# Major security flaw found in Intel processors

## Swordsmyth

A security flaw has been found in virtually all Intel processors that will require fixes within Windows, macOS and Linux, according to reports.

Developers are currently scrambling behind the scenes to fix the significant security hole within the Intel chips, with patches already available within some versions of Linux and some testing versions of Windows, although the fixes are expected to significantly slow down computers.

The specific details of the flaw, which appears to affect virtually all Intel processors made in the last decade and therefore millions of computers running virtually any operating system, have not been made public.

But details of the fixes being developed point to issues involving the accessing of secure parts of a computer's memory by regular programs. It is feared that the security flaw within the Intel processors could be used to access passwords, login details and other protected information on the computer.

"Modern operating systems rely upon Intel's chips to provide some essential security services, but if a flaw has been found then the operating systems themselves will need to be updated to do the job that they believed Intel's chips were doing properly," said independent security expert Graham Cluley.

The fixes involve moving the memory used by the core of the computer's operating system, known as the kernel, away from that used by normal programs. In that way, normal programs, including anything from JavaScript from a website to computer games, cannot be manipulated to exploit the hole and gain access to the protected kernel memory.

But implementing the fix is expected to significantly affect the performance of the computer, making some actions up to around 30% slower.

More at: https://www.theguardian.com/technolo...s-mac-os-linux
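The fix the article describes (separating kernel memory from user programs, shipped in Linux as page-table isolation, PTI) is something a Linux administrator can verify rather than assume. The following Python script is an added example, not code from the thread or from any article linked in it: it reads the kernel's per-vulnerability status files under `/sys/devices/system/cpu/vulnerabilities` and the `pti`/`pcid` flags in `/proc/cpuinfo`, classifies each entry, and falls back to constructed sample data when run on a machine without those files. The file paths are real kernel interfaces; the sample status strings and CPU flags are constructed for the example.

```python
"""Report Linux kernel Meltdown/Spectre mitigation status.

Added example (not from the thread): parses the sysfs vulnerability files
and the /proc/cpuinfo flag line, and uses constructed sample data when the
real files are absent so it can be run anywhere.
"""
import os

# Real kernel interfaces (present on kernels that carry the mitigation reporting).
VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"
CPUINFO = "/proc/cpuinfo"

# Constructed sample data, used only when the real files are missing.
SAMPLE_VULNS = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Vulnerable",
    "spectre_v2": "Vulnerable: Minimal generic ASM retpoline",
}
SAMPLE_CPUINFO = (
    "processor\t: 0\n"
    "model name\t: Constructed CPU\n"
    "flags\t\t: fpu pcid pti invpcid sse2\n"
)


def classify(status: str) -> str:
    """Map a sysfs status string to mitigated / vulnerable / not_affected / unknown."""
    s = status.strip()
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def parse_cpu_flags(cpuinfo_text: str) -> set:
    """Return the flag set from the first 'flags' line of /proc/cpuinfo text."""
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags"):
            _, _, rest = line.partition(":")
            return set(rest.split())
    return set()


def read_vulns():
    """Read every file in the sysfs directory; None if the directory is missing."""
    if not os.path.isdir(VULN_DIR):
        return None
    out = {}
    for name in sorted(os.listdir(VULN_DIR)):
        try:
            with open(os.path.join(VULN_DIR, name)) as f:
                out[name] = f.read().strip()
        except OSError:
            continue  # some entries are unreadable without privilege; skip them
    return out


def build_report(vulns: dict, cpuinfo_text: str) -> dict:
    """Combine both sources into one report.

    'pti' in the flag line means page-table isolation is active; 'pcid' means
    the CPU can tag TLB entries so the isolation costs less per kernel entry.
    """
    flags = parse_cpu_flags(cpuinfo_text)
    return {
        "status": {k: classify(v) for k, v in vulns.items()},
        "pti_active": "pti" in flags,
        "pcid_available": "pcid" in flags,
        "needs_attention": [k for k, v in vulns.items() if classify(v) == "vulnerable"],
    }


def main():
    vulns = read_vulns()
    if vulns is None or not os.path.exists(CPUINFO):
        print("kernel status files not found; using constructed sample data")
        vulns, cpuinfo = SAMPLE_VULNS, SAMPLE_CPUINFO
    else:
        with open(CPUINFO) as f:
            cpuinfo = f.read()
    report = build_report(vulns, cpuinfo)
    for name, state in report["status"].items():
        print(f"{name:24s} {state}")
    print("PTI active:", report["pti_active"], " PCID available:", report["pcid_available"])
    if report["needs_attention"]:
        print("still vulnerable:", ", ".join(report["needs_attention"]))


if __name__ == "__main__":
    main()
```

On a patched kernel the `meltdown` entry reads `Mitigation: PTI` and `pti` appears in the flag line; an entry that still reads `Vulnerable` after an update means the running kernel does not carry that mitigation, whatever the package version says.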

----------


## pcosmar

Defective by design.
Trusted Computing is not to be trusted.

----------


## pcosmar

https://nakedsecurity.sophos.com/201...el-os-patches/

Looking at the last kernel upgrade, 4.14.***, but I think some of these are addressed.
or,, I know some architecture issues were addressed, if not these specifically.

they will be

----------


## dannno

So.... not an issue w/ AMD?

----------


## pcosmar

> So.... not an issue w/ AMD?


Seems not with this,, (by some reading). But AMD architecture was addressed in the last kernel.

----------


## pcosmar

I'll leave this here for your reading enjoyment.

http://pythonsweetness.tumblr.com/po...nux-page-table

----------


## Swordsmyth

There is another take, and according to this one the implications for both Intel and the entire CPU industry could be dire. What follows is the transcription of the Monday afternoon tweetstorm by Nicole Perlroth, cybersecurity reporter at the NYT, according to whom today's "bug" is "not an Intel problem but an entire chipmaker design problem that affects virtually all processors on the market." In fact, according to the cybersecurity expert, one aspect of the bug is extremely troubling simply because there is no fix. Here is the full explanation.

1. Apparently I don't know how to thread, so here goes my second attempt at blasting you with critical news on this "Intel Chip problem" which is not an Intel problem but an entire chipmaker design problem that affects virtually all processors on the market.
2. Christmas didn't come for the computer security industry this year. A critical design flaw in virtually all microprocessors allows attackers to dump the entire memory contents off of a machine/mobile device/PC/cloud server etc.
3. Our story on the motherlode of all vulnerabilities just posted here: https://www.nytimes.com/2018/01/03/b...ter-flaws.html. More will be posted soon.
4. *We're dealing with two serious threats. The first is isolated to #IntelChips, has been dubbed Meltdown, and affects virtually all Intel microprocessors. The patch, called KAISER, will slow performance speeds of processors by as much as 30 percent.*
5. *The second issue is a fundamental flaw in processor design approach, dubbed Spectre, which is more difficult to exploit, but affects virtually ALL PROCESSORS ON THE MARKET (Note here: Intel stock went down today but Spectre affects AMD and ARM too), and has NO FIX.*
6. *Spectre will require a complete re-architecture of the way processors are designed and the threats posed will be with us for an entire hardware lifecycle, likely the next decade.*
7. The basic issue is the age old security dilemma: Speed vs Security. *For the past decade, processors were designed to gain every performance advantage. In the process, chipmakers failed to ask basic questions about whether their design was secure. (Narrator: They were not)*
8. Meltdown and Spectre show that it is possible for attackers to exploit these design flaws to access the entire memory contents of a machine. The most visceral attack scenario is an attacker who rents 5 minutes of time from an Amazon/Google/Microsoft cloud server and steals...
9. Data from other customers renting space on that same Amazon/Google/Microsoft cloud server, then marches onto another cloud server to repeat the attack, stealing untold volumes of data (SSL keys, passwords, logins, files etc) in the process.
10. Basically, the motherlode. Meltdown can be exploited by any script kiddie with attack code. *Spectre is harder to exploit, but nearly impossible to fix, short of shipping out new processors/hardware. The economic implications are not clear, but these are serious threats and*
11. Chipmakers like Intel will have to do a full recall-- unclear if there's even manufacturing capacity for this-- OR customers will have to wait for secure processors to reach the market, and do their own risk analysis as to whether they need to swap out all affected hardware.
12. *Intel is not surprisingly trying to downplay the threat of these attacks, but proof-of-concept attacks are already popping up online today, and the timeline for a full rollout of the patch is not clear*. And that's just for the Meltdown threat. Spectre affects AMD and ARM too.
13. *But judging by stock moves today (Intel down, AMD up), investors didn't know that, taken together, Spectre and Meltdown affect all modern microprocessors.*
14. Meltdown and Spectre affect most chipmakers including those from AMD, ARM, and Intel, and all the devices and operating systems running them (GOOG, AMZN, MSFT, APPL etc).
15. The flaws were originally discovered last June by a researcher at Google Project Zero (shout out @ Jann Horn) and then separately by Paul Kocher and a crew of highly impressive researchers at Rambus and academic institutions. Originally public disclosure was set for next week
16. But news of Meltdown started to leak out (shout out @TheRegister) yesterday, so the disclosure was moved up a week to right now. The problem with this rushed timeline is that we don't necessarily know when to expect Meltdown patches from tech cos.
17. Google says its systems have been updated to defend against Meltdown security.googleblog.com/2018/01/todays…. Microsoft issued an emergency update today. Amazon said it protected AWS customers running Amazon's tailored Linux version, and would roll out the MSFT patch for other customers 2day

If the above is remotely true, the semi-space, which has surged in recent weeks alongside the broad tech sector melt-up, will have a very tough time in the coming weeks.

More at: https://www.zerohedge.com/news/2018-...are-staggering

----------


## ClaytonB

The conditions required for these kinds of attacks in the wild are very difficult to achieve. These are very "academic" problems. But they do point at a general vulnerability in using (literally) opaque hardware - there is no way to audit the hardware itself short of roundabout software-testing methods. Software cannot protect itself from compromised hardware. That said, there's way too much FUD on this particular headline. Source: myself; this is my field (CPU architecture).

----------


## pcosmar

> That said, there's way too much FUD on this particular headline. Source: myself; this is my field (CPU architecture).


It is overblown,, but I updated my kernel anyway.

Seems it has been a quietly known issue for some time and patches are out.
Eventually,, the Next-gen processors will evolve.

----------


## ClaytonB

> It is overblown,, but I updated my kernel anyway.
> 
> Seems it has been a quietly known issue for some time and patches are out.
> Eventually,, the Next-gen processors will evolve.


Absolutely, everybody should be taking safety precautions. What bothers me most about the news coverage is that this is being covered as though the chip designers are being "blind-sided" by some kind of "discovery" within the chip. Chip designers are well aware of these dangers and, to an extent, so are software designers. There is actually an entire field of research devoted to it. This isn't quite _fake_ news, but it's taking a proof-of-concept that demonstrates a pretty arcane vulnerability (that exists in any CPU) and says, "See, we broke the CPU". In fact, the demonstrated exploits still require the attacker to have access to information that she probably can't get at runtime (precise location(s) of branches and other timing-sensitive instructions in the targeted code). Ironically, closed-source OS's like MSwin, iOS and so on are probably less vulnerable to this kind of attack for exactly this reason. In other words, Linus might want to back off on the afterburners on this particular issue lest he end up with egg on his face.

----------


## pcosmar

> Ironically, closed-source OS's like MSwin, iOS and so on are probably less vulnerable to this kind of attack for exactly this reason. In other words, Linus might want to back off on the afterburners on this particular issue lest he end up with egg on his face.


Actually,, no.
The Open Source community has more eyes,, and less with blinders on..

I suspect Micro$oft will be impacted most as they are the most vulnerable architecture (and most common).

and I can not speak for apple users,, but linux/gnu users tend to be far more security conscious than the average windoze user.

----------


## fisharmor

So, if Spectre affects all processors, does that include Qualcomm?  Seems to me that if it is anywhere near that serious, things are gonna get super interesting when someone figures out how to gain control of billions of cellphones and tablets that every manufacturer has been going out of their way to prevent individual users from having any kind of meaningful ability to modify (as in, there is virtually no ability to slick them).

----------


## pcosmar

> So, if Spectre affects all processors, does that include Qualcomm?  Seems to me that if it is anywhere near that serious, things are gonna get super interesting when someone figures out how to gain control of billions of cellphones and tablets that every manufacturer has been going out of their way to prevent individual users from having any kind of meaningful ability to modify (as in, there is virtually no ability to slick them).


Cloud vulnerability is being discussed. Servers will be of more concern than personal devices,, except for anything you save "out there".

----------


## kahless

I have a bad feeling about this.  Maybe I am missing something here but why are Linux and Microsoft OS's so quick to push updates that could potentially impact production systems' performance and not just leave it to anti-virus vendors or a determination whether the exploits are possible based on the purpose of the device?

For example, why should one hose Linux based web and database server performance when the users are only reading pages and/or there are restrictions on what data can be submitted?  This seems pretty obvious but they are telling everyone to update, why?

Hmmm.

----------


## timosman

> I have a bad feeling about this.  Maybe I am missing something here but why are Linux and Microsoft OS's so quick to push updates that could potentially impact production systems' performance and not just leave it to anti-virus vendors or a determination whether the exploits are possible based on the purpose of the device?
> 
> For example, why should one hose Linux based web and database server performance when the users are only reading pages and/or there are restrictions on what data can be submitted?  This seems pretty obvious but they are telling everyone to update, why?
> 
> Hmmm.


Maybe we'll finally see the end of the public cloud? It was a stupid idea to begin with.

----------


## nikcers

I had someone tell me 5 years ago, when 4 core processors were a thing, he said he worked for a large manufacturer that makes 5 core processors. I said don't you mean 4 core, he said nope, they have an extra one built in there for backdoor purposes, then started bragging about how it can do all this without making any lag on the CPU. Then I was like it's gotta slow it down or use battery or at least cost money to manufacture that backdoor, and he said that it's no extra cost because it gets monetized in the sales and there is no competition. The best thing about the Trump administration is the conspiracies that are becoming true, from aliens to manufactured backdoors in consumer electronics. What's next, lizard people??

----------


## pcosmar

> I have a bad feeling about this.  Maybe I am missing something here but why are Linux and Microsoft OS's so quick to push updates that could potentially impact production systems' performance and not just leave it to anti-virus vendors or a determination whether the exploits are possible based on the purpose of the device?
> 
> For example, why should one hose Linux based web and database server performance when the users are only reading pages and/or there are restrictions on what data can be submitted?  This seems pretty obvious but they are telling everyone to update, why?
> 
> Hmmm.


I have noticed no reduced performance on my machine. Though I have not been running Virtual environments.

The last kernel (4.14.8) is pretty snappy..  , on my machine.

----------


## pcosmar

> I had someone tell me 5 years ago, when 4 core processors were a thing, he said he worked for a large manufacturer that makes 5 core processors. I said don't you mean 4 core, he said nope, they have an extra one built in there for backdoor purposes, then started bragging about how it can do all this without making any lag on the CPU. Then I was like it's gotta slow it down or use battery or at least cost money to manufacture that backdoor, and he said that it's no extra cost because it gets monetized in the sales and there is no competition. The best thing about the Trump administration is the conspiracies that are becoming true, from aliens to manufactured backdoors in consumer electronics. What's next, lizard people??


Manufactured back doors and corporate malware have been known issues.

Trusted computing was adding chip level crap. DRM was more defective design.
and of course the usual players,, alphabetically

----------


## kahless

> I have noticed no reduced performance on my machine. Though I have not been running Virtual environments.
> 
> The last kernel (4.14.8) is pretty snappy..  , on my machine.


One of the articles I read said database servers were being impacted.  Just think of the massive amount of machines on the web running all different kernels that could potentially be brought to their knees by applying the patches.  Not sure what I am missing here since it does not seem to make any sense for a website to receive these updates.

For example vBulletin on RPF would have sufficient input validation protections and no one is sitting down at the server browsing the web that could execute the malicious code.  If the apache web server could be affected why not just patch apache.

Unless I am missing something I do not see how a site like RPF could be impacted.  By CentOS/RHEL and other Linux distros pushing the updates I believe they are probably asking for trouble.

Who knows with declining hardware and hosting sales maybe that is what they want.  This would be a boon to server manufacturers and hosting providers (an industry in decline).  People upgrading their servers because their web/database servers are slower with the patches.

----------


## pcosmar

> One of the articles I read said database servers were being impacted.  Just think of the massive amount of machines on the web running all different kernels that could potentially be brought to their knees by applying the patches.  Not sure what I am missing here since it does not seem to make any sense for a website to receive these updates.
> 
> For example vBulletin on RPF would have sufficient input validation protections and no one is sitting down at the server browsing the web that could execute the malicious code.  If the apache web server could be affected why not just patch apache.
> 
> Unless I am missing something I do not see how a site like RPF could be impacted.  By CentOS/RHEL and other Linux distros pushing the updates I believe they are probably asking for trouble.
> 
> Who knows with declining hardware and hosting sales maybe that is what they want.  This would be a boon to server manufacturers and hosting providers.  People upgrading their servers because their web/database servers are slower with the patches.


well something you obviously don't understand is that updates are routine.
the Linux kernel is continuously being updated, as are others.
Security patches happen almost daily.
and replacing a kernel only requires installation and a reboot. Took less than ten minutes.

----------


## kahless

> well something you obviously don't understand is that updates are routine.
> the Linux kernel is continuously being updated, as are others.
> Security patches happen almost daily.
> and replacing a kernel only requires installation and a reboot. Took less than ten minutes.


I know this since I have been supporting Linux servers for 20 years in 24x7 up time environments.  I read the details of each update before allowing it to be applied and exclude some that are known to be problematic, which is rare.  It does happen sometimes where they rush an update that hoses a driver or a DB update that affects performance.

In this case it seemed to be rushed out despite the potential significant performance impact, without making the case how some systems could or could not be compromised, and the hype that all systems should be upgraded.

----------


## pcosmar

> In this case it seemed to be rushed out in spite of a significant performance impact without making the case how some systems could be compromised.


Seems rushed? Patches had been out long before News was reported..

The "news" was released on patch Tuesday (windoze) 

Patches  had been available for linux,, at least since December. (perhaps longer)

and the projected slowdowns in performance (from my reading) were speculated results of the flaw being exploited..

My experience,,so far,, the new kernel is working fine,, and seems to have a performance increase.. (though that is subjective)

----------


## pcosmar

LINUX users,,

Kernel 4.14 contained some of the patches..

Kernel 4.15 scheduled for release in Jan.. rc testing now.
https://www.phoronix.com/scan.php?pa...5-rc5-Released

Grab 4.15.** whenever it hits the repositories.
 @kahless
Server and performance in testing.
https://www.phoronix.com/scan.php?pa...kpti-kvm&num=1

----------


## kahless

> Seems rushed? Patches had been out long before News was reported..
> 
> The "news" was released on patch Tuesday (windoze) 
> 
> Patches  had been available for linux,, at least since December. (perhaps longer)
> 
> and the projected slowdowns in performance (from my reading) were speculated results of the flaw being exploited..
> 
> My experience,,so far,, the new kernel is working fine,, and seems to have a performance increase.. (though that is subjective)


Like I said, rushed to the extent that telling everyone to update in spite of the performance impact and without noting how systems could and could not be compromised in plain English.  This might not be a big deal for you as a desktop user but it is a big deal if you could potentially hose production servers.

https://bgr.com/2018/01/04/intel-chi...w-slow-mac-pc/

> You’d really notice the speed “if you hammer the disk, the network, or use software that makes lots of system calls in and out of the kernel,”

> Linux kernel supremo Linus Torvalds has suggested a five per cent slowdown should be typical; Willy Tarreau, CTO of HAProxy and a Linux kernel contributor, has reported a 17 per cent slowdown; worst-case scenarios have been as high as 30 per cent.

https://bgr.com/2018/01/04/intel-chi...w-slow-mac-pc/

> The fixes will also slow down computers by between 5% to 30%, according to some researchers
> ....
> The report notes that if all you do is play games on your computer, then the PC won’t see a slowdown because the software rarely jumps to the kernel. The same thing happens if you use the computer to browse the internet, write emails and type documents. “If you do a lot of in-memory number crunching, you won’t see much of an impact because again the kernel isn’t getting in the way,” The Register says. Furthermore, process context identifiers (PCID) support enabled on your hardware and kernel would minimize the performance hit.
> 
> You’d really notice the speed “if you hammer the disk, the network, or use software that makes lots of system calls in and out of the kernel,” and if you lack PCID support.
> 
> Data centers and enterprise computers may be impacted the most. Because of slowdowns, cloud service prices could increase because computers will need more time, and therefore more resources, to process data. Those extra costs might be passed along to customers.

Desktop users are not as affected as servers it seems.  If you are making a lot of syscalls it is indicated in the fix it could be as much as a 30% performance hit.  If you have a server on the cusp, bogged down with traffic, even 5% is a lot.
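The quoted explanation says the slowdown lands on workloads that make many system calls, because every user/kernel transition now pays for the page-table switch, while in-memory number crunching barely notices. The following Python script is an added example, not code from the thread or the quoted articles: it times a loop of a trivial real system call (`getppid`) against a loop that never enters the kernel, so the difference approximates the per-transition cost on the machine it runs on, and `syscall_share` (a helper name chosen for this example) turns that into the fraction of a request's time budget exposed to that cost. The iteration counts and the request figures in the usage are assumptions; run it before and after a kernel update to see the delta your own workload would pay.

```python
"""Estimate how much of a workload's time goes to kernel transitions.

Added example (not from the thread): the per-iteration difference between a
syscall loop and a user-space-only loop approximates the user/kernel
round-trip cost that page-table isolation makes more expensive.
"""
import os
import time


def time_loop(fn, iters: int) -> float:
    """Average nanoseconds per call of fn over iters iterations."""
    start = time.perf_counter_ns()
    for _ in range(iters):
        fn()
    return (time.perf_counter_ns() - start) / iters


def measure(iters: int = 200_000) -> dict:
    """Compare a loop that enters the kernel every iteration with one that never does."""

    def no_syscall():
        return 0  # stays entirely in user space

    user_ns = time_loop(no_syscall, iters)
    # getppid(2) is a real kernel entry on every call and does no useful work,
    # so its loop isolates the transition cost.
    syscall_ns = time_loop(os.getppid, iters)
    # Interpreter overhead is present in both loops; the difference is the
    # approximate cost of the kernel round-trip itself (clamped at zero in
    # case timer noise flips the two on a very fast machine).
    return {
        "user_ns_per_iter": user_ns,
        "syscall_ns_per_iter": syscall_ns,
        "kernel_entry_ns": max(syscall_ns - user_ns, 0.0),
    }


def syscall_share(kernel_entry_ns: float, syscalls_per_request: int, request_ns: float) -> float:
    """Fraction of a request's wall time spent entering and leaving the kernel.

    This is the part of the budget that a change in per-entry cost scales:
    a request that makes thousands of syscalls is exposed, a request that
    crunches numbers in memory is not.
    """
    if request_ns <= 0:
        raise ValueError("request_ns must be positive")
    return min(kernel_entry_ns * syscalls_per_request / request_ns, 1.0)


if __name__ == "__main__":
    r = measure()
    print(f"user-space loop : {r['user_ns_per_iter']:8.1f} ns/iter")
    print(f"getppid loop    : {r['syscall_ns_per_iter']:8.1f} ns/iter")
    print(f"kernel entry    : {r['kernel_entry_ns']:8.1f} ns (approx.)")
    # Assumed workload figures: 2,000 syscalls in a 5 ms web request versus
    # 20 syscalls in a 5 ms in-memory computation.
    for label, n in (("syscall-heavy request", 2000), ("in-memory request", 20)):
        share = syscall_share(r["kernel_entry_ns"], n, 5_000_000)
        print(f"{label:22s}: {share:5.1%} of time in kernel transitions")
```

The absolute numbers depend on the CPU, the kernel and the interpreter, so compare two runs on the same machine rather than the printed values against someone else's; what matters is how the kernel-entry figure moves between an unpatched and a patched kernel, multiplied by your workload's syscall count.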

----------


## kahless

> LINUX users,,
> 
> Kernel 4.14 contained some of the patches..
> 
> Kernel 4.15 scheduled for release in Jan.. rc testing now.
> https://www.phoronix.com/scan.php?pa...5-rc5-Released
> 
> Grab 4.15.** whenever it hits the repositories.
>  @kahless
> ...


4.15, although commonly found with servers, enterprise OS's use older kernels 2.6.x or 3.1x for stability rather than bleeding edge kernels.

----------


## pcosmar

> 4.15, although commonly found with servers, enterprise OS's use older kernels 2.6.x or 3.1x for stability rather than bleeding edge kernels.


I would find that to be a bit silly,,, and most certainly "Not best practice".

I started with 2.6 Slackware. 13 years ago.



edit

oh hell,, 2.6 was pre 64 bit..

those systems could not handle 4 gig of ram,, (3 was max)

----------


## kahless

> I would find that to be a bit silly,,, and most certainly "Not best practice".
> 
> I started with 2.6 Slackware. 13 years ago.
> 
> edit
> 
> oh hell,, 2.6 was pre 64 bit..
> 
> those systems could not handle 4 gig of ram,, (3 was max)


Notice I wrote 2.6.x and they are actually 64 bit, have been for some time now.  Updates are back ported and the number incremented.  You just do not get new versions of software but rather maintenance updates for stability. These are very stable kernels for high availability environments and yes "best practice" not running bleeding edge kernels for availability.  They are commonly found in hosting environments - in Enterprise Linux distros like RHEL/CentOS, Scientific Linux...

----------


## pcosmar

> Notice I wrote 2.6.x and they are actually 64 bit, have been for some time now.  Updates are back ported and the number incremented.  You just do not get new versions of software but rather maintenance updates for stability. These are very stable kernels for high availability environments and yes "best practice" not running bleeding edge kernels for availability.  They are commonly found in hosting environments - in Enterprise Linux distros like RHEL/CentOS, Scientific Linux...


Linux kernel 4.14 (I had 4.8.**) has been out and stable for some time. That is hardly bleeding edge. I have tested Release Candidates before..

4.15rc5 is a release candidate,, in testing,, that is bleeding edge.

It will be Running enterprise software by the end of Feb,, if not the beginning of February

and since you mention CENTOS,,
https://www.tecmint.com/install-upgr...n-in-centos-7/
and this (from Oct)
https://access.redhat.com/errata/RHSA-2017:2918

----------


## kahless

> Linux kernel 4.14 (I had 4.8.**) has been out and stable for some time. That is hardly bleeding edge. I have tested Release Candidates before..
> 
> 4.15rc5 is a release candidate,, in testing,, that is bleeding edge.
> 
> It will be Running enterprise software by the end of Feb,, if not the beginning of February
> 
> and since you mention CENTOS,,
> https://www.tecmint.com/install-upgr...n-in-centos-7/
> and this (from Oct)
> https://access.redhat.com/errata/RHSA-2017:2918


Big difference between users with a desktop and business - enterprise use which are hosting environments designed for stability - typically older kernels.

You would break enterprise support or whatever hosting environment the provider is using by updating to a newer non-supported kernel.  These systems are thoroughly tested with the older kernels for stability.   They have been out a long time thus thoroughly tested and safe to use for high availability with security updates and fixes back ported.

But we are getting off topic now since the point was not breaking production systems with these patches due to the performance issues.

----------


## pcosmar

> Big difference between users with a desktop and business - enterprise use which are hosting environments designed for stability - typically older kernels.


I'm getting that looking for info,,, and surprised to see old kernels in use..

It was kernel 4 that had major changes,, and a new release schedule.
This may indeed affect the Server side if they are all running antiques.

----------


## kahless

> I'm getting that looking for info,,, and surprised to see old kernels in use..
> 
> It was kernel 4 that had major changes,, and a new release schedule.
> This may indeed affect the Server side if they are all running antiques.


They are not completely old when bug fixes and security updates are back ported.  You are just missing out on improvements and compatibility with newer packages.

----------


## devil21

It was revealed during the Snowden leaks, iirc, that pretty much all tech had been compromised with backdoors at the manufacturer level. 

eta:

http://www.ronpaulforums.com/showthr...turer-s-drives 




> Regardless of what is claimed by the articles, I think it's naive to think it's just a few targeted systems. They didn't call it the "Total Information Awareness" program for nuthin'. This is also the sort of stuff that limited the Snowden releases to around 5% of his total haul. EVERYTHING is compromised. All of it.


Pardon me if I don't run out to install whatever the media and _Intel_ (agencies) blare at me to install to fix "bugs" now.  The same ones that have hidden the "flaws" are now offering the solution?  Eh, a bit too Hegelian for my liking.

----------


## pcosmar

> It was revealed during the Snowden leaks, iirc, that pretty much all tech had been compromised with backdoors at the manufacturer level.
> 
> Pardon me if I don't run out to install whatever the media and _Intel_ (agencies) blare at me to install to fix "bugs" now.


The Open Source,, and Digital Rights communities have been working on just those issues.
Hardware back doors are closed when found.. And this had been known about for some time, and Vault 7 revealed more.

The fix for these problems is available,, and is being scrutinized by many eyes,,, some of them more paranoid than you.

----------


## pcosmar

> They are not completely old when bug fixes and security updates are back ported.  You are just missing out on improvements and compatibility with newer packages.


Not really..
You are running an old (stable) but antique kernel that has been patched and patched for 10 or 12 years. It was developed when the internet was running "98".
It was stable before 64bit chips were available to the public. and before multi core processors.

I really don't understand the industry insistence on maintaining outdated kernels.
But it does likely explain some vulnerabilities.

----------


## devil21

> The Open Source,, and Digital Rights communities have been working on just those issues.
> Hardware back doors are closed when found.. And this had been known about for some time,and vault7 revealed more.
> 
> The fix for these problems is available,, and is being scrutinized by many eyes,,, some of them more paranoid than you.


That assumes these same organizations haven't been infiltrated just like every other organization of importance has.  I don't have much faith in that assumption.  ymmv

----------


## pcosmar

> ymmv


You are quite welcome to code your own OS from Source Code. That is the beauty and freedom of Open Source.
or look into the several distributions made by some one else.. There are un-hackable (hard code,read only),, high security distros for just that purpose.

it is ever evolving

My distro,, my favorite. is the work of a guy in Texas and a bunch of folk in a community of users.
https://www.pclinuxos.com/
https://en.wikipedia.org/wiki/PCLinuxOS
https://distrowatch.com/table.php?di...tion=pclinuxos

----------


## kahless

> Not really..
> You are running an old (stable) but antique kernel that has been patched and patched for 10 or 12 years. It was developed when the internet was running "98".
> It was stable before 64bit chips were available to the public. and before multi core processors.
> 
> I really don't understand the industry insistence on maintaining outdated kernels.
> But it does likely explain some vulnerabilities.


Not just I am running, millions of enterprise servers and data centers throughout the world.  CentOS/RHEL is everywhere. They are less vulnerable since they are being actively maintained for quite a long time.  A business that provides 24x7 up time is more likely to use a stable kernel with security vulnerabilities and patches back ported rather than test the latest kernel on contract customers.

You want to support servers that require 24x7 up time with unproven kernels, then go right ahead and see how long your customers stay with you.  No one loves giving credit due to down time.

Again you are comparing home users to business.

btw - most servers I am supporting have multiple core 64 bit and more than 8 GB of RAM so we are not talking about the original kernel.  For something like 10 years now.

----------


## devil21

> You are quite welcome to code your own OS from Source Code. That is the beauty and freedom of Open Source.
> or look into the several distributions made by some one else.. There are un-hackable (hard code,read only),, high security distros for just that purpose.
> 
> it is ever evolving
> 
> My distro,, my favorite. is the work of a guy in Texas and a bunch of folk in a community of users.
> https://www.pclinuxos.com/
> https://en.wikipedia.org/wiki/PCLinuxOS
> https://distrowatch.com/table.php?di...tion=pclinuxos


I don't have much desire to code anything.  I just know that if the MSM (controlled by same entities that mandated the backdoors in the first place) is blaring on about some emergency and urging you to do something in response to it, it's generally not for a reason that is beneficial to you.

----------


## pcosmar

> btw - most servers I am supporting have multiple 64-bit cores and more than 8 GB of RAM, so we are not talking about the original kernel.  For something like 10 years now.


The linux kernel 4+ is not unstable nor cutting edge,

And yes, the 2.6 kernel was new, 2.4 was old and known, and Win XP was new. 
People were still running Windows servers,, (some still do) despite being complete crap.

I am wondering why,, especially in critical environments,, people insist on running outdated and substandard hardware and software..

It makes little sense to me, and I suspect it bites ass.

----------


## pcosmar

> I don't have much desire to code anything.  I just know that if the MSM (controlled by same entities that mandated the backdoors in the first place) is blaring on about some emergency and urging you to do something in response to it, it's generally not for a reason that is beneficial to you.


Ah,,
Well I found linux by my own research long ago. Not the MSM or marketing,,, just other users online.
I got tired of mainstream crap.

I don't have to agree to any dumb EULA
I don't have malware, or viruses,, 
I fear no E-mail attachment,
I am invisible, and hard to hack. (nothing being impossible)

I like the system they built, and it gives me TOTAL control of my system. 
ymmv

----------


## kahless

> The linux kernel 4+ is not unstable nor cutting edge,
> 
> And yes, the 2.6 kernel was new, 2.4 was old and known, and Win XP was new. 
> People were still running Windows servers,, (some still do) despite being complete crap.
> 
> I am wondering why,, especially in critical environments,, people insist on running outdated and substandard hardware and software..
> 
> It makes little sense to me, and I suspect it bites ass.


Cost and stability.  A bit of a sweet spot, with the bugs mostly ironed out and security fixes and patches back-ported.  Why risk that with an unproven kernel?

It does in a sense bite ass with workstations sometimes if you buy new hardware. On the other hand, trying to install newer kernels on older hardware sucks due to performance issues.  

2.6.x is still maintained, with migrations and newer installations going to the 3.1.x kernel.  But not so much 4.x, since no one wants to test the latest and greatest in a production environment, but it is not far away. 

For home use with newer equipment there is no problem with a newer kernel, which I would more likely need if my hardware is bleeding edge and I need drivers to support it.  I am not going to render older hardware useless with a newer kernel due to performance issues.  The longer they support the older kernels, which make old systems fly, the better.  In many cases there really is no reason to upgrade your hardware or UI if the system is serving your needs and the OS is providing security patches.

----------


## Swordsmyth

*Intel CEO In Jeopardy For Selling Stock After Learning Of "Staggering" Flaw*
https://www.zerohedge.com/news/2018-01-08/it-doesnt-look-good-intel-ceo-jeopardy-selling-stock-after-learning-staggering-flaw

----------


## Swordsmyth

*It gets worse: Microsoft’s Spectre-fixer wrecks some AMD PCs*
https://www.theregister.co.uk/2018/01/08/microsofts_spectre_fixer_bricks_some_amd_powered_pcs/

----------


## timosman

> *Intel CEO In Jeopardy For Selling Stock After Learning Of "Staggering" Flaw*
> https://www.zerohedge.com/news/2018-01-08/it-doesnt-look-good-intel-ceo-jeopardy-selling-stock-after-learning-staggering-flaw


How dumb is this dude?

----------


## Swordsmyth

> How dumb is this dude?


I think arrogance is more to the point.

----------


## timosman

> I think arrogance is more to the point.


You are right. He might know the SEC is really toothless.

----------


## devil21

> *It gets worse: Microsoft’s Spectre-fixer wrecks some AMD PCs*
> https://www.theregister.co.uk/2018/01/08/microsofts_spectre_fixer_bricks_some_amd_powered_pcs/


Well, there's a quick example of why I don't jump all over whatever "fix" is being blared by the media.  Forcing people to buy new hardware (likely Intel, funny that) that they wouldn't otherwise have needed.  I recall reading how a recent Windows update bricked people's old dot matrix printers, forcing new printer purchases.  Eventually, hopefully, people will realize that the MEDIA IS NOT THEIR FRIEND and these tech companies are most definitely not either.  To the heads of these companies we are nothing but consuming cattle to be herded in whatever direction is best for their bottom line and the completion of their full control agenda.  That is IT.




> How dumb is this dude?


You know damn well nothing will happen to him.  Nothing happened to the MGM execs and Board that dumped most of their stock before the LV shooting either.  Even the charade of a rule of law has been dropped.  It's wild west, everyone for themselves, before the run for the exit doors.

----------


## timosman

> You know damn well nothing will happen to him.  Nothing happened to the MGM execs and Board that dumped most of their stock before the LV shooting either.  Even the charade of a rule of law has been dropped.  It's wild west, everyone for themselves, before the run for the exit doors.


This is depressing.

----------


## pcosmar

> Well, there's a quick example of why I don't jump all over whatever "fix" is being blared by the media.


Actually,, that is exactly why I don't use windoze.

----------


## kahless

As expected.

Microsoft admits that the Meltdown/Spectre patches will hit Windows Server performance
https://www.geekwire.com/2018/micros...r-performance/



> Microsoft acknowledged Tuesday morning that Windows Server is now slower for certain types of applications thanks to the patches.
> ...
> Myerson also noted that Windows PC users with recently purchased systems probably won’t notice much of a performance impact from the patches pushed out to Windows users last week, but people with older Windows 10 hardware, and people with Windows 8 or Windows 7 machines, will likely see a performance hit.


Microsoft says older Windows versions will face greatest performance hits after Meltdown, Spectre patches.
http://www.zdnet.com/article/microso...rmance-issues/

----------


## kahless

Same for Linux

IBM melts down fixing Meltdown as processes and patches stutter - RHEL servers croaking
http://www.theregister.co.uk/2018/01/09/ibm_melts_down/



> The documents also say some Red Hat Enterprise Linux servers aren’t rebooting after patching, which is of more concern given that Red Hat developed its own Meltdown/Spectre patches.


Red Hat Warned Partners Of Computing, Cloud Performance Loss Stemming From Protecting Against Chip Vulnerabilities
http://www.crn.com/news/security/300...rabilities.htm



> Solution providers are expecting some systems to be degraded by up to 30 percent


Some with the latest kernel having boot problems
http://www.zdnet.com/article/the-lin...tle-continues/



> Work is continuing, but the latest update of the stable Linux kernel, 4.14.2, has the current patches. Some people may experience boot problems with this release, but 4.14.13 will be out in a few days.

----------


## pcosmar

> As expected.
> 
> Microsoft admits that the Meltdown/Spectre patches will hit Windows Server performance
> https://www.geekwire.com/2018/micros...r-performance/
> 
> 
> Microsoft says older Windows versions will face greatest performance hits after Meltdown, Spectre patches.
> http://www.zdnet.com/article/microso...rmance-issues/


And I was just reading that Red Hat published their bench tests,,
19% reduction in performance,, worst case, but most a 2 to 8% hit.

I suspect they are still massaging it.

windoze likes to throw out nasty patches. It's like a history or a habit.

----------


## devil21

^^^^
What Intel, MS, etc. are actually saying is go buy new crap that most DEFINITELY has all of the backdoors in it.

----------


## pcosmar

> Work is continuing, but the latest update of the stable Linux kernel, 4.14.2, has the current patches. Some people may experience boot problems with this release, but 4.14.13 will be out in a few days.


I'm running 4.14.8,, and have no issues. It had some patches.. 4.15rc is being tested,, and it should have patches,, it is being tested.

Looking forward to its release as stable later this month.

----------


## Swordsmyth

*Intel is having reboot issues with its Spectre-Meltdown patches*
“We have received reports from a few customers of higher system reboots after applying firmware updates. Specifically, these systems are running Intel Broadwell and Haswell CPUs for both client and data center,” Shenoy wrote.
He added, “If this requires a revised firmware update from Intel, we will distribute that update through the normal channels.”

More at: https://finance.yahoo.com/news/intel...221114762.html

----------


## ClaytonB

I did a more detailed write-up on the Meltdown/Spectre attacks here. 

tl;dr: This entire class of attacks can be mooted by restricting user-space software from having access to high-precision timers (timestamp counters), or by slowing the timers (obscuring microarchitectural timing), or by fuzzing the timers (same thing, different method). If you are running user software in a virtual container, you can defend against all these attacks by changing one setting (timestamp-counter scaling) without any kernel update or CPU patch. You won't find this fact mentioned anywhere. Fixes that require "re-architecting CPUs" are nonsense on stilts.
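The post above argues for coarsening or fuzzing the timer that user-space code can read. The following is an added example (not ClaytonB's code, and not from any of the projects in this thread) that makes the mechanism concrete: it builds synthetic "fast" and "slow" access latencies, applies three timer policies to them, and measures how well a simple threshold classifier can still tell the two apart. All latency values, the jitter, and the granularities are assumed, illustrative numbers, not hardware measurements.

```python
"""Timer coarsening/fuzzing as a side-channel mitigation (added illustration).

Constructed example: the latencies below are synthetic integers standing in
for timestamp-counter deltas; nothing here touches real hardware counters.
"""
import random

# Assumed, illustrative latencies in "cycles": a cached access vs. an
# uncached one. A cache-timing channel leaks by telling these two apart.
FAST_CYCLES = 40
SLOW_CYCLES = 300
JITTER = 5          # natural +/- measurement noise, also assumed


def raw_timer(cycles, rng, granularity=None):
    """Full-resolution timer: the true delta is returned unchanged."""
    return cycles


def coarsened_timer(cycles, rng, granularity=1000):
    """'Slowed' timer: readings are truncated to multiples of `granularity`."""
    return (cycles // granularity) * granularity


def fuzzed_timer(cycles, rng, granularity=1000):
    """'Fuzzed' timer: coarsened reading plus uniform random jitter, so two
    readings of the same true value no longer agree with each other."""
    return coarsened_timer(cycles, rng, granularity) + rng.randrange(granularity)


def sample_latencies(base, n, rng):
    """n noisy observations of one true latency (constructed data)."""
    return [base + rng.randint(-JITTER, JITTER) for _ in range(n)]


def classification_accuracy(timer, n=1000, seed=1, granularity=1000):
    """Fraction of accesses a midpoint-threshold classifier labels correctly
    when it can only see `timer`'s output. 1.0 = the channel leaks perfectly,
    0.5 = no better than a coin flip."""
    rng = random.Random(seed)
    fast = [timer(c, rng, granularity) for c in sample_latencies(FAST_CYCLES, n, rng)]
    slow = [timer(c, rng, granularity) for c in sample_latencies(SLOW_CYCLES, n, rng)]
    threshold = (sum(fast) / n + sum(slow) / n) / 2
    correct = sum(1 for t in fast if t <= threshold) + sum(1 for t in slow if t > threshold)
    return correct / (2 * n)


if __name__ == "__main__":
    for name, timer in (("raw", raw_timer),
                        ("coarsened", coarsened_timer),
                        ("fuzzed", fuzzed_timer)):
        print(f"{name:10s} granularity=1000  accuracy={classification_accuracy(timer):.3f}")
    # A granularity finer than the latency gap does not help at all:
    print(f"coarsened  granularity=100   accuracy="
          f"{classification_accuracy(coarsened_timer, granularity=100):.3f}")
```

Two things the run shows that the post does not spell out: the coarsening step only blinds the classifier when the granularity is larger than the latency gap being hidden (granularity 100 still separates 40 from 300 perfectly), and truncation alone leaves every reading deterministic, so jitter is what stops an observer from learning anything from a single sample. This is the same trade-off browsers made when they reduced the resolution of `performance.now()` in early 2018. As a caveat for anyone relying on it: a coarse, jittered timer raises the cost of a measurement rather than removing the underlying microarchitectural state, so it is usually deployed as defense in depth alongside kernel page-table isolation, not instead of it.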

----------


## ClaytonB

Also, a quick note about "backdoors". If you are an ordinary PC user, you should never operate under the assumption that "my computer is secure" because... it isn't. These latest attacks have nothing to do with that. If the NSA or somebody at that scale wants inside your PC, they're in, just like that and they don't have to use academic timing attacks to do it. The best overall description is "push-button access". We know this is the case thanks to the Snowden disclosures, among other whistleblowers.

----------


## Swordsmyth

*Intel admits Spectre patch problems also affect newer Core chips*
Intel has revealed that even its newer CPUs are affected by the frequent reboot problems brought about by the Spectre/Meltdown patches. The chipmaker previously said that the reboot issue affects systems running Broadwell and Haswell. Now that it has managed to reproduce the problem internally in an effort to fix it, the company found that a similar behavior can occur in platforms powered by Skylake and Kaby Lake, which are newer than Haswell and Broadwell. Ivy Bridge- and Sandy Bridge-based systems, both older cores, are also susceptible to the bug. Thankfully, Intel VP Navin Shenoy said that they're close to identifying the problem's root issue. "In parallel," he added, "we will be providing beta microcode to vendors for validation by next week."

More at: https://finance.yahoo.com/news/intel...075000640.html

----------


## pcosmar

@Swordsmyth

The reboot issues are not Intel. The chip flaw is Intel,, but the reboot problem is windoze. and the windoze patches.

No issue here,,, nor with linux in general. So that issue is unique to that OS.

----------


## kahless

Red Hat Will Revert Spectre Patches After Receiving Reports of Boot Issues
https://www.bleepingcomputer.com/new...f-boot-issues/



> Red Hat is releasing updates that are reverting previous patches for the Spectre vulnerability (Variant 2, aka CVE-2017-5715) after customers complained that some systems were failing to boot.
> 
> "Red Hat is no longer providing microcode to address Spectre, variant 2, due to instabilities introduced that are causing customer systems to not boot," the company said yesterday.

----------


## pcosmar

> Red Hat Will Revert Spectre Patches After Receiving Reports of Boot Issues
> https://www.bleepingcomputer.com/new...f-boot-issues/


Been following 4.15 release,, expected today.

It may still be a problem with the server patches... there has been a push to fix,, and release candidates are still being tested.

There are a lot of eyes on the code.

----------


## TheCount

> Also, a quick note about "backdoors". If you are an ordinary PC user, you should never operate under the assumption that "my computer is secure" because... it isn't. These latest attacks have nothing to do with that. If the NSA or somebody at that scale wants inside your PC, they're in, just like that and they don't have to use academic timing attacks to do it. The best overall description is "push-button access". We know this is the case thanks to the Snowden disclosures, among other whistleblowers.


The same is true of everything.  Nothing is completely secure.  But if an ordinary citizen takes some very ordinary precautions, they will be 1) more effort than they're worth, and 2) safe from prosecution, because the NSA is not about to show off their toolkit in court unless you're Bin Laden 2.0.

----------


## Swordsmyth

The always outspoken Linus Torvalds, best known for his continuing work on the innermost code of Linux systems, has harsh words to say and accusations to level against Intel. His evaluation of Intel's latest proposed fix for the Meltdown/Spectre issue: "the patches are COMPLETE AND UTTER GARBAGE." As a potential line of inquiry, he suggests: "Has anybody talked to them and told them they are f*cking insane?" (asterisk his.)
These and other kind epithets are awarded by Torvalds in a public email chain between him and David Woodhouse, an engineer at Amazon in the U.K., regarding Intel's solution as relating to the Linux kernel. The issue is (as far as I can tell as someone far out of their depth) a clumsy and, Torvalds argues, "insane" implementation of a fix that essentially does nothing while also doing a bunch of unnecessary things.
The fix needs to address Meltdown (which primarily affects Intel chips), but instead of just doing so across the board, it makes the whole fix something the user or administrator has to opt into at boot. Why even ask, if this is such a huge vulnerability? And why do it at such a low level when future CPUs will supposedly not require it, at which point the choice would be at best unnecessary and at worst misleading or lead to performance issues?
Meanwhile, a bunch of other things are added in the same patch that Torvalds points out are redundant with existing solutions, for instance adding protections against an exploit already mitigated by Google Project Zero's "retpoline" technique.
Why do this? Torvalds speculates that a major part of Intel's technique, in this case "Indirect Branch Restricted Speculation" or IBRS, is so inefficient that to roll it out universally would result in widespread performance hits. So instead, it made the main Meltdown fix optional and added the redundant stuff to make the patch look more comprehensive.

More at: https://finance.yahoo.com/news/linus...202431449.html

----------

