Minimum Holdtime for BGP OpenBGPd in Production

[Tom Smyth]

Hello all,
I was wondering what is the lowest values of BGP holdtime that you
recommend running in production ?

I would like to set them to a lower value to detect an issue with
peers that dont support BFD  quicker,
but I dont want to set it to a value that would overly tax the system resources,

If you are running approx 60 Peers on one and 30 Peers on another router,

Im also running Arista 7050 Switches with BGP sessions  to the OpenBGPd Routers.

I would really apprecate any one elses real world experience on this
matter before I go lowering the default values in our production
enviornment

Thanks

Tom Smyth

Re: Running your own mail server

[Mik J]

Chris,

In my opinion it needs a lot of reading and testing to make the puzzle in one 
go.

But for path A -> B -> C -> D -> E -> F -> G -> H -> I, you might also want to 
do A -> B first and test it.
That means send an email between two users locally.
This way you'll understand better the role of each component as you go on every 
simple step

I used a couple of blogs, mailling lists and man to build it
http://technoquarter.blogspot.com/
https://frozen-geek.net/openbsd-email-server-1/





 

Le lundi 17 septembre 2018 à 22:20:24 UTC+2, Chris Bennett 
 a écrit :  
 
 On Mon, Sep 17, 2018 at 06:33:52PM +, Mik J wrote:
> 
> Really it will take time, here are the components I installed for this to 
> work: opensmtp, dkimproxy, clamav, clamsmtp, nginx, roundcube, prosody, 
> dovecot, let's encrypt, bind
> 
> I'm using imapsync for the migration and plan to use openldap and bogofilter.

Here is where my problem is. OpenSMTPD and Dovecot, yes.
Then, everywhere I look, I see an endless combination of different spam
solutions. Every guide I've seen online tends to be a little out of
date, as the knobs have all changed. And I have yet to find an
explanation as to why they selected a particular combination.

It seems that I should move to IMAP, but then I have to ask myself if
that is even justified. I don't really know.

I don't mind throwing in PostgreSQL, but where are some good
table/column examples?

Every guide just jumps straight to you need to install:
A -> B -> C -> D -> E -> F -> G -> H -> I
Whoa. I'm on severe overload here.
It's kept me from even installing Dovecot yet since I don't even know
crap about B -> C -> D -> E

I don't mind putting in the work. But can anyone recommend a slower
solution? Say skip C -> D -> E for now, but add them in bit by bit which
gives me time to actually study them? I really don't like cut and paste.

I really want to get rid of as much spam as I can, but I'm patient.
Also, other than the mailing lists, almost everything is starting to be
HTML emails.


> 
> Yes, this hostmaster work is more important for deliverability than the
> *optional* TLS & DKIM stuff, which I still don't bother at all with...
> 
> Along with correct DNS PTR records (and matching SMTP HELO hostname),
> basic SPF & DMARC DNS records are almost essential to send.
> 
> With almost all inbound connections being spam, fighting that is the
> main task of the postmaster. Aggressive spamd settings are needed here.
> 
> After that, the MTA needs to be able to check the DNS validity of the
> sender's SMTP HELO hostname, and check their DNS PTR record is valid,
> and both the mail's envelope and address from domains have MX records.
> 
> Most spam is sent by infected consumer devices, which do not have valid
> reverse DNS, nor a valid HELO hostname. After greylisting, bad DNS is
> the biggest indicator of spam. An MTA needs a lot of DNS knobs to tweak.
> 
> Following that, the sender's IP address needs to be checked against
> multiple reliable DNS black and lists, and a cumulative score being
> totalled up to decide to reject or pass on to the next stage of tests.
> 
> TLS & DKIM have very little value. The postmaster instead needs to work
> closely with the hostmaster and concentrate on good DNS practice/tests.

Then there is this part. Umm, I'd like to get this all correct.
Despite reading up on this that I've done, without seeing any correct
examples, I feel a little like my DMARC is being put up my DKIM, to be a
little graphic. I would like nothing more than an example of the whole
ball of wax that I can use to cut and paste with my info substituted.
This has got to be a lot simpler than what I've seen as far as
explanations, which has left me very frustrated. Worse, I got stuck for
months without a laptop/desktop to work from. 
Yeah, I know I said cut and paste here. Shrug.

