Am 08. Jan, 2018 schwätzte [email protected] so:
moin moin,
Raspberry Pi is not vulnerable to Meltdown or either Spectre, so use it if
you can :).
For desktops, disable as much JavaScript as you can in addition to the
Chromium setting you mentioned.
uMatrix does a pretty good job of disabling 3rd party JavaScript for web
sites. At this point I recommend removing the "* 1st-party * allow" option
under "My Rules".
I also removed "* 1st-party frame allow".
See the bottom of the pdf of the slides for a table of what each affects.
https://plus.google.com/+StevenVaughanNichols/posts/GpzMQHz5tUP
The next post requires JavaScript. You should make sure pcid is available
on base OS and also on guest OS if you're using VMs. His testing found
it's on for VMware.
Subsequent reading elsewhere shows that AWS paravirtualized probably
doesn't have it, but hardware virtualized does.
A QEMU post says that KVM doesn't yet support pcid.
grep pcid /proc/cpuinfo
https://groups.google.com/forum/m/#!topic/mechanical-sympathy/L9mHTbeQLNU
ciao,
der.hans
Hi,
I'm looking for more info or ideas on how one might protect them self
given Meltdown and Spectre.
Now that it has come to light that computer memory is not completely
segregated or kept private by the CPU hardware... a failure in design
allowing a hacker access to even the CPU Kernel memory. This is
catastrophic.
I'm reading the initial solution is for the O/S manufactures to patch
their Kernel to secure the memory at its boundaries. In and of itself
this seems to be a weak approach, however probably the only one at this
point.
I am reading that the real solution is a new bread of CPU that does not
have this vulnerability. It would seem even modifying the existing CPUs
and manufacturing them would take months if not a year or so. In the
meantime we have to survive with hardware patched with software.
I read that desktops are the most vulnerable. Maybe that should be any
devise that runs a browser. The browser is the point of failure.
Introduce some rogue JavaScript and your memory is compromised.
This article says [1] one should enable site isolation using Chrome.
At this point my preventative steps are:
1) flush all browsers of any usernames, passwords and history.
2) Only run the latest version of Chrome and only Chrome.
3) Configure Chrome to run in isolation mode.
Anyone have any other thoughts?
Thank you in advance.
Keith
Links:
------
[1]
http://www.linuxandubuntu.com/home/how-hackers-can-read-your-websites-passwords-using-meltdown-and-spectre-with-solution
--
# https://www.LuftHans.com https://www.PhxLinux.org
# If it's not a toy you're looking at it wrong. -- der.hans
---------------------------------------------------
PLUG-discuss mailing list - [email protected]
To subscribe, unsubscribe, or to change your mail settings:
http://lists.phxlinux.org/mailman/listinfo/plug-discuss
