Thanks for posting this news item from the always-reliable Reuters news. I don't know what to make of it. I had already read similar, elsewhere, as the Internet seems to have gone crazy over "Meltdown" and "Spectre" (such dramatic and scary names!) these last couple of days. They are a "thing", it seems, and may be potentially even worse and more imminently threatening as a national security risk
than Climate Change™, or something. Anyway, we must act - and now!
There's no debate about that, except perhaps from the usual pointy-headed tinfoil-cap-wearing conspiracy theorists whom we all spurn as less than human - and rightly so.
A report and video interview from the always-reliable CNN investigative reporting team
- that the flaws affect "...billions of computers and smartphones" (Oh no!),
- that "Meltdown" (sounds a bit overheated to me) affects only (all/most) Intel processors(!), whereas,
- "Spectre" (sounds like code for a sorta James-Bondi ghostly Russian spy system to me) "...exists in almost every computer system" (which sounds scarily pretty comprehensive),
- that "Intel CEO Brian Krzanich sold about half his stock months after he learned about critical flaws in billions of his company's microchips.", which carried the implicit suggestion that the flaw(s) were deemed to be serious enough for the CEO to risk potentially breaching insider trading regulations constraining the sale of Intel stock - so thus, obviously the flaw(s) are real and serious and need to be remedied ASAP.
- that these hardware/firmware design vulnerabilities have apparently been known about/discussed for years as being potentially exploitable, and were a known result (trade-off) of chip hardware designers working towards maximising optimum throughput - the implication being that to "fix" them now could necessarily reduce throughput and slow down all our PCS/smartphones. (Mightt we not all need to buy new, non-vulnerable CPUs?)
Oh dear, what a pity, never mind.
seems to be based on a supposition that these are hardware/firmware vulnerabilities/flaws, or something, that were not previously known about (which would seem to not be true), whereas what we can deduce seems to be that this is the first time that some details of these vulnerabilities have been published
(I think that, at least could be true).
In the Reuters report you quoted, "Daniel Gruss"
(not sure whether that is a real person) is the name assigned to the "discovery" of the "Meltdown"
flaw, whereas we are only told - somewhat ambiguously - that "Separately, a second defect called Spectre has been found"
.What? Simultaneously? Coincidentally? Just like that?
Woooow, scary; must download the fix ASAP before the bogeyman looks into my laptop/smartphone/raspberry Pi firmware with "X-ray vision"
(Yep, that's what it was called.). Then I shall feel safer.
The parallel report that the Intel CEO apparently had the audacity to risk potentially flouting insider trading rules and sell off his max limit of stock at a good price before the flaw(s) were published (Shock! Horror! Who would do such a thing! Capitalist scum!) is really interesting. Apparently (per CNN), Intel stock had already dropped 6% on the "bad news" about the chips, or something, so Brian Krzanich could now redeem himself by buying his stock back at a hefty discount, even increasing his stockholding at no extra cost - if he wished. Ahh, serendipity.
Bet there wasn't a 99% chance that that
price drop wouldn't happen, eh?
Colour me highly skeptical - especially given the history/experience/example(s) I coincidentally referred to in the recent post here:
Unfortunately, history also shows that it generally doesn't seem to make a blind bit of difference whether corporations exhort their personnel to conform to avoidance of this or that unethical or illegal practice or "behaviours", because people (usually senior managers and executives) will attempt to do their damnedest to work around such "ethical" constraints where they see a potential pot of gold, or a savings, or a marketing advantage can be had.
Of course, Microsoft, Intel, AMD, et al
are presumably assiduously working collaboratively day and night now, even as I write this, and probably after I have gone to sleep for the night (though I am a bit of an insomniac), to push out a broad "fix" to these terrifying flaws. The last thing we want is people "peeking at our passwords" or, maybe worse, even "looking at what tabs we had open in our browsers". Oh, the horror!
It was bad enough when Snowden blew the whistle on the NSA spying. Oh, but wait...
Which rather begs the question as to whether these apparently long-known vulnerabilities (QED)
and flaws were not already
being (relatively) "harmlessly" exploited by (say) the NSA or other state agencies/organisations, or whether the comprehensive world-wide "fixing" of CPU hardware/firmware is actually necessary, and whether the reality of the "fix" might not be worse than the reality of the supposed vulnerabilities, introducing (say) new backdoors where there were none before... How would we know for sure?
But I suspect that there may not be any consumer option there. It currently rather seems that we WILL
get the fix via a remorseless push
, and whether we want it or not, and it may have already started.
Ordinarily, I would say that "Doctor knows best.", but - post-Snowdengate - I'm none too sanguine about these IT medicos and their "You can trust us to do no evil!"
(or similar) approach... I mean, it's not like they have taken the Hippocratic Oath
, or something - is it?
I couldn't help thinking that this all seemed to be déjà vu
for some reason, and then I recalled the Halcyon days of the Y2K
work that I and thousands of others helped to
helping clients who bought into our consultancies' hugely lucrative Y2K risk mitigation proposals.
The poor wee darlings couldn't sleep at night for worrying that the sky was falling down - and it was! Yes! It really was!
- because all their CPU-controlled systems, including in computer-rooms, elevators, calculators, PC workstations and distributed 3-tier LANs and databases, aircraft control systems, telephone exchanges, etc. were all at risk - very real risk
- of stopping dead on the turn of the year 2000. Aircraft would literally fall out of the skies, elevator brakes in tall buildings would come OFF
automatically sending the lift and its occupants hurtling to certain destruction below, banks and payment systems would collapse as their systems stopped, food and water would be in short supply due to the banking system collapse and store checkouts not operating, balance sheets would evaporate, huge losses would be incurred, etc.. Oh, the horror!
Well, we put their little minds at rest, so they could sleep peacefully, secure in the knowledge that we had put mitigation plans in place and mitigated the risks for them
, the poor dears. So they slept on soundly, whilst we tiptoed off into the sunset of the first day of 2000, laughing all the way to the bank, secure in the knowledge that the
clients were convinced that we had delivered them a good
Ah, those were the days, eh?
It would be nice if we could catch another gravy train like that... Oh, but wait...
...looks like the MSM (MainStream Media) may have already climbed aboard. A quick survey seems to show pretty consistent reporting (almost word-for-word) of the narrative coming from all/most "news" sources, with little real variation and no apparent evidence of critical investigative journalism. Speaking as the ex-Principle Marketing Consultant for the AP region, to what was apparently the third-largest IT corporation on the planet at the time, and where my specialism was strategic marketing communications planning (and in which I was regarded as being pretty capable), the MSM chatter on this Meltdown-gate
(my terms, for want of a better terminology) would seem to have all the markings of a well-orchestrated and well-synchronised public communications launch. Not a bad job at all.Respect!