The Flat Earth Society

Other Discussion Boards => Technology & Information => Topic started by: juner on January 17, 2018, 05:42:33 PM

Title: Meltdown/Spectre
Post by: juner on January 17, 2018, 05:42:33 PM
I am sure you have all heard of it by now, this is just a friendly reminder to patch your systems.

Patch your OS, patch your BIOS, and if you are running a hypervisor, patch that too.


Edit - Assuming many of you are running Windows, your anti-virus program needs to apply a registry key to be able to receive updates from January 2018 and going forward. More info here:

https://support.microsoft.com/en-us/help/4072699/january-3-2018-windows-security-updates-and-antivirus-software

If you have no A/V installed, Windows Defender will take care of it for you (assuming you are running a system with Windows Defender).
Title: Re: Meltdown/Spectre
Post by: xasop on January 17, 2018, 07:41:55 PM
Patch your OS, patch your BIOS, and if you are running a hypervisor, patch that too.

Still waiting for a patch for OpenBSD as the proletarian OSes scramble to catch up after the 6-month Illuminati-only embargo. This incident has destroyed whatever faith I had left in this industry as a whole.
Title: Re: Meltdown/Spectre
Post by: Dr David Thork on January 25, 2018, 06:39:42 PM
Thank you Junker for your advice.


Here is a little advice from me. Never ever install an update until it is a least 3 months old and people like Junker have done the testing for you. Whether it is an iOS update or a windows update or a bios update or whatever. Just wait.

You'll be told your computer is unstable, insecure, dangerous, open to attack and all the rest of those FUD claims. However the single biggest threat to your computer is from the patch you got given to fix it.

https://www.christianpost.com/news/intel-confirms-patches-for-meltdown-and-spectre-bugs-affect-even-newer-generations-of-cpus-214406/
https://www.engadget.com/2018/01/18/intel-spectre-reboot-problem-affects-newer-cpu/

Just wait a few months ... see how things turn out and then update. In the mean time, you aren't going to get an issue from meltdown or spectre in the next few months on your machine (very very low probability) ... so just relax and wait.  :)
Title: Re: Meltdown/Spectre
Post by: xasop on January 25, 2018, 06:47:51 PM
Just wait a few months ... see how things turn out and then update. In the mean time, you aren't going to get an issue from meltdown or spectre in the next few months on your machine (very very low probability) ... so just relax and wait.  :)

Or use an OS made by people who don't put out shit releases without testing, but that might be too much to ask for this Shiny-Object-Syndrome-infected industry. Why use something that works when you can use something with a nice paint job, right?
Title: Re: Meltdown/Spectre
Post by: Dr David Thork on January 25, 2018, 07:10:06 PM
I haven't got enough life to f-about using command lines and learning a fairly non-transferable syntax with the added inconvenience of having to spend forever looking for drivers and workarounds for all the things that aren't compatible.

Or use an OS made by people who don't put out shit releases without testing, but that might be too much to ask for this Shiny-Object-Syndrome-infected industry. Why use something that works when you can use something with a nice paint job, right?

I don't need to be hands on getting involved in the mechanics of my machine.
I'd rather use the keys to my car than hot wire it. I just want it to work. I don't care how it works.
Title: Re: Meltdown/Spectre
Post by: juner on January 25, 2018, 09:10:47 PM
Here is a little advice from me. Never ever install an update until it is a least 3 months old and people like Junker have done the testing for you.

This is absolutely terrible advice. The Windows SMB vulnerability is proof enough of that. A patch was available yet plenty of organizations did not test/install it, and it had a very real impact on people's lives (https://krebsonsecurity.com/2017/05/u-k-hospitals-hit-in-widespread-ransomware-attack/). Had they applied the SMB patch (assuming they were running supported operating systems), then the entire mess would have been avoided.

What is scarier is that you claim to run an I.T. business. These are absolutely things you need to be up to date on, and preferably doing some sort of testing with on a regular basis. It is irresponsible and a disservice to your clients if security falls anywhere in your realm of responsibilities. You should be the one testing, not relying on others. I have a patching schedule that runs through test, then to prod. For consumers, you won't likely have this available, so you can weigh the risks on your own. For critical security patches, I would advise patching as soon as possible. If you are the type who is worried about issues (which there have been with spectre/meltdown patches), then wait a few days and keep on eye on the progress, but waiting several months is just asking to be compromised.
Title: Re: Meltdown/Spectre
Post by: Dr David Thork on January 25, 2018, 10:10:49 PM
This is absolutely terrible advice. The Windows SMB vulnerability is proof enough of that. A patch was available yet plenty of organizations did not test/install it, and it had a very real impact on people's lives (https://krebsonsecurity.com/2017/05/u-k-hospitals-hit-in-widespread-ransomware-attack/). Had they applied the SMB patch (assuming they were running supported operating systems), then the entire mess would have been avoided.

