On this episode of Too Embarrassed to Ask, co-hosts Kara Swisher and Lauren Goode welcome Axios Chief Technology Correspondent (and former Recoder) Ina Fried to the studio to talk about the Spectre and Meltdown chip flaws.
You can read some of the highlights from the discussion here or listen to it in the audio player above. Below, we’ve posted a lightly edited complete transcript of their conversation.
Kara Swisher: Hi, I’m Kara Swisher, executive editor of Recode.
Lauren Goode: I’m Lauren Goode, senior technology editor at The Verge.
KS: You’re listening to Too Embarrassed To Ask, coming to you from the Vox Media podcast network. This is a show where we answer all of your embarrassing questions about consumer tech.
LG: It could be anything at all, like whether or not Spectre and Meltdown are going to melt down Kara Swisher’s devices so she can no longer text people at one o’clock in the morning and be a sparkly vampire and not ...
KS: Did you know I was up at four a.m. today? I was doing that today, everyone was sort of perplexed.
LG: Who were you messaging?
KS: Everybody about this NBC show I have. I was just up and talking to people.
LG: Oh man, really?
LG: Who were you messaging?
KS: Our special audience members and stuff like that.
LG: Are they famous people?
KS: Somewhat. Yes, they’re great. They’re the qualified people to talk about the issues we’re discussing, Sundar Pichai and Susan Wojcicki of Google and YouTube.
LG: I was waiting for you to drop names so I could offer to help with the hot Frito.
KS: That’s who’s on the show.
LG: All right.
KS: Yeah, but the others are great, they’re not all locked in yet, but they’re all great and they’re all going to talk all kinds of ... We’re going to talk all kinds of stuff about Silicon Valley responsibility, work, future, blah, blah, blah, blah.
LG: Blah, blah, blah. I’m looking forward to your blah, blah, blah, blah, blah show.
KS: Are you coming?
LG: I will be there.
KS: Do not rush the stage. Don’t Kanye ...
LG: I was hoping that you’d pick me to ask a question.
KS: No, I will not, but don’t Kanye me. Do you understand?
LG: Can we get a selfie backstage afterwards?
KS: No. Not at all. I’m moving ahead now.
KS: I’ll have security.
LG: Will you still do the show with me?
KS: Yes, I will, but security will be involved.
LG: Oh okay.
KS: If I need it. Anyway, so send us your questions, find us on Twitter, or tweet them to @recode or to myself or to Lauren with a hashtag #TooEmbarrassed.
LG: I was going to say, you’re like the executives I see at the grocery store down in Silicon Valley who have security guards hiding in aisle seven by the pasta.
KS: Yes, yes. For years, I’ve wanted to have a security guard and her name is Dusty, and she’s a giant lesbian, and she’s going to go to people, “Please don’t get near Miss Swisher, she doesn’t like to be touched.” Anyway ...
LG: I can’t wait for that.
KS: I think it’s time to bring in, in a minute, Ina Fried, but go ahead, we have an email address.
LG: Yes. If you’d like to tweet your questions to us, tweet them anytime with the hashtag #TooEmbarrassed. We also have an email address, it’s TooEmbarrassed@Recode.net. A friendly reminder, there are two Rs and two Ss in embarrassed. If you don’t use two Rs and two Ss, we’re not going to get them, and also, I’m going to edit you. Kara, is your PC running fast these days?
LG: Because, if not, you better go catch it.
KS: Oh my God.
LG: No, wait, I messed up the joke.
KS: Forget it, you’re fired.
LG: I messed up the joke.
KS: You’re fired.
KS: That’s not even a dad joke, that’s a dad joke from 1962.
LG: I know.
LG: No, it’s like from 1990-something.
KS: Why did you make such a bad joke about your PC?
LG: Because we’re going to be talking all about PCs today.
KS: I don’t have a PC. All right fine, okay.
LG: ... and other devices.
LG: Really anything with a CPU in it.
KS: How are we going to do this?
LG: We’re talking about Spectre and Meltdown, and we are excited to have our good friend, Ina Fried, from Axios here in studio.
KS: Ina Fried. Yes. Comma, formerly of Recode, formerly of All Things D.
LG: That’s right.
KS: How are you doing over there at Axios?
Ina Fried: I’m doing good, it’s fun.
KS: Have you figured out what it means yet, Axios?
Yes, it means “worthy” in Greek, or so we’re told. We have a huge Greek audience that is wondering why they’re not finding out the latest in worthy recipes.
KS: All Things Digital means all things digital in English, Recode means recode in English.
Those with clever names cast the first stone there, Kara.
LG: Remember when we had that slash?
KS: Oh my God.
LG: Remember? Then we were Recode ... We are Recode dot net.
LG: So, that’s ...
KS: That’s because I couldn’t buy recode.com.
There were some great stories that I’m not allowed to tell because ...
KS: Ina was there. Yeah, but we couldn’t buy it, the guy who owns it wouldn’t sell it to us in Germany.
LG: Yeah, he was running Nero, the storage system, right?
KS: I don’t know.
LG: Or something like that.
Any name becomes good when you have people like Kara and Walt, but it was frankly not a good name.
KS: I found the old deck ...
It was only a good name when comparing to these others. They hired a naming consultant, these names ... One of them sounded like a gay bar.
KS: For us? No, they were all ...
LG: Yeah, what were they?
KS: I’ve got them. You keep talking.
One was like The Man Pleaser. I was like, I don’t think that’s really what you want to call it. Yes, it’s a site that has a mostly male audience, but I think you’ll set expectations.
KS: Now, you’re going to have to ...
LG: Are you going to find these?
KS: I’m going to find it.
LG: I have great memories of us all being holed up in a hotel room on ... Was it New Year’s Eve or New Year’s Day?
New Year’s Eve, yeah. New Year’s Day, that’s right.
