[00:00] <TJ-> Lots of very large organisations using 'cloud' for critical stuff, storing confidential data alongside (e.g. AWS S3), are going to need to re-evaluate and possibly switch to more expensive, dedicated, hardware
[00:01] <JanC> they probably should, but I doubt most will, unless there is a huge push against the cloud in mass media...  :)
[00:04] <TJ-> Some are legally obliged to; their service providers can no longer guarantee security for shared tennants
[00:04] <JanC> nobody can guarantee security
[00:07] <TJ-> indeed, but for example, some AWS contracts specify compliance with legal requirements on data confidentiality (e.g. healthcare records in USA) e.g. https://aws.amazon.com/health/providers-and-insurers/  where one of the selling points is "Improve your Security and Compliance Posture"
[00:09] <JanC> well, they are still selling it, right?  ;)
[00:35] <JanC> so Red Hat mentions POWER architecture is impacted too
[00:37] <JanC> and there is a possible solution or mitigation against Spectre which involves patches to both the kernel and to GCC
[00:38] <JanC> Linus: https://lkml.org/lkml/2018/1/3/797  :P
[00:40] <TJ-> yes, seen that, but have you read the thread? Andi's patches (from Dave Hansen @ Intel) - there's a 'retpoline' sequence that disables speculation, and it looks like part of it requires a build-time compiler operation or insertion of a custom blob
[00:41] <nacc> there is ongoing discussion on that
[00:41] <nacc> but yeah, it's compiler-assisted
[00:42] <nacc> or needs perl in the kernel :-P
[00:42] <JanC> like I said: it needs patches in both the kernel & the compiler
[00:42] <TJ-> it looks like the best approach, if there are more workarounds in the pipeline
[00:43] <JanC> and maybe requires re-building all applications with the new compiler really, as Spectre is mostly & per-process thing?
[00:43] <TJ-> "-mindirect-branch=thunk-extern"
[00:44] <JanC> or would the kernel part protect applications too?
[00:54] <nacc> JanC: it probably could, at some cost (iiuc)
[00:55] <JanC> the more I read about Spectre, the more this sounds like something I read about months or a year ago...
[00:55] <JanC> probably someone speculating
[00:56] <nacc> yeah it's been discussed for a while, i think
[00:56] <nacc> theoretically discussed
[01:00] <TJ-> there was a paper at US blackhat 2016 about these micro-arch attacks
[01:01] <TJ-> we now also have this to give out: https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown
[01:03] <JanC> ah, might have been from that, or a related/derived article/talk/paper
[01:04] <TJ-> one of the BH paper authors is one of the authors of the KAISER paper/code
[01:07] <dax> !kpti
[01:12] <TJ-> good job we can all fall-back on our RasPi clusters :)
[01:17] <daftykins> Pis still don't have proper ubuntu images, do they? someone was looking it up the other day, seems to be a poor scenario
[01:20] <TJ-> http://cdimage.ubuntu.com/ubuntu-server/xenial/daily-preinstalled/current/
[01:21] <daftykins> last i saw i thought they couldn't install other kernels though
[02:41] <dax> Ben64: gotta love when ops calls fix the problem all by themselves
[02:41] <Ben64> indeed
[02:42] <daftykins> huh, an op did something?
[02:42] <daftykins> :O
[02:42] <Ben64> i'll never understand why a) people don't use the right channels and b) why they have to rebel against 'the man' and their 'rules'
[02:43] <Ben64> anyway, time to preheat the oven for my tater tots
[02:44] <daftykins> ooh yes please
[02:44] <Ben64> come on over
[02:45] <Ben64> making sloppy joes and tater tots
[02:45] <Ben64> because i'm an adult and i can
[02:45] <daftykins> :D
[02:46] <Ben64> also i looked at how much i spent eating out in december and holy crap
[06:22] <lotuspsychje> good morning to all
[07:01] <lordievader> Good morning
[07:16] <lotuspsychje> hey lordievader
[07:16] <lordievader> Morning lotuspsychje
[07:19] <ducasse> morning all
[07:19] <ducasse> hi lordievader, lotuspsychje
[07:19] <lotuspsychje> hey ducasse
[07:20] <lotuspsychje> best of wishes in 2018 guys!
