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)
https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)

There is a website for Meltdown and Spectre (which both Wikipedia articles label as the "official website") at:

https://meltdownattack.com/

Hope this helps, though I'm still reading up on it at the moment.
Don't worry about artificial intelligence.  Worry about natural stupidity.  :)
 

 

-->
X Close Ad

Linux Lite 6.6 FINAL Released - Support for 22 Languages Added - See Release Announcement Section