This email thing is kinda important. I feel like a little kid trying to
make pancakes with a fork instead of a spatula in a pressure cooker.

Right now is a good time for me to learn all this. I don't get or send
much email. But I'm planning on trying to make a real living wage
online. If that works, I better have this all figured out by then.
Turns out that right hip problems are genetic from my father's side of
the family. All I can say is Ouch! I need to figure this out.

Hey, thanks for any help and a special thanks for those clever OpenSMTPD
people. Wow, sendmail was a real bitch!

Chris Bennett


  

Re: Running your own mail server

[Chris Bennett]

On Mon, Sep 17, 2018 at 06:33:52PM +, Mik J wrote:
> 
> Really it will take time, here are the components I installed for this to 
> work: opensmtp, dkimproxy, clamav, clamsmtp, nginx, roundcube, prosody, 
> dovecot, let's encrypt, bind
> 
> I'm using imapsync for the migration and plan to use openldap and bogofilter.

Here is where my problem is. OpenSMTPD and Dovecot, yes.
Then, everywhere I look, I see an endless combination of different spam
solutions. Every guide I've seen online tends to be a little out of
date, as the knobs have all changed. And I have yet to find an
explanation as to why they selected a particular combination.

It seems that I should move to IMAP, but then I have to ask myself if
that is even justified. I don't really know.

I don't mind throwing in PostgreSQL, but where are some good
table/column examples?

Every guide just jumps straight to you need to install:
A -> B -> C -> D -> E -> F -> G -> H -> I
Whoa. I'm on severe overload here.
It's kept me from even installing Dovecot yet since I don't even know
crap about B -> C -> D -> E

I don't mind putting in the work. But can anyone recommend a slower
solution? Say skip C -> D -> E for now, but add them in bit by bit which
gives me time to actually study them? I really don't like cut and paste.

I really want to get rid of as much spam as I can, but I'm patient.
Also, other than the mailing lists, almost everything is starting to be
HTML emails.


> 
> Yes, this hostmaster work is more important for deliverability than the
> *optional* TLS & DKIM stuff, which I still don't bother at all with...
> 
> Along with correct DNS PTR records (and matching SMTP HELO hostname),
> basic SPF & DMARC DNS records are almost essential to send.
> 
> With almost all inbound connections being spam, fighting that is the
> main task of the postmaster. Aggressive spamd settings are needed here.
> 
> After that, the MTA needs to be able to check the DNS validity of the
> sender's SMTP HELO hostname, and check their DNS PTR record is valid,
> and both the mail's envelope and address from domains have MX records.
> 
> Most spam is sent by infected consumer devices, which do not have valid
> reverse DNS, nor a valid HELO hostname. After greylisting, bad DNS is
> the biggest indicator of spam. An MTA needs a lot of DNS knobs to tweak.
> 
> Following that, the sender's IP address needs to be checked against
> multiple reliable DNS black and lists, and a cumulative score being
> totalled up to decide to reject or pass on to the next stage of tests.
> 
> TLS & DKIM have very little value. The postmaster instead needs to work
> closely with the hostmaster and concentrate on good DNS practice/tests.

Then there is this part. Umm, I'd like to get this all correct.
Despite reading up on this that I've done, without seeing any correct
examples, I feel a little like my DMARC is being put up my DKIM, to be a
little graphic. I would like nothing more than an example of the whole
ball of wax that I can use to cut and paste with my info substituted.
This has got to be a lot simpler than what I've seen as far as
explanations, which has left me very frustrated. Worse, I got stuck for
months without a laptop/desktop to work from. 
Yeah, I know I said cut and paste here. Shrug.

This email thing is kinda important. I feel like a little kid trying to
make pancakes with a fork instead of a spatula in a pressure cooker.

Right now is a good time for me to learn all this. I don't get or send
much email. But I'm planning on trying to make a real living wage
online. If that works, I better have this all figured out by then.
Turns out that right hip problems are genetic from my father's side of
the family. All I can say is Ouch! I need to figure this out.

Hey, thanks for any help and a special thanks for those clever OpenSMTPD
people. Wow, sendmail was a real bitch!

