A Call For Calm Panic
Let’s get to the panic first. Possibly the biggest security vulnerabilities of the last twenty years were announced yesterday (no, I’m not kidding.)
Twitter is aflutter with seemingly contradictory assessments from all corners. If you want a link repository, Bruce Schneier is (as per usual) a good source.
So here’s the “I was up until 2am reading about this” assessment takeaways. Warning: I’m only 1/2 through my coffee.
#1: Corporate-speak aside, you need to treat this as if these potentially affect essentially every type of processor. Not just Intel, but AMD and ARM processors. That means it will possibly affect every computer and mobile device regardless of operating system, unless the device was built prior to 1995. Mac OSX, Mac iOS, Windows, Linux, Android. There are individual processors that may be immune, but unless you’re a real computer geek odds are *very* good you should proceed as if the hardware under your hood is vulnerable.
#2: You are probably only marginally more at direct risk today than you were yesterday. If you’re the sort of person who online banks using the same computer that you use to surf random strange porn and you open every chain letter you get from your Crazy Uncle Bob, you’re probably going to get nailed really soon now… but that’s a semiannual occurrence for you so you’re probably used to it. On the other hand, if you’re a reasonably cautious person, you’re probably only at slightly elevated risk, and if you’re a cautious person (for example, if you only online bank from a computer that you don’t use for anything else and you always keep it updated) you’re probably fine as far as your own behavior is concerned.
#3: Unless you’re an absolute paranoid about computer activity, you really ought to manually check for updates for all of your operating systems/browsers/other software routinely for the next couple of weeks, every time you use your computer, and apply the patches when they are available. Don’t rely on automatic updates; you want the fixes as soon as they come off the shelf for this one.
#4: Side channel attacks on processors are not new. Anybody who says this is unprecedented, unexpected, unforeseeable, or somehow a giant surprise ought to not be taken seriously when it comes to technology and security. If you’re talking to your IT guy today and (s)he says otherwise, start looking for a better IT guy.
#5: This appears to affect machines across a hypervisor. For the average person out there, this is gobbledegook, but in practical terms prices will go up for cloud services like AWS. Right now people I know offering cloud services are *freaking* out trying to make sure that customers who have virtual machines sitting on the same host as other customers’ virtual machines can’t actually attack each other through the hosting company’s platform. Anecdotally, AWS appears to be retiring at least some virtual machine instances permanently. This will impact small businesses and contractors who get web services from cloud services. The next couple of weeks are going to be icky.
#6: This is a *huge* deal in terms of net impact. This microprocessor vulnerability requires re-engineering at the hardware level to fix. You’re talking about a design cycle of redesigning, changing production lines, the whole shebang. Your IT folks are going to be preoccupied for months, if they’re any good… this is going to affect their decisions about purchasing cycles and everything else.
#7: Sometime in the next two years, a major data breach will occur at a major organization that has not patched this vulnerability. That may or may not affect you, but hey, at least you can’t do anything about it 🙂
What does this (otherwise) mean for you?
A: Fixing this in software results in a 5-30% loss of compute power; not a hell of a huge impact on today’s desktops and laptops, but for your phone this is going to probably drive you crazy. When you patch your phone, expect it to suck. If your phone is reasonably new, don’t run out to buy a new phone, because the new phone (until the chips make their way through the hardware cycle, see #6) will have the same problem. If your phone is really old (>3 years) changing to a new phone is probably a good idea anyway: you’re losing 5-30% of the compute power of a device that’s two-five times stronger than what you’re using now.
B: If you’re planning on buying a new computer in the next six months, maybe wait. Check back here for more.
C: If you got a new computer for Christmas and you haven’t unboxed it, maybe take it back. Depends upon how badly you need it.
D: Really, really take this opportunity to be more organized about your security profile. If you online bank, do it from a single device that you *don’t* use for anything else; if you must online bank on multiple devices, for heaven’s sake don’t let one of those devices be something that you let your kids use to download random files from the Internet.
E: Use this as an excuse to stop opening mail from Crazy Uncle Bob.
F: Give your IT folks a break. They’re going to be really grumpy for the foreseeable future.
First off, the CEO of Intel just sold a bunch of stock before this announcement.
That guy should be publicly shamed.
Second off, I’m waiting to hear that the (acronym) knew about this for years and years and years.
Third off, if you are a young person wondering what they should do with their life, have you considered IT? Get a CASP if you’re an engineer type, get a CISSP if you’re more into sitting in meetings.
Concur with all three.
What’s interesting is after Snowden’s dump revealed a lot of NSA tricks in the goodie bag, this didn’t come up. So it’s possible that “alphabet-soup-agency” hadn’t found this trick yet…
I’ll offer an alternate explanation: Tax avoidance. Per TCJA, he would likely pay about 5% more of his gains to the Federal Govt after Jan 1, 2018. Living in CA with a base salary of $10M, he surely will max the SALT deduction of $10k. So any incremental tax paid to CA at 13.3% would no longer be deductible on his Federal income tax. He ain’t the only one either. Lots of folks rushed at EOY to pull income into 2017.
This is one of the tricks in TCJA to make things look rosy for 2018 election, but that is another discussion.
Because the Equifax data breach wasn’t enough of a pain…
That was just standard inexcusable negligence; this one is serious.
But think of all the new opportunities for inexcusable negligence this will create!
Bigger and better!
What if I watch semi-normal porn in Incognito windows?
Asking for a friend.
It’s less about the actual content than about how shady the sites hosting it are.
That said, I’ve been getting a lot of browser-redirecting ads on my phone from (non-porn) sites I would have expected to be pretty trustworthy. It looks like some of the ad networks are allowing advertisers to embed JavaScript in their ads, which may mean all bets are off pretty much everywhere.
I guess I use most of the more common streaming sites? I don’t (knowingly) download anything.
I mean he… he… my friend…
Exploiting this in javascript requires a browser bug as well as a vulnerable CPU (in order to give javascript access to the high-precision timing information required). However, if the browser bug and vulnerable CPU are present, you don’t have to download anything to be affected.
The latest Windows 10 update included a fix for Edge (and, probably incomplete, mitigation for everything) and the Chrome and Firefox fixes are scheduled for around January 23.
Reports earlier today that the latest Microsoft update is semi-bricking some machines that have AMD processors. Machines won’t boot normally, but will support a re-installation of the OS. Later reports speculate that MS distributed an Intel patch that didn’t check for non-Intel processors.
But.. I really really want/need a new computer… six months? Really? God(ess?) damn it!
You can get one now if you’re willing to look at the speed and get rid of 30% of whatever you see.
Hell, you can probably get some good deals!
Exactly this.
I am infinitely too cheap to buy a brand new machine and write off 30% of its processing power. Hell, I was already struggling because buying premade machines seems like overpaying, I don’t have the confidence/skills to design/build a box of my own but my social circle of tech nerds is limited. Guh!
It’s really not hard to do. I taught myself how to do it back in the late 90’s. And honestly, since about 2005, I have to reteach myself how to do it every time I need to build a new machine every 3 or 4 years because the technology has changed so much since the previous build.
Correct me if I’m mistaken but aren’t you an engineer by profession and a tech guy by hobby?
*sarcasm* I fail to see how that has any relevance here at all…
I don’t know anything about the subject but I managed to build my own a couple months back. You can get the internet to figure it out for you.
@north
Go to Dell refurbished and buy the cheapest 64 bit computer they have. This is about $100.
You’ll get a 4-years-old-out-of-the-box computer which (by definition) is slow and sucks.
Then install Ubuntu on it (which is free), and now it’s changed from “slow” to “acceptable”. Windows is serious bloatware, and requires serious hardware to deal with that. Linux sidesteps that issue.
This will last 5 years, maybe longer.
Because it’s four year old hardware you can handwave Linux’s normal “drivers don’t exist” potential problems, the hardware has been out there far more than long enough.
Hear, hear! (I’ve been a Linux evangelist since ’92.) Linux gets a lot out of old hardware [1]. The laptop I use when I need to have one is a ThinkPad old enough that it says “IBM” on it (which makes it at least nine years old). For a surprising number of things the user interface and application software is plenty snappy enough to be comfortable. I do some things that are processor-bound, and those take an unpleasant amount of time, but they do eventually finish.
The Mac Mini I use for my desktop machine now is probably my last non-Linux box. The only Apple-specific program that I’ll be reluctant to give up is Mail, but that’s more because I’ve used it long enough to be habituated.
If you are dependent on Windows-only software, and insist on Windows 7, Amazon is still selling it (~$150), there’s free virtual machine software available for Linux, and if your hardware is only $100… you can connect the dots.
I prefer Debian to Ubuntu, but I’m a really old UNIX guy.
[1] At the tail end of my R&D career at <giant telecom company>, I was doing a variety of research things that Windows simply wouldn’t support (okay, absent spending a lot of money for a license to the source code and permission to hack at it) but Linux would. People frequently came by my office, cradling a beige/black box or laptop in their arms, with some variation of, “IT says my baby won’t support the required upgrade to the new Windows; can you find him/her something useful to do?”
Ok, so how does a person who knows absolutely nothing about computers install and use Ubuntu on a new computer? Also will Linux run all the games I want to play which is the entire point of getting the box?
Well, you can check Steam’s Linux lineup here and GOG.com has a list here.
So, for Gog, the short answer is “not really” but the longer answer is “yes, if you’re hoping to play Heroes III or Arcanum or Master of Orion 1+2.”
Steam shows a little more promise… I’ll recommend everything by Klei (check out Invisible Inc!), Dungeon Warfare, Gunpoint, FTL, X-Com: Enemy Within… but none of those are really games that you’d buy a graphics card from the last year or so for.
But if you’d rather play tried-and-true than the latest fad, yeah, the Linux box is exactly what you need.
And get a PS4 for the new hotness. You can, at least, use that as a Blu-Ray/Netflix box when you’re not playing it.
Oh yes, we have a PS4, it’s a useful and versatile machine and has replaced cable entirely for us (with huge savings). God(ess?) bless fiber internet.
Not for much longer. I saw a lengthy reddit post on “the future of the internet” (specifically, ISP’s goals for it) and it was both unpleasant and very, very likely.
The short version? Over the next five years, expect data caps to drop to very, very small numbers. While your ISP also offers “packages” that exempt programs from counting towards your cap.
10 GB monthly cap, with ridiculous fees after that, for 50 bucks a month.
But for another 8 bucks, Netflix doesn’t count towards your cap. Another 8 and Hulu doesn’t. 5 gets you HBO Go…..
In short, this whole net neutrality fight is cable’s response to cord cutters. They’re going to make you pay for your channels, come hell or high water. And streaming services are basically just premium channels….
Add in the FCC cheerfully looking to reclassify broadband so more of the country is magically covered, well….
Hmmm, that sounds horrific and just the kind of thing Comcast or their ilk would merrily do. Our fiber provider is US Internet and we could kick them to the curb if they tried jacking rates that way. I live snuggled up next to the Minneapolis urban core so we have a couple internet options. I believe you with what you’re predicting is coming but I suspect I live in one of the areas where such an impact will arrive last if it arrives at all.
@morat20
How will that impact non-cord cutters who still stream? I have an HBO subscription with my cable company but sometimes watch HBOGo on my AppleTV in another room (without a cable box).
Most likely two snakes one tunnel. You’d wanna change your habits pronto.
Well, if the FCC won’t, the states might.
At the very least, I’d like to see states doing more to break up local monopolies of ISPs.
@morat20
On an unrelated note, you and I once had a discussion about finding jeans to fit guys who are not in the skinny jeans set, but don’t want to be baggy.
I just got a pair of Mugsy jeans (the athletic cut) and I love the hell out of them. Super comfy, but without the droopy butt you get with jeans to fit guys with actual thighs. Material has a respectable amount of stretch so things don’t bunch up in bad places.
Highly recommend.
I’ll have to check those out.
Installing Ubuntu is quite easy. Download an installation disk image, burn it to DVD, reboot from that DVD, follow the largely next-next-next-ish prompts, eject the DVD, reboot.
Not knowing what games in particular you want to play – I’d guess you might find some don’t work. The Steam games I’ve bought for Linux do work fine (the last two Civilization games, and some older titles), but I’m not a big gamer, so that’s a small sample size.
But not everything is available for Linux, so your existing library likely includes some that aren’t compatible with Linux if it was never a consideration previously.
If you want to go Linux try Linux Mint before Ubuntu. Installation is easy peasy however you do have to decide if you also want to boot into Windows on that computer. If it will only be a Linux computer then very easy. If you want to dual boot then it’s a bit more complex though doable.
I can’t speak to games since I haven’t been able to stay involved in them, despite thinking about it, for years. For just about everything else Linux is great.
Here, I’ll be blunt.
Take your old hard disk to Best Buy (or its equivalent), go to the pro desk, tell them you want an up-to-date box that will boot Windows 7 from that disk and run all the software that’s already loaded. I’m willing to bet that they will quote you a price that is roughly the cost of a comparable Dell box plus $250. If you have local independent strip-mall computer stores (there are at least a couple near where I live), they might cut that to $200 over the Dell price.
Dell is willing to give you a heck of a discount if you buy their mass-market box. And can afford to do that because Intel’s price for a processor is quite different when you buy them 10,000 at a time. As is MS’s license fee.
Oh, and don’t worry about the speculative-execution side-channel security hacks. Compared to the other security risks you are exposed to, they’re not going to be important.
That seems like sage advice. Thank you.
RE: Games
Ask the internet “is anyone running GAME-X on Ubuntu”?
Or “is anyone running GAME-X on linux with Wine”? (Wine is “Windows Emulator”).
The gaming community is big, spends money, and is thus very well supported.
RE: Install.
I’d get the most recent LTS (long term support) rev.
Instructions are here. https://www.ubuntu.com/download/desktop
Thanks Dark.
For today’s fast-paced world, Intel offers you a product that gives you the extra time you need to enjoy the moment and reflect, and for a limited time only, you get “the blue screen of remembrance” to reconnect to the past and share those precious experiences of early pioneers.
Intel — isn’t it about time you pulled off the information highway and enjoyed the view?
Have you ever played a video game on your computer and thought “man, I wish I could take this character and play this character in some other video game I own”?
Well, this chip lets you do that!
Only with financial information.
NOTHING is secure.
Welcome to the future.
Not the future. Just another day.
Side-channel attacks have been a staple at Black Hat for… forever. So it was inevitable that this (or something like it) would come out eventually.
Amusing that this is a bug that goes back to 1995, in a way. But not a surprise.
My comment was more about the rose colored glasses of technology that some people have–that tech will solve all the worlds problems. Frankly, stuff like this makes me even more dubious of autonomous vehicles and automated systems with little to no human involvement.
Have you seen Fate of the Furious yet?
https://www.youtube.com/watch?v=AoB_mdZxNlY
I was there!
I… think I was too. Was that Cleveland?
They did some actual filming in Manhattan… what appeared to be motorcycles racing down sidewalks to get the necessary background shots and the like. I stumbled upon the set when they were around Madison Square Park one day.
I stumbled onto a shoot in Cleveland for some stuff that looked a lot like that, for “the new Fast and Furious movie” the summer before last.
I don’t live in Cleveland. I was just passing through and got lucky. Or unlucky, given the baleful effect it had on traffic.
This is just solidifying my dislike of the cloud. I still back everything up on a few different thumb drives as well as my hard drive. Nothing is worse than having to rely on the cloud when your internet is spotty.
I would suggest that this should mitigate some of your distaste for the cloud. They were told about this before you and I. They get the fixes before us. They have an army that takes care of protecting their systems and your data. Who do you trust more to fix this and fix it right, You or an army of nerds?
Various reports say:
1) The Meltdown vulnerability is specific to Intel chips, and is the one that can be fixed by the operating system with a 5-30% performance hit. At least preliminary reports are that this one does not affect AMD processors. I’m waiting for the sh*t to hit the fan if Microsoft’s patches impose the performance hit on AMD processors as well as Intel.
2) The Spectre vulnerability affects most all of the high-end processors to one degree or another (opinions seem to vary). ARM has stated that some of their chips are affected by some versions of the problem, others not. The processor on the latest Raspberry Pi is not on the vulnerable list. I keep muttering about how I could get by on a Pi…
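The comment above separates Meltdown (the issue the operating system patches around, at a performance cost) from Spectre (which varies by processor), and the post’s #3 says to keep checking that the fixes have actually landed. On Linux there is a way to ask the running kernel directly: kernels from 4.15 onward publish one status file per issue under /sys/devices/system/cpu/vulnerabilities/ (meltdown, spectre_v1, spectre_v2, with more added later), each holding a single line that starts with “Not affected”, “Vulnerable” or “Mitigation:”. The script below is an added example, not code from the post or any commenter; it reads those files when they exist, falls back to a constructed sample so it can be run anywhere, and reports which issues still need attention. The sample status lines are made up for illustration (their shape matches the kernel’s format), and the directory path is the one the kernel uses, not something from this page.

```python
"""Summarize the Linux kernel's own report of Meltdown/Spectre mitigation status.

Linux 4.15+ exposes /sys/devices/system/cpu/vulnerabilities/<issue>, one file
per issue. Each file holds one line such as "Not affected", "Vulnerable",
"Vulnerable: <detail>" or "Mitigation: PTI" (PTI is the page-table isolation
fix for Meltdown, i.e. the software fix with the performance cost).
"""
from pathlib import Path

# Path used by the kernel; absent on older kernels and on non-Linux systems.
VULN_DIR = Path("/sys/devices/system/cpu/vulnerabilities")


def classify(status: str) -> str:
    """Map a raw status line to one of: not_affected, mitigated, vulnerable, unknown.

    Unknown covers empty or unrecognized text, which a cautious reader should
    treat the same way as 'vulnerable' until they learn otherwise.
    """
    s = status.strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def read_status(vuln_dir: Path = VULN_DIR) -> dict:
    """Return {issue_name: raw status line} for every file present.

    Returns {} when the directory does not exist, which is what an unpatched
    pre-4.15 kernel looks like: no report at all, not a clean bill of health.
    """
    if not vuln_dir.is_dir():
        return {}
    return {
        p.name: p.read_text().strip()
        for p in sorted(vuln_dir.iterdir())
        if p.is_file()
    }


def summarize(statuses: dict) -> dict:
    """Classify every issue in a {name: raw line} mapping."""
    return {name: classify(line) for name, line in statuses.items()}


def needs_patching(statuses: dict) -> list:
    """Issues the kernel reports as vulnerable (or that could not be classified)."""
    return sorted(
        name for name, line in statuses.items()
        if classify(line) in ("vulnerable", "unknown")
    )


# Constructed sample (not captured from a real machine) in the kernel's format:
# Meltdown mitigated by PTI, the two Spectre variants still reported vulnerable.
SAMPLE = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Vulnerable",
    "spectre_v2": "Vulnerable: Minimal generic ASM retpoline",
}

if __name__ == "__main__":
    live = read_status()
    if live:
        data, source = live, "kernel"
    else:
        data, source = SAMPLE, "constructed sample (no sysfs report on this system)"
    print(f"source: {source}")
    for name, line in data.items():
        print(f"{name:12s} {classify(line):13s} {line}")
    todo = needs_patching(data)
    print("needs attention:", ", ".join(todo) if todo else "none")
```

Run it as root or an ordinary user; the files are world-readable. A system whose kernel predates the interface yields an empty report, and the script deliberately does not interpret that silence as safety: it is the same situation the post’s #1 describes, where you proceed as if the hardware is vulnerable until a patched kernel says otherwise.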
Update on performance. Google and Intel are claiming to have found better-performing fixes that have only minor performance impact.
Thank goodness!
I appreciated this metaphor from Google’s description of the fix:
Oh, it brings me much amusement.
Dang, I just bought a new desktop about 3 or 4 months ago.
I do manually check for updates, less because I’m security conscious and more because I hate getting interrupted with a “we’re updating your computer and you’ll have to restart now and not at any other time” message at some random point in the day.
I do have a question. What do the more tech/computer savvy among you think of “NoScript,” at ? Is it legit? Does it help any with this kind of problem?
Is that NoScript the browser add-on?
Yes. I guess the url didn’t copy when I tried to paste it. Here it is:
https://noscript.net/
I no longer use it. Some of its features became obsolete, e.g. when browsers started adding default settings to block Flash themselves. Using JavaScript to do detailed layout and formatting has become very common*, so the NoScript whitelist mode breaks lots of pages. In blacklist mode, maintaining the blacklist is up to the user. I use one of the less-common adblockers, and an anti-adblock-killer, both of which get updated blacklists daily, and which combine to block a lot of JavaScript anyway. Just as an observation, the anti-adblock-killer seems to defeat a lot of the lesser paywalls.
* I’m guilty of this offense. Myself, I blame the CSS priority system, which is fundamentally flawed for simple, practical use.
Thanks for the free advice!
Oh, so the tech elites are insisting that it’s a catastrophic flaw to have non-privileged (read poor and minority) programs getting access to privileges reserved for trusted kernel (read white) processes. Would someone remind me why we are letting these blatant racist misogynists write OS code?
This is why everyone should buy locally-sourced processors.
This is a *huge* deal in terms of net impact.
Pun intended?
Because.
https://xkcd.com/1938/