From mboxrd@z Thu Jan 1 00:00:00 1970 From: g_patrickb@yahoo.com (G B) Date: Thu, 4 Jan 2018 13:49:36 +0000 Subject: [9fans] Spectre and Meltdown References: <1911496352.319586.1515073776091.ref@mail.yahoo.com> Message-ID: <1911496352.319586.1515073776091@mail.yahoo.com> Topicbox-Message-UUID: c8c687d4-ead9-11e9-9d60-3106f5b1d025 With the release of information about Spectre and Meltdown, and that Microsoft and Linux have released patches for Meltdown and Apple soon to release a patch, I am wondering how Meltdown, or even Spectre, would or wouldn't affect Plan 9 and/or 9front given the use of namespaces. -------------- next part -------------- An HTML attachment was scrubbed... URL: From mboxrd@z Thu Jan 1 00:00:00 1970 MIME-Version: 1.0 In-Reply-To: References: <1911496352.319586.1515073776091.ref@mail.yahoo.com> <1911496352.319586.1515073776091@mail.yahoo.com> From: Skip Tavakkolian Date: Wed, 10 Jan 2018 08:27:42 -0800 Message-ID: To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net> Content-Type: multipart/alternative; boundary="94eb2c0716e6c8d9b505626e8244" Subject: Re: [9fans] Spectre and Meltdown Topicbox-Message-UUID: c9af9ffa-ead9-11e9-9d60-3106f5b1d025 --94eb2c0716e6c8d9b505626e8244 Content-Type: text/plain; charset="UTF-8" If your processor isn't affected, microcode patching and os work-around is not needed. For example, intel atom d525, amd athlon 64 x2, arm7 (rpi's), mips are fine. On Jan 4, 2018 5:50 AM, "G B" wrote: With the release of information about Spectre and Meltdown, and that Microsoft and Linux have released patches for Meltdown and Apple soon to release a patch, I am wondering how Meltdown, or even Spectre, would or wouldn't affect Plan 9 and/or 9front given the use of namespaces. --94eb2c0716e6c8d9b505626e8244 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
If your processor isn't affected, microcode patching = and os work-around is not needed. For example, intel atom d525, amd athlon = 64 x2, arm7 (rpi's), mips are fine.=C2=A0

On Jan 4, 2018 5:50 AM, "G B" &= lt;g_patrickb@yahoo.com> wro= te:
With the release of information about Spe= ctre and Meltdown, and that Microsoft and Linux have released patches for M= eltdown and Apple soon to release a patch, I am wondering how Meltdown, or = even Spectre, would or wouldn't affect Plan 9 and/or 9front given the u= se of namespaces.

--94eb2c0716e6c8d9b505626e8244-- From mboxrd@z Thu Jan 1 00:00:00 1970 Message-ID: <6B13EEEE29329BEEA52D20997C65F2D5@felloff.net> Date: Wed, 10 Jan 2018 17:59:31 +0100 From: cinap_lenrek@felloff.net To: 9fans@9fans.net In-Reply-To: CAJSxfmKhLb_U2i66fjSz=T_pRuTNCCM3YG3ddz1npTTTAnD9uQ@mail.gmail.com MIME-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Content-Transfer-Encoding: 7bit Subject: Re: [9fans] Spectre and Meltdown Topicbox-Message-UUID: c9b3942a-ead9-11e9-9d60-3106f5b1d025 wait and see if all these scrambled together mitigations actually work. 9front is not in the business of selling shared computing environments (or sell executable javascript ads) to untrusted strangers. that was never really safe to begin with. there will be bugs in software and hardware. and there will be side channels. if you are concerned about security and leaks then run your authentication server on a dedicated box and applications on your own terminal. -- cinap From mboxrd@z Thu Jan 1 00:00:00 1970 MIME-Version: 1.0 In-Reply-To: <6B13EEEE29329BEEA52D20997C65F2D5@felloff.net> References: <6B13EEEE29329BEEA52D20997C65F2D5@felloff.net> From: Skip Tavakkolian Date: Wed, 10 Jan 2018 11:32:49 -0800 Message-ID: To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net> Content-Type: multipart/alternative; boundary="f4f5e8094f54c400e505627118f2" Subject: Re: [9fans] Spectre and Meltdown Topicbox-Message-UUID: c9b792b4-ead9-11e9-9d60-3106f5b1d025 --f4f5e8094f54c400e505627118f2 Content-Type: text/plain; charset="UTF-8" good advice. i agree with the wait-and-see. i'm not convinced that this issue is solvable. using pip, npm and all the other ways of importing random code from who-knows-where is insanity and plan9 systems (mostly?) avoid this practice. having dedicated auth and fs servers (don't allow cpu'ing) and using terminals for each user is a good practice. a terminal on an affected processor can still compromise your factotum data in memory. rpi3 is a safe choice and, for plan9, probably the best choice. On Wed, Jan 10, 2018 at 8:59 AM, wrote: > wait and see if all these scrambled together mitigations actually work. > > 9front is not in the business of selling shared computing environments > (or sell executable javascript ads) to untrusted strangers. > > that was never really safe to begin with. there will be bugs in software > and hardware. and there will be side channels. > > if you are concerned about security and leaks then run your authentication > server on a dedicated box and applications on your own terminal. > > -- > cinap > > --f4f5e8094f54c400e505627118f2 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
good advice. i agree with the wait-and-see. i'm not co= nvinced that this issue is solvable.

using pip, npm and = all the other ways of importing random code from who-knows-where is insanit= y and plan9 systems (mostly?) avoid this practice.
having dedicat= ed auth and fs servers (don't allow cpu'ing) and using terminals fo= r each user is a good practice.
a terminal on an affected process= or can still compromise your factotum data in memory. rpi3 is a safe choice= and, for plan9, probably the best choice.



