Tech Cynic: The boys (and girls) who cried wolf

Hyperbolic reporting of hardware and software flaws does nobody any favours.

It's been almost a year since the Meltdown and Spectre out-of-order execution processor vulnerabilities were discovered and publicised. The flaws affected almost every non-RISC CPU since 1995 and, for a time, it seemed that the sky was falling on our heads.

Reporters—this one included—read the technical details of the flaws and came to the conclusion that we'd reached the end of the line for secure computing, that from now on it would be technically impossible to be absolutely sure of security on certain hardware platforms. To be fair, that was pretty much the conclusion of the researchers who discovered the flaws in the first place, so we weren't too far out of line.

What all of us missed is that life goes on. Or, more accurately, commerce goes on. There was no way that even these quite devastating microscopic chip flaws would be permitted to affect the macroscopic world of business, at least not in any meaningful way.

Instead, workarounds were quickly found, from software recompilation to microcode updates and kernel modifications. Some of the initial solutions caused more problems than they solved, inconveniencing consumers with failed operating system updates and dramatically reduced CPU performance. But over time the fixes became less obtrusive and more effective, trading performance against security in ways that kept all but the most demanding users happy. Those demanding users may have switched platform or received discounts on new hardware from the same suppliers, if they had enough commercial clout to do so.

Mention Meltdown and Spectre in conversation today and you may receive curious glances or questions along the lines of, "But that's all in the past, right?" Technically it isn't in the past because the flaws are still with us, still present in the majority of desktop, laptop, phone and server chips sold today, but in practical terms it's all over.

Although it may still be possible for a competent hacker to use the Meltdown and Spectre chip vulnerabilities to work their way into a system, in practice it's now so hard to retrieve any meaningful data this way that it's probably not worth the effort. When faced with a locked and bolted steel door embedded in a wooden fence, it's easier to cut through the fence than the door. Meltdown and Spectre are still technical vulnerabilities and that's likely to remain the case for as long as speculative execution remains a performance-enhancing CPU design approach, but there are easier ways to hack a system.

So, another major security event fades into the background. A spike of hype and fear, a rush to fix the damage, then a drift back into business as usual. Compared to this time last year, what's really changed in terms of computing performance? Maybe it now costs a little more to make up for the degradation caused by Meltdown and Spectre fixes under certain conditions and in certain applications, but for most users that cost is dwarfed by the wider economics of technology that have seen the price for the same performance drop year on year for as long as anyone in this industry can remember.
