[Beowulf] RHEL7 kernel update for L1TF vulnerability breaks RDMA

Jonathan Engwall engwalljonathanthereal at gmail.com
Sun Aug 19 12:02:33 PDT 2018


As far as vulnerabilities go, here is a terrible idea:
Write a little login patch that grabs your own email address and uses it
to attempt to login to Facebook without a password 1000 times per 
second. Kill the script after two seconds. You want to read the Facebook 
head first so you can kick all the noise to /dev/null. It is brute force 
based on a query.

On August 18, 2018, at 10:12 PM, John Hearns via Beowulf <beowulf at beowulf.org> wrote:

Rather more seriously, this is a topic which is well worth discussing,

What are best practices on patching HPC systems?

Perhaps we need a separate thread here.


I will throw in one thought, which I honestly do not want to see happening.

I recently took a trip to Bletchley Park in the UK. On display there was an IBM punch card machine and sample punch cards Back in the day one prepared a 'job deck' which was collected by an operator in a metal hopper then wheeled off to the mainframe. You did not ever touch the mainframe. So effectively an air gapped system. A system like that would in these days kill productivity.

However should there be 'virus checking' of executables  before they are run on compute nodes.

One of the advantages lauded for Linux systems is of course that anti-virus programs are not needed.


Also I should ask - in the jargon of anti-virus is there a 'signature' for any of these exploit codes? One would guess that bad actors copy the example codes already published and use these almost in a cut and paste fashion. So the signature would be tight loops repeatedly reading or writing to the same memory locations. Can that be distinguished from innocent code?











On Sun, 19 Aug 2018 at 05:59, John Hearns <hearnsj at googlemail.com> wrote:

To patch, or not to patch, that is the question:
Whether 'tis nobler in the mind to suffer
The loops and branches of speculative execution,
Or to take arms against a sea of exploits
And by opposing end them. To die—to sleep,
No more; and by a sleep to say we end
The heart-ache and the thousand natural shocks
That HPC is heir to: 'tis a consummation
Devoutly to be wish'd. To die, to sleep


On Sun, 19 Aug 2018 at 02:31, Chris Samuel <chris at csamuel.org> wrote:

On Sunday, 19 August 2018 5:19:07 AM AEST Jeff Johnson wrote:

> With the spate of security flaws over the past year and the impacts their
> fixes have on performance and functionality it might be worthwhile to just
> run airgapped.

For me none of the HPC systems I've been involved with here in Australia would 
have had that option.  Virtually all have external users and/or reliance on 
external data for some of the work they are used for (and the sysadmins don't 
usually have control over the projects & people who get to use them).

All the best,
Chris
-- 
 Chris Samuel  :  http://www.csamuel.org/  :  Melbourne, VIC



_______________________________________________
Beowulf mailing list, Beowulf at beowulf.org sponsored by Penguin Computing
To change your subscription (digest mode or unsubscribe) visit http://www.beowulf.org/mailman/listinfo/beowulf

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.beowulf.org/pipermail/beowulf/attachments/20180819/bc45bedb/attachment.html>


More information about the Beowulf mailing list