These days we are having more and more confirms that closed-source solutions always imply a liability, as they may come with a surprise in the box in the form of a major vulnerability which, this time, basically affects the whole world. But while open source solutions deployed on a massive scale are subject to peer review and thorough scrutiny by a worldwide army of developers, for closed-source ones we ultimately rely on trust. That is, you may have to wait a decade before the bug is discovered since the software or hardware in question is a black box that you run because you trust the company.
In case you missed the latest news and you don’t know what the hell I’m talking about, on January 3, everyone woke up with mainstream media and news outlets yelling about a bug affecting all Intel microprocessors produced in the last ten years. The bug – a security bug, to be precise – may even be patched shortly, but from what we already know the workaround will cost about 30% in terms of CPU power. Three days later, the scenario seems even more alarming, as we discover that what has been referred to as Chipocalypse is a catch-em-all bug, sort of a pandemic computer disease if you’ll pardon the poetic license. Or, to put it shortly, this is not just an Intel issue and, despite counter-narratives on social media, everyone’s affected, i.e. not only Intel but also AMD and ARM devices. Which translates into the whole basket of mobile devices, computers, and servers around the world. Even iPhones and Macs – with huge headaches for Apple PR, already busy stopping the bleeding since December, when Cupertino answered users’ claims about battery issues afflicting “old” iPhones.
And the story gets even more nuts.
On November 29 Intel CEO Brian Krzanich sold 245,743 of his 495,743 Intel shares, remaining with exactly 250,000 shares, the bare minimum he needs to be the chief executive officer of Intel. Useless to say, the market wasn’t happy, nor it is now that more and more clues of insider trading are popping out. Krzanich sold the shares in accordance with SEC Rule 10b5-1 plan that prevents insider trading and allows sales of shares in the form of predetermined selling plans, which means that if you are an executive and you want to sell your shares you have to adopt a selling plan now that will get executed in the future. Problem is, Intel CEO already knew about the bug on October 30, 2017, when he adopted the plan. Google says it informed Intel on June 1, 2017 – which on my calendar comes before October 30.
What Google’s Project Zero researchers, together with academic and industry researchers from all over the world, have discovered, is a couple of bugs, Meltdown and Spectre. The first one targets Intel chips and makes any data on Intel-based devices accessible by applications running on the devices. Any data means any data, including passwords and encrypted stuff. Spectre instead is based on a feature – yes, a feature – of Intel, AMD and ARM chips called speculative execution. You may even find some Intel white paper dubbing it “one of the main techniques used by most modern high-performance processors to improve performance.” (My suggestion to get a hilarious couple of minutes is also to give a read to Linus Torvalds’ comment on speculative execution.)
Solutions
Because you know, here it comes the reassuring part, doesn’t it? Uhm, no. There’s no easy way out of this giant mess. Microsoft and Apple were already working round the clock on this issue before January 3, when the house of cards started unfolding, but are of few words because the solutions cost as much as 30% of CPU power. And given that these vulnerability flaws afflict pretty much everybody, even Internet pages may load slower, since servers answering your calls are bugged too. Anyway, Microsoft has released a software update for Windows, Amazon is updating several servers and Google’s working on it since before the public revelation.
Everybody’s overworking to solve this problem, and most of the big tech companies already were before January 3. In fact, there should have been sort of a schedule for a joint disclosure, so to let the companies work on the problems before the hackers – and there actually was. The news should have been disclosed on January 9, according to the plan, but there was a leak on January 3 that exposed Ubuntu systems everywhere (nobody was working on Ubuntu before January 3, since Canonical hadn’t been informed).
Moral of this story
With this mega apocalyptic bug storm, the Russia-hacked-the-elections narrative, cryptocurrencies on the rise (disclaimer: I own small amounts of cryptocurrencies) and Mark Zuckerberg worried for the centralization vs decentralization debate, my guess is that 2018 will be the year in which security, transparency and open source become cool again.