[07:20] <lotuspsychje> on topic this new cve:
[07:20] <lotuspsychje> !kpti
[07:20] <lordievader> How are you doing?
[07:21] <lordievader> Hey ducasse
[07:21] <lotuspsychje> great here, enjoyed holidays
[07:22] <lotuspsychje> tnx 4 the adjust dax
[07:34] <EriC^^> morning all
[07:35] <lotuspsychje> hey EriC^^
[07:37] <alkisg> Good morning everyone
[07:37] <lotuspsychje> hey alkisg
[07:38] <ducasse> hi alkisg, EriC^^
[07:42] <EriC^^> hi ducasse
[07:42] <EriC^^> hey lotuspsychje
[07:42] <lotuspsychje> 1300+ users yesterday
[07:42] <EriC^^> yuppers
[07:42] <lotuspsychje> today 1400?
[07:42] <lotuspsychje> :p
[07:43] <EriC^^> hi alkisg
[10:24] <EriC^^> lotuspsychje: no work today
[10:24] <EriC^^> ?
[10:24] <lotus|bionic> EriC^^: 8january start
[10:24] <EriC^^> cool
[10:24] <lotus|bionic> yeah =p
[10:25] <lotuspsychje> lucky you
[10:26] <lotus|bionic> lol
[10:26] <lotus|bionic> stay off the pc you
[10:26]  * lotus|bionic spanks lotuspsychje 
[10:26] <EriC^^> :D
[10:30] <lotuspsychje> lol okay doei
[10:31] <lotus|bionic> grr
[11:29] <BluesKaj> Howdy folks
[11:35] <alkisg> Hello BluesKaj
[11:39] <BluesKaj> Hi alkisg
[13:13] <EriC^^> good afternoon all
[13:15] <BluesKaj> Hey EriC^^
[13:15] <EriC^^> hey BluesKaj :)
[13:19] <lotuspsychje> hi BluesKaj
[13:20] <BluesKaj> 'Morning pauljw
[13:20] <lotuspsychje> hi TJ- pauljw
[13:21] <pauljw> morning everyone
[13:27] <lotuspsychje> http://news.softpedia.com/news/red-hat-says-security-updates-for-meltdown-spectre-bugs-may-affect-performance-519214.shtml
[13:35] <pauljw> anyone heard when we're supposed to get these patches?
[13:36] <lotuspsychje> pauljw: still waiting
[13:36] <pauljw> ok
[13:37] <lotuspsychje> pauljw: they should show on !usn when ready
[13:38] <BluesKaj> taking away rthe NSA etc 's back door :-)
[13:38] <pauljw> thanks, no biggie as i do updates every morning
[13:38] <pauljw> that would be great, BluesKaj
[13:38] <lotuspsychje> BluesKaj: lol
[13:39] <BluesKaj> that was mentioned by one of the so called experts over at the ##linux chat
[13:39] <pauljw> heheh...
[13:41] <BluesKaj> there's quite a few of them over there...an endless source of entertainment :-)
[13:43] <lotuspsychje> https://fedoramagazine.org/protect-fedora-system-meltdown/
[13:49] <lotuspsychje> https://askubuntu.com/questions/992137/how-to-check-that-kpti-is-enabled-on-my-ubuntu/992186#992186
[13:54] <pauljw> the fallout of this should prove interesting.
