Spectre & Meltdown highlight tech industry’s disparities
THE RECENT issue concerning Spectre and Meltdown, the two “bugs” found to be causing security problems at a hardware level in Intel microprocessors, has thrown several aspects of the computing industry into sharp contrast.
When the security implications came to light last summer after a successful exploitation of the chips’ architecture, an embargo of silence fell on the industry. Manufacturers and operating system vendors worked to create patches to mitigate the possible problems, while plans for new chips were drawn up.
The intricacies of chip design are highly complex and beyond this author, but it is to be understood that the problem arose because of an on-chip method of speeding up computation called “speculative execution”. Speculative execution was no secret to the industry which has known about the technique for over 20 years. But the effect, speeding up computing processes, was one which no-one wanted to curtail. After all, who would want to have their chip or operating system effectively hobbled because of some (as was then) nebulous security doubt?
The embargo of silence began July 17 and lasted months, and it was a surprise that it lasted as long as it did, being broken only nine days earlier than planned. The embargo was designed to allow the industry to put measures in place before word got out to the Internet’s many ne’er-do-wells.
Or at least, some of the industry.
At a recent Linux public event in Australia, it was pointed out by several speakers that it was only the larger chip purchasers – the Amazon Web Services, the Microsoft Azures of this world – who were party to all information in a timely manner.
Smaller cloud providers, such as Digital Ocean were not “in the loop” and so were therefore somewhat on the back foot when the issue came to wider attention.
Advantage was granted on the basis of chip-buying power, not chip use. The big cloud vendors were granted knowledge; the rest, not as much.
In some ways, the disparity represents a logical representation of neo-liberalism, in that the gambling high-rollers with big bucks to gamble on chips (literally) would be more party to important information than the ten-cent players.
Some attest that nothing in the industry represents the opposite of purest capitalism more than the open source and Linux communities – at least, those communities when they are at their best!
BTW, it's happening – researchers detected at least 139 malware samples, as of today, related to recently reported CPU vulnerabilities. pic.twitter.com/T5YyNM47Xd
— The Hacker News (@TheHackersNews) February 1, 2018
Without an overall controlling body, the Linux community of kernel writers, operating system & app developers was among the second rank to know of the potential for widespread security breach. The irony is that Linux runs the majority of the world’s servers & infrastructure, and therefore the cloud, and therefore, just about everything we do today.
Smaller cloud providers are now relying on the speedy work of the open source community to patch “upwards” towards the chip-based problem. The high stakes players had the resources, and were granted the time to patch “downwards”.
While the difference between those in the know and those left out in the cold can be decried, the inevitability of more hardware bugs must be accepted. And with that acceptance, what can the industry do to protect itself, and therefore the world’s data and much of its commerce?
Some have pointed to the possibilities of open source architecture for chip design, an idea probably impractical given the almost atomic level of physical chip components. Ensuring compliance with published schema would be difficult without electron microscopy facilities handy, and the temptation for chip manufacturers to speed up their product by means that pose potential security risks may be too much to bear.
— Arduino (@arduino) February 3, 2018
As any systems administrator will know, it is impossible to absolutely ensure cyber-safety without creating impractically-censorious systems on which disgruntled users do their jobs inefficiently.
In the same way, we cannot hobble future microprocessor design in the name of security concerns; at least, not completely.
But the large cloud providers need to realize that their empires are built on the sum knowledge of a community of people whose primary motivation is not money. Money figures, but it’s not a bottom-line issue, to use a business analogy.
People spend long hours writing/debugging/publishing/discussing/refining the code that runs the world and the value of that activity can’t easily be quantified monetarily. Neo-liberalism has never awarded much credibility to anything other than money, but perhaps if those who do quantify in dollar bills recognized that other significant bodies in their industry think differently, there would be (for one) fewer security issues.
- You don’t have to be a cybersecurity expert to protect your small business
- Are the latest cyber threat reports an ignorable sales pitch?
- How US$1000 (or nothing) buys malware access to your network
- Mysterious 鬼 (“devil”) malware’s motives unknown
- Bangladesh and Pakistan are the most vulnerable to cyberattacks in Asia