Puppy Linux Discussion Forum Forum Index Puppy Linux Discussion Forum
Puppy HOME page : puppylinux.com
"THE" alternative forum : puppylinux.info
 
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 

The time now is Fri 23 Feb 2018, 22:56
All times are UTC - 4
 Forum index » Off-Topic Area » Security
Intel, AMD, ARM--all chips found to pose huge security risk
Post new topic   Reply to topic View previous topic :: View next topic
Page 2 of 2 [24 Posts]   Goto page: Previous 1, 2
Author Message
prehistoric


Joined: 23 Oct 2007
Posts: 1724

PostPosted: Tue 09 Jan 2018, 11:00    Post subject:  

ZDnet has a useful explanation of the problem.

Their Vatican library analogy is not perfect, but it could be. Once you have made the request, the time required to process a later request drops dramatically. This is because the librarian now knows that the book exists, and that you are not allowed to see it. In this case the librarian's short-term memory plays the part of the cache.

Trying to use this at the real Vatican would raise suspicions about the reason for so many requests, but computer hardware has no such suspicions. If you can get one bit of information from one request, nothing stops you from playing 20 questions to get more detailed information. Because the memory protection operations take place after data has been fetched for speculative execution you can choose any instruction you like to execute on data you should not be allowed to see. Doing this billions of times a second can suck up all kinds of data.
Back to top
View user's profile Send private message 
jamesbond

Joined: 26 Feb 2007
Posts: 3144
Location: The Blue Marble

PostPosted: Tue 09 Jan 2018, 12:39    Post subject:  

<sarcasm>Just can't wait for WASM to arrive. It will be ... wonderful Twisted Evil </sarcasm>
_________________
Fatdog64, Slacko and Puppeee user. Puppy user since 2.13.
Contributed Fatdog64 packages thread.
Back to top
View user's profile Send private message 
prehistoric


Joined: 23 Oct 2007
Posts: 1724

PostPosted: Thu 11 Jan 2018, 12:47    Post subject:  

Here's another article on how to check if you are protected from Meltdown and Spectre.

The BIOS/UEFI updates are another problem to deal with. What is going on here is motherboard firmware loading new microcode into a writable microcode store used for patching bugs in the hardware. In my experience Intel security about how their microcode works is tighter than government security about major weapons systems. If this has been compromised it is quite possible attackers would use this opportunity to install their own backdoors into computers at a level that would be hard to avoid. A more subtle attack would be to provide bogus updates that do nothing, leaving the machine vulnerable to known attacks.

The major suppliers are providing updates to their BIOS/UEFI code for machines made in the last 5 years. Older machines will remain at risk, and the natural recommendation is to replace all such. This is the way companies can turn a profit from a major blunder. Read licensing and terms of service to see how little legal liability they have.

It is a safe bet that these measures will not be applied to large numbers of systems, leaving attackers the opportunity to find weakest links into organizations. Even if every machine in an organization is protected, it is a safe bet that some employees will have machines at home that are not protected. We can also expect to discover people storing their passwords for secure systems on insecure smart phones.

This will play out over a period of years.

How did we get in this mess?

The answer is that software architects were assuming that hardware protection would isolate processes running untrusted code from the most trusted kernel processes. This meant they did not have to worry about what code might be doing in those processes or containers. Knowing this is not true means you have to worry about every kind of code that might be downloaded, uploaded or compiled in an untrusted process. That covers a lot of territory.

(Many years ago, I showed someone how his neat trick with Word macros could be used to execute arbitrary code via a script. I had sat on this knowledge for about a year to allow a fix. M$ Office greatly expands the possibilities. At the time I first thought of this M$ Office did not exist, and that is really prehistoric.)

The vulnerability also applies to things run in virtual machines, and that means one hell of a lot of the Internet.
Back to top
View user's profile Send private message 
Sailor Enceladus

Joined: 22 Feb 2016
Posts: 1453

PostPosted: Thu 11 Jan 2018, 15:15    Post subject:  

My Pentium M is safe from Meltdown. The kernel should disable kpti if CPU is <=Core2Duo or <BayTrailAtom (see SA-00088).