Chris Bennett

Re: Running your own mail server

[Mik J]

 Hello,

I started to use my own mail server two years ago, but a few years ago I tried 
it unsuccessfully.
So yes it will take you some time to set it up with all options.

Now for your needs I would advice you openbsd+opensmtpd, you don't especially 
need performance just a one box solution.

The only drawback I see is that roundcube is less sexy and less good than gmail.
I also had a hard time to install the calendaring/invite functionality on my 
mail server. And also added prosody as an xmpp server (chat).
Maybe your children will like less the look of roundcube.

Really it will take time, here are the components I installed for this to work: 
opensmtp, dkimproxy, clamav, clamsmtp, nginx, roundcube, prosody, dovecot, 
let's encrypt, bind

I'm using imapsync for the migration and plan to use openldap and bogofilter.

You'll need to set it up just for yourself first and make your family to use it 
when you're sure it will really work otherwise your family won't want to use it.



Le vendredi 14 septembre 2018 à 13:41:44 UTC+2, Craig Skinner 
 a écrit :  
 
 On Thu, 13 Sep 2018 09:24:18 +0200 Peter N. M. Hansteen wrote:
> The part about getting a static IP address with correct reverse
> lookup is truly essential. 

Yes, this hostmaster work is more important for deliverability than the
*optional* TLS & DKIM stuff, which I still don't bother at all with...

Along with correct DNS PTR records (and matching SMTP HELO hostname),
basic SPF & DMARC DNS records are almost essential to send.

With almost all inbound connections being spam, fighting that is the
main task of the postmaster. Aggressive spamd settings are needed here.

After that, the MTA needs to be able to check the DNS validity of the
sender's SMTP HELO hostname, and check their DNS PTR record is valid,
and both the mail's envelope and address from domains have MX records.

Most spam is sent by infected consumer devices, which do not have valid
reverse DNS, nor a valid HELO hostname. After greylisting, bad DNS is
the biggest indicator of spam. An MTA needs a lot of DNS knobs to tweak.

Following that, the sender's IP address needs to be checked against
multiple reliable DNS black and lists, and a cumulative score being
totalled up to decide to reject or pass on to the next stage of tests.

TLS & DKIM have very little value. The postmaster instead needs to work
closely with the hostmaster and concentrate on good DNS practice/tests.

Cheers,
-- 
Craig Skinner | http://linkd.in/yGqkv7

  

Re: chrome 68 and protonmail

[Daniel Bolgheroni]

On Fri, Sep 14, 2018 at 05:39:21AM +, vincent delft wrote:
> Hello,
> 
> With the last version of Chrome (Chromium 68.0.3440.106) on -current, I can
> no more login in protonmail.
> 
> In fact after the 2nd login screen chrome complains about an issue.

In chromium or iridium, on address bar, go to chrome://flags and
set the option:

  Experimental Validate Asm.js and convert to WebAssembly when valid.

to Disabled.

In Firefox, on address bar, go to about:config and set the option:

  javascript.options.asmjs

to false. 

Hope this helps.

Cheers,

-- 
db

Re: panic booting with bsd.rd from the September 15 2018 snapshot

[jungle Boogie]

See this post:
https://marc.info/?l=openbsd-tech=153713589005530=2

Doesn't hurt to search before posting.

Re: Pkg_add

[Johan Mellberg]

Den sön 16 sep. 2018 kl 09:40 skrev Solène Rapenne :
>
> Le 2018-09-16 03:33, Michael Ayres a écrit :
> > Thanks to everyone who has replied in helping me. I have read up on
> > the man pages and I understand what I need; it is:
> >
> > 1) I want to install some packages on OpenBSD 6.0 which I have
> > operational on a Parallels VM on my precious MacBookPro High Sierra.
>
> are you using 6.0? If so, it's no longer supported and packages are not
> available anymore.

Sure they are, but it can depend on the mirror. See for example
http://ftp.eu.openbsd.org/pub/OpenBSD/6.0/packages/i386/.

>
> > 2) I want to set a environmental variable PKG_PATH to the ftp site to
> > get packages.
> >   2.a) I am trying to set it to
> > https://ftp.openbsd.org/pub/OpenBSD/6.3/packages/i386/
> > , which has an
> > index of packages I might want to get. I will later put that
> > PKG_PATH in the start up file so it is always set each time I boot up
> > OpenBSD.

