The new year rang in with fright last week as headlines across the world breathlessly proclaimed that every computer built in the last 20 years was suddenly vulnerable to any random webpage downloading every secret from your PC. The truth was a bit more technical, but little less alarming: in our ultimate race for endlessly increasing computing speed, we failed to recognize the security implications of key processor design choices in the hands of creative people. What lessons are there here to be learned about the state of security and privacy in today’s digital world?
Despite some of the conspiracy theories floating about, Meltdown and Spectre were far from nefarious NSA plots to let them hack computers around the world. In contrast, they stem from timing artifacts in the memory hierarchy of modern computing systems and design decisions that relentlessly prioritized speed over an absolute focus on security.
They also demonstrated how such vulnerabilities can slip through even with the collective eyes of the world’s cybersecurity experts poring over them across two decades, and that all it took was a few creative people thinking in a different way to realize that some of those design decisions had undermined memory protections in such a way as to render even the inviolate virtual machine barrier vulnerable. As the cybersecurity mantra goes, you can spend an infinite amount of money on defense, but it just takes one creative offensive attack to render all those fortifications moot.
How many similar vulnerabilities remain lurking just below the surface? How many new creative ways are there to exploit the design of the hardware and software systems that power our modern world? If the ever-accelerating deluge of breaches and vulnerabilities pouring forth each day is any indication, the answer is “lots” - with new ones being added each day as the world’s hardware and software developers make the myriad architectural decisions that govern how the digital world functions. Isolated decisions made by different developers at different companies over many years can ultimately collide together to produce unintended vulnerabilities, or previously secure designs can be rendered vulnerable by advancing hardware or algorithmic understanding.
As hardware vulnerabilities, rather than the far more common software vulnerabilities, Meltdown and Spectre are stark reminders of the immense physical complexity behind our modern digital world. From the lowliest smart toaster to billion-dollar military hardware, our digital devices are massive piles of an incredible diversity of individual parts from a huge global network of manufacturers and factories.
While the latest vulnerabilities were inadvertent side effects of the race for speed, there is also the worrying prospect of purposeful vulnerabilities. The defense community has long wrestled with how to manage the security implications of building the nation’s increasingly computerized weapons using hardware that is increasingly manufactured by our rivals. As a senior DOD official put it, “The defense community is critically reliant on a technology that obsoletes itself every 18 months, is made in unsecure locations and over which we have absolutely no market share influence.” The nightmarish vision of American smart weapons suddenly being remotely controlled to shut down during a war or, worse, turn on their users to attack American forces instead, is top of the list of concerns of the defense supply chain.
Even the major cloud vendors, wary of rogue backdoors sneaking into their data centers, enforce strict controls and monitoring over their supply chains, intensely cognizant of the desire of foreign nation states to penetrate their servers.
Yet, even when hardware functions as expected, the software that runs on top of it can render all its myriad protections useless. Nation states are stockpiling and building backdoors into the core infrastructure products that are the lifeblood of our digital world. When discovered by criminal actors or other nation states, these surveillance tools can be repurposed to great harm.
In a previous era, it was the employee with the easy-to-guess password that was the bane of security professionals. Today the most sophisticated and advanced security infrastructure is for naught when an employee misunderstands access permissions and sets a cloud storage bucket to world-readable. From the world’s biggest companies to the intelligence agencies responsible for protecting the nation’s secrets, more and more sensitive data is being exposed not because of a failure of security systems, but rather because the way in which we access data is advancing so fast that employees don’t fully understand the implications of the decisions they make. In the web server era, posting a sensitive file at a secret world-readable URL was commonplace, even if such security through obscurity wasn’t really security at all. In the cloud era, world-readable directory listings might be enabled on that directory, meaning that with the wrong settings anyone can see the complete list of world-readable files and download them all. Security through obscurity and secret URLs are fast coming to an end, yet few employees fully appreciate these changes.
The once-frontpage news of a data breach has now become so commonplace that it rarely receives even a casual mention beyond the technical press. Yet, lest you think data breaches are decreasing in scope, just take a look at this powerful visualization of major breaches by year over the past decade. Or, for a truly frightening look at the state of online privacy and security, skim the daily cyber headline roundups from sites like CyberWire to see just how bad things have gotten with our personal data and the infrastructure that protects it.
Of course all of this doesn’t even take into account the myriad websites that record everything we do in cyberspace, generating countless data archives on our most sensitive behavior that are bought, sold and breached every day.
Putting this all together - hardware vulnerabilities lurking in plain sight for 20 years, military chip compromises, software backdoors, misconfigured cloud storage, breaches galore and myriad sites where our most sensitive behavior is bought, sold and breached every day - is there any hope left for digital privacy?