The big Linux 4.20 performance slowdown is now corrected by tonight's Linux 4.20 Git code while still providing reasonable security for cross-hyperthread Spectre V2 mitigation.

Spectre/Meltdown kernel patch wrangler Thomas Gleixner sent in his patch series this afternoon with a subject line of "Cure the STIBP fallout" and started the message with, "The performance destruction department finally got it's act together and came up with a cure for the STIPB regression." That cure is the reworked code around "Single Thread Indirect Branch Predictors."

Rather than enabling STIBP for all processes, which had been done at the start of the Linux 4.20 kernel merge window and was a wreck for performance across many workloads as Phoronix was first to shine the light on this problem, by default it now just applies STIBP to processes opting into that functionality via the prctl interface and additionally for sandboxed processes by means of SECCOMP.

• Dell forces password reset on customers after cyber attack but tells them five whole days later

  Apparently, the [intruders] were after customer names, email addresses and passwords, but Dell explained to Reuters that there were no regulatory or legal requirements for it to notify its customers about why they were being forced to change their passwords.

• Dell.com resets all customer passwords after cyber attack: statement

  The breach occurred as companies come under increasing scrutiny from regulators worldwide to provide quick and accurate disclosure of customer data theft. The European Union implemented strict new privacy regulations in May that punish violators with fines of up to 20 million euros ($23 million), or 4 percent of global revenue, whichever is higher.

• Marriott Security Breach Exposed Data of Up to 500M Guests

  A security breach inside the Marriott hotel empire compromised the information of as many as 500 million guests worldwide, exposing their credit card numbers, passport numbers and birth dates for as long as four years, the company said Friday.

  [...]

  For as many as two-thirds of those affected, the exposed data could include mailing addresses, phone numbers, email addresses and passport numbers. Also included might be Starwood Preferred Guest account information, date of birth, gender, arrival and departure times and reservation dates.

  Credit card numbers and expiration dates of some guests may have been taken, according to the company.

  “We fell short of what our guests deserve and what we expect of ourselves,” CEO Arne Sorenson said in a statement. “We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”

  It isn’t common for passport numbers to be part of a hack, but it is not unheard of. Hong Kong-based airline Cathay Pacific Airways said in October that 9.4 million passengers’ information had been breached, including passport numbers.

• This is big!! – 500 Million Marriott Guest Records Stolen

  The world’s biggest hotel chain Marriott International today disclosed that unknown hackers compromised guest reservation database its subsidiary Starwood hotels and walked away with personal details of about 500 million guests.

  Starwood Hotels and Resorts Worldwide was acquired by Marriott International for $13 billion in 2016. The brand includes St. Regis, Sheraton Hotels & Resorts, W Hotels, Westin Hotels & Resorts, Aloft Hotels, Tribute Portfolio, Element Hotels, Le Méridien Hotels & Resorts, The Luxury Collection, Four Points by Sheraton and Design Hotels.

• Security updates for Friday

• Hackers Stole Nearly Quarter Million Dollars Our Revolution Raised for Standing Rock Protests

  The money stolen from the compromised account had been raised for the Standing Rock Sioux Native American tribe, which was at the time fighting vigorously to stop the construction of the Dakota Access Pipeline.

  Lucy Flores, a former Our Revolution board member, told Politico that the organization still gave the tribe the $242,924 it had raised on its behalf, though it was forced to dip into other funds to do so.

  "We'd done fundraising specifically on behalf of the tribe, and to have that money just be gone and never reach its intended purpose was unacceptable," Flores said. "So we decided to give them the money that was raised and take the loss as an organization."

• Remember Those Leaked NSA Tools? Hackers Are Still Using Them To Hijack Computers

  When UPnProxy attack was first spotted, about 3.5 million devices were vulnerable to the attack. Months later, Akamai reported that 277,000 remained vulnerable. As per the latest development, about 45,000 of these systems have already been compromised.

  [...]

