SoylentNews first reported the vulnerabilities on January 3. Since then, we have had a few stories addressing different reports about these vulnerabilities. Now that it is over two weeks later and we are *still* dealing with reboots, I am curious as to what our community's experience has been.
What steps have you taken, if any, to deal with these reports? Be utterly proactive and install every next thing that comes along? Do a constrained roll out to test a system or two before pushing out to other systems? Wait for the dust to settle before taking any steps?
What providers (system/os/motherboard/chip) have been especially helpful... or non-helpful? How has their response affected your view of that company?
What resources have you been using to check on the status of fixes for your systems? Have you found a site that stands above the others in timeliness and accuracy?
How has this affected your purchasing plans... and your expectations on what you could get for selling your old system? Are you now holding off on purchasing something new?
Related Stories
UPDATE 2: (martyb)
This still-developing story is full of twists and turns. It seems that Intel chips are definitely implicated (AFAICT anything post Pentium Pro). There have been various reports, and denials, that AMD and ARM are also affected. There are actually two vulnerabilities being addressed. Reports are that a local user can access arbitrary kernel memory and that, separately, a process in a VM can access contents of other virtual machines on a host system. These discoveries were embargoed for release until January 9th, but were pre-empted when The Register first leaked news of the issues.
At this time, manufacturers are scrambling to make statements on their products' susceptibility. Expect a slew of releases of urgent security fixes for a variety of OSs, as well as mandatory reboots of VMs on cloud services such as Azure and AWS. Implications are that there is going to be a performance hit on most systems, which may have cascading follow-on effects for performance-dependent activities like DB servers.
To get started, see the very readable and clearly-written article at Ars Technica: What’s behind the Intel design flaw forcing numerous patches?
Google Security Blog: Today's CPU vulnerability: what you need to know.
Google Project Zero: Reading privileged memory with a side-channel, which goes into detail as to what problems are being addressed and includes the CVEs.
Google security researchers have come to the conclusion that speculative execution attacks are here to stay without drastic changes to modern CPU architectures, such as removing speculative execution entirely.
Spectre is here to stay: An analysis of side-channels and speculative execution
Related:
Patch for Intel Speculative Execution Vulnerability Could Reduce Performance by 5 to 35% [Update: 2]
Qualcomm Joins Others in Confirming its CPUs Suffer From Spectre, and Other Meltdown News
Congress Questions Chipmakers About Meltdown and Spectre
What Impact Has Meltdown/Spectre Had on YOUR Systems?
Intel Admits a Load of its CPUs Have Spectre V2 Flaw That Can't be Fixed
Intel FPU Speculation Vulnerability Confirmed
New Spectre Variant SpectreRSB Targets Return Stack Buffer
Intel Discloses a Speculative Execution Attack in Software Guard eXtensions (SGX)
Intel 'Gags' Linux Distros From Revealing Performance Hit From Spectre Patches
MIT Researchers Claim to Have a Solution for Some Speculative Execution Attacks
Spectre, Meltdown Researchers Unveil 7 More Speculative Execution Attacks
New Side-Channel Leak: Researchers Attack Operating System Page Caches
(Score: 3, Funny) by Revek on Friday January 19 2018, @01:51PM (1 child)
I had three machines go down within a day of one another. So those patches are really working out for the manufacturers.
(Score: -1, Spam) by Anonymous Coward on Friday January 19 2018, @01:56PM
"Drown in strut!" you shout. You then stab the feces baby repeatedly until it stops crying. A grand victory indeed, but what power does this place output...?
(Score: 3, Informative) by fliptop on Friday January 19 2018, @01:56PM
Spectre and Meltdown Checker [githubusercontent.com]
Our Constitution was made only for a moral and religious people. It is wholly inadequate to the government of any other.
(Score: 4, Interesting) by The Mighty Buzzard on Friday January 19 2018, @02:00PM (4 children)
Aside from the physical servers hosting our VMs being updated so we can't do nefarious stuff to Linode and an update for my browser so that javascript can't be used as a vector, nothing much at all. Aside from js, my boxes never run anything not initiated by myself and the guys who have access to run arbitrary code on any of our servers except the staff server have root anyway.
My rights don't end where your fear begins.
(Score: 0) by Anonymous Coward on Friday January 19 2018, @02:54PM (1 child)
Same here. I use Linode for hosting as well. Good communication from them. My machines at home are all AMD machines, so there's nothing to be done there so far it seems.
