"The company that sent me the pictured fingerprint lock has provided the security quote of the year: “...the lock is invincible to the people who do not have a screwdriver.”"
More details about the #LazyFP Intel CPU issue. Affected OSes:
- Linux (mostly pre 4.4.y, y < 138)
- KVM when run on affected Linux kernel versions
- All Xen versions and generally all hypervisors that employ lazy FPU switching
- Verified on the Intel Core microarchitecture from Sandy Bridge to Skylake
- State of other processors unclear
There are also attack details, at least for one of three variants they discovered.
Oh look, Theo de Raadt seems to confirm my feeling regarding Intel Hyperthreading that I tooted about yesterday:
fully pledged slaacd(8) coming to a mirror near you soon.
$ ps A | grep '[s]laacd'
22110 ?? Isp 0:00.01 /sbin/slaacd
2300 ?? Ip 0:00.01 slaacd: engine (slaacd)
58317 ?? Ip 0:00.03 slaacd: frontend (slaacd)
KoL sarcasm, open source
Kingdom of Loathing has a drink called "open sauce", and this is the description when you partake.
"You drink the sauce. It tastes like the end result of forty peoples' violently conflicting ideas of what sauce should taste like. After you're done drinking it, one of your teeth falls out for no apparent reason. You probably drank it wrong."
Ah, we finally see the trickle-down theory being applied.
The question "Should I run *BSD?" is officially my new pet peeve.
If one feels the need to ask this question online in 2018, with advanced search engines, fast internet, virtualization technologies, and abundance of quality documentation, then no, they will not find what they're looking for in the BSD world. Unless they're looking for wasting the time of people who cannot distinguish helpfulness from enabling laziness.
New #OpenBSD errata for 6.3, backporting the Intel FPU security fix. syspatch(8) now! (amd64) https://email@example.com/msg00213.html
#BRM 600 of Tours: the ride report https://www.kim-minh.com/2018/2018-06-02-brm-600-tours
[mathy] "I sent one mail on 14 August where I mentioned the new disclosure date of 16 Oct. In that same mail I also gave the OK to quietly commit a fix."
responsible disclosure
On May 3rd heise rumours about 8 more spectre type bugs: https://heise.de/-4040648
It took an unknown amount of time to puzzle out the FPU problem (CVE-2018-3665).
After that it took Philip Guenther 2 weeks to fix it.
It took Colin Percival 5 hours to weaponise it.
Responsible disclosure means that certain people can fix their shit in their own time, disclose the vuln and leave the rest hanging.
I guess some people have a responsibility towards their stock options.
#OpenBSD intuition regarding a new side-channel caused by the speculative execution on systems with lazy FPU context switching wasn't unsubstantiated. Intel has just published an advisory: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00145.html
Systems using #Intel ® Core-based microprocessors may potentially allow a local process to infer data utilizing #LazyFP state restore from another process through a speculative execution side channel.