2019-01-18
from the tell-us-how-you-REALLY-think dept.
SoylentNews first reported the vulnerabilities on January 3. Since then, we have had a few stories addressing different reports about these vulnerabilities. Now that it is over two weeks later and we are *still* dealing with reboots, I am curious as to what our community's experience has been.
What steps have you taken, if any, to deal with these reports? Be utterly proactive and install every next thing that comes along? Do a constrained roll out to test a system or two before pushing out to other systems? Wait for the dust to settle before taking any steps?
What providers (system/os/motherboard/chip) have been especially helpful... or non-helpful? How has their response affected your view of that company?
What resources have you been using to check on the status of fixes for your systems? Have you found a site that stands above the others in timeliness and accuracy?
How has this affected your purchasing plans... and your expectations on what you could get for selling your old system? Are you now holding off on purchasing something new?
UPDATE 2: (martyb)
This still-developing story is full of twists and turns. It seems that Intel chips are definitely implicated (AFAICT anything post Pentium Pro). There have been various reports, and denials, that AMD and ARM are also affected. There are actually two vulnerabilities being addressed. Reports are that a local user can access arbitrary kernel memory and that, separately, a process in a VM can access contents of other virtual machines on a host system. These discoveries were embargoed for release until January 9th, but were pre-empted when The Register first leaked news of the issues.
At this time, manufacturers are scrambling to make statements on their products' susceptibility. Expect a slew of releases of urgent security fixes for a variety of OSs, as well as mandatory reboots of VMs on cloud services such as Azure and AWS. Implications are that there is going to be a performance hit on most systems, which may have cascading follow-on effects for performance-dependent activities like DB servers.
To get started, see the very readable and clearly-written article at Ars Technica: What's behind the Intel design flaw forcing numerous patches?
Google Security Blog: Today's CPU vulnerability: what you need to know.
Google Project Zero: Reading privileged memory with a side-channel, which goes into detail as to what problems are being addressed as well as including CVEs:
(Score: 3, Funny) by Revek on Friday January 19, @01:51PM (1 child)
I had three machines go down within a day of one another. So those patches are really working out for the manufacturers.
(Score: 3, Informative) by fliptop on Friday January 19, @01:56PM
Spectre and Meltdown Checker [githubusercontent.com]
It's crackers to slip a rozzer the dropsy in snide.
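The checker fliptop links is a large script; as an added example (not the checker's own code, and not part of this thread), here is a POSIX shell sketch of the core of what it does on Linux: read the per-issue status files the kernel publishes under /sys/devices/system/cpu/vulnerabilities (present on 4.15+ and on the distro backports that shipped in January) and classify each one, plus a check of /proc/cpuinfo for the spec_ctrl/ibpb flags that only appear once the Intel microcode update discussed further down the thread is actually loaded. The sysfs path and the "Not affected" / "Vulnerable" / "Mitigation:" prefixes are the mainline kernel's; the sample records and cpuinfo excerpt are constructed, so the script runs offline.

```shell
#!/bin/sh
# Added example, not spectre-meltdown-checker's own code: classify the
# per-issue speculation status the Linux kernel exposes via sysfs.
# Each file under the directory below holds one line beginning with
# "Not affected", "Vulnerable" or "Mitigation:".

SYSFS_VULN_DIR="${SYSFS_VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify_status STATUS_LINE: prints unaffected | mitigated | vulnerable | unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo unaffected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# summarize_vulns: reads "<issue> <status line>" records on stdin, prints one
# classified row per issue, and returns 1 if any issue is vulnerable or unknown,
# so a larger script can use it to decide whether a reboot is still pending.
summarize_vulns() {
    rc=0
    while read -r issue status; do
        [ -n "$issue" ] || continue
        class=$(classify_status "$status")
        printf '%-18s %-10s %s\n' "$issue" "$class" "$status"
        case "$class" in vulnerable|unknown) rc=1 ;; esac
    done
    return "$rc"
}

# has_cpu_flag FLAG: reads /proc/cpuinfo text on stdin; succeeds if the first
# "flags" line lists FLAG exactly (e.g. spec_ctrl or ibpb, which only show up
# after the Intel microcode update is loaded).
has_cpu_flag() {
    grep -m1 '^flags' | tr ' ' '\n' | grep -qx "$1"
}

# dump_sysfs: emits "<issue> <status line>" records for the live machine
dump_sysfs() {
    for f in "$SYSFS_VULN_DIR"/*; do
        [ -r "$f" ] || continue
        printf '%s %s\n' "$(basename "$f")" "$(cat "$f")"
    done
}

# Constructed sample: a box on a PTI + retpoline kernel whose microcode has
# NOT been updated, so spectre_v2 is only partially mitigated (invented data).
sample_status() {
    cat <<'EOF'
meltdown Mitigation: PTI
spectre_v1 Mitigation: __user pointer sanitization
spectre_v2 Vulnerable: Minimal generic ASM retpoline
EOF
}

# Constructed /proc/cpuinfo excerpt for the same box: no spec_ctrl, no ibpb
sample_cpuinfo() {
    cat <<'EOF'
microcode : 0x1
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx lm constant_tsc
EOF
}

# Demo: use the live sysfs directory when it exists, otherwise the sample
if [ -d "$SYSFS_VULN_DIR" ]; then
    dump_sysfs | summarize_vulns
else
    sample_status | summarize_vulns
fi
printf 'overall status: %s (0 = nothing left vulnerable)\n' "$?"
if sample_cpuinfo | has_cpu_flag spec_ctrl; then
    echo 'sample microcode: spec_ctrl present, IBRS/IBPB available'
else
    echo 'sample microcode: spec_ctrl absent, IBRS/IBPB unavailable'
fi
```

Run it as `sh speccheck.sh` on a patched host to see the live rows; on a host where the kernel predates the sysfs interface the directory is missing and the sample is shown instead, which is itself a useful signal that the kernel is too old to have the fixes. Note that a "Mitigation:" row only tells you the kernel side is in place; the cpuinfo flag check is what distinguishes a retpoline-only kernel from one that also has the microcode-backed IBRS/IBPB controls.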
(Score: 4, Interesting) by The Mighty Buzzard on Friday January 19, @02:00PM (2 children)
Aside from the physical servers hosting our VMs being updated so we can't do nefarious stuff to Linode and an update for my browser so that javascript can't be used as a vector, nothing much at all. Aside from js, my boxes never run anything not initiated by myself and the guys who have access to run arbitrary code on any of our servers except the staff server have root anyway.
(Score: 0) by Anonymous Coward on Friday January 19, @02:54PM (1 child)
Same here. I use Linode for hosting as well. Good communication from them. My machines at home are all AMD machines, so there's nothing to be done there so far it seems.
(Score: 3, Informative) by The Mighty Buzzard on Friday January 19, @05:26PM
No, AMD is not immune and there are patches out. They're just not critical to me because between my desktop and all the Linode VMs, the only thing that is supposed to allow remote code execution by untrusted parties is javascript in my desktop browser.
(Score: 5, Informative) by fyngyrz on Friday January 19, @02:02PM (8 children)
My work systems are completely isolated from the net. They generate code. They don't take in files, are not connected to the LAN in any way, don't get upgraded OS's, or talk to other systems. They generate files, which get sneaker-netted from them to the uploading-capable hardware.
Consequently, they are not at risk from black hats or being (further) slowed down (they're old hardware, they aren't that fast anyway.) Replacements, when needed, are installed from known good media that is really quite old. That's only happened once, when a motherboard went bad.
I'll have to swallow the slowdown if I ever had to upgrade to a new work machine with a new OS (not looking at all likely), but there's no reason to "upgrade" the work machines at this point, nor has there been for quite a few years.
I intentionally build on the oldest OS I can (for OS X, that's 10.6.8, and Windows XP for the rest) so that I'm not screwing my users. Once that's done, stuff gets tested on the latest machines, and if it still works, it's good to go and it gets to go into distribution.
As for the net-connected desktop - this machine - who cares. If it gets sick, it gets nuked and I start over. It's just browsers and the like anyway. I can't see connecting a computer to the Internet with critical data on it. That's just asking for something bad to happen.
I can see how it'd be a problem for a one-machine setup, but I'm not inclined to go there; it's neither a good idea for compatibility's sake for generating the applications I write, or WRT keeping the black hats out of the critical goodness.
Security's important - and the one thing we should all recognize by now is that if you're net-connected, you're not secure.
(Score: 2) by acid andy on Friday January 19, @02:14PM (3 children)
I like this approach, so long as the upload machine doesn't have write access to the media (or the media is never reinserted in the secure machine) although maybe on Linux this is less of a worry than Windows. DVDR / CDR would do it.
Make hay whilst the intervening mass is insufficient to inhibit the perceived intensity of incoming solar radiation.
(Score: 5, Funny) by fyngyrz on Friday January 19, @02:23PM (2 children)
Yes. CD-R is exactly how I do it. I have cases of the things. So far, they all write just fine, and once used, they're tossed. Eventually I'll run out, and/or they'll probably stop making them, but I'll probably croak or at least quit writing software first. One of the (very few) benefits of being old. :)
(Score: 1, Offtopic) by Bot on Friday January 19, @04:12PM (1 child)
You might want to investigate rewritable CDRs.
(Score: 0) by Anonymous Coward on Friday January 19, @06:37PM
If you read, the disposability is considered a feature, as they act as a data diode.
There also exist data diodes that allow realtime pushing of data:
http://www.waterfall-security.com/wp-content/uploads/2012/02/Securing-Critical-Cyber-Assets-with-Data-Diodes.pdf [waterfall-security.com]
(Score: 2) by Gaaark on Friday January 19, @04:19PM
"and the one thing we should all recognize by now is that if you're net-connected, you're not secure"
So say we all! SO say we all! SO SAY we all!
--Commander Adama approves this message.
(Score: 2) by RS3 on Friday January 19, @06:45PM (2 children)
You're quite safe, but ... it was about 1994, I had been using the Internet for ftp, archie, etc., but not the web yet. Although we (company I worked for) had a LAN, we still did a lot of sneakernet. I remember putting a 1.44M floppy in a machine and got an error that it was write protected. That's odd, machine was running MS-DOS, nothing was running- just command.com prompt. Why was anything accessing the floppy drive, let alone trying to write to it? I don't remember what tools I had, but being a low-level guy I did some sector scanning, disassembler / debug on the stuff and found my first computer virus. One of the other employees had downloaded and run something on that machine (modem days). Somewhere I had gotten a scanner- Norton, McAfee? don't remember- but the little bugger had replicated itself to many floppies around the company, so we had to do a mass scan, then be vigilant by using the write-protect shutter and anti-virus software. Sigh.
Point of the story: even sneaker-net can carry malware, and Microsoft's "autoplay" makes it worse (I _always_ turn autoplay OFF for all drives / globally).
(Score: 0) by Anonymous Coward on Friday January 19, @08:10PM (1 child)
Is that really the term that was used for the situation?
(Score: 0) by Anonymous Coward on Friday January 19, @08:13PM
Sorry.
(Score: 2) by Snotnose on Friday January 19, @02:21PM (3 children)
Used to auto-download Windows updates then had it ask me to install them. Now I don't even want to download an update until they fix the brick AMD issues. I've got an AMD based laptop.
I'll take my chances with being hacked over my laptop being bricked.
(Score: 4, Informative) by ElizabethGreene on Friday January 19, @02:39PM (1 child)
>> amd based laptop
Microsoft changed the detection logic for the Spectre/meltdown patch so you won't be offered it if you have one of the machines that may fail to boot after the update.
If you are on Win10 1607, I saw a new release for it yesterday that fixes the AMD issue entirely. It's here.
https://support.microsoft.com/en-us/help/4057142 [microsoft.com]
(Score: 2) by Nerdfest on Friday January 19, @07:56PM
It may still fail to boot for normal Windows-related reasons of course.
(Score: 0) by Anonymous Coward on Friday January 19, @07:45PM
The most critical problem you have is Windows. That however is fortunately easily cured.
(Score: 1) by ElizabethGreene on Friday January 19, @02:46PM (2 children)
This is a 2-day old press release from Intel.
https://newsroom.intel.com/news/firmware-updates-and-initial-performance-data-for-data-center-systems/ [intel.com]
“[…]As I noted in my blog post last week, while the firmware updates are effective at mitigating exposure to the security issues, customers have reported more frequent reboots on firmware updated systems.
As part of this, we have determined that similar behavior occurs on other products in some configurations, including Ivy Bridge-, Sandy Bridge-, Skylake-, and Kaby Lake-based platforms. We have reproduced these issues internally and are making progress toward identifying the root cause. In parallel, we will be providing beta microcode to vendors for validation by next week.”
I'm waiting to apply the Intel/Hp microcode updates to my PC until they get it sorted. The windows patches cover two of the three attacks. That has to be good enough for now.
(Score: 5, Insightful) by bradley13 on Friday January 19, @03:04PM (1 child)
You have to love the "more frequent reboots". Their PR folks are being weasels. Say it together now: "system crashes".
A rushed microcode update that causes the O/S to crash. That's going to be just buckets of fun to debug.
Everyone is somebody else's weirdo.
(Score: 2) by Runaway1956 on Friday January 19, @03:42PM
Every silver lining has its cloud, right?
(Score: 3, Interesting) by bradley13 on Friday January 19, @02:57PM
I manage the IT for an SME (very small):
Steps taken to deal with the reports? None. Assume MS/Linux updates will happen when ready. For AWS cloud servers, assume that AWS updates will happen when ready. The systems are all set up securely, are behind firewalls, the company doesn't hold any really sensitive data. "No action" seems to be the most sensible choice.
What providers have been helpful? I haven't heard from any system providers, not even for recently purchased systems (which we do have).
What resources have you been using to check on the status of fixes? Um, that would be "none" again. Nothing I'm going to do about these security holes anyway, so...let things take their course.
How has this affected your purchasing plans? If AMD keeps up the good work, it's back to AMD processors. AMD had fallen behind for a while, but Ryzen already looked good, and now it looks even better. That is: if the system builders (Asus, Acer, Dell, whoever) have AMD offerings in their catalogs. I'm not building systems myself, it's just not worth it.
(Score: 1, Informative) by Anonymous Coward on Friday January 19, @03:30PM
I've had some annoyances with AV.
Cylance refuses to set the registry key that indicates they are compatible with the patch. Their excuse is "We are compatible, but what if your other AV software isn't?"
Symantec Endpoint Protection has an opposite problem. They dropped an engine update that set the "we're compatible" registry flag, but our version crashes (SEP known issue) after installing the patches.
(Score: 1, Informative) by Anonymous Coward on Friday January 19, @03:44PM
No hurry to upgrade anything until there's a generation of chips with microarchitecture revisions.
(Score: 3, Informative) by bzipitidoo on Friday January 19, @03:58PM
On some of my systems. Rushing to update backfires too often for me to jump on every update the moment they come out. Witness the issue with Windows 10 patches making AMD machines unbootable.
Thought about digging out my old 133 MHz Pentium MMX laptop that still has its original installation of Windows 98 (of course I made it into a dual boot machine), but with only 96M RAM (the maximum that machine could support) Firefox is barely usable. Takes 30 seconds just to start up. Last version I installed was 3.5, and that is now so obsolete it probably can't handle most websites today. Predates HTML5. Possibly it could still view SoylentNews, since this site does not have all the fancy bells and whistles that serve only to slow everything down. Nah, not worth the trouble.
I have been kinda hoping some accident would destroy that laptop thus pushing me to finally get rid of it like I should have done 10 years ago. But dang, now it's one of 2 working machines I have that supposedly aren't affected by Spectre or Meltdown. The other is a 486 based Soekris box that I use as my web server.
(Score: 2) by richtopia on Friday January 19, @04:08PM (1 child)
Servers that consider security super critical will need new silicon to resolve Spectre. If AMD starts making chips with Spectre resolved first then maybe some servers will migrate, but after the majority of servers running Intel chips for years many purchasers won't deviate from their experience.
(Score: 2) by frojack on Friday January 19, @06:33PM
Are you sure? I'm not.
For better than a decade, there has been no operational difference in the server world between competitive AMD vs Intel chips.
There hasn't been any reason, other than price, to choose one over the other. There's really not much reason not to choose ARM for server platforms, where there exist competitive models.
If you have a warehouse sized rack room, and you build one image and impose it on a couple thousand servers, maybe you want them all the same, but even that sounds fictitious.
(Score: 2) by legont on Friday January 19, @04:09PM
From a large shop here where customers actually matter. No patch - not a single one - is ready to even start performance testing. End of February... maybe... I'll have something to play with, but I doubt it very much.
(Score: 2) by inertnet on Friday January 19, @05:10PM (1 child)
After some Linux updates I thought all my VMs were bricked because of these issues, but a more recent Virtualbox version fixed everything again. I don't know if this was related to a Meltdown/Spectre security fix, but because of the timing I have to assume so. Ubuntu 16.10 repositories still have the old bricking Virtualbox version as far as I can tell.
(Score: 0) by Anonymous Coward on Friday January 19, @06:42PM
This was my hairloss experience most of last week. After the kernel patch arrived, every time I started up any VM it would freeze the entire machine (host), leave no logs and no other way out than the power button. Then I found a thread that was auto-dismissed by the moderators on a tech site which I won't name, but below their terse silliness lay a reply with the answer. I had even removed Vbox and re-installed from the repos, something like 5.0.24 .. but the solution was to get Oracle's 5.2 release directly.
(Score: 2) by frojack on Friday January 19, @06:18PM (1 child)
I actually have noticed nothing, before or after all the patches arrived, other than kernel update after kernel update forcing reboots.
So it's exactly like all the other vulnerabilities found by researchers with carefully crafted proofs of concept, which somehow never seem to occur in the real world.
Will this flood of #NotMe posts serve any real purpose not better served by a poll?
(Score: 2) by inertnet on Friday January 19, @07:49PM
It would have been nice to be able to measure actual performance loss. But I assume, like me, not many people have bothered to benchmark their systems before the updates were installed.