If you bothered to read my post, I said leave it 3 months. Not 20 years. The NHS hospitals that were hit were running Windows XP! An operating system no longer supported by Microsoft. The patch they should have installed had been around for ages.

What is scarier is that you claim to run an I.T. business. These are absolutely things you need to be up to date on, and preferably doing some sort of testing with on a regular basis. It is irresponsible and a disservice to your clients if security falls anywhere in your realm of responsibilities. You should be the one testing, not relying on others. I have a patching schedule that runs through test, then to prod. For consumers, you won't likely have this available, so you can weigh the risks on your own. For critical security patches, I would advise patching as soon as possible. If you are the type who is worried about issues (which there have been with spectre/meltdown patches), then wait a few days and keep on eye on the progress, but waiting several months is just asking to be compromised.
1) It is common practice for companies to run one operating system behind ... or at least 6 months behind on updates. They do not maintain bleeding edge updates. Also good avdice for the home user.
2) You are dispensing information to users on this website. Not companies. Home users do not need to worry about being cyber targeted. They aren't honey pots. You are far more likely to have an issue from a patch within 3 months, than you are to get a virus from a vulnerability within 3 months. At present there are no known spectre or meltdown viruses. It is only a vulnerability at present.

For critical security patches, I would advise patching as soon as possible.
And I would advise you wait. As this Intel update and many others recently have proven.

http://www.telegraph.co.uk/technology/2016/09/13/ios-10-launch-live-how-to-upgrade-to-apples-new-software-and-wha/
http://wjla.com/news/nation-world/iphone-glitch-causes-repeated-reboots-apple-issues-software-update-saturday

Downloading a rushed out patch is fraught with risk. As mentioned, the biggest threat to your computer is the patch you are about to install. Wait 3 months, let Junker brick his computer and complain to the vendor, let them sort that out, and then install once you know the patch is thoroughly tested by those who think it clever to 'patch as soon as possible'.
Title: Re: Meltdown/Spectre
Post by: juner on January 25, 2018, 10:26:36 PM
If you bothered to read my post, I said leave it 3 months. Not 20 years. The NHS hospitals that were hit were running Windows XP! An operating system no longer supported by Microsoft.
The NHS example was just one incident of very many. That one happened to get a lot of press. While plenty of machines were XP and not supported, Microsoft still ended up releasing a patch for their unsupported OS to remedy the issue. Along with patches for Server 2003. That wouldn't have helped because it was after the incident anyway, but somehow I doubt every instance was an XP/2003 machine and not just an unpatched, supported OS.


1) It is common practice for companies to run one operating system behind ... or at least 6 months behind on updates. They do not maintain bleeding edge updates. Also good avdice for the home user.
An OS is fine, as there are plenty of compatibility concerns that may need to be accounted for. As long as the OS is still supported. 6 months on patches is purely anecdotal on your part. And it is an objectively bad policy if it is in place, regardless of the reasons behind it.


2) You are dispensing information to users on this website. Not companies. Home users do not need to worry about being cyber targeted.
This is simply nonsense. Automated attacks on public IPs happen 24x7, including home users. Targeted attacks not so much unless it is someone high profile.


You are far more likely to have an issue from a patch within 3 months, than you are to get a virus from a vulnerability within 3 months. At present there are no known spectre or meltdown viruses. It is only a vulnerability at present.
Again, this is purely made up on your part. If you said within a week, then I would agree, as that has been seen repeatedly by anyone who does this for a living. And just because you aren't aware of existing exploits for Spectre/Meltdown certainly doesn't mean they don't exist.


And I would advise you wait. As this update and many others recently have proven.
Not 3 months. It is terrible advice and displays your ignorance of the field. Attitudes like this are why there are new compromises in the news almost daily.


Downloading a rushed out patch is fraught with risk. As mentioned, the biggest threat to your computer is the patch you are about to install. Wait 3 months, let Junker brick his computer and complain to the vendor, let them sort that out, and then install.
It is a risk that people can weigh for themselves. It isn't the biggest threat to your computer, that is just another made up claim by you. I wish you luck in your endeavors to provide I.T. to your customers. Assuming you go with the poor practices you've outlined here, I hope you never get hit with things like WannaCry because you have some made up delay as to when security patches should be applied.
Title: Re: Meltdown/Spectre
Post by: Dr David Thork on January 25, 2018, 10:44:09 PM
It is the biggest threat to your computer.