Why are you trying to set the PKG_PATH to use 6.3 packages when you
are according to the above using 6.0? To install 6.3 packages you
first need to upgrade the system to 6.3, one step at a time; 6.0-6.1,
6.1-6.2, 6.2-6.3. Start here:
http://www.openbsd.org/faq/upgrade61.html

Or just reinstall.

>
> > 3) My PKG_PATH string [
> > https://ftp.openbsd.org/pub/OpenBSD/6.3/packages/i386/
> >  ] does not
> > seem to work. An example I refer to includes some wild cards, “%”,
> > which I can’t seem to get right.k The example I am working from is at:
> > https://linux-audit.com/updating-all-openbsd-packages-with-pkg_add/
> > 
> > and one example it uses is passing a variable for name and arch -s,
> > which I have not set.
>
> http://man.openbsd.org/installurl
>
> https://ftp.openbsd.org/pub/OpenBSD is a right content for the file

But that was not introduced until 6.1 and there seems to be some
confusion on which release he is using. If he is using 6.0 installurl
is not available.

>
> >
> >
> > 4) What is a correct string i should use to set my PKG_PATH variable
> > to get packages from location at 2a above?
> >
>
> use /etc/installurl instead of PKG_PATH
>

The PKG_PATH environment variable could for example be set in root's
.profile, which is read when logging in as root (or doing su -) as in
the instructions you pasted earlier:
export PKG_PATH="http://ftp.eu.openbsd.org/pub/OpenBSD/$(uname
-r)/packages/$(arch -s)/"

The $(uname -r) and the $(arch -s) could be replaced with your literal
version and architecture respectively, in your case 6.0 and i386 (if
that is what you are using, please verify, by logging in and issuing
the two commands one after the other, ie. uname -r and arch -s).
Verify that you are installing the same version of packages as your
installed system. Test it on the command line first, works with or
without the quotation marks.

On a fresh install of 6.3 (6.1 or later), /etc/installurl will be
automatically populated during installation. If you are upgrading you
will need to create the file. Note that at some release the url should
be changed to use https, see the upgrade instructions if you go down
that route.

/Johan

/dev/efi driver

[Sijmen J. Mulder]

Hi all,

I'm working on a small EFI boot entry mangement utiltiy[1] which works
by querying and setting EFI variables (Boot, BootOrder, NextBoot).
It appears that OpenBSD does not expose an EFI variable interface.

Are there objections against such a driver on principle, e.g. security?
If not, FreeBSD's efidev[2] may be a suitable starting point. It's an
ioctl interface rather than Linux' efivars virtual file system.

If the FreeBSD design is appropriate I'd like to attempt to port it (if
no one more experienced will).

Sijmen

[1] https://github.com/sjmulder/bootto
[2] https://svnweb.freebsd.org/base/head/sys/dev/efidev/efidev.c?view=markup

panic booting with bsd.rd from the September 15 2018 snapshot

[Ed Ahlsen-Girard]

trap type 18, code 0, pc=81374ace
gsbase 0x81870ff0 kgsbas 0x0
panic: trap type 18, code 0, pc=81374ace


