Your Intel x86 CPU is Deeply Flawed (Meltdown/Spectre) - Page 18

Comments

  • datanoise Member
    edited January 2018

    Time passes, and there's still no patches for FreeBSD.

    Doesn't make one feel confident about focusing on that OS for future projects...

  • @datanoise said:
    Time passes, and there's still no patches for FreeBSD.

    Doesn't make one feel confident about focusing on that OS for future projects...

    a) Actually I saw some noise at FreeBSD re. patches/fixes being available or coming very soon.

    b) So what? Intel and some distros had to call back and pull back quite some of the urgently pushed out stuff (plus many do not change anyway due to performance concerns).

    So, maybe the FreeBSD guys did the right thing (or at least what now turns out to be the right thing).

    And btw. because it's really important: Let us avoid the error to think k := {known problems } == a := { all problems }!

    Let us instead always be aware of the fact that a) the vast majority of potentially disastrous problems are quite old (which translates to "have stayed unknown for a long time"), and b) that the set of known problems is probably a mere subset, and highly likely a very small one, of all existing problems.

    A reasonable attitude re. safety/security strongly suggests to assume that the set of known problems is very small and that even a 100% S/M patch does not somehow magically make our boxen safe and secure.

    Thanked by 2: hostdare, datanoise
  • bsdguy said: coming very soon

    Thanks for your detailed answer.

    Patches should be available "soon", as per last news on the mailing lists, but it's still way longer than the fix on the Linux kernel which, afaik, works.

    But yeah I guess it's OK as you're probably right a > by a huge margin k!

  • sin Member
    edited January 2018

    @datanoise said:
    Time passes, and there's still no patches for FreeBSD.

    Doesn't make one feel confident about focusing on that OS for future projects...

    They're doing what they can to get patches out as quick as they can... https://wiki.freebsd.org/SpeculativeExecutionVulnerabilities (they received notice later than everyone else) and after using FreeBSD for most of my servers now I don't think I could go back to using Linux... my webservers on FreeBSD have been rock solid, perform really well, and it's just a joy to manage a BSD server :-).

  • raindog308 Administrator, Veteran

    datanoise said: Time passes, and there's still no patches for FreeBSD.

    Doesn't make one feel confident about focusing on that OS for future projects...

    OpenBSD sent a mail earlier this month saying they were starting from scratch when the public announcements came out. Apparently, they're not part of the privileged elite who get to see embargo'd bugs...which is so ironic it makes me laugh.

    I suspect that's what the BSD camp is fighting: big Linux distros (read: companies) got a preview and could start work weeks earlier...BSD was out in the cold until the public release of the bug info.

    https://marc.info/?l=openbsd-misc&m=151522749523849&w=2

  • Frankly the way the "elite" have handled this is abysmal.

    My primary Mac just got updates because I'm running a slightly older OS. My Mac Mini (running the latest OS) has been running horribly since it got updated. Some vendors are reverting their patches because of issues.

    Then there's Intel who actually has the nerve to release new products knowing full well they're vulnerable (and, yes, I do understand that a fix is not exactly something that can be dropped into a chip already being manufactured, but it still presents itself poorly and I'm sure could have been executed a bit better). Their CEO sold off his shares just before the public announcement (timing seems questionable based on the date of his SEC filing and Intel's being made aware of the issue).

    The entire ordeal is a mess.

  • raindog308 Administrator, Veteran

    JustAMacUser said: Their CEO sold off his shares just before the public announcement (timing seems questionable based on the date of his SEC filing and Intel's being made aware of the issue).

    The problem with this bit of conspiracy thinking is that INTC's price hasn't dropped dramatically since the Meltdown revelation. It was 47-ish in December, it's 45ish now, and its low was 42.70 or thereabouts. The CEO sold his shares for $44.05-$44.56 per share. He'd actually be ahead if he'd held.

    Generally, public corporation officers can't just call their broker and say "sell my Intel stock!" They have to schedule the sale in advance. I suppose how far in advance would be relevant here...I believe the execution date is public but the request date is not.

  • Yeah, it's public. But the actual date Intel found out isn't exactly known. It seems like the dates of his filing and discovery of the vulnerability are pretty close.

    I admit it's a bit of a conspiracy. And like you said, Intel stock is actually doing fine. But! Think about it from the executive's point of view: This was bad news and public reaction could have caused stock issues. It would have seemed like a smart move to sell. Plus he sold exactly what he was allowed to. Seems suspect. We'll probably never know for sure though.

  • sin said: after using FreeBSD for most of my servers now I don't think I could go back to using Linux...my webservers on FreeBSD have been rock solid, perform really well, and it's just a joy to manage a BSD server :-).

    Yeah, that's the main "problem" with BSD: after a while using it, it's difficult to consider using Linux again... everything appears so messy!