(Score: 3, Informative) by The Mighty Buzzard on Friday January 19 2018, @05:26PM
No, AMD is not immune and there are patches out. They're just not critical to me because between my desktop and all the Linode VMs, the only thing that is supposed to allow remote code execution by untrusted parties is javascript in my desktop browser.
My rights don't end where your fear begins.
(Score: 0) by Anonymous Coward on Saturday January 20 2018, @04:23PM (1 child)
Have you seen any measurable performance drop after the updates?
(Score: 2) by The Mighty Buzzard on Saturday January 20 2018, @07:14PM
In my browser? Nah. Haven't bothered checking on the db servers for SN though because nobody has bitched about error pages yet.
My rights don't end where your fear begins.
(Score: 5, Informative) by fyngyrz on Friday January 19 2018, @02:02PM (9 children)
My work systems are completely isolated from the net. They generate code. They don't take in files, are not connected to the LAN in any way, don't get upgraded OS's, or talk to other systems. They generate files, which get sneaker-netted from them to the uploading-capable hardware.
Consequently, they are not at risk from black hats or being (further) slowed down (they're old hardware, they aren't that fast anyway.) Replacements, when needed, are installed from known good media that is really quite old. That's only happened once, when a motherboard went bad.
I'll have to swallow the slowdown if I ever had to upgrade to a new work machine with a new OS (not looking at all likely), but there's no reason to "upgrade" the work machines at this point, nor has there been for quite a few years.
I intentionally build on the oldest OS I can (for OS X, that's 10.6.8, and Windows XP for the rest) so that I'm not screwing my users. Once that's done, stuff gets tested on the latest machines, and if it still works, it's good to go and it gets to go into distribution.
As for the net-connected desktop - this machine - who cares. If it gets sick, it gets nuked and I start over. It's just browsers and the like anyway. I can't see connecting a computer to the Internet with critical data on it. That's just asking for something bad to happen.
I can see how it'd be a problem for a one-machine setup, but I'm not inclined to go there; it's neither a good idea for compatibility's sake for generating the applications I write, or WRT keeping the black hats out of the critical goodness.
Security's important - and the one thing we should all recognize by now is that if you're net-connected, you're not secure.
(Score: 2) by acid andy on Friday January 19 2018, @02:14PM (3 children)
I like this approach, so long as the upload machine doesn't have write access to the media (or the media is never reinserted in the secure machine) although maybe on Linux this is less of a worry than Windows. DVDR / CDR would do it.
If a cat has kittens, does a rat have rittens, a bat bittens and a mat mittens?
(Score: 5, Funny) by fyngyrz on Friday January 19 2018, @02:23PM (2 children)
Yes. CD-R is exactly how I do it. I have cases of the things. So far, they all write just fine, and once used, they're tossed. Eventually I'll run out, and/or they'll probably stop making them, but I'll probably croak or at least quit writing software first. One of the (very few) benefits of being old. :)
(Score: 1, Offtopic) by Bot on Friday January 19 2018, @04:12PM (1 child)
You might want to investigate rewritable CDRs.
Account abandoned.
(Score: 2, Informative) by Anonymous Coward on Friday January 19 2018, @06:37PM
If you read, the disposability is considered a feature, as they act as a data diode.
There also exist data diodes that allow realtime pushing of data:
http://www.waterfall-security.com/wp-content/uploads/2012/02/Securing-Critical-Cyber-Assets-with-Data-Diodes.pdf [waterfall-security.com]
(Score: 2) by Gaaark on Friday January 19 2018, @04:19PM
"and the one thing we should all recognize by now is that if you're net-connected, you're not secure"
So say we all! SO say we all! SO SAY we all!
--Commander Adama approves this message.
--- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
(Score: 2) by RS3 on Friday January 19 2018, @06:45PM (3 children)
You're quite safe, but ... it was about 1994, I had been using the Internet for ftp, archie, etc., but not the web yet. Although we (company I worked for) had a LAN, we still did a lot of sneakernet. I remember putting a 1.44M floppy in a machine and got an error that it was write protected. That's odd, machine was running MS-DOS, nothing was running- just command.com prompt. Why was anything accessing the floppy drive, let alone trying to write to it? I don't remember what tools I had, but being a low-level guy I did some sector scanning, disassembler / debug on the stuff and found my first computer virus. One of the other employees had downloaded and run something on that machine (modem days). Somewhere I had gotten a scanner- Norton, McAfee? don't remember- but the little bugger had replicated itself to many floppies around the company, so we had to do a mass scan, then be vigilant by using the write-protect shutter and anti-virus software. Sigh.
