These exploits are nasty but if they've been in Intel chips ever since they started implementing out-of-order execution in 1995 then surely if there was a serious real-world threat we would have seen it long ago?
On 05-Jan-2018 1:58 PM, Alan Bourke wrote:
These exploits are nasty but if they've been in Intel chips ever since they started implementing out-of-order execution in 1995 then surely if there was a serious real-world threat we would have seen it long ago?
Unless it's been very carefully done by state-level actors!
I think it's more of a side effect of the principle of out of order execution, not everything is a conspiracy.
On 05-Jan-2018 7:27 PM, Alan Bourke wrote:
I think it's more of a side effect of the principle of out of order execution, not everything is a conspiracy.
That's been going on for a very long time - IBM were doing instruction pre-fetch in the 70's or early 80's
Andy, Memories from the past indeed!
We had similar when I moved from Singer to ICL on their 7502 Front End Processor (FEP).
I got involved in some coding in the dreaded PLAN programming language (Uuugh!) on their 1904s range of machines before the 2900 Microcode range was launched.
Dave
-----Original Message----- From: ProFox [mailto:profox-bounces@leafe.com] On Behalf Of AndyHC Sent: 05 January 2018 17:05 To: profox@leafe.com Subject: Re: [NF] Meltdown and Spectre CPU Flaw Information
On 05-Jan-2018 7:27 PM, Alan Bourke wrote:
I think it's more of a side effect of the principle of out of order execution, not everything is a conspiracy.
That's been going on for a very long time - IBM were doing instruction pre-fetch in the 70's or early 80's
On Jan 5, 2018, at 2:28 AM, Alan Bourke alanpbourke@fastmail.fm wrote:
These exploits are nasty but if they've been in Intel chips ever since they started implementing out-of-order execution in 1995 then surely if there was a serious real-world threat we would have seen it long ago?
The flaws were only discovered recently, so there hasn’t been enough time for exploits to become widespread. You can bet now that the attack vectors are well known, they will be exploited more often.
Here’s an excellent explanation of the problem, and how the exploits work:
https://twitter.com/gsuberland/status/948907452786933762
It’s a long thread, but then again, it’s a complex issue.
-- Ed Leafe
On Jan 5, 2018, at 9:00 AM, Ed Leafe ed@leafe.com wrote:
Here’s an excellent explanation of the problem, and how the exploits work:
https://twitter.com/gsuberland/status/948907452786933762
It’s a long thread, but then again, it’s a complex issue.
And, of course, the required xkcd take on things:
-- Ed Leafe
On Fri, Jan 5, 2018 at 3:20 PM, Ed Leafe ed@leafe.com wrote:
And, of course, the required xkcd take on things:
And that's pretty much all you need to know!
Happy Friday, folks!
On 06-Jan-2018 1:50 AM, Ed Leafe wrote:
On Jan 5, 2018, at 9:00 AM, Ed Leafe ed@leafe.com wrote: ....And, of course, the required xkcd take on things:
-- Ed Leafe
<snip>
Well ... if you *need* to believe that software can patch hardware design faults.... and you also believe that these clever patches have either (a) been written in 48 hours or (b) been written well in advance *and* that's not sinister.... - - - - -now I know I've got a Sinclair Scientific calculator and an abacus around here somewhere.....
This is similar to the old "What came first, viruses or antivirus software?"
Laurie
On 6 January 2018 at 09:38, AndyHC andy@hawthorncottage.com wrote:
On 06-Jan-2018 1:50 AM, Ed Leafe wrote:
On Jan 5, 2018, at 9:00 AM, Ed Leafe ed@leafe.com wrote: ....And, of course, the required xkcd take on things:
-- Ed Leafe
<snip>
Well ... if you *need* to believe that software can patch hardware design faults.... and you also believe that these clever patches have either (a) been written in 48 hours or (b) been written well in advance *and* that's not sinister....
- -now I know I've got a Sinclair Scientific calculator and an abacus around here somewhere.....
