Security

Security: 'Rich' E-mail, BlackBerry, and D-Link

Filed under
Security
  • The only safe email is text-only email

    The real issue is that today’s web-based email systems are electronic minefields filled with demands and enticements to click and engage in an increasingly responsive and interactive online experience. It’s not just Gmail, Yahoo mail and similar services: Desktop-computer-based email programs like Outlook display messages in the same unsafe way.

  • BlackBerry admits: We could do better at patching

    BlackBerry has confirmed that its first Android device, the Priv, will be stuck on Google's 2015 operating system forevermore, which Google itself will cease supporting next year.

    Having been promised "the most secure Android", BlackBerry loyalists have seen the promise of monthly security updates stutter recently, with distribution of the monthlies getting patchy (no pun intended).

  • Researcher publicly discloses 10 zero-day flaws in D-Link 850L routers

    Peeved about previous vulnerability disclosure experiences with D-Link, a security researcher has publicly disclosed 10 zero-day vulnerabilities in D-Link DIR 850L wireless AC1200 dual-band gigabit cloud routers.

    Security researcher Pierre Kim opted to publicly disclose the vulnerabilities this time, citing a “very badly coordinated” disclosure with D-Link in February. That time around he had reported nine vulnerabilities, but he said it took D-Link five months to release new firmware that ended up patching only one of the flaws he found.

A look at TAILS – Privacy oriented GNU/Linux Distribution

Filed under
Reviews
Security
Debian

The Amnesic Incognito Live System is a Debian-based distribution that routes all internet traffic through the Tor network and leaves no trace of its existence, or of anything done on the system, when the machine is shut down. The obvious aim is to help keep the user anonymous and private. Tails is not installed to a user's computer, but instead is run strictly as a LiveUSB / LiveDVD.

TAILS does not use the host machine's hard disk at all, and is loaded entirely into RAM. When a machine is shut down, the data stored in RAM disappears over the course of a few minutes, essentially leaving no trace of whatever had been done. Granted, there is a method of attack known as a Cold Boot Attack, where data is extracted from RAM before it has had a chance to disappear, but TAILS has you covered on that front too; the TAILS website says,

“To prevent this attack, the data in RAM is overwritten by random data when shutting down Tails. This erases all traces from your session on that computer.”

Read more

Security: Equifax Blame Game and Germany's Election Software

Filed under
Security

Security: Minnesota, Equifax, Virginia, Kaspersky, F-35

Filed under
Security

The Apache Software Foundation Blog: Apache Struts Statement on Equifax Security Breach (and More)

Filed under
Security

Security: Microsoft Won't Patch, Kaspersky Responds, EU Cyberwar Games

Filed under
Security
  • Microsoft won't patch Edge XSS vulnerability

    The flaw has been patched in recent versions of Google Chrome and WebKit-based browsers (such as Apple Safari for macOS and iOS), but not in Microsoft's Edge for Windows 10.

  • Microsoft shrugs off Windows kernel bug that can block malware detection

    "After digging into the matter, what started as a seemingly random issue proved to originate from a coding error in the Windows kernel itself. This flaw exists in the most recent Windows 10 release and past versions of the OS, dating back to Windows 2000."

    [...]

    "We [also] contacted MSRC [Microsoft Security Response Center] about this issue at the beginning of this year. They did not deem it as a security issue.

  • Kaspersky: Ex-NSA infosec expert asks FBI to put up or shut up

    Former NSA employee and information security expert Jake Williams has told the FBI to either provide proof to the public that Kaspersky Lab products are unsafe for use or keep mum.

  • EU hosts its first cyber war games

    "The goal of the exercise is to highlight a number of strategic concerns and topics that arise in connection with any hypothetical cyber crisis. This exercise should serve as a forum for discussion at ministerial level and provide strategic guidance to address future crises," it said.

  • Cyber alert: EU ministers test responses in first computer war game [iophk: "blanket ban Microsoft in the EU"]

    After a series of global cyber attacks disrupted multinational firms, ports and public services on an unprecedented scale this year, governments are seeking to stop hackers {sic} from shutting down more critical infrastructure or crippling corporate and government networks.  

