Re: [NF] Meltdown and Spectre CPU Flaw Information
On Tue, Jan 9, 2018 at 1:24 PM, Ted Rochewrote: > On Sun, Jan 7, 2018 at 5:27 AM, AndyHC wrote: > >> Having read El Reg's pretty good article [ >> http://www.theregister.co.uk/2018/01/04/intel_amd_arm_cpu_vulnerability/ ] I >> would just take issue with the suggestion that the vulnerability could be >> breached by Javascript (malign code in e.g. a jpg maybe, but not just >> javascript in a browser). > > Thanks for the reference. Linux machines were all updated Friday, > Windows machines under my supervision Friday and again Saturday. > Client LAMP boxes onsite were updated Friday, and VPS machines still > seem to be getting updates. Rebooted Friday and again Sunday > afternoon. And my hosting provider (Linode, good experience) has updated their host machines, requiring another very brief restart on each of my hosted boxes. > >> If you've got a home PC don't worry about state-level actors - if they want >> you they'll get you. Oh but don't let your browser remember important >> passwords, and try to remember to switch off each time after doing your >> online banking. > > And... right on time: "Windows Meltdown and Spectre patches: Now > Microsoft blocks security updates for some AMD based PCs:" > "Microsoft has paused nine operating system security updates after > complaints that they rendered some AMD PCs unbootable." > > http://www.zdnet.com/article/meltdown-and-spectre-now-microsoft-blocks-security-updates-for-some-amd-based-devices/ > And, apparently, security never sleeps, as Microsoft released an updated advisory on Friday night (~5 PM Seattle time, hmmm...) that it was okay to patch AMD machines again. https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002 Perhaps I'll wait a while on this one, and find out how it works for others... -- Ted Roche Ted Roche & Associates, LLC http://www.tedroche.com ___ Post Messages to: ProFox@leafe.com Subscription Maintenance: http://mail.leafe.com/mailman/listinfo/profox OT-free version of this list: http://mail.leafe.com/mailman/listinfo/profoxtech Searchable Archive: http://leafe.com/archives/search/profox This message: http://leafe.com/archives/byMID/profox/CACW6n4veeSrNOQ10htBaUMSp__6mooARf1j=+gqcE++m=yp...@mail.gmail.com ** All postings, unless explicitly stated otherwise, are the opinions of the author, and do not constitute legal or medical advice. This statement is added to the messages for those lawyers who are too stupid to see the obvious.
Re: [NF] Meltdown and Spectre CPU Flaw Information
On Sun, Jan 7, 2018 at 5:27 AM, AndyHCwrote: > Having read El Reg's pretty good article [ > http://www.theregister.co.uk/2018/01/04/intel_amd_arm_cpu_vulnerability/ ] I > would just take issue with the suggestion that the vulnerability could be > breached by Javascript (malign code in e.g. a jpg maybe, but not just > javascript in a browser). Thanks for the reference. Linux machines were all updated Friday, Windows machines under my supervision Friday and again Saturday. Client LAMP boxes onsite were updated Friday, and VPS machines still seem to be getting updates. Rebooted Friday and again Sunday afternoon. > Putting on my very battered old security consultant's hat I would say it's > time to evaluate actual risk on a per situation basis: > If you are a company that has foolishly put the family jewels on someone > else's computer because you believed in Clouds - then hope that someone up > in the clouds can fix it! I think clouds have been over-promised and people misunderstand what they are supposed to be. A redundant array of inexpensive services with graceful failover and no loss of data-in-motion is a great idea, but only an idea for most. On the other hand, I have web servers on the internet ("Don't call it a cloud") that are hosted on VPS that are right in the middle of the target, so I've been working on those. > If you are running heavily VM'd in-house then look out for your own > villains and try to air-gap your internet facing servers. I'm thinking that air-gapping your internet facing servers is a good idea. > If you've got a home PC don't worry about state-level actors - if they want > you they'll get you. Oh but don't let your browser remember important > passwords, and try to remember to switch off each time after doing your > online banking. And... right on time: "Windows Meltdown and Spectre patches: Now Microsoft blocks security updates for some AMD based PCs:" "Microsoft has paused nine operating system security updates after complaints that they rendered some AMD PCs unbootable." http://www.zdnet.com/article/meltdown-and-spectre-now-microsoft-blocks-security-updates-for-some-amd-based-devices/ -- Ted Roche Ted Roche & Associates, LLC http://www.tedroche.com ___ Post Messages to: ProFox@leafe.com Subscription Maintenance: http://mail.leafe.com/mailman/listinfo/profox OT-free version of this list: http://mail.leafe.com/mailman/listinfo/profoxtech Searchable Archive: http://leafe.com/archives/search/profox This message: http://leafe.com/archives/byMID/profox/CACW6n4s4KLJOm1t0hcqGh4Nhj7_nM=gea3kgmqz3z451dtb...@mail.gmail.com ** All postings, unless explicitly stated otherwise, are the opinions of the author, and do not constitute legal or medical advice. This statement is added to the messages for those lawyers who are too stupid to see the obvious.
Re: [NF] Meltdown and Spectre CPU Flaw Information
On 07-Jan-2018 9:57 PM, Paul Hill wrote: Old cheesy related joke: Knock knock! Branch prediction Who's there? Like! --- StripMime Report -- processed MIME parts --- multipart/alternative text/plain (text body -- kept) text/html --- ___ Post Messages to: ProFox@leafe.com Subscription Maintenance: http://mail.leafe.com/mailman/listinfo/profox OT-free version of this list: http://mail.leafe.com/mailman/listinfo/profoxtech Searchable Archive: http://leafe.com/archives/search/profox This message: http://leafe.com/archives/byMID/profox/1ee53486-8f62-1bb3-74ab-e8084e17b...@hawthorncottage.com ** All postings, unless explicitly stated otherwise, are the opinions of the author, and do not constitute legal or medical advice. This statement is added to the messages for those lawyers who are too stupid to see the obvious.
Re: [NF] Meltdown and Spectre CPU Flaw Information
Old cheesy related joke: Knock knock! Branch prediction Who's there? -- Paul ___ Post Messages to: ProFox@leafe.com Subscription Maintenance: http://mail.leafe.com/mailman/listinfo/profox OT-free version of this list: http://mail.leafe.com/mailman/listinfo/profoxtech Searchable Archive: http://leafe.com/archives/search/profox This message: http://leafe.com/archives/byMID/profox/cadwx0+jgvdfo16xjpq2pb9snkrrsopdhx7jqc-xvyvwvn6t...@mail.gmail.com ** All postings, unless explicitly stated otherwise, are the opinions of the author, and do not constitute legal or medical advice. This statement is added to the messages for those lawyers who are too stupid to see the obvious.
