/srv/irclogs.ubuntu.com/2018/01/04/#ubuntu-discuss.txt

[00:00] <TJ-> Lots of very large organisations using 'cloud' for critical stuff, storing confidential data alongside (e.g. AWS S3), are going to need to re-evaluate and possibly switch to more expensive, dedicated, hardware
[00:01] <JanC> they probably should, but I doubt most will, unless there is a huge push against the cloud in mass media...  :)
[00:04] <TJ-> Some are legally obliged to; their service providers can no longer guarantee security for shared tenants
[00:04] <JanC> nobody can guarantee security
[00:07] <TJ-> indeed, but for example, some AWS contracts specify compliance with legal requirements on data confidentiality (e.g. healthcare records in USA) e.g. https://aws.amazon.com/health/providers-and-insurers/  where one of the selling points is "Improve your Security and Compliance Posture"
[00:09] <JanC> well, they are still selling it, right?  ;)
[00:35] <JanC> so Red Hat mentions POWER architecture is impacted too
[00:37] <JanC> and there is a possible solution or mitigation against Spectre which involves patches to both the kernel and to GCC
[00:38] <JanC> Linus: https://lkml.org/lkml/2018/1/3/797  :P
[00:40] <TJ-> yes, seen that, but have you read the thread? Andi's patches (from Dave Hansen @ Intel) - there's a 'retpoline' sequence that disables speculation, and it looks like part of it requires a build-time compiler operation or insertion of a custom blob
[00:41] <nacc> there is ongoing discussion on that
[00:41] <nacc> but yeah, it's compiler-assisted
[00:42] <nacc> or needs perl in the kernel :-P
[00:42] <JanC> like I said: it needs patches in both the kernel & the compiler
[00:42] <TJ-> it looks like the best approach, if there are more workarounds in the pipeline
[00:43] <JanC> and maybe requires re-building all applications with the new compiler really, as Spectre is mostly a per-process thing?
[00:43] <TJ-> "-mindirect-branch=thunk-extern"
[00:44] <JanC> or would the kernel part protect applications too?
[00:54] <nacc> JanC: it probably could, at some cost (iiuc)
[00:55] <JanC> the more I read about Spectre, the more this sounds like something I read about months or a year ago...
[00:55] <JanC> probably someone speculating
[00:56] <nacc> yeah it's been discussed for a while, i think
[00:56] <nacc> theoretically discussed
[01:00] <TJ-> there was a paper at US blackhat 2016 about these micro-arch attacks
[01:01] <TJ-> we now also have this to give out: https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown
[01:03] <JanC> ah, might have been from that, or a related/derived article/talk/paper
[01:04] <TJ-> one of the BH paper authors is one of the authors of the KAISER paper/code
[01:07] <dax> !kpti
[01:07] <ubot5> Spectre and Meltdown are security issues that affect most processors, mitigated by a set of Linux kernel patches named KPTI. | General info: https://spectreattack.com/ | Ubuntu (and flavors) info: https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown | An Ubuntu Security Notice will be released when updates are available, subscribe at https://usn.ubuntu.com/usn/
[01:12] <TJ-> good job we can all fall-back on our RasPi clusters :)
[01:17] <daftykins> Pis still don't have proper ubuntu images, do they? someone was looking it up the other day, seems to be a poor scenario
[01:20] <TJ-> http://cdimage.ubuntu.com/ubuntu-server/xenial/daily-preinstalled/current/
[01:21] <daftykins> last i saw i thought they couldn't install other kernels though
[02:41] <dax> Ben64: gotta love when ops calls fix the problem all by themselves
[02:41] <Ben64> indeed
[02:42] <daftykins> huh, an op did something?
[02:42] <daftykins> :O
[02:42] <Ben64> i'll never understand why a) people don't use the right channels and b) why they have to rebel against 'the man' and their 'rules'
[02:43] <Ben64> anyway, time to preheat the oven for my tater tots
[02:44] <daftykins> ooh yes please
[02:44] <Ben64> come on over
[02:45] <Ben64> making sloppy joes and tater tots
[02:45] <Ben64> because i'm an adult and i can
[02:45] <daftykins> :D
[02:46] <Ben64> also i looked at how much i spent eating out in december and holy crap
[06:22] <lotuspsychje> good morning to all
[07:01] <lordievader> Good morning
[07:16] <lotuspsychje> hey lordievader
[07:16] <lordievader> Morning lotuspsychje
[07:19] <ducasse> morning all
[07:19] <ducasse> hi lordievader, lotuspsychje
[07:19] <lotuspsychje> hey ducasse
[07:20] <lotuspsychje> best of wishes in 2018 guys!
