*

Offline junker

  • Planar Moderator
  • *****
  • Posts: 8407
  • Boom
    • View Profile
Meltdown/Spectre
« on: January 17, 2018, 05:42:33 PM »
I am sure you have all heard of it by now, this is just a friendly reminder to patch your systems.

Patch your OS, patch your BIOS, and if you are running a hypervisor, patch that too.


Edit - Assuming many of you are running Windows, your anti-virus program needs to apply a registry key to be able to receive updates from January 2018 and going forward. More info here:

https://support.microsoft.com/en-us/help/4072699/january-3-2018-windows-security-updates-and-antivirus-software

If you have no A/V installed, Windows Defender will take care of it for you (assuming you are running a system with Windows Defender).
« Last Edit: January 17, 2018, 05:44:25 PM by junker »
Please make sure to check out these resources to ensure that your time at tfes.org is enjoyable and productive.

1. The Rules

2. The FAQ

3. The Wiki

You're doing God's work, junker.

*

Offline Parsifal

  • Administrator
  • *****
  • Posts: 5211
  • A couple of bums
    • View Profile
Re: Meltdown/Spectre
« Reply #1 on: January 17, 2018, 07:41:55 PM »
Patch your OS, patch your BIOS, and if you are running a hypervisor, patch that too.

Still waiting for a patch for OpenBSD as the proletarian OSes scramble to catch up after the 6-month Illuminati-only embargo. This incident has destroyed whatever faith I had left in this industry as a whole.
How the hell am I supposed to be a moron if I keep educating myself?  >:(

Re: Meltdown/Spectre
« Reply #2 on: January 25, 2018, 06:39:42 PM »
Thank you Junker for your advice.


Here is a little advice from me. Never ever install an update until it is a least 3 months old and people like Junker have done the testing for you. Whether it is an iOS update or a windows update or a bios update or whatever. Just wait.

You'll be told your computer is unstable, insecure, dangerous, open to attack and all the rest of those FUD claims. However the single biggest threat to your computer is from the patch you got given to fix it.

https://www.christianpost.com/news/intel-confirms-patches-for-meltdown-and-spectre-bugs-affect-even-newer-generations-of-cpus-214406/
https://www.engadget.com/2018/01/18/intel-spectre-reboot-problem-affects-newer-cpu/

Just wait a few months ... see how things turn out and then update. In the mean time, you aren't going to get an issue from meltdown or spectre in the next few months on your machine (very very low probability) ... so just relax and wait.  :)
« Last Edit: January 25, 2018, 06:42:26 PM by Baby Thork »
Rate this post.      ๐Ÿ‘ 6     ๐Ÿ‘Ž 1

*

Offline Parsifal

  • Administrator
  • *****
  • Posts: 5211
  • A couple of bums
    • View Profile
Re: Meltdown/Spectre
« Reply #3 on: January 25, 2018, 06:47:51 PM »
Just wait a few months ... see how things turn out and then update. In the mean time, you aren't going to get an issue from meltdown or spectre in the next few months on your machine (very very low probability) ... so just relax and wait.  :)

Or use an OS made by people who don't put out shit releases without testing, but that might be too much to ask for this Shiny-Object-Syndrome-infected industry. Why use something that works when you can use something with a nice paint job, right?
How the hell am I supposed to be a moron if I keep educating myself?  >:(

Re: Meltdown/Spectre
« Reply #4 on: January 25, 2018, 07:10:06 PM »
I haven't got enough life to f-about using command lines and learning a fairly non-transferable syntax with the added inconvenience of having to spend forever looking for drivers and workarounds for all the things that aren't compatible.

Or use an OS made by people who don't put out shit releases without testing, but that might be too much to ask for this Shiny-Object-Syndrome-infected industry. Why use something that works when you can use something with a nice paint job, right?

I don't need to be hands on getting involved in the mechanics of my machine.
I'd rather use the keys to my car than hot wire it. I just want it to work. I don't care how it works.
« Last Edit: January 25, 2018, 07:11:50 PM by Baby Thork »
Rate this post.      ๐Ÿ‘ 6     ๐Ÿ‘Ž 1

*

Offline junker

  • Planar Moderator
  • *****
  • Posts: 8407
  • Boom
    • View Profile
Re: Meltdown/Spectre
« Reply #5 on: January 25, 2018, 09:10:47 PM »
Here is a little advice from me. Never ever install an update until it is a least 3 months old and people like Junker have done the testing for you.

