Puppy Linux Discussion Forum Forum Index Puppy Linux Discussion Forum
Puppy HOME page : puppylinux.com
"THE" alternative forum : puppylinux.info
 
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 

The time now is Fri 22 Jun 2018, 02:23
All times are UTC - 4
 Forum index » Off-Topic Area » Security
Intel, AMD, ARM--all chips found to pose huge security risk
Post new topic   Reply to topic View previous topic :: View next topic
Page 2 of 2 [28 Posts]   Goto page: Previous 1, 2
Author Message
prehistoric


Joined: 23 Oct 2007
Posts: 1733

PostPosted: Tue 09 Jan 2018, 11:00    Post subject:  

ZDnet has a useful explanation of the problem.

Their Vatican library analogy is not perfect, but it could be. Once you have made the request, the time required to process a later request drops dramatically. This is because the librarian now knows that the book exists, and that you are not allowed to see it. In this case the librarian's short-term memory plays the part of the cache.

Trying to use this at the real Vatican would raise suspicions about the reason for so many requests, but computer hardware has no such suspicions. If you can get one bit of information from one request, nothing stops you from playing 20 questions to get more detailed information. Because the memory protection operations take place after data has been fetched for speculative execution you can choose any instruction you like to execute on data you should not be allowed to see. Doing this billions of times a second can suck up all kinds of data.
Back to top
View user's profile Send private message 
jamesbond

Joined: 26 Feb 2007
Posts: 3149
Location: The Blue Marble

PostPosted: Tue 09 Jan 2018, 12:39    Post subject:  

<sarcasm>Just can't wait for WASM to arrive. It will be ... wonderful Twisted Evil </sarcasm>
_________________
Fatdog64, Slacko and Puppeee user. Puppy user since 2.13.
Contributed Fatdog64 packages thread.
Back to top
View user's profile Send private message 
prehistoric


Joined: 23 Oct 2007
Posts: 1733

PostPosted: Thu 11 Jan 2018, 12:47    Post subject:  

Here's another article on how to check if you are protected from Meltdown and Spectre.

The BIOS/UEFI updates are another problem to deal with. What is going on here is motherboard firmware loading new microcode into a writable microcode store used for patching bugs in the hardware. In my experience Intel security about how their microcode works is tighter than government security about major weapons systems. If this has been compromised it is quite possible attackers would use this opportunity to install their own backdoors into computers at a level that would be hard to avoid. A more subtle attack would be to provide bogus updates that do nothing, leaving the machine vulnerable to known attacks.

The major suppliers are providing updates to their BIOS/UEFI code for machines made in the last 5 years. Older machines will remain at risk, and the natural recommendation is to replace all such. This is the way companies can turn a profit from a major blunder. Read licensing and terms of service to see how little legal liability they have.

It is a safe bet that these measures will not be applied to large numbers of systems, leaving attackers the opportunity to find weakest links into organizations. Even if every machine in an organization is protected, it is a safe bet that some employees will have machines at home that are not protected. We can also expect to discover people storing their passwords for secure systems on insecure smart phones.

This will play out over a period of years.

How did we get in this mess?

The answer is that software architects were assuming that hardware protection would isolate processes running untrusted code from the most trusted kernel processes. This meant they did not have to worry about what code might be doing in those processes or containers. Knowing this is not true means you have to worry about every kind of code that might be downloaded, uploaded or compiled in an untrusted process. That covers a lot of territory.

(Many years ago, I showed someone how his neat trick with Word macros could be used to execute arbitrary code via a script. I had sat on this knowledge for about a year to allow a fix. M$ Office greatly expands the possibilities. At the time I first thought of this M$ Office did not exist, and that is really prehistoric.)

The vulnerability also applies to things run in virtual machines, and that means one hell of a lot of the Internet.
Back to top
View user's profile Send private message 
Sailor Enceladus

Joined: 22 Feb 2016
Posts: 1512

PostPosted: Thu 11 Jan 2018, 15:15    Post subject:  

My Pentium M is safe from Meltdown. The kernel should disable kpti if CPU is <=Core2Duo or <BayTrailAtom (see SA-00088).