  The security researchers are calling the newly discovered implementation Eternal Silence. This is because the attack uses the already popular EternalBlue (affecting Windows devices) and EternalRed (affecting Linux devices) exploits; they also found ‘galleta silenciosa’ or ‘silent cookie/cracker’ in Spanish written in the description field on the affected routers.

• Mass Router Hack Exposes Millions of Devices to Potent NSA Exploit

  More than 45,000 Internet routers have been compromised by a newly discovered campaign that’s designed to open networks to attacks by EternalBlue, the potent exploit that was developed by, and then stolen from, the National Security Agency and leaked to the Internet at large, researchers said Wednesday.

• Updated AMD Zen CPU Microcode Posted

  AMD has just dropped a new Family 17h "Zen" microcode file for Linux users.

  Just posted to the kernel mailing list is the latest CPU microcode file for Family 17h. Unfortunately there is no change-log/notes and obviously with it being binary-only there isn't anything to glean by itself.

• Multiple vulnerabilities in FreeBSD NFS server code

  FreeBSD is a free and open source operating system. The NFS (Network File System) is a server and client application that turn FreeBSD into a file sharing server. Users can upload or update files on a remote NFS server. NFS is standard on NAS (network attached storage) devices or sharing data for web servers. A new bug found in NFS server code which could allow a remote attacker to crash the NFS server, resulting in a denial of service (DoS) attack. Another possibility is to execute arbitrary code on the server.

• Cybersecurity Threats Keep Evolving, Research Shows

  Cybersecurity industry research is a great way to stay on top of the latest threats -- and the controls that can keep those vulnerabilities from affecting your organization. Research released in November 2018 spanned the gamut of IT risk concerns, including identity, application containers, vulnerability disclosures, and the global threat landscape itself. Here are key takeaways from 11 reports released this month, along with cyber defenses organizations should consider implementing.

• Security updates for Wednesday

• “New Tech” From DriveSavers Unlocks Locked iPhones With 100% Success Rate

  DriveSavers’s website strictly says that they do not offer their “passcode lockout data recovery” service to law enforcement agencies and it is meant only for the owners of the locked devices.

• Daniel Lange: Security is hard, open source security unnecessarily harder

  Now it is a commonplace that security is hard. It involves advanced mathematics and a single, tiny mistake or omission in implementation can spoil everything.

  And the only sane IT security can be open source security. Because you need to assess the algorithms and their implementation and you need to be able to completely verify the implementation. You simply can't if you don't have the code and can compile it yourself to produce a trusted (ideally reproducible) build. A no-brainer for everybody in the field.

  But we make it unbelievably hard for people to use security tools. Because these have grown over decades fostered by highly intelligent people with no interest in UX.
  "It was hard to write, so it should be hard to use as well."
  And then complain about adoption.

• NSA Leaked Tool Used to Exploit Computers, UPnProxy Vulnerability Surfaces

  IT has been over a year since The National Security Agency (NSA) hacking tool was leaked online but its aftermath is coming back to haunt everyone again. Security agency Akamai has warned everyone that the UPnProxy vulnerability can now target your personal computers that are still prone to hacks and other cyber attacks.

  When the NSA was hacked, there were patches released over the time in order to counter the exploits that were being done, but now it looks as if the security vulnerability is back again. Security agency researchers believe that the unpatched computers are now at high risk with hackers using the leaked tool of NSA to create some malicious proxy network.

  The unpatched computers are at risk of being targeted by hackers through the router’s firewall. The hackers are now using more powerful tools through which they can exploit through your personal computer. This can be done by making way through your internet Wi-Fi router that can cause damage to your personal computer on the Wi-Fi network.

• Dell.com Breached: Hackers Tried To Steal Customer Data

  Dell also revealed that a password reset was initiated for all customer accounts on Dell[.]com online electronics store on November 14 for security purposes.

  While the company didn’t discuss the complexity of the password-hashing algorithms used to protect them, some of them — such as MD5 can be broken within seconds to reveal the plaintext password.