Well, actually, he geek-splains...
On Sat, Jan 6, 2018 at 4:38 AM, AndyHC andy@hawthorncottage.com wrote:
On 06-Jan-2018 1:50 AM, Ed Leafe wrote:
On Jan 5, 2018, at 9:00 AM, Ed Leafe ed@leafe.com wrote: ....And, of course, the required xkcd take on things:
-- Ed Leafe
<snip>
Well ... if you *need* to believe that software can patch hardware design faults....
It's a thumb in the dike, not a fix. Firmware updates and eventually new chip designs are necessary.
and you also believe that these clever patches have either (a) been written in 48 hours
No, under the rules of limited disclosure, the discoverers notified the hardware and software vendors some time ago, and the disclosure has been under embargo until such time as Microsoft and Google and Mozilla and Apple had patches ready to go.
or (b) been written well in advance *and* that's not sinister....
While it's getting a bit long in the tooth (2014), "Countdown to Zero Day" by Kim Zetter has a good layperson's description of the zero day marketplace, and the white-, black- and grey-hat hackers who make serious money ($100,000 USD or more for a root-level exploit, in some cases). Is it sinister? Absolutely. Like all marketplaces, there are good guys, there are bad guys and there are seriously-scary bad guys (and governments). In this case, some geeks figured out an obscure way to poke through the garbage pile that CPUs discard and build it into an exploit. And chose to make white-hat money.
- -now I know I've got a Sinclair Scientific calculator and an abacus around here somewhere.....
Once I get my C=64 hooked up to the internet, I'll be all set!
On Sat, Jan 6, 2018 at 4:38 AM, AndyHC andy@hawthorncottage.com wrote:
Well ... if you *need* to believe that software can patch hardware design faults....
It turns out, Microsoft very much agrees with Andy:
"6. Why aren't Windows Server 2008 and Windows Server 2012 platforms getting an update? When can customers expect the fix?"
"Addressing a hardware vulnerability with a software update presents significant challenges with some operating systems requiring extensive architectural changes. Microsoft continues to work with affected chip manufacturers and investigate the best way to provide mitigations."
from:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002
I encourage you to re-read the two questions and the non-answer.
Can software fix a hardware design fault? No, but you can potentially work around it by causing the processor to work in a different way.
Also connecting a C64 to the internet is easier than you might think.
Having read El Reg's pretty good article [ http://www.theregister.co.uk/2018/01/04/intel_amd_arm_cpu_vulnerability/ ] I would just take issue with the suggestion that the vulnerability could be breached by Javascript (malign code in e.g. a jpg maybe, but not just javascript in a browser). Putting on my very battered old security consultant's hat I would say it's time to evaluate actual risk on a per situation basis: If you are a company that has foolishly put the family jewels on someone else's computer because you believed in Clouds - then hope that someone up in the clouds can fix it! If you are running heavily VM'd in-house then look out for your own villains and try to air-gap your internet facing servers. If you've got a home PC don't worry about state-level actors - if they want you they'll get you. Oh but don't let your browser remember important passwords, and try to remember to switch off each time after doing your online banking.
Old cheesy related joke:
Knock knock! Branch prediction Who's there?
On 07-Jan-2018 9:57 PM, Paul Hill wrote:
Old cheesy related joke:
Knock knock! Branch prediction Who's there?
Like!
On Sun, Jan 7, 2018 at 5:27 AM, AndyHC andy@hawthorncottage.com wrote:
Having read El Reg's pretty good article [ http://www.theregister.co.uk/2018/01/04/intel_amd_arm_cpu_vulnerability/ ] I would just take issue with the suggestion that the vulnerability could be breached by Javascript (malign code in e.g. a jpg maybe, but not just javascript in a browser).
Thanks for the reference. Linux machines were all updated Friday, Windows machines under my supervision Friday and again Saturday. Client LAMP boxes onsite were updated Friday, and VPS machines still seem to be getting updates. Rebooted Friday and again Sunday afternoon.