LG: New Year’s Day and up until midnight.
KS: I have it right here because I was just naming this new TV show.
LG: And then Adam Tow pushed the button.
LG: Now that is a whole different meaning, but it was a very big button.
KS: It was good. Here’s some names.
LG: And Recode launched.
KS: Here’s some names.
KS: Dispatch, Red Chair, New Level, Inside Look, Highwater, what was that? Hell or? I don’t know. Sordid, which I think is ...
Sordid, yeah, that would have been great.
KS: Recode was on this list. Base Node. Noble Few, I was like, that’s a wine site, right? I don’t know, whatever. Code Motion, Signal State, Surface Space, Upside of the Upside, Code State, Encoder, Durable Media, and that was it, and we picked Recode out of that group.
LG: Durable Media, that sounds like a condom brand.
Yeah, I’m glad you didn’t pick Surface Space, it’s a bad name and Microsoft would have sued you.
LG: Maybe we’d be sponsored by Durable Condoms if we went with Durable Media.
KS: I would have liked to have called it Spectre now that I see it.
Ina is the chief technology correspondent at Axios and still one of the world’s leading Pokémon players, but she also knows a ton about Intel, she covered it a lot for All Things D.
My first job, actually, in San Francisco, I was covering chips for an ill-fated financial wire site.
LG: What was that one called?
KS: Bridge News, all right.
That name’s probably available, too.
KS: Yeah. Anyway, we want to talk about this and we have lots of questions. It got a lot of attention at CES last week because Brian Krzanich spoke, so why don’t you just walk us through it? The name Spectre, of course, it’s from the Bond movie, which were the villains in the Bond movies, and Donald Trump has a meltdown on Twitter every week.
LG: Are these as ominous as those things?
KS: Yes, exactly. A daily meltdown, actually, on Twitter.
Yeah. I’m not going to comment on Trump’s meltdowns, but this chip vulnerability, what’s fascinating about it is usually when there’s a problem, it’s a math error or a heat bug or something in one particular chip. This is actually a flaw in the way chips have been designed basically for more than the last decade. The way that chips have worked, to put this in as simple terms as possible is, they have had more capability than there has been work to do. Like a very motivated person when they’re done doing all the work, they get ahead on next week, and so they were trying to go off and assume what they might be asked to do next, and that’s where they got in trouble.
Once they were done with the work that they knew they had, they would think, “What might we be asked to do next?” They’d go off in all kinds of places and figure out and do the calculations. The problem with that was, if you wrote a malicious script, you could have them go and fetch all kinds of things out of memory, and that’s bad. The fact that nobody thought of this ahead of time is kind of bizarre to me, but basically, the way that they were doing this — and it’s not just Intel, although Intel is affected in ways that some others aren’t — but it is really all chips. So, the chips in your phones, the chips in your PCs, the chips potentially in other things, other kinds of high powered devices, your cars.
LG: Smart fridges.
Yeah, probably the Samsung smart fridge, you might no longer be able to take a picture of what’s in your refrigerator and have to open it. The problem is, when you have something that’s been in every phone and every computer for the last decade, kind of tough to fix.
KS: Yep. Yep.
LG: I’ve heard different phrases applied to Spectre and Meltdown, are they bugs, are they design flaws, are they vulnerabilities?
KS: Or just bad design?
LG: I think if you say design flaw, then it makes you think of the CPU itself, and that makes me think, Intel. If you say bug, I think software and I think something that could inherently be fixed with software. What is it exactly?
Part of it is, which term you choose to use. I don’t use “bug” because I think of those other things. It is definitely a massive vulnerability, so that’s the term I use the most because it is a security vulnerability, there is no question about that. I think “design flaw” is also fair because it is a flaw in the way that they’re designed. It’s not a bug in that it wasn’t a small error, it’s working the way they designed them, the problem is the way they designed them has a big security hole.
KS: And they didn’t anticipate this or ...
It’s a little puzzling.
Again, I’m an English major.
KS: It feels like Samsung. It feels as bad and big as Samsung’s exploding phones.
Yes and no. It’s not in the sense of, it’s not physically dangerous.
KS: It’s worse.
But it’s bad in that, in theory, if the systems aren’t patched or if someone comes up with a new exploit, they could get your passwords and other stuff. Intel likes to point out they can’t corrupt the data, so they can’t mess with your data, but that doesn’t mean they couldn’t steal your data.
That’s why the whole industry is trying to fix this as much as they can, but there’s a lot of debate and it’s been very confusing to report over just how much they actually can fix. A couple of the researchers involved are saying part of the Spectre vulnerability is unfixable, on the one hand. On the other hand, you have Intel saying it’s completely mitigated. One of the challenges I’ve had in reporting this — and we’ve been reporting it since before it was announced publicly — is just figuring out where the truth lies. I think it’s probably somewhere in the middle, but literally every company involved that I talk to explains it differently, has a different impact and a different level of mitigation.
LG: A lot of them are being very protective right now.
KS: Yeah, of course, they don’t want to admit what’s happened here. So, explain this to me, Spectre and Meltdown.
Meltdown is a more specific thing, so it’s both a more present danger, but also more easily solved because it’s more specific. What that was was basically a specific technique that applied, it seems like to both Intel and ARM chips.
KS: ARM chips, right.
AMD’s a little less affected, Intel’s rival, but they’re far less prevalent than Intel systems, but both Intel and ARM, and this was a specific way you could go in and get a specific set of information. Spectre is a little different, it’s harder, you have to know how a specific chip works, but it’s a whole class of attacks. We might be seeing Spectre-related attacks for years. You’re not going to change the chips that are in these machines, so you’re going to have to patch them.
