Monthly Archives: December 2018

Breaking Up the Crypto-Criminal Bar Brawl | Best of ECT News


This story was originally published on the E-Commerce Times on Sept. 25, 2018, and is brought to you today as part of our Best of ECT News series.

As if e-commerce companies didn’t have enough problems with transacting securely and defending against things like fraud, another avalanche of security problems — like cryptojacking, the act of illegally mining cryptocurrency on your end servers — has begun.

We’ve also seen a rise in digital credit card skimming attacks against popular e-commerce software such as Magento. Some of the attacks are relatively naive and un-targeted, taking advantage of lax security on websites found to be vulnerable, while others are highly targeted for maximum volume.

Indeed, it’s so ridiculous that there are websites such as MageReport.com and Mage Scan that will provide scans of your website for any client-facing malware.

As for server-side problems, you might be out of luck. A lot of e-commerce software lives in a typical LAMP stack, and while there is a plethora of security software for Windows-based environments, the situation is fairly bleak for Linux.

For a long time, Linux enjoyed a kind of smug arrogance with regard to security, and its advocates pooh-poohed the notoriously hackable Windows operating system. However, it’s becoming ultra clear that it’s just as susceptible, if not more so, for specific software such as e-commerce solutions.

Crumbling Roads and Bridges

Why have things seemingly gotten so much worse lately? It is not that security controls and processes have changed dramatically. It’s more that the attacks have become more lucrative, more tempting, and easier to get away with, thanks to the rise of cryptocurrency. It allows attackers to generate money quickly, easily and, more important, anonymously.

Folks — this is the loudspeaker — our digital roads and bridges are falling down. They are old and decrepit. Our security controls and processes have not kept pace with the rapid advancement of malware, its ease of use, and its coupling with a new range of software that allows attackers to hide their trails more effectively.

Things like cryptocurrency, however, are just the symptom of a greater issue. That issue is the fact that the underlying software foundations we’ve been using ever since the first browsers appeared are built on a fundamentally flawed architecture.

Whole New World

The general purpose operating system that allowed every company to have a whole slew of easy-to-use desktop software in the 90s, and that built up amazingly large Internet companies in the early 2000s, has an Achilles heel. It is explicitly designed to run multiple programs on the same system — such as cryptominers on the server that runs your WooCommerce or Magento application.

It is an old concept that dates back to the late 1960s, when the first general purpose operating systems, such as Unix, were introduced. Back then, the computers had a business need to run multiple programs and applications on them. The systems back then were just too big and too expensive not to. They literally filled entire walls.

That’s not the case in 2018. Today our computers are “virtual,” and they can be taken down and brought up with the push of a button — usually by other programs. It’s a completely different world.

Now for end user computing devices such as personal laptops and phones, we want this design characteristic, as we have the need to use the browser, check our email, use the calendar and such. However, on the server side where our databases and websites live, it’s a flaw.

Wild Party

This seemingly innocuous design characteristic is what allows attackers to run their programs, such as cryptominers, on your servers. It is what allows attackers to insert card skimmers into your websites. It is what allows the attackers to run malware on your servers that try and shut down other pieces of malware in order to remain the dominant attacker.

Yes, you read that right — many of these variants now have so much free rein on so many thousands of websites that they literally fight against each other for your computing resources. This is how bad it’s gotten. It’s as if the cryptocriminals threw a party at your house while you were gone and then got into a big brawl and tore up all your furniture and ransacked your house. Then they woke up the next day and laughed all the way to the bank.

This isn’t the only way to deploy software, though. Consider famous software companies such as Uber, Airbnb, Twitter and Facebook. If you talk to their engineers, they’ll tell you that they already have to isolate a given program per server — in this case, a virtual machine. Why? It’s because they simply have too much software to begin with.

Instead of dealing with a single database, they might have to deal with hundreds or thousands. Likewise, the old concept of allowing multiple users on a given system doesn’t make a lot of sense anymore. It has evolved to the point where identity access management lives outside of the single server model.

Locking Out the Hackers

Unikernels embrace this new model of software provisioning and enforce it at the same time. They run only one single application per virtual machine (the server). They cannot, by design, run other programs on the same server.

