442 posts • joined 12 Jul 2008
What an unfortunate pair of names, when combined I parsed it as something quite different:
This two-year-old X.org give-me-root hole is so trivial to exploit, you can fit it in a single tweet
Re: Thanks for making this public
The CVE was raised back in July
Raised doesn't mean made public.
I monitor CVEs for a living (it's tedious and boring: since early 2017 there has been a huge increase in ones of no relevance). The first I saw of it was this tweet, yesterday at 9:30 pm.
The NIST site says published on the 25th, too.
Theo de Raadt of OpenBSD is not happy
Nobody at OpenBSD was made aware of the bug until very late on, despite an OpenBSD developer being on the X security team. The release of 6.4 could have been delayed until after the public announcement.
Can it re-phrase this into a form that doesn't cause schoolboys to fall asleep?
And spotteth twice they the camels before the third hour, and so, the Midianites went forth to Ram Gilead in Kadesh Bilgemath, by Shor Ethra Regalion, to the house of Gash-Bil-Bethuel-Bazda, he who brought the butter dish to Balshazar and the tent peg to the house of Rashomon, and there slew they the goats, yea, and placed they the bits in little pots. Here endeth the lesson.
libssh and libssh2
There are two similarly named projects:
Red Hat / CentOS, at least, use libssh2.
Note also that it only affects servers, not clients. sftp servers seem to be the most likely to be vulnerable and exposed.
Sounds very familiar
LWN article: Random numbers from CPU execution time jitter (2015) and HAVEGE: a linux "random" number generator that relies on instructions taking an unpredictable number of clock cycles to execute.
The consequences can be tragic
Re: What about all the other diseases?
That makes as much sense as complaining that a blood test for ebola can't detect a sprained ankle.
I was referring only to diseases diagnosed by inspecting the retina. What's the point of an automated system when a specialist has to look at it anyway to diagnose other diseases?
As for the prosecution, sorry - I missed a sarcasm tag. As with the case of Dr Hadiza Bawa-Garba, the case should never have been brought in the first place.
You will not, and will not allow any third party to ... (v) publish or provide any Software benchmark or comparison test results.
I can see why Debian aren't happy, seeing as without new instructions made available by microcode updates, some of the mitigations incur a significant performance hit.
One law for them, another for us
Do not forget the case of poor Daniel James Cuthbert, found guilty of an offence under the Computer Misuse Act back in 2005 for adding ../.. to the URL of a charity's web site.
There is a very thin line between "intending to secure access" and checking to see if insecurities may be present.
Re: What we need
Interested in your thoughts regarding Betamax v VHS
I contracted for a while at Pye TVT in Cambridge (working on a TV video effects console for the 1986 World Cup). Pye was a subsidiary of Philips, and there was a factory shop. Lots of employees, contractors and their friends and families ended up with Video 2000 recorders. Rumour had it that e.g. Dixons allocated the cassettes equally to all shops, and the manager of the Cambridge branch spent a lot of time on the phone talking to other branches to get their spare stock sent to him.
Getting back on topic, I also worked on the Acorn Archimedes and the Sinclair QL.
Dual use is hard.
Many years ago, I worked on computer aided mapping: semi-automated line following. Measuring the boundaries of all the woodland in the UK to calculate the total area, better 1:1250 maps with accurate buried utilities to stopping backhoes cutting fibre optic cables, what could possibly be wrong with that? Then came the Falklands war. Digitise the contours and produce a wire-frame perspective of Mount Tumbledown as viewed from Port Stanley, please.
A few years later, I worked on CNC blade tip grinders to make jet engines more fuel efficient. Making 747s greener is great. But what if the US Navy want some for their fighters? Or the Army for an AGT1500 turbine in an M1 Abrams tank?
Fibre break(s) near Manchester, too
Bury is north of central Manchester, so these may be separate incidents.
Re: CVE-2018-3693 "BCBS" (Bounds Check Bypass Store)
Yes - the ARM one is the same as the Intel one.
CVE: CVE-2017-5753, CVE-2018-3693
CVE-2018-3693 "BCBS" (Bounds Check Bypass Store)
Note that -3639 is a very similar "speculative store bypass" from May: don't get confused as I did for a short time. Could -3693 be the same as the Intel one?
arm64: spectre-v1 write fixes (CVE-2018-3693)
These patches inhibit spectre-v1-write gadgets found in arch/arm64, using the same mitigation applied to existing spectre-v1-read gadgets.
This issue is also known as CVE-2018-3693, or "bounds check bypass store". More details can be found in the Arm Cache Speculation Side-channels whitepaper, available from the Arm security updates site.
The other Large Hadron Collider incident
Active Desktop, which allowed HTML content (such as news headlines) to be shown on the user's desktop at the cost of prodigious amounts of CPU and RAM.
And bandwidth. I can remember one cow-orker enabling it, which rapidly became apparent when we looked at the ISDN logs and discovered that his desktop, left on overnight, had been connecting every few minutes, bringing the line up over and over again, incurring a call charge every time.
Not only do they only support TLS1.0, but including RC4-SHA in their cipher list? Really?
Supported Server Cipher(s):
Preferred TLSv1.0 128 bits AES128-SHA
Accepted TLSv1.0 256 bits AES256-SHA
Accepted TLSv1.0 128 bits RC4-SHA
Accepted TLSv1.0 112 bits DES-CBC3-SHA
Accepted TLSv1.0 128 bits ECDHE-RSA-AES128-SHA Curve P-256 DHE 256
Accepted TLSv1.0 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256
Accepted TLSv1.0 128 bits RC4-MD5
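As an added example (not part of the post above), the following Python script parses scan output in the layout quoted there and flags each cipher suite's weaknesses: the deprecated TLS 1.0 protocol, RC4, 3DES, MD5 MACs, and the lack of forward secrecy in the static-RSA suites. The line format and the sample block are assumed to match the post's output; the sample lines are copied from it.

```python
import re
from typing import Dict, List

# Sample scan output, copied from the post above (used as constructed test input)
SAMPLE_SCAN = """\
Supported Server Cipher(s):
Preferred TLSv1.0 128 bits AES128-SHA
Accepted TLSv1.0 256 bits AES256-SHA
Accepted TLSv1.0 128 bits RC4-SHA
Accepted TLSv1.0 112 bits DES-CBC3-SHA
Accepted TLSv1.0 128 bits ECDHE-RSA-AES128-SHA Curve P-256 DHE 256
Accepted TLSv1.0 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256
Accepted TLSv1.0 128 bits RC4-MD5
"""

# Assumed line layout: "<Preferred|Accepted> <protocol> <bits> bits <cipher> [extra]"
LINE_RE = re.compile(r"^(Preferred|Accepted)\s+(TLSv1\.[0-3]|SSLv[23])\s+(\d+)\s+bits\s+(\S+)")

# SSLv2/v3 and TLS 1.0/1.1 (the latter deprecated by RFC 8996)
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}


def cipher_findings(cipher: str, protocol: str, bits: int) -> List[str]:
    """Return the list of weaknesses for one OpenSSL-named suite on one protocol."""
    findings = []
    if protocol in WEAK_PROTOCOLS:
        findings.append(f"deprecated protocol {protocol}")
    if "RC4" in cipher:
        findings.append("RC4 stream cipher (prohibited by RFC 7465)")
    if "DES-CBC3" in cipher or "3DES" in cipher:
        findings.append("3DES with 64-bit blocks (Sweet32)")
    if cipher.endswith("-MD5"):
        findings.append("MD5-based MAC")
    if not cipher.startswith(("ECDHE-", "DHE-")):
        findings.append("no forward secrecy (static RSA key exchange)")
    if bits < 128:
        findings.append(f"only {bits}-bit security")
    return findings


def audit_scan(text: str) -> Dict[str, List[str]]:
    """Map every cipher suite found in the scan output to its weaknesses."""
    report: Dict[str, List[str]] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header or unrelated line
        _, proto, bits, cipher = m.groups()
        report[cipher] = cipher_findings(cipher, proto, int(bits))
    return report


if __name__ == "__main__":
    for suite, problems in audit_scan(SAMPLE_SCAN).items():
        print(f"{suite:28s} {'; '.join(problems) or 'ok'}")
```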