[07:20] <lotuspsychje> on topic this new cve:
[07:20] <lotuspsychje> !kpti
[07:20] <ubot5> Spectre and Meltdown are security issues that affect most processors, mitigated by a set of Linux kernel patches named KPTI. | General info: https://spectreattack.com/ | Ubuntu (and flavors) info: https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown | An Ubuntu Security Notice will be released when updates are available, subscribe at https://usn.ubuntu.com/usn/
[07:20] <lordievader> How are you doing?
[07:21] <lordievader> Hey ducasse
[07:21] <lotuspsychje> great here, enjoyed holidays
[07:22] <lotuspsychje> tnx 4 the adjust dax
[07:34] <EriC^^> morning all
[07:35] <lotuspsychje> hey EriC^^
[07:37] <alkisg> Good morning everyone
[07:37] <lotuspsychje> hey alkisg
[07:38] <ducasse> hi alkisg, EriC^^
[07:42] <EriC^^> hi ducasse
[07:42] <EriC^^> hey lotuspsychje
[07:42] <lotuspsychje> 1300+ users yesterday
[07:42] <EriC^^> yuppers
[07:42] <lotuspsychje> today 1400?
[07:42] <lotuspsychje> :p
[07:43] <EriC^^> hi alkisg
=== lotuspsychje_ is now known as lotus|bionic
[10:24] <EriC^^> lotuspsychje: no work today
[10:24] <EriC^^> ?
[10:24] <lotus|bionic> EriC^^: 8january start
[10:24] <EriC^^> cool
[10:24] <lotus|bionic> yeah =p
[10:25] <lotuspsychje> lucky you
[10:26] <lotus|bionic> lol
[10:26] <lotus|bionic> stay off the pc you
[10:26]  * lotus|bionic spanks lotuspsychje
[10:26] <EriC^^> :D
[10:30] <lotuspsychje> lol okay doei
[10:31] <lotus|bionic> grr
[11:29] <BluesKaj> Howdy folks
[11:35] <alkisg> Hello BluesKaj
[11:39] <BluesKaj> Hi alkisg
[13:13] <EriC^^> good afternoon all
[13:15] <BluesKaj> Hey EriC^^
[13:15] <EriC^^> hey BluesKaj :)
[13:19] <lotuspsychje> hi BluesKaj
[13:20] <BluesKaj> 'Morning pauljw
[13:20] <lotuspsychje> hi TJ- pauljw
[13:21] <pauljw> morning everyone
[13:27] <lotuspsychje> http://news.softpedia.com/news/red-hat-says-security-updates-for-meltdown-spectre-bugs-may-affect-performance-519214.shtml
[13:35] <pauljw> anyone heard when we're supposed to get these patches?
[13:36] <lotuspsychje> pauljw: still waiting
[13:36] <pauljw> ok
[13:37] <lotuspsychje> pauljw: they should show on !usn when ready
[13:38] <BluesKaj> taking away the NSA etc 's back door :-)
[13:38] <pauljw> thanks, no biggie as i do updates every morning
[13:38] <pauljw> that would be great, BluesKaj
[13:38] <lotuspsychje> BluesKaj: lol
[13:39] <BluesKaj> that was mentioned by one of the so called experts over at the ##linux chat
[13:39] <pauljw> heheh...
[13:41] <BluesKaj> there's quite a few of them over there...an endless source of entertainment :-)
[13:43] <lotuspsychje> https://fedoramagazine.org/protect-fedora-system-meltdown/
[13:49] <lotuspsychje> https://askubuntu.com/questions/992137/how-to-check-that-kpti-is-enabled-on-my-ubuntu/992186#992186
[13:54] <pauljw> the fallout of this should prove interesting.