This is absolutely terrible advice. The Windows SMB vulnerability is proof enough of that. A patch was available yet plenty of organizations did not test/install it, and it had a very real impact on people's lives. Had they applied the SMB patch (assuming they were running supported operating systems), then the entire mess would have been avoided.

What is scarier is that you claim to run an I.T. business. These are absolutely things you need to be up to date on, and preferably doing some sort of testing with on a regular basis. It is irresponsible and a disservice to your clients if security falls anywhere in your realm of responsibilities. You should be the one testing, not relying on others. I have a patching schedule that runs through test, then to prod. For consumers, you won't likely have this available, so you can weigh the risks on your own. For critical security patches, I would advise patching as soon as possible. If you are the type who is worried about issues (which there have been with spectre/meltdown patches), then wait a few days and keep on eye on the progress, but waiting several months is just asking to be compromised.
Please make sure to check out these resources to ensure that your time at tfes.org is enjoyable and productive.

1. The Rules

2. The FAQ

3. The Wiki

You're doing God's work, junker.

Re: Meltdown/Spectre
« Reply #6 on: January 25, 2018, 10:10:49 PM »
This is absolutely terrible advice. The Windows SMB vulnerability is proof enough of that. A patch was available yet plenty of organizations did not test/install it, and it had a very real impact on people's lives. Had they applied the SMB patch (assuming they were running supported operating systems), then the entire mess would have been avoided.

If you bothered to read my post, I said leave it 3 months. Not 20 years. The NHS hospitals that were hit were running Windows XP! An operating system no longer supported by Microsoft. The patch they should have installed had been around for ages.

What is scarier is that you claim to run an I.T. business. These are absolutely things you need to be up to date on, and preferably doing some sort of testing with on a regular basis. It is irresponsible and a disservice to your clients if security falls anywhere in your realm of responsibilities. You should be the one testing, not relying on others. I have a patching schedule that runs through test, then to prod. For consumers, you won't likely have this available, so you can weigh the risks on your own. For critical security patches, I would advise patching as soon as possible. If you are the type who is worried about issues (which there have been with spectre/meltdown patches), then wait a few days and keep on eye on the progress, but waiting several months is just asking to be compromised.
1) It is common practice for companies to run one operating system behind ... or at least 6 months behind on updates. They do not maintain bleeding edge updates. Also good avdice for the home user.
2) You are dispensing information to users on this website. Not companies. Home users do not need to worry about being cyber targeted. They aren't honey pots. You are far more likely to have an issue from a patch within 3 months, than you are to get a virus from a vulnerability within 3 months. At present there are no known spectre or meltdown viruses. It is only a vulnerability at present.

For critical security patches, I would advise patching as soon as possible.
And I would advise you wait. As this Intel update and many others recently have proven.

http://www.telegraph.co.uk/technology/2016/09/13/ios-10-launch-live-how-to-upgrade-to-apples-new-software-and-wha/
http://wjla.com/news/nation-world/iphone-glitch-causes-repeated-reboots-apple-issues-software-update-saturday

Downloading a rushed out patch is fraught with risk. As mentioned, the biggest threat to your computer is the patch you are about to install. Wait 3 months, let Junker brick his computer and complain to the vendor, let them sort that out, and then install once you know the patch is thoroughly tested by those who think it clever to 'patch as soon as possible'.
« Last Edit: January 25, 2018, 10:25:07 PM by Baby Thork »
Rate this post.      ๐Ÿ‘ 6     ๐Ÿ‘Ž 1

*

Offline junker

  • Planar Moderator
  • *****
  • Posts: 8407
  • Boom
    • View Profile
Re: Meltdown/Spectre
« Reply #7 on: January 25, 2018, 10:26:36 PM »
If you bothered to read my post, I said leave it 3 months. Not 20 years. The NHS hospitals that were hit were running Windows XP! An operating system no longer supported by Microsoft.
The NHS example was just one incident of very many. That one happened to get a lot of press. While plenty of machines were XP and not supported, Microsoft still ended up releasing a patch for their unsupported OS to remedy the issue. Along with patches for Server 2003. That wouldn't have helped because it was after the incident anyway, but somehow I doubt every instance was an XP/2003 machine and not just an unpatched, supported OS.