It also has to do with how they’re fixed. For Meltdown, there was a pretty specific fix. Basically, the attack worked by letting you get access to different kinds of memory. If you take that access away, you solve the problem. Great, except the techniques that they were using, they were doing it because it made things faster. So one of the issues is, by fixing Meltdown, in some cases, you could be really slowing things down, and that’s where a lot of the criticisms come, that’s where these class action lawsuits are coming, and that’s where I think you’ll see some people that use cloud services also saying, “Whoa, this is a really big deal.”
LG: How many computers do we believe are impacted at this point?
This is an easy one: All of them.
LG: All of them.
No, I mean, it’s basically any modern high-end device. High end meaning any computer, any modern Android phone, any iPhone, and even some Internet of Things devices, if they’re using a fast-enough chip. The chips that aren’t affected are ones that aren’t high-powered enough to be doing this thing, it’s called speculative execution. They don’t have enough computing power that they needed to use this technique.
KS: Such as?
LG: Is that like ...
So, the Apple Watch, for example, isn’t going that fast, or Chromecast, or ... So, some of the Internet of Things devices aren’t using that high end of an ARM chip.
LG: That’s interesting. Okay.
KS: So they’re all affected. One is just easier to fix than the other. So how do you get to this kind of thing? It seems to be a failing on Intel’s part, so what do we know based on what Intel’s made public? How are they handling the crisis?
On the one hand, it is hard to see how this big a vulnerability got out there. At the same time, you had all the minds in the chip industry, all thinking the same way, nobody caught this. It’s in literally every modern chip architecture. What’s interesting, they have known about it for a while. So, Google researchers found this, last June they reported it to Intel, AMD and ARM, so they’ve been working on these fixes for a while. The whole industry’s kind of known it has a problem. Again, the challenge is, it’s a lot to go back and fix.
LG: There’s been a little bit of back and forth between, just for one example, Intel and Microsoft. Intel is saying, “Here’s what we know and we don’t think this is going to slow down your machines.” Microsoft came out with a blog post last week during CES saying, “No, we do think this is going to slow down our machines, especially ones that have been running Windows 7 or are running on older chips like Haswell.” Then it just seems like there are just a lot of conflicting reports here as to what is actually going to happen to people’s machines.
KS: Both performance-wise and vulnerability-wise.
LG: Yeah. Right, but a lot of it’s around performance, because once you issue these patches and people do these OS upgrades that include these patches, that’s when, basically, from what I understand, the communication in the kernel has changed and that’s what slows things down. What do we know is actually the case here in terms of slowdowns?
From what I understand, when you really get a slowdown are applications that were making a lot of use of this communication with the kernel, and now, in order to fix it, what they’re doing is ... Cache is basically memory that’s stored, they’re dumping that every time to avoid being vulnerable. So if you have an application, like a database, I’ve heard databases are particularly affected, that’s going back and forth between the kernel, that’s where you see a slowdown.
There’s some ways, over time, that they might be able to change this. For example, they could leave you in the kernel and you could do a lot of work in the kernel, that would improve performance, but it would again be a security issue. There’s a reason they want to keep you out of the kernel, the kernel’s like the vault. If you think of this as a bank, right now the issue is, it’s easy to go back and forth between the lobby of the bank and the high-security vault. In order to close that, they’re making it really hard to get between those two things again. You could do everything in a high-security vault, but the people that are also in the vault don’t really want you hanging out there. I like this, I could use this.
LG: We’re just going to keep going with this, yeah.
KS: How about a house? Do a house analogy. My panic room, they’re in your panic room.
It’s interesting, you do have Microsoft and Intel saying a lot of different things, and in fact, you even have Intel saying some different things.
KS: Which one is more affected, Microsoft and Google, or Apple? Especially because everything’s mobile, obviously, that’s where the ... Or is it the laptop?
So, Microsoft and Linux, on the server side, are impacted similarly and they’re both doing relatively similar things to fix it. Google is interesting. On Android, this is an issue because they use ARM chips. I think what we’re going to see over time is, if there are exploits, Android is more vulnerable because people don’t fix their Android systems. So the Android flaw could last longer in the sense of, even though Google has pushed out a patch, that’s not the same as the phone maker, so Samsung may not have put out a patch, the different chip makers, it’s just a more crowded atmosphere.
Apple has said a little less, they’ve said, “Look, we’ve updated iOS and Mac OS,” as is typical, they don’t go into a ton of detail about how vulnerable they were. They do have the advantage, though, that they can see the software and the chips and the hardware, and they can be more elegant in the way that they fix it because they control all those things.
KS: Because they can do it together. Obviously, it’s helped that everyone works on mobile, obviously now, more than anything, that Intel wasn’t as competitive in mobile as others, correct? Or not? Or is it just everything?
It’s everything. There’s fewer Intel chips in mobile, but the same flaw applies to the ARM chips.
This is also interesting, I don’t think we’ve ever seen a flaw like this that affected multiple types of vendors. In other words, if there’s a flaw in Linux, it doesn’t usually affect Windows and vice versa. Although, that’s not totally true.
LG: Who designed this original flaw?
KS: Yeah, who’s the idiot?
Who can we blame?
KS: Who can we blame?
Pretty much everyone who went to chip design school.
KS: Who can we give responsibility to?
That’s the thing, is everyone in the industry did it, it’s like ... I’m trying to think of a good example.
KS: A bad lock, someone who ...
KS: ... and everyone ...
And the whole industry moved to that bad lock.
KS: Right. Right. Right.
There were good reasons ... Again, you had these chips that were incredibly powerful and they had extra brain cycles, and so people were like, “What do we do with these extra brain cycles?” What surprises me isn’t that they went to that, it’s that they didn’t foresee basically unlocking the bank vault could cause problems. Again, nobody in the industry seemed to have seen it.
KS: It’s almost like Silicon Valley doesn’t understand its impact.
LG: I spy a recurring theme here.
Kara’s moving it back to home turf, “Enough of this talk about chips.”