Point of the story: even sneaker-net can carry malware, and Microsoft's "autoplay" makes it worse (I _always_ turn autoplay OFF for all drives / globally).
(Score: 0) by Anonymous Coward on Friday January 19 2018, @08:10PM (2 children)
Is that really the term that was used for the situation?
(Score: 0) by Anonymous Coward on Friday January 19 2018, @08:13PM
Sorry.
(Score: 2) by Runaway1956 on Friday January 19 2018, @09:29PM
Not sure where you're coming from. I'll presume that you are young, and never used floppy disks. There was a little sliding plastic tab at the top corner of the disk. Slide the tab closed, and your floppy drive could write to the disk. Slide the tab open, and your floppy drive could not write to the disk. The term generally used was "write protect".
http://www.techbuzz.in/how-can-i-enable-or-disable-write-protection-of-a-3%C2%BD-inch-floppy-disk.php [techbuzz.in]
image here http://art-design-glossary.musabi.ac.jp/wpwp/wp-content/uploads/2014/01/039_floppy-disk_03_2_en.jpg [musabi.ac.jp]
(Score: 2) by Snotnose on Friday January 19 2018, @02:21PM (3 children)
Used to auto-download Windows updates then had it ask me to install them. Now I don't even want to download an update until they fix the AMD bricking issues. I've got an AMD based laptop.
I'll take my chances with being hacked over my laptop being bricked.
When the dust settled America realized it was saved by a porn star.
(Score: 4, Informative) by ElizabethGreene on Friday January 19 2018, @02:39PM (1 child)
>> amd based laptop
Microsoft changed the detection logic for the Spectre/meltdown patch so you won't be offered it if you have one of the machines that may fail to boot after the update.
If you are on Win10 1607, I saw a new release for it yesterday that fixes the AMD issue entirely. It's here.
https://support.microsoft.com/en-us/help/4057142 [microsoft.com]
(Score: 3, Insightful) by Nerdfest on Friday January 19 2018, @07:56PM
It may still fail to boot for normal Windows-related reasons of course.
(Score: 0) by Anonymous Coward on Friday January 19 2018, @07:45PM
The most critical problem you have is Windows. That however is fortunately easily cured.
(Score: -1, Offtopic) by realDonaldTrump on Friday January 19 2018, @02:33PM
I'm not an EMAIL person. I don't believe in it because I think it can be hacked, for one thing. But when I send an EMAIL -- if I send one -- I send one almost never. I'm just not a believer in EMAIL.
I think the computers have complicated lives very greatly. I don't use computers. I use Samsung. I used to use iPhone too, but I'm boycotting Apple, because Apple doesn't give info to authorities on the terrorists. I'll only be using Samsung until they give info.
The whole, you know, age of computer has made it where nobody knows exactly what's going on. We have speed and we have a lot of other things, but I'm not sure you have the kind of security you need. You try to be fast, you lose the security. You try to have security, you lose the speed. Big league.
(Score: 1) by ElizabethGreene on Friday January 19 2018, @02:46PM (2 children)
This is a 2-day old press release from Intel.
https://newsroom.intel.com/news/firmware-updates-and-initial-performance-data-for-data-center-systems/ [intel.com]
“[…]As I noted in my blog post last week, while the firmware updates are effective at mitigating exposure to the security issues, customers have reported more frequent reboots on firmware updated systems.
As part of this, we have determined that similar behavior occurs on other products in some configurations, including Ivy Bridge-, Sandy Bridge-, Skylake-, and Kaby Lake-based platforms. We have reproduced these issues internally and are making progress toward identifying the root cause. In parallel, we will be providing beta microcode to vendors for validation by next week.”
I'm waiting to apply the Intel/Hp microcode updates to my PC until they get it sorted. The windows patches cover two of the three attacks. That has to be good enough for now.
(Score: 5, Insightful) by bradley13 on Friday January 19 2018, @03:04PM (1 child)
You have to love the "more frequent reboots". Their PR folks are being weasels. Say it together now: "system crashes".
A rushed microcode update that causes the O/S to crash. That's going to be just buckets of fun to debug.
Everyone is somebody else's weirdo.
(Score: 2) by Runaway1956 on Friday January 19 2018, @03:42PM
Every silver lining has its cloud, right?
