Did I get my system compromised?

[bester69]

I saw today one discord's user has made a capture of my desktop

What could it be??.. Ive realised I was using same user password for my user and for discord, perhaps he has been able to remote hack discord password and used to take this capture?.. Ive changed my user password and set two-factor authentification in discord... Dont know, this is sometimes scary, the false security linux give you.. :




its also truth ive opera and brave browsers holded to some outdated versions (Chromium: 80.0.3987.116)..
I hope this has nothing to be with Meltdown/Spectre.. Ive those secuity holes opened cos performances reasons..:

As you can see my system is like a cheese... its has 9 holes

Spectre and Meltdown mitigation detection tool v0.43
Kernel is Linux 4.4.39-040439-generic #201612151346 SMP Thu Dec 15 18:48:20 UTC 2016 x86_64

Code: Select all

Spectre and Meltdown mitigation detection tool v0.43

Checking for vulnerabilities on current system
Kernel is Linux 4.4.39-040439-generic #201612151346 SMP Thu Dec 15 18:48:20 UTC 2016 x86_64
CPU is Genuine Intel(R) CPU             575  @ 2.00GHz
                                                                                                                                           
Hardware check                                                                                                                             
* Hardware support (CPU microcode) for mitigation techniques                                                                               
  * Indirect Branch Restricted Speculation (IBRS)                                                                                          
    * SPEC_CTRL MSR is available:  NO                                                                                                      
    * CPU indicates IBRS capability:  NO                                                                                                   
  * Indirect Branch Prediction Barrier (IBPB)                                                                                              
    * PRED_CMD MSR is available:  NO                                                                                                       
    * CPU indicates IBPB capability:  NO                                                                                                   
  * Single Thread Indirect Branch Predictors (STIBP)                                                                                       
    * SPEC_CTRL MSR is available:  NO                                                                                                      
    * CPU indicates STIBP capability:  NO                                                                                                  
  * Speculative Store Bypass Disable (SSBD)                                                                                                
    * CPU indicates SSBD capability:  NO                                                                                                   
  * L1 data cache invalidation                                                                                                             
    * FLUSH_CMD MSR is available:  NO 
    * CPU indicates L1D flush capability:  NO 
  * Microarchitectural Data Sampling
    * VERW instruction is available:  NO 
  * Enhanced IBRS (IBRS_ALL)
    * CPU indicates ARCH_CAPABILITIES MSR availability:  NO 
    * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability:  NO 
  * CPU explicitly indicates not being vulnerable to Meltdown/L1TF (RDCL_NO):  NO 
  * CPU explicitly indicates not being vulnerable to Variant 4 (SSB_NO):  NO 
  * CPU/Hypervisor indicates L1D flushing is not necessary on this system:  NO 
  * Hypervisor indicates host CPU might be vulnerable to RSB underflow (RSBA):  NO 
  * CPU explicitly indicates not being vulnerable to Microarchitectural Data Sampling (MDS_NO):  NO 
  * CPU explicitly indicates not being vulnerable to TSX Asynchronous Abort (TAA_NO):  NO 
  * CPU explicitly indicates not being vulnerable to iTLB Multihit (PSCHANGE_MSC_NO):  NO 
  * CPU explicitly indicates having MSR for TSX control (TSX_CTRL_MSR):  NO 
  * CPU supports Transactional Synchronization Extensions (TSX):  NO 
  * CPU supports Software Guard Extensions (SGX):  NO 
  * CPU microcode is known to cause stability problems:  NO  (model 0xf family 0x6 stepping 0xd ucode 0xa4 cpuid 0x6fd)
  * CPU microcode is the latest known available version:  YES  (latest version is 0xa4 dated 2010/10/02 according to builtin firmwares DB v130.20191104+i20191027)
* CPU vulnerability to the speculative execution attack variants
  * Vulnerable to CVE-2017-5753 (Spectre Variant 1, bounds check bypass):  YES 
  * Vulnerable to CVE-2017-5715 (Spectre Variant 2, branch target injection):  YES 
  * Vulnerable to CVE-2017-5754 (Variant 3, Meltdown, rogue data cache load):  YES 
  * Vulnerable to CVE-2018-3640 (Variant 3a, rogue system register read):  YES 
  * Vulnerable to CVE-2018-3639 (Variant 4, speculative store bypass):  YES 
  * Vulnerable to CVE-2018-3615 (Foreshadow (SGX), L1 terminal fault):  NO 
  * Vulnerable to CVE-2018-3620 (Foreshadow-NG (OS), L1 terminal fault):  YES 
  * Vulnerable to CVE-2018-3646 (Foreshadow-NG (VMM), L1 terminal fault):  YES 
  * Vulnerable to CVE-2018-12126 (Fallout, microarchitectural store buffer data sampling (MSBDS)):  YES 
  * Vulnerable to CVE-2018-12130 (ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)):  YES 
  * Vulnerable to CVE-2018-12127 (RIDL, microarchitectural load port data sampling (MLPDS)):  YES 
  * Vulnerable to CVE-2019-11091 (RIDL, microarchitectural data sampling uncacheable memory (MDSUM)):  YES 
  * Vulnerable to CVE-2019-11135 (ZombieLoad V2, TSX Asynchronous Abort (TAA)):  NO 
  * Vulnerable to CVE-2018-12207 (No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)):  YES 