KS: No, but it’s the same thing. It’s the same thing, is these people have the responsibility to protect their consumers. It’s like bad meat, you know what I mean? It doesn’t kill people, but it’s not ...
Well, what’s interesting, and that brings up one of the things that I find interesting, is that Intel has said it doesn’t expect a financial impact from this, which I find fascinating.
LG: That’s kind of shocking.
KS: I’m feeling like suing them tomorrow.
Well, and a bunch of people have beaten you to it.
You can join their class action suits. I think that’s one issue. The other issue is, if you do work in the cloud, this impacts you. One of the things that Intel and others are saying is, “The performance that you see will be very workload dependent,” so it depends what you’re doing, but that means that the people that are impacted the most are these businesses that are paying a ton of money to Amazon or Microsoft or Google to do work in the cloud. They might be doing one thing over and over, and if that one thing is what’s impacted, they’re going to see that 20-30 percent performance hit. It’s not going to be you or I.
KS: It’ll affect businesses.
You or I, we don’t do enough of this to probably notice.
LG: Right, but if you’re running a bunch of servers ...
And you’re doing one thing over and over, you might be totally unaffected because that one thing doesn’t use this technique a lot, but you might be very impacted. I think one of the reasons Microsoft has been so outspoken about this is, they’re worried about being blamed because suddenly Azure or Amazon or Google’s cloud, the people you pay, they’re sending you a bill for 20 or 30 percent more work. They’re worried that they’re going to be the ones to blame.
KS: Why would you pay it? Why would pay?
KS: Why would you pay for more because it’s their ...
Basically, each unit of time ...
KS: No, I get why. I just, “Why would you?”
KS: You’d complain about it.
LG: Hypothetically speaking.
KS: Yeah. It’s a really interesting ...
LG: What does it mean if you’re working in a virtualized environment? Let’s say you’re at VMware right now and you provide software for people to run Windows on Macs, does this impact your experience at all?
I think it does. I was reading up some on this, I’m not an expert, you should definitely read ... The bottom line, I think a lot of people are wondering, “What should I do?” If you’re a consumer, patch to the latest update. If you’re an enterprise, you really need to read from each of these. So you should go to your virtualization provider. There’s things you need to update on both the underlying metal, but also the virtualization architecture.
KS: I will get to that, and then of course people ask these questions ...
Because Kara loves it when we talk virtualization.
LG: Yeah, virtualization really gets her going.
KS: No, but I want to know what people should do, and regular people. I think businesses are probably ... They have all kinds of experts to do that. Why did it take so long for Spectre and Meltdown to be ... This has been a decade, you said, chips going back a decade, right?
That speaks to, it couldn’t have been that obvious, or not only would the industry have found it, but this whole security community that loves to poke holes ...
These are the smartest brains that basically sit around looking for holes, and they find the most obvious holes. So, it did take a while.
KS: Yeah, they did a great job on the Russian stuff. Anyway, sorry. What? Go ahead. I want to know why they’re falling down in their ...
I think what’s interesting, and I think a lot of people will be like, “Wait, you’ve known about this since June? Why are we just hearing about it?”
KS: That’s another one.
I actually think this was an example of the system working. The way that the security system works is, if people do what’s called responsible disclosure, I find out there’s a big flaw in the system, I go to the system provider and say, “Hey, here’s what I found. When the time comes I want credit, but I’m going to give you guys a reasonable amount of time to fix it,” and that’s what happened here. It came out like a week early, so this is what I think, as a reporter, I’m like, “This was crappy.” They were going to disclose it during CES, the day after Brian Krzanich’s speech.
KS: Oh man.
KS: You could see that meeting, you could see that PR meeting, “Should we mention?”
Luckily for us, because I think it would have just made reporting at CES a nightmare, not to mention the fact we didn’t even have power.
KS: Another security flaw.
So it came out about a week early.
LG: A week before, right. Yeah.
So that was good, but it was held since last June. It held since last June, so that’s a pretty long time for the entire industry.
LG: That is. It makes me wonder if these independent, or somewhat independent, in some cases they’re working for Google or whoever it might be, but these researchers who follow this ethics code feel like they need to come out with it ...
KS: Yeah, I’m surprised ...
LG: But they have the access to these tools. It makes me wonder, researchers within government who are probably not disclosing things with the same ...
We do have this.
Basically, there’s a question, should the government be out there looking for unpatched holes?
Whether it’s for the surveillance they want to do or to attack foreign powers, and this is really going on. If the government had found this hole, they probably would have used it to attack other countries.
KS: Oh, nice.
Or other governments would have used it to attack us.
KS: Yeah. Yeah, great, don’t we all feel safe. I think this was the plot of a Téa Leoni movie about the end of the world, as I recall. They didn’t tell anybody the world was ending for six months or something like that.
I think Hawaii got the heads up.
KS: Yeah. Oh God.
That’s another story.
LG: Poor Hawaii.
Yeah, that was awful.
KS: It’s down the same thing, it’s like the way these systems are designed. Apparently, there’s two buttons and they seemed alike, test missile system, missile thing ...
LG: Yeah, reportedly a dropdown menu.
We talk about the computers getting smarter than us, that it’s an advancement in the computers, I think it’s actually us getting progressively less and less sophisticated.
KS: I know, I was thinking, “Let’s let the computers run things,” because literally, I think it was right there in a dropdown.
KS: It’s sending people ... Can you imagine if you thought you had 30 minutes to live?
It was “end of shift” and “end of world,” and he accidentally hit, “end of world.”
KS: All right.
LG: Have you guys been watching “Black Mirror,” by the way?
KS: I can’t watch that show.
LG: I just watched the episode last night with the Boston Dynamics-like little robot dog, have you seen that one?
I have not yet.
LG: I don’t want to add any spoilers.