Re: [NF] Meltdown and Spectre CPU Flaw Information
Having read El Reg's pretty good article [ http://www.theregister.co.uk/2018/01/04/intel_amd_arm_cpu_vulnerability/ ] I would just take issue with the suggestion that the vulnerability could be breached by Javascript (malign code in e.g. a jpg maybe, but not just javascript in a browser). Putting on my very battered old security consultant's hat I would say it's time to evaluate actual risk on a per situation basis: If you are a company that has foolishly put the family jewels on someone else's computer because you believed in Clouds - then hope that someone up in the clouds can fix it! If you are running heavily VM'd in-house then look out for your own villains and try to air-gap your internet facing servers. If you've got a home PC don't worry about state-level actors - if they want you they'll get you. Oh but don't let your browser remember important passwords, and try to remember to switch off each time after doing your online banking. ___ Post Messages to: ProFox@leafe.com Subscription Maintenance: http://mail.leafe.com/mailman/listinfo/profox OT-free version of this list: http://mail.leafe.com/mailman/listinfo/profoxtech Searchable Archive: http://leafe.com/archives/search/profox This message: http://leafe.com/archives/byMID/profox/1fe853ad-bd91-a9e0-54ec-886a07a35...@hawthorncottage.com ** All postings, unless explicitly stated otherwise, are the opinions of the author, and do not constitute legal or medical advice. This statement is added to the messages for those lawyers who are too stupid to see the obvious.
Re: [NF] Meltdown and Spectre CPU Flaw Information
Can software fix a hardware design fault? No, but you can work potentially around it by causing the processor to work in a different way. Also connecting a C64 to the internet is easier than you might think. -- Alan Bourke alanpbourke (at) fastmail (dot) fm On Sat, 6 Jan 2018, at 3:20 PM, Ted Roche wrote: > > On Sat, Jan 6, 2018 at 4:38 AM, AndyHCwrote: > > > >> Well ... if you *need* to believe that software can patch hardware design > >> faults > > > > It turns out, Microsoft very much agrees with Andy: > > "6. Why aren't Windows Server 2008 and Windows Server 2012 platforms > getting an update? When can customers expect the fix?" > > "Addressing a hardware vulnerability with a software update presents > significant challenges with some operating systems requiring extensive > architectural changes. Microsoft continues to work with affected chip > manufacturers and investigate the best way to provide mitigations." > > from: > > https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002 > > > I encourage you to re-read the two questions and the non-answer. > > -- > Ted Roche > Ted Roche & Associates, LLC > http://www.tedroche.com > [excessive quoting removed by server] ___ Post Messages to: ProFox@leafe.com Subscription Maintenance: http://mail.leafe.com/mailman/listinfo/profox OT-free version of this list: http://mail.leafe.com/mailman/listinfo/profoxtech Searchable Archive: http://leafe.com/archives/search/profox This message: http://leafe.com/archives/byMID/profox/1515263266.2084174.1226422968.74c50...@webmail.messagingengine.com ** All postings, unless explicitly stated otherwise, are the opinions of the author, and do not constitute legal or medical advice. This statement is added to the messages for those lawyers who are too stupid to see the obvious.
Re: [NF] Meltdown and Spectre CPU Flaw Information
Yes - I guess I could have answered my own question. I was mostly shocked at the concept. And - no - its SO Damn Cold up here in the NorthEast right now - that even Google is Frozen and doesn't work!!! :-) -K- On 1/6/2018 12:39 PM, Ed Leafe wrote: On Jan 6, 2018, at 10:57 AM, Kurt at VR-FXwrote: Will admit - I never heard of this RowHammer concept! Is it for Real? I suspect so... Oh, they don't have Google in your area? Too bad! http://lmgtfy.com/?q=rowhammer -- Ed Leafe --- StripMime Report -- processed MIME parts --- multipart/signed text/plain (text body -- kept) application/pgp-signature --- [excessive quoting removed by server] ___ Post Messages to: ProFox@leafe.com Subscription Maintenance: http://mail.leafe.com/mailman/listinfo/profox OT-free version of this list: http://mail.leafe.com/mailman/listinfo/profoxtech Searchable Archive: http://leafe.com/archives/search/profox This message: http://leafe.com/archives/byMID/profox/fb559a43-6747-455d-cc3a-d8ad94d8d...@optonline.net ** All postings, unless explicitly stated otherwise, are the opinions of the author, and do not constitute legal or medical advice. This statement is added to the messages for those lawyers who are too stupid to see the obvious.
Re: [NF] Meltdown and Spectre CPU Flaw Information
On Jan 6, 2018, at 10:57 AM, Kurt at VR-FXwrote: > Will admit - I never heard of this RowHammer concept! Is it for Real? I > suspect so... Oh, they don't have Google in your area? Too bad! http://lmgtfy.com/?q=rowhammer -- Ed Leafe --- StripMime Report -- processed MIME parts --- multipart/signed text/plain (text body -- kept) application/pgp-signature --- ___ Post Messages to: ProFox@leafe.com Subscription Maintenance: http://mail.leafe.com/mailman/listinfo/profox OT-free version of this list: http://mail.leafe.com/mailman/listinfo/profoxtech Searchable Archive: http://leafe.com/archives/search/profox This message: http://leafe.com/archives/byMID/profox/664ede64-7279-4e76-a1aa-15544253c...@leafe.com ** All postings, unless explicitly stated otherwise, are the opinions of the author, and do not constitute legal or medical advice. This statement is added to the messages for those lawyers who are too stupid to see the obvious.
Re: [NF] Meltdown and Spectre CPU Flaw Information
Ed - that comic is pretty wild! Will admit - I never heard of this RowHammer concept! Is it for Real? I suspect so... -K- On 1/5/2018 3:20 PM, Ed Leafe wrote: On Jan 5, 2018, at 9:00 AM, Ed Leafewrote: Here’s an excellent explanation of the problem, and how the exploits work: https://twitter.com/gsuberland/status/948907452786933762 It’s a long thread, but then again, it’s a complex issue. And, of course, the required xkcd take on things: https://xkcd.com/1938/ -- Ed Leafe [excessive quoting removed by server] ___ Post Messages to: ProFox@leafe.com Subscription Maintenance: http://mail.leafe.com/mailman/listinfo/profox OT-free version of this list: http://mail.leafe.com/mailman/listinfo/profoxtech Searchable Archive: http://leafe.com/archives/search/profox This message: http://leafe.com/archives/byMID/profox/8243e4d4-94e3-2afe-3f6d-2fc4a05e1...@optonline.net ** All postings, unless explicitly stated otherwise, are the opinions of the author, and do not constitute legal or medical advice. This statement is added to the messages for those lawyers who are too stupid to see the obvious.
Re: [NF] Meltdown and Spectre CPU Flaw Information
> On Sat, Jan 6, 2018 at 4:38 AM, AndyHCwrote: > >> Well ... if you *need* to believe that software can patch hardware design >> faults > It turns out, Microsoft very much agrees with Andy: "6. Why aren't Windows Server 2008 and Windows Server 2012 platforms getting an update? When can customers expect the fix?" "Addressing a hardware vulnerability with a software update presents significant challenges with some operating systems requiring extensive architectural changes. Microsoft continues to work with affected chip manufacturers and investigate the best way to provide mitigations." from: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002 I encourage you to re-read the two questions and the non-answer. -- Ted Roche Ted Roche & Associates, LLC http://www.tedroche.com ___ Post Messages to: ProFox@leafe.com Subscription Maintenance: http://mail.leafe.com/mailman/listinfo/profox OT-free version of this list: http://mail.leafe.com/mailman/listinfo/profoxtech Searchable Archive: http://leafe.com/archives/search/profox This message: http://leafe.com/archives/byMID/profox/cacw6n4vwkejg4vwr+umf1cb1jtczdfxxlmmxkdqsikcnhr9...@mail.gmail.com ** All postings, unless explicitly stated otherwise, are the opinions of the author, and do not constitute legal or medical advice. This statement is added to the messages for those lawyers who are too stupid to see the obvious.
Re: [NF] Meltdown and Spectre CPU Flaw Information
Well, actually, he geek-splains... On Sat, Jan 6, 2018 at 4:38 AM, AndyHCwrote: > On 06-Jan-2018 1:50 AM, Ed Leafe wrote: >> >> On Jan 5, 2018, at 9:00 AM, Ed Leafe wrote: >> And, of course, the required xkcd take on things: >> >> https://xkcd.com/1938/ >> >> >> -- Ed Leafe >> >> > > > Well ... if you *need* to believe that software can patch hardware design > faults It's a thumb in the dike, not a fix. Firmware updates and eventually new chip designs are necessary. > and you also believe that these clever patches have either (a) been written > in 48 hours No, under the rules of limited disclosure, the discoverers notified the hardware and software vendors some time ago, and the disclosure has been under embargo until such time as Microsoft and Google and Mozilla and Apple had patches ready to go. or (b) been written well in advance *and* that's not > sinister While it's getting a bit long in the tooth (2014), "Countdown to Zero Day" by Kim Vetter has a good layperson's description of the zero day marketplace, and the white-, black- and grey-hat hackers who make serious money ($100,000 USD or more for root-level exploit, in some cases). Is it sinister? Absolutely. Like all marketplaces, there are good guys, there are bad guys and there are seriously-scary bad guys (and governments). In this case, some geeks figured out an obscure way to poke through the garbage pile that CPUs discard and build it into an exploit. And chose to make white-hat money. > - - - - -now I know I've got a Sinclair Scientific calculator and a abacus > around here somewhere. Once I get my C=64 hooked up to the internet, I'll be all set! -- Ted Roche Ted Roche & Associates, LLC http://www.tedroche.com ___ Post Messages to: ProFox@leafe.com Subscription Maintenance: http://mail.leafe.com/mailman/listinfo/profox OT-free version of this list: http://mail.leafe.com/mailman/listinfo/profoxtech Searchable Archive: http://leafe.com/archives/search/profox This message: http://leafe.com/archives/byMID/profox/CACW6n4tWJH-R=bodrza4u0e7_pctmx5ca1qxgh+3vtgzjv6...@mail.gmail.com ** All postings, unless explicitly stated otherwise, are the opinions of the author, and do not constitute legal or medical advice. This statement is added to the messages for those lawyers who are too stupid to see the obvious.
Re: [NF] Meltdown and Spectre CPU Flaw Information
This is similar to the old "What came first, viruses or antivirus software?" Laurie On 6 January 2018 at 09:38, AndyHCwrote: > On 06-Jan-2018 1:50 AM, Ed Leafe wrote: > >> On Jan 5, 2018, at 9:00 AM, Ed Leafe wrote: >> And, of course, the required xkcd take on things: >> >> https://xkcd.com/1938/ >> >> >> -- Ed Leafe >> >> >> > > Well ... if you *need* to believe that software can patch hardware design > faults > and you also believe that these clever patches have either (a) been > written in 48 hours or (b) been written well in advance *and* that's not > sinister > - - - - -now I know I've got a Sinclair Scientific calculator and a abacus > around here somewhere. > [excessive quoting removed by server] ___ Post Messages to: ProFox@leafe.com Subscription Maintenance: http://mail.leafe.com/mailman/listinfo/profox OT-free version of this list: http://mail.leafe.com/mailman/listinfo/profoxtech Searchable Archive: http://leafe.com/archives/search/profox This message: http://leafe.com/archives/byMID/profox/CAMvTR9f54ik9dM1bd=+7vjHSYm9=nm1syzfpwzawk1+cpgv...@mail.gmail.com ** All postings, unless explicitly stated otherwise, are the opinions of the author, and do not constitute legal or medical advice. This statement is added to the messages for those lawyers who are too stupid to see the obvious.
