KPTI + Retpoline Linux Benchmarking On Old Laptops


  • linuxgeex
    replied
    Originally posted by Luke

    Privacy is a way of life, and it's not just what you do with computers.

    EDIT: if you never bank online and never give your bank your email address, you also know that ALL emails claiming to come from your bank are "something phishy" and not to do anything they ask you to do.
    I agree wholeheartedly with these. I also understand that all security comes at the cost of some inconvenience, and that inconvenience has an actual dollar value in my personal time, and I'm prepared to spend a certain amount of money and risk a certain amount of money (risk:reward balance) even if using online banking and debit cards at merchants increases my attack surface and reduces my privacy (obviously not as much as using credit cards.)

    So for example, the debit card I use is on a zero-fee "chequing" account that never has more than $200 in it unless I am making a larger purchase. When I want to make a larger purchase then I transfer the appropriate funds in a small time window to making the purchase, and so there's never more than $200 at risk. I use a VirtualBox VPS with a snapshot of a running XUbuntu 16.10 livecd, and it connects using a VPN to a Google Compute instance so even if my wifi is compromised it is safe. Each user on my host has encfs and the host disk has LVM+LUKS-Crypt. The VPS runs under a different user than my desktop user, and I view its desktop via VNC. I enter the password manually, but the VPN password and card number are in a snapshot which I restore after every session, so even if the browser is hacked it will be undone and the hacker will need to be hacking me in the time window that I'm using the banking... 2-3 minutes at most. The risk is then primarily a keylogger on the host, in my user account. I'm prepared to live with that tiny risk given how little correlation there is to the banking data, and my password looks like PHP code, which I'm entering for hours a day.

    That isn't what I consider a significant attack surface risk cost vs the definitely real costs of making physical appearances at my bank, and regularly advertising to strangers that I carry cash! You have your safety priorities... I have mine. :-)
    Last edited by linuxgeex; 22 January 2018, 07:56 PM.

    Leave a comment:


  • tajjada
    replied
    Originally posted by GreenReaper

    Sure, here you go (search for "To disable this fix"). It improved things for one of my artist friends who was running into major issues.
    Thank you!!

    Leave a comment:


  • cybertraveler
    replied
    Thanks GreenReaper

    Leave a comment:


  • GreenReaper
    replied
    They were having trouble streaming and creating artwork while using two monitors, something they did on a regular basis before.

    They didn't go into a huge amount of detail, but graphics tablet operations can involve 100-200Hz inputs with associated messaging and user/kernel transitions followed by immediate low-latency graphics operations, and of course streaming can be heavy on the CPU and GPU as well. Artists can't always update to the latest and greatest tech so it is likely that they had an older CPU without INVPCID.

    They reported that applying the registry settings and rebooting resolved the problem.
    Last edited by GreenReaper; 18 January 2018, 01:09 PM.

    Leave a comment:


  • cybertraveler
    replied
    Originally posted by GreenReaper

    Sure, here you go (search for "To disable this fix"). It improved things for one of my artist friends who was running into major issues.
    What kind of issues? Stability? Performance? I'm curious.

    Leave a comment:


  • GreenReaper
    replied
    Originally posted by tajjada
    I know a Linux forum is perhaps not the best place to ask this, but people here tend to be much more technically-knowledgeable than on any Windows-centered website.

    Does anyone know if there is a way to disable the exploit mitigations on Windows? Does Windows have an equivalent to "nopti noretpoline" in the Linux cmdline?

    I have a Windows machine where I don't care about security. I want my performance back.
    Sure, here you go (search for "To disable this fix"). It improved things for one of my artist friends who was running into major issues.

    Leave a comment:
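
A defender-side check tied to two points raised in the thread (the `nopti noretpoline` boot parameters and the note about older CPUs without INVPCID), added here as an example and not posted by any participant: it reports PCID/INVPCID support from `/proc/cpuinfo` text and lists mitigation-disabling parameters found on a kernel command line. The function names are hypothetical, and `noretpoline` is taken as spelled in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): audit a Linux host's position
# with respect to KPTI/retpoline from text the kernel already exposes.

# True if WORD ($2) is one of the space-separated tokens in LIST ($1).
has_word() {
    case " $1 " in
        *" $2 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Report PCID/INVPCID support from /proc/cpuinfo-style text ($1).
# Prints one of: pcid+invpcid | pcid-only | none
pcid_support() {
    # Take the value of the first "flags" line only (one per logical CPU).
    flags=$(printf '%s\n' "$1" |
        sed -n 's/^flags[[:space:]]*:[[:space:]]*//p' | head -n 1)
    if has_word "$flags" pcid && has_word "$flags" invpcid; then
        echo "pcid+invpcid"
    elif has_word "$flags" pcid; then
        echo "pcid-only"
    else
        echo "none"
    fi
}

# List parameters in a kernel command line ($1) that switch mitigations off.
# "noretpoline" is as written in the thread; the rest are mainline options.
disabled_mitigations() {
    out=""
    for p in nopti pti=off noretpoline nospectre_v2 spectre_v2=off mitigations=off; do
        if has_word "$1" "$p"; then out="${out:+$out }$p"; fi
    done
    echo "${out:-none}"
}

# Live check, only when the script is run with --live on a Linux host.
if [ "${1:-}" = "--live" ]; then
    echo "PCID support:     $(pcid_support "$(cat /proc/cpuinfo)")"
    echo "Disabled at boot: $(disabled_mitigations "$(cat /proc/cmdline)")"
    for f in meltdown spectre_v2; do
        v=/sys/devices/system/cpu/vulnerabilities/$f
        if [ -r "$v" ]; then echo "$f: $(cat "$v")"; fi
    done
fi
```

On a fleet, any result other than `none` from `disabled_mitigations` is worth flagging, since it means someone deliberately booted the host without the protections.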


  • Luke
    replied
    Originally posted by linuxgeex

    My bank's online banking works fine with fingerprinting disabled (date/fonts/canvas/media APIs etc) in ScriptSafe, and only scripts from the bank website allowed. Cookies, yes I let them use cookies. They have my card number, lol, they know it's me. I'm not trying to pretend I'm not me. The reason to disable fingerprinting and cookies when accessing a business website that you trust your identity with, is to prevent leaking that identity to other sites. Disabling 3rd party scripts and content effectively prevents that, so I could even enable the other fingerprinting methods, if my bank required them.
    I actually regard all online banking as too dangerous even if you could guarantee the security of your computers, because it increases the attack surface against your bank account. If a merchant's computer is compromised or a skimmer gets attached to your bank's own ATM, you will get much less argument about reversing fraudulent transactions. I also recommend withdrawing your money in the form of cash as you use it, buying with cash and not debit cards to deny merchants that information, and never registering products or participating in mail-in rebate programs, surveys, warranty registrations, etc. You want the product, not the telemarketing calls, spam, junk mail (and maybe subpoenas and search warrants) generated by your personal information being bought and sold.

    If you doubt what I said about subpoenas and warrants, one argument raised against noncash (EZ-Pass only) toll roads has been that divorce lawyers can subpoena travel records generated by them to track the whereabouts of a spouse suspected of having some action on the side. Counter to that one of course is not to use the offending roads or own an EZ-pass.

    Privacy is a way of life, and it's not just what you do with computers.

    EDIT: if you never bank online and never give your bank your email address, you also know that ALL emails claiming to come from your bank are "something phishy" and not to do anything they ask you to do.
    Last edited by Luke; 17 January 2018, 10:28 PM.

    Leave a comment:


  • linuxgeex
    replied
    Originally posted by Luke

    I would never bank online both because of the security arms race (no guarantees for anyone) and because banks would probably have to block my machines due to my refusal to ever unblock fingerprinting code and sites. As for buying games online etc, I do not pay for content at all and do not handle paid files at all. Thus, a banking and financial exploit that always worked and could never be blocked would not be a factor. It is attempts to log browsing history, verify authorship of controversial anonymous postings, and steal encryption keys that I worry about - and guess what, the basic exploits are probably the same no matter what the payload. A banking trojan and an FBI CIPAV can probably both be installed using the exact same vulnerabilities.

    This was enough that I had to replace all browsers as soon as they have been rebuilt to mitigate SPECTRE, and thankfully do not use any Intel boxes with branch prediction (vulnerable to Meltdown) online at all. Since Spectre is about using timing to export data, FF devs have modified FF to greatly reduce the resolution of any timing information exported by the browser. This both blocks the obvious ways to use JS on it with Spectre and probably (not sure if this is always through the new code) also weakens clock skew as a fingerprinting tool.

    Another defense is always blocking a website from using JS (code run on your machine!) at initial load and never letting unknown or untrusted sites use it at all. A random porn site carrying keyloggers and trojans (haha...) can't get you if you don't allow it to run scripts and just treat it as broken when it doesn't load images or video as a result. A malicious ad with a ransomware payload probably won't be seen at all.

    One advantage most Linux users will get is this: even the best of cross-platform exploits are usually used by cops and criminals alike to install Windows malware unless a known Linux user is individually targeted. For instance, the whole Freedom Hosting mess was the use by the FBI of a vulnerability in certain versions of Firefox to install FBI spyware in Tor users' computers if they visited certain .onion (Tor-only) sites on Freedom Hosting. I do not know if the server-side malware was only on the targeted kiddie porn sites or all sites on Freedom Hosting. Here's the kicker: the server side code leveraged a cross-platform exploit, but the code it installed (the CIPAV) only ran on Windows! On top of all else, the installer also required JavaScript. Thus, the only vulnerable users were those who ran an obsolete version of Torbrowser on Windows and enabled JS on the offending site.

    The FF vulnerability was a memory issue, so I suspect that use of SPECTRE or Meltdown by the FBI or even the NSA would also follow this model. Not a guarantee though, as if you are known to use Linux and are individually targeted they won't waste their time on Windows payloads. Fortunately for most readers here, the FBI is reluctant to deploy CIPAVs or other spyware against anyone considered a hacker, for fear it will be detected and captured rather than do its job. Once it gets decompiled and the resulting source published, they lose both the ability to hide it (virus scan authors etc will target it) and to keep it from being re-used the way the NSA's Eternal Blue exploit was re-used by ransomware creeps.
    My bank's online banking works fine with fingerprinting disabled (date/fonts/canvas/media APIs etc) in ScriptSafe, and only scripts from the bank website allowed. Cookies, yes I let them use cookies. They have my card number, lol, they know it's me. I'm not trying to pretend I'm not me. The reason to disable fingerprinting and cookies when accessing a business website that you trust your identity with, is to prevent leaking that identity to other sites. Disabling 3rd party scripts and content effectively prevents that, so I could even enable the other fingerprinting methods, if my bank required them.

    Leave a comment:


  • linuxgeex
    replied
    With the System V message passing micro-benchmark, the Thinkpad W510 was dragged down to 32% performance.

    Dragonfly BSD is an attempt to produce a kernel that relies more on message passing. This probably explains why the Retpoline patch hammered Dragonfly so badly.

    I wonder how Dragonfly would fare on the Thinkpad W510.

    Leave a comment:


  • cybertraveler
    replied
    Well put stormcrow.

    Leave a comment:
