|
vmware's patches are out: https://www.vmware.com/security/advisories/VMSA-2018-0002.html
|
#
?
Jan 4, 2018 01:25
|
|
|
|
| # ? May 13, 2024 23:16 |
|
|
Number19 posted:vmware's patches are out: https://www.vmware.com/security/advisories/VMSA-2018-0002.html
|
|
#
?
Jan 4, 2018 01:28
|
|
|
anthonypants posted:well they're rated as Important and not Critical so i guess we don't have to apply them maybe it’s harder to exploit on VMware for some reason. it seems weird to not have them marked critical
|
|
#
?
Jan 4, 2018 01:33
|
|
|
Number19 posted:maybe it’s harder to exploit on VMware for some reason. it seems weird to not have them marked critical Do they reserve critical for host OS execution as opposed to info leak?
|
|
#
?
Jan 4, 2018 01:36
|
|
|
You Am I posted:Sorry, was a bit vague about my post, as I'm a newbie to this stuff. I have been in the IT industry for 15+ years and one thing that still shocks me is the lax IT security that most places have, including my current employer. what does “network security” look like to you? because for me as the senior network engineer on the security task force at work, the biggest issue is the performance hit the mitigation of this intel bug will cause. the security risks of this particular bug are way outside our threat model. we don’t run other people’s untrusted code for our business, but we do crunch a lot of data.
|
|
#
?
Jan 4, 2018 01:39
|
|
|
anthonypants posted:well they're rated as Important and not Critical so i guess we don't have to apply them lmao I’m loving triggered
|
|
#
?
Jan 4, 2018 01:44
|
|
|
You Am I posted:Sorry, was a bit vague about my post, as I'm a newbie to this stuff. I have been in the IT industry for 15+ years and one thing that still shocks me is the lax IT security that most places have, including my current employer. Unfortunately you picked a bad time to ask career questions as you've probably noticed this meltdown and spectre stuff is causing a big uproar in basically all of the IT threads. On the plus side, welcome to IT Security! Where the rules are made up and the best practices don't matter since some gigantic fuckup will come along and ruin everything. And really, this is the sec fuckup thread, you might be better off asking in the general IT thread (https://forums.somethingawful.com/showthread.php?threadid=3653857) or the infosec thread (https://forums.somethingawful.com/showthread.php?threadid=3750534). All that said, since you say you're leaning towards network security, does that mean you have a background in networking already?
|
|
#
?
Jan 4, 2018 01:47
|
|
|
the spectre attack which probably does work on amd chips is different from the meltdown attack that amd proudly declared themselves immune to.
|
|
#
?
Jan 4, 2018 01:48
|
|
|
spectre.pdf posted:As a proof-of-concept, JavaScript code was written that, when run in the Google Chrome browser, allows JavaScript to read private memory from the process in which it runs that's cool because having >90% of personal devices rowhammerable wasn't enough physical computers are such a drag turn of turbo key until further notice
|
|
#
?
Jan 4, 2018 02:09
|
|
|
Time to go back to using PowerPC Macs. 🙃 they're probably affected but whatever
|
|
#
?
Jan 4, 2018 02:12
|
|
|
Lain Iwakura posted:Time to go back to using PowerPC Macs. 🙃 I look forward to my DEC Alpha becoming a hot commodity again.
|
|
#
?
Jan 4, 2018 02:31
|
|
|
btw, -- chrome://flags/#enable-site-per-process -- is the button you want to push to protect your chrome from javascript attacks until chrome 64 lands. I can't find any information on mitigation in firefox so, uh, just assume your passwords are all gone now.
|
|
#
?
Jan 4, 2018 02:42
|
|
|
its so hot in here
|
|
#
?
Jan 4, 2018 03:03
|
|
|
Plorkyeran posted:the spectre attack which probably does work on amd chips is different from the meltdown attack that amd proudly declared themselves immune to. http://www.amd.com/en/corporate/speculative-execution code:
|
|
#
?
Jan 4, 2018 03:03
|
|
|
mrmcd posted:btw, -- chrome://flags/#enable-site-per-process -- is the button you want to push to protect your chrome from javascript attacks until chrome 64 lands. im sorry what
|
|
#
?
Jan 4, 2018 03:33
|
|
|
mrmcd posted:I can't find any information on mitigation in firefox so, uh, just assume your passwords are all gone now. mozilla is pushing out some really hacky workarounds until they can figure out a proper solution https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/
|
|
#
?
Jan 4, 2018 03:35
|
|
|
Linus Torvalds posted:Date Wed, 3 Jan 2018 15:51:35 -0800 incidentally i have no idea what http://www.firstfloor.org/ do but their site is cool
|
|
#
?