On Wed, = Jan 10, 2018 at 8:59 AM, <cinap_lenrek@felloff.net> = wrote:
wait and see if all these scramble= d together mitigations actually work.

9front is not in the business of selling shared computing environments
(or sell executable javascript ads) to untrusted strangers.

that was never really safe to begin with. there will be bugs in software and hardware. and there will be side channels.

if you are concerned about security and leaks then run your authentication<= br> server on a dedicated box and applications on your own terminal.

--
cinap


--f4f5e8094f54c400e505627118f2-- From mboxrd@z Thu Jan 1 00:00:00 1970 Date: Wed, 10 Jan 2018 11:41:08 -0800 Message-ID: In-Reply-To: From: Erik Quanstrom To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net> MIME-Version: 1.0 Content-Type: text/html; charset=utf-8 Content-Transfer-Encoding: base64 Subject: Re: [9fans] Spectre and Meltdown Topicbox-Message-UUID: c9bba5ac-ead9-11e9-9d60-3106f5b1d025 PGRpdiBkaXI9J2F1dG8nPnRvIGJlIGZhaXIsIHRoaXMgdnVsbmVyYWJpbGl0eSBjYW4gYmUgZXhw bG9pdGVkIHdpdGggcGxhaW4gb2xkIEphdmFTY3JpcHQuPC9kaXY+PGRpdiBjbGFzcz0iZ21haWxf ZXh0cmEiPjxicj48ZGl2IGNsYXNzPSJnbWFpbF9xdW90ZSI+T24gSmFuIDEwLCAyMDE4IDExOjMy LCBTa2lwIFRhdmFra29saWFuICZsdDtza2lwLnRhdmFra29saWFuQGdtYWlsLmNvbSZndDsgd3Jv dGU6PGJyIHR5cGU9ImF0dHJpYnV0aW9uIj48YmxvY2txdW90ZSBjbGFzcz0icXVvdGUiIHN0eWxl PSJtYXJnaW46MCAwIDAgLjhleDtib3JkZXItbGVmdDoxcHggI2NjYyBzb2xpZDtwYWRkaW5nLWxl ZnQ6MWV4Ij48ZGl2IGRpcj0ibHRyIj5nb29kIGFkdmljZS4gaSBhZ3JlZSB3aXRoIHRoZSB3YWl0 LWFuZC1zZWUuIGkmIzM5O20gbm90IGNvbnZpbmNlZCB0aGF0IHRoaXMgaXNzdWUgaXMgc29sdmFi bGUuPGRpdj48YnIgLz48L2Rpdj48ZGl2PnVzaW5nIHBpcCwgbnBtIGFuZCBhbGwgdGhlIG90aGVy IHdheXMgb2YgaW1wb3J0aW5nIHJhbmRvbSBjb2RlIGZyb20gd2hvLWtub3dzLXdoZXJlIGlzIGlu c2FuaXR5IGFuZCBwbGFuOSBzeXN0ZW1zIChtb3N0bHk/KSBhdm9pZCB0aGlzIHByYWN0aWNlLjwv ZGl2PjxkaXY+aGF2aW5nIGRlZGljYXRlZCBhdXRoIGFuZCBmcyBzZXJ2ZXJzIChkb24mIzM5O3Qg YWxsb3cgY3B1JiMzOTtpbmcpIGFuZCB1c2luZyB0ZXJtaW5hbHMgZm9yIGVhY2ggdXNlciBpcyBh IGdvb2QgcHJhY3RpY2UuPC9kaXY+PGRpdj5hIHRlcm1pbmFsIG9uIGFuIGFmZmVjdGVkIHByb2Nl c3NvciBjYW4gc3RpbGwgY29tcHJvbWlzZSB5b3VyIGZhY3RvdHVtIGRhdGEgaW4gbWVtb3J5LiBy cGkzIGlzIGEgc2FmZSBjaG9pY2UgYW5kLCBmb3IgcGxhbjksIHByb2JhYmx5IHRoZSBiZXN0IGNo b2ljZS48ZGl2PjxiciAvPjwvZGl2PjxkaXY+PGJyIC8+PC9kaXY+PC9kaXY+PC9kaXY+PGRpdj48 YnIgLz48ZGl2IGNsYXNzPSJlbGlkZWQtdGV4dCI+T24gV2VkLCBKYW4gMTAsIDIwMTggYXQgODo1 OSBBTSwgIDxzcGFuIGRpcj0ibHRyIj4mbHQ7PGEgaHJlZj0ibWFpbHRvOmNpbmFwX2xlbnJlayYj NjQ7ZmVsbG9mZi5uZXQiPmNpbmFwX2xlbnJlayYjNjQ7ZmVsbG9mZi5uZXQ8L2E+Jmd0Ozwvc3Bh bj4gd3JvdGU6PGJyIC8+PGJsb2NrcXVvdGUgc3R5bGU9Im1hcmdpbjowIDAgMCAwLjhleDtib3Jk ZXItbGVmdDoxcHggI2NjYyBzb2xpZDtwYWRkaW5nLWxlZnQ6MWV4Ij53YWl0IGFuZCBzZWUgaWYg YWxsIHRoZXNlIHNjcmFtYmxlZCB0b2dldGhlciBtaXRpZ2F0aW9ucyBhY3R1YWxseSB3b3JrLjxi ciAvPg0KPGJyIC8+DQo5ZnJvbnQgaXMgbm90IGluIHRoZSBidXNpbmVzcyBvZiBzZWxsaW5nIHNo YXJlZCBjb21wdXRpbmcgZW52aXJvbm1lbnRzPGJyIC8+DQoob3Igc2VsbCBleGVjdXRhYmxlIGph dmFzY3JpcHQgYWRzKSB0byB1bnRydXN0ZWQgc3RyYW5nZXJzLjxiciAvPg0KPGJyIC8+DQp0aGF0 IHdhcyBuZXZlciByZWFsbHkgc2FmZSB0byBiZWdpbiB3aXRoLiB0aGVyZSB3aWxsIGJlIGJ1Z3Mg aW4gc29mdHdhcmU8YnIgLz4NCmFuZCBoYXJkd2FyZS4gYW5kIHRoZXJlIHdpbGwgYmUgc2lkZSBj aGFubmVscy48YnIgLz4NCjxiciAvPg0KaWYgeW91IGFyZSBjb25jZXJuZWQgYWJvdXQgc2VjdXJp dHkgYW5kIGxlYWtzIHRoZW4gcnVuIHlvdXIgYXV0aGVudGljYXRpb248YnIgLz4NCnNlcnZlciBv biBhIGRlZGljYXRlZCBib3ggYW5kIGFwcGxpY2F0aW9ucyBvbiB5b3VyIG93biB0ZXJtaW5hbC48 