From: "Joey Kelly"
Cc: "freebsd-security@freebsd.org"
Date: Thu, 4 Jan 2018 09:42:43 -0600
Subject: Re: Intel hardware bug
In-Reply-To: <20726.1515042417@segfault.tristatelogic.com>

> In message
> <2347560.AJVtGcUuTT@elisha.atlnet>,
> Joey Kelly wrote:
>
>>...
>>No, I mean their lame excuses, dances around the truth, claiming many other
>>platforms AND OPERATING SYSTEMS do it too. 'Tain't so. This is hardware, INTEL
>>hardware, and not an OS problem...
>
> While it is clearly true, even from the current very preliminary reports, that
> this is indeed a hardware issue, rather than an OS issue, you may want to reserve
> judgement about the possibility that this thing is confined only to Intel
> hardware.

Hmm... others have my opinion too, it seems:

https://www.theregister.co.uk/2018/01/04/intel_meltdown_spectre_bugs_the_registers_annotations/

>
> Intel, of course, has said that they believe that this bug may also affect
> AMD and also ARM CPUs. (But then they would say that, wouldn't they?) But
> AMD, for its part, has already put out a public statement saying that their
> CPUs are not affected.
>
> So now, the other shoe that we should all be expecting to drop, any time now,
> is some public statement from ARM Holdings, PLC. If one has already been issued
> by that company, then Google News doesn't seem to be giving me any easy way to
> find it, and there is nothing of relevance on the ARM corporate web site
> (www.arm.com). So I suspect that they haven't said anything yet, which is
> itself a rather ominous data point.
>
> If it turns out that this same bug, or same sort of bug, also affects ARM-based
> chips, then that is quite possibly an even bigger deal than the already obvious
> Intel cataclysm.
>
>
> Regards,
> rfg
>
>
> P.S. It occurred to me today just how much this bug, and the still-fresh WPA2
> insecurities, are likely to cost -- said costs to be paid by an entire planet's
> worth of both individuals and businesses. I believe that it may be a conservative
> estimate to say that each one of these cock ups may cost the global economy
> something in the range of tens of billions of dollars, or perhaps even more.
>
> Immediately following on the heels of this thought, a somewhat humorous idea
> occurred to me...
>
> These days we have bug bounty programs which pay people to find bugs, in particular,
> security-related bugs. And perhaps as a result, nowadays we have a bumper crop of
> them to deal with.
>
> In contrast to that, for the past many decades, at least, in my country,
> at least, when there is an excess of some commodity... e.g. wheat, or corn,
> or some such thing... the government pays farmers to NOT grow that specific
> commodity.
>
> Given the gigantic global costs resulting from these ever-more-horrendous bugs
> that clever researchers are out there discovering, nowadays, on a regular basis,
> perhaps we should be paying people to NOT find bugs. That might be more cost
> effective, in the long run.
>
> And there is some precedent for this kind of counter-intuitive reward system,
> and not just in the field (excuse the pun) of agricultural commodities...
>
> https://www.washingtonpost.com/local/paying-criminals-not-to-commit-crime-may-not-be-so-funny-after-all/2016/02/08/151ab936-cea3-11e5-b2bc-988409ee911b_story.html
>
> http://www.foxnews.com/politics/2016/08/24/one-california-city-is-paying-people-not-to-commit-crimes.html
>
> http://www.guns.com/2017/09/01/sacramento-city-council-approves-1-5-million-program-to-combat-gun-violence/

-- 
Joey Kelly
Minister of the Gospel and Linux Consultant
http://joeykelly.net
504-239-6550