This completely prevents attackers from running their programs on your server. It prevents them from downloading new software onto the server and massively limits their ability to inject malicious content, such as credit card skimming scripts and cryptomining programs.

Instead of scanning for hacked systems or unpatched systems waiting to be attacked, you could even run outdated software that has known bugs in it, and these same styles of attacks would fall flat, as there would be no capability to execute them. This is all enforced at the operating system level and backed by isolation baked into the hardware.

Are we going to continue to let the cryptocriminals run free on our servers? How are you going to call the cops on people you can’t even see who might live halfway around the world? Don’t fall prey to the notion that hackers are natural disasters and it’s only inevitable that they’ll get you one day. It doesn’t need to be like that. We don’t have to deploy our software like we are using computers from the 1970s. It’s time that we rebuilt our digital infrastructure.


Ian Eyberg is CEO of NanoVMs, based in San Francisco. A self-taught expert in computer science, specifically operating systems and mainstream security, Eyberg is dedicated to initiating a revolution and mass-upgrading of global software infrastructure, which for the most part is based on 40-year-old tired technology. Prior to cracking the code of unikernels and developing a commercially viable solution, Eyberg was an early engineer at Appthority, an enterprise mobile security company.






HAMMER2 File-System Performance On DragonFlyBSD 5.4.1


BSD --

With the newly released DragonFlyBSD 5.4.1 having a lot of HAMMER2 file-system work on top of all of the changes introduced by DragonFlyBSD 5.4 at the start of December, here is a fresh look at the HAMMER versus HAMMER2 file-system performance on this BSD operating system.

Using an Intel Core i9 7960X test system with Intel 800p 128GB NVMe SSD, fresh benchmarks were carried out of DragonFlyBSD 5.4.1 when installed with a root HAMMER file-system and again with the latest HAMMER2 file-system option that has matured quite nicely over the DragonFlyBSD 5.x releases.

This quick testing is just looking at the HAMMER vs. HAMMER2 file-system performance. Besides the performance, HAMMER2 offers a lot of features not found in the original HAMMER design. The latest HAMMER2 design information can be found here.

All of these BSD storage benchmarks were carried out using the Phoronix Test Suite.

SQLite was operating much faster with HAMMER2.

BlogBench that simulates the web server workload of running a web blog was yielding reads much faster on HAMMER2 but writes were faster with HAMMER1.

The CompileBench compile task was much faster on HAMMER2.

But in the I/O heavier initial create process, the original HAMMER was faster as of DragonFlyBSD 5.4.1.

HAMMER2 was faster for PostgreSQL with both reads and writes.

The FIO synthetic tests didn’t yield much of a difference except for 4K sequential writes being faster.

More tests, including a comparison against FreeBSD with ZFS, coming up as we get ready for more exciting benchmarks in 2019.


NXP PowerPC Processors Finally Being Mitigated Against Spectre V2 With Linux 4.21


SECURITY --

Nearly one year after the Spectre vulnerabilities were first published, Freescale/NXP PowerPC processors are being mitigated against Spectre Variant Two with the in-development Linux 4.21 kernel.

Queued for merging into Linux 4.21 is the Spectre V2 mitigation for these NXP PowerPC Book3E processors. Their approach is to flush the branch predictor whenever the privilege level changes and on every kernel entry, to protect against user-space-to-user-space attacks and user-space attacks against the kernel. In the case of KVM virtualization, the branch predictor is flushed at each KVM entry as well.

For those who want to forego this mitigation to avoid the likely performance impact, the code does support a nospectre_v2 kernel command line parameter (the same as on x86-based platforms) that disables this frequent branch predictor flushing.

The NXP developers working on this Spectre V2 mitigation haven’t shared any figures on its expected performance cost.

The mitigation is landing as part of the PowerPC changes. That pull also has POWER DMA code changes, support for generating their system call tables from a text file, fixes to the transactional memory support, and other low-level changes.


Adiantum & Streebog Sent In For Linux 4.21 Along With Various Crypto Performance Boosts


LINUX KERNEL --

The crypto subsystem changes for the Linux 4.21 kernel were sent in this morning and they are quite exciting.