1) It is common practice for companies to run one operating system behind ... or at least 6 months behind on updates. They do not maintain bleeding edge updates. Also good avdice for the home user.
An OS is fine, as there are plenty of compatibility concerns that may need to be accounted for. As long as the OS is still supported. 6 months on patches is purely anecdotal on your part. And it is an objectively bad policy if it is in place, regardless of the reasons behind it.


2) You are dispensing information to users on this website. Not companies. Home users do not need to worry about being cyber targeted.
This is simply nonsense. Automated attacks on public IPs happen 24x7, including home users. Targeted attacks not so much unless it is someone high profile.


You are far more likely to have an issue from a patch within 3 months, than you are to get a virus from a vulnerability within 3 months. At present there are no known spectre or meltdown viruses. It is only a vulnerability at present.
Again, this is purely made up on your part. If you said within a week, then I would agree, as that has been seen repeatedly by anyone who does this for a living. And just because you aren't aware of existing exploits for Spectre/Meltdown certainly doesn't mean they don't exist.


And I would advise you wait. As this update and many others recently have proven.
Not 3 months. It is terrible advice and displays your ignorance of the field. Attitudes like this are why there are new compromises in the news almost daily.


Downloading a rushed out patch is fraught with risk. As mentioned, the biggest threat to your computer is the patch you are about to install. Wait 3 months, let Junker brick his computer and complain to the vendor, let them sort that out, and then install.
It is a risk that people can weigh for themselves. It isn't the biggest threat to your computer, that is just another made up claim by you. I wish you luck in your endeavors to provide I.T. to your customers. Assuming you go with the poor practices you've outlined here, I hope you never get hit with things like WannaCry because you have some made up delay as to when security patches should be applied.
Please make sure to check out these resources to ensure that your time at tfes.org is enjoyable and productive.

1. The Rules

2. The FAQ

3. The Wiki

You're doing God's work, junker.

Re: Meltdown/Spectre
« Reply #8 on: January 25, 2018, 10:44:09 PM »
It is the biggest threat to your computer.

If you do nothing, you run a lottery of getting a virus first that no one has ever heard of. Very slim odds. No spectre or meltdown viruses exist. What are the odds someone makes one, and you are infected?

What are the odds that if you downloaded the patch it would screw your PC up? Quite high. Look at all the people being effected by these updates. Millions of them.

I might also add most viruses are rather benign. A keylogger, a browser hijacker, and trojan. All these things are very fixable. What are you going to do when Apple releases a patch and you download and brick your device?
http://wjla.com/news/nation-world/iphone-glitch-causes-repeated-reboots-apple-issues-software-update-saturday
You can't even roll the bloody thing back.

You are just wrong. You picked examples like the NHS and those are entities that are several years behind with updates. Not 3-6 months. Many companies take at least 6 months, just to finish testing for compatibility with in-house software. They aren't installing next day updates. That is not anecdotal ... that is industry standard. You don't run bleeding edge updates in large organisations.

There is no need as a home user to be up to the minute. You only run the risk of installing a botched update, the prevalence or which has increased dramatically of late. You aren't likely to be able to test it and find such errors yourself ... just let large corps do the work, let those who claim vulnerability bounties knock themselves out testing ... and when the coast is clear 3-6 months later ... install.

https://www.forbes.com/sites/gordonkelly/2017/12/05/apple-ios-11-2-problems-ios-11-problem-iphone-battery-life/#377fdec259d9
I avoided all that crap.
« Last Edit: January 25, 2018, 10:46:46 PM by Baby Thork »
Rate this post.      ๐Ÿ‘ 6     ๐Ÿ‘Ž 1

*

Offline junker

  • Planar Moderator
  • *****
  • Posts: 8407
  • Boom
    • View Profile
Re: Meltdown/Spectre
« Reply #9 on: January 25, 2018, 11:09:12 PM »
It is the biggest threat to your computer.
This is simply false. You seem to be committed to it, though, so I won't try to change your mind. I will just point it out for other users who happen to read the thread.

No spectre or meltdown viruses exist.
You literally do not know this, so I don't know why you keep saying it.

What are the odds that if you downloaded the patch it would screw your PC up? Quite high. Look at all the people being effected by these updates. Millions of them.
It isn't quite high. You are simply using this as an example to make a blanket statement. Thousands of patches come and ago without issue. Again, waiting a week wouldn't cause an issue, as you'd see that there is a chance this particular patch could cause a problem. The patch gets pulled, and a better one is released. You don't have to be bleeding edge, but 3-6 months is an arbitrary time frame made up by you, and doesn't comply with any sort of best practice.