(Score: 4, Interesting) by bradley13 on Friday January 19 2018, @02:57PM
I manage the IT for an SME (very small):
Steps taken to deal with the reports? None. Assume MS/Linux updates will happen when ready. For AWS cloud servers, assume that AWS updates will happen when ready. The systems are all set up securely, are behind firewalls, the company doesn't hold any really sensitive data. "No action" seems to be the most sensible choice.
What providers have been helpful? I haven't heard from any system providers, not even for recently purchased systems (which we do have).
What resources have you been using to check on the status of fixes? Um, that would be "none" again. Nothing I'm going to do about these security holes anyway, so...let things take their course.
How has this affected your purchasing plans? If AMD keeps up the good work, it's back to AMD processors. AMD had fallen behind for a while, but Ryzen already looked good, and now it looks even better. That is: if the system builders (Asus, Acer, Dell, whoever) have AMD offerings in their catalogs. I'm not building systems myself, it's just not worth it.
Everyone is somebody else's weirdo.
(Score: 1, Informative) by Anonymous Coward on Friday January 19 2018, @03:30PM (1 child)
I've had some annoyances with AV.
Cylance refuses to set the registry key that indicates they are compatible with the patch. Their excuse is "We are compatible, but what if your other AV software isn't?"
Symantec Endpoint Protection has an opposite problem. They dropped an engine update that set the "we're compatible" registry flag, but our version crashes (SEP known issue) after installing the patches.
(Score: 0) by Anonymous Coward on Saturday January 20 2018, @08:21PM
lmao, thanks that was hilarious. fucking windows users...
(Score: 1, Informative) by Anonymous Coward on Friday January 19 2018, @03:44PM (1 child)
No hurry to upgrade anything until there's a generation of chips with microarchitecture revisions.
(Score: 0) by Anonymous Coward on Saturday January 20 2018, @12:38AM
Continuing with grep:
# dmesg | grep "isolation"
It should report something like "Kernel/User page tables isolation: enabled" if the patch is in use. It can be disabled by boot param "nopti".
https://pastebin.com/5qacGA17 [pastebin.com] has a small test that can be compiled with g++ -o foo foo.cpp.
It opens and closes a file. For me that takes ~4x as long with PTI vs the same kernel with "nopti". Luckily programs don't do that only, they also compute things, but it's clear this CPU (first or second generation of i7) gets a bad hit when calling the kernel. Maybe future changes to KPTI will improve that, but not holding my breath.
(Score: 3, Informative) by bzipitidoo on Friday January 19 2018, @03:58PM
On some of my systems. Rushing to update backfires too often for me to jump on every update the moment they come out. Witness the issue with Windows 10 patches making AMD machines unbootable.
Thought about digging out my old 133 MHz Pentium MMX laptop that still has its original installation of Windows 98 (of course I made it into a dual boot machine), but with only 96M RAM (the maximum that machine could support) Firefox is barely usable. Takes 30 seconds just to start up. Last version I installed was 3.5, and that is now so obsolete it probably can't handle most websites today. Predates HTML5. Possibly it could still view SoylentNews, since this site does not have all the fancy bells and whistles that serve only to slow everything down. Nah, not worth the trouble.
I have been kinda hoping some accident would destroy that laptop thus pushing me to finally get rid of it like I should have done 10 years ago. But dang, now it's one of 2 working machines I have that supposedly aren't affected by Spectre or Meltdown. The other is a 486 based Soekris box that I use as my web server.
(Score: 2) by richtopia on Friday January 19 2018, @04:08PM (1 child)
Servers that consider security super critical will need new silicon to resolve Spectre. If AMD starts making chips with Spectre resolved first then maybe some servers will migrate, but after the majority of servers running Intel chips for years many purchasers won't deviate from their experience.
(Score: 2) by frojack on Friday January 19 2018, @06:33PM
Are you sure? I'm not.
For better than a decade, there has been no operational difference in the server world between competitive AMD vs Intel chips.
There hasn't been any reason, other than price, to choose one over the other. There's really not much reason not to choose ARM for server platforms, where there exist competitive models.
If you have a warehouse sized rack room, and you build one image and impose it on a couple thousand servers, maybe you want them all the same, but even that sounds fictitious.
No, you are mistaken. I've always had this sig.
(Score: 2) by legont on Friday January 19 2018, @04:09PM
From a large shop here where customers actually matter. No patch - not a single one - is ready to even start performance testing. End of February... maybe... I'll have something to play with, but I doubt it very much.
"Wealth is the relentless enemy of understanding" - John Kenneth Galbraith.