If you do nothing, you run a lottery of getting a virus first that no one has ever heard of. Very slim odds. No spectre or meltdown viruses exist. What are the odds someone makes one, and you are infected?

What are the odds that if you downloaded the patch it would screw your PC up? Quite high. Look at all the people being effected by these updates. Millions of them.

I might also add most viruses are rather benign. A keylogger, a browser hijacker, and trojan. All these things are very fixable. What are you going to do when Apple releases a patch and you download and brick your device?
http://wjla.com/news/nation-world/iphone-glitch-causes-repeated-reboots-apple-issues-software-update-saturday
You can't even roll the bloody thing back.

You are just wrong. You picked examples like the NHS and those are entities that are several years behind with updates. Not 3-6 months. Many companies take at least 6 months, just to finish testing for compatibility with in-house software. They aren't installing next day updates. That is not anecdotal ... that is industry standard. You don't run bleeding edge updates in large organisations.

There is no need as a home user to be up to the minute. You only run the risk of installing a botched update, the prevalence or which has increased dramatically of late. You aren't likely to be able to test it and find such errors yourself ... just let large corps do the work, let those who claim vulnerability bounties knock themselves out testing ... and when the coast is clear 3-6 months later ... install.

https://www.forbes.com/sites/gordonkelly/2017/12/05/apple-ios-11-2-problems-ios-11-problem-iphone-battery-life/#377fdec259d9
I avoided all that crap.
Title: Re: Meltdown/Spectre
Post by: juner on January 25, 2018, 11:09:12 PM
It is the biggest threat to your computer.
This is simply false. You seem to be committed to it, though, so I won't try to change your mind. I will just point it out for other users who happen to read the thread.

No spectre or meltdown viruses exist.
You literally do not know this, so I don't know why you keep saying it.

What are the odds that if you downloaded the patch it would screw your PC up? Quite high. Look at all the people being effected by these updates. Millions of them.
It isn't quite high. You are simply using this as an example to make a blanket statement. Thousands of patches come and ago without issue. Again, waiting a week wouldn't cause an issue, as you'd see that there is a chance this particular patch could cause a problem. The patch gets pulled, and a better one is released. You don't have to be bleeding edge, but 3-6 months is an arbitrary time frame made up by you, and doesn't comply with any sort of best practice.

I might also add most viruses are rather benign. A keylogger, a browser hijacker, and trojan. All these things are very fixable.
Whatever the risk is worth to you I guess. The bad guys only have to get it right once, and then you are dealing with stolen identity issues for the next 5 years.

You are just wrong. You picked examples like the NHS and those are entities that are several years behind with updates.
You suggesting that I am wrong shows your ignorance once again, and I would caution anyone reading to question your advice on anything I.T. related. In this SMB case, Microsoft released a patch 2 months or so before the first major attacks. You pretending this isn't a risk is irrelevant. You don't have to be years behind to be impacted, as evidenced by this specific example.

Not 3-6 months. Many companies take at least 6 months, just to finish testing for compatibility with in-house software. They aren't installing next day updates. That is not anecdotal ... that is industry standard. You don't run bleeding edge updates in large organisations.
Bleeding edge is updating prod the same day a patch is released. Companies may have 3-6 month delays, but it doesn't change the fact it is bad practice, and likely driven by inefficiency. And it isn't an industry standard, stop making things up. I've worked for plenty of very large organizations, and we rolled about a month behind, sometimes 6 weeks for extra change management.

There is no need as a home user to be up to the minute. You only run the risk of installing a botched update, the prevalence or which has increased dramatically of late. You aren't likely to be able to test it and find such errors yourself ... just let large corps do the work, let those who claim vulnerability bounties knock themselves out testing ... and when the coast is clear 3-6 months later ... install.
I agree not "up to the minute." For some reason you seem to suggest there isn't a middle ground between the day a patch is released and your arbitrary "3-6 months."


Obviously we aren't going to agree on this. I am just compelled to point out that you are suggesting bad practices. People and businesses can weigh the risk and make their own decisions, but to try to pretend a bad practice is not a bad practice because of $REASON is juvenile. To call it a "standard" is dishonest and speaks to limited experience. Again, people engage in bad habits all the time, but they should at least be self-aware that it is a bad habit and not try to pretend otherwise.
Title: Re: Meltdown/Spectre
Post by: xasop on January 25, 2018, 11:41:48 PM
Why use something that works

I just want it to work.