YnIgLz4NCjxiciAvPg0KLS08YnIgLz4NCmNpbmFwPGJyIC8+DQo8YnIgLz4NCjwvYmxvY2txdW90 ZT48L2Rpdj48YnIgLz48L2Rpdj4NCg0KPC9ibG9ja3F1b3RlPjwvZGl2Pjxicj48L2Rpdj4= From mboxrd@z Thu Jan 1 00:00:00 1970 Message-ID: <2C30DB67F23E42E276320A25C390A22F@felloff.net> Date: Wed, 10 Jan 2018 21:30:04 +0100 From: cinap_lenrek@felloff.net To: 9fans@9fans.net In-Reply-To: abc8b280-20f5-4858-af67-941e9226c14a@email.android.com MIME-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Content-Transfer-Encoding: 7bit Subject: Re: [9fans] Spectre and Meltdown Topicbox-Message-UUID: c9c29600-ead9-11e9-9d60-3106f5b1d025 yeah, and javascript was NEVER dangerous before. like it never would steal your passwords or exploit bugs in the monstrosity called a webbrowser. or ave bugs in the jit. all was perfectly safe until now :-) we can perfectly trust the dozens of megabytes injected from whoever pays the advertisement delivery network. 3d ads that is, because gpu drivers are bugfree. i can't wait for javacript crypto implementations that will totally be free of timing side channels... -- cinap From mboxrd@z Thu Jan 1 00:00:00 1970 Date: Wed, 10 Jan 2018 12:41:58 -0800 Message-ID: <57420609-b38a-4561-b845-eb8cdc37a54a@email.android.com> In-Reply-To: <2C30DB67F23E42E276320A25C390A22F@felloff.net> From: Erik Quanstrom To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net> MIME-Version: 1.0 Content-Type: text/html; charset=utf-8 Content-Transfer-Encoding: base64 Subject: Re: [9fans] Spectre and Meltdown Topicbox-Message-UUID: c9cb15dc-ead9-11e9-9d60-3106f5b1d025 PGRpdiBkaXI9J2F1dG8nPnRoaXMgaXMgZGlmZmVyZW50LiZuYnNwOyB0aGUgc2lkZSBjaGFubmVs IGF0dGFjayBpcyBlYXN5IGFuZCBjb21wbGV0ZXMgaW4gbWlsbGlzZWNvbmRzLiZuYnNwOyBpdCBp cyBub3QgcmVsYXRlZCB0byB0aGUgZXhwcmVzc2l2ZW5lc3Mgb2YganMuPGRpdiBkaXI9ImF1dG8i Pjxicj48L2Rpdj48ZGl2IGRpcj0iYXV0byI+LSBlcmlrPC9kaXY+PGRpdiBkaXI9ImF1dG8iPjxi cj48L2Rpdj48L2Rpdj4= From mboxrd@z Thu Jan 1 00:00:00 1970 MIME-Version: 1.0 In-Reply-To: <2C30DB67F23E42E276320A25C390A22F@felloff.net> References: <2C30DB67F23E42E276320A25C390A22F@felloff.net> From: Skip Tavakkolian Date: Wed, 10 Jan 2018 12:48:38 -0800 Message-ID: To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net> Content-Type: multipart/alternative; boundary="f403045e39f4ebb29b05627227b8" Subject: Re: [9fans] Spectre and Meltdown Topicbox-Message-UUID: c9cef68e-ead9-11e9-9d60-3106f5b1d025 --f403045e39f4ebb29b05627227b8 Content-Type: text/plain; charset="UTF-8" all binaries on any repo (9p.io, 9front.org, bell-labs.com) are taken on faith to be safe; but it applies there too. does anyone read all the various rc scripts carefully? On Wed, Jan 10, 2018 at 12:30 PM, wrote: > yeah, and javascript was NEVER dangerous before. like it never > would steal your passwords or exploit bugs in the monstrosity > called a webbrowser. or ave bugs in the jit. all was perfectly > safe until now :-) we can perfectly trust the dozens of megabytes > injected from whoever pays the advertisement delivery network. > 3d ads that is, because gpu drivers are bugfree. > > i can't wait for javacript crypto implementations that will > totally be free of timing side channels... > > -- > cinap > > --f403045e39f4ebb29b05627227b8 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
all binaries on any repo (9p.io, 9front.org, bell-labs.com) are taken on faith to be safe; but it applies th= ere too.
does anyone read all the various rc scripts carefully?


