To the list of things we once thought brilliant and entirely safe, like smoking and asbestos, we must now add microprocessors.
For the last decade or more, nearly every CPU built into phones, laptops and servers have carried two extremely serious flaws.
The scale is unprecedented – it is Chipocalypse Now.
The elaborate temples of security that hardware manufacturers and software designers have built on top come tumbling down with a simple kick at the foundation stone.
Well, not that simple. To take advantage of the Meltdown and Spectre vulnerabilities requires a lot of skill, especially for the latter.
And although chip-maker Intel has acknowledged “several” ways that hackers could exploit the flaws to access data stored on chips, no one has seen hackers do this in the real world. So far.
The main effect is to flip our conventional understanding on its head.
Apple has said its devices – computers, phones and iPads – are also affected. Apple has a hard-earned reputation for being more secure, less hackable, than its competitors.
That counts for little when the fundamental building blocks of modern computing are deeply flawed. Meltdown and Spectre probably do not pose much of a risk for consumers, unless a nation state is keen to hack you, in which case, Godspeed.
Cloud computing is more of a risk. Microsoft, Amazon and Google have all rushed to mass-patch their estates – if you have a program running in the cloud, it shares physical space with other programmes. Sharing that hardware makes them all vulnerable.
Who’s to blame? Gordon Moore. Moore was a co-founder of Intel. Since the 1970s, his company has made chips that packed in twice as many transistors into the same space every two years, leading to an exponential explosion in computing power.
Moore noticed the pattern and now we call that phenomenon Moore’s Law. It became a vaunting emblem of Silicon Valley’s awesome power and progress.
For a while this was a fairly straightforward phenomenon. But in recent years chipmakers, rubbing up against physical limits, have looked for clever ways to nevertheless increase processor speed.
That’s what happened here. One security researcher told me the problem came to exist because manufacturers “tried to make their chipsets run faster than they should”, using a technique called speculative execution, where a processor starts working on instructions before it definitely needs to.
The idea is to get ahead with some of the work that might be coming the CPU’s way.
So perhaps it is our fault for wanting new, fast, shiny devices? Most of us don’t, though. We want computers that work and that are secure.
And we also want batteries that last longer, something faster processor power actually hampers.
Instead an industry that has been so obsessed with Moore’s Law as the benchmark of progress – of progress for progress’s sake – neglected the fundamentals of security.