Most notably, Adiantum was added as Google’s replacement for their original Speck plans for supporting data encryption on low-end Android Go devices that lack native crypto extensions on the CPU/SoC. Adiantum’s performance beats out Speck and, most importantly, it doesn’t carry the concerns that surrounded Speck over its having been developed by the NSA and potentially back-doored.

The Adiantum changes are part of this pull request, which builds atop XChaCha12/XChaCha20. With this Adiantum work also comes various performance improvements around ChaCha20 on ARM64 and x86 (x86_64), NEON / SSE2 / AVX2 acceleration for HPoly, and other crypto performance work.

Staged separately is the Adiantum support for fscrypt so the likes of EXT4 and F2FS can then offer up this encryption support. Those fscrypt changes are expected to be pulled in too for Linux 4.21.

Also part of this pull request is the addition of the Streebog hashing function. Streebog was developed by the Russian FSB security services and other organizations. At the moment there doesn’t appear to be any in-kernel user of Streebog lined up.

More details on all of the crypto improvements for Linux 4.21 via this pull request.


The Most Popular Intel Linux News & Reviews Of 2018


INTEL --

With less than one week until the new year, here is a look back at the most popular Intel Linux/open-source news of 2018, among all of our other end-of-year articles.

It was certainly an eventful year for Intel: their OpenCL NEO driver came about, the Iris Gallium3D driver took shape for next-gen OpenGL, their ANV Vulkan driver continued to keep up with the latest Vulkan specs, and Clear Linux continued to deliver leading Linux performance. There were initial performance hits in dealing with the Spectre/Meltdown mitigations, although by the end of the year many optimizations are fortunately in place. We also heard just recently that Raja Koduri and others at Intel are working on open-sourcing the FSP, there is more excitement building around Intel discrete graphics, and much more.

Of 255 Linux/open-source-oriented news articles written this year about Intel, below is a look at the twenty most popular:

Intel Rolls Out Their New CPUs With Radeon Vega M Graphics
Kicking off CES 2018, Intel launched their new CPUs featuring integrated Radeon Vega M Graphics.

ODROID Rolling Out New Intel-Powered Single Board Computer After Trying With Ryzen
While ODROID is most known for their various ARM single board computers (SBCs), some of which offer impressive specs, they have dabbled in x86 SBCs and on Friday announced the Intel-powered ODROID-H2.

AMD Contributes 8.5x More Code To The Linux Kernel Than NVIDIA, But Intel Still Leads
Given all the new hardware enablement work going into the Linux kernel recently, I was curious how the code contributions were stacking up by some of the leading hardware vendors… Here are those interesting numbers.

Fedora 29 Succeeds At Flicker-Free Boot Experience On Intel Hardware
After optimizing the Linux laptop battery life last cycle, Hans de Goede of Red Hat has been working on Fedora 29 to provide a “flicker-free” boot experience. A Linux desktop flicker-free boot has been talked about for a decade or longer but with Fedora 29 and using Intel graphics that is finally becoming a reality.

Google Makes Disclosure About The CPU Vulnerability Affecting Intel / AMD / ARM
We’re finally getting actual technical details on the CPU vulnerability leading to the recent race around (K)PTI that when corrected may lead to slower performance in certain situations. Google has revealed they uncovered the issue last year and have now provided some technical bits.

Intel Releases New BSD-Licensed Open-Source Firmware Implementation
At the European Open-Source Firmware Conference happening this week in Erlangen, Intel announced the open-source “Slimbootloader” (also referred to as Slim Bootloader) project that is quite exciting.

Clear Linux Shedding More Light On Their “Magic” Performance Work
If you have been a Phoronix reader for any decent amount of time, you have likely seen how well Intel’s Clear Linux distribution continues to run in our performance comparisons against other distributions. The developers behind this Linux distribution have begun a new blog series on “behind the magic” for some of the areas they are making use of for maximizing the out-of-the-box Linux performance.

To No Surprise, Intel’s Discrete GPU Efforts Will Support Linux Gaming
It should come as virtually no surprise to any regular Phoronix reader given the significant investment Intel makes to Linux via their Open-Source Technology Center with working on Mesa for their Vulkan/OpenGL drivers and related components, but their discrete GPU undertaking will support Linux gaming alongside Windows.

