Meta: It's been a while since I've posted! I have some other things in the works, but this was a quick gimme based on some recent events, and it has been good to sit down and write it.
Last week, the early announcement of the Meltdown and Spectre attacks surprised many, although not by an awful lot. Word had started to get around on Twitter the night before, and I managed to get in an early word.
As a quick re-cap: Meltdown and Spectre are two newly discovered and disclosed security vulnerabilities. Meltdown applies primarily to recent Intel chips and allows unprivileged processes to access all memory locations on a computer. Spectre is a bit harder to pin down, but the important things to note are that it uses out-of-order execution and branch prediction on modern CPUs to gain access to memory locations it should not be able to read.
The early buzz was entirely about Meltdown. Before all the information was out, people were reporting patching it might cause a 30% slowdown. Of course, in real testing, most user-facing workloads have a much less severe penalty, although many server tasks will have trouble.
The looming specter of the whole situation, though, is Spectre. Spectre is more difficult to exploit, but could have much more severe impacts, and will be much more difficult to protect against in software.
Permanently fixing vulnerabilities related to Spectre will require entirely new CPU silicon. A few proof-of-concept attacks on Spectre are already being patched against, but there are so many possibilities that it's likely server hardware (and anything running a desktop-class OS as well) can't be considered "safe" until it's simply replaced by a new generation of hardware.
The next generation of computer hardware, currently in the design phase, likely doesn't fix this. It's possible that the generation after that also won't fix these problems in hardware. We're looking at systems that are two or more generations away to fix this, and that will take between two and five years, depending on what's needed to mitigate these risks.
Once a CPU is designed and verified, there will be the matter of producing enough of it to meet demand. Cloud service providers and enterprise datacenters will be doing their best to get at these chips first. In a situation where, hypothetically, every server system doing work in a cloud or service provider setting needs to be replaced, it could be years before silicon is available for consumer and desktop applications.
I think by the time this is published, the moment of true widespread panic will really be over. A huge rush on server-class systems may or may not appear in a few generations, and even if it does, it probably won't look too abnormal for a processor generation launch. The chipmakers (Intel and AMD) may do a server-first release, but they may not bother, opting as they generally do to build consumer silicon first.
My prediction is that the hype will pass and that systems departments will, as ever, increase monitoring and attempt to decrease exposure. In theory, this is what a good information systems department is already doing, so it's going to be a matter of doing the same thing, but more, instead of doing a different thing.
On the desktop side of things, I think that following guides for security such as Decent Security is as important as ever.
I can't stress this point enough. It has been fun to watch the vintage computing circles on Twitter fall over themselves to come up with the most creative ways to avoid these hardware vulnerabilities, and it has been in good fun, but a necessary side-effect of digging out a twenty-year-old machine to avoid a modern hardware vulnerability is that software vulnerabilities are re-introduced. This is especially true on anything running closed-source software, or for which modern releases of open source software are no longer available.
I love pulling out my old computers, but everyone should keep their modern patched Internet-faring computers ready to go. Part of regular security operations in the computer industry will involve vendors releasing more patches for Spectre-class vulnerabilities as they're discovered. Users of modern operating systems that get patches from a vendor will benefit from those patches as they become available.
Meanwhile, most of my desktop systems have already been patched against Meltdown. My Mac downloaded and installed the patch before the new year, which might say something else about the state of information sharing among security professionals, but that's for later, if ever. My Windows systems also have the patch and, as I predicted on Twitter, I haven't noticed any difference. I have yet to go play a game and record my screen and a camera at once, but I'm not particularly worried about that working well; it was fine last time I tried it.
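For Linux users who want to confirm the same thing on their own machines, the kernel (4.15 and later) reports its Meltdown and Spectre mitigation status through sysfs. The script below is an added example, not part of the original post: the default sysfs path is the kernel's real one, while the sample directory it can build and the ok/vulnerable/mitigated classification are my own constructions for illustration.

```shell
#!/bin/sh
# Added example: summarise the Linux kernel's own Meltdown/Spectre status report.
# Kernels from 4.15 on expose one file per issue under
# /sys/devices/system/cpu/vulnerabilities/ (meltdown, spectre_v1, spectre_v2, ...)
# whose text starts with "Not affected", "Vulnerable" or "Mitigation: <name>".
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"
# classify_status TEXT -> prints ok | vulnerable | mitigated | unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo ok ;;
        Vulnerable*)     echo vulnerable ;;
        Mitigation*)     echo mitigated ;;
        *)               echo unknown ;;
    esac
}

# report_vulns DIR -> one "<issue> <class> <raw text>" line per file.
# Exit status: 0 nothing Vulnerable, 1 something is, 2 directory missing
# (kernel too old to report, or not Linux).
report_vulns() {
    dir="$1"; rc=0
    [ -d "$dir" ] || { echo "no $dir: kernel does not report status" >&2; return 2; }
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        raw=$(cat "$f")
        cls=$(classify_status "$raw")
        if [ "$cls" = vulnerable ]; then rc=1; fi
        printf '%-12s %-10s %s\n' "$(basename "$f")" "$cls" "$raw"
    done
    return $rc
}

# count_vulnerable DIR -> number of issues the kernel still reports as Vulnerable
count_vulnerable() {
    report_vulns "$1" 2>/dev/null | awk '$2 == "vulnerable"' | wc -l | tr -d ' '
}

# Constructed sample directory (not captured from a real machine): Meltdown
# patched with PTI, Spectre v1 mitigated, Spectre v2 mitigation not yet landed.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Vulnerable\n' > "$d/spectre_v2"
    echo "$d"
}

if [ "${1:-}" = "--demo" ]; then report_vulns "$(make_sample_dir)" || true
else report_vulns "$VULN_DIR" || echo "some issue is still Vulnerable, or status unavailable"; fi
```

Run it with `--demo` to see the constructed sample, or without arguments to read the running kernel's report.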
Personally, I'm not making any big plans to rush out and replace any hardware I know or suspect to be affected by Spectre, mostly because there's nothing better right now. My server and my desktop are each pushing six or seven years at this point and depending on what my budget looks like in a few years, I think I will be able to make a relatively easy case for replacing either of them. My laptop is still less than a year old. Its replacement isn't even on the thought roadmap yet.
I think Spectre has larger possible implications for the model of centralized services and the cloud, but that will have to wait for another time. New vulnerabilities are always exciting, but the takeaway should still be to run a modern OS, patch it regularly, and keep an eye out for possible trouble and monitor the machine's behavior.