Looks like someone didn't read my post.
Title: Re: Meltdown/Spectre
Post by: Dr David Thork on January 26, 2018, 12:30:34 AM
I would advise patching as soon as possible.
I'm not going to let you run away from this statement. It is bad advice.

Why use something that works

I just want it to work.

Looks like someone didn't read my post.
I read your post. I may not have understood your post, but I definitely read it. Or are you going to go all Junker on me and start making stuff up?  >:(

Title: Re: Meltdown/Spectre
Post by: juner on January 26, 2018, 12:39:35 AM
I would advise patching as soon as possible.
I'm not going to let you run away from this statement. It is bad advice.

It’s almost like the literal thing I said is general enough to fit everyone’s use cases. It doesn’t change the fact that your suggestion is bad practice.
Title: Re: Meltdown/Spectre
Post by: xasop on January 26, 2018, 01:02:43 AM
I read your post. I may not have understood your post, but I definitely read it. Or are you going to go all Junker on me and start making stuff up?  >:(

I suggested using an OS that doesn't ship broken garbage. There are plenty of those out there to suit everyone. I have no idea why you seem to have assumed I was talking about one in particular.
Title: Re: Meltdown/Spectre
Post by: Dr David Thork on January 26, 2018, 01:08:13 AM
I would advise patching as soon as possible.
I'm not going to let you run away from this statement. It is bad advice.

It’s almost like the literal thing I said is general enough to fit everyone’s use cases. It doesn’t change the fact that your suggestion is bad practice.

It isn't
http://uk.businessinsider.com/why-you-should-wait-to-install-software-updates-2015-12?r=US&IR=T
https://www.computerworld.com/article/3213929/microsoft-windows/the-case-against-windows-automatic-update.html


This has been going on for a long time now.
https://www.infoworld.com/article/2834535/security/four-more-botched-black-tuesday-patches-kb-3000061-kb-2984972-kb-2949927-and-kb-2995388.html

If you are still patching "as soon as possible" you are doing it wrong. Do you get 4 viruses a week because you take a few months to update? Updates are far more likely to take down your home computer than any threat. Just be patient, leave it a while and done. I don't know why this is hard to understand. All the evidence is there. Every week another botched update is rolled out by someone. If you wait a while, you only update the ones that aren't pulled or repatched. In other words you aren't willfully loading harmful software onto your machine.

I read your post. I may not have understood your post, but I definitely read it. Or are you going to go all Junker on me and start making stuff up?  >:(

I suggested using an OS that doesn't ship broken garbage. There are plenty of those out there to suit everyone. I have no idea why you seem to have assumed I was talking about one in particular.
All the OSes you have ever suggested are nihilistic, command-driven time thieves with the visual beauty of a octogenarian vagina. 
Title: Re: Meltdown/Spectre
Post by: juner on January 26, 2018, 01:19:06 AM
No matter how many times you repeat yourself, Thork, it doesn’t make you any less wrong. I’m sorry if that’s hard for you to understand.
Title: Re: Meltdown/Spectre
Post by: xasop on January 26, 2018, 01:37:47 AM
with the visual beauty of a octogenarian vagina. 
Why use something that works when you can use something with a nice paint job, right?

Thanks for making my point for me. If you're going to follow the herd and choose form over function, don't complain when you end up with something that doesn't function.
Title: Re: Meltdown/Spectre
Post by: Dr David Thork on January 26, 2018, 03:22:20 PM
with the visual beauty of a octogenarian vagina. 
Why use something that works when you can use something with a nice paint job, right?

Thanks for making my point for me. If you're going to follow the herd and choose form over function, don't complain when you end up with something that doesn't function.

Pretty sure I already had this covered.
I'd rather use the keys to my car than hot wire it. I just want it to work. I don't care how it works.
Title: Re: Meltdown/Spectre
Post by: xasop on January 26, 2018, 05:02:49 PM
Pretty sure I already had this covered.
I'd rather use the keys to my car than hot wire it. I just want it to work. I don't care how it works.

I'm literally telling you to use something that works. You're telling me you're going to use something shiny instead, because you want something that works.