On Wed, Jan 10, 2018 at 12:30 PM, <cinap_lenrek@felloff.net&= gt; wrote:
yeah, and javascript wa= s NEVER dangerous before. like it never
would steal your passwords or exploit bugs in the monstrosity
called a webbrowser. or ave bugs in the jit. all was perfectly
safe until now :-) we can perfectly trust the dozens of megabytes
injected from whoever pays the advertisement delivery network.
3d ads that is, because gpu drivers are bugfree.

i can't wait for javacript crypto implementations that will
totally be free of timing side channels...

--
cinap


--f403045e39f4ebb29b05627227b8-- From mboxrd@z Thu Jan 1 00:00:00 1970 MIME-Version: 1.0 In-Reply-To: References: From: Skip Tavakkolian Date: Wed, 10 Jan 2018 12:52:16 -0800 Message-ID: To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net> Content-Type: multipart/alternative; boundary="001a11402784e0f8df05627234b2" Subject: Re: [9fans] Spectre and Meltdown Topicbox-Message-UUID: c9d2b314-ead9-11e9-9d60-3106f5b1d025 --001a11402784e0f8df05627234b2 Content-Type: text/plain; charset="UTF-8" i think "javascript in the browser" is implied here. and that is a HUGE gate to close. fortunately, we don't have such browsers in plan9 :) On Wed, Jan 10, 2018 at 11:41 AM, Erik Quanstrom wrote: > to be fair, this vulnerability can be exploited with plain old JavaScript. > > On Jan 10, 2018 11:32, Skip Tavakkolian > wrote: > > good advice. i agree with the wait-and-see. i'm not convinced that this > issue is solvable. > > using pip, npm and all the other ways of importing random code from > who-knows-where is insanity and plan9 systems (mostly?) avoid this practice. > having dedicated auth and fs servers (don't allow cpu'ing) and using > terminals for each user is a good practice. > a terminal on an affected processor can still compromise your factotum > data in memory. rpi3 is a safe choice and, for plan9, probably the best > choice. > > > > On Wed, Jan 10, 2018 at 8:59 AM, wrote: > > wait and see if all these scrambled together mitigations actually work. > > 9front is not in the business of selling shared computing environments > (or sell executable javascript ads) to untrusted strangers. > > that was never really safe to begin with. there will be bugs in software > and hardware. and there will be side channels. > > if you are concerned about security and leaks then run your authentication > server on a dedicated box and applications on your own terminal. > > -- > cinap > > > > --001a11402784e0f8df05627234b2 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
i think "javascript in the browser" is implied h= ere. and that is a HUGE gate to close.

fortunately, we d= on't have such browsers in plan9 :)

On Wed, Jan 10, 2018 at 11:41 AM, Erik Qu= anstrom <quanstro@quanstro.net> wrote:
to be fair, this vulnerability can be ex= ploited with plain old JavaScript.

On Jan 10, 2= 018 11:32, Skip Tavakkolian <skip.tavakkolian@gmail.com> wrote:
= good advice. i agree with the wait-and-see. i'm not convinced that this= issue is solvable.

using pip, npm and all the other way= s of importing random code from who-knows-where is insanity and plan9 syste= ms (mostly?) avoid this practice.
having dedicated auth and fs se= rvers (don't allow cpu'ing) and using terminals for each user is a = good practice.
a terminal on an affected processor can still comp= romise your factotum data in memory. rpi3 is a safe choice and, for plan9, = probably the best choice.


On Wed, Jan 10, 2018 at 8:= 59 AM, <cinap_lenrek@felloff.net> wrote:
wrote: > it is also exploitable in node.js. > > On Jan 10, 2018 12:52, Skip Tavakkolian > wrote: > > i think "javascript in the browser" is implied here. and that is a HUGE > gate to close. > > fortunately, we don't have such browsers in plan9 :) > > On Wed, Jan 10, 2018 at 11:41 AM, Erik Quanstrom > wrote: > > to be fair, this vulnerability can be exploited with plain old JavaScript. > > On Jan 10, 2018 11:32, Skip Tavakkolian > wrote: > > good advice. i agree with the wait-and-see. i'm not convinced that this > issue is solvable. > > using pip, npm and all the other ways of importing random code from > who-knows-where is insanity and plan9 systems (mostly?) avoid this practice. > having dedicated auth and fs servers (don't allow cpu'ing) and using > terminals for each user is a good practice. > a terminal on an affected processor can still compromise your factotum > data in memory. rpi3 is a safe choice and, for plan9, probably the best > choice. > > > > On Wed, Jan 10, 2018 at 8:59 AM, wrote: > > wait and see if all these scrambled together mitigations actually work. > > 9front is not in the business of selling shared computing environments > (or sell executable javascript ads) to untrusted strangers. > > that was never really safe to begin with. there will be bugs in software > and hardware. and there will be side channels. > > if you are concerned about security and leaks then run your authentication > server on a dedicated box and applications on your own terminal. > > -- > cinap > > > > > > --94eb2c1c0694a268bf056272bd1d Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
yep. i mentioned npm, but there are a few more.

