A Call For Calm Panic

Let’s get to the panic first.  Possibly the biggest security vulnerabilities of the last twenty years were announced yesterday (no, I’m not kidding.)

Twitter is aflutter with seemingly contradictory assessments from all corners.  If you want a link repository, Bruce Schneier is (as per usual) a good source.

So here’s the “I was up until 2am reading about this” assessment takeaways.  Warning: I’m only 1/2 through my coffee.

#1: Corporate-speak aside, you need to treat this as if these potentially affect essentially every type of processor.  Not just Intel, but AMD and ARM processors.  That means it will possibly affect every computer and mobile device regardless of operating system, unless the device was built prior to 1995.  Mac OSX, Mac iOS, Windows, Linux, Android.  There are individual processors that may be immune, but unless you’re a real computer geek odds are *very* good you should proceed as if the hardware under your hood is vulnerable.

#2: You are probably only marginally more at direct risk today than you were yesterday.  If you’re the sort of person who online banks using the same computer that you use to surf random strange porn and you open every chain letter you get from your Crazy Uncle Bob, you’re probably going to get nailed really soon now… but that’s a semiannual occurrence for you so you’re probably used to it.  On the other hand, if you’re a reasonably cautious person, you’re probably only at slightly elevated risk, and if you’re a cautious person (for example, if you only online bank from a computer that you don’t use for anything else and you always keep it updated) you’re probably fine as far as your own behavior is concerned.

#3: Unless you’re an absolute paranoid about computer activity, you really ought to manually check for updates for all of your operating systems/browsers/other software routinely for the next couple of weeks, every time you use your computer, and apply the patches when they are available.  Don’t rely on automatic updates; you want the fixes as soon as they come off the shelf for this one.
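For a Linux machine, there is a quicker way to confirm the kernel side of those patches actually landed than eyeballing version numbers. The script below is an added example, not part of the original post: it reads the per-issue status files that Linux kernels 4.15 and later expose under /sys/devices/system/cpu/vulnerabilities/ (on older kernels the directory is simply absent, which the script treats as unpatched) and flags anything the kernel itself reports as unmitigated.

```shell
#!/bin/sh
# Added example: summarise the kernel's own Meltdown/Spectre mitigation report.
# Each file under the directory reads "Not affected", "Vulnerable[: detail]"
# or "Mitigation: <name>". VULN_DIR can be overridden for testing.
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify_status STRING -> prints ok, mitigated or vulnerable
classify_status() {
  case "$1" in
    "Not affected"*) echo ok ;;
    "Mitigation:"*)  echo mitigated ;;
    *)               echo vulnerable ;;   # "Vulnerable..." or anything unknown
  esac
}

# report_dir DIR -> one line per issue; returns 1 if any issue is unmitigated
# or if the directory is missing (kernel too old to report at all)
report_dir() {
  dir="$1"
  rc=0
  if [ ! -d "$dir" ]; then
    echo "no $dir: kernel does not report mitigations, treat as unpatched"
    return 1
  fi
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    status=$(cat "$f")
    verdict=$(classify_status "$status")
    printf '%-24s %-10s %s\n' "$(basename "$f")" "$verdict" "$status"
    if [ "$verdict" = vulnerable ]; then rc=1; fi
  done
  return $rc
}

if report_dir "$VULN_DIR"; then
  echo "all issues the kernel knows about are mitigated or not applicable"
else
  echo "ACTION: apply kernel/microcode updates for the issues flagged above"
fi
```

A "Mitigation:" line only tells you the kernel is doing its part; browser and firmware updates still need checking separately.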

#4: Side channel attacks on processors are not new.  Anybody who says this is unprecedented, unexpected, unforeseeable, or somehow a giant surprise ought to not be taken seriously when it comes to technology and security.  If you’re talking to your IT guy today and (s)he says otherwise, start looking for a better IT guy.

#5: This appears to affect machines across a hypervisor.  For the average person out there, this is gobbledegook, but in practical terms prices will go up for cloud services like AWS.  Right now people I know offering cloud services are *freaking* out trying to make sure that customers who have virtual machines sitting on the same host as other customers’ virtual machines can’t actually attack each other through the hosting company’s platform.  Anecdotally, AWS appears to be retiring at least some virtual machine instances permanently.  This will impact small businesses and contractors who get web services from cloud services.  The next couple of weeks are going to be icky.

#6: This is a *huge* deal in terms of net impact.  This microprocessor vulnerability requires re-engineering at the hardware level to fix.  You’re talking about a design cycle of redesigning, changing production lines, the whole shebang. Your IT folks are going to be preoccupied for months, if they’re any good… this is going to affect their decisions about purchasing cycles and everything else.

#7: Sometime in the next two years, a major data breach will occur at a major organization that has not patched this vulnerability.  That may or may not affect you, but hey, at least you can’t do anything about it :)

What does this (otherwise) mean for you?

A: Fixing this in software results in a 5-30% loss of compute power; not a hell of a huge impact on today’s desktops and laptops, but for your phone this is probably going to drive you crazy.  When you patch your phone, expect it to suck.  If your phone is reasonably new, don’t run out to buy a new phone, because the new phone (until the chips make their way through the hardware cycle, see #6) will have the same problem.  If your phone is really old (>3 years), changing to a new phone is probably a good idea anyway: you’re losing 5-30% of the compute power of a device that’s two to five times stronger than what you’re using now.

B: If you’re planning on buying a new computer in the next six months, maybe wait.  Check back here for more.

C: If you got a new computer for Christmas and you haven’t unboxed it, maybe take it back.  Depends upon how badly you need it.

D: Really, really take this opportunity to be more organized about your security profile.  If you online bank, do it from a single device that you *don’t* use for anything else; if you must online bank on multiple devices, for heaven’s sake don’t let one of those devices be something that you let your kids use to download random files from the Internet.

E: Use this as an excuse to stop opening mail from Crazy Uncle Bob.

F: Give your IT folks a break.  They’re going to be really grumpy for the foreseeable future.

Patrick is a mid-40 year old geek with an undergraduate degree in mathematics and a master's degree in Information Systems. Nothing he says here has anything to do with the official position of his employer or any other institution.

65 thoughts on “A Call For Calm Panic”

  1. First off, the CEO of Intel just sold a bunch of stock before this announcement.

    That guy should be publicly shamed.

    Second off, I’m waiting to hear that the (acronym) knew about this for years and years and years.

    Third off, if you are a young person wondering what they should do with their life, have you considered IT? Get a CASP if you’re an engineer type, get a CISSP if you’re more into sitting in meetings.


    • Concur with all three.

      What’s interesting is after Snowden’s dump revealed a lot of NSA tricks in the goodie bag, this didn’t come up. So it’s possible that “alphabet-soup-agency” hadn’t found this trick yet…


    • Jaybird:
      First off, the CEO of Intel just sold a bunch of stock before this announcement.

      I’ll offer an alternate explanation: Tax avoidance. Per TCJA, he would likely pay about 5% more of his gains to the Federal Govt after Jan 1, 2018. Living in CA with a base salary of $10M, he surely will max the SALT deduction of $10k. So any incremental tax paid to CA at 13.3% would no longer be deductible on his Federal income tax. He ain’t the only one either. Lots of folks rushed at EOY to pull income into 2017.

      This is one of the tricks in TCJA to make things look rosy for 2018 election, but that is another discussion.


    • It’s less about the actual content than about how shady the sites hosting it are.

      That said, I’ve been getting a lot of browser-redirecting ads on my phone from (non-porn) sites I would have expected to be pretty trustworthy. It looks like some of the ad networks are allowing advertisers to embed JavaScript in their ads, which may mean all bets are off pretty much everywhere.


        • Exploiting this in javascript requires a browser bug as well as a vulnerable CPU (in order to give javascript access to the high-precision timing information required). However, if the browser bug and vulnerable CPU are present, you don’t have to download anything to be affected.

          The latest Windows 10 update included a fix for Edge (and, probably incomplete, mitigation for everything) and the Chrome and Firefox fixes are scheduled for around January 23.


          • Reports earlier today that the latest Microsoft update is semi-bricking some machines that have AMD processors. Machines won’t boot normally, but will support a re-installation of the OS. Later reports speculate that MS distributed an Intel patch that didn’t check for non-Intel processors.


      • I am infinitely too cheap to buy a brand new machine and write off 30% of its processing power. Hell, I was already struggling because buying premade machines seems like overpaying, I don’t have the confidence/skills to design/build a box of my own but my social circle of tech nerds is limited. Guh!


• It’s really not hard to do. I taught myself how to do it back in the late 90’s. And honestly, since about 2005, I have to reteach myself how to do it every time I need to build a new machine every 3 or 4 years because the technology has changed so much since the previous build.


        • I was already struggling because buying premade machines seems like overpaying,

          Go to Dell refurbished and buy the cheapest 64 bit computer they have. This is about $100.

          You’ll get a 4-years-old-out-of-the-box computer which (by definition) is slow and sucks.

          Then install Ubuntu on it (which is free), and now it’s changed from “slow” to “acceptable”. Windows is serious bloatware, and requires serious hardware to deal with that. Linux sidesteps that issue.

          This will last 5 years, maybe longer.

          Because it’s four year old hardware you can handwave Linux’s normal “drivers don’t exist” potential problems, the hardware has been out there far more than long enough.


          • Hear, hear! (I’ve been a Linux evangelist since ’92.) Linux gets a lot out of old hardware [1]. The laptop I use when I need to have one is a ThinkPad old enough that it says “IBM” on it (which makes it at least nine years old). For a surprising number of things the user interface and application software is plenty snappy enough to be comfortable. I do some things that are processor-bound, and those take an unpleasant amount of time, but they do eventually finish.

            The Mac Mini I use for my desktop machine now is probably my last non-Linux box. The only Apple-specific program that I’ll be reluctant to give up is Mail, but that’s more because I’ve used it long enough to be habituated.

            If you are dependent on Windows-only software, and insist on Windows 7, Amazon is still selling it (~$150), there’s free virtual machine software available for Linux, and if your hardware is only $100… you can connect the dots.

            I prefer Debian to Ubuntu, but I’m a really old UNIX guy.

            [1] At the tail end of my R&D career at <giant telecom company>, I was doing a variety of research things that Windows simply wouldn’t support (okay, absent spending a lot of money for a license to the source code and permission to hack at it) but Linux would. People frequently came by my office, cradling a beige/black box or laptop in their arms, with some variation of, “IT says my baby won’t support the required upgrade to the new Windows; can you find him/her something useful to do?”


          • Ok, so how does a person who knows absolutely nothing about computers install and use Ubuntu on a new computer? Also will Linux run all the games I want to play which is the entire point of getting the box?


            • Well, you can check Steam’s Linux lineup here and GOG.com has a list here.

              So, for Gog, the short answer is “not really” but the longer answer is “yes, if you’re hoping to play Heroes III or Arcanum or Master of Orion 1+2.”

              Steam shows a little more promise… I’ll recommend everything by Klei (check out Invisible Inc!), Dungeon Warfare, Gunpoint, FTL, X-Com: Enemy Within… but none of those are really games that you’d buy a graphics card from the last year or so for.

              But if you’d rather play tried-and-true than the latest fad, yeah, the Linux box is exactly what you need.

              And get a PS4 for the new hotness. You can, at least, use that as a Blu-Ray/Netflix box when you’re not playing it.


                • Not for much longer. I saw a lengthy reddit post on “the future of the internet” (specifically, ISP’s goals for it) and it was both unpleasant and very, very likely.

                  The short version? Over the next five years, expect data caps to drop to very, very small numbers. While your ISP also offers “packages” that exempt programs from counting towards your cap.

                  10 GB monthly cap, with ridiculous fees after that, for 50 bucks a month.

                  But for another 8 bucks, Netflix doesn’t count towards your cap. Another 8 and Hulu doesn’t. 5 gets you HBO Go…..

                  In short, this whole net neutrality fight is cable’s response to cord cutters. They’re going to make you pay for your channels, come hell or high water. And streaming services are basically just premium channels….

                  Add in the FCC cheerfully looking to reclassify broadband so more of the country is magically covered, well….


                  • Hmmm, that sounds horrific and just the kind of thing Comcast or their ilk would merrily do. Our fiber provider is US Internet and we could kick them to the curb if they tried jacking rates that way. I live snuggled up next to the Minneapolis urban core so we have a couple internet options. I believe you with what you’re predicting is coming but I suspect I live in one of the areas where such an impact will arrive last if it arrives at all.


                  • How will that impact non-cord cutters who still stream? I have an HBO subscription with my cable company but sometimes watch HBOGo on my AppleTV in another room (without a cable box).


                  • On an unrelated note, you and I once had a discussion about finding jeans to fit guys who are not in the skinny jeans set, but don’t want to be baggy.

                    I just got a pair of Mugsy jeans (the athletic cut) and I love the hell out of them. Super comfy, but without the droopy butt you get with jeans to fit guys with actual thighs. Material has a respectable amount of stretch so things don’t bunch up in bad places.

                    Highly recommend.


            • Installing Ubuntu is quite easy. Download an installation disk image, burn it to DVD, reboot from that DVD, follow the largely next-next-next-ish prompts, eject the DVD, reboot.

              Not knowing what games in particular you want to play – I’d guess you might find some don’t work. The Steam games I’ve bought for Linux do work fine (the last two Civilization games, and some older titles), but I’m not a big gamer, so that’s a small sample size.

              But not everything is available for Linux, so your existing library likely includes some that aren’t compatible with Linux if it was never a consideration previously.


• If you want to go Linux, try Linux Mint before Ubuntu. Installation is easy peasy; however, you do have to decide if you also want to boot into Windows on that computer. If it will only be a Linux computer, then it’s very easy. If you want to dual boot, then it’s a bit more complex, though doable.

I can’t speak to games since I haven’t been able to stay involved in them, despite thinking about it, for years. For just about everything else Linux is great.


            • Here, I’ll be blunt.

              Take your old hard disk to Best Buy (or its equivalent), go to the pro desk, tell them you want an up-to-date box that will boot Windows 7 from that disk and run all the software that’s already loaded. I’m willing to bet that they will quote you a price that is roughly the cost of a comparable Dell box plus $250. If you have local independent strip-mall computer stores (there are at least a couple near where I live), they might cut that to $200 over the Dell price.

              Dell is willing to give you a heck of a discount if you buy their mass-market box. And can afford to do that because Intel’s price for a processor is quite different when you buy them 10,000 at a time. As is MS’s license fee.


            • Ok, so how does a person who knows absolutely nothing about computers install and use Ubuntu on a new computer? Also will Linux run all the games I want to play which is the entire point of getting the box?

              RE: Games
              Ask the internet “is anyone running GAME-X on Ubuntu”?
              Or “is anyone running GAME-X on linux with Wine”? (Wine is “Windows Emulator”).

              The gaming community is big, spends money, and is thus very well supported.

              RE: Install.
              I’d get the most recent LTS (long term support) rev.

              Instructions are here. https://www.ubuntu.com/download/desktop


      • For today’s fast-paced world, Intel offers you a product that gives you the extra time you need to enjoy the moment and reflect, and for a limited time only, you get “the blue screen of remembrance” to reconnect to the past and share those precious experiences of early pioneers.

        Intel — isn’t it about time you pulled off the information highway and enjoyed the view?


        • Have you ever played a video game on your computer and thought “man, I wish I could take this character and play this character in some other video game I own”?

          Well, this chip lets you do that!

          Only with financial information.


  2. This is just solidifying my dislike of the cloud. I still back everything up on a few different thumb drives as well as my hard drive. Nothing is worse than having to rely on the cloud when your internet is spotty.


    • aaron david: This is just solidifying my dislike of the cloud.

      I would suggest that this should mitigate some of your distaste for the cloud. They were told about this before you and I. They get the fixes before us. They have an army that takes care of protecting their systems and your data. Who do you trust more to fix this and fix it right, You or an army of nerds?


  3. Various reports say:

    1) The Meltdown vulnerability is specific to Intel chips, and is the one that can be fixed by the operating system with a 5-30% performance hit. At least preliminary reports are that this one does not affect AMD processors. I’m waiting for the sh*t to hit the fan if Microsoft’s patches impose the performance hit on AMD processors as well as Intel.

    2) The Spectre vulnerability affects most all of the high-end processors to one degree or another (opinions seem to vary). ARM has stated that some of their chips are affected by some versions of the problem, others not. The processor on the latest Raspberry Pi is not on the vulnerable list. I keep muttering about how I could get by on a Pi…


  4. Dang, I just bought a new desktop about 3 or 4 months ago.

    I do manually check for updates, less because I’m security conscious and more because I hate getting interrupted with a “we’re updating your computer and you’ll have to restart now and not at any other time” message at some random point in the day.

    I do have a question. What do the more tech/computer savvy among you think of “NoScript,” at ? Is it legit? Does it help any with this kind of problem?


  5. Oh, so the tech elites are insisting that it’s a catastrophic flaw to have non-privileged (read poor and minority) programs getting access to privileges reserved for trusted kernel (read white) processes. Would someone remind me why we are letting these blatant racist misogynists write OS code?