Jan 4, 2018 03:43
|
|
|
i’m learning a lot of new things today
|
|
#
?
Jan 4, 2018 03:44
|
|
|
I only have one question at this point when will templeos get patched?
|
|
#
?
Jan 4, 2018 03:45
|
|
|
A Pinball Wizard posted:I only have one question at this point this is a feature with templeos: there's no need for virtual memory because God said everything should be free (to rwx)
|
|
#
?
Jan 4, 2018 03:52
|
|
|
A Pinball Wizard posted:I only have one question at this point It contains the ultimate xen secret - you do not need security for something which possess no data.
|
|
#
?
Jan 4, 2018 03:55
|
|
|
Terry is in prison at the moment so it'll be a while, assuming templeOS even needs patched
|
|
#
?
Jan 4, 2018 03:55
|
|
|
https://twitter.com/misc0110/status/948706387491786752
|
|
#
?
Jan 4, 2018 03:57
|
|
|
mrmcd posted:btw, -- chrome://flags/#enable-site-per-process -- is the button you want to push to protect your chrome from javascript attacks until chrome 64 lands. the gently caress is this about?
|
|
#
?
Jan 4, 2018 04:02
|
|
|
AggressivelyStupid posted:Terry is in prison at the moment so it'll be a while, assuming templeOS even needs patched It's ring 0 only. I don't think this affects it one way or the other.
|
|
#
?
Jan 4, 2018 04:04
|
|
|
https://twitter.com/misc0110/status/948706387491786752
|
|
#
?
Jan 4, 2018 04:04
|
|
|
This is the single biggest case of "fix worse than the disease" I can remember for everyone who isn't a hosting platform/shared system.
|
|
#
?
Jan 4, 2018 04:17
|
|
|
James Baud posted:This is the single biggest case of "fix worse than the disease" I can remember for everyone who isn't a hosting platform.
|
|
#
?
Jan 4, 2018 04:18
|
|
|
James Baud posted:This is the single biggest case of "fix worse than the disease" I can remember for everyone who isn't a hosting platform/shared system. This is the single biggest misunderstanding of worst case performance impact I can remember.
|
|
#
?
Jan 4, 2018 04:18
|
|
|
If you're executing arbitrary code to exploit the side channel, you're already 99% of the way to everything that matters in most of the world.
|
|
#
?
Jan 4, 2018 04:22
|
|
|
James Baud posted:If you're executing arbitrary code to exploit the side channel, you're already 99% of the way to everything that matters in most of the world. You don't understand a single loving thing about the situation.
|
|
#
?
Jan 4, 2018 04:28
|
|
|
James Baud posted:If you're executing arbitrary code to exploit the side channel, you're already 99% of the way to everything that matters in most of the world. most of the world disables javascript?
|
|
#
?
Jan 4, 2018 04:29
|
|
|
akadajet posted:the gently caress is this about? Spectre leaks memory contents in user space for the same process, meaning it's theoretically possible for javascript to read data from other pages or parts of the browser. The experimental chrome flag should mitigate most of the risk until chrome 64 which is due on Jan 23, which supposedly has additional hardening, at the cost of ~10-20% more ram usage!  see: https://www.chromium.org/Home/chromium-security/ssca https://support.google.com/chrome/a/answer/7581529
|
|
#
?
Jan 4, 2018 04:53
|
|
|
Jabor posted:most of the world disables javascript? they ought to
|
|
#
?
Jan 4, 2018 04:54
|
|
|
Also when the first "javascript from a dodgy porn site steals all your butts from buttcoinloverexchange.com in another tab" lands I'm gonna laugh really, really hard.
|
|
#
?
Jan 4, 2018 04:58
|
|
|
5
|
|
#
?
Jan 4, 2018 05:02
|
|
|
repiv posted:mozilla is pushing out some really hacky workarounds until they can figure out a proper solution i like how they link to workarounds for their mitigation attempts in the very same blog post that introduces them
|
|
#
?
Jan 4, 2018 05:04
|
|
|
microsoft has patch kb4056892 out tonight for windows 10, which might the fix for this bug, or it might not. who knows
|
|
#
?
Jan 4, 2018 05:19
|
|
|
anthonypants posted:microsoft has patch kb4056892 out tonight for windows 10, which might the fix for this bug, or it might not. who knows 
|
|
#
?
Jan 4, 2018 05:22
|
|
|
|
| # ? May 13, 2024 23:16 |
|
|
anthonypants posted:microsoft has patch kb4056892 out tonight for windows 10, which might the fix for this bug, or it might not. who knows quote:Addresses issue where event logs stop receiving events when a maximum file size policy is applied to the channel. way to bury the lede
|
|
#
?
Jan 4, 2018 05:23
|
|