Re: [NF] Meltdown and Spectre CPU Flaw Information
On 06-Jan-2018 1:50 AM, Ed Leafe wrote: On Jan 5, 2018, at 9:00 AM, Ed Leafewrote: And, of course, the required xkcd take on things: https://xkcd.com/1938/ -- Ed Leafe Well ... if you *need* to believe that software can patch hardware design faults and you also believe that these clever patches have either (a) been written in 48 hours or (b) been written well in advance *and* that's not sinister - - - - -now I know I've got a Sinclair Scientific calculator and a abacus around here somewhere. ___ Post Messages to: ProFox@leafe.com Subscription Maintenance: http://mail.leafe.com/mailman/listinfo/profox OT-free version of this list: http://mail.leafe.com/mailman/listinfo/profoxtech Searchable Archive: http://leafe.com/archives/search/profox This message: http://leafe.com/archives/byMID/profox/7a3dcfdf-930f-638f-5c5e-fe176f999...@hawthorncottage.com ** All postings, unless explicitly stated otherwise, are the opinions of the author, and do not constitute legal or medical advice. This statement is added to the messages for those lawyers who are too stupid to see the obvious.
Re: [NF] Meltdown and Spectre CPU Flaw Information
At 00:28 2018-01-05, Alan Bourkewrote: These exploits are nasty but if they've been in Intel chips ever since they started implementing out-of-order execution in 1995 then surely if there was a serious real-world threat we would have seen it long ago? No. It is possible that the Black Hats do not know every weakness of systems. [snip] Sincerely, Gene Wirchenko ___ Post Messages to: ProFox@leafe.com Subscription Maintenance: http://mail.leafe.com/mailman/listinfo/profox OT-free version of this list: http://mail.leafe.com/mailman/listinfo/profoxtech Searchable Archive: http://leafe.com/archives/search/profox This message: http://leafe.com/archives/byMID/profox/ecaffe3b1b10da625b4da661c4b9c9e5@mtlp85 ** All postings, unless explicitly stated otherwise, are the opinions of the author, and do not constitute legal or medical advice. This statement is added to the messages for those lawyers who are too stupid to see the obvious.
RE: [NF] Meltdown and Spectre CPU Flaw Information
My thoughts exactly. I usually read what the media says ("A! REPLACE ALL COMPUTERS TODAY!") and know that the reality is more like "Keep Calm And Patch On!" Paul H. Tarver Tarver Program Consultants, Inc. -Original Message- From: ProfoxTech [mailto:profoxtech-boun...@leafe.com] On Behalf Of Alan Bourke Sent: Friday, January 05, 2018 2:28 AM To: profoxt...@leafe.com Subject: Re: [NF] Meltdown and Spectre CPU Flaw Information These exploits are nasty but if they've been in Intel chips ever since they started implementing out-of-order execution in 1995 then surely if there was a serious real-world threat we would have seen it long ago? -- Alan Bourke alanpbourke (at) fastmail (dot) fm On Thu, 4 Jan 2018, at 7:46 PM, Ken Dibble wrote: > Virtually everything we do here involves HIPAA-sensitive information, > but we have very robust perimeter defenses. I'm much more concerned > about a potential 30%+ performance loss in systems that are constantly > used by nearly a hundred people every day. > > >The exploit allows VMs to go into the memory space of other VMs. > >Very bad. Unless you don't have any sensitive info that needs to stay > >that way. > > > >-- > > > >rk > > > >-Original Message- > >From: ProfoxTech [mailto:profoxtech-boun...@leafe.com] On Behalf Of > >Ken Dibble > >Sent: Thursday, January 04, 2018 1:35 PM > >To: profoxt...@leafe.com > >Subject: Re: [NF] Meltdown and Spectre CPU Flaw Information > > > >I just can't wait to see what it's going to do to my highly > >virtualized network--if I ever decide to let it through. Probably a > >smaller version of what it's already started to do to some commercial > >cloud systems. > > > >Windows Automatic Updates: Just Say No. (TM) > > > > >Also, kudos to Microsoft for shipping their patches a week early, > > >and spontaneously rebooting idle Windows workstations while people > > >were freaking out over the new exploits. Good job! > > > > > >On Thu, Jan 4, 2018 at 12:27 PM, Ken Dibble <krdib...@stny.rr.com> wrote: > > > > Hi folks, > > > > > > > > Ask Woody has a very thorough report on this, with links to more > > > > information. > > > > > > > > We all need to be fully informed about this; it is going to > > > > affect everybody. > > > > > > > > https://www.askwoody.com/ > > > > > > > > Ken Dibble > > > > www.stic-cil.org > > > > > > > > [excessive quoting removed by server] ___ Post Messages to: ProFox@leafe.com Subscription Maintenance: http://mail.leafe.com/mailman/listinfo/profox OT-free version of this list: http://mail.leafe.com/mailman/listinfo/profoxtech Searchable Archive: http://leafe.com/archives/search/profox This message: http://leafe.com/archives/byMID/profox/007501d38673$29a84150$7cf8c3f0$@tpcqpc.com ** All postings, unless explicitly stated otherwise, are the opinions of the author, and do not constitute legal or medical advice. This statement is added to the messages for those lawyers who are too stupid to see the obvious.
Re: [NF] Meltdown and Spectre CPU Flaw Information
On Fri, Jan 5, 2018 at 3:20 PM, Ed Leafewrote: > And, of course, the required xkcd take on things: > > https://xkcd.com/1938/ > And that's pretty much all you need to know! Happy Friday, folks! -- Ted Roche Ted Roche & Associates, LLC http://www.tedroche.com ___ Post Messages to: ProFox@leafe.com Subscription Maintenance: http://mail.leafe.com/mailman/listinfo/profox OT-free version of this list: http://mail.leafe.com/mailman/listinfo/profoxtech Searchable Archive: http://leafe.com/archives/search/profox This message: http://leafe.com/archives/byMID/profox/cacw6n4shyib17o5nvsgbhc5yi4iqgduxsg9uxqrtg-tj_-3...@mail.gmail.com ** All postings, unless explicitly stated otherwise, are the opinions of the author, and do not constitute legal or medical advice. This statement is added to the messages for those lawyers who are too stupid to see the obvious.
Re: [NF] Meltdown and Spectre CPU Flaw Information
On Jan 5, 2018, at 9:00 AM, Ed Leafewrote: > Here’s an excellent explanation of the problem, and how the exploits work: > > https://twitter.com/gsuberland/status/948907452786933762 > > It’s a long thread, but then again, it’s a complex issue. And, of course, the required xkcd take on things: https://xkcd.com/1938/ -- Ed Leafe ___ Post Messages to: ProFox@leafe.com Subscription Maintenance: http://mail.leafe.com/mailman/listinfo/profox OT-free version of this list: http://mail.leafe.com/mailman/listinfo/profoxtech Searchable Archive: http://leafe.com/archives/search/profox This message: http://leafe.com/archives/byMID/profox/f302b639-769d-4a40-b46f-519736ff6...@leafe.com ** All postings, unless explicitly stated otherwise, are the opinions of the author, and do not constitute legal or medical advice. This statement is added to the messages for those lawyers who are too stupid to see the obvious.