On Wed, Jan 10, 2018 a= t 12:56 PM, Erik Quanstrom <quanstro@quanstro.net> wrote= :
it is also exploitabl= e in node.js.

On Jan 10, 2018 12:52, Skip Tavak= kolian <= skip.tavakkolian@gmail.com> wrote:
i think "javascr= ipt in the browser" is implied here. and that is a HUGE gate to close.=

fortunately, we don't have such browsers in plan9 := )

On We= d, Jan 10, 2018 at 11:41 AM, Erik Quanstrom <quanstro@quanstro.net> wrote:
to be fair, this vulner= ability can be exploited with plain old JavaScript.
On Jan 10, 2018 11:32, Ski= p Tavakkolian <skip.tavakkolian@gmail.com> wrote:
good advice. i agree with the wait-and-see. i'm not convinced that = this issue is solvable.

using pip, npm and all the other= ways of importing random code from who-knows-where is insanity and plan9 s= ystems (mostly?) avoid this practice.
having dedicated auth and f= s servers (don't allow cpu'ing) and using terminals for each user i= s a good practice.
a terminal on an affected processor can still = compromise your factotum data in memory. rpi3 is a safe choice and, for pla= n9, probably the best choice.



On Wed, Jan 10, 2018 at 8:59 AM, <cinap_lenrek@felloff= .net> wrote:
wait and see if all these scrambled= together mitigations actually work.

9front is not in the business of selling shared computing environments
(or sell executable javascript ads) to untrusted strangers.

that was never really safe to begin with. there will be bugs in software and hardware. and there will be side channels.

if you are concerned about security and leaks then run your authentication<= br> server on a dedicated box and applications on your own terminal.

--
cinap






--94eb2c1c0694a268bf056272bd1d-- From mboxrd@z Thu Jan 1 00:00:00 1970 Message-ID: <188F69327A86275BA90105F31906A720@felloff.net> Date: Wed, 10 Jan 2018 22:43:14 +0100 From: cinap_lenrek@felloff.net To: 9fans@9fans.net In-Reply-To: CAJSxfm+xfHctaQV_n3-rKzZt3D+0JXW3T6sVpfU4dGRm=B8HcA@mail.gmail.com MIME-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Content-Transfer-Encoding: 7bit Subject: Re: [9fans] Spectre and Meltdown Topicbox-Message-UUID: c9df6578-ead9-11e9-9d60-3106f5b1d025 > all binaries on any repo (9p.io, 9front.org, bell-labs.com) are taken on > faith to be safe; but it applies there too. > does anyone read all the various rc scripts carefully? how's that comparable? the broken promise is that web code will be contained in the browser tab so nobody needs to trust that code. and we can just run it. that assumption is proven over and over again to not be true due to bugs in the interpreter and bugs in the massive libraries exposed to it and now theres a case where its broken even if there is no obvious flaw in the interpreter. nobody promised, or tried to do that with a plan9 process. code running in plan9 can do whatever you can do. and easily crash the whole system. so you obviouly need to be cautous about what you run. and yes, you should read the code. -- cinap From mboxrd@z Thu Jan 1 00:00:00 1970 MIME-Version: 1.0 In-Reply-To: <188F69327A86275BA90105F31906A720@felloff.net> References: <188F69327A86275BA90105F31906A720@felloff.net> From: Skip Tavakkolian Date: Wed, 10 Jan 2018 14:46:34 -0800 Message-ID: To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net> Content-Type: multipart/alternative; boundary="f403045e315eaa7fb7056273cde5" Subject: Re: [9fans] Spectre and Meltdown Topicbox-Message-UUID: c9e3b7b8-ead9-11e9-9d60-3106f5b1d025 --f403045e315eaa7fb7056273cde5 Content-Type: text/plain; charset="UTF-8" we foolishly assumed that intel and other cpu manufacturers would not do stupid things, out of self interest, if nothing else. stupid things like put a whole processor hidden inside every cpu since pentium, running minix that "manages" what you thought was "your" cpu. stupid things like have (and try to hide) instructions that allow one to reprogram the microcode. On Wed, Jan 10, 2018 at 1:43 PM, wrote: > > all binaries on any repo (9p.io, 9front.org, bell-labs.com) are taken on > > faith to be safe; but it applies there too. > > does anyone read all the various rc scripts carefully? > > how's that comparable? the broken promise is that web > code will be contained in the browser tab so nobody needs > to trust that code. and we can just run it. that assumption > is proven over and over again to not be true due to bugs > in the interpreter and bugs in the massive libraries exposed > to it and now theres a case where its broken even if there is > no obvious flaw in the interpreter. > > nobody promised, or tried to do that with a plan9 process. > > code running in plan9 can do whatever you can do. and > easily crash the whole system. so you obviouly need to > be cautous about what you run. > > and yes, you should read the code. > > -- > cinap > > --f403045e315eaa7fb7056273cde5 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
we foolishly assumed that intel and other cpu manufacturer= s would not do stupid things, out of self interest, if nothing else.
st= upid things like put a whole processor hidden inside every cpu since pentiu= m, running minix that "manages" what you thought was "your&q= uot; cpu.
stupid things like have (and try to hide) instructions = that allow one to reprogram the microcode.