The First Benchmarks Of The Intel-Powered ODROID-H2 $111 Board
Last month ODROID announced an Intel-powered single board computer after their experimenting with a Ryzen SBC hadn’t panned out for this company known for their high-performance ARM SBCs. The ODROID-H2 has begun shipping as this $111 USD Intel x86_64 quad-core board while for your viewing pleasure today are some initial performance benchmarks of this board.

Intel Working On Open-Sourcing The FSP – Would Be Huge Win For Coreboot & Security
Intel’s Architecture Day on Tuesday was delightfully filled with an overwhelming amount of valuable hardware information, but Intel’s software efforts were also briefly touched on. In fact, Raja Koduri reinforced how software is a big part of Intel technology and goes hand-in-hand with their security, interconnect, memory, architecture, and process pillars, and that’s where their new oneAPI initiative will fit in. But what we learned afterwards was the most exciting news on the software front.

Intel Open-Sources LLVM Graphics Compiler, Compute Runtime With OpenCL 2.1+
Now it’s clear why Intel hasn’t been working on the Beignet code-base in months as they have been quietly working on a new and better OpenCL stack and run-time! On open-source Intel OpenCL you can now have OpenCL 2.1 while OpenCL 2.2 support is on the way.

Intel MPX Support Will Be Removed From Linux – Memory Protection Extensions Appear Dead
Back in April was a discussion about dropping MPX support from the Linux kernel but no action taken. Now though an Intel developer is preparing to see this Memory Protection Extensions functionality removed from the mainline Linux kernel.

Intel Has Quietly Been Working On A New Gallium3D Driver Being Called “Iris”
After resisting Gallium3D for the past decade with a preference on continuing to maintain their “i965” Mesa classic driver and all they’ve invested into its compiler stack and more, it seems times are changing as the open-source Intel team has been starting up development of a modern Gallium3D driver.

Intel Prepares “Enhanced IBRS” As Better Spectre V2 Protection For Future CPUs
An Intel engineer has today published a patch providing support for enhanced IBRS within the Linux kernel, which aims to provide better Spectre Variant Two protection by default with future generations of Intel CPUs.

Intel Begins Teasing Their Discrete Graphics Card
Don’t expect the Intel discrete gamer graphics card to come until 2020, but with the SIGGRAPH graphics conference happening this week in Vancouver, they have begun teasing their first PCI Express graphics card.

Intel Clears Up Microcode Licensing Controversy – Simpler License, Allows Benchmarking
Over the past day online there has been lots of controversy following some high-profile sites reporting about Intel’s “un-friendly microcode license update” and its “ban on benchmarking”, among other catch phrases. It’s now been officially cleared up by Intel with a simpler license that doesn’t forbid benchmarking, allows distribution vendors to redistribute these binary files to their users, and doesn’t have any other nastiness integrated into the legal text.

GCC 9 Looks Set To Remove Intel MPX Support
Last year we reported on GCC deprecating Intel Memory Protection Extensions (MPX) and now it looks like with GCC 9 they will be dropping the support entirely.

Intel Open-Sources Sound Firmware, Pushing For More Open Firmware
Imad Sousou, Intel’s GM of the Open-Source Technology Center, had some interesting remarks to make during his keynote today as part of this week’s Embedded Linux Conference in Portland.

Intel Posts Updated Microcode Files For Linux
In the wake of Meltdown and Spectre, Intel yesterday released new microcode binaries for Linux systems.

What Makes GLIBC 2.27 Exciting To The Clear Linux Folks
Released at the beginning of February was Glibc 2.27 and it’s comprised of a lot of new features and performance improvements. But what’s the best of Glibc 2.27?

And the ten most popular Intel Linux reviews/benchmarks this year on Phoronix:

Further Analyzing The Intel CPU “x86 PTI Issue” On More Systems
2018 has been off to a busy start with all the testing around the Linux x86 PTI (Page Table Isolation) patches for this “Intel CPU bug” that potentially dates back to the Pentium days but has yet to be fully disclosed. Here is the latest.

POWER9 Benchmarks vs. Intel Xeon vs. AMD EPYC Performance On Debian Linux
For several days we’ve had remote access to one of the brand new Raptor Talos II Workstations that is powered by POWER9 processors and open-source down through the firmware. For those curious how these latest POWER processors compare to AMD EPYC and Intel Xeon processors, here are some benchmarks comparing against a few of the other systems in house, with all testing done from Debian GNU/Linux.