Security: Equifax Fiasco Deepening, Apache STRUTS Blamed

Filed under
Security
  • Equifax Security Breach Is A Complete Disaster... And Will Almost Certainly Get Worse

    Okay, chances are you've already heard about the massive security breach at Equifax, that leaked a ton of important data on potentially 143 million people in the US (basically the majority of adults in America). If you haven't, you need to pay more attention to the news. I won't get into all the details of what happened here, but I want to follow a few threads:

    First, Equifax had been sitting on the knowledge of this breach since July. There is some dispute over how quickly companies should disclose breaches, and it makes sense to give companies at least some time to get everything in order before going public. But here it's not clear what Equifax actually did. The company has seemed almost comically unprepared for this announcement in so many ways. Most incredibly, the site that Equifax set up for checking if your data has been compromised (short answer: yeah, it almost certainly was...) was on a consumer hosting plan using a free shared SSL certificate, a funky domain and an anonymous Whois record. And, incredibly, it asked you for most of your Social Security Number. In short, it's set up in a nearly identical manner to a typical phishing site. Oh and it left open the fact that the site had only one user -- "Edelman" -- the name of a big PR firm.

  • Breach at Equifax May Impact 143M Americans
  • Equifax blames giant breach on vendor software flaw

    “My understanding is the breach was perpetuated via the Apache STRUTS flaw,” Meuler told The Post.

  • The hackers who broke into Equifax exploited a flaw in open-source server software

    The credit reporting agency Equifax announced on Sept. 7 that hackers stole records containing personal information on up to 143 million American consumers. The hackers behind the attack, the company said, “exploited a U.S. website application vulnerability to gain access to certain files.”

  • Apache Struts vulnerability affects versions since 2008

    A researcher discovered a remotely exploitable Apache Struts vulnerability being actively exploited in the wild and a patch was released, users urged to update software immediately.

    [...]

    Man Yue Mo, researcher at the open source software project LGTM.com run by software analytics firm Semmle, Inc., headquartered in San Francisco, disclosed the remotely executable Apache Struts vulnerability, which he said was "a result of unsafe deserialization in Java" and could lead to arbitrary code execution. Mo originally disclosed the issue to Apache on July 17, 2017.  

  • So, Equifax says your data was hacked—now what?

    Yesterday, the credit reporting agency Equifax revealed that the personal data of 143 million US consumers, as well as "limited personal information for certain UK and Canadian residents," was exposed by an attack exploiting security flaws in the company's website. Social Security numbers, dates of birth, addresses, and some drivers license numbers were all exposed—information which could be used to pose as individuals to gain access to financial accounts, open new ones in their names, or file fraudulent tax returns.

  • Are you an Equifax breach victim? You could give up right to sue to find out [Updated]

    By all accounts, the Equifax data breach is, as we reported Thursday, "very possibly the worst leak of personal info ever." The incident affects possibly as many as 143 million people.

    The breach, via a security flaw on the Equifax website, included full names, Social Security numbers, birth dates, addresses, and driver license numbers in some cases. Many of the affected consumers have never even directly done business with the giant consumer credit reporting agency.

  • Equifax won’t bar consumers from joining lawsuits related to breach

    Equifax announced on Friday it will not stop consumers from moving to join a class action lawsuit against the company, which suffered a severe breach on Thursday when hackers gained access to personal information belonging to 143 million people.

    The firm was forced to clarify its terms of service after it faced backlash when it appeared that in order to receive credit protection, consumers affected by the breach would have to give up their right to join a lawsuit over the hack.

Security: Equifax, The Shadow Brokers, Microsoft Does Not Care About Security

Filed under
Security
  • Equifax Is Proving Why Forced Arbitration Clauses Ought to Be Banned, Just Like the CFPB Wants to Do

    Equifax, the credit reporting bureau that on Thursday admitted one of the largest data breaches in history, affecting 143 million U.S. consumers, is maneuvering to prevent victims from banding together to sue the company, according to consumer protection advocates and elected officials.

    Equifax is offering all those affected by the breach a free, one-year credit monitoring service called TrustedID Premier, which will watch credit reports for suspicious activity, lock and unlock Equifax credit reports, scan the internet for Social Security numbers, and add insurance for identity theft. But the service includes a forced arbitration clause, which pushes all disputes over the monitoring out of court. It also includes a waiver of the right to enter into a class-action lawsuit.

  • Equifax and Correlatable Identifiers

    The typical response when we hear about these security problems is "why was their security so bad?" While I don't know any specifics about Equifax's security, it's likely that their security was pretty good. But the breach still occurred. Why? Because of Sutton's Law. When Willie Sutton was asked why he robbed banks, he reputedly said "cause that's where the money is."