Does not compute.
Title: Re: Meltdown/Spectre
Post by: Dr David Thork on January 26, 2018, 05:06:53 PM
A bicycle works. A shiny car costs more and is easier to use. I understand how every part of a bicycle works and can fix it. I can't do this with my 'bloated' one ton car. It needs a laptop and a skilled mechanic. Sometimes my car breaks. I need to spend time and money fixing it. But I'm sure as hell not going to use my bike to cycle to London.  >o<
Title: Re: Meltdown/Spectre
Post by: xasop on January 26, 2018, 05:12:32 PM
A bicycle works. A shiny car costs more and is easier to use. I understand how every part of a bicycle works and can fix it. I can't do this with my 'bloated' one ton car. It needs a laptop and a skilled mechanic. Sometimes my car breaks. I need to spend time and money fixing it. But I'm sure as hell not going to use my bike to cycle to London.  >o<

If you had to wait 3 months for other people to test new parts your mechanic puts into your car before you can trust his work, would you keep paying the same mechanic or would you find someone else?
Title: Re: Meltdown/Spectre
Post by: Dr David Thork on January 26, 2018, 05:15:07 PM
I still wouldn't be cycling everywhere.
Title: Re: Meltdown/Spectre
Post by: xasop on January 26, 2018, 05:16:35 PM
I still wouldn't be cycling everywhere.

And there you go assuming I'm talking about one particular OS again. Why are you reading more into my statements than there is?
Title: Re: Meltdown/Spectre
Post by: Dr David Thork on January 26, 2018, 05:29:32 PM
All the OSes you have ever suggested are nihilistic, command-driven time thieves with the visual beauty of a octogenarian vagina. 
As fun as this time loop has become, its my 40th birthday. I am off out to drink lots and be obnoxious to women. ttfn.
Title: Re: Meltdown/Spectre
Post by: xasop on January 26, 2018, 06:29:55 PM
All the OSes you have ever suggested are nihilistic, command-driven time thieves with the visual beauty of a octogenarian vagina. 
As fun as this time loop has become, its my 40th birthday. I am off out to drink lots and be obnoxious to women. ttfn.

That statement doesn't really explain anything. Why do you think there are no good OSes that aren't interesting to me personally?
Title: Re: Meltdown/Spectre
Post by: JohnAdams1145 on January 28, 2018, 08:21:41 AM
Baby Thork, I hope you realize that something called the Windows Insider Program exists. People who sign up for it get the latest and greatest in features in exchange for submitting feedback/bug reports on stuff that doesn't work. Typical software updates have been tested extensively; any bugs will probably just be small annoyances and won't brick your computer. On the other hand, deciding to avoid updates on published vulnerabilities makes your computer an easy target. Imagine if an attacker knew everything you typed, everywhere you visited... That's asking for identity theft. Even ransomware will cost you far more time than the slight annoyances that come with keeping up-to-date. Besides, most updates fix annoying bugs in previous versions.
Title: Re: Meltdown/Spectre
Post by: Lord Dave on January 28, 2018, 08:27:29 AM
Baby Thork, I hope you realize that something called the Windows Insider Program exists. People who sign up for it get the latest and greatest in features in exchange for submitting feedback/bug reports on stuff that doesn't work. Typical software updates have been tested extensively; any bugs will probably just be small annoyances and won't brick your computer. On the other hand, deciding to avoid updates on published vulnerabilities makes your computer an easy target. Imagine if an attacker knew everything you typed, everywhere you visited... That's asking for identity theft. Even ransomware will cost you far more time than the slight annoyances that come with keeping up-to-date. Besides, most updates fix annoying bugs in previous versions.


To be fair, Windows has released updates that they've had to retract due to system crashes or breaking the OS.  I've seen a few personally.


And most vulnerabilities are specific and unbroadcasted.  Yes, its a hole but its like trying to poke a moving target in the dark.  You need lure.  You need the vulnerable pc to get infected or to link up with a compromised website.  Then you need to use the right attack in the time you have.
Title: Re: Meltdown/Spectre
Post by: Pete Svarrior on January 28, 2018, 11:51:59 AM
Typical software updates have been tested extensively; any bugs will probably just be small annoyances and won't brick your computer.
The big "Creators Updates" have consistently caused major issues on small (but significant) numbers of machines. The Insider Program is a decent attempt at widening participation in testing, but it is still insufficient for the product of this size.
Title: Re: Meltdown/Spectre
Post by: Dr David Thork on January 28, 2018, 03:36:50 PM
Typical software updates have been tested extensively; any bugs will probably just be small annoyances and won't brick your computer.
The big "Creators Updates" have consistently caused major issues on small (but significant) numbers of machines. The Insider Program is a decent attempt at widening participation in testing, but it is still insufficient for the product of this size.
The creators update before last, I held off. Eventually it forced the update on me and I figured it must be fine by now. It wasn't. It broke my wifi (compatibility problems with Intel dual band wireless AC-8260). In the end I had to reconfigure my router to get it working, but it took 3 days to figure out what happened.  >:(

To my mind, being given some apps and a newer version of MS Paint 3D which I don't use anyway, isn't worth the risk of being kicked off the internet. I wish Microsoft would abandon the Windows 10 forever strategy. I don't want to play. I just want my machine to work as it does right now. I paid for the product. Let me use it as I intended, not as Microsoft intend.
Title: Re: Meltdown/Spectre
Post by: Lord Dave on January 28, 2018, 03:42:33 PM
Typical software updates have been tested extensively; any bugs will probably just be small annoyances and won't brick your computer.
The big "Creators Updates" have consistently caused major issues on small (but significant) numbers of machines. The Insider Program is a decent attempt at widening participation in testing, but it is still insufficient for the product of this size.
The creators update before last, I held off. Eventually it forced the update on me and I figured it must be fine by now. It wasn't. It broke my wifi. In the end I had to reconfigure my router to get it working, but it took 3 days to figure out what happened.  >:(

To my mind, being given some apps and a newer version of MS Paint 3D which I don't use anyway, isn't worth the risk of being kicked off the internet. I wish Microsoft would abandon the Windows 10 forever strategy. I don't want to play. I just want my machine to work as it does right now. I paid for the product. Let me use it as I intended, not as Microsoft intend.

Exactly how did windows break your wifi?  What configurations did you need to change to get it working?

Also...
you CAN turn off updates so it won't ever force them.  At least I'm 90% sure you can.  But if you want "install updates when I want" you probably want a linux or unix distro, not windows. 
Title: Re: Meltdown/Spectre
Post by: Dr David Thork on January 28, 2018, 03:44:46 PM
You press "remind me later" and keep doing that. At some point it just stops asking and before you know it when you shut down the percentage time install has begun and it is telling you not to turn off your PC. Now you're getting that update, permission or not.

And no, you couldn't stop it.
https://www.computerworld.com/article/3247754/microsoft-windows/reports-say-win10-creators-update-users-are-being-forced-to-fall-creators-update-again.html


They weren't supposed to
https://wccftech.com/microsoft-forced-windows-10-update/
But they did anyway.  >:(
Title: Re: Meltdown/Spectre
Post by: Lord Dave on January 28, 2018, 03:54:38 PM
Oh there's ways around that and you know it.  Just go block the update server on your router or firewall.  Or turn off the update service.

And really, I can't blame Microsoft, one of the biggest and most used OSes in the world, to not force it's users to update sometimes when alot don't bother and that lets infections spread.

It's like people who refuse to get vaccinations.  Sure, you'll probably be ok but if enough do it, well, your chances get worse every day.
Title: Re: Meltdown/Spectre
Post by: garygreen on January 28, 2018, 03:57:17 PM
>uses windows because it "just works"
>arg why doesn't windows ever work!!!!11
Title: Re: Meltdown/Spectre
Post by: Dr David Thork on January 28, 2018, 04:03:24 PM
Oh there's ways around that and you know it.  Just go block the update server on your router or firewall.  Or turn off the update service.
Do you even have a Windows PC?
https://answers.microsoft.com/en-us/windows/forum/windows_10-update/how-can-i-block-the-creators-update/47be322a-30fb-4cfc-a503-47ac48dc99b8?auth=1

And really, I can't blame Microsoft, one of the biggest and most used OSes in the world, to not force it's users to update sometimes when alot don't bother and that lets infections spread.

It's like people who refuse to get vaccinations.  Sure, you'll probably be ok but if enough do it, well, your chances get worse every day.
There is a world of difference between a content update (creators) and a vulnerability update (patch). I should just be able to opt out of creators updates full stop.

And it is not up to microsoft to keep my PC free of viruses. It is up to me. Its my machine, I paid for it and I bear the brunt of anything that happens to it. I also use 3rd party software to keep it clean of nasty stuff. I haven't had a virus in years. I have had update problems. So again, the patch is the biggest threat to my PC, not malware. Their patches are malware at this stage. I like to wait, it gives the best chance of not installing a patch that later gets pulled or repatched because it broke computers.
Title: Re: Meltdown/Spectre
Post by: Lord Dave on January 28, 2018, 05:33:58 PM
Oh there's ways around that and you know it.  Just go block the update server on your router or firewall.  Or turn off the update service.
Do you even have a Windows PC?
https://answers.microsoft.com/en-us/windows/forum/windows_10-update/how-can-i-block-the-creators-update/47be322a-30fb-4cfc-a503-47ac48dc99b8?auth=1 (https://answers.microsoft.com/en-us/windows/forum/windows_10-update/how-can-i-block-the-creators-update/47be322a-30fb-4cfc-a503-47ac48dc99b8?auth=1)

Literally the first reply:
Quote
You can physically block updates by fiddling with system settings. But that's an absurd thing to do, for at least two reasons: 1) Your computer will eventually stop receiving security updates; and 2) going forward, all changes to Windows and all software programs and hardware drivers will presume that they are dealing with a fully patched system, leading to unpredictable results if the system is not fully patched.