KS: Does it eat the face of the owner? I need something like ...
LG: Well, anytime you think, “Oh, well, we’re smarter than these things,” or do you remember when we had Rich Mahoney on to talk about robots and whether or not we should all be afraid of robots, and he said, “No, don’t worry about it, you just unplug it or let the battery die, and then you’re fine.” Yeah, that’s what I was thinking when I watched this episode, and that is not the case.
KS: Oh no, I don’t even want to know about it.
LG: That’s all I’m going to say. You should all go watch it.
LG: It’s terrifying.
KS: No. No.
KS: No robot dogs.
LG: That’s our future.
KS: No, thank you.
LG: That’s our future. They’re smarter than us.
KS: How about a robot cat?
All right, in a minute we’re going to take some questions about Spectre and Meltdown from our readers and listeners, and terrify you even more. First, we’re going to take a quick break for a word from our sponsors.
LG: Hashtag Money, hashtag YoureWelcome, hashtag INeedMoreSleep.
KS: I like hashtag Money.
LG: I’m going to try hashtagging now for our ads.
KS: I like hashtag Money.
LG: Hashtag Money.
KS: I like it.
LG: Money, money, money, money.
KS: Cash, hashtag Cash.
LG: Hashtag Sleep, because sleep.
KS: We’re back with Ina Fried from Axios, formerly of All Things D and Recode. We let her in the building today to talk about Spectre and Meltdown chip vulnerabilities, which are potentially endangering computers around the world. What a happy day, thanks for coming.
I’m always here. Last time it was when Samsung phones were blowing up. I’m Miss Good News.
KS: Miss Good News. So, no surprise, we’ve got a lot of questions from our listeners and readers about what’s going on and what they can do. Ina, they need your help. Lauren, can you read the first question?
LG: I can.
KS: Thank you.
LG: Would you like me to?
KS: Yes, if you can.
LG: Say please?
KS: No. Just read the first question.
LG: All right. This is from Matt Del Signore, @delsig on Twitter: “Do you think companies are downplaying the danger of this? It seems like Spectre combined with Rowhammer means you have arbitrary reads and writes on any system, and that these can’t be fixed with software updates because it’s a flaw in hardware.” Are they downplaying the danger?
KS: What’s Rowhammer?
LG: Yeah, what is ... Hashtag Rowhammer.
KS: What is that?
LG: Google Rowhammer.
While Lauren’s Googling Rowhammer ...
KS: You just tell us.
I think an argument could be made, a reasonable argument, that they’re both over and underplaying it. I think with any security vulnerability, the real issue is, what do people do with it? I sort of balk at the notion that there’s no way of fixing these things. I think the fact that it’s in silicon and it’s in every piece of silicon makes it hard, but the fact of the matter is, you can do things differently, and that’s what you’re seeing. That’s why it’s falling on every operating system to go out and patch.
So it’s a big problem, but I’m sort of skeptical of the idea it can’t be fixed, but there’s usually a cost. Cost in this sense comes in performance. You have this technique and if you decide you are going to avoid the vulnerability, that means avoiding using this performance-enhancing technique.
LG: Guys, I have a very easy-to-digest description of Rowhammer here.
KS: All right, go ahead.
LG: It appears as though the researchers from Project Zero also worked on this in 2015, they built some exploits that used this Rowhammer effect. Rowhammer is a problem with some recent DRAM devices, in which repeatedly accessing a row of memory can cause bit flips in adjacent rows. There you go, you have it.
So it’s a memory flaw.
LG: Yeah, it’s a memory flaw. It’s a side effect in DRAM, which is dynamic random access memory, that causes memory cells to leak their charges. I guess in some instances altering the memory.
This is a more traditional ... That’s like a chip bug.
KS: All right.
LG: Okay, so there you go.
KS: All right.
LG: You learn something new every day.
KS: Next question. Kevin Lam, @The_KevinLam: “Why are companies like Apple being dragged into lawsuits against the processor manufacturers? Is it because Apple uses ARM designs in their custom chips?”
Yeah. Anyone who’s ultimately shipping a system has a problem, it’s whose fault is it. Ultimately, I think the chipmaker, but Apple in this case is the chipmaker, Apple makes its own ARM chips. So, Apple, it’s pretty simple, they make everything in the system, so if you’re going to sue somebody, they’re probably the ones you’re going to sue.
I think the more interesting question is, if you’re getting your cloud services from Amazon, who’s responsible? Amazon? The company that made Amazon servers? The company that made the chips? We may well get to find out the answer of that through litigation, which is why I think it’s so interesting that Intel said it doesn’t see a financial impact here.
KS: Let’s sue them all.
LG: This is a good question from Evan Spielberg, “When will new chips come out that aren’t affected or infected, as the case may be?” This, I guess, is a question about supply chain, right?
KS: That takes a while.
LG: Right. How long is the chip production cycle, generally, and when can we get ...
KS: Especially new chips, because that’s always usually multi-year.
LG: ... completely newly designed?
Yeah. Chips take a couple years to design. I think what you’ll see is, starting later this year — and I asked Intel this specific question, since they’ve known since June, they’ve had a little time to start thinking about this. I think what you’ll see initially are, at the chip level and at the firmware level, chips written that are more elegantly doing what’s now being done as a software patch.
You could argue they’ve changed the chip design, I don’t think you’ll see an end to the technique. In fact, they said they won’t, that you’ll still be able to do this speculative execution, it’ll just be a little smarter when it comes to memory. I think what you’ll see is, down the line, more elegant revisions. I think chips this year may be less vulnerable than the ones coming out over the last decade, I don’t think it’s that they fundamentally rethought how chips are done, I think they’re just designing and releasing these chips, aware that this vulnerability exists.
KS: Interesting. So, any timing?
