Skip to main content

Zombieload forces a choice between performance and security. What will you do?

Another week, another devastating, industry-shaking, cybersecurity threat. This week’s is particularly haunting, though — the resurrected corpse of the Spectre and Meltdown vulnerabilities, aptly known as ZombieLoad.

It’s been over 16 months since the original Spectre and Meltdown vulnerabilities were revealed, and little has been done to assure us our PCs are safe. Each of us has to make a choice between performance and security.

That really sucks.

Recommended Videos

The Hyper-threading problem

Understanding Spectre and Meltdown

Unlike in 2018, the major companies’ products affected by this vulnerability have responded quickly. Statements and patches from Microsoft, Amazon, Google, Apple, and Intel were all released on day one of the publishing of the discovery. It’s great to see Intel confidently announce the problem it discovered and present the available solutions to its customers.

There are, however, performance compromises to some of these solutions.

Dips in performance (or far worse) were common in the Spectre microcode patches released by Intel in 2018. That was especially true toward the beginning of the process. As in the early days of the fight against ZombieLoad and other Micro-architectural Data Sampling (MDS) vulnerabilities, we’re seeing signs of that same problem.

Now, Intel has already addressed of the issue at the hardware level in its recent 8th and 9th-gen processors, but the biggest bit of confusion has been with the issue of Hyper-threading. It’s a proprietary Intel technology that brings higher thread counts on high core-count processors and allows much better performance in complex multi-threaded applications. It’s one of the primary features that distinguishes between desktop Core i5 processors and the more expensive Core i7 desktop options. But in this case, Hyper-threading presents a possible gap for systems to leak data out of.

While Intel says Simultaneous Multi-Threading could help protect certain systems, it’s not outright recommending disabling Hyper-threading.

“Once these updates are applied, it may be appropriate for some customers to consider additional steps,” said Intel in a statement. “This includes customers who cannot guarantee that trusted software is running on their system(s) and are using Simultaneous Multi-Threading (SMT). In these cases, customers should consider how they utilize SMT for their particular workload(s), guidance from their OS and VMM software providers, and the security threat model for their particular environment. Because these factors will vary considerably by customer, Intel is not recommending that Intel HT be disabled, and it’s important to understand that doing so does not alone provide protection against MDS.”

There’s a serious issue with this statement. Other companies don’t agree with that evaluation. Because the vulnerability affects every Intel chip since 2008 (except for the newer aforementioned 8th and 9th-gen chips), laptop manufacturers and software developers are making their own calls. Google was the first to release an official statement saying Chrome OS 74, the latest software update for Chromebooks, will have Hyper-threading turned off completely.

Hyper-threading isn’t all that common on Chromebooks, so that might not strike you as a big deal. But what about your pumped-up Core i9 MacBook Pro? Or how about your $4,000 iMac Pro? Apple was the second to recommend  its customers disable Hyper-threading. Its instructions for “full mitigation” of the vulnerability include disabling the feature entirely, resulting in a drop in performance by as much as 40%. That’s based on Apple’s own performance with “tests that include multi-threaded workloads and public benchmarks.”

You do, however, get the option. As Apple states, it might depend on how “high risk” your security is. Intel says the decision to disable hyper-threading will depend “on each individual’s security requirements.” If you’re a government agency or a banking institution, maybe that’s an easy decision. But for the average person, it’s a bit more ambiguous.

How much do you really care about your security? That’s the question begged by this entire scenario. Enough to throw away 40% of your computer’s performance? Enough to install the software patches but not go through the “full mitigation?” In certain situations — let’s say you’re a freelance video editor, for example — that drop in performance could be akin to throwing away profits because videos will take longer to encode and edit.

You must choose

When you zoom out from the experience of just one person, the problem compounds. Will the next version of Hyper-threading be ZombieLoad-proof? What about other future technologies? It’s an existential crisis for the entire industry. Improving performance has been the name of the game in computing. We have a need for speed that makes it hard for companies like Intel, AMD, Nvidia, or Qualcomm to take the gas off the pedal.

It’s not unlike the situation we currently face with privacy. Most of us are all too aware of how our data is taken and used, often without our consent. Yet, we’re rarely willing to trade convenience for privacy. It’s a price most of us just aren’t willing to pay.

In the long run, I have a hard time seeing us behaving differently when it comes to security. And that could become a cataclysmic problem for consumer tech.

Topics
Luke Larsen
Luke Larsen is the Senior Editor of Computing, managing all content covering laptops, monitors, PC hardware, Macs, and more.
Nvidia’s RTX 3080 GPUs are crashing. Here’s what we know, and what you can do
nvidia rtx 3080 review 02

If you're one of the lucky gamers or creative professionals who defied the impossible and managed to snag one of the limited inventory of Nvidia's GeForce RTX 3080 flagship graphics card when they dropped, you may have found yourself in for a bit of a roller coaster ride with the new GPU. Gamers have reported instability problems with the card since shortly after the launch that cause the GPU to crash.

Since those reports have emerged, technology sites and industry insiders have offered differing hypotheses on what the issue could be, with both software and hardware being potential culprits. Nvidia has responded and released an updated GeForce driver. Here's what we know, and what you can do right now to prevent crashes from happening if you are the proud owner of an RTX 3080.
The problem

Read more
This gorgeous Mac mini hub exacerbates the power button placement problem
M4 Mac mini with Satechi hub on a desk.

Satechi, known for its high-quality tech accessories, is updating its Mac mini hub for the new M4 model. Like previous hubs, it allows Mac mini owners to expand their storage and ports while preserving airflow, wireless signal, and performance. It looks awesome, but this time, the design highlights the problematic nature of the new Mac mini's placement of its power button.

With previous Mac mini models, the power button was at the back, making it easily accessible even when it was in a Satechi hub. The new button placement on the bottom of the PC, however, may prove even more annoying for anyone who wants to buy this accessory.

Read more
Proton VPN vs. Mullvad: Which is the best open-source VPN?
Proton VPN Plus and Mullvad websites appear in a split-screen on a PC monitor.

Open-source software is exploding in popularity and even virtual private networks (VPNs) share code for transparency. With over 100 million open-source developers contributing to the community, there’s an improved chance to find bugs and patch vulnerabilities.

Proton VPN and Mullvad are among the best VPNs available, and both are open-source solutions. You can browse the code used in Proton VPN and Mullvad on GitHub to check that there isn’t any secret logging or undisclosed data collection.

Read more