Quote
And really, I can't blame Microsoft, one of the biggest and most used OSes in the world, to not force it's users to update sometimes when alot don't bother and that lets infections spread.

It's like people who refuse to get vaccinations.  Sure, you'll probably be ok but if enough do it, well, your chances get worse every day.
There is a world of difference between a content update (creators) and a vulnerability update (patch). I should just be able to opt out of creators updates full stop.

And it is not up to microsoft to keep my PC free of viruses. It is up to me. Its my machine, I paid for it and I bear the brunt of anything that happens to it. I also use 3rd party software to keep it clean of nasty stuff. I haven't had a virus in years. I have had update problems. So again, the patch is the biggest threat to my PC, not malware. Their patches are malware at this stage. I like to wait, it gives the best chance of not installing a patch that later gets pulled or repatched because it broke computers.
You're right, it's not up to Microsoft to keep your PC free of viruses.  It IS up to them to fix the security holes in the OS that lets others use it as part of a bot net though.  Cause no AV in the world is gonna help with that.

This meltdown/spectre thing?  Tell me what AV is gonna stop that? 
Ransomeware.  You know why it's so potent?  Because it uses Windows's own god damn encryption.  AV can barely figure out when something is encrypting that isn't intentional and relies on delivery signatures or blacklisted IPs.  It's not gonna scan your processes and go "Hey... the OS is encrypting this file.  Do you want to allow it?"
or
"Hey, this program is reading cache.  Do you wish to allow that?"

So yes, Microsoft is responsible for fixing your OS.  Just like Ford is responsible for replacing your airbag when they learn it'll (probably) kill you if deployed.
Title: Re: Meltdown/Spectre
Post by: xasop on January 28, 2018, 05:54:50 PM
There is a world of difference between a content update (creators) and a vulnerability update (patch). I should just be able to opt out of creators updates full stop.

Do you understand how software development works?

I mean, yes, in theory you are correct. However, in order to support you with security updates without giving you the Creators update, Microsoft would effectively be supporting two different OSes. Now add the next "content update" onto that, and it's three OSes. Fast-forward 10 years and you have another Windows XP situation.

The reality is that very few OS vendors will continue to produce security patches for old releases past about a year after their replacement comes out. This isn't a Microsoft-only problem, it simply requires too much manpower to support every special snowflake configuration everyone wants to run.

For example, the only Linux distribution I'm aware of that enables users to hold off on "content updates" within one major release is Red Hat Enterprise Linux. This will cost you $249 (https://www.redhat.com/en/store/extended-update-support-add), and you still only get 2 years of security support before you need to get the "content updates" anyway.

So no, when you consider practicality, "content updates" and security updates are not so separate.
Title: Re: Meltdown/Spectre
Post by: Dr David Thork on January 28, 2018, 11:38:32 PM
You're right

you are correct


My work here is done.
Title: Re: Meltdown/Spectre
Post by: juner on January 31, 2018, 05:05:23 PM
I also use 3rd party software to keep it clean of nasty stuff. I haven't had a virus in years.

Interesting, what kind of 3rd party software? Anti-virus or similar? Do you let that 3rd party software do its own definition updates, or do you also wait 3-6 months on that? I have had more issues with 3rd party software (specifically A/V) breaking things than OS updates. Bad definition updates that happen automatically have taken down applications on me 3 times I can recall in recent memory. I guess I should apply Thork-LogicTM and not let those things update for months as well, as they are likely the biggest risk to my machine according to you.
Title: Re: Meltdown/Spectre
Post by: Dr David Thork on January 31, 2018, 07:49:27 PM
Definitions are different to patches.

Lets use a different example. So I have Spybot as one of my tools. And I update the definitions on that regularly. But the difference is, it tells me when its going to do something. It tells me what its found, and asks me what to do. I also only have it in on-demand mode. IE I ask it to check the drive. It isn't 'immunizing' my computer. I have other things for that.

A virus definition tends to be a check for a registry key setting or the location of where a bad file loads itself and a check for it. And it always asks ... do you want to quarantine or delete this threat? It isn't sneakily doing shit behind my back. And if it says my keyboard is a virus and it wants to remove it, I tell it not to. I can't do that with a patch.