RE: [NF] Meltdown and Spectre CPU Flaw Information
A very interesting and realistic report on this subject https://researchcenter.paloaltonetworks.com/2018/01/threat-brief-meltdown-sp ectre-vulnerabilities/?utm_source=Adobe+Campaign+-+ACS_medium=email_ campaign=20180105.NL.unit42.PANW_subs.threat.global.xx.xx=DM170 8 Jose Enrique Llopis -Mensaje original- De: ProFox [mailto:profox-boun...@leafe.com] En nombre de AndyHC Enviado el: jueves, 04 de enero de 2018 18:46 Para: profox@leafe.com Asunto: Re: [NF] Meltdown and Spectre CPU Flaw Information Nah! - nothing to worry about here - just an old government backdoor into - er - everything. On 04-Jan-2018 10:57 PM, Ken Dibble wrote: > Hi folks, > > Ask Woody has a very thorough report on this, with links to more > information. > > We all need to be fully informed about this; it is going to affect > everybody. > > https://www.askwoody.com/ > > Ken Dibble > www.stic-cil.org > > [excessive quoting removed by server] ___ Post Messages to: ProFox@leafe.com Subscription Maintenance: http://mail.leafe.com/mailman/listinfo/profox OT-free version of this list: http://mail.leafe.com/mailman/listinfo/profoxtech Searchable Archive: http://leafe.com/archives/search/profox This message: http://leafe.com/archives/byMID/profox/352B762C35D648EC8126D51690F8D38A@LENOVO1 ** All postings, unless explicitly stated otherwise, are the opinions of the author, and do not constitute legal or medical advice. This statement is added to the messages for those lawyers who are too stupid to see the obvious.
RE: [NF] Meltdown and Spectre CPU Flaw Information
Andy, Memories from the past indeed! We had similar when I moved from Singer to ICL on their 7502 Front End Processor (FEP). I got involved in some coding in the dreaded PLAN programming language (Uuugh!) on their 1904s range of machines before the 2900 Microcode range was launched. Dave --- This communication and the information it contains is intended for the person or organisation to whom it is addressed. Its contents are confidential and may be protected in law. If you have received this e-mail in error you must not copy, distribute or take any action in reliance on it. Unauthorised use, copying or disclosure of any of it may be unlawful. If you have received this message in error, please notify us immediately by telephone or email. Flexipol Packaging Ltd. has taken every reasonable precaution to minimise the risk of virus transmission through email and therefore any files sent via e-mail will have been checked for known viruses. However, you are advised to run your own virus check before opening any attachments received as Flexipol Packaging Ltd will not in any event accept any liability whatsoever once an e-mail and/or any attachment is received. It is the responsibility of the recipient to ensure that they have adequate virus protection. Flexipol Packaging Ltd. Unit 14 Bentwood Road Carrs Industrial Estate Haslingden Rossendale Lancashire BB4 5HH Tel:01706-222792 Fax: 01706-224683 www.Flexipol.co.uk --- Terms & Conditions: Notwithstanding delivery and the passing of risk in the goods, the property in the goods shall not pass to the buyer until the seller Flexipol Packaging Ltd. ("The Company") has received in cash or cleared funds payment in full of the price of the goods and all other goods agreed to be sold by the seller to the buyer for which payment is then due. Until such time as the property in the goods passes to the buyer, the buyer shall hold the goods as the seller's fiduciary agent and bailee and keep the goods separate from those of the buyer and third parties and properly stored protected and insured and identified as the seller's property but shall be entitled to resell or use the goods in the ordinary course of its business. Until such time as the property in the goods passes to the buyer the seller shall be entitled at any time -Original Message- From: ProFox [mailto:profox-boun...@leafe.com] On Behalf Of AndyHC Sent: 05 January 2018 17:05 To: profox@leafe.com Subject: Re: [NF] Meltdown and Spectre CPU Flaw Information On 05-Jan-2018 7:27 PM, Alan Bourke wrote: > I think it's more of a side effect of the principle of out of order > execution, not everything is a conspiracy. > That's been going on for a very long time - IBM were doing instruction pre-fetch in the 70's or early 80's --- StripMime Report -- processed MIME parts --- multipart/alternative text/plain (text body -- kept) text/html --- ___ Post Messages to: ProFox@leafe.com Subscription Maintenance: http://mail.leafe.com/mailman/listinfo/profox OT-free version of this list: http://mail.leafe.com/mailman/listinfo/profoxtech Searchable Archive: http://leafe.com/archives/search/profox This message: http://leafe.com/archives/byMID/profox/54ed184e-138a-1b2b-633b-dd803d67b...@hawthorncottage.com ** All postings, unless explicitly stated otherwise, are the opinions of the author, and do not constitute legal or medical advice. This statement is added to the messages for those lawyers who are too stupid to see the obvious. ___ Post Messages to: ProFox@leafe.com Subscription Maintenance: http://mail.leafe.com/mailman/listinfo/profox OT-free version of this list: http://mail.leafe.com/mailman/listinfo/profoxtech Searchable Archive: http://leafe.com/archives/search/profox This message: http://leafe.com/archives/byMID/profox/18725b8cd2d5d247873a2baf401d4ab2beac7...@ex2010-a-fpl.fpl.LOCAL ** All postings, unless explicitly stated otherwise, are the opinions of the author, and do not constitute legal or medical advice. This statement is added to the messages for those lawyers who are too stupid to see the obvious.
Re: [NF] Meltdown and Spectre CPU Flaw Information
On 05-Jan-2018 7:27 PM, Alan Bourke wrote: I think it's more of a side effect of the principle of out of order execution, not everything is a conspiracy. That's been going on for a very long time - IBM were doing instruction pre-fetch in the 70's or early 80's --- StripMime Report -- processed MIME parts --- multipart/alternative text/plain (text body -- kept) text/html --- ___ Post Messages to: ProFox@leafe.com Subscription Maintenance: http://mail.leafe.com/mailman/listinfo/profox OT-free version of this list: http://mail.leafe.com/mailman/listinfo/profoxtech Searchable Archive: http://leafe.com/archives/search/profox This message: http://leafe.com/archives/byMID/profox/54ed184e-138a-1b2b-633b-dd803d67b...@hawthorncottage.com ** All postings, unless explicitly stated otherwise, are the opinions of the author, and do not constitute legal or medical advice. This statement is added to the messages for those lawyers who are too stupid to see the obvious.