[13:54] <pauljw> from this
[13:56] <daftykins> hey all \o
[13:56] <EriC^^> heya daftykins o/
[13:56] <pauljw> o/
[13:56] <daftykins> well, it's not gonna be fixed even after patches
[13:56] <EriC^^> happy (belated) new year
[13:56] <daftykins> and to you :D
[13:56] <EriC^^> :D
[13:56] <lotuspsychje> hey daftykins
[13:57] <daftykins> there'll be plenty more Intel ME issues to come this year, too :)
[13:57] <pauljw> no, it's just a work around
[13:57] <lotuspsychje> i also think mass exploits gonna come
[13:57] <BluesKaj> hey daftykins
[13:58] <BluesKaj> lotuspsychje
[14:00] <lotuspsychje> the underground always faster than the patches
[14:00] <pauljw> yep
[14:03] <daftykins> and everyone faster than Equifax ;D
[14:08] <BluesKaj> we got phony phone calls from scammers posing as Equifax fact checkers about our CCs and bank accts...I told them to send me their requests for info in the mail ...they hemmed and hawed for a few secs and said they would, but that was 2 months ago and we haven't received anything from them
[14:11] <daftykins> hehe
[14:11] <daftykins> a client had their secretary forward me a legit looking email offering the fraid protection services and so on
[14:11] <daftykins> i asked how that really related to the work i do...
[14:12] <BluesKaj> heh
[14:13] <daftykins> *fraud oops
[14:15] <BluesKaj> the reason i knew they were phishing is they couldn't  tell me the last 4 digits of my VISA card...wife just reminded me
[14:16] <daftykins> ah har
[14:21] <BluesKaj> always ask for correspondence by regular mail, simple but usually effective advice from my bank.
[14:23] <daftykins> yip, that's true
[14:23] <daftykins> right i'm heading off, laters all \o
[14:23] <pauljw> :)
[14:27] <TJ-> BluesKaj: but it's much more fun to give them incorrect information :p
[14:31] <BluesKaj> TJ-, true, but the sooner I can get rid of them, the better...besides wife hates it when i stay on the phone and make fun of them. She's more paranoid than I am :-)
[14:32] <lotuspsychje> lol
[14:32] <BluesKaj> I like blaming my wife :-)
[14:33] <TJ-> I once had a very entertaining call where I turned tables on them, because, as I said "It's only fair if you want to know my bank account info that I also know yours!"
[14:33] <lotuspsychje> lol
[14:37] <lotuspsychje> new usn, but for 12.04 https://usn.ubuntu.com/usn/usn-3430-3/
[14:37] <TJ-> Can I interest you in my new CPU architecture? I call it speculated-abacus because I sprinkled glitter on the beads :)
[14:38] <pauljw> lol
[14:38] <TJ-> I wish those security notices would drop the phrase " If a user were tricked into viewing a malicious website, " - the user doesn't need to be tricked, any web-site is potentially malicious, regardless of who operates it
[14:39] <TJ-> I'm referring to the USN-3514-1 WebKitGTK+ batch
[14:40] <lotuspsychje> indeed
[14:40] <lotuspsychje> when is one really safe on the net?
[14:41] <lotuspsychje> the best hacker is the invisible one, without a name, without a connection
[14:42] <TJ-> You mean Intel? :D
[14:42] <lotuspsychje> loll
[14:42] <lotuspsychje> 1nt3L
[14:43] <lotuspsychje> pikapika: was reading this, this morning: https://fedoramagazine.org/protect-fedora-system-meltdown/
[14:43] <TJ-> Well, they've always been brazen about it with their "Intel Inside" trademark and campaign, just people didn't realise just how 'inside' Intel were
[14:45] <pikapika> So um just to make it clear...in eli5 terms, fix isn't yet available for Ubuntu?
[14:46] <lotuspsychje> pikapika: still in progress
[14:46] <TJ-> It's being worked on, intensely! but the mainline patch-set isn't complete yet so there is no final 'fix' available. There may be more patches to fix discovered regressions yet
[14:46] <pikapika> Ok, thanks. Any expected time for release?
