1. 40

  2. 6

    very surprising that the BSDs weren’t given heads up from the researchers. Feels like would be a list at this point of people who could rely on this kind of heads up.

    1. 13

      The more information and statements that come out, the more it looks like Intel gave the details to nobody beyond Apple, Microsoft and the Linux Foundation.

      Admittedly, macOS, Windows, and Linux covers almost all of the user and server space. Still a bit of a dick move; this is what CERT is for.

      1. 5

        Plus, the various BSD projects have security officers and secure, confidential ways to communicate. It’s not significantly more effort.

        1. 7


          And it’s worse than that when looking at the bigger picture: it seems the exploits and their details were released publicly before most server farms were given any head’s up. You simply can’t reboot whole datacenters overnight, even if the patches are available and you completely skip over the vetting part. Unfortunately, Meltdown is significant enough that it might be necessary, which is just brutal; there have to be a lot of pissed ops out there, not just OS devs.

          To add insult to injury, you can see Intel PR trying to spin Meltdown as some minor thing. They seem to be trying to conflate Meltdown (the most impactful Intel bug ever, well beyond f00f) with Spectre (a new category of vulnerability) so they can say that everybody else has the same problem. Even their docs say everything is working as designed, which is totally missing the point…

      2. 7

        Wasn’t there a post on here not long ago about Theo breaking embargos?


        1. 12

          Note that I wrote and included a suggested diff for OpenBSD already, and that at the time the tentative disclosure deadline was around the end of August. As a compromise, I allowed them to silently patch the vulnerability.

          He agreed to the patch on an already extended embargo date. He may regret that but there was no embargo date actually broken.

          @stsp explained that in detail here on lobste.rs.

          1. 10

            So I assume Linux developers will no longer receive any advance notice since they were posting patches before the meltdown embargo was over?

            1. 3

              I expect there’s some kind of risk/benefit assessment. Linux has lots of users so I suspect it would take some pretty overt embargo breaking to harm their access to this kind of information.

              OpenBSD has (relatively) few users and a history of disrespect for embargoes. One might imagine that Intel et al thought that the risk to the majority of their users (not on OpenBSD) of OpenBSD leaking such a vulnerability wasn’t worth it.

              1. 5

                Even if, institutionally, Linux were not being included in embargos, I imagine they’d have been included here: this was discovered by Google Project Zero, and Google has a large investment in Linux.

          2. 2

            Actually, it looks like FreeBSD was notified last year: https://www.freebsd.org/news/newsflash.html#event20180104:01

            1. 3

              By late last year you mean “late December 2017” - I’m going to guess this is much later than the other parties were notified.

              macOS 10.13.2 had some related fixes to meltdown and was released on December 6th. My guess is vendors with tighter business relationships (Apple, ms) to Intel started getting info on it around October or November. Possibly earlier considering the bug was initially found by Google back in the summer.

              1. 2

                Windows had a fix for it in November according to this: https://twitter.com/aionescu/status/930412525111296000

            2. 1

              A sincere but hopefully not too rude question: Are there any large-scale non-hobbyist uses of the BSDs that are impacted by these bugs? The immediate concern is for situations where an attacker can run untrusted code like in an end user’s web browser or in a shared hosting service that hosts custom applications. Are any of the BSDs widely deployed like that?

              Of course given application bugs these attacks could be used to escalate privileges, but that’s less of a sudden shock.

              1. 1

                DigitalOcean and AWS both offer FreeBSD images.

                1. 1

                  there are/were some large scale deployments of BSDs/derived code. apple airport extreme, dell force10, junos, etc.

                  people don’t always keep track of them but sometimes a company shows up then uses it for a very large number of devices.

                  1. 1

                    Presumably these don’t all have a cron job doing cvsup; make world; reboot against upstream *BSD. I think I understand how the Linux kernel updates end up on customer devices but I guess I don’t know how a patch in the FreeBSD or OpenBSD kernel would make it to customers with derived products. As a (sophisticated) customer I can update the Linux kernel on my OpenWRT based wireless router but I imagine Apple doesn’t distribute the Airport Extreme firmware under a BSD license.

              2. 4

                marc.info is getting hugged hard right now, so here’s some google cache links from a google cache link of the submitted URL: