Debian User Forums

[Deb-fan]

Well the original idea in this is obviously trash/ed. Yep according to plenty of credible sources the host OS is accessible by this zombieload junk through kvm(or another real hypervisor.) Still think this is mostly a concern in a multiuser environment(many of them being who knows who users. With plenty of access time on their hands.) Still not at all worried about this regardless. The only aspect that concerns me is the researchers saying stuff like with a couple lines of javascript ZL can leak xyz but everything I've been able to find on this is so damn vague it's friggin infuriating. Personally been using noscript forever, will continue doing so, as well as never bothering with flashplayer, esp adobe's nightmare and long gotten rid of java in the browser as well. Firefox supposedly patched for this though again not really able to find much good info on what that means.

Saw one source saying they managed to use ZL to extract the /etc/shadow file from a gnu/nix OS via it's web browser, it reportedly took them 24hrs to do so and presumably javascript was used for this. Who spends 24 straight hours dorking around on a website normally anyway and with js enabled too ? Which of course any passwords they get are hashed anyway, while yeah depending on password strength may be cracked. Still leaves much they'd need to do to find and connect to that system again(would seem highly unlikely truthfully), even if they've successfully gotten ahold of creds for it. Arghhhh. Again ... really think this just amounts to yet more online hazards, nothing more or less. At least for vast majority of desktop nixers. Outside of a multiuser setting can still see where this could make malicious hackers lives easier if they can get a foothold onto a users system. Though that still requires that targeted user doing or having done something stoopid for that to be possible. As usual believe it's more of a concern for M$ users in that context, as they're dependent upon M$ to great extent and clearly never an ideal position to be in. Still even for M$'s users, just one more of a TON of other exploits and easy button solution for this threat = AMD.

[CwF]

Ya, 24 hrs on my systems is impossible due to pause capabilities, dhcp timeouts, etc. I still understand this risk as requiring physical access at first. I do believe there are too many ways to have things operating for any standardized approach. Don't forget, to exploit 'adjacent data' it needs to be adjacent. Single home use risk is still zero in my opinion, and at least at the bottom of the risk list.

Since this thread is borked, I'll add another twist. While I do think info leakage to private entities is a bad thing, I've been swayed by a simple argument I heard a decade ago. A government data professional then said, "we are often ask to find the needle in the haystack. This requires ONE thing, the haystack." In so many ways big data is very helpful. In medical research, it's pure gold. I do see both sides and try to explain to people that while detailed info on YOU might be out there, YOU are not necessarily the interest. Big G had some discussion awhile back talking about the disappointment in the info they collect, estimating maybe a third of it is 'actionable'. Most ad revenue is bogus, bad assumptions, already closed the deal, overall exceptionally low hit rate, etc. I've morphed somewhat and am not really concerned with the collection, or the haystack, and don't think it is beneficial or practical to create laws to restrict it. I'd rather see very serious laws against personalized use and abuse. Identity theft might as well be one step more serious than 1st degree murder. Any personal attack on me, I suggest the criminal call the police. I don't like guns, the criminal will wish I did.

With all that, I still segregate browser vm's for a simple reason, crosstalk. Some vm's never see an ad, some very few, some are wide open. I have found aggregation beyond our machines, at least I make them work for it. Note also, per some other threads, I do have browser vm's that live within a gig of memory, most 2GB, this one is sloppy with a 'full' 4GB. It takes but a single click for things to go crazy, but they're already in a padded cell.

[golinux]

@CwF . . . if you have not already watched this, now would be the time. Eben Moglen nails it:

viewtopic.php?f=3&t=142911

And back on topic . . . I ran

Code: Select all

grep -R . /sys/devices/system/cpu/vulnerabilities

and it returned nothing.

[CwF]

@golinux
I have, should watch it again sometime. It's like no one watches sci-fi stuff, and thinks about it. The things that are happening, like they are new ideas? It's all been addressed, multiple times, some references 40-50 years old.

I do have vulnerabilities. But then I operate as a honey pot, with horsepower and depth.

[golinux]

@CwF . . . Indeed. Like this Mike Wallace interview 60 years ago in 1958 with Aldous Huxley:

https://www.youtube.com/watch?v=alasBxZsb40

[CwF]

Very good golinux!
A drag after each question!
The best population control is prosperity, the selfish check.
I'd like to see Michio Kaku talking with these guys. Much has changed. The interesting part would be what hasn't. We're a couple full cycles into the wave. Underneath it all is a humanity that's been in most phases before. I'm hopeful we are leaving a complacent stage and entering a skeptical one, That's why the media is so coordinated pounding on 'the message', people are starting to tune out and stop listening. I also called the orange disruptor, an agent to reveal hypocrisy in all, and help raise the skepticism.