[13:54] <pauljw> from this
[13:56] <daftykins> hey all \o
[13:56] <EriC^^> heya daftykins o/
[13:56] <pauljw> o/
[13:56] <daftykins> well, it's not gonna be fixed even after patches
[13:56] <EriC^^> happy (belated) new year
[13:56] <daftykins> and to you :D
[13:56] <EriC^^> :D
[13:56] <lotuspsychje> hey daftykins
[13:57] <daftykins> there'll be plenty more Intel ME issues to come this year, too :)
[13:57] <pauljw> no, it's just a work around
[13:57] <lotuspsychje> i also think mass exploits gonna come
[13:57] <BluesKaj> hey daftykins
[13:58] <BluesKaj> lotuspsychje
[14:00] <lotuspsychje> the underground always faster then the patches
[14:00] <pauljw> yep
[14:03] <daftykins> and everyone faster than Equifax ;D
[14:08] <BluesKaj> we got phony phone calls from scammers posing as Equifax fact checkers about our CCs and bank accts...I told them to send me their requests for info in the mail ...they hemmed and hawed fro a few swcs and said they would, but that was 2 months ago and we haven't received anything from them
[14:11] <daftykins> hehe
[14:11] <daftykins> a client had their secretary forward me a legit looking email offering the fraid protection services and so on
[14:11] <daftykins> i asked how that really related to the work i do...
[14:12] <BluesKaj> heh
[14:13] <daftykins> *fraud oops
[14:15] <BluesKaj> the reason i knew they were phishing is they couldn't  tell me the last 4 digits of my VISA card...wife just reminded me
[14:16] <daftykins> ah har
[14:21] <BluesKaj> always ask for correspondence by regular mail, simple but usually effective advice from my bank.
[14:23] <daftykins> yip, that's true
[14:23] <daftykins> right i'm heading off, laters all \o
[14:23] <pauljw> :)
[14:27] <TJ-> BluesKaj: but it's much more fun to give them incorrect information :p
[14:31] <BluesKaj> TJ-, true, but the sooner I can get rid of them, the better...besides wife hates it when i stay on the phone and make fun of them. She's more paranoid than I am :-)
[14:32] <lotuspsychje> lol
[14:32] <BluesKaj> I like blaming my wife :-)
[14:33] <TJ-> I once had a very entertaining call where I turned tables on them, because, as I said "It's only fair if you want to know my bank account info that I also know yours!
[14:33] <lotuspsychje> lol
[14:37] <lotuspsychje> new usn, but for 12.04 https://usn.ubuntu.com/usn/usn-3430-3/
[14:37] <TJ-> Can I interest you in my new CPU architecture? I call it speculated-abacus because I sprinkled glitter on the beads :)
[14:38] <pauljw> lol
[14:38] <TJ-> I wish those security notices would drop the phrase " If a user were tricked into viewing a malicious website, " - the user doesn't need to be tricked, any web-site is potentially malicious, regardless of who operates it
[14:39] <TJ-> I'm referring to the USN-3514-1 WebKitGTK+ batch
[14:40] <lotuspsychje> indeed
[14:40] <lotuspsychje> when is one really safe on the net?
[14:41] <lotuspsychje> the best hacker is the invisible one, without a name, without a connection
[14:42] <TJ-> You mean Intel? :D
[14:42] <lotuspsychje> loll
[14:42] <lotuspsychje> 1nt3L
[14:43] <lotuspsychje> pikapika: was reading this, this morning: https://fedoramagazine.org/protect-fedora-system-meltdown/
[14:43] <TJ-> Well, they've always been brazen about it with their "Intel Inside" trademark and campaign, just people didn't realise just how 'inside' Intel were
[14:45] <pikapika> So um just to make it clear...in eli5 terms, fix isnt yet available for Ubuntu?
[14:46] <lotuspsychje> pikapika: still in progress
[14:46] <TJ-> It's being worked on, intensely! but the mainline patch-set isn't complete yet so there is no final 'fix' available. There may be more patches to fix discovered regressions yet
[14:46] <pikapika> Ok, thanks. Any expected time for release?
