Meltdown and Spectre - After the dust has settled

in #tech, 6 years ago (edited)

Now that the hubbub has died down a bit, and people aren't in a big panic anymore, let's take a moment and look a bit over the Meltdown/Spectre debacle and how it affects you. 

What are Spectre and Meltdown?

At the beginning of last month the world found out something that a certain few had already known for months, possibly even years if you're the conspiratorial type. Modern CPUs are vulnerable to certain types of attacks that exploit the predictive and speculative characteristics of the hardware. There are several exploits. A few of them are dubbed Spectre, and affect all known CPUs, be they ARM, Intel x86-64 or AMD x86-64. One of the versions of Spectre is stated to have a near zero chance of affecting security, but near zero is still too much in the case of sensitive data. So patches were developed for all versions of Spectre. Some work well, some not as well, and in some cases the exploit will be manageable, but can't be stopped via software. All major operating systems have had updates related to them... apart from FreeBSD, because the people in charge are more focused on banning hug emoticons. Meltdown however is a bit of a different animal. It affects only Intel CPUs and hits them really hard.

Should you be worried?

For the most part, no. In spite of what was revealed in the past few months, and the serious security issue that Meltdown and Spectre do represent, the average user shouldn't be too worried. Why? Well, the first reason is because these problems have existed for years. Not one. Not two. There are multiple generations of CPUs, stretching over decades, that have had this problem. I have no doubt that it's been exploited before, probably by intelligence agencies. At a high level, for data companies, these are security issues that are critical. But you and me? We're small fries, I doubt people will go through the effort of using Meltdown or Spectre to hack our cat videos. Unless you start downloading "totallynotavirus.exe" or have a browser that executes every bit of JavaScript it sees, you should be safe. "Should", not totally are. You never "totally are". And besides, the patches just about handle most things that would present a security risk for you. But let's face it, if you have an Android phone, unless it's from one of the big companies, it will NEVER be patched and has always been vulnerable.

Patches and their fallout

The patches themselves use various methods to fix Spectre and Meltdown. They are made to limit the predictive and speculative features of a processor, and even to assume that a CPU is executing code that is not trustworthy. There are many ways to manage the exploits, and in the case of Spectre no way to totally fix them, just ways to make the exploits so hard to use that people just won't bother. The patches however have come with their own issues. Number one was them just sucking. Older Athlons were being borked by them, with Microsoft blaming AMD for providing wrong specifications. Linux patches would bork systems. Other Windows patches would bork other systems. It got to the point where Intel just told people to stop patching, because the patches were causing more trouble than Meltdown itself.

Why would this happen? Because the companies involved, even though they had months to prepare and test, botched the execution completely. They rushed, they panicked, they didn't really care, or they weren't really prepared for this.

And even when the patches worked, they came with baggage. Because they're meant to limit a feature usually used to increase performance, they can drop performance. Now, if you're a usual user, the patches won't really affect you. You won't be noticing a performance decrease running video games, browsing the web or even doing things like video encoding. But if you're doing things that require a lot of reading/writing to the drive, which is what servers tend to do, then there is a hit. And it can be a big one. Orders of magnitude, budget crushing big one when addressing the Meltdown bug. Data centers are going to have trouble, meaning they're either going to have to expand, increasing cost, or move to AMD. Spectre's patches don't have such a noticeable performance hit. But such a switch will be very slow to implement.
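To see which of these patches a given Linux machine is actually running, the kernel reports a per-vulnerability status under `/sys/devices/system/cpu/vulnerabilities/` (present from kernel 4.15 onward). The script below is an added example, not from the original post: it classifies those status lines, and the sample directory it builds is constructed for illustration.

```shell
#!/bin/sh
# Classify one status line as reported by the kernel's vulnerabilities files.
classify() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# report [DIR]: print one line per issue; return 1 if any is vulnerable or unknown.
report() {
    dir=${1:-/sys/devices/system/cpu/vulnerabilities}
    rc=0
    for name in meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$name" ]; then
            status=$(cat "$dir/$name")
            class=$(classify "$status")
        else
            # A missing file means the kernel is too old to report status at all.
            status="(no status file)"
            class=unknown
        fi
        printf '%-11s %-13s %s\n' "$name" "$class" "$status"
        if [ "$class" = vulnerable ] || [ "$class" = unknown ]; then
            rc=1
        fi
    done
    return $rc
}

# Constructed sample directory standing in for a partially patched machine.
make_sample() {
    d=$(mktemp -d)
    echo "Mitigation: PTI" > "$d/meltdown"
    echo "Mitigation: __user pointer sanitization" > "$d/spectre_v1"
    echo "Vulnerable" > "$d/spectre_v2"
    echo "$d"
}

sample=$(make_sample)
report "$sample" || echo "at least one issue is not mitigated"
rm -rf "$sample"
```

Calling `report` with no argument reads the live system instead of the sample directory.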

Massive legal problems

AMD is currently being sued by a few law offices over them stating that they have "near zero" vulnerability to Spectre, but they still issued patches. It's a bit of a dumb thing to sue someone over, since data centers don't want "near zero", they want just zero.

Intel on the other hand is being sued by around 30 entities and there's a bit more merit here. Now, it'll be up to a judge and jury (or something like that) to actually decide if it has merit, but in my view it kinda has. And here's why. Intel knew about Meltdown, and it knew about it before releasing Coffee Lake. And yet, it did nothing to improve the architecture, because that would lead to a delay that it did not want when Ryzen was breathing down their necks. They also did not inform any of their shareholders about this massive security hole, and that is a serious problem, especially since the CEO of Intel sold all the shares he can legally sell (he is obligated to still own a bunch of them) about a week or two before the public reveal. That is bordering on insider trading and can bring down severe consequences on top of the company and the CEO. Screwing over the customers is one thing, Intel has been doing it since the Athlon 64 days. But when they start pissing off shareholders, they are in hot water. The customers that bought CPUs with the Meltdown vulnerability after Intel was informed about it may stand to get some money returned. Don't expect much, it took about 15 years for the Pentium 4 thing to get settled, so that people that bought them would get $15 returned. You'll probably see 5 bucks returned somewhere in 2025.

Moving forward

So, what's going to happen now? Well, AMD and Intel promise that their next-next generation processors will be immune to the bugs exploited by Meltdown and Spectre. Some of these chips may even arrive in 2018, probably late 2018. Until then, we have to deal with patches that cause more trouble than they're worth, performance drops in data servers, game server performance getting worse and, from what I understood, it also affects the workload of the witnesses of the Steem blockchain.

What's important to understand is that whoever knew about these exploits a decade ago has run amok with them already, so we're basically playing catch-up at this point anyway. The bulk of whatever damage could be done has been done. It's like the Yahoo mail hack. The biggest security cockup on the web, all our information out there in the wind, and those responsible for our security got a golden parachute and are free to ruin tech in general to their heart's content.
