Researchers Discover Two Major Flaws in the World’s Computers

Called Meltdown, the first and most urgent flaw affects nearly all microprocessors made by Intel. The second, Spectre, affects most other chips.


Comments: 192

  1. A 30% loss of performance means 5 years backwards in computational power. Bad news for EC2, Azure and Compute Engine. Furthermore, that could be a major setback for the AI industry. Another piece of bad news I have to mention is that NVIDIA prohibits use of GeForce GPUs in data centers. Together they could make cloud computing services less affordable in the coming year.

  2. The "AI industry" and "cloud computing" have both helped marketing-not-tech companies get a maximum of private user info with a minimum of accountability. The parting cloud lets the sun shine through. Besides, maybe actual tech groups can now make free(dom-respecting) software and hardware to replace the GeForce in the big shops. When East Coast filming was stifled by Edison's patents, Hollywood rose. Then it became the "intellectual property" demon it ran from, but hey...

  3. Why am I not surprised? The technology industry along with our highly commercialized internet focuses on one primary function: making money. It is at the heart of the Net Neutrality issue. True to form, the Trump administration sided against their base to support that Republican-led assault on the internet. But, back to my point. Although I use current technology, I have never trusted it. No one will ever convince me that new technology products are or have ever been vetted adequately for security flaws. These new flaws prove that! It is one H. E. double hockey sticks of a trade off: the benefits of computers/technology or personal and financial security. Everything about us is accessible on-line or in some database somewhere. That fact was frightening when I first realized it two decades ago and even more so today. Most of us had no choice in the matter. One has to have computer/technological skills in today's world or we are not employable. Even job applications are mostly on-line and vulnerable now. I haven't liked computers since I paid $5 on a $20 doctor visit in 1973. Their new computer added the $5 to my bill instead of subtracting it. The billing department insisted that "computers do not make mistakes." But, people do. And who designs, produces and promotes the darned things? Humans who can't help but make mistakes...

  4. The first thing I thought of when I read the name Spectre was the evil organization in the James Bond novels. The potential for simple error or fraud in computer-based systems may be small, but when it happens its consequences can be devastating, either to an affected individual or an entire population. Maybe that's the price we have to pay for speedy and convenient transactions. But one place we should absolutely refuse to pay the price is in the voting booth, which is especially vulnerable to hanky-panky. It often doesn't need much to swing an election and it is unlikely to be detected. I'm all for low-tech, pencil and paper ballots and waiting a few more hours for the election results.

  5. Your first premise is false. In a market economy businesses must make money, yes. But they must do this by satisfying customers. No company continues to be profitable if they ignore customers' concerns, and security is clearly one of the most important.

  6. Oregon has been using mail-in ballots for years..... easy, fraud proof, paper trail, cost effective and an easy process for all. No hanging chads, or technical glitches & hacks.

  7. "Spectre" seems familiar. Some time ago there was much concern about US government having Intel plant a back door into their processors. While many dismissed this as just a conspiracy theory, the US state certainly had the opportunity, means and motive for it. Is Spectre simply an independent discovery of this back door? In its redesign of the CPU, will Intel just hide it better this time?

  8. I actually think both Spectre and Meltdown are (awful and massive) honest mistakes, in that probably no one at the CPU makers thought any data read by speculative execution of code would ever be known once the CPU figured out which branch of the program to *actually* run and the other branch runs were discarded as unnecessary. They figured, like a baseball lead-off, that only one thing could really happen and that plays couldn't be read just by plotting both staying on base and an attempt to steal the next. Sensible. Intel's magnificently tone-deaf PR downplay (gloriously ravaged in a separate The Register article) shot their own foot, though. Their hubristic hardware choices of late (bonding their CPUs' heat spreader to its chip with just thermal paste and not solder? Huh?!) haven't helped, and were a big reason I moved to an AMD CPU from an Intel one when I built a new machine.

  9. You can't hide a flaw. Eventually it gets exposed.

  10. Thanks for letting us know how much you know about computers.

  11. What makes this even more damaging is that legacy machines will continue to have these flaws. As computers have become increasingly pervasive in society, we should remember that not everyone can afford simply to replace everything to provide security against the Spectre flaw, and those older machines (which are already perhaps 30% slower) will be even more so with the patch, assuming they CAN be patched. (consider that someone may be using an older OS which is no longer in use, even though the computer itself is viable)

  12. No worries there, as Microsoft, the enemy of consumers, will not patch older OS. So run your XP or Server 2003 machine with glee - just be careful.

  13. The incentive to control us, whether by the government (as suggested by Haines Brown) or business (as suggested by Vickie Hodge), is inherent in those with the power to do so. It's built into the structure of all societies; no surprise that it's also built into the structure of the technology we use for our interactions with one another. SR seems to suggest that "independent tech groups" could somehow escape these controls, and offers Hollywood movie production escaping the control of Edison's intellectual property as an example. But s(he) realizes where that has gotten us.

  14. While I love tech and use it daily, I still don't believe we can trust it completely and this doubtfulness on my part is borne out time after time by the ease of hacking and the design flaws constantly, newly discovered. I refuse to put anything meaningful on my cell phone or computer. They are merely tools to simplify my life. They aren't the end all, be all of existence and I will never live my life on them. If you put all your personal and financial information on these things, even if you issue a new, insanely long password each day, you are just asking for trouble. We have made it too easy for criminals to access our very valuable information.

  15. Folks, we have reached peak complexity in our society. Every time a problem occurs, or we find a loophole in something, we add a layer of complexity. An example is our tax code, which is thousands of pages long. Or the ACA, which is also thousands of pages long. We spend billions on unnecessary medical tests to prevent lawsuits. We rely on traffic apps to get to work each day. A minor computer glitch can shut down an airline and delay thousands of passengers. Every time I log into my financial website I have to answer whether or not I want them to see my location, give them my password, answer a security question, verify that I am not a robot, then they have to text a passcode to my smartphone. I don't believe what we are seeing is malicious or greedy intent on the part of the chip makers, but the limits of human teams of people to keep up with the necessary level of complexity. I once worked on a computer system change for my company and the logic systems we needed to understand were overwhelming. Until we start looking at ways to simplify rather than adding complexity, things will probably get worse.

  16. This is important news, but I'm slightly annoyed by the conflation of processing speed and download speed (which will remain unaffected) in the third paragraph.

  17. I believe the proper assembling of packets for downloading is affected by the software, and so would be slowed down.

  18. Technically, your maximum download speed should not be affected; however the server at the other end might not be able to send data as quickly as your ISP can forward it to you.

  19. Interestingly, you have this backwards. The “fix” (really a messy work-around) for Meltdown won’t make the CPU slower, but will make system calls (used for things like IO) slower. So raw CPU-bound tasks (say, video encoding) are not impacted. But IO-bound tasks (databases, high performance networking) are up to 30% slower. Now, most people’s download speeds are not limited by their machine, so it is the case that most internet users will not see lower download speeds.
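The point made in comment 19, that the Meltdown work-around taxes user/kernel transitions rather than raw computation, can be checked with a micro-benchmark. The block below is an added example, not code from the article or from any commenter; it assumes a Linux host with glibc, and times a real system call against a pure user-space loop so the two costs can be compared before and after a mitigation is enabled.

```c
/* Added example: separate the cost of a system call round trip from the cost
 * of pure CPU work. After a Meltdown mitigation such as kernel page-table
 * isolation, the first number rises (every entry into the kernel now pays for
 * a page-table switch) while the second stays put, which is why syscall-heavy
 * workloads see the slowdown and CPU-bound ones largely do not.
 * Assumes Linux with glibc. */
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <time.h>
#include <unistd.h>

/* Monotonic wall-clock time in nanoseconds. */
static double now_ns(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (double)ts.tv_sec * 1e9 + (double)ts.tv_nsec;
}

/* Average cost of one real system call, in nanoseconds.
 * syscall(SYS_getppid) is used instead of getpid() so that no libc caching
 * can elide the kernel transition. */
double syscall_cost_ns(long iterations) {
    double start = now_ns();
    for (long i = 0; i < iterations; i++)
        syscall(SYS_getppid);
    return (now_ns() - start) / (double)iterations;
}

/* Average cost of one iteration of a pure user-space loop, in nanoseconds.
 * A dependent multiply-add chain stands in for CPU-bound work; the volatile
 * sink keeps the compiler from optimising the loop away. */
double compute_cost_ns(long iterations) {
    volatile uint64_t sink = 0;
    uint64_t acc = 1;
    double start = now_ns();
    for (long i = 0; i < iterations; i++)
        acc = acc * 6364136223846793005ULL + 1442695040888963407ULL;
    sink = acc;
    (void)sink;
    return (now_ns() - start) / (double)iterations;
}

int main(void) {
    long n = 1000000;
    double sc = syscall_cost_ns(n);
    double cc = compute_cost_ns(n);
    /* Run once with the mitigation off and once with it on: only the
     * syscall figure should move appreciably. */
    printf("syscall: %.1f ns/call, compute: %.1f ns/iter, ratio %.0fx\n",
           sc, cc, sc / cc);
    return 0;
}
```

Comparing the syscall figure on a mitigated and an unmitigated kernel gives the per-transition overhead; multiplying by a workload's syscall rate estimates its real exposure far better than the headline "up to 30%".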

  20. OK, who is naming these things? I bet the same person who came up with 'bomb cyclone'.

  21. Just so you know, they're named by the tech outfit that first figures out what the baddies have done.

  22. "The more complex the plumbing, the easier it is to stop up the works" -- Scotty

  23. I'm really tired of buying software that takes over my computers to prevent hackers that take over my computers. It's just as ridiculous as it sounds. It's time for some vigilante justice. We can't just keep suffering for decades as we are picked off. We pay cops and feds the big bucks to protect us, so do it. Let's stop cowering in fear in our own homes and businesses.

  24. You're saying we should go vigilante at "cops" because of Meltdown and Spectre? smh

  25. The cops and feds aren't about to derail their gravy train by 'fixing' anything permanently. It keeps everyone occupied, and keeps the money circulating.

  26. I wonder what the SEC and DOJ will make of Intel CEO Krzanich's selling off the vast majority of his stock in October (after he was informed of the flaw, but before the public had knowledge)? Insider trading, anyone?

  27. Remember the oligarchy! DOJ will do nothing. They'll be too busy sending Weed Wacking squads to blue states.

  28. So now, any person on earth MIGHT have access to whatever anyone else has entered through their keyboard, mouse or whatever. Sounds like our only hope/defense is to lie, lie, lie.... consistently and with abandon. Hey! Maybe Donald Trump is onto something good after all!

  29. Wonderful. Now we are probably going to be gouged for the security needed to protect us from the risks entailed by these design defects -- defects that apparently have been known about and concealed for quite some time.

  30. Define "quite some time". Everything points to the fact that the two flaws have existed for a long time, but haven't been known for a long time. Besides that, it is counterproductive to broadcast that you are aware of a flaw without a countermeasure or replacement product ready. It merely encourages the bad actors.

  31. Uh oh. Looks like the SPecial Executive for Counterintelligence, Terrorism, Revenge, and Extortion is back. Apparently James Bond did not finish the job. Can no one stop Ernst Blofeld?

  32. I don't use cloud because I never trusted it from the very beginning. And I'm beginning to think maybe I should get rid of my desktop computer, do my banking in person, pay my bills by slow-mail and trade in my i-Phone for a 10-year-old flip-phone.

  33. Right you are. "The Cloud" is someone else's computer.

  34. Your 10-year-old flip phone is susceptible as well, and people with the right information can impersonate you in banks. Security was not foolproof a few years ago. The only thing was people didn't have a hard time understanding potential flaws. Which is not the case now.

  35. Yup. My trusty TracFone flip phone sits in my car for emergencies--I don't even know the number. My landline works fine, and also brings in my wi-fi on a wire. I pay my bills by mail. However, I do have a PC, and recently started using Chrome when my Firefox update did something weird to my computer. Maybe Firefox is the better answer. And I NEVER click on anything in my junk mailbox.

  36. So it would seem that the best place to store one's personal data is on one's own computer rather than on "clouds" and other corporate data bases. So those of us who insist that businesses remove our credit card numbers from their website are not entirely paranoid. Storing personal data on a business's computer leaves one totally at the mercy of that business's ability to protect such data; the headlines continue to remind us of the folly of that notion. Furthermore, why should a hacker waste resources attacking a single personal computer, when the hacker could attack a business's computer which might yield millions of credit card numbers and other personal data ?

  37. No. You missed the point. All computers are vulnerable. It's just that the cloud is a lot of computers so it is a lot of instances of vulnerability that can be hacked.

  38. I am going to get a head start on this problem, not by patching my computer in any way, but by doing the smart thing and try to get adopted by an Amish family.

  39. The sad part is that extreme (and somehow ridiculous) as your plan may sound, it's not actually that bad of an option, considering the extent of our dependency on technology we can not control and understand (at least in a reasonable amount of time).

  40. Wonderful. Now we are going to probably be gouged for the security needed to protect us from the risks of these design defects -- defects that apparently have been concealed for quite some time.

  41. I have avoided using Cloud. Instinctive suspicion, I suppose. Guess I'll have to do more regular backups, but what about places like Amazon, who has my credit card information. Will hackers be able to access that through them?

  42. Get ready to be inundated by offers from IT security firms.

  43. L, you are already using the cloud if you use the internet, because the websites you visit are often hosted from a cloud service. And that is just one obvious broad example. You are already using many, many clouds.

  44. Depressing. Thanks for the info.

  45. 90% of all microprocessors are Intel. Not only do we all bear the brunt of a commercial monopoly but now we bear its technical consequences as well.

  46. Maybe a duopoly, but not a monopoly. It's more of a triopoly (sic?) if you count ARM, which powers most mobile devices and some Chromebooks.

  47. Clearly not too important to the home user with even moderate computing experience, and a supply of common sense. I certainly won't want my computer to be slowed down, and will not permit Microjunk or anyone else (open sourced or not) to patch that sort of nonsense into my OS. As for the big guys who were planning to make bank on this; a 20-30% reduction in speed will kill them, so expect some new chips, etc. post quicko. Meanwhile the home PC/workstation market should see a boost.

  48. lol... I hope you don't connect your computers to those dangerous internet tubes - have you not patched since 1986? Still running Windows 3.1?

  49. Remember this as there is a push for "self driving" cars. Computers and their programmers are not infallible.

  50. I agree BCN but with what I've seen as more and more people look down at their phones or text at traffic slowdowns and red lights, perhaps the sooner we take the privilege of driving away from them, the safer we will be.

  51. A bit apples and oranges unless one wants to believe all tech is the exact same thing. Regarding self-driving cars, what the devs are not telling you is that the tech won't work well until there are roads just for self-driving cars. Self-driving cars are very much currently beta-tests for something at least 50 years away. Investors and Wall Street do not want to hear that, so you don't see those facts written in articles virtually anywhere.

  52. The driving (excuse) force behind automated vehicles is now in the hands of the long haul trucking industry. There is a vast fortune to be made by cutting out the costs of labor. Once the concept is proven and the public is convinced, you will have a hard time finding an old fashioned car with a steering wheel. It isn't going to take fifty years. I suspect it will take less than five.

  53. I hereby express my sadness and cynicism if not ... hopelessness. Do not keep reading for reasonable elaboration. Things will probably get worse in the next 3 years of such craziness/denial of science/EPA induced regress. These pessimistic puter guys are apparently authentic and our deities ought to bless them for being truthful. It's not difficult to prognosticate that our internet security isn't really going to be fool proof. Meanwhile these fake/symbolic "coins" seem to be indicating (to me) an even more uncertain future. We are losing by not having confidence in our ability to cover the debt/borrowings of our entire governmental system(s). I further perceive POTUS Trump as (hopefully not) portending further ignorance, malignancy and absurdity. I feel true sorrow of what I think is being indicated by what I am fearing.

  54. All computer security vulnerabilities are preventable, but you still have to find the problem before you can fix it. Thank goodness it was (as far as we know) the good guys who found this one first.

  55. "All computer security vulnerabilities are preventable" So Very Not the case. Tech changes so fast at both hardware and software levels that it is not feasible for EVERY issue to be prevented beforehand.

  56. I have stayed away from the cloud, but for other reasons: I like to keep control of my own content instead of trusting it to some ecosystem which I do not control. Also, I hate to accumulate recurring expenses. I use a laptop and a backup disk. I work on cloud systems in my job, and this news does not surprise me at all. The system is inherently vulnerable, with virtual boundaries spread across multiple servers in an enormously complex ecosystem run and used by people with varying degrees of talent and integrity. Such problems are inevitable. I suspect that "the cloud" is a passing fad. Things like this will happen again.

  57. A passing fad? You serious?

  58. mlbex.. you can't actually stay away from the Cloud, if any sites or services you use (i.e. Amazon) rely on it. Making you vulnerable... oops! Do we know what the NYT uses?

  59. If anyone is interested, here is brainsmoke's tweet: https://twitter.com/brainsmoke/status/948561799875502080 He's reading the system call table from an application program. If he can do that, he can do anything.

  60. A question from a non-tech person (me): Is there a Theorem out there that all computer systems, all encryption methods MUST be 'hackable'? I'm not a sophisticate about these matters, but as sure as there is always a larger prime number... I wonder what Fermat or Gödel would say about this

  61. I believe public-key encryption would be hackable if we had machines with the brute force to factor large primes fast. We don't have that yet. Even the embryonic quantum computers are too slow right now, so I am told by a friend at Symantec.

  62. Godel might say...'arithmetic-based, machine languages probably are not reducible to hardware in the space/time/quantum model. So, good luck with the software/machine language work-around since it probably will not work, or will have a further uncertainty which opens the doors to just about everybody. Folks should not ignore the outcomes of logic demonstrations, ever. Yep, they are all hackable.' Seems to me, the work-around can satisfy the needs, but human intuition must continue to intervene at crucial junctures.

  63. I would say no matter how tight the security is, there is always a crack somewhere. Have you ever seen a door that is completely unbreakable, not even with military grade explosives?

  64. The two revelations here are interesting, as is Intel's reaction so far. The Spectre flaw has been suspected for a long time, and is still somewhat theoretical. The Intel flaw is different, and much more serious in that an actual exploit has been demonstrated. Of note is that AMD processors do not have this flaw because they recognized the security issue and chose to avoid it, in spite of higher possible execution speeds. Intel is facing stressful times ahead, and their carefully crafted "nothing to see here" press release yesterday will probably need to be expanded upon.

  65. I work in computer hardware development. New chips don't happen quickly. New servers based on the new chips don't happen quickly either. Generally, a redesigned chip requires a redesigned server, and that is a (more or less) 3 year cycle; 1.5 years for the chip and 1.5 years for the server. Meanwhile, billions of dollars worth of existing servers will be rendered obsolete before their time instead of being phased out on predictable schedules. Unless Intel can quickly redesign chips to replace those already in *existing* servers, a fix is going to be ugly, expensive, and a long way off. Meanwhile a 20 to 30% reduction in speed could prove fatal to cloud vendors. Unless people are mistaken, this could end badly for everyone involved.

  66. Companies can decide to use mainframes or cloud technology based on mainframes instead of cloud technology based on servers with Intel technology.

  67. George M: True enough, but as of now, the bulk of them use servers based on Intel technology. Who knows what will change in the future, but for now, it's a major problem.

  68. Watch this turn into a boon for hardware manufacturers and vendors. A brand new reason to buy new computing hardware when a really compelling one hasn't existed for a while.

  69. Indeed, for anyone who wants a zippy computer, the only real solution will be to buy a new computer in late 2018, whenever Intel has a proper hardware-based fix. On the other hand, many typical users won't do that even if their computer operates more slowly.

  70. Does this mean that computers on store shelves right now can be had for pennies on the dollar? Or are they going to be recalled? Probably neither.

  71. How could Intel design a chip that is this defective this way? I could accept a defect in something like quality control when a new technology is being used. When they use a new technology to build a new chip that has a faster speed, that chip still does the same thing, just faster. This probably means that even the older chips have had this defect and it has been around a long time. I am guessing that the vulnerability this defect allows now was not relevant when this was first designed, as the system was not being used in a way that this problem would come up. I am guessing that when they started using the system in ways that the chip was not originally designed for, they made the assumption that a chip that up to then was working fine didn't need to be redesigned. There is an expression. Don't fix something that isn't broken. I have a new expression. Don't use something for what it wasn't designed to do without checking it out. This is a hardware problem which I assume can not be fixed by changing the software on these computers. My guess is if you can't fix this by fixing the computer you may have to fix the system so it can function with these computers. I know very little about computers but I am good at logic and this is what logic tells me.

  72. It's the result of a design meant to predict the next sequence of commands (that may or may not happen), which is a decade or so old design. Software that changes the way an operating system accesses certain elements of memory DOES in fact mitigate this problem, albeit with sometimes significant slowdowns in certain tasks.

  73. What the article should have said but does not: the flaw is hardware-based, not in software. That is far more serious to remedy than a software flaw. The only way to fix a hardware flaw is 1. replace the hardware (in this instance 90% of the world's computers are affected, so not feasible) or 2. write patches that do a work-around to the hardware flaw, which often means corralling and buffering data to keep it safe (which slows the computer down). As computer news goes, this is a big deal and should be on the nytimes front page. It affects virtually every Intel computer in the last decade according to those that know the most about the issue.

  74. It's not necessarily true that because this is a hardware flaw it can't be prevented. Hardware flaws can and have been avoided in the past. It appears that's being done here, because google and microsoft have already made fixes. The way that's done is to modify software to disable or avoid using the flawed features in the hardware. That may not be possible with every hardware bug, but in some cases it is (for example if a specific instruction or feature doesn't work correctly). In this case, they must be somehow avoiding use of the speculative execution function, which was included to improve performance. Avoiding that may mean using other software instructions, or issuing the instructions more slowly to avoid the problem. Either one may take longer. That must explain the 30% performance reduction that's described.

  75. I work with computers but no longer do any dev work, haven't done that for years. I have worked at AMD in Austin, TX in my previous life... as a software engineer. I have instinctively stayed away from cloud computing. I have never trusted documents on Google Docs or anywhere else, and just like someone else said before me, I like to keep control of my stuff. However, I do use the internet to buy goods and services for convenience, so how do I protect my cc information? I do very little for it. I have a regular checking account with a Visa debit, and I keep 200 dollars or less in that account. Anywhere I use the cc on the net, I use that Visa debit, and if the purchase is more I make a deposit in that account and use it immediately. Even exercising such prudence, I have had a few small mishaps for which I had to get a new Visa debit from the bank. I had trouble getting my money back once and I just ate that 40 dollars or so loss... just couldn't be bothered with it much more. My suggestion is everyone set up low fee or no fee (plus no transaction costs) similar accounts to avoid large headaches. It costs me $4 per month for my "special, internet usage account."

  76. I have a credit card I use ONLY for the Internet, and that card has been used by someone else a number of times. Sometimes I have a good guess what website let it slip. Sometimes none. But I will credit Chase that their security algorithms have identified purchases of as little as 57 cents as suspicious, contacted me promptly, and refunded the amounts. Just before Christmas, they also sent me a new card by overnight delivery. (And no, I do not work for Chase.)

  77. Or just freeze your credit information.

  78. Readers should know: the "up to 30%" slowdown figure which has been repeated by the press is misleading. It came from an unrealistic usage pattern, a do-nothing exercise which really did slow down that much, but which isn't representative of real programs.

  79. Would this 20%-30% slow down have any more slowing down of the current FCC ruling on net neutrality, or is it just a coincidental occurrence, rather than a planned business decision? Patching you in at 30% less speed allows others more speed... others who will and can pay. Thinking all these major corporations and tech companies do work for themselves and their investments as priority one... not your personal data; your data will be and is being collected regardless.

  80. Is it fair to assume the off-shore banking servers used by tech companies to avoid taxes are not shared, and are not susceptible to these flaws?

  81. Based on what we know, this is a big deal by virtue of the number of machines impacted. But there are many considerations: 30% is not a firm number (yet), and a 30% slowdown in processing power does not mean that a computer will literally be 30% slower. Most of the time, a CPU sits well below its maximum with cycles to spare. The shared nature of clouds makes these exploits more dangerous, but clouds have other physical and technical security advantages. Clouds are built to scale rapidly and can accommodate adding hardware to counter performance degradation. This is not the "end of the cloud". Could this be the result of carelessness? A ploy to sell new hardware? Sure. However, Meltdown appears to be a flaw in branch prediction. Branch prediction has been known to computer science since the 1950s and has been an integral part of Intel CPUs for decades, so this probably wasn't someone cutting corners for a quick win. Security is paramount to technology, and most tech companies--selfishly or not--want to release secure products. It's likely a result (fueled by consumer demand) of working within some of the most complex, sophisticated engineering in existence. As usual, we'll figure it out and move forward a little wiser.

  82. @Tim Medora - I so concur with your comment. These bugs, especially for Intel, are Satan's lake of fire filled with all things unholy because of the sheer number of CPUs in use. It is going to take time, money, and some really great engineering to resolve, and now that the issue is known it becomes just that: an engineering issue. The issues are dead serious but they can be mitigated in the near term, with Spectre being the one that will bedevil the computing world for some time to come. In the meantime, the world will go on, Netflix will continue to show SpongeBob on demand, and data breaches and theft will continue. The areas that have the greatest risk, the rapidly expanding cloud environments, also have the very best software and security engineers to address these issues. With all that said, if I alone had known about this issue years ago I would have quit being a software engineer and gone to law school; this is going to be a legal and business nightmare for Intel. And with that, I am going outside to stare at the sky to make sure it isn't falling.

  83. The computer "geniuses" always lag behind the hackers. Everyone knows this. ALL computers in the world are ALWAYS at risk. It's mostly a matter of when we computer users find out.

  84. Indeed, it is easier to destroy than to build (except for plumbing). Said the woman who re-plumbed her kitchen sink personally, over the holidays.

  85. Tell me again why we should trust computerized voting systems?

  86. We shouldn't. And we might want to carefully roll back some of the things we rushed to connect to the Internet. I seem to recall that once upon a time -- before 1995, that is -- we somehow managed to produce electricity and operate dams without making them vulnerable to hackers on other continents.

  87. I know, right? It makes Trump's electoral college win all the more suspect, with Russia in the mix.

  88. Really.

  89. BIG SISTER is here, and she likes to gossip.

  90. Who didn't know that "cloud computing" was about as safe as unprotected sex at the Las Bonitas massage club and bar in Tijuana.

  91. In his seminal work In the Absence of the Sacred, Jerry Mander accurately portrays the biggest threat of all new technologies - unintended consequences. In their enthusiasm to push and profit from every glittering new idea, entrepreneurs almost never look for the downsides. Now that faster and faster IT rules the world and supposedly saves all of us so much time, I wonder why most of us are busier than ever and rarely see any quiet down time. The internet is the biggest time and energy suck in history.

  92. While I use the internet -- so do you obviously -- and I love being able to look stuff up fast & easy -- overall, it is the biggest time suck in history and has made so many aspects of life infinitely worse than they were 20 years ago, in what I now call "the lost world of 1995 (and earlier)". Sometimes I cry remembering what it was like.

  93. Intel is on top of this, people, just as they were with the Pentium error. The strategy rolls out today. 1. Everything's fine. 2. Almost everything is fine. 3. Anything that's not fine isn't serious. 4. Okay, it's serious. 5. Why did you cause this serious problem? 6. Intel will replace some of the devices with this serious problem. 7. Whoa, scratch that. 8. Okay, Intel will replace all of the devices with this serious problem. 9. Whoa, scratch that. 10. Intel will replace all of the management who caused, alerted anyone to, or knows about this serious problem. 11. Problem? What problem?

  94. Somehow this reminds me of Y2K.

  95. One solution: Avoid cloud computing services.

  96. Like the one used by the NY TIMES to host the article you just read? Does the NY Times have your CC information on file to charge you for your monthly subscription?

  97. I think I see an opening for sales of IBM z-series mainframes to cloud computing service providers. . .

  98. OMG! 30%! I will pay my ISP immediately $100 more a month to upgrade my speed.

  99. Anyone who stores their valuable data in the "Cloud" deserves to lose their data.

  100. "The optimist thinks this is the best of all possible worlds. The pessimist fears it is true." J. Robert Oppenheimer

  101. The pessimist says, “things can’t get any worse.” The optimist says, “sure it can!”

  102. The nefarious among us seem to have the upper hand. Who that turns out to be in this 'cyclone bomb' remains to be seen. Decades for a fix??? Give us a break. Keep in mind this could completely do in cryptocurrency, a win-win for big bad money and centralization.

  103. "Attackers could fool consumers into downloading software in an email, from an app store or visiting an infected website."---This is the only way to attack a Mac computer, as I found out recently. I was in a legit website and it redirected me to a page that looked like an Apple help page, and said I had two viruses that needed immediate removal. I, of course, deleted the tab and did not click on the link. I could see how someone would think it was legit, though. Upon contacting Apple, it appears that for Macs you must accept and download any programs, and that includes programs that facilitate viruses. But one must be savvy and realize these pages and attempts are scams!

  104. “There’s been this desire from the industry to be as fast as possible and secure at the same time. Spectre shows that you cannot have both.” This is a variant of the aphorism: "fast, cheap, good (secure). Pick two." Pay an extra 50% for more processing power, and you'll make up for the 30% slowdown in speed with the patch. Moore's Law may take care of that in a year or so.

  105. The idea of “technical debt” might now become more widespread but business folks will still not care. Speed to market is their only consideration.

  106. Looking at the photo accompanying the article, who is in charge of this mess? MEN. It figures!

  107. YogaGal, the photo accompanying the article is of the people who discovered the flaw, not of the people who designed the processors. But, yeah, you're right, MEN are responsible for every bad thing ever.

  108. I noticed that too

  109. If you had actually read the article you would know that those men are the ones who found the problem. Next time consider reading the article you are commenting on before sharing your opinion.

  110. Luddites and technophobes everywhere will be saying "I told you so!".

  111. And sensible people who actually paid attention while learning from the ground up on TRS-80s. Don't forget us -- because we DEFINITELY said so.

  112. There are some very basic misunderstandings in this article. At the very least, not understanding bandwidth vs. CPU is beneath the reputation of the NYT. It's incumbent on the NYT to at least understand the tech enough to not make a factually untrue article. This paragraph in particular is awful: "As for Meltdown, the software patch needed to fix the issue could slow down computers by as much as 30 percent — an ugly situation for people used to fast downloads from their favorite online services." It's not hard to understand the issue here - a very fast computer can have a very slow internet connection, and vice-versa. "Downloads" are not CPU bound. Downloading your pictures or watching Netflix is a "bandwidth bound" operation, typically restricted by the speed of your internet connection, or (rarely) the speed of Google's internet connection. What might be slower? Probably nothing. Cloud infrastructure is scalable. It might make certain things more expensive (page rendering on social media sites, facial recognition, internet searches). Although with processors improving more than 20% per generation that won't be a big deal. At most we've been kicked one generation back (about a year) in certain applications only. 20% is a maximum, not a minimum performance penalty.

  113. Yes, it was an over simplification; but I suspect they said it would be slower because the servers resolving the information request and then pushing out the results would do so more slowly. Of course that is also suspect though, because in all likelihood the company would just buy more space on the cloud or more processing power to make up for that "up to 30%" slow down in processing power.

  114. Well written! As a retired IT professional, I know that the distinction is not well understood but very important. By the way, I put as little information into the cloud as possible.

  115. I cringed in the same way when I read that "Downloads" bit. I still think the omission of this being a problem with Intel chips, and one that does not affect AMD chips, is the worst part of the article. There is nothing anyone can do about the fact that the hardware of Intel chips for the last 20 years has been designed in a fatally insecure way or that the patch will slow their computers. But knowing which chips, exactly, are affected and which are not is information people can use. I get that the NYT isn't out there to pick sides between CPU manufacturers, but that this is Intel's problem and AMD is unaffected are objective facts that consumers need to know.

  116. Are any of our nation's voting machines infected with these flaws?

  117. Of course, the voting machines have the flaws, and more importantly the machines that count the votes are vulnerable. This makes it even more imperative that there are paper ballots to check whether the election was honest in each and every county in the US.

  118. I don’t think it matters when the DOE's Argonne National Laboratory hacked into one of the machines in 2011 and determined that “anyone with $26 in parts and an eighth-grade science education would be able to manipulate the outcome of an election….” Victoria Collier: How to Rig an Election – The G.O.P. Aims to Paint the Country Red https://harpers.org/archive/2012/11/how-to-rig-an-election/ "GEMS turned out to be a vote rigger’s dream. According to Harris’s analysis, it could be hacked, remotely or on-site, using any off-the-shelf version of Microsoft Access, and password protection was missing for supervisor functions. Not only could multiple users gain access to the system after only one had logged in, but unencrypted audit logs allowed any trace of vote rigging to be wiped from the record. "Damning reports have since been issued by researchers from Johns Hopkins, Princeton, Rice, and Stanford Universities, the Brennan Center, and the GAO. Experts describe appalling security flaws, from the potential for system-wide vote-rigging viruses to the use of cheap, easily replicated keys—the same kind used on jukeboxes and hotel minibars—to open the machines themselves. In 2005, the nonpartisan Commission on Federal Election Reform, chaired by Jimmy Carter and James Baker, stated unequivocally that insiders with direct access to the machines: 'There is no reason to trust insiders in the election industry any more than in other industries.'"

  119. Margalo, Election integrity advocate Jonathan Simon explains in his interviews (they can be found on his Code Red 2014 website) that ballots give us a false assurance as they "almost never" see the light of day. They are off limits to the public, candidates, and in most cases election administrators. The system was set up for concealment. Of course, that's the opposite of what a democracy is supposed to do.

  120. HAIL TECHNOLOGY! Technology Will Set Us Free and Make Our Lives RICHER! I can feel my Standard of Living rising underneath my ergonomic chair! HAIL TECHNOLOGY!!! (Will my "smart refrigerator" still remind me when my milk from two months ago has gone bad?)

  121. Why assume the Russians didn't secretly discover these flaws, esp. Meltdown, long before the recent discoveries now made public? That could explain how Russia's St. Petersburg hacking operation -- along with WikiLeaks' middleman collusion -- could discover specifically which of Hillary's campaign emails might reveal the "dirt" that Don Jr., Kushner and Manafort wanted dug out from her private server. And we all remember "SPECTRE" from TV, where that organization committed harmful deeds internationally, secretively, and fundamentally.

  122. Blofeld had an operative at Intel

  123. It really has nothing to do with Hillary; her campaign emails were hacked long ago -- 3 years before the campaign. At that point, Trump wasn't a twinkle in anyone's eye. All that it proved is that Hillary was a dunce about computer security and her team no better than she.

  124. Self-driving cars just got several years farther away - thank goodness! I will absolutely not trust one with my life, especially because they will be hackable. (BTW, I'm in IT.)

  125. “Intel believes these exploits do not have the potential to corrupt, modify or delete data.” Why would this delay self-driving cars? This issue relates to privacy and safe-keeping. It is worrisome if people can now get access to delicate information, but a car's specs are not delicate information. I couldn't care less if hackers can see what speed I am going or where I am. As long as this does not increase the chances of them taking control of cars (which would be the same as before this flaw was discovered), then this would not impact the deployment of self-driving cars. And well, as for you, you are still entrusting your life to other drivers. A world with no reckless or intoxicated drivers vs a world where some cars may get hacked. I think the choice is pretty simple, but to each their own.

  126. So I was right to heed the little voice that told me "don't trust the cloud."

  127. Slowing performance by 20 to 30 percent is likely accompanied by an increase in power consumption. Given the number of machines affected, the patch approach discussed will likely have a major environmental impact.

  128. If the speculative execution function is turned off, that might modestly reduce power per processor (if that's what's being done to prevent the problem). But if more processors need to be employed due to less performance per processor (this may be the case in cloud computing where processors are shared and have a high workload), then the additional processors would result in a net power increase. Your typical home computer isn't shared, so it's somewhat less at risk (although it's still possible a web app could exploit this). Your home computer is more likely to simply lose performance if a fix is applied, I would not expect a power increase, instead the lost performance might reduce power a bit. Your computer consumes the most power when it's most busy.

  129. That's a great point. But most computers spend most of their time waiting around for something to happen, and waiting more slowly isn't a big problem. So the increase in power consumption might not be directly comparable to the performance decrease.

  130. The basic rule my wife and I follow is this: everything we entrust to the digital world is public information. Perhaps not at the moment, but sooner or later. This comment. My banking information. My life history. There is no such thing as personal privacy in this age. If there's something you don't want to see posted on the nearest telephone pole, keep it to yourself. It'll get out anyway, but it's slower. If you're well-off, you can keep some things hidden: think Trump's taxes. For the rest of us, well, welcome to Brave New World.

  131. Problem is that our banks and other institutions we do business with put things in the cloud whether we want them to or not.

  132. Actually, it will get out much more slowly if you do post it to the nearest telephone pole than on the Internet.

  133. Your banking information is entrusted to the digital world whether you bank online or not; your bank digitizes everything. So if someone else lets a trojan into your bank, they can still get your information.

  134. Well, it seems that it's finally happened - a hardware virus. According to the article: "A fix may not be available for Spectre until a new generation of chips hit the market." This probably means that the only way to fix this virus is to replace the hardware. And the only way it will stay fixed is to build open source hardware. I wonder what the microprocessor manufacturer's liability will be on this one?

  135. Viruses spread. This is not a virus. Using your logic, a defective airbag in your car is a hardware virus. SMH

  136. "Virus" is the wrong term. The two issues here are "security flaws" or "vulnerabilities." It's possible that these problems could be exploited by a virus, but the flaws themselves are not a "hardware virus" any more than a romaine lettuce is an E. coli bacterium.

  137. No need to be pedantic. It's a hardware vulnerability, and a virus depending on the hardware vulnerability appears to be possible. Calling it a "hardware virus" is not so far off.

  138. Does anyone else think it's fishy that this "flaw" in 90% of all computers is revealed at a time of slowing computer sales? Not to get all conspiracy-minded, but did it really take 20 years and the production of billions of processors to figure this out? And in the next year, there won't be enormous pressure on companies, governments, and individuals to buy new computers numbering in the hundreds of millions in order to replace these machines that can't be "fixed," right? I can't know the truth, but I'm not crazy to be suspicious.

  139. No it's not unusual. The vulnerabilities exist and the discoveries depend on who and how many are looking.

  140. As a consumer of these CPUs, I expect Intel to supply replacement parts under the 3 year warranty that these parts carry. A software patch that impairs performance is not warranty maintenance.

  141. So, Intel processors will work some 30% slower than the speed they were sold at. That will surely result in class-action suits.

  142. They'll still run at the same speed, but they'll have to do more work to get the same result safely. Failing to address the problem is far more likely to have legal consequences than doing something about it, even if the fix diminishes performance.

  143. Ever since cloud-based computing has existed, it's been clear that using these services is based on a trade-off--security vs. convenience. For most individuals, this may not be a serious problem as it is for businesses that hold data on millions of customers. Nonetheless, if you want to ensure privacy, don't put sensitive files in the cloud. Download them to a thumb drive and erase the traces they leave behind on a computer.

  144. I buy and upgrade my machines regularly, but I am not a power user. My guess is that the 30% performance difference would not even be noticeable by those of us who just use the computer for word processing and business-related work. It would slow down computations with large databases. But for those who do cloud computing, maybe upgrading your internet to the highest speed, and picking an internet provider less likely to be hacked, might be one way to offset the reduction in performance, especially if most of your work is cloud-based. In the meantime, it is time to think about how and whether to network all your computers.

  145. Why aren't the microprocessor makers liable?

  146. Why am I not seeing any mention of the takedown of net neutrality here? It seems to me that the stage is being set for all internet users to pay and pay and pay for things that (supposedly) used to be free, fast, secure.....

  147. 80% of comments here reflect either tinfoil hat or Luddite thinking. Thank God a few here have studied Electrical or Computer Engineering and can speak rationally on this.

  148. Beware: the Intel-Cloud-Chip-Meltdown-Spectre-Cyclone...! Is it Y2K all over again...?

  149. I hope a fix is discovered soon.

  150. Please just fix it. I have three Mac Airs, a Mac Pro, two Dells, three iPads and a Zenpad in my house and internet security on my home network is nearly impossible. My phone has forced me onto the Cloud. My Windows computer keeps trying to push me onto the Cloud. McAfee keeps telling me it blocked 800 attempts to hack into my computer and that it is protecting thousands of files. WebRoot conflicts with McAfee. I got rid of Kaspersky. I use shareware security. I clear my cache regularly and shred my deleted files. We are already vulnerable. We don't need any more vulnerabilities. I allow every software update. You know where I keep my passwords? On a creased, wrinkled paper in my wallet. Disconnecting from the web is beginning to look like a good idea.

  151. Back up everything on an external hard drive, and then after the backup is complete unplug that hard drive from your computer so it is untouchable by anything / anyone on the Internet.

  152. Time to save some money to replace the computers and drive the economy up:-)

  153. Spectre?? Call Bond, James Bond. Deploy the 007 patch. He will take care of it.

  154. That first sentence is a doozy. Perhaps that explains why I despise technology! Why do we as a society accept this, and even embrace it? And why are the people on the stage not identified? Are they afraid of something? And these companies, Silicon Valley-based that is, are worth billions of dollars and here is where we are? I ask this question every day...... When will our collective national nightmare end?

  155. @Steve Beck Why? Why ask why? It's the seductiveness of Convenience! It's the same reason mankind has ever embraced ANY new technology. Because it does something that took awhile, and some effort, that this new tool does faster and better, from plows to airplanes to atom bombs. The fact that you're using a computer to post your comment means, on some level, you too, have bought into the convenience of allowing us to collectively experience your reaction to this news. "Same as it ever was, same as it ever was."-David Byrne

  156. My MacBook, now patched, is disturbingly slow waking up, but seems normal in most other respects.

  157. They said I was mad--MAD, I tell you--to base my most secure communications and data storage methods around an underground network of Belgian weasels trained to respond only to Flemish commands transmitted via underground vibrations in Morse code. Well? WHO'S LAUGHING NOW, INTEL?

  158. Translated: Anonymous Bosch uses a Radio Shack TRS 80 with a cassette deck hooked up for data storage. I am pretty ticked off right now that I sold it to AB now that Intel has ruined my day; I can assure you I am not laughing. Moral: Never trust or do business with anyone that can train Belgian weasels.

  159. The most interesting question of the moment would seem to be the security of cyber currencies. If 90% of the world's processors are now deemed vulnerable to hacking, then how can anyone trust Bitcoin or its spawn? Bitcoin "experts" and major investors could tell the world that its architecture makes hacking impossible, but who is willing to trust them? How can the average person even think about verifying claims like this? The lesson we should learn is to not trust our major IT corporations. The credit companies that got hacked seem to have zero accountability--I had to pay to have my accounts suspended. Why? How is this my fault?

  160. Please do not inform Mr. Trump. He would only blame this computer flaw on Hillary Clinton and her secretary.

  161. I have read up on this issue extensively as I am a bit of a computer geek. I could give a detailed explanation of exactly what happens in the hardware flaws, but that would cause people's eyes to glaze over. The actual useful piece of information that everyone needs to understand, which is shockingly, inexplicably, not mentioned in this article, is that for x86 processors, this issue is exclusive to Intel. AMD processors do not have the problem as they did not take the same predictive shortcuts approach in how they designed their silicon to interact with the operating system. If you have an AMD processor, your computer will not be slowed by any percent with the security patches. This information matters! The one, most important thing for you as the consumer to understand about this whole debacle is glaringly absent from the NYT explanation of it.

  162. You're half right. Meltdown only applies to Intel processors. Spectre applies to all processors, including those produced by AMD and also ARM processors on phones.

  163. @A Michael - But there is a working POC for Meltdown that shows an application program reading kernel memory and printing it on the screen. There is apparently no POC for Spectre as of yet, so it may not be an exploitable flaw.

  164. Some of what I've read says the Meltdown flaw is Intel-specific, and that makes some sense since details of how hardware works (like the speculative execution at issue here) are proprietary or even protected by patents, but this google blog suggests this vulnerability may also affect AMD and ARM processors: https://security.googleblog.com/2018/01/todays-cpu-vulnerability-what-yo... For much more detail, continue here: https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory... It's complicated, but it looks like Intel didn't do enough to protect data being acted on speculatively (which means the processor is working ahead before it knows data will be needed, to have it ready if it is, much like chess software may look several moves ahead and have pre-planned moves ready).
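Added example, not from the article or from any commenter above: a small Python model of the Spectre variant-1 (bounds-check-bypass) mechanism that comments 162 to 164 are circling around. It simulates a one-bit branch predictor and a cache as a set of probe-line indices, so no real speculative execution takes place; the public array, the secret string and the "timing" numbers are all constructed for the demo. What it shows is why a load the CPU later squashes still leaves a footprint in the cache that an attacker can read back with flush+reload, and why a speculation barrier between the bounds check and the dependent load closes the channel (at the cost of the speed the article's "fast or secure" quote is about).

```python
"""Toy architectural model of a Spectre-v1 style leak (constructed example).

Nothing here touches real hardware. The Machine class models just enough
of a CPU to show the leak: a one-bit branch predictor, a cache modelled as
the set of probe lines currently present, and a victim gadget of the form
`if x < bound: y = probe[memory[x]]`.
"""
from dataclasses import dataclass, field

PROBE_LINES = 256  # one probe line per possible byte value


@dataclass
class Machine:
    memory: bytes                    # flat address space: public array, then the secret
    public_len: int                  # the bound the victim's check enforces
    barrier: bool = False            # True = serializing barrier between check and load
    cache: set = field(default_factory=set)   # probe lines currently cached
    predict_in_bounds: bool = True   # one-bit branch predictor for the bounds check

    def victim(self, x: int):
        """Victim gadget: architecturally returns memory[x] only if x is in bounds."""
        in_bounds = x < self.public_len
        # Speculation: the core follows the *predicted* direction of the check
        # before the check resolves. Without a barrier it performs the dependent
        # load, and that load pulls a probe line indexed by the loaded byte into
        # the cache even when x is out of bounds. The result is later squashed,
        # but the cache state is not rolled back.
        if self.predict_in_bounds and not self.barrier:
            self.cache.add(self.memory[x])
        self.predict_in_bounds = in_bounds   # predictor learns the real outcome
        if in_bounds:
            return self.memory[x]
        return None                          # OOB: the program itself reveals nothing

    def access_time(self, line: int) -> int:
        """Constructed timing model: a cached probe line is fast, others are slow."""
        return 40 if line in self.cache else 300


def leak_byte(m: Machine, addr: int, train_rounds: int = 5, threshold: int = 100):
    """One flush+reload round around a mispredicted out-of-bounds access.

    Returns the recovered byte, or None if no single probe line lit up.
    """
    for i in range(train_rounds):
        m.victim(i % m.public_len)   # legitimate in-bounds calls train "in bounds"
    m.cache.clear()                  # flush: evict every probe line
    m.victim(addr)                   # OOB call; architecturally returns None
    hits = [v for v in range(PROBE_LINES) if m.access_time(v) < threshold]
    return hits[0] if len(hits) == 1 else None


def leak_range(m: Machine, start: int, length: int):
    """Recover `length` bytes starting at `start`; None if the channel is closed."""
    out = bytearray()
    for addr in range(start, start + length):
        b = leak_byte(m, addr)
        if b is None:
            return None
        out.append(b)
    return bytes(out)


def demo():
    """Constructed layout: 16 public bytes followed directly by the secret."""
    public = bytes(range(16))
    secret = b"hunter2"             # constructed secret, never returned architecturally
    unsafe = Machine(memory=public + secret, public_len=len(public))
    leaked = leak_range(unsafe, len(public), len(secret))
    safe = Machine(memory=public + secret, public_len=len(public), barrier=True)
    blocked = leak_range(safe, len(public), len(secret))
    return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = demo()
    print("without barrier:", leaked)
    print("with barrier:   ", blocked)
```

The model deliberately separates the two things that matter: `victim()` never returns an out-of-bounds byte, yet `leak_range()` recovers the whole secret, because the only information the attacker uses is which probe line became cached. Flipping `barrier=True` is the model of an `lfence`-style fix between the check and the load; on real silicon that barrier is exactly the kind of serialization that costs the performance the comments above are arguing about.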

  165. Computer systems were once the domain of a few - like me - who learned programming in the middle of the twentieth century (!). Then as more people learned, and as computer usage spread far and wide, some bad actors got in. While it is impossible to prevent that, it is far past time that we have people devoted to trying to stay ahead of the thieves and other troublemakers. Good to see that that seems to be happening.

  166. The ruination of the nations. With Russia and Venezuela going to digital currency the fun is just starting. Bitcoin and such are NOT impregnable.

  167. Maybe it’s not the computer’s problem it’s the attackers. Where do all these bad people come from? They’re getting very tiresome.

  168. Best technical writing I have seen in a while. A great summary of the issue. Very clearly written.

  169. This is mostly an Intel and to a lesser extent ARM issue. Due to design differences the impact to AMD is minimal.

  170. I'd be willing to bet that Intel knew about this problem for much longer than they're letting on, and did nothing about it. Once this vulnerability is exploited by hackers, class-action lawsuits will follow and the discovery phase of the trial will show that folks at Intel kept this swept under the rug for years. It's gonna be a blast!

  171. can't we just use the end of net neutrality to delay the bad guys?

  172. I am grateful for the comments which add important explanations to the article.

  173. This public revelation is one of those things that should have been dealt with silently rather than made public. This may sound alarmist, but if the exploits are as pervasive as stated then it could potentially lead to apocalyptic outcomes. Since the hardwired issue is impossible to fix, it means that all computers are vulnerable; with this public knowledge, there is little to stop malicious hackers from attempting to get this ‘unholy grail’.

  174. Nice marketing ploy, microchip industry. When you can't make the next generation of chips much faster anymore, make them "more secure". Or better yet, declare the early generations "less secure" by finding some flaw in them or something. That should move new silicon much faster. Brilliant.

  175. Marketing ploy. Right. Go ahead, ignore the request to update or upgrade. No one is forcing you to do it. There is a Russian hacker out there who will love you for it.

  176. To sit atop a major business knowing that that top is indeed not the top must be very unnerving to commanders in all arena. The technauts have a tidy Jack Horner game afloat....create problems .... marketing solutions Semiconduct-addiction makes this now all an easy play

  177. This is like reading a whodunnit by first finding out whodunnit! I'd like to know what got them to even look for these flaws in the first place? Was it something stumbled upon by accident, or did they have a clue that something was wrong on the hardware layer? Full story, please.

  178. Is there a way for us to scan whether our mobile devices or computers have been affected? How can we best protect ourselves?

  179. Maybe I’m naive and uninformed (maybe?!), but wouldn’t it have been better to at least try to keep this information within the community of manufacturers who designed the faulty chips? Now, every hacker on the planet (looking at you, Russians) knows about these vulnerabilities and today are working on all kinds of fun ways to exploit them.

  180. That does it. I'm going back to my abacus, even though I'm sure that security researchers will eventually discover it has a backdoor installed by the Chinese.

  181. practice virtue... PATIENCE is a VIRTUE. Most Americans would be advised to practice several others of the Seven Deadly Virtues!:-} Temperance, Faith, Hope, Charity, Moderation (not Gluttony), Humility not Pride.. whatever.. Abstinence??? Never liked that Cloud nonsense in any case... So long as the electrical grid isn't hacked I could care less if the financial entities find their stock trades slowed down... and profits diminished a bit. Exactly what are we afraid of here? Please explain in greater depth... Back up your data is rule no.1 in case people have forgotten.

  182. Where do you get the patch?

  183. For Windows, https://support.microsoft.com/en-us/help/4056892/windows-10-update-kb405... -- or Windows Update will get it automagically.
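Added example for the Linux side of the question in comments 178 and 182, not from the article or from any commenter: the kernel that shipped the Meltdown page-table isolation patches (4.15 and later) also reports its own view of each issue under /sys/devices/system/cpu/vulnerabilities/, one file per issue (meltdown, spectre_v1, spectre_v2, with more added over time). This Python check reads that directory and flags any entry whose status is neither "Not affected" nor "Mitigation: ...". The directory is a parameter so the check can be run over a copied-out tree, and `demo_sample()` runs it over constructed statuses so it works offline; the specific status strings in the sample are illustrative, not taken from any real machine.

```python
"""Summarise the Linux kernel's own Meltdown/Spectre status reports (added example)."""
from pathlib import Path
import tempfile

SYSFS_VULNS = Path("/sys/devices/system/cpu/vulnerabilities")   # Linux >= 4.15
SAFE_PREFIXES = ("Not affected", "Mitigation:")


def read_cpu_vulns(directory=SYSFS_VULNS):
    """Return {issue_name: status_line} or None when the kernel does not report.

    None means a pre-4.15 kernel (no report at all, so assume unpatched) or a
    non-Linux host; it is deliberately not treated as "safe".
    """
    d = Path(directory)
    if not d.is_dir():
        return None
    return {p.name: p.read_text().strip() for p in sorted(d.iterdir()) if p.is_file()}


def unmitigated(statuses):
    """Issue names whose status is neither 'Not affected' nor 'Mitigation: ...'."""
    return sorted(name for name, status in statuses.items()
                  if not status.startswith(SAFE_PREFIXES))


def report(directory=SYSFS_VULNS):
    """Print every status line; return the list of unmitigated issues (None if no report)."""
    statuses = read_cpu_vulns(directory)
    if statuses is None:
        print(f"{directory}: not present; kernel too old to report, or not Linux")
        return None
    for name, status in statuses.items():
        print(f"{name:16} {status}")
    return unmitigated(statuses)


def demo_sample():
    """Run the check over constructed statuses: Meltdown patched, Spectre v2 not."""
    d = Path(tempfile.mkdtemp())
    sample = {
        "meltdown": "Mitigation: PTI",
        "spectre_v1": "Mitigation: __user pointer sanitization",
        "spectre_v2": "Vulnerable",
    }
    for name, status in sample.items():
        (d / name).write_text(status + "\n")
    return report(d)


if __name__ == "__main__":
    print("sample tree ->", demo_sample())
    print("this host   ->", report())
```

Note that the kernel is reporting what its own mitigations are doing, not whether the CPU is affected in the abstract: a status of "Vulnerable" on a machine that should have been patched usually means the microcode or kernel update has not actually taken effect, which is the case this check is for.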

  184. Oh great. Another bright day in America.

  185. On software, hackers have been developing and using their threats to their advantage for a long time. But some months ago it was revealed that lax security at the NSA allowed the theft of powerful predatory software by hackers that was planned to be used as spyware. Hackers and cybercriminals used this predatory software to release a version known as ransomware that infected as many as 200,000 Windows PCs worldwide. One particular vulnerability in Windows, leaked by a shady crew called Shadow Brokers, was used by the WannaCry hackers to give their ransomware a worm feature, allowing it to spread between vulnerable PCs silently and at speed. On hardware, now it is revealed that computer security experts have discovered two major security flaws embedded in virtually all microprocessors, including those made by Intel, inside nearly all of the world’s industrial and personal computers. In addition, it is revealed that the two problems or vulnerabilities, which have existed for more than 20 years in modern processor architectures, could allow hackers to steal the entire memory contents of computers including both industrial and personal computers. Who among the software and hardware makers can you trust ??? OMG … we are all potential victims of hackers.

  186. Might the world be better off if we and our computers (streaming films and videos excluded of course) all operated 30% slower? I'm by no means a neo-Luddite. But those of us fortunate enough to have spent our childhoods in the 1950s, and/or who have not forgotten how to stop once in a while to smell and enjoy roses, know the value of life's many slower pleasures.

  187. As a former hacker as a kid, the only way to truly secure your computer is to burn it. Just like bicycle locks on bikes, security systems only delay a talented hacker. Security is like politicians, everyone is shocked when a politician is found to be corrupt, but the real conundrum is why people aren't shocked when a politician is found to be honest. Assume all your sensitive data has been hacked and in the hands of some criminal and act accordingly is the only plan that makes sense

  188. Oh, so we *shouldn't* burn our computers?

  189. Atomic energy and internal combustion are two technologies that can kill us all. We fear the former for its destructive power. We do not fear the latter because it has valuable uses and as a species we lack the imagination to understand what a 40 centigrade wet bulb weather day will do if global warming is uncontrolled. We, collectively as a species, do not understand the implications of instantaneous connected worldwide communication, nor do we know where the technology that makes it work leads to. Perhaps we should begin to think about it like atomic power. More fear and more imagination might be helpful to avoid consequences that could kill us all.

  190. I have found a third major flaw: not one woman in your RSA conference pic.

  191. Looks like my faith in Pilot, Bic, Clairefontaine & Moleskine has been rewarded.

  192. Well, if for the most part you look at what is in memory, 99 percent will be useless to anybody.