Ubuntu 18.04 LTS vs. Fedora 28 vs. Clear Linux Benchmarks
Given last week’s release of Ubuntu 18.04 LTS and then Fedora 28 having debuted earlier this week, I decided to see how these popular tier-one Linux distributions now compare to Intel’s own Clear Linux platform. This three-way Linux distribution comparison was carried out on six systems comprising both Intel and AMD CPUs.

The Ubuntu Linux Performance Over The Past Six Years On An Intel Xeon Server
In needing to make some room in the racks for some new hardware and some other interesting platforms on the way, I’ve retired the last of the Intel Nehalem era hardware at Phoronix that was still used for occasional historical Linux performance tests… I decided to take this Sun Microsystems SunFire X4170 server with dual Intel Xeon E5540 (Nehalem EP) processors for a final spin before pulling it from the racks. Here is a look at how the near-final Ubuntu 18.10 Linux performance compares to that of Ubuntu 12.10.

Intel Graphics On Ubuntu: GNOME vs. KDE vs. Xfce vs. Unity vs. LXDE
For those wondering how the Intel (U)HD Graphics compare for games and other graphical benchmarks between desktop environments in 2018, here are some fresh benchmarks using GNOME Shell on X.Org/Wayland, KDE Plasma 5, Xfce, Unity 7, and LXDE.

AMD Ryzen 3 2200G + Ryzen 5 2400G Linux CPU Performance, 21-Way Intel/AMD Comparison
Yesterday I posted some initial Linux benchmarks of the Ryzen 5 2400G Raven Ridge APU when looking at the Vega 11 graphics, but for those curious about the CPU performance potential of the Ryzen 5 2400G and its ~$100 Ryzen 3 2200G sibling, here are our first CPU benchmarks of these long-awaited AMD APUs. These two current Raven Ridge desktop APUs are compared to a total of 21 different Intel and AMD processors dating back to older Kaveri APUs and FX CPUs and Ivy Bridge on the Intel side.

Raptor Talos II POWER9 Benchmarks Against AMD Threadripper & Intel Core i9
For those curious about the performance of IBM’s POWER9 processors against the likes of today’s AMD Threadripper and Intel Core i9 HEDT processors, here are some interesting benchmarks as we begin looking closer at the POWER9 performance on the fully open-source Raptor Talos II Secure Workstation. This open-source, secure system arrived for Linux testing with dual 22-core POWER9 CPUs to yield 176 total threads of power.

Arch Linux vs. Antergos vs. Clear Linux vs. Ubuntu Benchmarks
Last week when sharing the results of tweaking Ubuntu 17.10 to try to make it run as fast as Clear Linux, it didn’t take long for Phoronix readers to share their opinions on Arch Linux and the request for some optimized Arch Linux benchmarks against Clear Linux. Here are some results of that testing so far in carrying out a clean Arch Linux build with some basic optimizations compared to using Antergos Minimal out-of-the-box, Ubuntu Server, and Clear Linux.

macOS 10.14 Mojave vs. Ubuntu 18.04 LTS vs. Clear Linux Benchmarks
With macOS Mojave having been released earlier this week, I’ve been benchmarking this latest Apple operating system release on a MacBook Pro compared to Ubuntu 18.04.1 LTS with the latest updates as well as Intel’s high-performance Clear Linux rolling-release operating system to see how the performance compares.

8-Way Linux Distribution Benchmarks On The Intel Core i9 9900K – One Distro Wins 67% Of The Time
Following last week’s release of the Intel Core i9 9900K, I spent several days testing various Linux distributions on this latest Core i9 CPU paired with the new ASUS Z390-A PRIME motherboard. I was testing not only to see that all of the Linux distributions were playing fine with this latest and greatest desktop hardware but also how the performance was looking. Benchmarked this round on the i9-9900K was Ubuntu 18.04.1 LTS, Ubuntu 18.10, Clear Linux 25720, Debian Buster Testing, Manjaro 18.0-RC3, Fedora Workstation 29, openSUSE Tumbleweed, and CentOS 7.