A Call For Calm Panic
So here’s the “I was up until 2am reading about this” assessment takeaways. Warning: I’m only 1/2 through my coffee.
#1: Corporate-speak aside, you need to treat this as if these potentially affect essentially every type of processor. Not just Intel, but AMD and ARM processors. That means it will possibly affect every computer and mobile device regardless of operating system, unless the device was built prior to 1995. Mac OSX, Mac iOS, Windows, Linux, Android. There are individual processors that may be immune, but unless you’re a real computer geek odds are *very* good you should proceed as if the hardware under your hood is vulnerable.
#2: You are probably only marginally more at direct risk today than you were yesterday. If you’re the sort of person who online banks using the same computer that you use to surf random strange porn and you open every chain letter you get from your Crazy Uncle Bob, you’re probably going to get nailed really soon now… but that’s a semiannual occurrence for you so you’re probably used to it. On the other hand, if you’re a reasonably cautious person, you’re probably only at slightly elevated risk, and if you’re a cautious person (for example, if you only online bank from a computer that you don’t use for anything else and you always keep it updated) you’re probably fine as far as your own behavior is concerned.
#3: Unless you’re an absolute paranoid about computer activity, you really ought to manually check for updates for all of your operating systems/browers/other software routinely for the next couple of weeks, every time you use your computer, and apply the patches when they are available. Don’t rely on automatic updates, you want the fixes as soon as they come off the shelf for this one.
#4: Side channel attacks on processors are not new. Anybody who says this is unprecedented, unexpected, unforeseeable, or somehow a giant surprise ought to not be taken seriously when it comes to technology and security. If you’re talking to your IT guy today and (s)he says otherwise, start looking for a better IT guy.
#5: This appears to affect machines across a hypervisor. For the average person out there, this is gobbledegook, but in practical terms prices will go up for cloud services like AWS. Right now people I know offering cloud services are *freaking* out trying to make sure that customers who have virtual machines sitting on the same host as other customers’ virtual machines can’t actually attack each other through the hosting company’s platform. Anecdotally, AWS appears to be retiring at least some virtual machine instances permanently. This will impact small businesses and contractors who get web services from cloud services. The next couple of weeks are going to be icky.
#6: This is a *huge* deal in terms of net impact. This microprocessor vulnerability requires re-engineering at the hardware level to fix. You’re talking about a design cycle of redesigning, changing production lines, the whole shebang. Your IT folks are going to be preoccupied for months, if they’re any good… this is going to affect their decisions about purchasing cycles and everything else.
#7: Sometime in the next two years, a major data breach will occur at a major organization that has not patched this vulnerability. That may or may not affect you, but hey, at least you can’t do anything about it 🙂
What does this (otherwise) mean for you?
A: Fixing this in software results in a 5-30% loss of compute power; not a hell of a huge impact on today’s desktops and laptops, but for your phone this is going to probably drive you crazy. When you patch your phone, expect it to suck. If your phone is reasonably new, don’t run out to buy a new phone, because the new phone (until the chips make their way through the hardware cycle, see #6) will have the same problem. If your phone is really old (>3 years) changing to a new phone is probably a good idea anyway: you’re losing 5-30% of the compute power of a device that’s two-five times stronger than what you’re using now.
B: If you’re planning on buying a new computer in the next six months, maybe wait. Check back here for more.
C. If you got a new computer for Christmas and you haven’t unboxed it, maybe take it back. Depends upon how badly you need it.
D. Really, really take this opportunity to be more organized about your security profile. If you online bank, do it from a single device that you *don’t* use for anything else; if you must online bank on multiple devices, for heaven’s sake don’t let one of those devices be something that you let your kids use to download random files from the Internet.
E. Use this as an excuse to stop opening mail from Crazy Uncle Bob.
F. Give your IT folks a break. They’re going to be really grumpy for the foreseeable future.