New devastating Intel CPU flaw discovered


It feels like yesterday that Meltdown and Spectre emerged and changed computers forever, but it was actually January 2018—these are not James Bond movie titles, but major security problems that were uncovered in the way Intel builds CPU hardware and software. 

Now, there's four new attacks on processors that use similar tactics to gain access to in-flight data, called ZombieLoad, Fallout, Store-to-Leak and RIDL (Rogue In-Flight Data Load). And, the really bad news: it affects every Intel CPU since 2011.

These new security flaws work both against normal PCs and cloud environments, like those run by Amazon, Google and Microsoft, where a successful attack could spill adjacent data from someone else's running workloads. A video demonstrating ZombieLoad in action shows a computer infected with a specially-crafted piece of malware being able to track what URLs the user visits—despite being connected to a VPN using Tor inside a virtual machine. 

These attacks exploit a method Intel employs to make processors seem faster—called 'speculative execution'—to trick them into exposing data that's running either in memory, or on CPU. The attacks are bad, particularly for shared environments, but don't allow targeted data collection if they're successful: just whatever is running at that particular moment.

ZombieLoad is a little more worrying because it can be executed in a surprisingly trivial way: via targeted browser attacks on malicious websites, if not protected against it, to steal in-memory secrets, like the password you're typing in another tab.

Cloud platforms are scrambling to patch their fleets, though Amazon says it's already on top of it and smaller providers like DigitalOcean received heads-up notice from Intel.

And Intel? They downplay the vulnerabilities almost entirely—which was the script last time around too—saying that "MDS vulnerabilities have been classified as low to medium severity per the industry standard CVSS, and it’s important to note that there are no reports of any real world exploits of these vulnerabilities."

What does this mean for you? Microsoft, Google, Apple, HP and many Linux distributions have already published patches to help protect users against these flaws—so it's worth checking if your machine is already up to date. 

If not, install the patches as soon as you can. Yay, rebooting computers endlessly is fun!

Will these patches slow down your computer? Unfortunately, the answer is... probably. 

Apple's advisory says that it's built in mitigations against the attacks, but to be fully protected you need to disable Hyperthreading—which I would absolutely not do—and that might come with a CPU hit of up to 40%. Intel advises strongly against doing this, and claims that it isn't a real way to mitigate the threats.

As in the past, future patches actually decreased the impact of performance constraints from these mitigations, so I'd advise not avoiding them.

Will this keep happening? Researchers indicated after Spectre/Meltdown last year that those attacks were the tip of a side-channel exploit iceberg, and many more would arrive. Indeed, before these four, a number of other attacks were unveiled, albeit more quietly.

Is Intel being punished? Not really. It proactively responds to these attacks and is pretty good at engaging with the industry—but people's processors are being slowed down. A number of class action lawsuits were kicking around in 2018, but they seem to have gone nowhere.

Google brings ads to its landing page


In the two decades that Google has been the metaphorical homepage for the web, it's avoided placing advertising on its homepage for the most part—it has remained a sacred, ad-free spot, with the rare exceptions of Google running one-liner ads for its own products.

After a earnings miss last quarter, that's over, and the company is making changes to some of its sacred, ad-free spots—on mobile. While some headlines are claiming that Google will change the homepage on the web, that's not quite true: the new ads will show in places the 'Discover' feed might appear.

The Discover feed is a relatively old invention, and lives to the left of the home screen on Android (and can be disabled), the new tab page in Chrome on some platforms, as well as in the Google app. 

Not only does this feature drive a surprising amount of publisher traffic—it's a surprise it wasn't already monetized.

Essentially, these ads will show up as sponsored slots in that feed. With more than 800 million people "using" Discover, that's a new cash cow waiting to be exploited and likely to be a potent return to growth for the company, given it's really difficult to block such ads.

Describing the changes, the company put forward one hell of a compelling spin that it'll help people shop "in spurts while watching TV or sitting in the bathroom." Instagram's for when you want to buy a nice sweater, and Google is for...buying stuff from the toilet? OK, then.

Poor metaphors aside, Discover has proven to be a good way to surface content in lieu of owning a giant social network, which has been slowly coming to many Google products on mobile with little notice. The revenue pop from this is almost certainly going to show up in next quarter's earnings—it's too good for most advertisers to turn down.

Tab Dump

Sonos finally launches Google Assistant integration [Sonos Blog]
I'm genuinely surprised this is actually shipping, but relieved! I've finally turned it on today, and it works as advertised. Sonos has a compelling story here now, with the only speakers that can run either Alexa or Assistant. It's US only for now—but will roll out to other countries soon.

US labor relations board rules that Uber drivers are contractors, not employees [The Verge]
A huge win for Uber, which would have struggled to justify its business model in any other way.

San Francisco bans facial recognition technology use by city agencies [The New York Times]
It's the first US city to ban facial recognition technology, which many police forces are quietly using, despite issues with its accuracy remaining pervasive. This is a big, surprising win for privacy advocates, but limited in its scope, however there's hope that other cities will be inspired to enact similar laws.

Amazon broke ground on a $1.5B "Prime Air" hub in Cincinnati, with room for 100 planes [GeekWire]
Click through for video of Jeff Bezos driving a front loader, if nothing else.

Facebook will ban users for set periods of time from Live if they violate its policies [CNN]

Twitter has new APIs and sends a message: it wants developers back...again [Techcrunch]