Update: It appears that we mischaracterized the conclusions in our title and our summary on this story. Greg KH was referring only to the ELF vulnerability in this story. Whether we were deliberately misled by the submitter of this story or not, we regret the error.
The original story: According to “Greg KH,” co-maintainer of the 2.6.x.y series of important stability and security fixes, the Linux kernel does not suffer from the much-hyped hyper threading vulnerability that affected the BSDs: “The main reason there have not been any updates, is that there really isn’t a problem for the 2.6 kernel. The original author has admitted this finally, no one was ever able to reproduce it on a 2.6 kernel. The only reason I released a kernel update, was at the time, we thought there was an off-chance that there was a problem. However in further testing, it has not been the case.” This confirms Linus’s earlier assertion.
Erm, gregkh is “Responding to the kernel ELF vulnerability”, and not to the “Hyper Threading Vulnerability”.
The article is about another vulnerability, in the ELF loader, and not the hyper-threading vulnerability.
The text and title of this story are completely wrong. Take it down and don’t turn OSNews into a “Bildzeitung”.
No fanboys here, just someone who actually attended Colin’s talk at BSDCan and is now laughing at the fact that nobody is taking him seriously among the Linux crowd.
To back this up I’m now laughing at the poster’s complete and utter lack of reading comprehension skills since the article covers an ELF vuln and simply mentions HT. It has nothing to do with HT other than HT “being overly hyped”.
Did the person who put this story up even review it?
Huh???
How do you know that he was not talking about the elf vulnerability?
I see no context for gregkh to respond specifically about the hyperthreading flaw, when the article is on the ELF flaw and no prior poster mentioned the hyperthreading flaw?!
He did not specifically name the flaw he was referring to.
I must be missing something.
I am honestly dumbfounded by just how stupid this submission is. You should post an immediate retraction and consider enacting an editorial review process prior to making submissions live, unless you’re shooting to compete with Slashdot for disrepute.
Wow... it’s almost three hours, and this piece of rubbish is still up.
Maybe it was not intentional FUD, as I suggested before – maybe it’s just an honest, transgalactic blunder.
Seriously, it looked too gross to be unintentional, but now it becomes likely that it is, because right now if there’s one thing that’s taking *lots* of damage, it’s OSNews’ reputation...
Still keeping the Adblock though. This is *too* gross... this kind of journalism doesn’t deserve support.
People have the idea right, but they definitely don’t have the tone right. Learn some manners, and get a life. People make mistakes, and you should all feel utterly ashamed for behaving like school children!
>>and you should all feel utterly ashamed for behaving like school children!
Why would they feel ashamed of something they are?
About the article, I like the Linus comments on HT and multiple cores. I would like to see more articles on that.
So, it seems that David Adams should have titled “No ELF vulnerability in 2.6 Linux kernels” instead of the current title.
I am sure he’ll change that as soon as possible. But I don’t expect David and co to be monitoring OSNews 24/24, and certainly not on a Sunday. So I’ll wait quietly, knowing that good news, even if absolutely false, doesn’t show any hostility to anyone, to anything, and definitely isn’t FUD.
I don’t think we’ll see a crowd of IT professionals running to their offices to turn on HT in all their Linux boxes today, just because they read that title. After all, only the OSNews editors make mistakes;o)
I feel bad for Eugenia that her once great site has deteriorated, and it’s not at all her (or the poster’s) fault. David Adams has posted many interesting pieces in the past and has no record of mistakes like this. Programmers (in general) do not know how to write well, and the post by GregKH lacks the context to be an unambiguous comment on the above story. That doesn’t mean it shouldn’t be taken down, and I’m sure it will eventually (or have an update appended).
No, the deterioration of OSNews happened when it stopped being a news site with the ability for users to post comments and started becoming slashdot without a metamoderation system. People are too quick to point out others’ flaws and likewise too quick to defend their own. Please, ignore the immature trolls. If you call them immature trolls, they whine and complain in mile-long responses. People like that complain about a lack of journalistic integrity, when they themselves have not a shred of integrity.
Now, my comment: I think it’s great how although the kernel devs couldn’t replicate the ELF vulnerability in Linux 2.6, they fixed the general class of vulnerabilities anyway. Commercial devs would never do this, and this is an example of open source development at its best. Linus’ handling of the HT vulnerability is open source at its not-so-best. It doesn’t matter how important a vulnerability is, as long as people know about it. This is fairly high-profile, so it should be dealt with. I perceive this case as a BSD dev trying to drive a wedge between BSD and Linux. It’s like gay marriage in the last US elections: not very important for the devs in the scheme of things, but high-profile and likely to swing customers from one side to another.
I have nothing against any of the BSDs. The politics/religions are different from Linux, but very few people deploy software based on those principles. Linux has more native software, far greater vendor support, and many more developers. Some of the BSDs might have already fixed the HT vulnerability, and that’s great. I’m sure Linux will be next, certainly before MS issues a fix for Windows. Linux doesn’t have to compete with BSD, because it’s already won. If you’re wondering, it was sometime around USB support becoming a necessary feature.
So, it seems that David Adams should have titled “No ELF vulnerability in 2.6 Linux kernels” instead of the current title.
Well, it’s not just the title... the whole story is mixed up and totally false.
So I’ll wait quietly, knowing that good news, even if absolutely false, doesn’t show any hostility to anyone, to anything, and definitely isn’t FUD.
It’s true that it would be good news for Linux users, but since there’s an open dispute over the HT security flaw, this *is* hostile to the reputation of those people who assert that the HT exploitability should be taken more seriously.
The piece also says “the Linux kernel does not suffer from the much-hyped hyper threading vulnerability that affected the BSDs”. It looks like the BSDs were the only ones affected, opposite to Linux and Windows. The truth is very different: the problem affects every OS (Windows, Linux, BSDs), and the BSDs, if anything, were the ones that patched it first. Hence, it’s more than conceivable to look at it as FUD.
Anyway, I admit that it’s very likely that the submitter did it in good faith – but it’s a really, really big blunder.
I’m just wondering why you believe that FreeBSD is any safer than Linux when it comes to the hyper-threading vulnerability. From what I’ve seen, they both employ the same “fix”, which is to simply disable HT. At least, I can’t draw any other conclusion from the FreeBSD security advisory here:
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-05:09…
It seems that their patches just disable HT, so they’re no less affected by this than Linux. Or have I read something wrong?
ulib: The truth is very different: the problem affects every OS (Windows, Linux, BSDs), and the BSDs, if anything, were the ones that patched it first. Hence, it’s more than conceivable to look at it as FUD.
On that note... (And I’m honestly curious here, because this is my understanding) I thought OpenBSD wasn’t affected by HT because it doesn’t even support HT? And with NetBSD it was still an open issue? (That was my understanding from Colin’s website.) And that for all others (like FreeBSD) the current “patch” is for the OS to turn off Hyperthreading? (Which is what I suggested in the last thread.)
People are too quick to point out others’ flaws and likewise too quick to defend their own. Please, ignore the immature trolls. If you call them immature trolls, they whine and complain in mile-long responses. People like that complain about a lack of journalistic integrity, when they themselves have not a shred of integrity.
Maybe I’m wrong (well, at least I hope so) but, after the previous comments, I feel this aimed at me. If this is the case, I’d ask you to provide something (even *one* link, for example) that actually questions my integrity.
If I’m wrong and I misunderstood, never mind.
On that note... (And I’m honestly curious here, because this is my understanding) I thought OpenBSD wasn’t affected by HT because it doesn’t even support HT? And with NetBSD it was still an open issue? (That was my understanding from Colin’s website.) And that for all others (like FreeBSD) the current “patch” is for the OS to turn off Hyperthreading? (Which is what I suggested in the last thread.)
Yes, OpenBSD wasn’t affected. The other BSDs basically turned off hyperthreading (not completely sure, but that’s my understanding).
The point is, they took action – quickly.
I agree with the others here that this news item is probably a mistake. I only found reference to GregKH working on the ELF problem: http://www.networksecurityarchive.org/html/VulnWatch/2005-05/msg000… . But even if it’s a mistake it’s an easy one to make.
Oh and it’s Sunday, so give David a break for not monitoring the site 24/7 for god’s sake.
ulib: Yes, OpenBSD wasn’t affected. The other BSDs basically turned off hyperthreading (not completely sure, but that’s my understanding).
The point is, they took action – quickly.
Which is nice. But you can already turn off hyperthreading in the BIOS. (Unless there’s a systemboard that doesn’t have that option that I’m unaware of.)
Anyway... I’m waiting for when someone does something more drastic. (In case that is not obvious.)
(BTW… It is not my intention to offend you. I know we had a long discussion in the last thread and I just wanted to point that out. Anyway… I think I’ll bow out now, since what I was curious about has been reasonably confirmed.)
After reading some other people’s comments (mainly Tyr’s), I really think it was a bad overreaction when I called the submitter a FUDster. Even if the story is totally false and disinforming (and even if the blunder IMHO is a major one...) that was quite out of line: apologies to Mr. Adams.
Also, just for the record, the OSNews ads on my screen are back where they were before, and where they should be.
But *please*, clarify things and make it even.
Personally I’ve no horses in this race, but this story is very badly disinforming, even if involuntarily, about security issues that are still very open and debated.
I kind of hope he leaves it up. It’s entertaining watching people have spaz attacks over this. They get so excited when they get to correct others’ mistakes.
Haha. I didn’t read the article, but if the FreeBSD fix just disables HT then what is everyone in a hissy about the other OSes not “fixing” it? Like someone said, you can turn it off in the BIOS. The FreeBSD fix is just a workaround if that is the case. Don’t get all high and mighty on FreeBSD (my second favorite OS) if they aren’t actually fixing the problem while allowing HT to stay on.
From what I’ve understood, “fixing” it is not trivial. That’s why they provided a workaround.
What you and the other poster seem not to realize is that the difference here is not about who provided a *complete and satisfactory fix* and who didn’t – there is no such fix right now.
The difference is about who provided a *solution* (even if only a workaround) to the security flaw, like FreeBSD & the other BSDs, and who refused to even acknowledge it and/or preferred to downplay its relevance, like Microsoft and most Linux vendors.
But this discussion has already been done in another thread:
http://osnews.com/comment.php?news_id=10690
ulib: From what I’ve understood, “fixing” it is not trivial. That’s why they provided a workaround.
Agreed.
ulib: What you and the other poster seem not to realize is that the difference here is not about who provided a *complete and satisfactory fix* and who didn’t – there is no such fix right now.
The difference is about who provided a *solution* (even if only a workaround) to the security flaw, like FreeBSD & the other BSDs, and who refused to even acknowledge it and/or preferred to downplay its relevance, like Microsoft and most Linux vendors.
And what you don’t understand is that the “simple” fix was implemented before the problem was ever reported, because it’s in the BIOS. If you care, go into the BIOS and turn off hyperthreading. No need for an OS to do that for you (that I’m aware of anyway). The OS vendors basically didn’t do anything except “satisfy” the people who thought it was the OS’s problem. In other words, it appears to be a political fix, not a technical one. (Unless as I mentioned before, there’s some systemboards without the option to turn it off. Which I’ll admit is a possibility, since I don’t have one of every single one. If there is such a systemboard then it is indeed a very good thing that they put the patch in.)
Now does a more “complete” fix need to be implemented? That is what is being looked into. Reality is, if one does need to be implemented, we aren’t even sure who is responsible for it. (Hardware? OS? Library?)
ulib: But this discussion has already been done in another thread.
True. (Anyway... I said I wouldn’t post in this thread anymore, but since I got a “response”, kind of, I decided I should address it.)
This thread makes me feel sad about humanity.
lol! This incident is even being reported at Slashdot as we speak!
http://slashdot.org/comments.pl?sid=151108&cid=12674286
lol! I can’t believe how this has exploded into an international scandal!
The difference between OSNews and Slashdot is that Slashdot posters usually have some quite funny and witty comments. Here people just yell “IS TOO!” “IS NOT!” without any good comments.
If someone at Slashdot makes a mistake, posters just crack a joke about it. At OSNews, people go mad and start yelling and accusing others. Sorry boys, Slashdot may not be the most professional site, but at least it’s funnier to read.
Linux doesn’t have to compete with BSD, because it’s already won. If you’re wondering, it was sometime around USB support becoming a necessary feature.
“NetBSD was the first free OS to provide USB support, and was using USB on Apple Power Macintosh machines before Apple had MacOS X even booting.”
http://www.my.netbsd.org/Misc/features.html#usb
I hate even comparing the two (as I find OSNews far superior to Slashdot for my needs), but I find it telling that people are so shocked, upset, disappointed, and offended by an inaccurate and misleading article like this on OSNews. However, as noted by another poster, on Slashdot, such articles just seem to roll off most posters’ shoulders and become the brunt of further jokes. Posts like this are actually considered to be “normal” on Slashdot.
Okay now my point…keep up the good work Eugenia & Co., it’s obvious that despite the dissenting voices of a couple of loud trolls, your site is considered to be a relatively credible news and information source for most of us, hence all of the discontent over this article.
C’mon people, everybody makes mistakes, get over it. I find it hard to believe that all of the critics posting here have never accidentally spread misinformation at some point.
Actually, I got an update on my Ubuntu box for this about half a week ago. At least as far as I remember it was for this.
Just for the record, I also prefer OSNews among those two (by far). That’s why totally misinforming articles like these are a huge disappointment: they’re not usual here.
Even if I simply write comments here and there, I try very hard to be accurate – and I’d say I succeed: for god’s sake, it’s not *that* difficult...
The one thing I really miss at OSNEWS is the humour which one finds at Slashdot. If one *tries* to be humorous here their comment will likely get mod’ed down. Note, I emphasize the word try; often humour manages to appear in these forums even if only accidentally and/or un*witt*ingly.
I have been following the tech industry fairly intensively off and on for the past 20 years. In that time I have come to find that ‘journalism’ is simply overstated: 90% of everything in tech media is pure hype and speculation and the vast majority of those writing about it have extremely little knowledge to draw on; of course there are some exceptions. I do not blame OSNEWS for any of this. That OSNEWS succeeds in publishing at least a handful of well-written, thoughtful and knowledgeable articles per week amidst the torrent of brain-dead techno-babble, which is the norm for the industry, is actually something for which the OSNEWS folks deserve credit.
Plus it should be noted here: this was a ‘weekend’ article and for us regulars here ‘weekend’ articles are always somewhat ‘fun’. ‘Weekend’ articles are those articles which appear on OSNEWS when there are no moderators around or monitoring the discussions going on. One can safely assume these people also have a life, probably with families etc., you know, typical human things. And when these articles are published the semi-professional trolls come out in full force. They know the posts aren’t being moderated and it is kind of like a free license to say whatever they want to, which often boils down to horrific tirades of BS, some of which is quite offensive, often interlaced with sexist and racist diatribes which are extremely offensive.
Anybody who thinks that moderators here are deliberately posting misinformation should go and visit their local shrink: you have spent too much time reading Robert Anton Wilson and having nightmares about the Illuminati.
“karl (IP: —.dip.t-dialin.net)” wrote:
>The one thing I really miss at OSNEWS is the humour which one finds at Slashdot.
Many Slashdot readers think misinforming is funny.
Apparently, many OSNews readers don’t. But IMHO this is a *good* thing…
[Btw I wrote far too much in these two days, this is my last comment for a while – over and out]
The way I see it the Linux scheduler could certainly be changed to defeat attempted cache based attacks on hyperthreaded processors, but is it needed? I mean there are numerous obstacles to any sort of real-world exploit of this vulnerability. From what I can tell the attacker must be able to run a CPU-intensive program on the target system – without being noticed – and ensure that it remains on the same hyperthreaded processor as the cryptographic process. The data channel as we all know is noisy at best, and it will be made much more so by any other processes running on the system. You would also have to time the attack by knowing when the target process is performing cryptographic calculations, rather than doing something else, which is tricky. Getting past all these roadblocks is likely to keep a wannabe key thief busy for some time...
turn off HT if you are that worried… but I am not
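The check the thread keeps circling back to is whether hyper-threading is actually off on a given Linux box, whether that was done in the BIOS or by the OS. As an added example (not code from the original thread or from any of the projects discussed), the function below parses the /proc/cpuinfo format and reports SMT as active when a physical package exposes more logical CPUs (“siblings”) than “cpu cores”; the sample cpuinfo text is constructed, and the sysfs path is the kernel’s later SMT control file, which the thread does not mention.

```python
"""Report whether SMT / hyper-threading is active on a Linux host.

Added example, not code from the original thread. Two sources are used:
the kernel's sysfs SMT knob (newer kernels) and a parse of /proc/cpuinfo
(works on kernels of the era the thread discusses).
"""
from typing import Dict, Optional, Tuple

# Path exists on kernels that expose SMT control; older kernels lack it.
SYSFS_SMT_ACTIVE = "/sys/devices/system/cpu/smt/active"


def parse_cpuinfo(text: str) -> Dict[str, Tuple[int, int]]:
    """Return {physical id: (siblings, cpu cores)} from /proc/cpuinfo text.

    Each logical CPU is a block of "key : value" lines ended by a blank
    line. 'siblings' counts logical CPUs in the package, 'cpu cores'
    counts physical cores; they differ only when SMT is enabled.
    """
    packages: Dict[str, Tuple[int, int]] = {}
    block: Dict[str, str] = {}
    for line in text.splitlines() + [""]:   # trailing "" flushes last block
        if not line.strip():
            if "physical id" in block:
                packages[block["physical id"]] = (
                    int(block.get("siblings", "1")),
                    int(block.get("cpu cores", "1")),
                )
            block = {}
            continue
        key, _, value = line.partition(":")
        block[key.strip()] = value.strip()
    return packages


def smt_active(cpuinfo_text: str) -> bool:
    """True if any package has more logical CPUs than physical cores."""
    return any(sib > cores for sib, cores in parse_cpuinfo(cpuinfo_text).values())


def smt_state_from_sysfs(path: str = SYSFS_SMT_ACTIVE) -> Optional[bool]:
    """Read the kernel's SMT state; None if this kernel has no such file."""
    try:
        with open(path) as fh:
            return fh.read().strip() == "1"
    except OSError:
        return None


# Constructed samples: one package with 2 cores, 4 vs 2 logical CPUs.
SAMPLE_HT_ON = (
    "processor\t: 0\nphysical id\t: 0\nsiblings\t: 4\ncpu cores\t: 2\n\n"
    "processor\t: 1\nphysical id\t: 0\nsiblings\t: 4\ncpu cores\t: 2\n"
)
SAMPLE_HT_OFF = (
    "processor\t: 0\nphysical id\t: 0\nsiblings\t: 2\ncpu cores\t: 2\n\n"
    "processor\t: 1\nphysical id\t: 0\nsiblings\t: 2\ncpu cores\t: 2\n"
)

if __name__ == "__main__":
    state = smt_state_from_sysfs()
    if state is None:                       # fall back to /proc/cpuinfo
        try:
            with open("/proc/cpuinfo") as fh:
                state = smt_active(fh.read())
        except OSError:
            state = None
    print("SMT active on this host:", state)
```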
I can’t believe the title and summary hasn’t been changed yet!! Someone please, do something!
Adding insult to injury this post is now up on Slashdot:
“No ELF Vulnerability in 2.6 Kernel
Posted by Hemos on Monday May 30, @11:10AM
from the good-news-bear dept.
gaijincory writes “Greg KH, the co-maintainer of the 2.6 kernel has posted a comment on lwn.net confirming that there is indeed no such ELF vulnerability as spelled out by Paul Starzetz on isec. The bug was originally thought to be particularly nasty, allowing a malicious user to gain elevated privileges using a carefully crafted binary which would exploit the kernel’s Executable and Linking Format. The bug’s author confirmed that no one has been able to repro the exploit.”
took care of the update and posting stuff like crazy
Delete it, that would show regret.
If I deleted the story, it would be interpreted as us trying to hide the fact that we made the mistake in the first place. I’d rather have the correction on the record, so any discussion of the incorrect story or the correction can be placed in their correct context.
The one thing I really miss at OSNEWS is the humour which one finds at Slashdot. If one *tries* to be humorous here their comment will likely get mod’ed down. Note, I emphasize the word try; often humour manages to appear in these forums even if only accidentally and/or un*witt*ingly.
You ain’t kidding on that last part. I keep a text file on my desktop to collect the funniest spelling errors/typos I come across, and almost all of them come from the OSNews comments section.
“on mass” = en mass
“for all intensive purposes” = “for all intents and purposes”
“died in the whool” = “dyed in the wool”
“server allergies” = “severe allergies”
“premisquess ” = promiscuous
“Common poeple” = “come on, people, …”
“provail” = prevail
“technicien” = technician
“pooring” = pouring
“heatred” = hatred
“holy grale” = holy grail
“flexibel” = flexible
“reprocutions” = repercussions
“blote” = bloat
“plunty” = plenty
My apologies, it looks like you were missed off the mailing list when the important email went out in regards to humour. It has been banned across the globe. Fun may lead to a five year jail term and £1,000,000 fine or hanging. It is most important to remain emotionless or the world will end. It’s vital that we show the next generation how to keep the world safe... before it’s too late.
Act now !!!
I suppose your en mass is in fact the french en masse ?
Why are you (OSNews) posting stories that haven’t been proven true? What happened to good journalism?
I think it is clear that OSNews is biased towards Linux, by downplaying any vulnerabilities to their precious OS Linux.
“Why are you (OSNews) posting stories that haven’t been proven true? What happened to good journalism? I think it is clear that OSNews is biased towards Linux, by downplaying any vulnerabilities to their precious OS Linux.”
Actually, journalism is not a science but an art. It is dynamic rather than static. Actually, I have observed a pro MicroSilly bias.
That aside, at least, I am able to come in here and voice my opinion or proverbial two-cents worth. I think trolls on both sides of the OS line should remember Carl Sagan’s BS detector. Please note the Law of the Excluded Middle.
The two extremes while loud generally don’t represent the majority of facts in the middle.