(Score: 2) by inertnet on Friday January 19 2018, @05:10PM (1 child)
After some Linux updates I thought all my VM's were bricked because of these issues, but a more recent Virtualbox version fixed everything again. I don't know if this was related to a Meltdown/Spectre security fix, but because of the timing I have to assume so. Ubuntu 16.10 repositories still have the old bricking Virtualbox version as far as I can tell.
(Score: 0) by Anonymous Coward on Friday January 19 2018, @06:42PM
This was my hairloss experience most of last week. After the kernel patch arrived, every time I started up any VM it would freeze the entire machine (host), leave no logs and no other way out than the power button. Then I found a thread that was auto-dismissed by the moderators on a tech site which I won't name, but below their terse silliness lay a reply with the answer. I had even removed Vbox and re-installed from the repos, something like 5.0.24 .. but the solution was to get Oracle's 5.2 release directly.
(Score: 2) by frojack on Friday January 19 2018, @06:18PM (2 children)
I actually have noticed nothing, before or after all the patches arrived, other than kernel update after kernel update forcing reboots.
So it's exactly like all the other vulnerabilities found by researchers with carefully crafted proofs of concept, which somehow never seem to occur in the real world.
Will this flood of #NotMe posts serve any real purpose not better served by a poll?
No, you are mistaken. I've always had this sig.
(Score: 2) by inertnet on Friday January 19 2018, @07:49PM (1 child)
It would have been nice to be able to measure actual performance loss. But I assume, like me, not many people have bothered to benchmark their systems before the updates were installed.
(Score: 0) by Anonymous Coward on Saturday January 20 2018, @09:19PM
> measure actual performance loss.
Apples.
> like me, not many people have bothered to benchmark their systems
Oranges.
Benchmarks might tell you what it's like under particular stresses. But they won't reveal cache miss rate changes causing every 13th frame to drop from a particular codec's CPU-processed video, giving a strange stutter. And so forth.
(Score: 0) by Anonymous Coward on Friday January 19 2018, @09:14PM (2 children)
Does anyone have "proof of exploit code" for meltdown for Intel CPUs?
I would like to test Intel P4 Prescott era CPUs. I see the "CPUs since 1995" quoted, but have P4s really been tested?
For internet access I use a customized Linux live image booted from a USB key. So every power cycle gives me a "fresh install".
(Score: 2) by RS3 on Saturday January 20 2018, @01:49AM
"fliptop" posted this earlier in this discussion:
https://raw.githubusercontent.com/speed47/spectre-meltdown-checker/master/spectre-meltdown-checker.sh [githubusercontent.com]
I tried it on an older P4, and on some P3s and they are all vulnerable:
(Score: 0) by Anonymous Coward on Sunday January 21 2018, @06:39AM
I was actually referring to the exploit code, not the patch checker.
So i used this:
https://github.com/paboldin/meltdown-exploit [github.com]
When I run on a P4 Prescott 630, I have to run the exploit code somewhere between 200 and 2000 times to get it to show the correct "stolen" data and even then, not all bytes are correct. So my conclusion is that P4s of that vintage theoretically have the vulnerability, but it's not reliable enough to steal much data.
I ran using the same linux live USB key on different machines with the same exact 32 bit executable. To verify that the executable could work, I ran it on an Intel i5-2520M and it showed the vulnerability every time for about 30 runs (all "stolen" bytes correct).
The link above also has lists of VULNERABLE and NOT VULNERABLE cpus -- see the issues 19 and 22.
(Score: 2) by shortscreen on Friday January 19 2018, @09:49PM
no 1337 hAcKeR v00d00 is necessary for me to get pwned
(Score: 1) by iru on Friday January 19 2018, @10:19PM
Still patching it. I manage a few systems that have the ksplice utility which allows kernel updates without reboots. Oracle however has not answered my questions about the possibility of patching through the tool or if we will have to take time to reboot those servers. We also have around thousands of PoS systems based on Ubuntu 16.06 which require a dist-upgrade but we are still studying if said upgrade will break our customizations.
(Score: 1) by TuxPower on Saturday January 20 2018, @10:50AM
But that is probably because Mint 17.3 upgraded the kernel from 3.19.0 to 4.4.0.
cd
more beer
(Score: 1) by Apparition on Sunday January 21 2018, @01:50AM
I was planning to purchase a new AMD Ryzen+ computer this year, but I'll hold off until 2019 or possibly 2020 as all of the CPUs that will release the next six months at minimum will still be susceptible to Spectre. Perhaps AMD Ryzen 2.