Messages - xinnan

#2
General Discussion / Re: https://meltdownattack.com/
January 16, 2018, 10:08:06 PM
Well, thanks for banging away on it.
#3
General Discussion / Re: https://meltdownattack.com/
January 16, 2018, 08:39:21 PM
I'm very interested to find out how all these changes will impact packets per second, throughput in terms of bandwidth and VPN bandwidth etc.  I'm hoping it won't be huge.

I'm assuming that more packages, more filtering, more processing will equal more impact, but I'm just guessing and hoping it is less than initially thought.
#4
General Discussion / Re: https://meltdownattack.com/
January 16, 2018, 07:52:51 PM
Sounds like good stuff.  How big is "rather large" in terms of percent performance impact?
#5
General Discussion / Re: https://meltdownattack.com/
January 08, 2018, 08:53:25 PM
Security guys are talking a big game but I feel like this is a whole new game they are not prepared for.
BTW - The Firefox and Google Chrome patches seem to make things both slow and memory hungry if you ask me.

I'm going to need more tinfoil...
#6
General Discussion / Re: https://meltdownattack.com/
January 08, 2018, 11:42:54 AM
Generally true, but some of the Atom chips before 2013 and AMD chips as well are immune.  I'm talking about Spectre.  Meltdown can be addressed with OS updates if I'm not misled.

I'm pretty sure that neither my Athlon X2 nor my D2700 is at risk.  However, every laptop and desktop and small server I have is.  Those are all fairly modern Intel CPUs and I do not believe Intel when they say they have a fix for this.  I think they are just grasping at straws trying to prevent further devaluation.
#7
General Discussion / Re: https://meltdownattack.com/
January 08, 2018, 11:18:41 AM
The sad thing is that my box's processors are dated enough to be immune to these attacks but I bet the patches slow down my boxes anyway.  It's an epic mess.  Maybe some good will come of this and the x86 architecture will get a badly needed revamp.
#8
General Discussion / Re: https://meltdownattack.com/
January 07, 2018, 03:43:11 PM
Totally agree, judging by what I've read; however, VM is a local attack.  It is code running on the machine.  However, if you own the machine and you are the only one running VMs on the machine I think you are in the clear.

I don't think this really impacts most of us as far as OPNsense is concerned unless we are running VMs in the cloud and we don't know what the neighbors are up to.
#9
General Discussion / Re: https://meltdownattack.com/
January 06, 2018, 08:27:20 PM
I believe the word that is being tossed around is "mitigation". 

I think we are stuck with Spectre until the next slew of chips are fabricated and the problem is eliminated at the chip level. 
#10
General Discussion / Re: https://meltdownattack.com/
January 06, 2018, 04:11:53 PM
I'm not really worried about any of this as far as my firewall goes because unless OPNsense is going to start writing code to exploit the vulnerabilities themselves, I'm totally at a loss for how any of this would ever get a chance to RUN on my box.  Sure, it might pass through the firewall, but I don't see that as a threat to the firewall itself.

Now, if I had something running in a cloud I'd be very worried that someone else might run something malicious on that same cloud server.  I suppose it also makes sense to worry about computers where you run web browsers or that idiots who like clicking "yes, download, install" might have access to the keyboard.

However, probably the biggest problem I see is people running things in the cloud.  If I read and understand these vulnerabilities correctly, it would mean that I could run a malicious VM that could potentially start grabbing info from the memory of the server running many other VMs and potentially get lucky and gain some privileged info. 

#11
General Discussion / Re: Updates
December 21, 2017, 10:17:45 PM
I love updates.  Release them as often as you like whenever you like.  I never look a gift-horse in the mouth.
#12
Yep - Be sure to let me know when support for 64-bit systems runs out and it's 128-bit only.

You may need a Ouija Board or at least some smelling salts and a heater...
#13
I would feel very confident with auto update on hardware used and sold by OPNsense, assuming updates were tested on all the hardware sold in the last few years.  This would be a case where I'd see an advantage in buying from the sponsor's store.
#14
I'd create that with a delay.  I don't care what distro we are talking about, updates often crash a bunch of units.  The problems get reported and a fix is released.  Auto update would most likely lead to auto crash.  My experience anyway.  An exception may be if you were using exactly the same hardware that the OPNsense team was developing and testing with.
#15
General Discussion / Re: Another migration forced!
December 14, 2017, 06:47:01 PM
Had a similar issue with a company called Obihai recently.  They also prey on tech stupidity.

They sell phone FOBS that are basically SIP and they allow Google Voice.  That's on their server side.

So recently they decided to say that their obi100 (basically a sip device) was no longer supported. 

They advised me to buy their new device which offers the amazing new feature of doing exactly what the old one was doing just fine. 

Amazing.  Why don't they just ask for money instead of crap like that?