dmesg below.
-- 

Edward Ahlsen-Girard
Ft Walton Beach, FL


OpenBSD 6.4-beta (GENERIC.MP) #294: Wed Sep 12 19:50:03 MDT 2018
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 4176125952 (3982MB)
avail mem = 4040314880 (3853MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.8 @ 0xdbc40018 (36 entries)
bios0: vendor AMI version "80.06" date 04/01/2015
bios0: Hewlett-Packard 550-036
acpi0 at bios0: rev 2
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP APIC FPDT FIDT MSDM SSDT SSDT MCFG HPET SSDT SSDT DBGP
acpi0: wakeup devices PXSX(S4) RP01(S4) PXSX(S4) PXSX(S4) PXSX(S4) RP04(S4) 
PXSX(S4) PXSX(S4) RP06(S4) PXSX(S4) RP07(S4) PXSX(S4) GLAN(S4) EHC1(S3) 
EHC2(S3) XHC_(S3) [...]
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Core(TM) i3-4170 CPU @ 3.70GHz, 3691.97 MHz, 06-3c-03
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,MELTDOWN
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
cpu0: apic clock running at 99MHz
cpu0: mwait min=64, max=64, C-substates=0.2.1.2.4, IBE
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Core(TM) i3-4170 CPU @ 3.70GHz, 3691.46 MHz, 06-3c-03
cpu1: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,MELTDOWN
cpu1: 256KB 64b/line 8-way L2 cache
cpu1: smt 0, core 1, package 0
cpu2 at mainbus0: apid 1 (application processor)
cpu2: Intel(R) Core(TM) i3-4170 CPU @ 3.70GHz, 3691.46 MHz, 06-3c-03
cpu2: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,MELTDOWN
cpu2: 256KB 64b/line 8-way L2 cache
cpu2: smt 1, core 0, package 0
cpu3 at mainbus0: apid 3 (application processor)
cpu3: Intel(R) Core(TM) i3-4170 CPU @ 3.70GHz, 3691.46 MHz, 06-3c-03
cpu3: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,MELTDOWN
cpu3: 256KB 64b/line 8-way L2 cache
cpu3: smt 1, core 1, package 0
ioapic0 at mainbus0: apid 8 pa 0xfec0, version 20, 24 pins
acpimcfg0 at acpi0
acpimcfg0: addr 0xf800, bus 0-63
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (RP01)
acpiprt2 at acpi0: bus 2 (RP04)
acpiprt3 at acpi0: bus 3 (RP06)
acpiprt4 at acpi0: bus 4 (RP07)
acpiprt5 at acpi0: bus -1 (PEG0)
acpiec0 at acpi0: not present
acpicpu0 at acpi0: C2(200@148 mwait.1@0x33), C1(1000@1 mwait.1), PSS
acpicpu1 at acpi0: C2(200@148 mwait.1@0x33), C1(1000@1 mwait.1), PSS
acpicpu2 at acpi0: C2(200@148 mwait.1@0x33), C1(1000@1 mwait.1), PSS
acpicpu3 at acpi0: C2(200@148 mwait.1@0x33), C1(1000@1 mwait.1), PSS
acpipwrres0 at acpi0: FN00, resource for FAN0
acpipwrres1 at acpi0: FN01, resource for FAN1
acpipwrres2 at acpi0: FN02, resource for FAN2
acpipwrres3 at acpi0: FN03, resource for FAN3
acpipwrres4 at acpi0: FN04, resource for FAN4
acpitz0 at acpi0: critical temperature is 105 degC
acpitz1 at acpi0: critical temperature is 105 degC
acpicmos0 at acpi0
acpibtn0 at acpi0: PWRB
"PNP0C14" at acpi0 not configured
"PNP0C0B" at acpi0 not configured
"PNP0C0B" at acpi0 not configured
"PNP0C0B" at acpi0 not configured
"PNP0C0B" at acpi0 not configured
"PNP0C0B" at acpi0 not configured
acpivideo0 at acpi0: GFX0
cpu0: Enhanced SpeedStep 3691 MHz: speeds: 3700, 3500, 3300, 3100, 2900, 2700, 
2500, 2300, 2200, 2000, 1800, 1600, 1400, 1200, 1000, 800 MHz
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel Core 4G Host" rev 0x06

Re: OT: Firmware encryption hacked?

[Carlos Lopez]

Many thanks to all for your explanations, as always.

Regards,
C. L. Martinez

From: owner-m...@openbsd.org  on behalf of Kevin 
Chadwick 
Sent: 13 September 2018 17:39
To: misc@openbsd.org
Subject: Re: OT: Firmware encryption hacked?

On Thu, 13 Sep 2018 10:23:11 -0400


  Uhmm … Reality?
  
https://techcrunch.com/2018/09/12/security-flaw-in-nearly-all-modern-pcs-and-macs-leaks-encrypted-data/?guccounter=1

 Somewhat better writup from the source:

 https://blog.f-secure.com/cold-boot-attacks/

 The vulnerability seems to be when a computer is running or "sleeping"
 not actually off or hibernating. There are then ways that an attacker
 with physical access might recover encryption keys or other data from
 RAM.

Old news. Also, cold boot attacks go atleast several years before 2008.
In fact, expensive cold boot resistant hdd were around in 2005.