From: Aryeh Friedman
Date: Mon, 8 Jan 2018 04:15:46 -0500
Subject: Re: Meltdown – Spectre
To: Matthias Apitz, FreeBSD Mailing List

On Mon, Jan 8, 2018 at 3:57 AM, Matthias Apitz wrote:

> As a side note, and not related to FreeBSD: My Internet server is run by
> some webhosting company (www.1blu.de), they use Ubuntu servers and since
> yesterday they have shut down SSH access to the servers, arguing that
> they want to protect my (all's) servers against attacks of Meltdown and
> Spectre.
>
> Imagine, next time we have to shut down all IoT gadgets...

Not always possible for things like medical test equipment/devices. For example I maintain a specialized EMR for interacting with Dr. prescribed remote cardiac monitors. Having those offline is not an option since they are used to detect if the patient needs something more serious like a pacemaker (also almost always an IoT device these days) surgery. The actual monitoring is done on Windows and was attacked by some ransomware via a bitcoin miner that somehow installed itself.
Since all the users claim that they don't read email/upload/download executables or any other of the known attack vectors, this leaves something like Meltdown or Spectre. We have also detected issues on the CentOS that has the non-medical corporate site on it. The only machine left untouched on the physical server (running some bare metal virtualization tool) is the FreeBSD machine that runs the actual EMR we wrote.

TL;DR -- It seems Linux and Windows already have issues with these holes but I have seen little to no evidence that FreeBSD (when run as a host). In general, whenever any virtualization issue (like the bleed through on Qemu last year) comes up, FreeBSD is the one OS that seems to be immune (thanks to good design of the OS and bhyve). This is the main reason why I chose FreeBSD over Linux as the reference host for PetiteCloud.

--
Aryeh M. Friedman, Lead Developer, http://www.PetiteCloud.org