CVE-2017-5753 aka 'Spectre Variant 1, bounds check bypass'
* Kernel has array_index_mask_nospec:  NO 
* Kernel has the Red Hat/Ubuntu patch:  NO 
* Kernel has mask_nospec64 (arm64):  NO 
* Checking count of LFENCE instructions following a jump in kernel...  NO  (only 8 jump-then-lfence instructions found, should be >= 30 (heuristic))
> STATUS:  VULNERABLE  (Kernel source needs to be patched to mitigate the vulnerability)

CVE-2017-5715 aka 'Spectre Variant 2, branch target injection'
* Mitigation 1
  * Kernel is compiled with IBRS support:  NO 
    * IBRS enabled and active:  NO 
  * Kernel is compiled with IBPB support:  NO 
    * IBPB enabled and active:  NO 
* Mitigation 2
  * Kernel has branch predictor hardening (arm):  NO 
  * Kernel compiled with retpoline option:  NO 
> STATUS:  VULNERABLE  (IBRS+IBPB or retpoline+IBPB is needed to mitigate the vulnerability)

CVE-2017-5754 aka 'Variant 3, Meltdown, rogue data cache load'
* Kernel supports Page Table Isolation (PTI):  NO 
  * PTI enabled and active:  UNKNOWN  (dmesg truncated, please reboot and relaunch this script)
  * Reduced performance impact of PTI:  NO  (PCID/INVPCID not supported, performance impact of PTI will be significant)
* Running as a Xen PV DomU:  NO 
> STATUS:  UNKNOWN  (couldn't find any clue of PTI activation due to a truncated dmesg, please reboot and relaunch this script)

CVE-2018-3640 aka 'Variant 3a, rogue system register read'
* CPU microcode mitigates the vulnerability:  NO 
> STATUS:  VULNERABLE  (an up-to-date CPU microcode is needed to mitigate this vulnerability)

CVE-2018-3639 aka 'Variant 4, speculative store bypass'
* Kernel supports disabling speculative store bypass (SSB):  NO 
* SSB mitigation is enabled and active: > STATUS:  VULNERABLE  (Neither your CPU nor your kernel support SSBD)

CVE-2018-3615 aka 'Foreshadow (SGX), L1 terminal fault'
* CPU microcode mitigates the vulnerability:  N/A 
> STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not vulnerable)

CVE-2018-3620 aka 'Foreshadow-NG (OS), L1 terminal fault'
* Kernel supports PTE inversion:  NO 
* PTE inversion enabled and active:  UNKNOWN  (sysfs interface not available)
> STATUS:  VULNERABLE  (Your kernel doesn't support PTE inversion, update it)

