The biggest takeaway from the discovery (or rediscovery?) of Meltdown and Spectre is the realisation of the shakiness of the foundations on which we have constructed our networked world. We have always known (though many still wilfully deny) that there is no such thing as a completely secure networked device. Now we know that at the heart of every networked device there sits a vulnerable processor.
This is a big deal, given that it affects almost all the computing devices on the planet. “In essence,” says the UK’s Information Commissioner’s office, “the vulnerabilities provide ways that an attacker could extract information from privileged memory locations that should be inaccessible and secure. The potential attacks are limited only by what is being stored in the privileged memory locations – depending on the specific circumstances, an attacker could gain access to encryption keys, passwords for any service being run on the machine, or session cookies for active sessions within a browser. One variant of the attacks could allow for an administrative user in a guest virtual machine to read the host server’s kernel memory. This could include the memory assigned to other guest virtual machines.”
But what if you don’t want others to know about the details of your wine cellar? “It turns out,” writes Tufekci, “that by watching your butler’s movements, other people can infer a lot about the cellar.” Information (the bottle on the butler’s silver salver) is visible that would not have been available if he had patiently waited for each of your commands, rather than trying to anticipate them. Almost all modern microprocessors behave like attentive butlers – and the revealing traces left by their helpful actions mean that information that is supposed to be secret isn’t.
Initially, it was thought that the only answer would be to replace all those processors – an unconscionable option. But then it turned out that solutions exist in terms of patches to operating system software. The industry is working on those and every conscientious user ought to install them when they become available. But there’s no free lunch here: fixing the problem will slow down processors by an amount that will differ from chip generation to generation. Microsoft, for example, says that patches will “significantly slow down certain servers and dent the performance of some personal computers”. Sacking that attentive butler means that you have to fetch your own drinks. And that takes longer. Patience is a virtue, sometimes, even in computing.