On Thu, 4 Jan 2018 12:50:44 -0500 sean darcy <seandarcy2@xxxxxxxxx> wrote:

> Meltdown - CVE-2017-5754 - is not mentioned in the koji kernel builds.
>
> But should we be worried about Meltdown even without kpti for:
>
> An internet facing headless laptop acting as a router. No local
> users. No X. No browsers. The only private info on the machine is ssh
> keys, and the local root password. Any potential problem?
>
> This machine is _very_ remote, running FC 25. We haven't updated to
> 26 because dnf remote update fails 2-3 times each update, leaving
> dups and a mess. We only update when we have someone there, which
> won't be for another 2 months.

I would say you can sleep at night.

Both of the two attacks I'm aware of, meltdown and spectre, require external software designed to exploit the weakness running on the system in order to succeed. If your router never allows anything that isn't already on it to execute, it isn't available for these attacks. That presumes there isn't something already on it using these exploits, which is very likely the case. And that it hasn't been compromised already - which precludes worry about the attack, anyway. :-)

For the average home user, whose only external software that runs on their system is browser client side software, being careful with javascript will mitigate much of the risk once meltdown is patched. Don't leave tabs open that have javascript enabled once you aren't using them. Block all javascript except that required to get the functionality you need.

From the paper, spectre can execute from javascript run in a sandbox - they provide demonstration code. If I were exploiting spectre, I would compromise a website that people access and leave open, that requires javascript, e.g. a weather site, a puzzle site, etc. I would then install the attack javascript and have it return the data from users that I would store over time until I gained something worthwhile. Like fishing.

This isn't like heartbleed; it requires patience. But I think it is invisible to current monitoring, so it has the time.

The real threat of this is to cloud service providers, whose business is allowing foreign software to run on their servers.

All that said, this advice is worth what you paid for it. As Matthew said, "Up to you..."

_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
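The thread's open question is whether the remote FC 25 box is running with kpti at all. As an added check that is not part of the thread (and not Fedora's or the kernel project's own tooling), the script below reads the per-vulnerability status files the kernel exposes under /sys/devices/system/cpu/vulnerabilities (present on 4.15 and on distro kernels that backported the fix; absent on older kernels, which the script reports as "cannot tell") and looks for the "pti" flag that x86 kernels with the Meltdown fix add to /proc/cpuinfo. Paths and the status-line prefixes ("Mitigation:", "Vulnerable", "Not affected") are the kernel's real ones; the VULN_DIR override and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: report whether the running
# kernel says it is mitigated against Meltdown/Spectre. Assumes Linux 4.15+ or
# a backported kernel; VULN_DIR may be overridden to point at a test directory.

VULN_DIR=${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}

# Map one status line, as the kernel writes it, to a short class.
classify_status() {
    case "$1" in
        "Not affected"*) echo "not-affected" ;;
        "Mitigation:"*)  echo "mitigated" ;;
        "Vulnerable"*)   echo "vulnerable" ;;
        *)               echo "unknown" ;;
    esac
}

# Print one line per vulnerability file in $1.
# Returns 0 if nothing is marked vulnerable, 1 if something is,
# 2 if the directory is missing (kernel too old to report).
report_dir() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "no $dir: kernel predates sysfs vulnerability reporting; cannot tell from here"
        return 2
    fi
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status=$(cat "$f")
        cls=$(classify_status "$status")
        printf '%-14s %-13s %s\n' "$(basename "$f")" "$cls" "$status"
        [ "$cls" = vulnerable ] && rc=1
    done
    return $rc
}

# True if the "pti" CPU flag (set by x86 kernels running with page-table
# isolation) appears in the cpuinfo file given as $1 (default /proc/cpuinfo).
pti_flag_present() {
    grep -qw pti "${1:-/proc/cpuinfo}"
}

# Stand-alone run against the live system.
report_dir "$VULN_DIR"
echo "vulnerability report exit status: $?"
if pti_flag_present; then
    echo "pti flag: present (kernel page-table isolation active)"
else
    echo "pti flag: absent (no KPTI, or not an x86 kernel with the fix)"
fi
```

On the headless router in the thread, a "mitigated" line for meltdown plus the pti flag confirms kpti; a missing directory means the kernel is too old to say, and the question has to be answered from the kernel changelog instead.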