LinuxQuestions.org
Old 02-03-2019, 04:54 PM   #1
kjhambrick
Senior Member
 
Registered: Jul 2005
Location: Round Rock, TX
Distribution: Slackware64 14.2 + Multilib
Posts: 1,475

Spectre and Meltdown and Linux and Turn it Off Please !


This link on ZDNet was worth browsing for all the links:

https://www.zdnet.com/article/linux-...e-mitigations/

I found it on SlashDot: https://it.slashdot.org/story/19/02/...re-mitigations

Have Fun all'Y'all !

-- kjh
 
Old 02-03-2019, 06:36 PM   #2
Skaendo
Member
 
Registered: Dec 2014
Location: West Texas, USA
Distribution: Slackware64-14.2
Posts: 833

Yes please.
 
Old 02-04-2019, 07:32 AM   #3
kjhambrick
Senior Member
 
Registered: Jul 2005
Location: Round Rock, TX
Distribution: Slackware64 14.2 + Multilib
Posts: 1,475

Original Poster
One Clarification ...

I don't believe that Pat should change any of the Default Kernel Configs nor should he tweak any of the Spectacular Meltdown Kernel Config Knobs for us by default.

The Configs and Knobs are there for each Administrator to mess with for each of her Machines, depending on how each Machine is being used.

At least that's my $0.02

-- kjh
 
6 members found this post helpful.
Old 02-04-2019, 01:44 PM   #4
montagdude
Senior Member
 
Registered: Apr 2016
Distribution: Slackware
Posts: 1,385

I just tried it on my server running object detection on images, and it cut down the time for each one from 5-7 seconds to 3-4 seconds. I think I'll keep it this way...

Thanks for the info, kjh.
 
1 member found this post helpful.
Old 02-04-2019, 01:55 PM   #5
abga
Member
 
Registered: Jul 2017
Location: EU
Distribution: Slackware
Posts: 904

Another Clarification ...

The security of these utterly insecure computer systems is not really taken seriously, especially now that pretty much everything is interconnected publicly and there's always an attempt to disable/simplify things, mostly due to procrastination and "positive thinking" (whatever that sh... means). No wonder you get news like:
https://www.pcworld.com/article/3336...formation.html
https://www.lifewire.com/how-many-em...-there-1171213

Point(s) is:
https://www.azquotes.com/picture-quo...n-39-38-96.jpg
&
http://quotes.land/wp-content/upload...te-by-Dali.jpg

Last edited by abga; 02-04-2019 at 03:00 PM. Reason: seriously
 
1 member found this post helpful.
Old 02-04-2019, 02:25 PM   #6
kjhambrick
Senior Member
 
Registered: Jul 2005
Location: Round Rock, TX
Distribution: Slackware64 14.2 + Multilib
Posts: 1,475

Original Poster
abga --

In that case, the last link on the Page: NSA's Hardware-and-Firmware-Security-Guidance is an enlightening read

-- kjh
 
1 member found this post helpful.
Old 02-05-2019, 07:56 AM   #7
kjhambrick
Senior Member
 
Registered: Jul 2005
Location: Round Rock, TX
Distribution: Slackware64 14.2 + Multilib
Posts: 1,475

Original Poster
Quote (originally posted by montagdude):
I just tried it on my server running object detection on images, and it cut down the time for each one from 5-7 seconds to 3-4 seconds. I think I'll keep it this way...

Thanks for the info, kjh.
You're welcome montagdude

Wow ! That's quite a difference, especially if you're processing tens, hundreds or thousands of image files !!

Thank YOU for the info.

May I ask which configs you tweaked ?

-- kjh
 
Old 02-05-2019, 08:01 AM   #8
montagdude
Senior Member
 
Registered: Apr 2016
Distribution: Slackware
Posts: 1,385

Quote (originally posted by kjhambrick):
You're welcome montagdude

Wow ! That's quite a difference, especially if you're processing tens, hundreds or thousands of image files !!

Thank YOU for the info.

May I ask which configs you tweaked ?

-- kjh
I am running Linux 4.19 on this machine, so I used nospectre_v1, nospectre_v2, and spec_store_bypass_disable. Thankfully, I'm only processing in the range of tens (max) in the span of a few minutes, otherwise I would need a faster server.

So, my firewall blocks all incoming traffic to the server except https and ssh (but only from 1 known address for ssh). Anyone know if I should be worried/"paranoid" about potential attacks with these mitigations disabled, given this setup? Perhaps it's a hypothetical question, since AFAIK there are no known exploits in the wild.

Last edited by montagdude; 02-05-2019 at 08:39 AM.
 
1 member found this post helpful.
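The knobs named in post #8 are kernel command-line parameters, and on Slackware they are normally set through an append="..." line in /etc/lilo.conf followed by running lilo (that is my assumption about the poster's setup, not something the post states). The kernel documents the last one with a value, spec_store_bypass_disable=off. Whatever is set, the kernel reports the resulting state under /sys/devices/system/cpu/vulnerabilities, and that is the check worth running after a reboot: an entry reading "Vulnerable" means the CPU is affected and the kernel is not mitigating. The script below is an added example, not from the thread; it reports that directory, counts the unmitigated entries, and lists the disabling parameters found on the command line. When /sys is not available it falls back to a constructed sample directory, whose status strings are invented for the example (only the "Vulnerable", "Mitigation:" and "Not affected" prefixes are the kernel's own).

```shell
#!/bin/sh
# Added example (not from the thread): report the kernel's own view of the
# Spectre/Meltdown mitigation state and list which knobs were switched off
# on the command line. Directory and cmdline are function arguments so the
# same code runs against constructed sample data when /sys is unavailable.

# Print "name: status" for every file in a vulnerabilities directory.
report_vulns() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        printf '%s: %s\n' "$(basename "$f")" "$(cat "$f")"
    done
}

# Count entries that are neither "Not affected" nor "Mitigation: ...";
# those are the cases where the CPU is affected and the kernel is not
# mitigating (the state the posters in this thread opted into).
count_unmitigated() {
    n=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        case "$(cat "$f")" in
            "Not affected"|Mitigation:*) ;;
            *) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Print, one per line, the mitigation-disabling parameters present in a
# kernel command line string: the three from post #8 (in their documented
# spelling) plus other ones listed in kernel-parameters.txt.
disabled_flags() {
    for word in $1; do
        case "$word" in
            nospectre_v1|nospectre_v2|spectre_v2=off|spec_store_bypass_disable=off|nopti|pti=off|mitigations=off)
                printf '%s\n' "$word" ;;
        esac
    done
}

# Constructed sample: a sysfs directory as it might look after booting
# with post #8's parameters. The contents are invented for the example;
# only the status prefixes follow the kernel's wording.
make_sample() {
    d=$(mktemp -d)
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    printf 'Vulnerable\n'      > "$d/spectre_v1"
    printf 'Vulnerable\n'      > "$d/spectre_v2"
    printf 'Vulnerable\n'      > "$d/spec_store_bypass"
    printf 'Not affected\n'    > "$d/l1tf"
    echo "$d"
}
SAMPLE_CMDLINE='BOOT_IMAGE=/boot/vmlinuz root=/dev/sda1 ro nospectre_v1 nospectre_v2 spec_store_bypass_disable=off'

# Use the live system when it exposes the sysfs directory, else the sample.
CLEANUP=""
if [ -d /sys/devices/system/cpu/vulnerabilities ]; then
    DIR=/sys/devices/system/cpu/vulnerabilities
    CMDLINE=$(cat /proc/cmdline)
else
    DIR=$(make_sample)
    CLEANUP=$DIR
    CMDLINE=$SAMPLE_CMDLINE
fi
report_vulns "$DIR"
echo "unmitigated entries: $(count_unmitigated "$DIR")"
echo "mitigations disabled on the command line:"
disabled_flags "$CMDLINE"
if [ -n "$CLEANUP" ]; then rm -rf "$CLEANUP"; fi
```

Run it once before and once after changing the boot parameters; the count of unmitigated entries going up is the confirmation that the knob actually took effect, which the speed-up alone does not prove.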
Old 02-05-2019, 10:11 AM   #9
kjhambrick
Senior Member
 
Registered: Jul 2005
Location: Round Rock, TX
Distribution: Slackware64 14.2 + Multilib
Posts: 1,475

Original Poster
Quote (originally posted by montagdude):

<<snip>>

So, my firewall blocks all incoming traffic to the server except https and ssh (but only from 1 known address for ssh). Anyone know if I should be worried/"paranoid" about potential attacks with these mitigations disabled, given this setup?
montagdude --

That's the $64,000 question ...

Quote:
Perhaps it's a hypothetical question, since AFAIK there are no known exploits in the wild.
And I don't know if anyone has anything more than hypothetical answers either ...

-- kjh
 
1 member found this post helpful.
Old 02-05-2019, 10:16 AM   #10
montagdude
Senior Member
 
Registered: Apr 2016
Distribution: Slackware
Posts: 1,385

Yeah, I figured as much.
 
Old 02-05-2019, 05:35 PM   #11
abga
Member
 
Registered: Jul 2017
Location: EU
Distribution: Slackware
Posts: 904

Quote (originally posted by montagdude):
So, my firewall blocks all incoming traffic to the server except https and ssh (but only from 1 known address for ssh).
This is the proper way to reduce the attack surface & restrict the access to only trusted peers. Since port/service scanning is a widespread phenomenon nowadays, you should maybe consider implementing a port knocking service:
https://en.wikipedia.org/wiki/Port_knocking
There are simple sequence-based port knocking client apps already available even for Android.
This is just to make sure you don't let your https&ssh "orifices" open to the world (IP restriction won't help you against IP spoofing).
A dynamic (DHCP provided) public IP (you could randomly disconnect/reconnect from your ISP with a script) together with a https based dynDNS service is also helpful, but it'll disrupt your service when doing the reconnect.
And I'd tunnel everything through a VPN, that will be a second layer of security.
For public services you'll definitely need to consider an IDS/IPS system - snort is pretty good, you have it also on SlackBuilds:
https://en.wikipedia.org/wiki/Snort_(software)
Or, "hide" your systems behind one of those CDN systems like Cloudflare.
There are some other interesting (and simple) measurements, but I'd need to shoot you if I tell you about them, and you're a nice guy (so far)

Theoretically/hypothetically/philosophically, the services you use will be always vulnerable at some point in time, you'll need to constantly update them and I like the concept of designing a security system to "fail gracefully" (Bruce Schneier "preaches" that on every occasion):
https://en.wikipedia.org/wiki/Kerckh...ining_security
https://en.wikipedia.org/wiki/Graceful_exit
Good presentation - The Mirage of Security:
https://www.youtube.com/watch?v=NB6rMkiNKtM

Last edited by abga; 02-05-2019 at 08:17 PM. Reason: typo-URL
 
2 members found this post helpful.
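Post #8 describes the firewall (https open to everyone, ssh only from one known address) and post #11 suggests adding port knocking on top of it. The script below is an added example, not from either poster, of both in one iptables ruleset using the "recent" match rather than a separate knockd daemon: a source that hits three closed ports in order within a short window gets the ssh port opened to it for a few seconds, and any other packet from a source mid-sequence cancels the sequence. The trusted address, the knock ports and the time windows are placeholders chosen for the example; on Slackware the usual home for such rules is an executable /etc/rc.d/rc.firewall (my assumption, not from the thread). The function only prints the commands so they can be read before being applied with the --apply argument.

```shell
#!/bin/sh
# Added example (not from the thread): the https-plus-restricted-ssh
# firewall from post #8 with a three-port knock sequence, as suggested in
# post #11, built on the iptables "recent" match. gen_rules prints the
# commands; "--apply" pipes them into sh. Address and ports are placeholders.

ADMIN_IP=${ADMIN_IP:-203.0.113.10}               # the one trusted ssh source (documentation range)
K1=${K1:-7000}; K2=${K2:-8000}; K3=${K3:-9000}   # knock ports: must be otherwise unused
KNOCK_WINDOW=${KNOCK_WINDOW:-10}                 # seconds allowed between successive knocks
OPEN_WINDOW=${OPEN_WINDOW:-30}                   # seconds ssh stays reachable after the sequence

gen_rules() {
    cat <<EOF
iptables -F INPUT
iptables -N KNOCK_RESET 2>/dev/null || true
iptables -F KNOCK_RESET
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
# the public service
iptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
# ssh from the known address needs no knock
iptables -A INPUT -p tcp -s $ADMIN_IP --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# ssh for any source that completed the knock sequence within OPEN_WINDOW
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --name UNLOCKED --rcheck --seconds $OPEN_WINDOW -j ACCEPT
# stage 3: K3 within KNOCK_WINDOW of K2 marks the source as unlocked
iptables -A INPUT -p tcp --dport $K3 -m recent --name KNOCK2 --rcheck --seconds $KNOCK_WINDOW -m recent --name UNLOCKED --set -j DROP
# stage 2: K2 within KNOCK_WINDOW of K1
iptables -A INPUT -p tcp --dport $K2 -m recent --name KNOCK1 --rcheck --seconds $KNOCK_WINDOW -m recent --name KNOCK2 --set -j DROP
# stage 1: K1 starts a sequence
iptables -A INPUT -p tcp --dport $K1 -m recent --name KNOCK1 --set -j DROP
# anything else cancels a sequence in progress, then is dropped: a rule
# without a target just performs its match action and falls through
iptables -A KNOCK_RESET -m recent --name KNOCK1 --remove
iptables -A KNOCK_RESET -m recent --name KNOCK2 --remove
iptables -A KNOCK_RESET -j DROP
iptables -A INPUT -j KNOCK_RESET
EOF
}

if [ "${1:-}" = "--apply" ]; then
    gen_rules | sh
else
    gen_rules
fi
```

A client with a netcat that supports -z can knock with something like `for p in 7000 8000 9000; do nc -z -w1 server $p; done` and then ssh normally; the knock packets themselves are dropped, so each probe ends on its -w timeout. The knock adds obscurity on top of the address restriction, not in place of it: the trusted-address rule stays, the knock only opens a second path, and a log of which sources complete the sequence is worth keeping.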
Old 02-10-2019, 06:36 AM   #12
Martinus2u
Member
 
Registered: Apr 2010
Distribution: Slackware
Posts: 414

Quote (originally posted by montagdude):
So, my firewall blocks all incoming traffic to the server except https and ssh (but only from 1 known address for ssh). Anyone know if I should be worried/"paranoid" about potential attacks with these mitigations disabled, given this setup? Perhaps it's a hypothetical question, since AFAIK there are no known exploits in the wild.
Since I build my own kernels anyway, I have opted from the beginning NOT to include spectre type mitigations. Why? As I've commented in the past, the problem can only manifest itself if the attacker manages to execute code on your machine. If the attacker has physical contact to the machine, you are lost anyway. Therefore the main threat remains remote code execution, which we must prevent in any case. So nothing new.

HOWEVER.

The big problem is Javascript. Most people allow remote code execution on their machine via web browsers, assuming it is sandboxed and therefore harmless. It has been shown that the spectre type attacks can be performed due to the predictable behaviour of modern Javascript JIT compilers.

I may come across as a grumpy git when I rant against Javascript, but it is the gateway of doom we must close. Browsers executing a downloaded turing-complete language is a fundamentally flawed concept that should never have been allowed. It has only given us poor-quality flawed web apps, while exposing us to privacy breaches and remote attacks.

Last edited by Martinus2u; 02-11-2019 at 10:54 AM.
 
3 members found this post helpful.
Old 02-10-2019, 07:09 AM   #13
syg00
LQ Veteran
 
Registered: Aug 2003
Location: Australia
Distribution: Lots ...
Posts: 17,509

I'd better go find some previous posts from this "grumpy git".
As for these "exposures", I am reminded of Chicken Little ... yet again ...
 
Old 02-18-2019, 08:50 AM   #14
abga
Member
 
Registered: Jul 2017
Location: EU
Distribution: Slackware
Posts: 904

https://www.theregister.co.uk/2019/0...ant_be_killed/
Quote:
Google security researchers have analyzed the impact of the data-leaking Spectre vulnerabilities afflicting today's processor cores, and concluded software alone cannot prevent exploitation.
....
Initially, software and hardware makers pushed fixes like microcode updates and techniques like Retpoline. Browser makers Google and Mozilla made timing data less accessible, to make speculative execution attacks more difficult.

But that appears to be futile. "We argue that mitigating timing channels by manipulating timers is impossible, nonsensical, and in any case ultimately self-defeating," the researchers say.
Research paper:
https://arxiv.org/pdf/1902.05178.pdf
 
1 member found this post helpful.
  

