Meltdown & Spectre Information and Discussion
#1
Happy New Year Everyone:
What better way to ring in 2018 than to scramble and fix a ten-year-old security flaw in the processor.
There is a kernel memory leak in Intel processors' design that now puts Windows and Linux users in harm's way as programmers rush to apply patches as quickly as possible.

https://www.onmsft.com/news/intels-kerne...wing-patch

But wait!
As for Linux users, there are patches for the Linux kernel available now.
#2
Which means?
Just keep loading LL updates and all will be solved??
2006 - HP DC7700p ultraslim Desktop Intel 6300 cpu  4GB Ram LL3.8 64bit.
2007 - Fujitsu Siemens V3405 Laptop  2 GB Ram LL3.6 32bit. Now 32bit Debian 9 + nonfree.
2006 - Fujitsu Siemens Si1520 Laptop Intel T720 cpu 3GB Ram   LL5.6 64 Bit
2014 - Fujitsu Siemens Lifebook E754 Intel i7 4712MQ 16GB Ram LL6.6
2003 - RETIRED Toshiba Satellite Pro A10 1 GB RAM LL2.8 32bit
#3
A good, simple breakdown:

https://www.youtube.com/watch?v=lsQAGqMaXi0
#4
[Image: saw-a-video-benchmarking-an-amd-and-inte...444517.jpg]
#5
@Jerry, watched video but it was beyond my understanding. :-[ Glad my main computer is AMD based on the recommendations of the ghost formerly known as Spatry. Wink

Left Mac OS X for Linux in Jan 2014
#6
The video lost me about 10 seconds after it started. I have no idea what he is talking about.
Life on earth is expensive but it does include a free trip around the sun.
#7
Thanks for this.  Though I'm not sure how well I understand some parts.

In essence, and from technical news posts, my understanding is that (anyone who has better knowledge may correct me):
  • Intel processors since the 1990s are vulnerable to this because of using the "speculative" approach.  But cancelling this approach can greatly slow processing in processor-intensive tasks.
  • AMD processors are technically unknown according to some reports, and unaffected by others; and possibly affected in their own right by others (I don't have the sources to hand).  My take is that it is unknown/thought unlikely to affect AMD processors.
  • My take is also that it requires local access to exploit (as known at the moment), but whether that will continue to be the case isn't reported on in the items I've read.
  • This has been known about for some time.
  • The problem requires fixing at the OS level.

I'm presuming that using Intel processors with the current kernel 4.4.x series in Linux Lite leaves it theoretically vulnerable; though I understand that at present there is no malware exploiting the problem?

Don't worry about artificial intelligence.  Worry about natural stupidity.  Smile
#8
This may or may not help explain things...

https://thehackernews.com/2018/01/meltdown-spectre-vulnerability.html
#9
OK.

I've had a few minutes to research this further, since coming to it myself first time first thing this morning.

There are two bugs reported:  MELTDOWN and SPECTRE.  According to Wikipedia:-

"The Meltdown vulnerability can be thought of as a particularly easy and efficient-to-implement special case of Spectre."  Note that there is no citation and it is reported as needing one; indeed citation is lacking in the Spectre entry at this time.

"Two Common Vulnerabilities and Exposures IDs related to Spectre, CVE-2017-5753 and CVE-2017-5715, have been issued."

Spectre affects Intel, AMD and ARM processors.

"[Meltdown] was issued a Common Vulnerabilities and Exposures ID of CVE-2017-5754."

Meltdown affects Intel processors and "does not seem to affect AMD microprocessors".

The Wikipedia entries are at:-

https://en.wikipedia.org/wiki/Spectre_(s...erability)
https://en.wikipedia.org/wiki/Meltdown_(...erability)

There is a website for Meltdown and Spectre (which both Wikipedia articles label as the "official website") at:

https://meltdownattack.com/

Hope this helps, though I'm still reading up on it at the moment.
Don't worry about artificial intelligence.  Worry about natural stupidity.  Smile
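
Added example, not part of the original thread: a shell check that reads the running kernel's own mitigation report for the three CVEs listed in the post above from `/sys/devices/system/cpu/vulnerabilities`. The function names and the `unreported` result (used when the kernel predates this reporting interface) are choices made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): summarise the kernel's reported
# mitigation state for the Spectre and Meltdown CVEs.
VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# classify_status TEXT -> not-affected | mitigated | vulnerable | unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo not-affected ;;
        "Mitigation"*)   echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# check_cve DIR FILE -> classification, or 'unreported' when the kernel
# exposes no status file (older kernels lack this interface entirely).
check_cve() {
    f="$1/$2"
    if [ ! -r "$f" ]; then
        echo unreported
        return 0
    fi
    classify_status "$(head -n 1 "$f")"
}

# report [DIR] -> one line per CVE; returns 1 unless every entry is
# confirmed 'mitigated' or 'not-affected'.
report() {
    dir="${1:-$VULN_DIR_DEFAULT}"
    rc=0
    for pair in "CVE-2017-5753:spectre_v1" \
                "CVE-2017-5715:spectre_v2" \
                "CVE-2017-5754:meltdown"; do
        cve="${pair%%:*}"
        file="${pair#*:}"
        state="$(check_cve "$dir" "$file")"
        printf '%s (%s): %s\n' "$cve" "$file" "$state"
        case "$state" in
            not-affected|mitigated) ;;
            *) rc=1 ;;
        esac
    done
    return $rc
}

# Print the report for this machine; the status is informational here.
report "$@" || true
```

An `unreported` line means the kernel cannot say whether it is patched, which on an old kernel series is itself a reason to check for updates.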
#10
I have two Windows 10 machines that have been already patched (both originally developer/insider mode) and have had no problems so far, and no noticeable performance issues though there are reports of some VM complications elsewhere. In the case of Linux this is another OEM hardware nuisance which like all such nuisances diffuses down to ordinary users with some over-reaction. Spectre is a threat to ordinary users but only on multi-user boxes, i.e. - do you trust your wife? I played around with this issue some years back on a Suse Linux system I administrated. It has been known in some form or another for quite a while, but developers never looked at it as particularly threatening. It's the nature of CPUs themselves to not be secure, and again this problem lies within the whole idea of low level proprietary code. It should be a legal issue with tart recourse to the courts, but who's big enough to sue, maybe Google, or Amazon. Big business is a strangely esoteric political beast here in the US - The government bails out GM but upholds a billion dollar penalty against Ford for bad tires. I can't think of a company in recent history that deserved a class action suit against them more than Intel. As far as civil disobedience perhaps a well organized boycott of Google and Amazon would do the trick but in a lot of ways consumerism is an addiction so that would be awfully hard to organize. Buying a computer for your kids to use is a lot like taking your kids to the doctor. The difference is that most doctors live by a code of ethics, while OEM hardware is produced with an eye to insulating the developers from any liability. Intel developers don't need malpractice insurance. Intel is so big and internationalized that the US government must cast a wary eye on their hardware to protect itself. I have often thought that the first line of recourse for the government is to use the SEC to suspend trading of Intel, and then go from there.

TC

Additionally: "News" of this is hardly new. Only the exploit news part of it, which was held back by Google in agreement with Intel. I highly doubt that AMD is not vulnerable with a modified version. Any 64bit multi-core cached cpu is vulnerable. This has always been known of speculative processes. The bigger the processor the greater the possibility of stealing information. That is the only reason this has suddenly become important. CPUs are finally big enough to cough up and spew considerable information via the hack. Hilariously the hack will still work even with the patch by simply falling back to the old kernel address system. It is not a permanent solution. The permanent solution is full and complete free access to CPU microcode.

   
All opinions expressed and all advice given by Trinidad Cruz on this forum are his responsibility alone and do not necessarily reflect the views or methods of the developers of Linux Lite. He is a citizen of the United States where it is acceptable to occasionally be uninformed and inept as long as you pay your taxes.