Yeah, later this year. What Intel said is that the chips that come out starting as early as later this year won’t be vulnerable in the same ways.
KS: But the billions of devices ...
Will have to be fixed with software.
KS: Billions. Billions.
KS: Billions. All right. Next question is two questions from Ravish Kumar. “As the MacBook Air is already underpowered, is it going to make the laptop obsolete to use in 2018 after the update?” Then, “I’m planning to get a MacBook Air, but I’m not sure if the updates are going to slow it down by 30 percent as the processor is also pretty old.” I have one, too, it feels like it ...
LG: You have an Air?
KS: I have an Air.
LG: Do you really?
KS: I think so.
LG: What year?
KS: I don’t know. I don’t use my laptop ...
LG: Walt Mossberg has a bunker of MacBook Airs, somewhere, I’m convinced.
KS: Yeah, I have a lot of them.
LG: He just loves that thing.
KS: Yeah, I have a lot of them. I have the Pro, I’ve got ... I don’t know, I’ve got a lot of computers.
Just hook them all together and you’ll be fine. No. I don’t think this chip issue is going to be the determining factor for the average computer user because as we’ve said and as others have said, I don’t think the average computer user is going to notice a huge impact. Now, Microsoft has said, for some Windows 7 systems, on older chips, there’s a performance impact that can be noticeable. So, I don’t want to underplay it.
KS: Explain to people what noticeable would be.
Noticeable probably means ... They didn’t specify, but I think ...
KS: You get the little spinning things?
... 10 percent, 15 percent. I think it’s tasks that you do all the time taking longer.
So, I don’t know with Apples what they’re seeing. They’ve said, “We don’t see a significant impact,” it always feels like your older computer is getting slower.
KS: My spinny thing suddenly is making a debut all the time.
I think people will have it in their head that this is the reason why they need a new computer. In general, it’s not the chip performance that tends to be what slows things down.
KS: You have too many emails and ...
Things like battery and memory and stuff, the speed of your hard drive, really boring stuff that’s hard to quantify, I don’t think this is going to be the factor of getting a new Mac or not. It is a rare argument for getting a more modern chip. In general, I don’t know what your advice is, Lauren, but it’s not the first thing I tell people to worry about. I say, “Get as big a hard drive as you need, think about a solid-state drive,” but not worry too much about what chip because historically, they’ve all been fast enough.
LG: Yeah, I will say that for me, being kind of a nerd, I waited for the next generation Kaby Lake processor to be available in new MacBooks before I went ahead and bought one, but for most people who were like, “I need a new laptop, which one should I get?” generally they’re looking at low-cost Windows-based PCs. And if they are looking at a MacBook, most people aren’t looking for high-powered stuff unless they’re pros, and if they’re pros, then they kind of know what they want. Yeah, I would say the chip is generally not the very first thing I tell them to look for.
KS: Yeah. I’m just curious if there’s any possibility that this is not a mistake, that there’s some sort of hacking or something else attached to it.
I don’t think so. If you want to create a backdoor, you don’t create a massive vulnerability in the entire industry.
KS: Right. For a long time, people will bring that up.
Yeah. Again, I think people often want to make things into a big conspiracy theory and it’s hugely not the case.
KS: It’s because they’re true. They’re absolutely true.
We can get into, why is Apple slowing down our phones? I think that’s not actually what was going on with that either.
KS: Right. Okay. I know, trust tech. Okay, got it.
No, I’m not saying that at all. I just think ...
LG: No, I see what you’re saying. They’re often engineering solutions that are done a certain way because of the limitations of the hardware that exists, but most of the time, what people take away is that one detrimental thing as a result of the engineering solution.
Yeah. On the Apple thing, we have Congress holding hearings and it’s like, look, you can knock Apple for making the battery hard to replace, that’s a totally legitimate criticism, or how they communicated this, or sort of being cavalier in how they assume they know what’s best for the consumer. All three of those are valid criticisms. It is not the case that Apple was intentionally slowing down iPhones, that’s not really what was going on.
Similar with this, nobody was trying ...
KS: I think the issue is, a lot of them act like they’re so confident, and when they make ... They project an aura of invincibility and competence, and lots of things have been badly designed. From horribly tragic things like the O-ring to just basic things that are ...
LG: It does become a communication issue, we saw with Samsung, as well. Samsung was really slow to issue formal recalls and communicate properly about what was going on with their overheating and fiery batteries.
KS: Even when they did have a good answer.
LG: Intel is now not communicating very well, it’s still unclear whether or not Intel just doesn’t have the same information as Microsoft, or whether Intel is bluffing a little bit because ultimately this could come down on them. Same with Apple, like you said, Ina, it’s not necessarily like, “Yeah, let’s throttle iPhones and make everyone rush to the store on that Friday so they can buy new ones,” but it’s like, “We did this tricky engineering thing in order to compensate for aging batteries in older devices, but we didn’t really communicate that right.”
KS: Okay. Next one, Lauren?
LG: Liz Nasty Weeks, one of our loyal listeners, thanks for writing in all the time, Liz: “I’ll ask the obvious: What does this imply for tech like self-driving cars?”
LG: “This wasn’t wholly foreseeable, and we have the space to wait for a fix, but less so with more sophisticated tech that dovetails into traditional harm concerns, for example, car control.”
KS: I’m already worried about the hacking of cars.
I think it is a good and reasonable question that we should all be asking as we take the computer industry and apply the same technology to all sorts of other things, how do we feel about a vulnerability there? The medical device, I think, is the best example. They have not said, they have specifically said the opposite, “We’re not going to just take computer technology and bring it over, we’re going to have a different level of security required.”
I think when you think about self-driving cars, it is a good and reasonable question to say, “Do we want all the benefits of the PC industry, along with all the costs, or do we need something different?” What’s been interesting is, historically, what they’ve said is, “We’ll take computer technology for the infotainment and for some of those things, but when it comes to the core operation of the car, we’re going to keep that separate.”