    So long as we insist on creating huge honeypots of valuable data, hackers will continue to target them. And since no security is perfect, they will eventually succeed. Computer security is difficult because computer systems are non-linear—small errors can result in huge losses. This makes failure points difficult to detect. These failure points are not usually obvious. But hackers have a lot of motivation to find them when the prize is so large.

  • TheShadowBrokers group returns with NSA UNITEDRAKE hacking malware and promises more leaks

    UNITEDRAKE is a remote access hacking tool that can be used to target Windows machines. Modular in nature, the malware can be expanded through the use of plugins to increase its capabilities so it can capture footage from webcams, tap into microphones, capture keystrokes, and more.

  • The Shadow Brokers Unveil United Rake Toolkit and Double Monthly NSA Dump Frequency

    Most people have come to know The Shadow Brokers as a hacker collective that successfully infiltrated the NSA and took some of its goodies. Over the past year or so, we have seen most of these exploits released to the public. More powerful tools remain part of the collective’s monthly subscription service, which has been operational for nearly three months now. If certain tools could earn them money, they would much rather take that option.

    There were some interesting recent changes made by The Shadow Brokers. Instead of doing just one dump of exploits each month, they are shifting things into a higher gear. There will now be two dumps per month, which can still only be paid in ZCash. Their PDF file clearly states that they have no interest in Monero, which is pretty interesting. All of the previously issued dumps are now available for purchase as well, should someone want to see what those are all about.

    The August software is called United Rake, and it is quite a powerful tool. It is a “fully extensible remote collection system.” As one would come to expect, it is designed for the world’s most popular operating system, which is still Microsoft Windows. As is the case with every exploit unveiled by The Shadow Brokers, the release comes with its own detailed manual, allegedly created by and distributed to NSA staffers at some point.

  • Microsoft won't patch Edge browser content security bypass

    Which of Google, Apple and Microsoft think a content security bypass doesn't warrant a browser patch?

    Thanks to Cisco Talos security bod Nicolai Grødum, who found the cross-site scripting bug that affects older Chrome and Safari plus current versions of Edge, we know the answer is "Microsoft".

  • Bug in Windows Kernel Could Prevent Security Software From Identifying Malware
  • Bug In Windows Kernel Could Prevent Security Software From Identifying Malware

    "Malware developers can abuse a programming error in the Windows kernel to prevent security software from identifying if, and when, malicious modules have been loaded at runtime," reports Bleeping Computer. "The bug affects PsSetLoadImageNotifyRoutine, one of the low-level mechanisms some security solutions use to identify when code has been loaded into the kernel or user space. The problem is that an attacker can exploit this bug in a way that PsSetLoadImageNotifyRoutine returns an invalid module name, allowing an attacker to disguise malware as a legitimate operation.

Security: Updates, Election, Lenovo and Equifax

Filed under
Security
  • Security updates for Thursday
  • Security updates for Friday
  • Software to capture votes in upcoming national election is insecure

    The result of this analysis is somewhat of a "total loss" for the software product. The CCC is publishing its findings in a report of more than twenty pages. [0] The technical details and the software used to exploit the weaknesses are published in a repository. [1]

    "Elementary principles of IT-security were not heeded to. The amount of vulnerabilities and their severity exceeded our worst expectations", says Linus Neumann, a speaker for the CCC that was involved in the study.

  • The $3.5 Million Check Comes Due for Lenovo And Its Security-Compromising Superfish Adware

    You might recall that back in 2015, Lenovo was busted for installing a nasty bit of snoopware made by a company named Superfish on select models of the company's Thinkpad laptops. Superfish's VisualDiscovery wasn't just annoying adware however; it was so poorly designed that it effectively made all of Lenovo's customers vulnerable to HTTPS man-in-the-middle attacks that were relatively trivial for an attacker to carry out. More specifically, it installed a self-signed root HTTPS certificate that could intercept encrypted traffic for every website a user visits -- one that falsely represented itself as the official website certificate.

  • Equifax website hack exposes data for ~143 million US consumers

    Equifax, a provider of consumer credit reports, said it experienced a data breach affecting as many as 143 million US people after criminals exploited a vulnerability on its website. The US population is about 324 million people, so that's about 44 percent of its population.

