Let’s be serious for a moment
You’ve probably heard the terms “Meltdown” and “Spectre” a lot lately. Over the past few days the two security vulnerabilities have been everywhere in the news. Hell, you’re reading about them on a video game website right now, that’s usually a sign that something’s gone too far.
There’s a good reason for that! We’re used to vulnerabilities being isolated to some software or some machines, but nothing quite this widespread. Unless you’re browsing Destructoid on a Raspberry Pi or something, the device you’re using to read this page right now is vulnerable. That’s just how it goes.
Indeed, Meltdown and Spectre are both very similar in nature, the result of the unending performance race of the processors used in computers (I’ll refer to them as CPUs from now on). In order to sell, hardware needs to be faster. Expectations are higher every year, both for consumer computers and servers alike. More parts. Speedier parts.
At one point, predicting what the computer would have to do in the future became part of the core design of CPUs. If the prediction turns out to be wrong, you can throw away what you’re currently working on and go back to what you’re supposed to be doing. If you got it right, you don’t have to wait around until you’re told to do it! Sounds like free performance, right? Yeah, mostly!
While branch prediction and speculative execution is incredibly neat tech, these are also the root cause of Meltdown and Spectre. Somewhere along the way, fast won over secure, and it happened quite a long time before Blackberry fell into obscurity too.
Meltdown
Meltdown is the “bigger” of the two vulnerabilities, being easier to exploit for nefarious purposes. It affects Intel CPUs since the Pentium Pro and a bunch of ARM chips (the ones in your cellphones). Here’s the basic idea of how it works:
- Some crooked criminal gets into an old-school bank and asks to withdraw from John Smith’s drawer.
- The clerk, thinking ahead like CPUs do, thinks to himself “Ah, I’ll need to go to the third drawer from the left”.
- The clerk realizes that the crooked criminal isn’t John Smith. Smart person that he is, he gives the villain access to neither the drawer nor the information about its location in his head.
- The crooked criminal is very good at what he does, and the bank staff isn’t quite as good at dealing with criminals as it thought it was. By reading the clerk’s eyebrow movement, the thief figured the clerk was keeping information about the drawer’s location in his head already.
- This allows the crooked criminal to copy the contents of John Smith’s drawer because we’ve reached the limit of my comparison skills.
Patches have been released on Windows, Mac OS and Linux alike. The Windows patches might not be available to you straight away when checking Windows Update, due to incompatibilities with antivirus software. This means you’ll have to make sure your antivirus software, if any, is up to date beforehand.
Servers using Intel hardware are either updated or in the process of being updated already, so your own personal machine is all you have to worry about. Whether you’re using Linux, OSX, or Windows, just keep yourself as up to date as you possibly can. Don’t worry about performance. As Intel initially claimed, performance loss from these security updates on the average setup is minimal, nowhere near 30%. Update.
Spectre
Spectre is harder to define and much harder to fix, but thankfully more difficult to implement as an attack. It’s a name given to a lot of potential vulnerabilities resulting from speculative execution as a whole, which means nearly all modern CPUs are affected.
AMD. Intel. ARM. Apple.
Updates have been released, and others are in development, to protect people against Spectre. However, they’re more of a Band-aid solution. These updates make it harder to run code that would exploit the vulnerability, fixing the symptoms rather than the illness. In all likelihood, we’ll need a new generation of computers that will fix the issues inherent to modern CPU design. Until then, Spectre will never truly be defeated.
Spectre and Meltdown are scary. They’re scary in the way that airport security vulnerabilities are scary. They’re potentially very harmful, yet the average person should be more worried about car accidents.
So, here are a few safety tips to help you stay safe on the road. Don’t forget to wear condoms, kids.
Tips to keep yourself safe online:
Internet cafés are a poor place to handle sensitive data. Public WiFi doesn’t protect you against people listening to your communications. Whether you’re entering your credit card number or logging into an email account that contains work information… Wait until you have access to a secure network, or at least wait until you’re connected to a VPN before logging in anywhere else.
Reusing passwords is a no-no in general. Nobody likes domino effects. The same advice goes for easy-to-guess passwords. I know it’s an obvious comment, but people are still falling into this trap. For how many years has a series of numbers like 123456 been the most popular password now?
You should be particularly wary of passwords you’ve used with emails, or usernames identified as compromised in haveibeenpwned.com. Once the password is out there somewhere, it’s very easy to use it on a lot of websites until it clicks. Leaks rarely come alone.
Be wary of websites that do not bother using secured communications, yet ask you for sensitive information. If the address doesn’t start with “https”, that’s usually a bad sign.
Phishing. That’s what’s most likely to trick inexperienced internet users, like young kids. It’s the name given to these cute attempts at getting you to give away your own information. You’ve seen it before.
- Emails pretending to be Paypal or your bank, warning you about a suspicious transaction, and asking you to login to your account. These usually address you by your email address instead of your name… Nothing’s easier for a bot than filling out an email with an email address, after all.
- Malicious ads that tell you you’ve won a contest, or that your device is infected by viruses.
In general, the best trick you can do, when seeing an important email from a company, is to go to the company’s website manually instead of clicking on links. Googling takes seconds. If you like to live in the fast lane, at least make sure to hover your mouse cursor over links before clicking them. Just to make sure they lead to the proper site.
As far as children go, it’s much easier to tell them to ask an adult to help before clicking on something out of the ordinary.
A nice read for developers:
Trusting open-source packages can be pretty dangerous. In fact, reading an article on the topic is what inspired me to write this article to begin with. It’s called “I’m harvesting credit card numbers and passwords from your site. Here’s how.“, by David Gilbertson, and it’s frightening stuff. Don’t worry, he doesn’t actually harvest our info.
I think.
There’s reason to panic, but that doesn’t mean there’s reason to panic. The goal of this article isn’t to make you shave 30 years off your life by stressing out over security all the time. The goal isn’t to make you become a hermit traveling the world untethered to technology either, even though that sounds like a pretty sweet outcome.
Security is just something to keep in mind when you’re doing important things. Every person has a role to play. By simply being careful, you’re helping the creation of a better, safer world.
At least, until the computer singularity decides to get rid of us.
I’m neither a security expert nor smart in general, so if you’ve got additional information to add to the article… Do tell. I’m open to updating the article as often as it takes.