[14:46] <TJ-> pikapika: as soon as possible
[14:46] <lotuspsychje> https://www.phoronix.com/scan.php?page=article&item=linux-kpti-kvm&num=1
[14:47] <TJ-> pikapika: this was supposed to be under wraps until the 9th, to give time for OS vendors to get the updates published, so there's a week or work to be done instantly
[14:47] <pikapika> Ok
[14:48] <pikapika> I hope its released soon, as I am sorta a refugee from Windows 10 and wouldnt like going back
[14:50] <TJ-> It depends on what you use the PC for, as to how urgent patching is. Enterprise services on shared hardware processing sensitive data are the most at-risk. Desktop users at least risk (especially once the browser updates are installed)
[14:51] <pikapika> Oh
[14:51] <pikapika> Yeah this too.
[14:51] <pikapika> I'll have to check Firefox updates too
[14:51] <TJ-> Mozilla are publishing updates which will be available quite soon
[14:52] <pikapika> Yeah its an everyday use desktop, but still since the method is now so well known, things are um scary lol
[14:52] <lotuspsychje> i dont get the hassle about 1 active security hole...there are soo many around for many Os and we keep saying: keep your system up to date..
[14:53] <TJ-> The hassle is because this class of exploits effectively takes away all the security guarantees we've assumed were there for the last 15 years
[14:53] <lotuspsychje> yeah understand that part
[14:54] <TJ-> There will be more exploits using these general techniques; the researches developed 4 exploits for 'Spectre' but there will be many more
[14:55] <TJ-> And for Intel CPUs 'Meltdown' is 'game over' - hence the performance-impacting workaround KAISER  a.k.a Kernel Page Table Isolation (KPTI) patches
[14:55] <lotuspsychje> indeed
[14:56] <lotuspsychje> there will be always guys testing/finding security holes
[14:56] <lotuspsychje> with a lot of time
[14:57] <TJ-> yes, this class of vulnerabilities has been well known since mid 2016, it was just a matter of time until effective exploits were developed
[14:57] <lotuspsychje> we can learn so much of underground techniques
[14:58] <lotuspsychje> and once its get official its way too late
[14:58] <lotuspsychje> all got exploited already
[15:01] <lotuspsychje> especially fast servers are big targets every time
[15:13] <lotuspsychje> bbl
[18:05] <dax> https://devtalk.nvidia.com/default/topic/1028222/linux/lts-kernel-patch-for-intel-cpu-vulnerability-breaks-nvidia-driver/post/5230546/#5230546
[18:05] <dax> EXPORT_SYMBOL_GPL + nvidia strikes again!
[18:07] <TJ-> yes, I was looking at that earlier and grinning to myself since I reported a similar one for 4.14 when the AMD SME code was added, where Linux eventually over-rode the sub-system maintainer and changed to EXPORT_SYMBOL. I expect upstream will do likewise for this
[18:08] <TJ-> s/Linux/Linus/ grrr, what is with my fingers today? Have they caught the speculative execution bug!?
[19:17] <nicomachus> TJ-: maybe they're cold, like mine
[20:27] <nicomachus> nacc: taking the problem over to #android now, but thanks for the help. adb is complaining about "insufficient permissions for device: verify udev rules." now
[20:28] <nacc> nicomachus: fun :)
[20:28] <nicomachus> I've never had a problem with adb before this stupid script. wondering if it's worth the effort... but the white background on the notification pane in Android 8 hurts my eyes.
[20:36] <nicomachus> nacc: i made a stupid
[21:16] <nacc> nicomachus: :)
[22:28] <Ben64> nicomachus: supposedly with oreo we can theme the system
[22:43] <nicomachus> Ben64: I think with Samsung devices you can easily. With mine, I had to install an app called substratrum and another called Andromeda, then run the companion Andromeda script over ADB from my laptop, and then I can pick a theme (installed separately from the play store)
[22:44] <nicomachus> Ben64: if ONLY there was an easier way. this is without root, too.
[22:44] <nicomachus> And I have to re-run the script and re-enable the theme if I reboot the phone.
[22:45] <nicomachus> but, hey, it looks pretty sexy right now so I got that going for me.
[22:54] <Ben64> i haven't tried it yet
[22:55] <Ben64> but yeah,the white background and stuff is annoying