I might also add most viruses are rather benign. A keylogger, a browser hijacker, and trojan. All these things are very fixable.
Whatever the risk is worth to you I guess. The bad guys only have to get it right once, and then you are dealing with stolen identity issues for the next 5 years.

You are just wrong. You picked examples like the NHS and those are entities that are several years behind with updates.
You suggesting that I am wrong shows your ignorance once again, and I would caution anyone reading to question your advice on anything I.T. related. In this SMB case, Microsoft released a patch 2 months or so before the first major attacks. You pretending this isn't a risk is irrelevant. You don't have to be years behind to be impacted, as evidenced by this specific example.

Not 3-6 months. Many companies take at least 6 months, just to finish testing for compatibility with in-house software. They aren't installing next day updates. That is not anecdotal ... that is industry standard. You don't run bleeding edge updates in large organisations.
Bleeding edge is updating prod the same day a patch is released. Companies may have 3-6 month delays, but it doesn't change the fact it is bad practice, and likely driven by inefficiency. And it isn't an industry standard, stop making things up. I've worked for plenty of very large organizations, and we rolled about a month behind, sometimes 6 weeks for extra change management.

There is no need as a home user to be up to the minute. You only run the risk of installing a botched update, the prevalence or which has increased dramatically of late. You aren't likely to be able to test it and find such errors yourself ... just let large corps do the work, let those who claim vulnerability bounties knock themselves out testing ... and when the coast is clear 3-6 months later ... install.
I agree not "up to the minute." For some reason you seem to suggest there isn't a middle ground between the day a patch is released and your arbitrary "3-6 months."


Obviously we aren't going to agree on this. I am just compelled to point out that you are suggesting bad practices. People and businesses can weigh the risk and make their own decisions, but to try to pretend a bad practice is not a bad practice because of $REASON is juvenile. To call it a "standard" is dishonest and speaks to limited experience. Again, people engage in bad habits all the time, but they should at least be self-aware that it is a bad habit and not try to pretend otherwise.
« Last Edit: January 25, 2018, 11:20:36 PM by junker »
Please make sure to check out these resources to ensure that your time at tfes.org is enjoyable and productive.

1. The Rules

2. The FAQ

3. The Wiki

You're doing God's work, junker.

*

Offline Parsifal

  • Administrator
  • *****
  • Posts: 5211
  • A couple of bums
    • View Profile
Re: Meltdown/Spectre
« Reply #10 on: January 25, 2018, 11:41:48 PM »
Why use something that works

I just want it to work.

Looks like someone didn't read my post.
How the hell am I supposed to be a moron if I keep educating myself?  >:(

Re: Meltdown/Spectre
« Reply #11 on: January 26, 2018, 12:30:34 AM »
I would advise patching as soon as possible.
I'm not going to let you run away from this statement. It is bad advice.

Why use something that works

I just want it to work.

Looks like someone didn't read my post.
I read your post. I may not have understood your post, but I definitely read it. Or are you going to go all Junker on me and start making stuff up?  >:(

Rate this post.      ๐Ÿ‘ 6     ๐Ÿ‘Ž 1

*

Offline junker

  • Planar Moderator
  • *****
  • Posts: 8407
  • Boom
    • View Profile
Re: Meltdown/Spectre
« Reply #12 on: January 26, 2018, 12:39:35 AM »
I would advise patching as soon as possible.
I'm not going to let you run away from this statement. It is bad advice.

Itโ€™s almost like the literal thing I said is general enough to fit everyoneโ€™s use cases. It doesnโ€™t change the fact that your suggestion is bad practice.
Please make sure to check out these resources to ensure that your time at tfes.org is enjoyable and productive.

1. The Rules

2. The FAQ

3. The Wiki

You're doing God's work, junker.

*

Offline Parsifal

  • Administrator
  • *****
  • Posts: 5211
  • A couple of bums
    • View Profile
Re: Meltdown/Spectre
« Reply #13 on: January 26, 2018, 01:02:43 AM »
I read your post. I may not have understood your post, but I definitely read it. Or are you going to go all Junker on me and start making stuff up?  >:(

I suggested using an OS that doesn't ship broken garbage. There are plenty of those out there to suit everyone. I have no idea why you seem to have assumed I was talking about one in particular.
How the hell am I supposed to be a moron if I keep educating myself?  >:(

Re: Meltdown/Spectre
« Reply #14 on: January 26, 2018, 01:08:13 AM »
I would advise patching as soon as possible.
I'm not going to let you run away from this statement. It is bad advice.

