Comment Of The Day: “Wait, WHAT? NOW They Tell There Are “Two Big Flaws” in Every Computer?”

The comments on this post about the sudden discovery that every computer extant was vulnerable to hacking thanks to two 20-year-old “flaws” were so detailed, informative and excellent that I had the unenviable choice of posting one representative Comment of the Day, or eight. Having just posted eight COTDs on another post last weekend, I opted for one, but anyone interested in the topic—or in need of education about the issues involved— should go to the original post and read all the comments. Forget the post itself—the comments are better.

Here is Extradimensional Cephalopod‘s Comment of the Day on the post, Wait, WHAT? NOW They Tell There Are “Two Big Flaws” in Every Computer?

This is not likely to be a popular opinion among professional programmers, but I feel it needs to be said.

The excuse that computers are complex and that testing to remove all of these flaws would take a prohibitive amount of time just doesn’t hold water. I understand that security vulnerabilities are different from outright bugs: security vulnerabilities are only problems because people deliberately manipulate the system in unanticipated ways. Bugs happen when people inadvertently manipulate the system in unanticipated ways. Some of these ways are incredibly sophisticated and may be infeasible to anticipate. However, having supported computers for the past few years, I’ve seen bugs that should have been anticipated, and zero testing would be required in order to do so.

The problem with testing is that the people testing usually understand the software well enough to know how it is supposed to work, or they are given a few basic things to try, but they don’t have time to test a program with heavy use. Luckily, testing is not the problem.

The problem is that in many cases I’ve seen (and I’ve come to suspect most cases across the software industry) the input and output footprints of code modules are not documented (and if your code contains comments laying out the pseudocode structure, I consider you very lucky). From an engineering standpoint, the input footprint of a system or subsystem describes the conditions the system assumes to be true in order to work effectively. The output footprint describes what effects (including side-effects) the system has or could have on its environment, including if the input footprint is not fulfilled. Those aren’t the official names; I’ve just been calling them that. Continue reading

Wait, WHAT? NOW They Tell There Are “Two Big Flaws” in Every Computer?

(That’s Meltdown on the left, Spectre on the right.)

From the New York Times:

Computer security experts have discovered two major security flaws in the microprocessors inside nearly all of the world’s computers. The two problems, called Meltdown and Spectre, could allow hackers to steal the entire memory contents of computers, including mobile devices, personal computers and servers running in so-called cloud computer networks.

There is no easy fix for Spectre, which could require redesigning the processors, according to researchers. As for Meltdown, the software patch needed to fix the issue could slow down computers by as much as 30 percent — an ugly situation for people used to fast downloads from their favorite online services. “What actually happens with these flaws is different and what you do about them is different,” said Paul Kocher, a researcher who was an integral member of a team of researchers at big tech companies like Google and Rambus and in academia that discovered the flaws.

Meltdown is a particular problem for the cloud computing services run by the likes of Amazon, Google and Microsoft. By Wednesday evening, Google and Microsoft said they had updated their systems to deal with the flaw.

Here’s the best part:

“Amazon told customers of its Amazon Web Services cloud service that the vulnerability “has existed for more than 20 years in modern processor architectures.”

We trust the tech giants and computer manufacturers to give us secure devices. We then entrust our businesses and lives to these devices.

That there were such massive “flaws” in every computer, and that it took 20 years for those whom we trusted to discover them, is an unprecedented breach of competence, trust and and responsibility. Imagine auto manufacturers announcing that every car in the world had a “flaw” that might cause a fatal crash. I see no difference ethically.

And why is this story buried in the Times’ Business Section, and not on the front page, not just of the Times, but of every newspaper?