    The data exposed in the hack includes names, Social Security numbers, birth dates, addresses, and, in some cases, driver license numbers. The hackers also accessed credit card numbers for 209,000 US consumers and dispute documents with personal identifying information for about 182,000 US people. Limited personal information for an unknown number of Canadian and UK residents was also exposed. Equifax—which also provides credit monitoring services for people whose personal information is exposed—said the unauthorized access occurred from mid-May through July. Equifax officials discovered the hack on July 29.

  • Why the Equifax breach is very possibly the worst leak of personal info ever

    It's a sad reality in 2017 that a data breach affecting 143 million people is dwarfed by other recent hacks—for instance, the ones hitting Yahoo in 2013 and 2014, which exposed personal details for 1 billion and 500 million users respectively; another that revealed account details for 412 million accounts on sex and swinger community site AdultFriendFinder last year; and an eBay hack in 2014 that spilled sensitive data for 145 million users.

Security: GPG Keysigning Protocol, Reproducible Builds, Struts and Android

Filed under
Security
  • GPG Keysigning Protocol

    With Randa approaching, I’ll be meeting some KDE people, some for the first time. So it’s time for another GPG keysigning! The usual approach to a GPG keysigning is to have Harald organise it, that ensures a maximum amount of abiding-by-rules. But .. he’s not going to be there, this year. So this post is a random bit of throw-information-out-there about how typical KDE event keysignings work, and an announcement of my own protocol in handling keysigning.

  • Reproducible Builds: Weekly report #123
  • 'Critical' RCE vulnerability found in open-source Struts framework
  • Boffins hijack bootloaders for fun and games on Android

    The team of nine researchers decided to look at a little-studied aspect of Android architecture – the interaction between OS and chip at power-up. To get inside that operation, they built a tool dubbed “BootStomp” “designed to locate problematic areas where input from an attacker in control of the OS can compromise the bootloader’s execution, or its security features”.