CVE-2018-3646 aka 'Foreshadow-NG (VMM), L1 terminal fault'
* This system is a host running a hypervisor:  NO 
* Mitigation 1 (KVM)
  * EPT is disabled:  N/A  (the kvm_intel module is not loaded)
* Mitigation 2
  * L1D flush is supported by kernel:  NO 
  * L1D flush enabled:  UNKNOWN  (can't find or read /sys/devices/system/cpu/vulnerabilities/l1tf)
  * Hardware-backed L1D flush supported:  NO  (flush will be done in software, this is slower)
  * Hyper-Threading (SMT) is enabled:  NO 
> STATUS:  NOT VULNERABLE  (this system is not running a hypervisor)

CVE-2018-12126 aka 'Fallout, microarchitectural store buffer data sampling (MSBDS)'
* Kernel supports using MD_CLEAR mitigation:  NO 
> STATUS:  VULNERABLE  (Neither your kernel or your microcode support mitigation, upgrade both to mitigate the vulnerability)

CVE-2018-12130 aka 'ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)'
* Kernel supports using MD_CLEAR mitigation:  NO 
> STATUS:  VULNERABLE  (Neither your kernel or your microcode support mitigation, upgrade both to mitigate the vulnerability)

CVE-2018-12127 aka 'RIDL, microarchitectural load port data sampling (MLPDS)'
* Kernel supports using MD_CLEAR mitigation:  NO 
> STATUS:  VULNERABLE  (Neither your kernel or your microcode support mitigation, upgrade both to mitigate the vulnerability)

CVE-2019-11091 aka 'RIDL, microarchitectural data sampling uncacheable memory (MDSUM)'
* Kernel supports using MD_CLEAR mitigation:  NO 
> STATUS:  VULNERABLE  (Neither your kernel or your microcode support mitigation, upgrade both to mitigate the vulnerability)

CVE-2019-11135 aka 'ZombieLoad V2, TSX Asynchronous Abort (TAA)'
* TAA mitigation is supported by kernel:  NO 
* TAA mitigation enabled and active:  NO  (tsx_async_abort not found in sysfs hierarchy)
> STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not vulnerable)

CVE-2018-12207 aka 'No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)'
* This system is a host running a hypervisor:  NO 
* iTLB Multihit mitigation is supported by kernel:  NO 
* iTLB Multihit mitigation enabled and active:  NO  (itlb_multihit not found in sysfs hierarchy)
> STATUS:  NOT VULNERABLE  (this system is not running a hypervisor)

> SUMMARY: CVE-2017-5753:KO CVE-2017-5715:KO CVE-2017-5754:?? CVE-2018-3640:KO CVE-2018-3639:KO CVE-2018-3615:OK CVE-2018-3620:KO CVE-2018-3646:OK CVE-2018-12126:KO CVE-2018-12130:KO CVE-2018-12127:KO CVE-2019-11091:KO CVE-2019-11135:OK CVE-2018-12207:OK

[bester69]

It says I need to enable Kernel mitigation by updating microcode, but i updated microcode and kernel to last version, and set grub like that.:
GRUB_CMDLINE_LINUX_DEFAULT="zswap.enabled=0 zswap.zpool=zsmalloc apparmor=0"

rebooted, and most holes still were there.. , dont know how to put them all in green.

[oswaldkelso]

I would suggest you go through this thread and eliminate all the "apps" with no source code before you start blaming "Linux" for being insecure.

http://forums.debian.net/viewtopic.php?f=3&t=124280

[LE_746F6D617A7A69]

I saw today one discord's user has made a capture of my desktop

What could it be??.. Ive realised I was using same user password for my user and for discord, perhaps he has been able to remote hack discord password (...)

In fact You're lucky, because You have just realized that Your system has been compromised - think of of people who have no idea that their flatpak applications can become a security holes ...

[bester69]

I saw today one discord's user has made a capture of my desktop

What could it be??.. Ive realised I was using same user password for my user and for discord, perhaps he has been able to remote hack discord password (...)

In fact You're lucky, because You have just realized that Your system has been compromised - think of of people who have no idea that their flatpak applications can become a security holes ...

damn, I should have used flatpak's discord version to get some isolation...

[stevepusser]

Why are you looking at difficult spectre exploits when you already said you left the door open with duplicate passwords?