Re: [NF] Meltdown and Spectre CPU Flaw Information
On Jan 5, 2018, at 2:28 AM, Alan Bourkewrote: > These exploits are nasty but if they've been in Intel chips ever since they > started implementing out-of-order execution in 1995 then surely if there was > a serious real-world threat we would have seen it long ago? The flaws were only discovered recently, so there hasn’t been enough time for exploits to become widespread. You can bet now that the track vectors are well known, they will be exploited more often. Here’s an excellent explanation of the problem, and how the exploits work: https://twitter.com/gsuberland/status/948907452786933762 It’s a long thread, but then again, it’s a complex issue. -- Ed Leafe ___ Post Messages to: ProFox@leafe.com Subscription Maintenance: http://mail.leafe.com/mailman/listinfo/profox OT-free version of this list: http://mail.leafe.com/mailman/listinfo/profoxtech Searchable Archive: http://leafe.com/archives/search/profox This message: http://leafe.com/archives/byMID/profox/e9d1baf7-db07-4e6a-b4bc-80c8a8927...@leafe.com ** All postings, unless explicitly stated otherwise, are the opinions of the author, and do not constitute legal or medical advice. This statement is added to the messages for those lawyers who are too stupid to see the obvious.
RE: [NF] Meltdown and Spectre CPU Flaw Information
If you are a HIPAA shop then I'm sure your IT team is paying proper attention to this. Hah! I AM the IT team. (I have a couple of part-time assistants who do help desk and maintenance, but I'm the CIO/SysAdmin/DBA/Systems Analyst/Code Monkey/chief cook and bottle washer. We have an internal "cloud"; we don't use any form of commercial cloud storage for documents, or for any sensitive data (unless you count email as such; and sensitive data sent by email is password-encrypted in zip file attachments using 7-Zip). We do not host public-facing websites or email servers. I have a consultant that I use for extremely technical purposes. I've requested their opinion on the issues. I have a lot of stuff to research on my own, though, as I don't accept anybody's opinion without evaluating it for myself to the best of my ability. My primary concern is what happens to the performance of VMWare when they issue a patch for this, and what happens to the performance of various vintages of MS Server that have been virtualized after I apply patches to them. Ken ___ Post Messages to: ProFox@leafe.com Subscription Maintenance: http://mail.leafe.com/mailman/listinfo/profox OT-free version of this list: http://mail.leafe.com/mailman/listinfo/profoxtech Searchable Archive: http://leafe.com/archives/search/profox This message: http://leafe.com/archives/byMID/profox/ ** All postings, unless explicitly stated otherwise, are the opinions of the author, and do not constitute legal or medical advice. This statement is added to the messages for those lawyers who are too stupid to see the obvious.
Re: [NF] Meltdown and Spectre CPU Flaw Information
I think it's more of a side effect of the principle of out of order execution, not everything is a conspiracy. -- Alan Bourke alanpbourke (at) fastmail (dot) fm On Fri, 5 Jan 2018, at 9:28 AM, AndyHC wrote: > On 05-Jan-2018 1:58 PM, Alan Bourke wrote: > > These exploits are nasty but if they've been in Intel chips ever since they > > started implementing out-of-order execution in 1995 then surely if there > > was a serious real-world threat we would have seen it long ago? > > > > > > > Unless it's been very carefully done by state-level actors! > > > --- StripMime Report -- processed MIME parts --- > multipart/alternative > text/plain (text body -- kept) > text/html > --- > [excessive quoting removed by server] ___ Post Messages to: ProFox@leafe.com Subscription Maintenance: http://mail.leafe.com/mailman/listinfo/profox OT-free version of this list: http://mail.leafe.com/mailman/listinfo/profoxtech Searchable Archive: http://leafe.com/archives/search/profox This message: http://leafe.com/archives/byMID/profox/1515160624.896609.1225279832.55ade...@webmail.messagingengine.com ** All postings, unless explicitly stated otherwise, are the opinions of the author, and do not constitute legal or medical advice. This statement is added to the messages for those lawyers who are too stupid to see the obvious.
Re: [NF] Meltdown and Spectre CPU Flaw Information
On 05-Jan-2018 1:58 PM, Alan Bourke wrote: These exploits are nasty but if they've been in Intel chips ever since they started implementing out-of-order execution in 1995 then surely if there was a serious real-world threat we would have seen it long ago? Unless it's been very carefully done by state-level actors! --- StripMime Report -- processed MIME parts --- multipart/alternative text/plain (text body -- kept) text/html --- ___ Post Messages to: ProFox@leafe.com Subscription Maintenance: http://mail.leafe.com/mailman/listinfo/profox OT-free version of this list: http://mail.leafe.com/mailman/listinfo/profoxtech Searchable Archive: http://leafe.com/archives/search/profox This message: http://leafe.com/archives/byMID/profox/8a512143-0659-2383-a0d7-81623ad2a...@hawthorncottage.com ** All postings, unless explicitly stated otherwise, are the opinions of the author, and do not constitute legal or medical advice. This statement is added to the messages for those lawyers who are too stupid to see the obvious.
Re: [NF] Meltdown and Spectre CPU Flaw Information
On 04-Jan-2018 11:47 PM, Ted Roche wrote: Also, kudos to Microsoft for shipping their patches a week early, and spontaneously rebooting idle Windows workstations while people were freaking out over the new exploits. Good job! ... it's almost as if they're saying "here's one I prepared earlier!" ___ Post Messages to: ProFox@leafe.com Subscription Maintenance: http://mail.leafe.com/mailman/listinfo/profox OT-free version of this list: http://mail.leafe.com/mailman/listinfo/profoxtech Searchable Archive: http://leafe.com/archives/search/profox This message: http://leafe.com/archives/byMID/profox/7bc6e9b9-472b-1799-7ece-e5b2cbc68...@hawthorncottage.com ** All postings, unless explicitly stated otherwise, are the opinions of the author, and do not constitute legal or medical advice. This statement is added to the messages for those lawyers who are too stupid to see the obvious.
