Riseup Security Bulletin

As you have probably read, there are three related security problems in contemporary CPUs. These vulnerabilities open the potential for a nefarious program to steal passwords, secrets, and personal information from your computer, even if the program is just JavaScript loaded from a web site you visit. These vulnerabilities are as serious as they sound, and you should take action to upgrade your software.

* The first flaw, called “Meltdown,” affects nearly all Intel CPUs and has been fixed with updates to most operating systems.

* The two other flaws, called “Spectre,” apply to nearly all CPUs built in the last 20 years, not just Intel, although they are more difficult to exploit. There are no permanent fixes for Spectre available at this time, although if you update your software you will make these attacks much less likely.

You should take *both* these steps now, for all your devices:

(1) Upgrade your web browser (see below). These fixes make the new attacks against CPUs much more difficult.

(2) Upgrade your operating system. There are updates available for Windows, macOS, and GNU/Linux that fix the Meltdown vulnerability for Intel CPUs and provide some mitigations for Spectre. Additionally, new releases of iOS and Android have mitigations for Spectre.

Better fixes will continue to arrive in the next weeks/months for your operating system and software. Please keep your system up to date!

Browsers
————————-

By updating your browser, you can make it significantly harder for an attacker to steal secrets off your computer using Javascript loaded from a web site you visit.

Firefox version 57.0.4 and later includes mitigation measures against the Spectre attack [1].

Edge has been updated to include Spectre mitigations. When you apply the latest Windows update, you will get the new version of Edge.

Safari will be updated very soon, according to Apple. Check the App Store updates.

Chrome will include Spectre mitigations starting with version 64, to be released Jan 23. In the meantime, you can change your configuration to greatly mitigate against the Spectre vulnerability by enabling “site isolation”: https://support.google.com/chrome/answer/7623121?hl=en

Additionally, please see https://riseup.net/en/better-web-browsing for instructions on best practices for securing your web experience (which will also help mitigate against these new attacks).

Windows


For Windows 10, you must first upgrade any anti-virus software before upgrading Windows. Failure to do so may make your computer stop working. [2]

To upgrade Windows 10:

> Select the Start button, and then go to Settings > Update & security > Windows Update, and select Check for updates.

Now is a good time to enable automatic updates:

> Select the “Start” button, then select “Settings” > “Update & security” > “Windows Update” > “Advanced options” and then under “Choose how updates are installed”, select “Automatic (recommended)”.

If you are running Windows 7 or 8, an update is also available.

macOS


If you already have macOS version 10.13.2 then you are protected against Meltdown [3]. Otherwise, to upgrade macOS:

> Open the App Store app on your Mac. Click “Updates” in the App Store toolbar, then use the “Update” buttons to download and install any updates listed.

Now is a good time to enable automatic updates:

> Select the Apple menu, then select “System Preferences” > “App Store” > “Automatically check for updates”.

Apple plans to soon release an update to the Safari browser to provide some mitigation against Spectre.

iOS


Apple has said that iOS is affected by Spectre, and an update to mitigate against most of the new attacks has been released. If you have iOS version 11.2 or later, then you are good [3]. To check for new updates, go to Settings > General > Software Update.

Android


The bad news is that Android is vulnerable to Spectre and unless you have a Google-branded phone or run a custom firmware you might not get an update for months, if ever. However, the consensus among security researchers at the moment is that the Spectre attack is difficult enough that there are probably easier ways to compromise an Android device. Yeah?

There is one thing you can do now to make your Android device safer against these new CPU attacks:

* Turn on “site isolation” in Chrome: https://support.google.com/chrome/answer/7623121?hl=en
* Upgrade Chrome Browser after Jan 23.
* Alternately, use Firefox for Android.

Debian/Ubuntu GNU/Linux


Run “Software Center” or “Software Updater.”

Alternately, open a terminal and type:

sudo apt update
sudo apt upgrade
sudo reboot

Fedora GNU/Linux


Open a terminal and type:

sudo dnf --refresh update kernel
sudo reboot
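
After the reboot on Debian, Ubuntu or Fedora, you can ask the running kernel what it reports about Meltdown and Spectre. The script below is an added example, not part of the Riseup bulletin; it assumes a kernel that exposes the /sys/devices/system/cpu/vulnerabilities directory (Linux 4.15, or a distribution kernel with the fixes backported), and the function names are made up for this illustration.

```shell
#!/bin/sh
# Added example: report the running kernel's own view of Meltdown/Spectre.
# Assumption: patched kernels expose one status file per flaw in this sysfs
# directory; if it is missing, the kernel most likely predates the fixes.
SYSFS_VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# classify_status TEXT -> prints ok | vulnerable | unknown
classify_status() {
    case "$1" in
        "Not affected"*|"Mitigation:"*) echo ok ;;
        "Vulnerable"*)                  echo vulnerable ;;
        *)                              echo unknown ;;
    esac
}

# check_cpu_vulns [DIR] -> prints one line per flaw.
# Returns 0 if every flaw is ok, 1 if any is vulnerable or unknown,
# 2 if the status directory does not exist at all.
check_cpu_vulns() {
    _dir=${1:-$SYSFS_VULN_DIR}
    _rc=0
    if [ ! -d "$_dir" ]; then
        echo "no status directory at $_dir: kernel likely not updated"
        return 2
    fi
    for _flaw in meltdown spectre_v1 spectre_v2; do
        if [ -r "$_dir/$_flaw" ]; then
            _text=$(cat "$_dir/$_flaw")
            _verdict=$(classify_status "$_text")
        else
            _text="(not reported)"
            _verdict=unknown
        fi
        echo "$_flaw: $_verdict - $_text"
        [ "$_verdict" = ok ] || _rc=1
    done
    return $_rc
}

# Check the live system only when invoked as: sh check.sh run
if [ "${1:-}" = run ]; then
    check_cpu_vulns
fi
```

A "vulnerable" or "unknown" line after updating means the installed kernel does not yet carry that mitigation, so keep applying updates as they arrive.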

Stay safe, keep strong,
The Riseup Birds

[1] https://www.mozilla.org/en-US/security/advisories/mfsa2018-01/
[2] http://www.theregister.co.uk/2018/01/04/microsoft_windows_patch_meltdown/
[3] https://support.apple.com/en-us/HT208394


Threatened with the sack for speaking out against cuts: defend Louise Harrison and South Yorkshire Women’s Aid!

Cautiously pessimistic

As changes to housing benefit and general austerity cuts threaten the future of domestic violence refuges all over the country, Doncaster has seen a particularly determined and long-lasting campaign in defence of the local Women’s Aid shelter. Now, Louise Harrison, a worker at the service who has been heavily involved in campaigning to keep it open in the face of funding cuts, has received a letter threatening the future of her employment contract. According to reports from local campaigners:

“Since the campaign to save the service began, Louise and volunteers of the services have vocally opposed the council’s decision to not fund the service past December 2017.

The trustees however have opted to attempt to water down the campaign and work to silence Louise and others attached to the service, by putting pressure on Louise and others to stay positive about the council.

The trustees who are members…


Vulnerable to disruption…

We’ve written a few pieces about the situation at the Amazon distribution facility at Tilbury where atrocious working conditions were exposed by an undercover reporter from the Mirror back in the autumn. Here they are:
Are Amazon digging a hole for themselves at Tilbury? https://southessexstirrer.wordpress.com/2017/12/01/are-amazon-digging-a-hole-for-themselves-at-tilbury/
Amazon workers are fighting back https://southessexstirrer.wordpress.com/2017/11/28/amazon-workers-are-fighting-back/
Dark, Satanic warehouses… https://southessexstirrer.wordpress.com/2017/11/27/dark-satanic-warehouses/

The southern part of Essex is a major logistics hub with facilities clustered around West Thurrock, Tilbury, London Gateway and along the northern fringes of Basildon by the A127. Although we’ve focused on Amazon so far, it has to be acknowledged that there are worse employers in the region. Bearing all of this in mind, it was with great interest that we read this piece from The Conversation: Modern capitalism has opened a major new front for strike action – logistics https://theconversation.com/modern-capitalism-has-opened-a-major-new-front-for-strike-action-logistics-89616

At the moment, given the weakness of the…


Spain gives 12 Musicians 2 years Jail each for Subversive Lyrics + Rodrigo Lanza jailed Again

The Free

translated from La Directa https://directa.cat/

The Spanish National Court has condemned the twelve rappers of the group La Insurgencia to two years and a day of jail each, accused of the crimes of ‘supporting terrorism’ in their lyrics, a sentence that automatically gives jail time. The High Court also condemned them to pay fines of 4,800 euros and nine years of absolute disqualification from public jobs.

During the trial, the Prosecutor’s Office argued that the songs of La Insurgencia “advocate a violent method to combat a system that [the accused] consider unfair”. “Now it’s time to appeal to the Supreme Court,” said Saúl Zaitsev, one of the condemned members of La Insurgencia. But this will take years and meanwhile 12 people have their lives destroyed because some government members don’t like their lyrics. And of course many other artists will take note and self censor their work.


Occupy Bournemouth Homeless Sanctuary evicted, re-taken, evicted again.

Wessex Solidarity

Homeless are doing it for themselves in Bournemouth.

The kitchen re-built yesterday

The site was partially evicted on the 2nd January by high court bailiffs and police, re-squatted almost immediately and the infrastructure re-built. A second, even more heavy-handed eviction took place earlier this morning 5th January. Dorset police, who can barely be arsed to turn out these days for burglary and arson unless someone dies, were complicit in the destruction of the residents’ personal effects. A.C.A.B.

Friday afternoon

The landlord, local ‘businessman’ Ammar Alkhiami (above, centre) has been described by capitalist-apologists Dorset Echo as a refugee from the Syrian Civil War.

Let us be clear, Mr Alkhiami is not a refugee, he is a capitalist. Let’s not confuse him with the unfortunates at Calais or adrift on the high seas. He entered this country with sufficient funds to set himself up as a property speculator and proprietor of numerous…


Introduction to supporting prisoner resistance, London, 13 January, and upcoming prisoner birthdays

First direct action of 2018! 2nd Jan, save Bournemouth’s autonomous homeless sanctuary and get the year off to a flying start …

Game on!

Wessex Solidarity

Come to Bournemouth on 2nd Jan 2018, Exeter rd, opposite the Bournemouth International Centre (BIC), and help stop the eviction of our town’s homeless and their supporters, you will be assured of a warm welcome and a hot drink.

Bailiffs like to take us unawares so we’re asking people to be on site by 06:00 – yeah, we know, but one day your grandchildren will ask: “what did you do in the Class War?” The greater the numbers, the more relaxed the day will be.

If you like, come on new year’s day and camp overnight, there’s plenty to eat, and supporters on call to fetch supplies.

Homeless are doing it for themselves in Bournemouth.

This fancy vehicle, reg. LD06 SRV belongs to the firm of property speculators that are threatening our community. If you see them, have a word.
