MELTDOWN? LET’S NOT
Adrian Weckler on the latest tech panic
PANIC! Calamity! Action stations! Yes, the first big security scare of 2018 has arrived and it sounds apocalyptic. Prepare for the worst, folks. Because the newest, horriblest computer flaws are here.
They are suitably named: ‘Meltdown’ and ‘Spectre’.
Are you still sitting down reading this? If so, what are you doing? Why aren’t you rushing to search for an online patch for your laptop or phone?
Oh, I see — you want to see how it settles. Maybe it’ll all be grand if you just sit and do nothing? I can’t really blame you. Every week we’re told of a new bug, virus, piece of malware or exploit that is set to change computing as we know it. Depending on which story you pick over the last year, your computer is all set to sell you out to the Chinese, get locked up for bitcoin or become part of an online bot army.
Neither can I blame you for casting a sceptical eye over some of the coverage that we in the media give this type of topic.
I say this as someone who writes fairly regularly about it: as an industry, we pump out an unsteady mixture of responsible reporting and hyped-up terror pieces.
For instance, it’s hard to know which of these Friday’s front page of the Financial Times was, where its ‘splash’ report headline warned companies to replace all their computers “or risk a Spectre attack”. All of them, FT? In Ireland alone, that would cost well over €1bn. How much would it cost UK or EU businesses?
The FT, as well as everyone else, knows that this wholesale replacement of PCs is completely unfeasible and won’t be happening. But a line in an advisory notice from a US college (the Carnegie Mellon University) said that “the only way” to fully remove the vulnerability was by replacing hardware. So that, together with plenty of enthusiastic doomsdaying comments from IT security consultants, creates a front page to scare the bejesus out of its corporate readers.
Lest readers think I’m being snotty here, that is not the intention. We’re all a little guilty of this.
Part of the issue is that many IT security experts, upon whom we invariably lean for guidance and direction, sometimes have a vested interest in people being worried. Concern generates business for them. The doomier the prognosis, the boomier it could be for their sales leads.
It’s the same with surveys that inform us how bad our lack of preparedness is against IT security malware. Mostly (though not always) they are undertaken by companies with a vested interest in getting you to buy an IT security product, service or consultancy contract.
Even the most credible, highly-decorated practitioners in the industry have some commercial upside from heightened tension over IT security fears.
(I have written this before and been taken up on it by some IT security professionals, who say this is too cynical an interpretation. They say that while IT security news events do bring business to them, it should be regarded as proper, constructive awareness rather than cheap fear-mongering. I accept the point, but still think there’s an issue.)
Don’t get me wrong, here. This doesn’t quite mean that the Meltdown and Spectre computer flaws we’re all reporting on don’t deserve attention.
To be clear, they absolutely do. Apple, for instance, never issues public guidance on issues that aren’t deadly serious. On Friday, it took the rare action of putting out an advisory notice on Meltdown and Spectre, confirming that they could potentially affect iPhones and iPads, as well as Macs. (The company said that Apple Watch devices aren’t in the line of fire for the moment, but that it would probably include protection anyway in future updates to WatchOS.) Even this fact alone represents quite an event. Remember the basic tenet of computers we’ve gotten used to over the last 20 years, that “Apple devices don’t get viruses”? It turns out they might.
So regardless of those who are, once again, catastrophising on an IT security worry, the Meltdown and Spectre ‘flaws’ are certainly worthy of discussion and, probably, some action.
That can largely be summed up as follows: update your stuff. You know all of those pop-ups from your Windows or Mac laptop, or your iPad or iPhone, telling you that the new release is ready to be installed?
Stop telling yourself you’ ll do it some other time when you’re not busy. Do it right now.
This goes double if you’re one of those who skipped an OS generation, such as not bothering to upgrade from Windows 7 to Windows 10 or from Mac OS Yosemite or El Capitan to High Sierra. Seriously, do that as soon as you can. It’s a generally-observed principle that big companies such as Microsoft and Apple prioritise safety implementation for the most modern versions of their systems.
And yes, that does mean that if you’re one of the holdouts who stubbornly still uses something ridiculously outdated such as Windows XP, you are sort of asking for it. At the risk of sounding like one of the sirens I lampooned above, you’re genuinely living dangerously with Windows XP or similar old, unpatched, unsupported computer systems.
The kicker is that with new rules on data breach disclosure coming in later this year, you may not get away with keeping any problems you experience on work computers secret. Yes, the General Data Protection Regulation (GDPR) rules are lurking behind this whole process, as they will many issues you may not have thought them applying to. So if you have a bunch of vulnerable work PCs that cede customer information out into the wild because you didn’t secure them, that’s a paddling. Or, to be more precise, up to €20m (or 4pc in turnover) as a fine from the Data Protection Commissioner.
But here I am, reverting to Scaremaster General again. You see? It’s built in. In conclusion: protect yourself. But don’t have to throw out all your existing PCs.