Your kernel is not the latest version--it's a 4.4 Ubuntu kernel that was built in 2016, long before anyone knew about these exploits. I have to wonder what version of microcode you're using now.

[bester69]

Why are you looking at difficult spectre exploits when you already said you left the door open with duplicate passwords?

Your kernel is not the latest version--it's a 4.4 Ubuntu kernel that was built in 2016, long before anyone knew about these exploits. I have to wonder what version of microcode you're using now.

Hi Steve,

im using kernel 4.4.39 and intel-microcode_3.20171117.1-bpo9+1_amd64
but i tried with kernerl 4.4.last and 5.9 plus 2020 stretch's last microcode, and security holes stilll were there when i runned that test again... the log says, i need to install last microcode or something like that to enable kernel mitigation...

Ive read last kernel (5.9) is able to deal with these meltdown/spectre patches and improving performance lost.

[Head_on_a_Stick]

im using kernel 4.4.39 and intel-microcode_3.20171117.1-bpo9+1_amd64

So you're using a kernel and µcode package that were released before Spectre & Meltdown were announced? Are you ****ing stupid?

Use the latest Debian buster kernel and µcode packages to get the full suite of mitigations (they're not fixes).

Then remove all the proprietary crap & anything that's not from the official Debian repositories and change all of your passwords. Or just reinstall from scratch and try to keep your system clean next time.

the false security linux give you

Unix was not designed to stop you from doing stupid things, because that would also stop you from doing clever things.

Security is a state of mind.

[LE_746F6D617A7A69]

You wont change my mind when I know Im right, Im not an ...

May the Force be with You, bester69 ...

[bester69]

damn, again organic portals''s noise is getting to me.. i dont find anywhere to hide myself ..they smell blood fresh ,they're everywhere around... in games they give you kicks/bans.. in discord they ban you.. what's going on its really scary..

[bester69]

im using kernel 4.4.39 and intel-microcode_3.20171117.1-bpo9+1_amd64

So you're using a kernel and µcode package that were released before Spectre & Meltdown were announced? Are you ****ing stupid?

Use the latest Debian buster kernel and µcode packages to get the full suite of mitigations (they're not fixes).

Then remove all the proprietary crap & anything that's not from the official Debian repositories and change all of your passwords. Or just reinstall from scratch and try to keep your system clean next time.

the false security linux give you

Unix was not designed to stop you from doing stupid things, because that would also stop you from doing clever things.

Security is a state of mind.

My system is perfect , stable and clean like water.. that was that cheesse of software called discord.. is a virus itself....The only propietary software I use is Mega client (always active) and sometimes some wine app I use for a while, like Swat4 game and faststone capture... rest of thing are very ordered , clean and stable, I try to install only debian repository software.. and use snapshots to consolidate stable and clean points... I install a lot of things and then reboot to snapshot stable to start again.. and the software I cant isntall throught debian repositories, i try to use snaps or flatpaks since BTRFS came out I didnt need to reinstall anymore thanks to use of snapshots

My system feels smooth and stable con i enjoy taking good cares of my system installation... i watch out all process and strange things I catch in desktop..and if i detect something bad.. I remind what was last i did, and restore a previously snapshot to fix that condition state..

[trinidad]

https://cybernews.com/privacy/discord-p ... e-in-2020/

Any gaming protocol that needs to interpret keystrokes into a public facing chat UI can get to you and your xorg.
Compromised? Ummmm... yeah could be.

TC

[bester69]

https://cybernews.com/privacy/discord-p ... e-in-2020/

Any gaming protocol that needs to interpret keystrokes into a public facing chat UI can get to you and your xorg.
Compromised? Ummmm... yeah could be.