Re: [NF] Meltdown and Spectre CPU Flaw Information
These exploits are nasty but if they've been in Intel chips ever since they started implementing out-of-order execution in 1995 then surely if there was a serious real-world threat we would have seen it long ago? -- Alan Bourke alanpbourke (at) fastmail (dot) fm On Thu, 4 Jan 2018, at 7:46 PM, Ken Dibble wrote: > Virtually everything we do here involves HIPAA-sensitive information, > but we have very robust perimeter defenses. I'm much more concerned > about a potential 30%+ performance loss in systems that are > constantly used by nearly a hundred people every day. > > >The exploit allows VMs to go into the memory space of other VMs. > >Very bad. Unless you don't have any sensitive info that needs to > >stay that way. > > > >-- > > > >rk > > > >-Original Message- > >From: ProfoxTech [mailto:profoxtech-boun...@leafe.com] On Behalf Of Ken > >Dibble > >Sent: Thursday, January 04, 2018 1:35 PM > >To: profoxt...@leafe.com > >Subject: Re: [NF] Meltdown and Spectre CPU Flaw Information > > > >I just can't wait to see what it's going to do to my highly > >virtualized network--if I ever decide to let it through. Probably a > >smaller version of what it's already started to do to some commercial > >cloud systems. > > > >Windows Automatic Updates: Just Say No. (TM) > > > > >Also, kudos to Microsoft for shipping their patches a week early, and > > >spontaneously rebooting idle Windows workstations while people were > > >freaking out over the new exploits. Good job! > > > > > >On Thu, Jan 4, 2018 at 12:27 PM, Ken Dibble <krdib...@stny.rr.com> wrote: > > > > Hi folks, > > > > > > > > Ask Woody has a very thorough report on this, with links to more > > > > information. > > > > > > > > We all need to be fully informed about this; it is going to affect > > > > everybody. > > > > > > > > https://www.askwoody.com/ > > > > > > > > Ken Dibble > > > > www.stic-cil.org > > > > > > > > [excessive quoting removed by server] ___ Post Messages to: ProFox@leafe.com Subscription Maintenance: http://mail.leafe.com/mailman/listinfo/profox OT-free version of this list: http://mail.leafe.com/mailman/listinfo/profoxtech Searchable Archive: http://leafe.com/archives/search/profox This message: http://leafe.com/archives/byMID/profox/1515140886.815878.1225027584.154a1...@webmail.messagingengine.com ** All postings, unless explicitly stated otherwise, are the opinions of the author, and do not constitute legal or medical advice. This statement is added to the messages for those lawyers who are too stupid to see the obvious.
RE: [NF] Meltdown and Spectre CPU Flaw Information
If you are a HIPAA shop then I'm sure your IT team is paying proper attention to this. -- rk -Original Message- From: ProfoxTech [mailto:profoxtech-boun...@leafe.com] On Behalf Of Ken Dibble Sent: Thursday, January 04, 2018 2:46 PM To: profoxt...@leafe.com Subject: RE: [NF] Meltdown and Spectre CPU Flaw Information Virtually everything we do here involves HIPAA-sensitive information, but we have very robust perimeter defenses. I'm much more concerned about a potential 30%+ performance loss in systems that are constantly used by nearly a hundred people every day. >The exploit allows VMs to go into the memory space of other VMs. >Very bad. Unless you don't have any sensitive info that needs to >stay that way. > >-- > >rk > >-Original Message- >From: ProfoxTech [mailto:profoxtech-boun...@leafe.com] On Behalf Of Ken Dibble >Sent: Thursday, January 04, 2018 1:35 PM >To: profoxt...@leafe.com >Subject: Re: [NF] Meltdown and Spectre CPU Flaw Information > >I just can't wait to see what it's going to do to my highly >virtualized network--if I ever decide to let it through. Probably a >smaller version of what it's already started to do to some commercial >cloud systems. > >Windows Automatic Updates: Just Say No. (TM) > > >Also, kudos to Microsoft for shipping their patches a week early, and > >spontaneously rebooting idle Windows workstations while people were > >freaking out over the new exploits. Good job! > > > >On Thu, Jan 4, 2018 at 12:27 PM, Ken Dibble <krdib...@stny.rr.com> wrote: > > > Hi folks, > > > > > > Ask Woody has a very thorough report on this, with links to more > > > information. > > > > > > We all need to be fully informed about this; it is going to affect > > > everybody. > > > > > > https://www.askwoody.com/ > > > > > > Ken Dibble > > > www.stic-cil.org > > > > > > [excessive quoting removed by server] ___ Post Messages to: ProFox@leafe.com Subscription Maintenance: http://mail.leafe.com/mailman/listinfo/profox OT-free version of this list: http://mail.leafe.com/mailman/listinfo/profoxtech Searchable Archive: http://leafe.com/archives/search/profox This message: http://leafe.com/archives/byMID/profox/mwhpr10mb177482304dba53204e569459d2...@mwhpr10mb1774.namprd10.prod.outlook.com ** All postings, unless explicitly stated otherwise, are the opinions of the author, and do not constitute legal or medical advice. This statement is added to the messages for those lawyers who are too stupid to see the obvious.
RE: [NF] Meltdown and Spectre CPU Flaw Information
Virtually everything we do here involves HIPAA-sensitive information, but we have very robust perimeter defenses. I'm much more concerned about a potential 30%+ performance loss in systems that are constantly used by nearly a hundred people every day. The exploit allows VMs to go into the memory space of other VMs. Very bad. Unless you don't have any sensitive info that needs to stay that way. -- rk -Original Message- From: ProfoxTech [mailto:profoxtech-boun...@leafe.com] On Behalf Of Ken Dibble Sent: Thursday, January 04, 2018 1:35 PM To: profoxt...@leafe.com Subject: Re: [NF] Meltdown and Spectre CPU Flaw Information I just can't wait to see what it's going to do to my highly virtualized network--if I ever decide to let it through. Probably a smaller version of what it's already started to do to some commercial cloud systems. Windows Automatic Updates: Just Say No. (TM) >Also, kudos to Microsoft for shipping their patches a week early, and >spontaneously rebooting idle Windows workstations while people were >freaking out over the new exploits. Good job! > >On Thu, Jan 4, 2018 at 12:27 PM, Ken Dibble <krdib...@stny.rr.com> wrote: > > Hi folks, > > > > Ask Woody has a very thorough report on this, with links to more > > information. > > > > We all need to be fully informed about this; it is going to affect > > everybody. > > > > https://www.askwoody.com/ > > > > Ken Dibble > > www.stic-cil.org > > > > [excessive quoting removed by server] ___ Post Messages to: ProFox@leafe.com Subscription Maintenance: http://mail.leafe.com/mailman/listinfo/profox OT-free version of this list: http://mail.leafe.com/mailman/listinfo/profoxtech Searchable Archive: http://leafe.com/archives/search/profox This message: http://leafe.com/archives/byMID/profox/ ** All postings, unless explicitly stated otherwise, are the opinions of the author, and do not constitute legal or medical advice. This statement is added to the messages for those lawyers who are too stupid to see the obvious.