In short I keep my definitions up to date. They don't cause me issues. It is patches that break my machine from time to time, and not being so keen to update has really reduced the likelihood of me getting an issue. I'm usually one version behind on my bios too ... + I google and read to see if the version I'm looking to install has caused other people problems and weigh the risk. For example if an update is breaking people's Logitech mice, I might ignore that as I don't have one and install. If people with my graphics package are saying it destroys their performance, then I'm going to wait and ride that one out.

For me it is more about not just installing because it is there. Do I need it, do I need it right now, what might it break, how long has it been out ... it has to be a better strategy than "patching as soon as possible". That is a strategy that has burned me many times in the past. Sure it takes a few mins to decide whether or not to do the updates, but that is better than losing several hours or worse because a patch broke something.
Title: Re: Meltdown/Spectre
Post by: juner on February 02, 2018, 04:24:58 PM
No spectre or meltdown viruses exist.


http://www.zdnet.com/article/meltdown-spectre-malware-is-already-being-tested-by-attackers/
Quote
The number of potential Meltdown-Spectre malware samples collected by AV-Test has steadily climbed since the first one was spotted on January 7 to 139 by the end of January.

I know pointing out Thork being wrong is like shooting fish in a barrel, but I figured I should remind everyone again that he is wrong.
Title: Re: Meltdown/Spectre
Post by: xasop on February 02, 2018, 04:33:28 PM
No spectre or meltdown viruses exist.


http://www.zdnet.com/article/meltdown-spectre-malware-is-already-being-tested-by-attackers/
Quote
The number of potential Meltdown-Spectre malware samples collected by AV-Test has steadily climbed since the first one was spotted on January 7 to 139 by the end of January.

I know pointing out Thork being wrong is like shooting fish in a barrel, but I figured I should remind everyone again that he is wrong.

Actually, Thork was correct. The sort of malware described in that article is not a virus.
Title: Re: Meltdown/Spectre
Post by: juner on February 02, 2018, 04:35:56 PM
Actually, Thork was correct. The sort of malware described in that article is not a virus.

He uses Spybot. Somehow I think he lacks the nuance to ensure he is using the proper technical terms in every case.
Title: Re: Meltdown/Spectre
Post by: xasop on February 02, 2018, 04:38:27 PM
Actually, Thork was correct. The sort of malware described in that article is not a virus.

He uses Spybot. Somehow I think he lacks the nuance to ensure he is using the proper technical terms in every case.

Oh, I'd never dream of suggesting that he was intentionally correct. Nevertheless, he was correct.
Title: Re: Meltdown/Spectre
Post by: juner on February 02, 2018, 04:42:17 PM
Nevertheless, he was correct.

Not necessarily. This goes back to my previous point. There is no way of knowing if he is correct. Just because a virus hasn't been identified doesn't mean that it does not exist.

Title: Re: Meltdown/Spectre
Post by: xasop on February 02, 2018, 04:53:11 PM
Not necessarily. This goes back to my previous point. There is no way of knowing if he is correct. Just because a virus hasn't been identified doesn't mean that it does not exist.

While that is technically true, correctness can be expressed in terms of available information. If absolute proof of something had to be presented in order for someone to be considered correct, the word "correct" would never be used.

Sacrificing some brevity, you could rewrite my earlier statement as: To the best of our current knowledge, Thork is correct. However, that is redundant when you consider that all statements ever made are within the context of available knowledge.
Title: Re: Meltdown/Spectre
Post by: juner on February 02, 2018, 05:02:42 PM
While that is technically true, correctness can be expressed in terms of available information. If absolute proof of something had to be presented in order for someone to be considered correct, the word "correct" would never be used.
It is almost like there is some flexibility for being correct that exists between can be and absolutely. But, I will take "technically true" as an acknowledgment.


Sacrificing some brevity, you could rewrite my earlier statement as: To the best of our current knowledge, Thork is correct. However, that is redundant when you consider that all statements ever made are within the context of available knowledge.
I feel like you are suggesting that Thork's statement was made in the context of available knowledge. This would imply that he has included available knowledge when making the claim. Again, I think we both know he lacks the nuance to consider such a thing. It is much more probable he shoehorned the claim into his anti-update argument because he hasn't seen a headline on aol.com (or whatever old people use for their news source).

I also feel like none of us here have scoured all the available knowledge on this topic to make a concrete claim on this very specific topic.
Title: Re: Meltdown/Spectre
Post by: Dr David Thork on February 02, 2018, 07:34:25 PM
Erm guys, this isn't your PM. How embarrassing for you. You've accidentally posted all of this in a public forum and I read it.  :-[