    The fact that they haven't been informed as early as other projects is pretty bad, I assume they do their best. Well, as long as those OSes aren't dead... :)

  • @nqservices said:
    Can Spectre flaw be exploited remotely just by having my computer connected to the internet? Or for a hacker to exploit it, it must have physical access to my computer and/or I have to download malware to be infected?

    Spectre is a new class (type) of attacks, not a single one. We currently know of 2 different attacks that belong to this class.

    One of them is remotely executable, by means of you visiting a website that has javascript code that runs the exploit. That easy. Fortunately, browsers have released patches that mostly resolved this by various means (i.e. Firefox did it a different way than Chrome because their browsers are architectured differently, but maybe there are edge cases or an evolution of the original attack method).

    The other one is local only but practically undetectable and there is no full patch yet.

    Worst is that the patches (when we have them) only fix those specific two attacks, NOT the whole class (which is probably not going to be fixed without hardware design changes or abysmal speed penalties).

    Thanked by 2: rm_, default
  • Neoon Community Contributor, Veteran
    edited February 2018

    https://newsroom.intel.com/news/security-issue-update-progress-continues-firmware-updates/

    So, Intel will soon push microcode updates only for SkyLake after that disaster and the users should test it.

    Why bother with testing? Let the users fry their hardware.

    Dicks.

  • @Neoon said:

    Dicks.

    Signed.

  • Still waiting for the updates for my 2 Thinkpad laptops. They have already postponed the updates 2 times. They told me they are still waiting for Intel. What a total mess!

    Also, for those who are also using Lenovo, you can check all the updates status at:
    https://support.lenovo.com/pt/en/solutions/len-18282

  • Neoon Community Contributor, Veteran
    edited May 2018

    Oh, 8 flaws, in Intel processors discovered, 4 of them are highly risky.
    That's gonna be goood.

    CVEs have already been created.

    https://www.reddit.com/r/Amd/comments/8go6eq/eight_new_spectre_bugs_found_in_intel_cpus/

    "I already wrote it, but because some might over-read it. The bugs were confirmed on Intel and are still tested on ARM and AMD Systems (and maybe others). Right now only Intel is affected, until we know about the finished tests of the other platforms. And don't you start to cheer against Intel. Those bugs suck and we will all have problems with it in the longer run."

    Thanked by 2: pike, Aidan
  • jsg Member, Resident Benchmarker

    @Neoon said:
    Oh, 8 flaws, in Intel processors discovered, 4 of them are highly risky.
    That's gonna be goood.

    @bsdguy said:
    And btw. because it's really important: Let us avoid the error to think k := {known problems } == a := { all problems }!

    Let us instead always be aware of the fact that a) the vast majority of potentially disastrous problems are quite old (which translates to "have stayed unknown for a long time"), and b) that the set of known problems is probably a mere subset, and highly likely a very small one, of all existing problems.

    Waiting for the AMD results ...

  • Aidan Member

    Oh, 8 flaws, in Intel processors discovered, 4 of them are highly risky.

    8 new ways to exploit Spectre, much of the same.

  • rm_ IPv6 Advocate, Veteran

    Reportedly the only fix for new vulnerabilities is to permanently switch CPUs into the Virtual 8086 mode. Only MS-DOS will be able to run on the patched CPUs, but OS vendors are said to be already porting their systems to run on top of the DOS environment.

  • Neoon Community Contributor, Veteran

    @rm_ said:
    Reportedly the only fix for new vulnerabilities is to permanently switch CPUs into the Virtual 8086 mode. Only MS-DOS will be able to run on the patched CPUs, but OS vendors are said to be already porting their systems to run on top of the DOS environment.

  • FHR Member, Host Rep

    @rm_ said:
    Reportedly the only fix for new vulnerabilities is to permanently switch CPUs into the Virtual 8086 mode. Only MS-DOS will be able to run on the patched CPUs, but OS vendors are said to be already porting their systems to run on top of the DOS environment.

    DUMMY MODE ON

  • Neoon Community Contributor, Veteran
    edited May 2018

    Apparently, Intel is affected/fucked, they need to delay the Spectre-NG patches:

    http://www.guru3d.com/news-story/intel-has-to-delays-patches-for-new-spectre-ng-vulnerabilities.html

    Still no news on AMD.

  • @LTniger said:
    Intel will fly a firmware upgrade faster than AMD will wake up and use this failure for its own gain.

    Agreed

  • Neoon Community Contributor, Veteran
    edited May 2018
  • Aidan Member

    "expected 8% performance loss", #rekt.

    Is that 8% total thus far, or 8% for variant 3a & 4?

  • Neoon Community Contributor, Veteran

    https://www.theregister.co.uk/2018/07/19/intels_management_engine_patches/

    Another security issue, this time Intel ME remote exploit, old CPUs will not be patched.

  • @raindog308 said:
    @WSS I think this is the equivalent of the introduction of the catalytic convertor. Shade tree coders?

    EDIT: https://meltdownattack.com

    Isn't there any way, like an update or downgrade, to help?