RE: [NF] Meltdown and Spectre CPU Flaw Information
The exploit allows VMs to go into the memory space of other VMs. Very bad. Unless you don't have any sensitive info that needs to stay that way. -- rk -Original Message- From: ProfoxTech [mailto:profoxtech-boun...@leafe.com] On Behalf Of Ken Dibble Sent: Thursday, January 04, 2018 1:35 PM To: profoxt...@leafe.com Subject: Re: [NF] Meltdown and Spectre CPU Flaw Information I just can't wait to see what it's going to do to my highly virtualized network--if I ever decide to let it through. Probably a smaller version of what it's already started to do to some commercial cloud systems. Windows Automatic Updates: Just Say No. (TM) >Also, kudos to Microsoft for shipping their patches a week early, and >spontaneously rebooting idle Windows workstations while people were >freaking out over the new exploits. Good job! > >On Thu, Jan 4, 2018 at 12:27 PM, Ken Dibble <krdib...@stny.rr.com> wrote: > > Hi folks, > > > > Ask Woody has a very thorough report on this, with links to more > > information. > > > > We all need to be fully informed about this; it is going to affect > > everybody. > > > > https://www.askwoody.com/ > > > > Ken Dibble > > www.stic-cil.org > > > > [excessive quoting removed by server] ___ Post Messages to: ProFox@leafe.com Subscription Maintenance: http://mail.leafe.com/mailman/listinfo/profox OT-free version of this list: http://mail.leafe.com/mailman/listinfo/profoxtech Searchable Archive: http://leafe.com/archives/search/profox This message: http://leafe.com/archives/byMID/profox/mwhpr10mb177425e77fd9e2074307b0a8d2...@mwhpr10mb1774.namprd10.prod.outlook.com ** All postings, unless explicitly stated otherwise, are the opinions of the author, and do not constitute legal or medical advice. This statement is added to the messages for those lawyers who are too stupid to see the obvious.
Re: [NF] Meltdown and Spectre CPU Flaw Information
I just can't wait to see what it's going to do to my highly virtualized network--if I ever decide to let it through. Probably a smaller version of what it's already started to do to some commercial cloud systems. Windows Automatic Updates: Just Say No. (TM) Also, kudos to Microsoft for shipping their patches a week early, and spontaneously rebooting idle Windows workstations while people were freaking out over the new exploits. Good job! On Thu, Jan 4, 2018 at 12:27 PM, Ken Dibblewrote: > Hi folks, > > Ask Woody has a very thorough report on this, with links to more > information. > > We all need to be fully informed about this; it is going to affect > everybody. > > https://www.askwoody.com/ > > Ken Dibble > www.stic-cil.org > > [excessive quoting removed by server] ___ Post Messages to: ProFox@leafe.com Subscription Maintenance: http://mail.leafe.com/mailman/listinfo/profox OT-free version of this list: http://mail.leafe.com/mailman/listinfo/profoxtech Searchable Archive: http://leafe.com/archives/search/profox This message: http://leafe.com/archives/byMID/profox/ ** All postings, unless explicitly stated otherwise, are the opinions of the author, and do not constitute legal or medical advice. This statement is added to the messages for those lawyers who are too stupid to see the obvious.
Re: [NF] Meltdown and Spectre CPU Flaw Information
Also, kudos to Microsoft for shipping their patches a week early, and spontaneously rebooting idle Windows workstations while people were freaking out over the new exploits. Good job! On Thu, Jan 4, 2018 at 12:27 PM, Ken Dibblewrote: > Hi folks, > > Ask Woody has a very thorough report on this, with links to more > information. > > We all need to be fully informed about this; it is going to affect > everybody. > > https://www.askwoody.com/ > > Ken Dibble > www.stic-cil.org > > [excessive quoting removed by server] ___ Post Messages to: ProFox@leafe.com Subscription Maintenance: http://mail.leafe.com/mailman/listinfo/profox OT-free version of this list: http://mail.leafe.com/mailman/listinfo/profoxtech Searchable Archive: http://leafe.com/archives/search/profox This message: http://leafe.com/archives/byMID/profox/cacw6n4u-jc7-0fbxrvrx4gymcgz+uav53ju7ea9vex5uh-h...@mail.gmail.com ** All postings, unless explicitly stated otherwise, are the opinions of the author, and do not constitute legal or medical advice. This statement is added to the messages for those lawyers who are too stupid to see the obvious.
Re: [NF] Meltdown and Spectre CPU Flaw Information
Nah! - nothing to worry about here - just an old government backdoor into - er - everything. On 04-Jan-2018 10:57 PM, Ken Dibble wrote: Hi folks, Ask Woody has a very thorough report on this, with links to more information. We all need to be fully informed about this; it is going to affect everybody. https://www.askwoody.com/ Ken Dibble www.stic-cil.org [excessive quoting removed by server] ___ Post Messages to: ProFox@leafe.com Subscription Maintenance: http://mail.leafe.com/mailman/listinfo/profox OT-free version of this list: http://mail.leafe.com/mailman/listinfo/profoxtech Searchable Archive: http://leafe.com/archives/search/profox This message: http://leafe.com/archives/byMID/profox/fe2dc23c-7906-fbf2-be1e-ed148a369...@hawthorncottage.com ** All postings, unless explicitly stated otherwise, are the opinions of the author, and do not constitute legal or medical advice. This statement is added to the messages for those lawyers who are too stupid to see the obvious.