Prove me wrong hackers Smile
Back to top
View user's profile Send private message 
B.K. Johnson

Joined: 12 Oct 2009
Posts: 653

PostPosted: Thu 11 Jan 2018, 17:28    Post subject:  

Hi guys and gals

Ask Leo (Leo Notenboom) provides a very good understandable analogy on this page: What Do I Need to Do About Spectre and Meltdown
:
Don't give up before you get to: OK, but, what are these two things?

_________________
B.K. Johnson
tahrpup-6.0.5 PAE (upgraded from 6.0 =>6.0.2=>6.0.3=>6.0.5 via quickpet/PPM=Not installed); slacko-5.7 occasionally. Frugal install, pupsave file, multi OS flashdrive, FAT32 , SYSLINUX boot, CPU-Dual E2140, 4GB RAM

Back to top
View user's profile Send private message 
8Geee


Joined: 12 May 2008
Posts: 1570
Location: N.E. USA

PostPosted: Thu 11 Jan 2018, 22:26    Post subject:  

I saw on Bloomberg this afternoon AMD officially announced some of their CPU's were vunerable. The TV segment did not go into detail.

rhetoric: Whoever knew "Atom" would actualy live up to its name? /rhet

Regards
8Geee

_________________
Linux user #498913

Some people need to reimagine their thinking.
Back to top
View user's profile Send private message 
prehistoric


Joined: 23 Oct 2007
Posts: 1733

PostPosted: Fri 12 Jan 2018, 09:49    Post subject:  

AMD has been vulnerable to some forms of Spectre from day one, so that is not news. AMD used a different implementation than Intel for the memory protection and caching exploited in Meltdown. This means that Intel exploits will not necessarily work on AMD chips, but it does not say there will not be AMD specific Meltdown exploits. There probably will be.

One interesting tidbit about these vulnerabilities is that they were discovered independently by four different individuals or groups. None of these, with the exception of Google, were what I would call the powerhouses of the microcomputer world. None of the security companies involved appear to be closely associated with national intelligence agencies like NSA, CIA, GCHQ, FSB or GRU. (It is easy to name some that are close.)

Google's Project Zero has previously caused intelligence agencies problems by disclosing vulnerabilities they were able to use. My inference from this is that neither the intelligence agencies nor the major suppliers of chips and software were interested in finding this. That makes me wonder if they already knew. Since these exploits do not leave malware code in the system or evidence in kernel logs it would be pure gold for an intelligence agency that wanted to exploit it without being detected.
Back to top
View user's profile Send private message 
prehistoric


Joined: 23 Oct 2007
Posts: 1733

PostPosted: Sat 13 Jan 2018, 21:30    Post subject:  

The New York Times has an opinion piece about IT security, or lack of accountability for same. The author has an obvious personal interest in the subject, but begins to make a valid point.

The question this article raises in my mind is: just how much are companies and governments currently spending for IT security neither they nor we, the users of these systems, are getting?

Isn't it time to approach the subject in a markedly different way?
Back to top
View user's profile Send private message 
ozsouth

Joined: 01 Jan 2010
Posts: 333
Location: S.E Australia

PostPosted: Sun 14 Jan 2018, 01:28    Post subject:  

Since my patching attempts failed & I can't see puppy updates coming soon, got a cheap tablet (Lenovo Tab 3 Essential 7"). Apparently Cortex-A7 chips tho slow, are immune to meltdown/spectre. After testing, not bad for AUD 96 - can even use low-res Foxtel (pay tv) app.
Back to top
View user's profile Send private message 
prehistoric


Joined: 23 Oct 2007
Posts: 1733

PostPosted: Sat 31 Mar 2018, 12:58    Post subject: And the beat goes on
Subject description: M$ fixes previous fixes for W7
 

We have new evidence that supporting W7 was not really high on Microsoft's list of priorities. I'm having trouble tallying the number of problems introduced versus those eliminated.

