Now that the patches across various platforms for the recently discovered Spectre and Meltdown vulnerabilities have largely been deployed, Google has detailed how it managed to address these threats on its cloud services such as Gmail and Search before the public even knew about them. Hint: It wasn’t easy.
In a lengthy blog post Thursday, Google’s VP of 24/7 operations Ben Treynor Sloss explains how tough these security holes were to patch, and how long it took Google to fully fix all of them, even though it was Google’s own Project Zero team that had discovered them.
According to Sloss, Spectre and Meltdown are actually three different vulnerabilities, one of which — a variant of Spectre — was particularly hard to protect from. One solution involved disabling some CPU features, which would inevitably lead to slower performance.
“For months, hundreds of engineers across Google and other companies worked continuously to understand these new vulnerabilities and find mitigations for them,” he wrote.
Finally, software engineer Paul Turner created Retpoline, a software that does the job without slowing down the machines it’s applied to.
Sloss said that by December, all Google Cloud Platform services were protected from all variants of these vulnerabilities. The company deployed this solution across its infrastructure and open-sourced it so that others can benefit from it as well.
“This set of vulnerabilities was perhaps the most challenging and hardest to fix in a decade, requiring changes to many layers of the software stack. It also required broad industry collaboration since the scope of the vulnerabilities was so widespread,” wrote Sloss.
It was supposed to be about the future, but things haven’t exactly been going as planned for chip manufacturer Intel.
On Monday evening, CEO Brian Krzanich took the stage at CES in Las Vegas to deliver a keynote speech billed as a look toward how data will transform our lives. Unfortunately for the executive, Intel is still having trouble escaping its past. That was made perfectly clear the moment he turned his remarks to the two elephant-sized vulnerabilities in the room: Spectre and Meltdown.
The bugs, first publicly disclosed last week, affect almost all modern computer processors to some extent, including Intel chips. Between the two of them, there’s a good chance your laptop, desktop, cloud computer, or smartphone are susceptible to hackers looking to steal your data.
Krzanich’s answer to consumers seeking direction on what to do? He urged we take the same precautionary measures insisted by practically every other tech company: patch, patch, patch.
And just when will those updates become available for Intel products? For those introduced in the past five years, Krzanich said over 90 percent of them should get an update within a week. He cautioned, however, that some systems might slow down as a result (“workload dependent”), but that Intel would continue working with the industry to minimize those effects.
“The best thing you can do to make sure your data remains safe is to apply any updates […] as soon as they become available,” he noted.
Krzanich, however, had a bit of a different take: “The collaboration across the industry […] has been truly remarkable,” he told those gathered. “As of now we have not received any information that these exploits have been used to access customer data.”
Notably, this is not the only controversy looming large over Krzanich — there’s another one that happens to be of his own making. You see, the CEO sold off $39 million worth of stock after the company was notified of the vulnerabilities present in Intel chips. Crucially, the sale took place in November — well before Spectre and Meltdown were publicly disclosed.
See the potential problem? Yeah, so do we. Intel, for its part, has claimed via a spokesperson that the sale was just a regular part of Krzanich’s stock plan.
The truth of that statement, much like Intel’s response to the bugs, will likely take some time to flesh out. At least Krzanich was willing to address one of them at this year’s CES.
Meltdown and Spectre. Spectre, and Meltdown. The two vulnerabilities, both affecting computer processors across the globe, were disclosed on Jan. 3 and in the process sent manufactures scrambling to answer whether or not their operating systems, laptops, cloud computers, and smartphones are safe from hackers.
But another, less technical, question presents itself: just how did the bugs get those cool names?
It turns out we have the security researchers who first discovered Meltdown and Spectre to thank for the terror-evoking nomenclature that may haunt us for years to come. And, importantly, that was kind of the point.
Meltdown has layers
According to Michael Schwarz, who was on one of the teams that first discovered and reported Meltdown, the name was coined by his colleague Daniel Gruss.
“One morning, he came into the office and suggested to [Moritz Lipp] and me that we should call it Meltdown,” Schwarz told Mashable over email. “We really liked the name for multiple reasons.”