Itโ€™s almost like the literal thing I said is general enough to fit everyoneโ€™s use cases. It doesnโ€™t change the fact that your suggestion is bad practice.

It isn't
http://uk.businessinsider.com/why-you-should-wait-to-install-software-updates-2015-12?r=US&IR=T
https://www.computerworld.com/article/3213929/microsoft-windows/the-case-against-windows-automatic-update.html


This has been going on for a long time now.
https://www.infoworld.com/article/2834535/security/four-more-botched-black-tuesday-patches-kb-3000061-kb-2984972-kb-2949927-and-kb-2995388.html

If you are still patching "as soon as possible" you are doing it wrong. Do you get 4 viruses a week because you take a few months to update? Updates are far more likely to take down your home computer than any threat. Just be patient, leave it a while and done. I don't know why this is hard to understand. All the evidence is there. Every week another botched update is rolled out by someone. If you wait a while, you only update the ones that aren't pulled or repatched. In other words you aren't willfully loading harmful software onto your machine.

I read your post. I may not have understood your post, but I definitely read it. Or are you going to go all Junker on me and start making stuff up?  >:(

I suggested using an OS that doesn't ship broken garbage. There are plenty of those out there to suit everyone. I have no idea why you seem to have assumed I was talking about one in particular.
All the OSes you have ever suggested are nihilistic, command-driven time thieves with the visual beauty of a octogenarian vagina. 
Rate this post.      ๐Ÿ‘ 6     ๐Ÿ‘Ž 1

*

Offline junker

  • Planar Moderator
  • *****
  • Posts: 8407
  • Boom
    • View Profile
Re: Meltdown/Spectre
« Reply #15 on: January 26, 2018, 01:19:06 AM »
No matter how many times you repeat yourself, Thork, it doesnโ€™t make you any less wrong. Iโ€™m sorry if thatโ€™s hard for you to understand.
Please make sure to check out these resources to ensure that your time at tfes.org is enjoyable and productive.

1. The Rules

2. The FAQ

3. The Wiki

You're doing God's work, junker.

*

Offline Parsifal

  • Administrator
  • *****
  • Posts: 5211
  • A couple of bums
    • View Profile
Re: Meltdown/Spectre
« Reply #16 on: January 26, 2018, 01:37:47 AM »
with the visual beauty of a octogenarian vagina. 
Why use something that works when you can use something with a nice paint job, right?

Thanks for making my point for me. If you're going to follow the herd and choose form over function, don't complain when you end up with something that doesn't function.
How the hell am I supposed to be a moron if I keep educating myself?  >:(

Re: Meltdown/Spectre
« Reply #17 on: January 26, 2018, 03:22:20 PM »
with the visual beauty of a octogenarian vagina. 
Why use something that works when you can use something with a nice paint job, right?

Thanks for making my point for me. If you're going to follow the herd and choose form over function, don't complain when you end up with something that doesn't function.

Pretty sure I already had this covered.
I'd rather use the keys to my car than hot wire it. I just want it to work. I don't care how it works.
Rate this post.      ๐Ÿ‘ 6     ๐Ÿ‘Ž 1

*

Offline Parsifal

  • Administrator
  • *****
  • Posts: 5211
  • A couple of bums
    • View Profile
Re: Meltdown/Spectre
« Reply #18 on: January 26, 2018, 05:02:49 PM »
Pretty sure I already had this covered.
I'd rather use the keys to my car than hot wire it. I just want it to work. I don't care how it works.

I'm literally telling you to use something that works. You're telling me you're going to use something shiny instead, because you want something that works.

Does not compute.
How the hell am I supposed to be a moron if I keep educating myself?  >:(

Re: Meltdown/Spectre
« Reply #19 on: January 26, 2018, 05:06:53 PM »
A bicycle works. A shiny car costs more and is easier to use. I understand how every part of a bicycle works and can fix it. I can't do this with my 'bloated' one ton car. It needs a laptop and a skilled mechanic. Sometimes my car breaks. I need to spend time and money fixing it. But I'm sure as hell not going to use my bike to cycle to London.  >o<
Rate this post.      ๐Ÿ‘ 6     ๐Ÿ‘Ž 1