Putting on my very battered old security consultant's hat I would say it's time to evaluate actual risk on a per situation basis: If you are a company that has foolishly put the family jewels on someone else's computer because you believed in Clouds - then hope that someone up in the clouds can fix it!
I think clouds have been over-promised and people misunderstand what they are supposed to be. A redundant array of inexpensive services with graceful failover and no loss of data-in-motion is a great idea, but only an idea for most.
On the other hand, I have web servers on the internet ("Don't call it a cloud") that are hosted on VPS that are right in the middle of the target, so I've been working on those.
If you are running heavily VM'd in-house then look out for your own villains and try to air-gap your internet facing servers.
I'm thinking that air-gapping your internet facing servers is a good idea.
If you've got a home PC don't worry about state-level actors - if they want you they'll get you. Oh but don't let your browser remember important passwords, and try to remember to switch off each time after doing your online banking.
And... right on time: "Windows Meltdown and Spectre patches: Now Microsoft blocks security updates for some AMD based PCs:" "Microsoft has paused nine operating system security updates after complaints that they rendered some AMD PCs unbootable."
http://www.zdnet.com/article/meltdown-and-spectre-now-microsoft-blocks-secur...
I'm not.
...just nod if you can hear me
On 13 January 2018 at 09:13, Alan Bourke alanpbourke@fastmail.fm wrote:
I'm not.
-- Alan Bourke alanpbourke (at) fastmail (dot) fm
On Sat, 13 Jan 2018, at 1:23 PM, AndyHC wrote:
Knock knock! Is there anybody there?
The lunatics are in my hall.
-----Original Message----- From: ProfoxTech [mailto:profoxtech-bounces@leafe.com] On Behalf Of Desmond Lloyd Sent: Sunday, January 14, 2018 7:06 AM To: profoxtech@leafe.com Subject: Re: hellooo-o
...just nod if you can hear me
On 13 January 2018 at 09:13, Alan Bourke alanpbourke@fastmail.fm wrote:
I'm not.
-- Alan Bourke alanpbourke (at) fastmail (dot) fm
On Sat, 13 Jan 2018, at 1:23 PM, AndyHC wrote:
Knock knock! Is there anybody there?
On Mon, Jan 15, 2018 at 12:54 PM, Paul H. Tarver paul@tpcqpc.com wrote:
The lunatics are in my hall.
The paper holds their folded faces to the floor. And every day the paper boy brings more.
Just nod if you can hear me Is there anyone home?
On Mon, Jan 15, 2018 at 12:02 PM, Ted Roche tedroche@gmail.com wrote:
On Mon, Jan 15, 2018 at 12:54 PM, Paul H. Tarver paul@tpcqpc.com wrote:
The lunatics are in my hall.
The paper holds their folded faces to the floor. And every day the paper boy brings more.
-- Ted Roche Ted Roche & Associates, LLC http://www.tedroche.com
Felix
John Weller 01380 723235 07976 393631
-----Original Message----- From: ProfoxTech [mailto:profoxtech-bounces@leafe.com] On Behalf Of AndyHC Sent: 13 January 2018 13:23 To: profoxtech@leafe.com Subject: hellooo-o
Knock knock! Is there anybody there?
OK - I give!
Felix Who?
On 1/13/2018 10:39 AM, John Weller wrote:
Felix
John Weller 01380 723235 07976 393631
-----Original Message----- From: ProfoxTech [mailto:profoxtech-bounces@leafe.com] On Behalf Of AndyHC Sent: 13 January 2018 13:23 To: profoxtech@leafe.com Subject: hellooo-o
Knock knock! Is there anybody there?
If he licks my ice cream I'll hit him :-)
John Weller 01380 723235 07976 393631
-----Original Message----- From: ProfoxTech [mailto:profoxtech-bounces@leafe.com] On Behalf Of Kurt at VR-FX Sent: 13 January 2018 15:57 To: profoxtech@leafe.com Subject: Re: hellooo-o
OK - I give!
Felix Who?
On 1/13/2018 10:39 AM, John Weller wrote:
Felix
John Weller 01380 723235 07976 393631
-----Original Message----- From: ProfoxTech [mailto:profoxtech-bounces@leafe.com] On Behalf Of AndyHC Sent: 13 January 2018 13:23 To: profoxtech@leafe.com Subject: hellooo-o
Knock knock! Is there anybody there?
Felix The Cat? The wonderful.... wonderful cat? :)
On Sat, Jan 13, 2018 at 11:39 PM, John Weller john@johnweller.co.uk wrote:
Felix
On Sat, Jan 13, 2018 at 8:23 AM, AndyHC andy@hawthorncottage.com wrote:
Knock knock! Is there anybody there?
Present!
On Jan 13, 2018, at 7:23 AM, AndyHC andy@hawthorncottage.com wrote:
Knock knock! Is there anybody there?
Knock knock! Branch prediction! Who's there?
-- Ed Leafe
We gave at the office!
Paul
-----Original Message----- From: ProfoxTech [mailto:profoxtech-bounces@leafe.com] On Behalf Of AndyHC Sent: Saturday, January 13, 2018 7:23 AM To: profoxtech@leafe.com Subject: hellooo-o
Knock knock! Is there anybody there?
Greetings from Spain!!
-----Mensaje original----- De: ProFox [mailto:profox-bounces@leafe.com] En nombre de AndyHC Enviado el: sábado, 13 de enero de 2018 14:23 Para: profox@leafe.com Asunto: hellooo-o
Knock knock! Is there anybody there?
Did the "No Soliciting" sign fall off my door?
----------------------------- Michael Oke, II okeind@gmail.com 661-349-6221 -----------------------------
On Sat, Jan 13, 2018 at 3:02 PM, José Enrique Llopis futura@lobocom.es wrote:
Greetings from Spain!!
-----Mensaje original----- De: ProFox [mailto:profox-bounces@leafe.com] En nombre de AndyHC Enviado el: sábado, 13 de enero de 2018 14:23 Para: profox@leafe.com Asunto: hellooo-o
Knock knock! Is there anybody there?
Andy,
Ach....
Ach who?
Guesuntight!
Fletcher
Fletcher Johnson FletcherSJohnson@Yahoo.com LinkedIn.com/in/FletcherJohnson beknown.com/FletcherJohnson twitter.com/fletcherJ strava.com/athletes/fletcherjohnson 408-946-0960 - work 408-781-2345 - cell
-----Original Message----- From: ProFox [mailto:profox-bounces@leafe.com] On Behalf Of AndyHC Sent: Saturday, January 13, 2018 5:23 AM To: profox@leafe.com Subject: hellooo-o
Knock knock! Is there anybody there?
On Tue, Jan 9, 2018 at 1:24 PM, Ted Roche tedroche@gmail.com wrote:
On Sun, Jan 7, 2018 at 5:27 AM, AndyHC andy@hawthorncottage.com wrote:
Having read El Reg's pretty good article [ http://www.theregister.co.uk/2018/01/04/intel_amd_arm_cpu_vulnerability/ ] I would just take issue with the suggestion that the vulnerability could be breached by Javascript (malign code in e.g. a jpg maybe, but not just javascript in a browser).
Thanks for the reference. Linux machines were all updated Friday, Windows machines under my supervision Friday and again Saturday. Client LAMP boxes onsite were updated Friday, and VPS machines still seem to be getting updates. Rebooted Friday and again Sunday afternoon.
And my hosting provider (Linode, good experience) has updated their host machines, requiring another very brief restart on each of my hosted boxes.
If you've got a home PC don't worry about state-level actors - if they want you they'll get you. Oh but don't let your browser remember important passwords, and try to remember to switch off each time after doing your online banking.
And... right on time: "Windows Meltdown and Spectre patches: Now Microsoft blocks security updates for some AMD based PCs:" "Microsoft has paused nine operating system security updates after complaints that they rendered some AMD PCs unbootable."
http://www.zdnet.com/article/meltdown-and-spectre-now-microsoft-blocks-secur...