What hackers have shown, that team that went to Apple has shown, is that’s not always true, the firewall isn’t as good as it sounds, and so I think it is a really good question. What if this flaw had been found 10 years from now when the same technology is powering our cars? I think it’s a good question, but it’s already powering our elections and our power grid, and our everything.
KS: Other things, yeah.
And there’s a cost. There’s a cost to all these vulnerabilities.
KS: 100 percent.
LG: Nothing is really benign anymore.
KS: Yeah, nothing.
LG: I was thinking about this at CES because my mom is fond of telling me that the first trade show I ever went to, I was so little I was in a stroller, and it was at the Javits Center in New York City, and she and my dad ended up buying a VCR. They were like the first of their friends to have this JVC VCR. That thing must have lasted for ... It might have been CES, but if it wasn’t CES, it was a CES-like trade show, and that thing probably lasted for like 20 years.
KS: It was the other one.
LG: It was never connected.
KS: What was the other one that closed? We used to go to ...
LG: Yeah, started with a ...
LG: COMDEX, yeah. For a while, all of those prototypical products that were at trade shows were like this, were gadgets, they were not connected. They were benign, they lasted for a really long time. On the downside, they couldn’t be optimized or constantly updated through software, but on the upside, they were not vulnerable to this sort of stuff. We are just moving to an ever-connected world, everything is connected.
KS: Do you know where I’m going on vacation?
LG: Everything is vulnerable.
KS: No internet or ...
LG: Yeah, I know where you’re going. I’m not going to tell on the podcast because I don’t want to dox you, but ...
KS: No electricity.
LG: I told you I’d go.
KS: You might still. We’ll see.
A place with no electricity or internet?
LG: Kara’s partner in crime didn’t seem too excited about the vacation.
Wait, you’re going to a place with no electricity or internet?
In Las Vegas?
LG: I offered myself.
KS: Yes, you will be my ...
KS: You will be my ...
LG: No, really, every single thing I saw at CES last week, for the most part, was connected in some way. Everything has an app, everything has the connected protocol and you can’t ...
KS: We are living The Terminator.
LG: I said this last week, you can’t put the toothpaste back in the tube now.
No, you can’t. These things that are choices are quickly becoming not choices. For example, a lot of people have been writing about avoiding Google Home or Alexa, that they don’t want an always-listening thing, which I think is a perfectly good choice.
I actually haven’t had any of them. I’ve tested them briefly, but I haven’t kept them on. Well, that’s nice when the choice is, “Do I want this smart speaker or not?” It’s a product I can decide to buy or not. What we saw at CES, two years from now, it’s not going to be up to me, it’s not going to be a question, either my microwave’s going to have it, or my TV, or whatever. Donald Trump wasn’t apparently wrong about this, the microwave will be watching us.
LG: The cyber.
So you can add that to the very long list of things that have actually turned out to be true.
LG: It always comes back to that man, doesn’t it?
KS: No, it does not. Whatever. Anyway.
LG: This is a really good one, I love this question.
KS: I’m going to ask it.
KS: You’re going to get the last two.
LG: Okay, go ahead.
KS: Jeff Yang, @OriginalSpin: “Why do horrible civilization-threatening computer bugs always have totally awesome-sounding names? Can’t we just call them something like Flarb and Ziffle, so it doesn’t make you kind of psyched to be pwned?”
Wait, he knows about Flarb and Ziffle? Those aren’t supposed to be disclosed until next week.
KS: Why do they have these names? Who names these things?
KS: Who named it Spectre?
The researchers. So, in this case, it was people looking to make it sound good.
There’s a security industry that benefits from these cool sci-fi names.
KS: What’s your favorite of these names?
WannaCry was pretty good.
LG: WannaCry was pretty good.
KS: What’s that?
I’m old enough to remember I Love You.
LG: Heartbleed was good.
Heartbleed was good.
KS: I don’t get that, Heartbleed?
LG: Oh, Heartbleed, that was from a few years ago.
It’s like ...
KS: Heartbleed. Oh, Heartbleed. I thought you said Harpley and I was ...
LG: No, Heartbleed. My boyfriend still wears a Heartbleed t-shirt.
KS: Oh, Heartbleed, I remember that one.
LG: Now it’s vintage at this point.
There was I Love You and Melissa, back when ... Remember when the biggest vulnerability issues were mass emails?
KS: Who was the Intel ... There was an Intel one.
They would send out email and your email box might be flooded. Oh, what a naïve time we lived in.
KS: What was the Intel one from a couple years ago? They had the flaw in the chip, what was it? Remember?
The Pentium FDIV.
KS: Pentium, yeah, that was ...
Well, Pentium was the name of their chip.
Yeah. It had a math bug.
KS: Yes, that’s a math ...
It couldn’t do floating point math. I can’t either.
LG: Rowhammer’s pretty good.
KS: Rowhammer sounds strange. Give me a name that you would make if you were the security researcher?
I’d name them after Pokémon. That might run into some trademark issues.
KS: It’s like internet companies, they used to ... Netscape, in the early days, Marc Andreessen would name them after diseases of the skin, the meeting rooms, and different things, and different servers.
I don’t know that we want to conflate human disease and computer disease much more.
KS: I’m just saying, he had diseases of the skin.
“I just had to patch my system, it’s got syphilis.”
KS: Yeah, right.
LG: I’m trying to look up some good ones.
KS: Syphilis is a good name for a thing.
It’s popular in the baby name books, I hear it’s making a comeback.
LG: I would name mine after cats and be like, Slider, Nougat, Fluffy.
I believe Nougat is already used.
LG: You know what would be good? I know Nougat is already used. I would name it after Keanu Reeves’ characters: Neo, Constantine.
KS: That’s a good idea.