On Wed, Jan 10, 2018 at= 1:43 PM, <cinap_lenrek@felloff.net> wrote:
> all binaries on any repo (<= a href=3D"http://9p.io" rel=3D"noreferrer" target=3D"_blank">9p.io, 9front.org<= /a>, = bell-labs.com) are taken on
> faith to be safe; but it applies there too.
> does anyone read all the various rc scripts carefully?

how's that comparable? the broken promise is that web
code will be contained in the browser tab so nobody needs
to trust that code. and we can just run it. that assumption
is proven over and over again to not be true due to bugs
in the interpreter and bugs in the massive libraries exposed
to it and now theres a case where its broken even if there is
no obvious flaw in the interpreter.

nobody promised, or tried to do that with a plan9 process.

code running in plan9 can do whatever you can do. and
easily crash the whole system. so you obviouly need to
be cautous about what you run.

and yes, you should read the code.

--
cinap


--f403045e315eaa7fb7056273cde5-- From mboxrd@z Thu Jan 1 00:00:00 1970 MIME-Version: 1.0 In-Reply-To: <188F69327A86275BA90105F31906A720@felloff.net> References: <188F69327A86275BA90105F31906A720@felloff.net> From: Charles Forsyth Date: Wed, 10 Jan 2018 22:48:40 +0000 Message-ID: To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net> Content-Type: multipart/alternative; boundary="94eb2c03b12428c86e056273d52e" Subject: Re: [9fans] Spectre and Meltdown Topicbox-Message-UUID: c9e994bc-ead9-11e9-9d60-3106f5b1d025 --94eb2c03b12428c86e056273d52e Content-Type: text/plain; charset="UTF-8" If Intel sells you lemons, make lemonade (ok, ok, at least a whiskey sour). I myself welcome our new speculative overlords, and look forward to new interesting predictions, and perhaps even a renewed interest in single-address space systems, since that's what we've got. On 10 January 2018 at 21:43, wrote: > > all binaries on any repo (9p.io, 9front.org, bell-labs.com) are taken on > > faith to be safe; but it applies there too. > > does anyone read all the various rc scripts carefully? > > how's that comparable? the broken promise is that web > code will be contained in the browser tab so nobody needs > to trust that code. and we can just run it. that assumption > is proven over and over again to not be true due to bugs > in the interpreter and bugs in the massive libraries exposed > to it and now theres a case where its broken even if there is > no obvious flaw in the interpreter. > > nobody promised, or tried to do that with a plan9 process. > > code running in plan9 can do whatever you can do. and > easily crash the whole system. so you obviouly need to > be cautous about what you run. > > and yes, you should read the code. > > -- > cinap > > --94eb2c03b12428c86e056273d52e Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
If Intel sells you lemons, make lemonade (ok, ok, at least= a whiskey sour).
I myself welcome our new speculative overlords, and l= ook forward to new interesting predictions, and perhaps even a renewed inte= rest in single-address space systems, since that's what we've got.<= /div>

On 10 = January 2018 at 21:43, <cinap_lenrek@felloff.net> wr= ote:
> all binaries o= n any repo (9= p.io, 9front.org, bell-labs.com) are taken on
> faith to be safe; but it applies there too.
> does anyone read all the various rc scripts carefully?

how's that comparable? the broken promise is that web
code will be contained in the browser tab so nobody needs
to trust that code. and we can just run it. that assumption
is proven over and over again to not be true due to bugs
in the interpreter and bugs in the massive libraries exposed
to it and now theres a case where its broken even if there is
no obvious flaw in the interpreter.

nobody promised, or tried to do that with a plan9 process.

code running in plan9 can do whatever you can do. and
easily crash the whole system. so you obviouly need to
be cautous about what you run.

and yes, you should read the code.