And, apparently, security never sleeps, as Microsoft released an updated advisory on Friday night (~5 PM Seattle time, hmmm...) that it was okay to patch AMD machines again.
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002
Perhaps I'll wait a while on this one, and find out how it works for others...
Ed - that comic is pretty wild!
Will admit - I never heard of this RowHammer concept! Is it for Real? I suspect so...
-K-
On 1/5/2018 3:20 PM, Ed Leafe wrote:
On Jan 5, 2018, at 9:00 AM, Ed Leafe ed@leafe.com wrote:
Here’s an excellent explanation of the problem, and how the exploits work:
https://twitter.com/gsuberland/status/948907452786933762
It’s a long thread, but then again, it’s a complex issue.
And, of course, the required xkcd take on things:
-- Ed Leafe
On Jan 6, 2018, at 10:57 AM, Kurt at VR-FX vrfx@optonline.net wrote:
Will admit - I never heard of this RowHammer concept! Is it for Real? I suspect so...
Oh, they don't have Google in your area? Too bad!
http://lmgtfy.com/?q=rowhammer
-- Ed Leafe
Yes - I guess I could have answered my own question. I was mostly shocked at the concept.
And - no - it's SO Damn Cold up here in the NorthEast right now - that even Google is Frozen and doesn't work!!!
:-)
-K-
On 1/6/2018 12:39 PM, Ed Leafe wrote:
On Jan 6, 2018, at 10:57 AM, Kurt at VR-FX vrfx@optonline.net wrote:
Will admit - I never heard of this RowHammer concept! Is it for Real? I suspect so...
Oh, they don't have Google in your area? Too bad!
http://lmgtfy.com/?q=rowhammer
-- Ed Leafe
My thoughts exactly. I usually read what the media says ("AAAAAHHHH! REPLACE ALL COMPUTERS TODAY!") and know that the reality is more like "Keep Calm And Patch On!"
Paul H. Tarver Tarver Program Consultants, Inc.
-----Original Message----- From: ProfoxTech [mailto:profoxtech-bounces@leafe.com] On Behalf Of Alan Bourke Sent: Friday, January 05, 2018 2:28 AM To: profoxtech@leafe.com Subject: Re: [NF] Meltdown and Spectre CPU Flaw Information
These exploits are nasty but if they've been in Intel chips ever since they started implementing out-of-order execution in 1995 then surely if there was a serious real-world threat we would have seen it long ago?
-- Alan Bourke alanpbourke (at) fastmail (dot) fm
On Thu, 4 Jan 2018, at 7:46 PM, Ken Dibble wrote:
Virtually everything we do here involves HIPAA-sensitive information, but we have very robust perimeter defenses. I'm much more concerned about a potential 30%+ performance loss in systems that are constantly used by nearly a hundred people every day.
The exploit allows VMs to go into the memory space of other VMs. Very bad. Unless you don't have any sensitive info that needs to stay that way.
--
rk
-----Original Message----- From: ProfoxTech [mailto:profoxtech-bounces@leafe.com] On Behalf Of Ken Dibble Sent: Thursday, January 04, 2018 1:35 PM To: profoxtech@leafe.com Subject: Re: [NF] Meltdown and Spectre CPU Flaw Information
I just can't wait to see what it's going to do to my highly virtualized network--if I ever decide to let it through. Probably a smaller version of what it's already started to do to some commercial cloud systems.
Windows Automatic Updates: Just Say No. (TM)
Also, kudos to Microsoft for shipping their patches a week early, and spontaneously rebooting idle Windows workstations while people were freaking out over the new exploits. Good job!
On Thu, Jan 4, 2018 at 12:27 PM, Ken Dibble krdibble@stny.rr.com wrote:
Hi folks,
Ask Woody has a very thorough report on this, with links to more information.
We all need to be fully informed about this; it is going to affect everybody.
Ken Dibble www.stic-cil.org