Last week, we learned of two significant security vulnerabilities in the most common processor architectures, which are now used in just about every digital system on the planet. Our own Jim Turley wrote a great explanation of the problem. Predictably, the world responded with alarm, indignation, and a total lack of actual comprehension. After all – these bugs were launched with a full-on marketing frenzy. These bugs have Logos! A panic swept the tech world unlike anything we had seen since… a few days earlier when Apple “admitted slowing down older iPhones.”
Today’s soundbite-driven culture is heavily dependent upon the technology that five decades of Moore’s Law have suddenly bestowed upon us all. Almost overnight, we have capabilities that humans never dreamt of, and we have quickly hit the point where the human race is unable to adapt fast enough to keep up with the change that technology has brought into our lives. Most of the population is simultaneously deeply engaged with technology and incapable of reaching any reasonable understanding of how it works.
As engineers, we deal with this constantly – perhaps most often in the form of tech support for our friends and families. If we’re very lucky, we’ve taught them the “before you call me, turn it off and back on again. If that doesn’t fix it, then we’ll talk” rule. But, when it comes to issues such as security, all bets are off. The media – particularly the non-technical media – does a terrible job of explaining security issues in terms the general public can understand. And they have little to no incentive to even try. After all, if they can toss up a headline that portends massive doom, they’re likely to pull a lot more clicks than if their article were titled “Spectre and Meltdown – Not a Very Big Deal.”
To make your article go viral, it helps to have high stakes and a villain. That’s why so much of the early press on Spectre and Meltdown singled out Intel. If the public can be convinced that there’s a deep, dark conspiracy and cover-up behind the issue with nefarious characters in mirror-windowed skyscrapers pulling the strings, outrage (and a whole lotta online ad impressions) will likely ensue. Technology problems are fertile ground for whipping torch mobs into a fantasy-fueled frenzy. The Apple battery “scandal” is a perfect example of this. Apple built technology into the iPhone that extends the useful life of the battery and helps to prevent unexpected shutdowns by slowing down the processor when the voltage sags. But it’s a lot more fun to bill that as “Apple deliberately slows down older iPhones.”
What if we considered Spectre and Meltdown in a much lower-tech context? Let’s say we’ve been selling cars for decades. Those cars have locking doors. Then, suddenly, someone says “Hey, even with the door locked, pretty much anybody can get into any car by throwing a rock through the window.” Yep. This is a true fact. You can try it yourself. (Please use your own car, however.) Now, this security vulnerability isn’t exactly a “bug.” It’s not something that the car companies have been trying to hide from us for years. And it probably doesn’t require an immediate recall of every car ever made. Unlike Spectre and Meltdown, this vulnerability has most certainly been used many times. And, unlike Spectre and Meltdown, this vulnerability doesn’t require extremely specialized skills to exploit. Any six-year-old with a rock can pull it off.
There’s a certain kind of fear that is imparted by the unknown. We have a much greater ability to accept risk and danger when that danger is familiar. This is one of the reasons people can read study after study showing that commercial air travel is far safer than private auto travel, and still harbor a strong fear of flying while hopping into a car without giving it a second thought. Things we don’t understand, and therefore cannot control, seem far scarier than even the most dangerous situations we encounter on a daily basis.
Out-of-order and speculative execution have been with us for a long time. (Not as long as windows on cars, but stay with me here.) The recently discovered vulnerabilities can be mitigated to a large degree with software patches – albeit with some still-unknown performance penalty. And, as Jim pointed out in his article, the bad guys have to already be inside before even attempting to exploit Spectre or Meltdown. In that way, it’s less like breaking into the car and more like a new way to bust into the glovebox once you’re already in. And, like the glovebox, there’s no guarantee the bad guys will find anything of value even after they’ve used the (as-yet incompletely designed) hack.
This brings us to one of the more important questions about Spectre and Meltdown: with all of the security holes out there in the world, do these vulnerabilities offer any new value to the black hats? Sure, some of your passwords might possibly be hanging out in protected memory. But is a Meltdown exploit the best, easiest, or most economical way to get them? In that way, I see these vulnerabilities as being ubiquitous, but not especially valuable.
A lot of technology concerns fit this mold. As a hobby, I do aerial photography with a quadcopter. I generally keep my flying to very remote areas, and I am careful to avoid behaviors that might upset people nearby. Still, a few times, I’ve had people say “That would be a good way to spy on people, wouldn’t it?” My response is “No, actually, it wouldn’t be. A conventional camera with a telephoto lens would be a good way to spy on people.” The quadcopter brings almost nothing to the party if your goal is “spying on people.” It may seem like a new and exotic tool, but it wouldn’t really advance the capabilities of your average “peeping Tom.” Do Spectre and Meltdown offer any real new capability to cyber criminals? At this point I’m unconvinced.
I predict that Spectre and Meltdown will turn out to be minor speed-bumps in the information security realm. Yes, the sheer breadth of the vulnerability is breathtaking, and the scale of the fix will be similarly monumental, but in the long run, I doubt these two gremlins will take much of a toll in terms of actual damage done to society. It will be interesting to watch.