Prove me wrong hackers Smile
Back to top
View user's profile Send private message 
B.K. Johnson

Joined: 12 Oct 2009
Posts: 651

PostPosted: Thu 11 Jan 2018, 17:28    Post subject:  

Hi guys and gals

Ask Leo (Leo Notenboom) provides a very good understandable analogy on this page: What Do I Need to Do About Spectre and Meltdown
:
Don't give up before you get to: OK, but, what are these two things?

_________________
B.K. Johnson
tahrpup-6.0.5 PAE (upgraded from 6.0 =>6.0.2=>6.0.3=>6.0.5 via quickpet/PPM=Not installed); slacko-5.7 occasionally. Frugal install, pupsave file, multi OS flashdrive, FAT32 , SYSLINUX boot, CPU-Dual E2140, 4GB RAM

Back to top
View user's profile Send private message 
8Geee


Joined: 12 May 2008
Posts: 1363
Location: N.E. USA

PostPosted: Thu 11 Jan 2018, 22:26    Post subject:  

I saw on Bloomberg this afternoon AMD officially announced some of their CPU's were vunerable. The TV segment did not go into detail.

rhetoric: Whoever knew "Atom" would actualy live up to its name? /rhet

Regards
8Geee

_________________
Linux user #498913

Good God!, by the stars in the sky we are lost!
And into the breach we got tossed!
And the world is comin' on fast! --Florence Welch
Back to top
View user's profile Send private message 
prehistoric


Joined: 23 Oct 2007
Posts: 1724

PostPosted: Fri 12 Jan 2018, 09:49    Post subject:  

AMD has been vulnerable to some forms of Spectre from day one, so that is not news. AMD used a different implementation than Intel for the memory protection and caching exploited in Meltdown. This means that Intel exploits will not necessarily work on AMD chips, but it does not say there will not be AMD specific Meltdown exploits. There probably will be.

One interesting tidbit about these vulnerabilities is that they were discovered independently by four different individuals or groups. None of these, with the exception of Google, were what I would call the powerhouses of the microcomputer world. None of the security companies involved appear to be closely associated with national intelligence agencies like NSA, CIA, GCHQ, FSB or GRU. (It is easy to name some that are close.)

Google's Project Zero has previously caused intelligence agencies problems by disclosing vulnerabilities they were able to use. My inference from this is that neither the intelligence agencies nor the major suppliers of chips and software were interested in finding this. That makes me wonder if they already knew. Since these exploits do not leave malware code in the system or evidence in kernel logs it would be pure gold for an intelligence agency that wanted to exploit it without being detected.
Back to top
View user's profile Send private message 
prehistoric


Joined: 23 Oct 2007
Posts: 1724

PostPosted: Sat 13 Jan 2018, 21:30    Post subject:  

The New York Times has an opinion piece about IT security, or lack of accountability for same. The author has an obvious personal interest in the subject, but begins to make a valid point.

The question this article raises in my mind is: just how much are companies and governments currently spending for IT security neither they nor we, the users of these systems, are getting?

Isn't it time to approach the subject in a markedly different way?
Back to top
View user's profile Send private message 
ozsouth

Joined: 01 Jan 2010
Posts: 274
Location: S.E Australia

PostPosted: Sun 14 Jan 2018, 01:28    Post subject:  

Since my patching attempts failed & I can't see puppy updates coming soon, got a cheap tablet (Lenovo Tab 3 Essential 7"). Apparently Cortex-A7 chips tho slow, are immune to meltdown/spectre. After testing, not bad for AUD 96 - can even use low-res Foxtel (pay tv) app.
Back to top
View user's profile Send private message 
Display posts from previous:   Sort by:   
Page 2 of 2 [24 Posts]   Goto page: Previous 1, 2
Post new topic   Reply to topic View previous topic :: View next topic
 Forum index » Off-Topic Area » Security
Jump to:  

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Powered by phpBB © 2001, 2005 phpBB Group
[ Time: 0.0788s ][ Queries: 14 (0.0099s) ][ GZIP on ]