On Wed, May 15, 2019 at 01:53:45PM -0500, Dale wrote:
> Nikos Chantziaras wrote:
> > […]
> > If your system is on, how is it going to replace vulnerable kernels
> > with patched ones?

> […]
>
> While I want to keep the bad CPU code from being used, they first have
> to get past other things.  My DSL modem has protections, my router adds
> yet another layer of it.  I use adblock, noscript and such on all my
> browsers as well.

I’m kinda on the same train of thought. All those vulnerabilities of recent
years are about data exfiltration through cross-process memory reads or
exploitation of caching mechanisms for instruction optimisations. The threat
scenario is mostly relevant for servers which run unverified processes of
any number of users which may be trying to attack other users’ processes.

On a personal computer, nowadays the most common point of entry for malware
is the browser (or a manipulated data file for any kind of parser bug such
as Adobe or M$ Office). And in the browser, the threat comes from active
elements, IOW, Ecma Script. I use uMatrix with strict defaults, scripts are
only enabled when actually needed. And as opposed to often-heard street talk,
you can still use many corners of the Web without JS in many cases.
And of course I don’t blindly extract any ace archive that pretends to be a
rar.

Linux doesn’t “support” Windows crapware, and as long as you are careful
about where you get your programs from (i.e. package manager and other
trustworthy sources), you are reasonably safe, as opposed to Joe
Average-Windows-User who loads Adobe Reader and Google Chrome from
free-full-version-software.com instead of the developer’s official website
because he simply doesn’t know any better.

So I might not be as safe as technically possible, but right now I've grown
tired of following which fix incurs what performance penalty and don't
really give a crap. I set mitigations=off in my cmdline and watch the Tech
media burn itself down in a spiral of hysteria. In the meantime I protect
myself by (hopefully) knowing what each of my actions does and by using
software that uses common sense and provides a small attack surface, for
example mutt and vim instead of HTML mail and a text editor based on an
entire browser engine.

At some point in the future, my stationary PC will require a hardware
refresh. At that point I will say goodbye to Intel. This is the only
language companies understand. They’ve been getting ahead by developing
features without due diligence and by cutting corners. And this is biting
them in their behind now all the way back.

-- 
Gruß | Greetings | Qapla’
Please do not share anything from, with or about me on any social network.

There is only one way to the lung and it must be tarred.
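The reply above switches CPU mitigations off with mitigations=off on the kernel command line. An administrator making that trade-off (or auditing a box where someone else made it) usually wants to see what the running kernel actually reports afterwards. The following script is an added example written for this archive page, not code from the thread or from the kernel project: it reads the per-vulnerability status files the Linux kernel exposes under /sys/devices/system/cpu/vulnerabilities, counts how many report "Vulnerable", and checks /proc/cmdline for the mitigations=off parameter. The sample directory it builds with make_sample_dir is constructed data (status strings in the same format the real sysfs files use) so the functions can be exercised without root or a matching kernel; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): audit which CPU
# vulnerability mitigations the running Linux kernel reports, and whether
# mitigations=off is present on the kernel command line.

# Real sysfs location on Linux >= 4.15; older kernels lack it.
VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# Print "<name>: <status>" for every entry in a vulnerabilities directory.
# Argument 1 (optional): directory to read; defaults to the real sysfs path.
report_mitigations() {
    dir=${1:-$VULN_DIR_DEFAULT}
    if [ ! -d "$dir" ]; then
        echo "no $dir (not Linux, or kernel too old to report this)" >&2
        return 1
    fi
    for f in "$dir"/*; do
        printf '%s: %s\n' "$(basename "$f")" "$(cat "$f")"
    done
}

# Count entries whose status starts with "Vulnerable", i.e. the kernel knows
# the CPU is affected and no mitigation is active. Prints the count.
count_vulnerable() {
    dir=${1:-$VULN_DIR_DEFAULT}
    n=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case $(cat "$f") in
            Vulnerable*) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Return 0 (true) if the given kernel command line contains the exact word
# mitigations=off. Argument 1 (optional): the command line string; defaults
# to the live /proc/cmdline.
cmdline_disables_mitigations() {
    cmdline=${1:-$(cat /proc/cmdline 2>/dev/null)}
    for word in $cmdline; do
        [ "$word" = "mitigations=off" ] && return 0
    done
    return 1
}

# Constructed sample data (not captured from a real machine) so the functions
# above can run offline. Prints the path of the temporary directory.
make_sample_dir() {
    d=$(mktemp -d)
    echo "Mitigation: PTI" > "$d/meltdown"
    echo "Vulnerable: __user pointer sanitization and usercopy barriers only; no swapgs barriers" > "$d/spectre_v1"
    echo "Vulnerable, IBPB: disabled, STIBP: disabled" > "$d/spectre_v2"
    echo "Not affected" > "$d/l1tf"
    echo "$d"
}

# Stand-alone run: show the constructed sample, then the live system if the
# real sysfs directory exists on this machine.
sample=$(make_sample_dir)
echo "== constructed sample =="
report_mitigations "$sample"
echo "unmitigated entries: $(count_vulnerable "$sample")"
rm -rf "$sample"

if [ -d "$VULN_DIR_DEFAULT" ]; then
    echo "== live system =="
    report_mitigations
    echo "unmitigated entries: $(count_vulnerable)"
    if cmdline_disables_mitigations; then
        echo "kernel command line contains mitigations=off"
    else
        echo "mitigations=off not present on kernel command line"
    fi
fi
```

Usage: run the script as any user; the sysfs files are world-readable, so no root is needed. A status of "Vulnerable" on the live system after booting with mitigations=off is the expected result of that setting, and this is the quickest way to confirm which of the reported issues the kernel left unmitigated rather than relying on what the boot parameter was meant to do.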