My own take is that all these companies have managed to complicate matters to such an extent they cannot support any system that has been used long enough to be considered reliable and secure. Efforts to vacuum up as much information about user activities as possible have continued to advance. People stunned by revelations about information acquired via Facebook or Google, then sold and reused for purposes those users would never have agreed to, have simply not been paying attention. If you are using a service you aren't paying for, it should be axiomatic that you are the product they are selling.

This is not simply a rant about M$. I have an Android tablet that is unlikely to ever be updated from Android 4.4, and a 4th generation iPad which is only fairly secure running iOS 10.3.3.

New devices are mainly considered secure because they have not been tested as extensively, and thus show fewer known vulnerabilities. Some of those discovered have been hard to imagine. Mac OS High Sierra 10.13.1 was rolled out with a lapse that allowed administrator login with no password.
Back to top
View user's profile Send private message 
belham2

Joined: 15 Aug 2016
Posts: 1520

PostPosted: Sat 31 Mar 2018, 13:13    Post subject:  

Boy, Prehistoric, I sure hope this all doesn't give the world's hardware gang (Intel, AMD, Qualcomm, even Google & its chips, plus MSFT's hardware, etc) any ideas about a possible "new & improved" business model:

1. Release something

2. Hope that massive holes & bugs & problems are found less than a year or two down the road.

3. Release something new that supposedly fixes it all

4. Lather, rinse, repeat...... Confused
Back to top
View user's profile Send private message 
prehistoric


Joined: 23 Oct 2007
Posts: 1733

PostPosted: Sat 31 Mar 2018, 20:28    Post subject:  

@belham2,

At least the chips are things you can hold in your hand, and can be demonstrated to actually do something. Massive software is much harder to categorize in terms of how it behaves, thinking of it as a black box. When a new version comes out, how do you know if it addresses your problems better, or introduces new problems that benefit those selling?

There is a considerable business of selling things that are even less tangible. Consider this movie about massive fraud currently happening in U.S. stock markets. Pay attention to how major auditing firms like Price-Waterhouse have dramatically failed to uncover this because they only checked the paperwork. (To be even-handed, I remind people that Ernst & Young totally failed to warn investors about the looming collapse of Lehman Brothers in 2008. They remain in business today, unlike Arthur Anderson, which lost credibility by failing to detect massive fraud by Enron in 2001. Quis custodiet ipsos custodes?)

Just how far can criminals get before various institutional checks prevent them from going further? Consider Operation Odessa. They may not even be the biggest crooks out there, though they certainly are colorful.
Back to top
View user's profile Send private message 
8Geee


Joined: 12 May 2008
Posts: 1570
Location: N.E. USA

PostPosted: Tue 03 Apr 2018, 19:18    Post subject:  

That Chinese fraud had inadvertantly popped-up its head in at least two ways that I'm aware of.

The first was reported by 60-Minutes 3-4 years ago about the huge condo-cities that have owners, yet are empty. Even the huge parking facilities.

The second was the Macau rob you blind gaming. No one cared how much was won or lost, but rather, who was losing, and how many employees/pertners/friends of the subject were involved. A case of Gang-economics and laundering.

Belham2... Ahh, yes, the addiction syndrome. "may I have another, sir?"

Regards
8Geee

_________________
Linux user #498913

Some people need to reimagine their thinking.
Back to top
View user's profile Send private message 
Display posts from previous:   Sort by:   
Page 2 of 2 [28 Posts]   Goto page: Previous 1, 2
Post new topic   Reply to topic View previous topic :: View next topic
 Forum index » Off-Topic Area » Security
Jump to:  

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Powered by phpBB © 2001, 2005 phpBB Group
[ Time: 0.0647s ][ Queries: 12 (0.0155s) ][ GZIP on ]