More in Tux Machines

today's leftovers

  • State of Linux Containers
    In this video from the Stanford HPC Conference, Christian Kniep from Docker Inc. presents: State of Containers. “This talk will recap the history of and what constitutes Linux Containers, before laying out how the technology is employed by various engines and what problems these engines have to solve. Afterward, Christian will elaborate on why the advent of standards for images and runtimes moved the discussion from building and distributing containers to orchestrating containerized applications at scale. In conclusion, attendees will get an update on what problems still hinder the adoption of containers for distributed high performance workloads and how Docker is addressing these issues.”
  • ONS 2018: Networking Reimagined
    For the past seven years, Open Networking Summit (ONS) has brought together the networking industry’s ecosystem of network operators, vendors, open source projects, leading researchers, and investors to discuss the latest SDN and NFV developments that will shape the future of the networking industry. With this year’s event, taking place March 26-29, 2018 in Los Angeles, ONS will evolve its approach as the premier open source networking event. We’re excited to share three new aspects of this year’s ONS that you won’t want to miss:
  • AT&T contributes code to Linux open source edge computing project
    The Linux Foundation recently announced a new project, dubbed Akraino, to develop an open source software stack capable of supporting high-availability cloud services for edge computing systems and applications. To kick off the project, AT&T will contribute code made for carrier-scale edge computing applications running in virtual machines and containers.
  • AT&T Brings Akraino Networking Project to Edge of the Linux Foundation
    The Linux Foundation has been particularly busy in 2018 thus far consolidating its existing networking project under a single umbrella, known as LF Networking. That umbrella might need to get a bit larger, as on Feb. 20 the Linux Foundation announced the new Akraino project, with code coming initially from AT&T.
  • FreeOffice 2016 – An Efficient Alternative to Microsoft Office
    FreeOffice 2016 is the latest version of the Office software from SoftMaker. In fact, you wouldn’t be wrong if you called it the free version of SoftMaker Office 2018 seeing as it features the same suite of applications.
  • Stellaris 2.0 'Cherryh' patch & Stellaris: Apocalypse expansion released, over 1.5 million copies sold
    Stellaris: Apocalypse [Steam], the latest expansion for the grand space strategy game from Paradox Development Studio is out. The big 2.0 'Cherryh' patch is also now available. Paradox has also announced today, that Stellaris has officially passed 1.5 million copies sold making it one of their most popular games ever made. I'm not surprised by this, as I consider Stellaris their most accessible game.
  • Action-packed platformer with local and online co-op 'Vagante' has left Early Access
    After being in Early Access for quite some time, the action-packed platformer 'Vagante' [Steam, Official Site] has now officially left Early Access.
  • Gentoo has been accepted as a Google Summer of Code 2018 mentoring organization
  • Getting Debian booting on a Lenovo Yoga 720
    I recently got a new work laptop, a 13” Yoga 720. It proved difficult to install Debian on; pressing F12 would get a boot menu allowing me to select a USB stick I have EFI GRUB on, but after GRUB loaded the kernel and the initrd it would just sit there never outputting anything else that indicated the kernel was even starting. I found instructions about Ubuntu 17.10 which helped but weren’t the complete picture. What seems to be the situation is that the kernel won’t happily boot if “Legacy Support” is not enabled - enabling this (and still booting as EFI) results in a happier experience.
  • Dell PowerEdge T30
    I just did a Debian install on a Dell PowerEdge T30 for a client. The Dell web site is a bit broken at the moment, it didn’t list the price of that server or give useful specs when I was ordering it. I was under the impression that the server was limited to 8G of RAM, that’s unusually small but it wouldn’t be the first time a vendor crippled a low end model to drive sales of more expensive systems. It turned out that the T30 model I got has 4*DDR4 sockets with only one used for an 8G DIMM. It apparently can handle up to 64G of RAM.
  • Quad-Ethernet SBC and controller tap new Renesas RZ/N1D SoC
    Emtrion’s Linux-ready “SBC-RZN1D” SBC, which will soon power a “Flex2COM” controller, features a Renesas dual-core -A7 RZ/N1D SoC and 4x LAN ports, and is designed for multi-protocol fieldbus communications. Emtrion, which recently announced its emCON-RZ/G1H module based on an octa-core Renesas RZ/G1H SoC, has unveiled a Renesas based, quad-LAN port SBC-RZN1D SBC focused on industrial communication. The SBC-RZN1D taps the Renesas RZ/N1D (R9006G032), one of a new line of RZ/N1D SoCs launched last year by Renesas for industrial multi-protocol communications. Renesas recently collaborated with Avnet to ship its own dual-Ethernet Renesas RZ/N1D Solution Kit (see farther below).
  • Postage-Stamp Linux
    There was a time when big operating systems ran on big iron. IBM, Data General, Burroughs, DEC, and other computer makers built big machines with big, blinking lights, and big price tags. They ran grown-up software and they supported multiuser operating systems. If you wanted a toy, you built a microcomputer. If you wanted a real machine for serious work, you bought a mainframe. Maybe a minicomputer, if it were for lesser tasks.
  • Most Popular Android Versions In February 2018 (Always Updated List)
    Android is the most used operating system on the planet. In fact, it’s almost omnipresent in the mobile ecosystem. Even the Android versions, like Nougat, Marshmallow, Lollipop, etc. have been able to build their individual fan following.

Red Hat and Fedora: David Egts, Radcom, Google Summer of Code 2018, FOSS Wave

  • Red Hat’s David Egts: Microservices Tech Could Help Simplify App Deployment
    David Egts, chief technologist for Red Hat’s public sector, told MeriTalk in an interview published Wednesday that the microservices technology works to help the developer split complex, large applications into small components and share them with other members of the DevOps team.
  • Radcom partners with Red Hat for NFV management
    Radcom announced it is collaborating with Red Hat to provide operators with a fully virtualized network visibility solution running on Red Hat OpenStack Platform. As operators transition to NFV, a critical first step is gaining end-to-end network visibility. This collaboration enables operators to attain cloud-native network visibility without the hassle of building their own private cloud infrastructure, the vendor said. Once the operator's transition to NFV matures, integration efforts with the NFV and MANO infrastructure can be simplified.
  • The Markets Are Undervaluing these stocks: Red Hat, Inc. (RHT), Xerox Corporation (XRX)
  • Meeder Asset Management Inc. Has $1.75 Million Holdings in Red Hat Inc (RHT)
  • Justin W. Flory: Humanitarian open source work: My internship at UNICEF
    In December, I received the happy news of an offer for a internship position at UNICEF in the Office of Innovation. The Office of Innovation drives rapid technological innovation by rapid prototyping of new ideas and building full-stack products to make a positive impact in the lives of children. This is a simple answer, but a more detailed description is on our website. My internship at UNICEF is unique: I support open source community engagement and research as my primary task for the MagicBox project. For years, I’ve done this in open source communities in my free time (namely SpigotMC and Fedora), but never in a professional role. As I navigate my way through this exciting opportunity, I plan to document some of the experience as I go through blogging. My intent is that my observations and notes will be useful to someone else in the humanitarian open source space (or maybe to a future me).
  • Fedora participating in Google Summer of Code 2018
    GSoC is a summer program aiming to bring more student developers into open source software development. It enables students to spend their summer break working with open source organizations on projects proposed by participating organizations and supported by mentors.
  • FOSS Wave with Fedora at KGISL, Coimbatore
    Recently, I was invited by Prem to NASSCOM to give a brief talk on FOSS and Technology as part of the FOSS Wave community. Prem is doing a great job there by putting his effort in helping students from Tier2 and Tier3 cities. Around twenty enthusiastic students were selected and invited to Bengaluru to take part in such events. Mine was one of them. I conducted a GitHub session after Intro to FOSS and a brief intro about Fedora Project.