And those reasons? Well, the name drove home the destructive nature of the vulnerability.
“The bug basically ‘melts’ the border between programs and the operating system,” Schwarz explained. “A (nuclear) meltdown usually comes with some form of leakage. It sounds really devastating, with a huge impact, like an actual meltdown in a nuclear reactor.”
Realizing that the “disclosure [would] lead to a collective meltdown,” the name seemed even more perfect. Plus, Schwarz hipped us to the fact that Meltdown evokes a German-language pun.
“In German, meltdown is ‘Kernschmelze,’ which is ‘melting of the core,'” he noted. “We also call the CPU core ‘CPU Kern,’ so it is also a wordplay, implying that the CPU is not in a good condition.”
Which, yeah, that’s pretty neat.
So does Spectre
The thinking behind the name Spectre was also multilayered. According to Paul Kocher, who worked with five other researchers to discover the bug, the idea of a ghost was very much on his mind.
“I picked the name Spectre for two reasons — the word’s similarity with ‘speculative’ (since the vulnerability results from speculative execution) and its literal definition as a ghost,” he explained over email. “Speculative execution is largely invisible from ordinary program execution.”
What about the logos?
And the logos? Those were designed by Natascha Eibl. We reached out to her for comment, but haven’t heard back as of press time. Thankfully, however, Schwarz was able to fill us in on some of the details.
“Our ideas for Meltdown were something that melts, e.g. a wall, a barrier, a no entrance sign, or a safe,” he noted of the logo design process. “For Spectre we agreed that it has to be something with a ghost. I don’t know who came up with the idea that the ghost holds a branch, I think it was Moritz. We had 3 or 4 iterations for the logos until we ended up with the final logos, which we really like.”
But things almost took a different turn. Werner Haas, who worked with Thomas Prescher to independently discover Meltdown before teaming up with other researchers also working on the bug, told Mashable that had the two been left to their own devices both the name and the artwork would have likely been something else entirely.
“[We] had a different code name internally and as Thomas and I are rather clumsy with respect to artwork and astronomy aficionados we would have picked a picture from the public domain.”
But that doesn’t mean he’s not a fan. Upon seeing the logo drafts, Haas noted that “they seemed good enough to everybody (and I actually like them) so we quickly decided not to waste any more energy on this topic.”
And so that’s how we ended up with Meltdown and Spectre being the names that chip manufacturers will cry out at night, in anger and despair, for the foreseeable future. But hey, at least they’re catchy. It’s almost enough — almost — to make us forget (even if only for a second) that we’ll be dealing with the ramifications of these vulnerabilities for years.
In late 2017, Brian Krzanich, who has been chief executive of Intel since May 2013, sold as much stock as he was contractually allowed. Executives routinely sell stock, but this move caused some suspicion at the time for just how much stock Krzanich sold.
Months later, news broke that two massive security flaws had been found in variety of computer chips — with Intel’s hardware being under particular scrutiny.
The timing here is crucial. The security flaw was first discovered by Google researchers, who told Intel about the problem in June, according to a statement Intel gave to Business Insider.
Then, in November, Krzanich sold off $39 million of stock for a tidy profit of $25 million, according to CNBC.
Intel representatives have claimed the sale was part of the CEO’s stock plan. Business Insider adeptly pointed out that this plan was put in place at the end of October — well after the company had been informed of the security issues.
To say that this looks bad would be to put it as mildly as possible.
Executive stock sales are closely watched to make sure they’re not doing… almost exactly what Krzanich just did. At the very least, he’ll be expected to offer some justification for his stock sale. At worst, he could face an investigation from the U.S. Securities Exchange Commission.
Intel shares fell sharply after news of the security issues went public. Its stock is down about 3 percent in the past five days.
Krzanich isn’t the only tech exec who has recently come under fire to suspicious stock sales ahead of security issues. Equifax execs sold almost $2 million worth of stock in the days after learning about its company’s massive security breach.
Kraznich is a big deal in the business world. In December, Forbes Intel as the top “corporate citizen” for its positive impact and treatment of employees.