--
cinap


--94eb2c03b12428c86e056273d52e-- From mboxrd@z Thu Jan 1 00:00:00 1970 Message-ID: To: 9fans@9fans.net From: Richard Miller <9fans@hamnavoe.com> Date: Wed, 10 Jan 2018 23:46:47 +0000 In-Reply-To: MIME-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Content-Transfer-Encoding: 7bit Subject: Re: [9fans] Spectre and Meltdown Topicbox-Message-UUID: c9f68d48-ead9-11e9-9d60-3106f5b1d025 > rpi3 is a safe choice Safe against spectre perhaps, but there are interesting remote attacks against the firmware in the bcm43xx wifi engine. I wouldn't want to bet on plan 9's immunity to some variant of broadpwn. From mboxrd@z Thu Jan 1 00:00:00 1970 From: Bakul Shah To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net> In-reply-to: Your message of "Wed, 10 Jan 2018 23:46:47 +0000." References: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-ID: <730.1515630823.1@bitblocks.com> Date: Wed, 10 Jan 2018 16:33:43 -0800 Message-Id: <20180111003358.4AFE6156E524@mail.bitblocks.com> Subject: Re: [9fans] Spectre and Meltdown Topicbox-Message-UUID: c9fab7e2-ead9-11e9-9d60-3106f5b1d025 On Wed, 10 Jan 2018 23:46:47 +0000 Richard Miller <9fans@hamnavoe.com> wrote: Richard Miller writes: > > rpi3 is a safe choice > > Safe against spectre perhaps, but there are interesting remote attacks > against the firmware in the bcm43xx wifi engine. I wouldn't want to bet > on plan 9's immunity to some variant of broadpwn. CVE-2017-9417. Poking around the 'net I found https://github.com/raspberrypi/linux/issues/1342#issuecomment-321221748 Need Linux to run this but does not fix the problem? Though there seems to be another unrelated problem that seems not quite fixed. From mboxrd@z Thu Jan 1 00:00:00 1970 MIME-Version: 1.0 In-Reply-To: References: From: Skip Tavakkolian Date: Wed, 10 Jan 2018 16:55:56 -0800 Message-ID: To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net> Content-Type: multipart/alternative; boundary="94eb2c1c06945803730562759ca1" Subject: Re: [9fans] Spectre and Meltdown Topicbox-Message-UUID: ca77294e-ead9-11e9-9d60-3106f5b1d025 --94eb2c1c06945803730562759ca1 Content-Type: text/plain; charset="UTF-8" yes; i had forgotten about that. fortunately there's the ethernet port. https://www.blackhat.com/docs/us-17/thursday/us-17-Artenstein-Broadpwn-Remotely-Compromising-Android-And-iOS-Via-A-Bug-In-Broadcoms-Wifi-Chipsets.pdf On Wed, Jan 10, 2018 at 3:46 PM, Richard Miller <9fans@hamnavoe.com> wrote: > > rpi3 is a safe choice > > Safe against spectre perhaps, but there are interesting remote attacks > against the firmware in the bcm43xx wifi engine. I wouldn't want to bet > on plan 9's immunity to some variant of broadpwn. > > > --94eb2c1c06945803730562759ca1 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
yes; i had forgotten about that.=C2=A0 fortunately th= ere's the ethernet port.


On Wed, Jan 10, 2018 at 3:46 PM, Richard Miller <9= fans@hamnavoe.com> wrote:
<= span class=3D"">> rpi3 is a safe choice

Safe against spectre perhaps, but there are interesting remote attac= ks
against the firmware in the bcm43xx wifi engine.=C2=A0 I wouldn't want = to bet
on plan 9's immunity to some variant of broadpwn.