[14:46] <TJ-> pikapika: as soon as possible
[14:46] <lotuspsychje> https://www.phoronix.com/scan.php?page=article&item=linux-kpti-kvm&num=1
[14:47] <TJ-> pikapika: this was supposed to be under wraps until the 9th, to give time for OS vendors to get the updates published, so there's a week of work to be done instantly
[14:47] <pikapika> Ok
[14:48] <pikapika> I hope it's released soon, as I am sorta a refugee from Windows 10 and wouldn't like going back
[14:50] <TJ-> It depends on what you use the PC for, as to how urgent patching is. Enterprise services on shared hardware processing sensitive data are the most at-risk. Desktop users are at least risk (especially once the browser updates are installed)
[14:51] <pikapika> Oh
[14:51] <pikapika> Yeah this too.
[14:51] <pikapika> I'll have to check Firefox updates too
[14:51] <TJ-> Mozilla are publishing updates which will be available quite soon
[14:52] <pikapika> Yeah it's an everyday use desktop, but still since the method is now so well known, things are um scary lol
[14:52] <lotuspsychje> i dont get the hassle about 1 active security hole...there are soo many around for many Os and we keep saying: keep your system up to date..
[14:53] <TJ-> The hassle is because this class of exploits effectively takes away all the security guarantees we've assumed were there for the last 15 years
[14:53] <lotuspsychje> yeah understand that part
[14:54] <TJ-> There will be more exploits using these general techniques; the researchers developed 4 exploits for 'Spectre' but there will be many more
[14:55] <TJ-> And for Intel CPUs 'Meltdown' is 'game over' - hence the performance-impacting workaround KAISER  a.k.a Kernel Page Table Isolation (KPTI) patches
[14:55] <lotuspsychje> indeed
[14:56] <lotuspsychje> there will be always guys testing/finding security holes
[14:56] <lotuspsychje> with a lot of time
[14:57] <TJ-> yes, this class of vulnerabilities has been well known since mid 2016, it was just a matter of time until effective exploits were developed
[14:57] <lotuspsychje> we can learn so much of underground techniques
[14:58] <lotuspsychje> and once it gets official it's way too late
[14:58] <lotuspsychje> all got exploited already
[15:01] <lotuspsychje> especially fast servers are big targets every time
[15:13] <lotuspsychje> bbl
[18:05] <dax> https://devtalk.nvidia.com/default/topic/1028222/linux/lts-kernel-patch-for-intel-cpu-vulnerability-breaks-nvidia-driver/post/5230546/#5230546
[18:05] <dax> EXPORT_SYMBOL_GPL + nvidia strikes again!
[18:07] <TJ-> yes, I was looking at that earlier and grinning to myself since I reported a similar one for 4.14 when the AMD SME code was added, where Linux eventually over-rode the sub-system maintainer and changed to EXPORT_SYMBOL. I expect upstream will do likewise for this
[18:08] <TJ-> s/Linux/Linus/ grrr, what is with my fingers today? Have they caught the speculative execution bug!?
[19:17] <nicomachus> TJ-: maybe they're cold, like mine
=== czesmir_ is now known as czesmir
[20:27] <nicomachus> nacc: taking the problem over to #android now, but thanks for the help. adb is complaining about "insufficient permissions for device: verify udev rules." now
[20:28] <nacc> nicomachus: fun :)
[20:28] <nicomachus> I've never had a problem with adb before this stupid script. wondering if it's worth the effort... but the white background on the notification pane in Android 8 hurts my eyes.
[20:36] <nicomachus> nacc: i made a stupid
[21:16] <nacc> nicomachus: :)
[22:28] <Ben64> nicomachus: supposedly with oreo we can theme the system
[22:43] <nicomachus> Ben64: I think with Samsung devices you can easily. With mine, I had to install an app called Substratum and another called Andromeda, then run the companion Andromeda script over ADB from my laptop, and then I can pick a theme (installed separately from the play store)
[22:44] <nicomachus> Ben64: if ONLY there was an easier way. this is without root, too.
[22:44] <nicomachus> And I have to re-run the script and re-enable the theme if I reboot the phone.
[22:45] <nicomachus> but, hey, it looks pretty sexy right now so I got that going for me.
[22:54] <Ben64> i haven't tried it yet
[22:55] <Ben64> but yeah, the white background and stuff is annoying
=== Scytale89 is now known as Scytale
=== Scytale is now known as Scyt4l3
=== Scyt4l3 is now known as Scytale89
=== Scytale89 is now known as Scytale
=== Scytale89 is now known as Scytale
=== Scytale is now known as Scyt4l3
=== Scyt4l3 is now known as Scytale89