Placeholder Image

字幕表 動画を再生する

  • - Hey guys, this is Austin.

  • If you use a PC, it's time to listen up.

  • Put your nerd pants on and let's take a little adventure

  • into Danger Town.

  • There's a new group of exploits going around

  • that can cause some serious damage to your PC.

  • So they take advantage of what is known

  • as speculative execution, and it's similar to

  • some of the bugs we saw last year,

  • including Spectre as well as Meltdown.

  • Something as simple as visiting a website

  • with malicious JavaScript

  • or a little bit of a sketchy download

  • could mean losing control over all kinds of stuff

  • which should be very sensitive and private.

  • So I'm talking about passwords, encryption keys.

  • As far as bugs go, this is about as bad as it gets.

  • Now I do want to stress that

  • all this is theoretical right now,

  • so researchers have found these vulnerabilities

  • and a lot of them have been patched

  • so it's not out in the wild.

  • But with these things, it's only a matter of time

  • before a plane goes overhead,

  • and they start to make it into the wild.

  • So last year brought us Spectre and Meltdown,

  • and at first, it seemed like a major vulnerability.

  • But of course, they were patched before too much longer.

  • However, at this point, it is very clear that this is

  • a new class of things that everyone has to worry about.

  • It's no longer just software.

  • There's actual hardware vulnerabilities,

  • which can cause major problems.

  • So this actually boils down

  • to a few different vulnerabilities

  • that were all announced at the same time.

  • So there's the super scary name of,

  • oh god, do I have to say it?

  • ZombieLoad, yes, ZombieLoad is something

  • you have to be afraid of,

  • or the much nicer name of MDS,

  • because that sounds safe and generic.

  • - I'm not, that's why I don't want to say it.

  • I don't want to say ZombieLoad.

  • So what separates this from traditional bugs

  • that are much more software focused

  • is that it of course is in hardware.

  • So there are some patches and some BIOS updates and stuff,

  • and I'll get into that in just a minute,

  • that helps to mitigate this.

  • But at the end of the day, we now live in a different era

  • where hardware itself is being attacked

  • on a very regular basis,

  • which means that sure you can always download a new patch,

  • but if there's something that's super fundamental

  • to the actual hardware itself, it means,

  • oh I need to buy a new processor or upgrade my computer.

  • Now we're not quite to that point yet,

  • but it is becoming a very scary time.

  • So we're definitely going to get into Nerd Town here,

  • but the way that this all works is taking advantage of

  • a feature known as speculative execution.

  • So essentially what this means is that

  • modern processors, specifically on the Intel side,

  • are always constantly trying to figure out

  • what you're going to do before you actually do it.

  • So instead of saying, waiting for you to say, open Twitter,

  • it might have portions of that loaded

  • or on a much, much smaller scale,

  • like little tiny bits and pieces.

  • But the issue here is a lot of times when it's wrong,

  • it just throws out that data.

  • Normally no problem, no harm, no foul,

  • and your computer's faster.

  • However, people have found that you actually

  • can take some of that junk data,

  • which on a massive scale can end up being

  • full of passwords or all kinds of stuff,

  • and actually harvest it and then send it off

  • to who knows where.

  • It's a really scary thing.

  • And the problem here is that it's taking advantage

  • of very fundamental things

  • which legitimately mean that we get a lot of performance

  • out of our systems,

  • or well, we lose a lot of performance

  • if they're patched and deleted and removed.

  • Nothing like a bug, which not only can compromise your data

  • but the only way to fix it

  • is to make your computer way slower.

  • That's not good.

  • That's not good at all.

  • Because this bypasses traditional software things

  • such as antivirus as well as all kinds of different

  • operating system level security features,

  • what this means is it's just pulling data

  • straight off of the CPU.

  • And while a lot of it is garbage,

  • like I said, if you have enough of this stuff

  • and you kinda parse through it,

  • you can very regularly pull a lot of things

  • that you absolutely do not want to get leaked.

  • This is something that is a big deal.

  • So right now, this affects pretty much

  • any Intel processor made in the last decade.

  • However, if you are using a phone with an ARM processor

  • or if you have an AMD CPU, it actually doesn't seem to be

  • affected just yet, but don't get too comfortable.

  • There are definitely more of these things

  • that are coming in the future.

  • So Apple, Microsoft, and Google have all released patches,

  • and a lot of the stuff is doing things like

  • patching the JavaScript and patching the browsers themselves

  • as well as operating system level tweaks,

  • but at the end of the day, you still do need

  • an actual BIOS update, which is coming from Intel,

  • they've updated a lot of microcode,

  • but still relies on your actual hardware vendor

  • delivering a brand new BIOS update

  • and for you to install it.

  • It's not as simple as turning on Microsoft Update

  • and being done.

  • You actually have to make sure that

  • everything is properly updated

  • from browser to OS to BIOS.

  • According to Intel, these patches mean

  • that you're going to lose a little bit of performance.

  • So for the most part, it should be somewhere between

  • three and nine percent which is certainly not insignificant.

  • However, according to Apple, it shouldn't be anything

  • that's all that noticeable in a browser such as Safari,

  • so it's kinda hard to say exactly

  • how big of an impact this will have.

  • But there's no doubt that this is not speeding anything up.

  • It's going to make things just a little bit slower.

  • However, that is not the full story.

  • So according to the security researchers

  • who actually found this, that's actually not even going

  • to do the entire fixing job that we need.

  • They actually recommend to turn off hyper-threading,

  • and that is a big deal,

  • as hyper-threading delivers a ton of performance to a CPU

  • and if you lose that, well, you're losing like

  • up to 40% of your processing power, so not good.

  • Now, according to Intel, this is not that big of an exploit

  • where you have to turn off hyper-threading

  • and lose that much performance.

  • But Apple does disagree.

  • So while by default when you do all the most recent updates

  • to macOS it still leaves it on,

  • but they have introduced a feature where you can

  • not only harden the code a little bit more

  • but importantly you can turn off hyper-threading,

  • which is great to make it a super, super secure system.

  • And then you say it's for people who are at elevated risk of

  • keeping state secrets on your laptop or something,

  • but it does mean that if you do it,

  • you're going to lose a ton of performance.

  • And it just so happens that I have a MacBook in my bag

  • that we can test with right now.

  • Yeah, see.

  • You were wondering why I had the backpack on the whole time.

  • It's because I was waiting for it.

  • So to take advantage of this, you do need a Mac

  • which is fully up to date with either Sierra,

  • High Sierra, or Mojave.

  • What you can do is you can restart the system

  • into recovery mode.

  • This is the point where I realize that

  • my Mac is not up to date.

  • So it turns out that trying to do a three gigabyte download

  • while tethering is not the greatest idea,

  • so it's the next day, I have my MacBook

  • completely up to date now.

  • So we'll see if the security patch