--94eb2c1c06945803730562759ca1-- From mboxrd@z Thu Jan 1 00:00:00 1970 MIME-Version: 1.0 In-Reply-To: References: From: hiro <23hiro@gmail.com> Date: Thu, 11 Jan 2018 10:35:12 +0100 Message-ID: To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net> Content-Type: text/plain; charset="UTF-8" Subject: Re: [9fans] Spectre and Meltdown Topicbox-Message-UUID: ca7d0bde-ead9-11e9-9d60-3106f5b1d025 when did you implement wifi on the rpi?! From mboxrd@z Thu Jan 1 00:00:00 1970 Content-Type: text/plain; charset=utf-8 Mime-Version: 1.0 (Mac OS X Mail 11.2 \(3445.5.20\)) From: Rui Carmo In-Reply-To: Date: Thu, 11 Jan 2018 09:49:36 +0000 Content-Transfer-Encoding: quoted-printable Message-Id: References: To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net> Subject: Re: [9fans] Spectre and Meltdown Topicbox-Message-UUID: ca8268e0-ead9-11e9-9d60-3106f5b1d025 If that=E2=80=99s working with WPA2, I=E2=80=99m interested too. > On 11 Jan 2018, at 09:35, hiro <23hiro@gmail.com> wrote: >=20 > when did you implement wifi on the rpi?! >=20 From mboxrd@z Thu Jan 1 00:00:00 1970 Message-ID: <614f2fae8598b1c394ac002f6f849eba@hamnavoe.com> To: 9fans@9fans.net From: Richard Miller <9fans@hamnavoe.com> Date: Thu, 11 Jan 2018 09:58:27 +0000 In-Reply-To: MIME-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Content-Transfer-Encoding: 7bit Subject: Re: [9fans] Spectre and Meltdown Topicbox-Message-UUID: ca866ca6-ead9-11e9-9d60-3106f5b1d025 > when did you implement wifi on the rpi?! Late 2016. And yes, it works with wpa2 (thanks to cinap's aux/wpa). From mboxrd@z Thu Jan 1 00:00:00 1970 Message-ID: To: 9fans@9fans.net From: Richard Miller <9fans@hamnavoe.com> Date: Thu, 11 Jan 2018 14:19:43 +0000 In-Reply-To: <20180111003358.4AFE6156E524@mail.bitblocks.com> MIME-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Content-Transfer-Encoding: 7bit Subject: Re: [9fans] broadpwn (was Spectre and Meltdown) Topicbox-Message-UUID: caa90dec-ead9-11e9-9d60-3106f5b1d025 > https://github.com/raspberrypi/linux/issues/1342#issuecomment-321221748 > > Need Linux to run this but does not fix the problem? No need for linux. If you don't mind installing firmware from random files on drive.google.com, you can grab the tarball referenced from the url above, unpack it, and copy brcmfmac43430-sdio.^(bin txt) into /sys/lib/firmware on your pi3 or pi0w. You will need to pad the .bin file to a multiple of 2048 bytes (eg by appending from /dev/zero) otherwise the verify after loading seems to fail. If you use the piwifi kernel (rootfs from wifi) as opposed to the pi3 kernel (rootfs from ethernet or sdcard with access to wifi), you'll want to rebuild the kernel in order to get the updated files into the /boot builtin fs. There should be a more definitive source for the firmware files somewhere. > Though there seems to be another unrelated problem that seems > not quite fixed. The other two fixes mentioned in that issue (turning off power management and harcoding packet priority to zero) were already in the plan 9 driver. From mboxrd@z Thu Jan 1 00:00:00 1970 MIME-Version: 1.0 In-Reply-To: <614f2fae8598b1c394ac002f6f849eba@hamnavoe.com> References: <614f2fae8598b1c394ac002f6f849eba@hamnavoe.com> From: hiro <23hiro@gmail.com> Date: Fri, 12 Jan 2018 12:45:53 +0100 Message-ID: To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net> Content-Type: text/plain; charset="UTF-8" Subject: Re: [9fans] Spectre and Meltdown Topicbox-Message-UUID: cad320aa-ead9-11e9-9d60-3106f5b1d025 Cool, so we now have a lot of wifi support in total. never imagined that. There's prism(Lucent WaveLAN), Ralink RT2860, Ralink RT3090, a bunch of intels, AND that rpi. IIUC only the wavelan stuff has hardmac, so no wifi.c -> no wpa2 there. From mboxrd@z Thu Jan 1 00:00:00 1970 From: giacomo@tesio.it (Giacomo Tesio) Date: Mon, 15 Jan 2018 10:57:17 +0100 Subject: [9fans] Spectre and Meltdown In-Reply-To: <6B13EEEE29329BEEA52D20997C65F2D5@felloff.net> References: <6B13EEEE29329BEEA52D20997C65F2D5@felloff.net> Message-ID: Topicbox-Message-UUID: cae901cc-ead9-11e9-9d60-3106f5b1d025 2018-01-10 17:59 GMT+01:00 : > wait and see if all these scrambled together mitigations actually work. Sorry if this is a dumb question, but the descriptions I read of the mitigations taken in Linux for Meltdown (in particular kernel page-table isolation) sound really familiar to my poor understanding of how plan 9 and 9front already manage user memory. As far as I can remember plan9 flush tables very often and clearly separate kernel memory pages and user space memory. So my dumb question is: are plan9/9front and friends actually vulnerable to Meltdown? Giacomo From mboxrd@z Thu Jan 1 00:00:00 1970 Message-ID: <0F4FA85AB2055BA6EC8455B0EBB086C0@felloff.net> Date: Mon, 15 Jan 2018 12:26:53 +0100 From: cinap_lenrek@felloff.net To: 9fans@9fans.net In-Reply-To: CAHL7psH067PyatJ17dNcZxJUyy-FEQN=7iWm=m5YaypuWh2mVA@mail.gmail.com MIME-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Content-Transfer-Encoding: 7bit Subject: Re: [9fans] Spectre and Meltdown Topicbox-Message-UUID: cae215d8-ead9-11e9-9d60-3106f5b1d025 > As far as I can remember plan9 flush tables very often and clearly > separate kernel memory pages and user space memory. no. the kernel is mapped in each user process but with PTEUSER bits clear (owner bit) in the pte so user process cannot access it (but with meltdown, it can). -- cinap From mboxrd@z Thu Jan 1 00:00:00 1970 From: jules.merit.eurocorp.us@gmail.com (Jules Merit) Date: Mon, 15 Jan 2018 16:51:48 -0800 Subject: [9fans] Spectre and Meltdown In-Reply-To: References: <614f2fae8598b1c394ac002f6f849eba@hamnavoe.com> Message-ID: Topicbox-Message-UUID: caf154c6-ead9-11e9-9d60-3106f5b1d025 23hiro now has dead 46 planberries, no see front c h ke On Fri, Jan 12, 2018 at 3:45 AM, hiro <23hiro at gmail.com> wrote: > Cool, so we now have a lot of wifi support in total. never imagined that. > > There's prism(Lucent WaveLAN), Ralink RT2860, Ralink RT3090, a bunch > of intels, AND that rpi. > > IIUC only the wavelan stuff has hardmac, so no wifi.c -> no wpa2 there. > From mboxrd@z Thu Jan 1 00:00:00 1970 From: jules.merit.eurocorp.us@gmail.com (Jules Merit) Date: Mon, 15 Jan 2018 17:16:49 -0800 Subject: [9fans] Spectre and Meltdown In-Reply-To: References: <614f2fae8598b1c394ac002f6f849eba@hamnavoe.com> Message-ID: Topicbox-Message-UUID: cb023f52-ead9-11e9-9d60-3106f5b1d025 srv ieee-754 trouble, GDS-II stream On Mon, Jan 15, 2018 at 4:51 PM, Jules Merit wrote: > 23hiro now has dead 46 planberries, no see front > c h ke > > On Fri, Jan 12, 2018 at 3:45 AM, hiro <23hiro at gmail.com> wrote: >> Cool, so we now have a lot of wifi support in total. never imagined that. >> >> There's prism(Lucent WaveLAN), Ralink RT2860, Ralink RT3090, a bunch >> of intels, AND that rpi. >> >> IIUC only the wavelan stuff has hardmac, so no wifi.c -> no wpa2 there. >>