The Story Behind the Meltdown and Spectre Threats
By Stephen Bryen and Rachel Ehrenfeld
Friday, January 5th, 2018 @ 6:17PM
Left: First IBM PC, 1981 – (IBM Model 5150).
The latest revelations that Intel, AMD and ARM microprocessors have major security vulnerabilities should have surprised no one. In 2004 IBM sold its PC group to the Chinese Lenovo, and Intel opened its first chip manufacturing plant in China in 2007, and other US-based companies, have been outsourcing the development and production of their technologies to foreign companies. So, while we shouldn’t be surprised, we should demand to know why it took so long for those companies to admit that all the computers and other electronic devices we use are vulnerable and pose a direct threat to our national security.
The vulnerability of commercial computers and electronics is not new. The latest revelations about Intel microprocessors now expanded to include microprocessors made by AMD and ARM cover just about every device on the market that uses a microprocessor, including all PCs, all smartphones, and countless devices that fall into the category of the Internet of Things (IoT).
Two vulnerabilities are known as Meltdown and Spectre.
Government spy agencies –here and abroad– have known about these vulnerabilities for some time. Intel, which has known about it at least since June 2016, certainly did not act to try and fix the problem even though its CEO unloaded $24 million in Intel stock before the chip vulnerability was made public. The Spectre vulnerability was first reported in a technical paper Spectre Attacks: Exploiting Speculative Execution, and another paper titled Meltdown discussed the Meltdown vulnerability. Google Project Zero carried out its own separate research that partly “overlapped” with the two papers cited here. The reports concluded that top computer operating systems, Windows, Mac and Linu
Different “fixes” have been proposed. But no one knows if any of the proposed “fixes” actually work (one consequence of a partial fix is that computers will be slowed down by 30%), and in any case, Intel-powered devices are so pervasive and so thoroughly embedded in government and military systems including nuclear submarines, that trying to fix them could take years if ever carried out. Meanwhile, the government, the military and billions of computers and devices are left vulnerable to attacks. The billions spent on so-called “security” have been a complete waste, even in instances where the Russian Kaspersky Lab’s anti-virus software was not trusted with cybersecurity.
The government has got itself in the position it is in through what seems like willful blindness, allegedly to save money, though some describe this as an abject stupidity and cupidity. In a dictatorship, those responsible would be put against a wall and shot.
In the mid-1980s, the government decided on an “economy measure” to replace secure government sponsored and manufactured equipment with commercial off the shelf systems –known in the trade as COTS. COTS was cheap and plentiful, and the USA was in the midst of the PC revolution where IBM had quickly captured 25% of the emerging market with its Intel-8086-powered PCs. These were assembled in Boca Raton, Florida, but most parts came from Asia. In a short time, foreign-made computers, especially laptops, started to dominate the US-government purchases; one of the big suppliers was Toshiba. While Toshiba was duping America by selling advanced machine tools to the Soviet Leningrad shipyards to make silent propellers for Soviet attack submarines, it was selling billions in laptops to the Pentagon.
But that was only the beginning. Today, most of the electronics the Pentagon buys comes from China, either directly or when you look inside the box that may have an American label. Instead of Intel inside, Intel (or AMD or ARM) are joined by a chorus of Chinese, Korean, Japanese and Taiwanese companies, with China dominating (probably accounting for 80% of all COTS electronics). Countless vulnerabilities have been uncovered in PCs, routers, memory chips, graphics processor, flash memories, infected smartphones, phony battery chargers, Webcams and other equipment dumped onto the U.S. market.
Today’s COTS equipment is not engineered for security. At best, it is engineered for entertainment and to keep the masses happy and willing to shell out lots of dollars for equipment they barely understand and are mostly incapable of using. It is not surprising that Apple calls its salespersons “Evangelists” because they are selling the Electron Religion to millennials and millennial wannabes.
Typically, one would say, caveat emptor –buyer beware. Or you get what you pay for.
But now the Intel vulnerability raises an even uglier “Spectre.” That’s because Intel is an American company from good old’ Silicon Valley –the same guys, real globalists, have been outsourcing American jobs for the past 40 years, and getting richer and richer doing so. These are the modern version of late-19th-century Robber Barons, and the darlings of Wall Street who have built strong relationships with the Democratic Party that is purportedly pro-Labor. Successive U.S. governments never interfered and apparently did not question their modus operandi, even as countless jobs went abroad. (And to add insult to injury, American jobs were in-sourced to foreigners imported under liberal visa programs, as if there were no Americans to fill them.)
We are facing a huge mess. Security has not only taken a back seat to selling gadgets, but it has also put our security and survival at risk.
Stephen Bryen (one of the authors) proposes to replace all COTS systems with government-approved and security screened hardware and fully vetted software made in the U.S., and completely capable of being fixed if something amiss is found, even after a real security layer is put in place.
“The only real way to solve the problem,” he wrote in US News and World Report on 21 June 2016, “is to throw out existing systems and start over. The United States needs a technological ‘Manhattan Project,’* staffed with the best and brightest Americans with security clearances and charged with implementing a new security paradigm for government and nongovernment critical infrastructure systems that are essential to the functioning of the nation if it is attacked. Such a plan should place the highest priority on replacing COTS operating systems, communications and internet communications with a proprietary solution developed by vetted American citizens and made available for critical infrastructure users, government agencies and the military. It would prioritize compartmentalization and “need to know,” keeping core functions isolated and hidden to thwart espionage, either from corporate entities or foreign powers.”
A Cyber Manhattan Project would cost $2 to $4 billion for R&D and would require replacing all equipment in critical installations, and isolate that equipment from any COTS channels. That sounds like a lot of money, but the U.S. government is spending a lot more on fake security right now and getting nowhere. If we don’t get rid of COTS we will pay an inestimable price, and the day will come when our missiles won’t launch, our communications won’t work and out government will collapse.
*The Manhattan Project is short for the cover name of America’s atomic bomb program during World War II (1942-1945), which was named the Manhattan Engineering District Project of the US Army Corps of Engineers. The British equivalent secret atomic bomb project was code-named, Tube Alloys.
Stephen Bryen and Rachel Ehrenfeld
Categories: Latest News
Tags: ARM, China, COTS, Cybersecurity, GOOGLE, IBM, Intel, IoT, Japan, Korea, Meltdown, PC AMD, Russia, Sovirt, Spectre, Taiwan, US Government, US Military