All the world’s computers are flawed, and companies are fumbling with fixes. It will take years until the issue is fully sorted out.
In the three weeks since researchers revealed major flaws in virtually every computer processor, issuing patches has not gone smoothly.
A bungled rollout of fixes is not surprising. The issue is so massive, and the vulnerabilities so embedded in the building blocks of computers, that experts say the difficulties will continue.
What was the problem in the first place?
Meltdown and Spectre are flaws in processors, the brains of computers and smartphones. Modern processors are designed to perform something called “speculative execution,” or predicting what tasks they will be asked to do. The data handled during that process is supposed to be protected and isolated, but researchers discovered that in some cases, the information can be exposed while the processor queues it up.
These flaws go back decades. Some companies have already issued fixes for these problems — for example, Microsoft, Apple, and Google products received updates quickly.
Microsoft reportedly faced early problems with its patches creating issues for anti-virus products, and earlier this month, the company said updates will likely slow down computers. Apple said its mitigations don’t have measurable performance impact.
In order to ensure devices are fully protected, hardware makers must put out microcode updates to tell chips to behave differently. Software companies must also update their products to protect against exploitation.
Paul Kocher is one of the researchers who discovered Spectre. He’s a veteran of chip vulnerability discoveries — in 1998, he found another hardware issue called differential analysis. He said that despite the two decades between the chip flaws, the industry still doesn’t have a solid grasp on how to fix these types of issues.
Hardware flaws don’t fit into the traditional patching model — unlike software flaws where a vendor issues an update and users can download it quickly, chip flaws require a different strategy.
“The playbook everyone’s familiar with is one that works well for software bugs, but not a lot of clear thought has gone into how to handle situations that don’t fit that mode very well,” Kocher said.
Since early January, issues have piled up.
Intel introduced a fix, then told companies earlier this week to hold off on implementing patches because it was addressing a reboot issue caused by the updates. VMWare also said this week it is delaying new updates, while Lenovo, Dell, and HP pulled some fixes following Intel’s advice.
Patches caused machines to reboot or slow down and, in some cases, caused full system crashes referred to as the “blue screen of death.”
On Wednesday, the House Energy and Commerce Committee sent letters to the CEOs of Intel, AMD, ARM, Apple, Microsoft, Amazon, and Google, all of which were informed of the vulnerabilities before they became public, asking why these firms kept the flaws under a strict embargo.
If you just use a laptop for checking emails and watching Netflix, you likely won’t notice a difference in your computer’s function after it receives updates. Where chip flaws are causing issues is within businesses.
According to data from Spiceworks, a professional network for people in the IT industry, 70% of businesses have begun patching against the flaws, and of those, 38% have experienced problems with the fixes, including performance degradation and computers crashing.
The study also found that of the 29% of large companies who expect to spend more than 80 hours addressing the issues, 18% expect to spend more than $50,000 to fix them.
What is the tech industry doing now?
Companies are continuing to test and release patches to mitigate the problems caused by buggy updates as well as fix the vulnerabilities. The Meltdown flaw can be fixed through updates to the operating system, but fixing Spectre requires updates to a variety of components, including microcode, Kocher explained.
“If you look at how long it’s going to take for all of the relevant software on your PC, including the drivers and such are updated, you’re probably looking at many years before that process is done,” Kocher said.
On Intel’s fourth quarter earnings call on Thursday, Intel CEO Brian Krzanich said Intel has been working to incorporate silicon changes into products to directly address the Spectre and Meltdown flaws. That means new chips won’t have these problems. They will start appearing later this year.
Kocher said that although fixes are rolling out, it’s likely researchers will see variations of attacks taking advantage of the chip flaws popping up for a long time.
According to Enveil’s Williams, who spent over a decade as a researcher at the NSA, Spectre and Meltdown have exposed a vulnerable point of entry for sophisticated attackers that companies — and many hackers — likely didn’t think about before these flaws were made public.
“Coming from a nation-state perspective, the memory attack surface was normal and pedestrian,” Williams said. “The awareness wasn’t in the commercial space. The only difference between now and three weeks ago is now it’s exposed.”
Experts say the attention now paid to the recent flaws will likely lead to more revelations about the insecurity of computers’ building blocks.
New chips will eventually mitigate the problems, and in the meantime, hardware and software makers are rushing to fix the vulnerabilities. For now, it’s unclear how this massive security issue will change the fundamental strategies currently used to make processors.
Kocher has a potential solution, but he admits he’s in the minority for considering it. Companies should produce different chip designs depending on whether security or performance is more important, he said.
“I don’t see any way you can optimize simultaneously for the best possible security as well as playing video games with the best graphics possible,” he said. “I think you need different hardware and software to do those kinds of tasks.”
Mediabites Editorial – Shoaib Naqvi (CNN Money)