TC

Sadly I can only get whole spectre protection by enabling PTI isolation..and my chipset doesnt support reduced performance impact of PTI:
Reduced performance impact of PTI: NO (PCID/INVPCID not supported, performance impact of PTI will be significant)

So, Im will stay like that and be more carefully; my microcode chipset neither gets any longer protection for last security holes..they stopped support in 2010..so i cant get away of any of thoses 8 security holes but the PTI mitigated...

brave browser is protectec against Spectre, so it wasnt the browser the culpier it had to be the discord app :

Disable site isolation
Disables site isolation (SitePerProcess, IsolateOrigins, etc). Intended for diagnosing bugs that may be due to out-of-process iframes. Opt-out has no effect if site isolation is force-enabled using a command line switch or using an enterprise policy. Caution: this disables important mitigations for the Spectre CPU vulnerability affecting most computers. – Mac, Windows, Linux, Chrome OS, Android

#site-isolation-trial-opt-out

In resume, it doesnt matter I update to las microcode cos they stopped in 2010 support for my chipset.. and kernel 4.4 do support enabling PTI and Spectre mitigations

[sgosnell]

I don't think you need to worry about all the security measures as long as you don't run Discord. That appears to be designed mostly for seining up private information from those foolish enough to use it. There are far better messaging apps, and almost all of them are more secure.

[LE_746F6D617A7A69]

brave browser is protectec against Spectre

That's bullshit - it's not the Brave browser which is protected, but it's Chrome/(ium) which is protected - by disabling precision timers for Java (so is Firefox, using the same methods)
And the Brave browser is just a clone of Chrome, excluding proprietary additions to the code, injected by the company behind the Brave browser. That additional closed source code is probably far more dangerous than the spectre/meltdown itself

My system is perfect

Yeah.
Your system has been compromised not because of outdated microcode, but because You are using insecure/untested applications, downloaded from untrusted sites - but yeah, I'm a "portal"

[bester69]

brave browser is protectec against Spectre

That's bullshit - it's not the Brave browser which is protected, but it's Chrome/(ium) which is protected - by disabling precision timers for Java (so is Firefox, using the same methods)
And the Brave browser is just a clone of Chrome, excluding proprietary additions to the code, injected by the company behind the Brave browser. That additional closed source code is probably far more dangerous than the spectre/meltdown itself

My system is perfect

Yeah.
Your system has been compromised not because of outdated microcode, but because You are using insecure/untested applications, downloaded from untrusted sites - but yeah, I'm a "portal"

Whats for you an untrusted site to you??..
.i think you're just being nosense and faithful to your own portal's nature...its very funny and disturbing to watch how once you provoke OP's subtly , they all starts overreacting to crazy loops of rising nostop hate...

[bester69]

I don't think you need to worry about all the security measures as long as you don't run Discord. That appears to be designed mostly for seining up private information from those foolish enough to use it. There are far better messaging apps, and almost all of them are more secure.

Thanks, Im very agree with you.. I used for joining tematic channels and conferences,..the app chats and rooms conferences are wonderfull.. but seems very insecure.

[oswaldkelso]

You use Debian like a "Windows TM" user. Get hacked like a "Windows TM" user and complain like a "Windows TM"user.

Why??? Because you are a "Windows TM" user. The give away is icons on the desktop (though I'll give you it's a more efficient setup than Gnome!)

Switch or go back to your true home

[bester69]

You use Debian like a "Windows TM" user. Get hacked like a "Windows TM" user and complain like a "Windows TM"user.

Why??? Because you are a "Windows TM" user. The give away is icons on the desktop (though I'll give you it's a more efficient setup than Gnome!)

Switch or go back to your true home

Oh yeah, Im afraid i summoned all Organic Portals again, they're coming!!! (be like i tell you and submit yourself or i will create a needed atmosfera noise till you're ready to get then ban; this is how they always operate )

[LE_746F6D617A7A69]

Whats for you an untrusted site to you??..

Just everything besides debian.org...

... are You surprised?

Life is brutal: the only way to be sure that a new version of some program is not containing unwanted code (a code which was not written by the original authors), is to download the code from GitHub and compile it against Your system - this is the only safe alternative to APT, but of course it's not as convenient.

F.e. I'm using Code::Blocks nightly builds - every single day on various systems - the first thing I do before compiling it from sources, is to verify if the changelogs are reflecting the changes in the code...

If You don't want to spend Your time on such things, or when You're not a developer, then the only way left is to use APT.