OSS Leftovers

  • Comment: Many happy returns to open source
    Twenty years ago the phrase “open source” was first used and the development of software – and hardware – was changed forever. Very few designers today will not use some element of open source software in their development projects.
  • Percona Unveils Full Conference Session Schedule for the Annual Percona Live Open Source Database Conference 2018
  • Worth seeing in Barcelona: Open source for white box vRAN solutions
    News this week from cloud and carrier infrastructure platform company Kontron builds on our earlier coverage of the emerging virtual radio access network (vRAN); a promising technology that could help the evolution to 5G by maximising available bandwidth while lowering costs. The market for open vRAN solutions is gaining wider acceptance as operators seek more cost-effective approaches to network architectures and deployment. According to analyst firm Research and Markets, the growth of the vRAN market is expected to grow at a CAGR of approximately 125 per cent during the next three years.
  • Barcelona is the first city council to join the FSFE's "Public Money? Public Code!" campaign
  • Earlham Institute releases open source software to help identify gene families
    Researchers at Earlham Institute (EI) have released ‘GeneSeqToFamily’, an open-source Galaxy workflow that helps scientists to find gene families based on the ‘EnsemblCompara GeneTrees’ pipeline. Published in Gigascience, the open source Galaxy workflow aims to make researchers' job of finding gene families much easier.
  • 3 reasons to say 'no' in DevOps
    DevOps, it has often been pointed out, is a culture that emphasizes mutual respect, cooperation, continual improvement, and aligning responsibility with authority. Instead of saying no, it may be helpful to take a hint from improv comedy and say, "Yes, and..." or "Yes, but...". This opens the request from the binary nature of "yes" and "no" toward having a nuanced discussion around priority, capacity, and responsibility.
  • 5 rules for having genuine community relationships
    As I wrote in the first article of this three-part series on the power and importance of communities, building a community of passionate and committed members is difficult. When we launched the NethServer community, we realized early that to play the open source game, we needed to follow the open source rules. No shortcuts. We realized we had to convert the company in an open organization and start to work out in the open.
  • Rust Typestates
    A long time ago, the Rust language was a language with typestate. Officially, typestates were dropped long before Rust 1.0. In this entry, I’ll get you in on the worst kept secret of the Rust community: Rust still has typestates.
  • It's Time To Do CMake Right
    Not so long ago I got the task of rethinking our build system. The idea was to evaluate existing components, dependencies, but most importantly, to establish a superior design by making use of modern CMake features and paradigms. Most people I know would have avoided such enterprise at all costs, but there is something about writing find modules that makes my brain release endorphins. I thought I was up for an amusing ride. Boy was I wrong.

OpenBSD Gets Mitigated For Meltdown CPU Vulnerability

  • OpenBSD Gets Mitigated For Meltdown CPU Vulnerability
    A few days back FreeBSD 11 stable was mitigated for Meltdown (and Spectre vulnerabilities), which came more than one month after these nasty CPU vulnerabilities were disclosed while DragonFlyBSD was quickly mitigated and the first of the BSDs to do so. While OpenBSD is known for its security features and focus, only today did it land its initial Meltdown mitigation.
  • Meltdown fix committed by guenther@

    Meltdown mitigation is coming to OpenBSD. Philip Guenther (guenther@) has just committed a diff that implements a new mitigation technique to OpenBSD: Separation of page tables for kernel and userland. This fixes the Meltdown problems that affect most CPUs from Intel. Both Philip and Mike Larkin (mlarkin@) spent a lot of time implementing this solution, talking to various people from other projects on best approaches.

    In the commit message, Philip briefly describes the implementation [...]