LG: John Wick. Eric’s nodding, he knew that was coming.
KS: Oh no.
LG: The John Wick security flaw.
KS: Yeah. I would call them Kara One, Two, Three, Four, Five.
That’s actually my pet name for them.
LG: Of course you would.
“This Kara is completely ruining my system, and it calls at all hours.”
KS: All right, last two questions.
LG: Some guy named Walt Mossberg ...
KS: I heard he’s retired.
That meme sounds familiar.
KS: He’s opening a cigar store called Smoke and Mossberg.
LG: “How will these devastating bugs affect the production of Diet Coke and Starbucks iced coffee?” Another question, a follow-up from Dieter Bohn: “Also, are Niantic’s Pokémon servers okay?” Very important questions for you, Ina, from your fans.
I feel like both of these are uniquely directed to me. Well, I’m holding a Diet Coke here in our studio.
KS: She is.
This was another thing, so I don’t know that they’re related, but I am very upset. So, if Intel had had its way, this chip flaw would have been disclosed at CES while we were busy, and Diet Coke actually got away with this. They announced massive changes coming to Diet Coke while we were at CES, which I thought was an incredibly ...
KS: That was how many years ago? Oh, this year.
KS: Oh, this year. Twisted Mango and ...
Blood orange. Yeah.
KS: Blood orange.
So, they’re getting rid of the Diet Coke can.
LG: Oh no.
KS: Ginger Lime.
They’re going to have a new formula. I guess Diet Coke sales are down, which it’s certainly not due to any lack of ...
KS: You and Donald Trump, really, that’s who drinks Diet Coke.
KS: Look, I’m just saying, he drinks like 10 a day.
That feels so much better. It is really a good motivator.
LG: Feisty Cherry?
So, I think Diet Coke, like a lot of businesses, if they’re storing their secret formula, it’s potentially vulnerable.
KS: It’s Twisted Mango, Blood Orange, or something like that.
Yeah. I think these new flavors suggest they don’t have a secret formula that needs to be protected.
KS: Yeah, they’ve got weird ... You know, “Twisted Mango” is Tony Romm’s new code name, but anyway.
LG: You know what’s funny about this? At least according to one article, part of this drop in Diet Coke sales in the U.S. is because Americans are increasingly cutting sugar out of their diets. So, why would you go with the names Feisty Cherry, Zesty Blood Orange and Twisted Mango? Doesn’t that make you think more sugar?
LG: You’re adding fruit to the mix, so I would think more sugar.
KS: Yeah, Feisty Cherry.
Tepid Quinoa, though, just doesn’t sound like a very good drink.
KS: Lukewarm. Lukewarm Quinoa.
LG: Tepid Diet ... Miso Tepid Diet Coke.
As for Niantic’s servers ...
KS: I made some delicious miso soup the other night from scratch.
LG: Where is it?
KS: I ate it.
LG: I don’t see it here.
KS: I ate it. I ate it. Anyway, Niantic, what are they ...
I haven’t noticed any slowdown in Pokémon, but I promise you this, I’m going to keep testing it. If I have to play the game 24/7 ...
KS: You are the only person ... You play like ...
There’s a lot of us, we’re just not as concentrated. They have these events and there’re mobs.
They are still a lot of people, but it’s way less than it used to be.
KS: Yeah, Louie Swisher stopped playing.
Yeah, a lot of people don’t play anymore, but a lot of people do.
KS: Do you remember when you found one in my bedroom? Do you remember that? Like there was some party and there was one upstairs.
Was that a Pokémon?
KS: Yeah. I had a Pokémon whatever, gym, or whatever.
LG: Was it a Pokémon cuddle puddle?
KS: No. No, there’s no cuddle puddle going on in my house. That’s a reference to sex parties in Silicon Valley, which of course ...
LG: For those of you who have not yet read the Vanity Fair article by Emily Chang.
KS: The fact of the matter is, them calling them cuddle puddles, it sucks all the sex out of it.
LG: That would be a good name for a vulnerability.
KS: Cuddle puddles.
So what you’re saying is, it’s in your bedroom, they can take a peek at you.
KS: No, Pikachu, oh my God, Ina. We missed you so much. Not at all. Cuddle puddle is a great name for a vulnerability.
LG: It is.
That is, there we go.
LG: Have you been impacted by the cuddle puddle? Is your cuddle puddle running?
Elon Musk says it was not a cuddle puddle. He’s totally immune.
KS: Oh my God, that story, I’m sorry, I just can’t ... I just can’t. I just can’t. Everybody’s like, “Kara, write about it,” I’m like, “No, I just can’t.” I don’t know, Ina. Knock yourself out, it’s all yours.
No, I’m in bed by nine, I’m surprised people in tech are going to parties, never mind that they’re sex parties.
KS: It’s true. It’s true.
KS: According to sources close to the situation.
LG: Hashtag CuddlePuddles. Yeah, but I do appreciate that you wore your Glamazon attire here today for the ...
Thank you. I’m also wearing my “Think Before You Tweet” t-shirt.
KS: Yeah, no, we don’t do that.
Yeah, I wore it for Kara’s benefit.
KS: You’ll come on again. Ina, it’s been a delight having you back here.
LG: It really is.
KS: As usual. Ina works for Axios now, she does a great job covering tech. What is your title?
I’m chief tech correspondent, but I also do the daily newsletter, Login, which you can subscribe to.
KS: Wow. That’s excellent.
LG: You don’t get Login, Kara? I get Login.
KS: I don’t read any of those newsletters, I’m sorry. I don’t have time. When do you have time to do it? I’m busy tweeting. Thinking, not thinking before I tweet. Anyway, this has been another great episode of Too Embarrassed To Ask. Ina, again, thank you for coming.
Thanks, Kara, great to see you.
This article originally appeared on Recode.net.