- Hey guys, this is Austin.
If you use a PC, it's time to listen up.
Put your nerd pants on and
let's take a little adventure
into Danger Town.
There's a new group of
exploits going around
that can cause some
serious damage to your PC.
So they take advantage of what is known
as speculative execution,
and it's similar to
some of the bugs we saw last year,
including Spectre as well as Meltdown.
Something as simple as visiting a website
with malicious JavaScript
or a little bit of a sketchy download
could mean losing control
over all kinds of stuff
which should be very
sensitive and private.
So I'm talking about
passwords, encryption keys.
As far as bugs go, this is
about as bad as it gets.
Now I do want to stress that
all this is theoretical right now,
so researchers have found
these vulnerabilities
and a lot of them have been patched
so it's not out in the wild.
But with these things,
it's only a matter of time
before a plane goes overhead,
and they start to make it into the wild.
So last year brought us
Spectre and Meltdown,
and at first, it seemed
like a major vulnerability.
But of course, they were
patched before too much longer.
However, at this point, it
is very clear that this is
a new class of things that
everyone has to worry about.
It's no longer just software.
There's actual hardware vulnerabilities,
which can cause major problems.
So this actually boils down
to a few different vulnerabilities
that were all announced at the same time.
So there's the super scary name of,
oh god, do I have to say it?
ZombieLoad, yes, ZombieLoad is something
you have to be afraid of,
or the much nicer name of MDS,
because that sounds safe and generic.
- I'm not, that's why
I don't want to say it.
I don't want to say ZombieLoad.
So what separates this
from traditional bugs
that are much more software focused
is that it of course is in hardware.
So there are some patches and
some BIOS updates and stuff,
and I'll get into that in just a minute,
that helps to mitigate this.
But at the end of the day, we
now live in a different era
where hardware itself is being attacked
on a very regular basis,
which means that sure you can
always download a new patch,
but if there's something
that's super fundamental
to the actual hardware itself, it means,
oh I need to buy a new processor
or upgrade my computer.
Now we're not quite to that point yet,
but it is becoming a very scary time.
So we're definitely going
to get into Nerd Town here,
but the way that this all
works is taking advantage of
a feature known as speculative execution.
So essentially what this means is that
modern processors,
specifically on the Intel side,
are always constantly trying to figure out
what you're going to do
before you actually do it.
So instead of saying, waiting
for you to say, open Twitter,
it might have portions of that loaded
or on a much, much smaller scale,
like little tiny bits and pieces.
But the issue here is a lot
of times when it's wrong,
it just throws out that data.
Normally no problem, no harm, no foul,
and your computer's faster.
However, people have
found that you actually
can take some of that junk data,
which on a massive scale can end up being
full of passwords or all kinds of stuff,
and actually harvest
it and then send it off
to who knows where.
It's a really scary thing.
And the problem here is
that it's taking advantage
of very fundamental things
which legitimately mean that
we get a lot of performance
out of our systems,
or well, we lose a lot of performance
if they're patched and
deleted and removed.
Nothing like a bug, which not
only can compromise your data
but the only way to fix it
is to make your computer way slower.
That's not good.
That's not good at all.
Because this bypasses
traditional software things
such as antivirus as well
as all kinds of different
operating system level security features,
what this means is it's just pulling data
straight off of the CPU.
And while a lot of it is garbage,
like I said, if you have
enough of this stuff
and you kinda parse through it,
you can very regularly
pull a lot of things
that you absolutely do
not want to get leaked.
This is something that is a big deal.
So right now, this affects pretty much
any Intel processor
made in the last decade.
However, if you are using a
phone with an ARM processor
or if you have an AMD CPU, it
actually doesn't seem to be
affected just yet, but
don't get too comfortable.
There are definitely more of these things
that are coming in the future.
So Apple, Microsoft, and Google
have all released patches,
and a lot of the stuff
is doing things like
patching the JavaScript and
patching the browsers themselves
as well as operating system level tweaks,
but at the end of the
day, you still do need
an actual BIOS update,
which is coming from Intel,
they've updated a lot of microcode,
but still relies on your
actual hardware vendor
delivering a brand new BIOS update
and for you to install it.
It's not as simple as
turning on Microsoft Update
and being done.
You actually have to make sure that
everything is properly updated
from browser to OS to BIOS.
According to Intel, these patches mean
that you're going to lose a
little bit of performance.
So for the most part, it
should be somewhere between
three and nine percent which
is certainly not insignificant.
However, according to Apple,
it shouldn't be anything
that's all that noticeable
in a browser such as Safari,
so it's kinda hard to say exactly
how big of an impact this will have.
But there's no doubt that this
is not speeding anything up.
It's going to make things
just a little bit slower.
However, that is not the full story.
So according to the security researchers
who actually found this,
that's actually not even going
to do the entire fixing job that we need.
They actually recommend to
turn off hyper-threading,
and that is a big deal,
as hyper-threading delivers
a ton of performance to a CPU
and if you lose that,
well, you're losing like
up to 40% of your processing
power, so not good.
Now, according to Intel, this
is not that big of an exploit
where you have to turn off hyper-threading
and lose that much performance.
But Apple does disagree.
So while by default when you
do all the most recent updates
to macOS it still leaves it on,
but they have introduced
a feature where you can
not only harden the code a little bit more
but importantly you can
turn off hyper-threading,
which is great to make it a
super, super secure system.
And then you say it's for people
who are at elevated risk of
keeping state secrets on
your laptop or something,
but it does mean that if you do it,
you're going to lose a ton of performance.
And it just so happens that
I have a MacBook in my bag
that we can test with right now.
Yeah, see.
You were wondering why I had
the backpack on the whole time.
It's because I was waiting for it.
So to take advantage of
this, you do need a Mac
which is fully up to
date with either Sierra,
High Sierra, or Mojave.
What you can do is you
can restart the system
into recovery mode.
This is the point where I realize that
my Mac is not up to date.
So it turns out that trying to
do a three gigabyte download
while tethering is not the greatest idea,
so it's the next day, I have my MacBook
completely up to date now.
So we'll see if the security patch
actually makes any kind of
real difference to performance.
To do this, you will need to boot your Mac
into recovery mode and
then you'll need to put
these two commands into Terminal,
which I will have listed
in the description.
But with that, we should now have
multi-threading turned off.
So if I restart the system.
So the way you tell if
this actually worked
is to open up System Report.
In the Hardware, you will see that
Hyper-Threading now shows Disabled.
If you're running an
earlier version of macOS,
that won't even be an option.
So now, let's actually see
how much performance we lose
by hardening the system.
I just like saying
hardening, it's just fun.
So we'll let Geekbench do its thing.
Now I do want to stress
this is not by any means
a super scientific test,
so obviously you would need
to do this multiple times,
I would want to use multiple systems.
I'm running on battery
for consistency's sake.
So take all of this stuff
with a grain of salt.
But if hyper-threading
makes as big of a difference
as I know it should, it won't be like,
oh it's like two percent off or something.
We should be losing,
again according to Apple,
up to 40% of our
multi-threading performance
by doing something like this.
So our new score is 5,708 on single core
which is basically identical.
And the multi score
only went down to 23,000
as opposed to 25,000.
So they had quoted a much,
much bigger performance impact.
I almost feel like I want
to spend more time with this
because one slight advantage
to this would be that,
especially with the MacBooks,
given how much they throttle,
this actually might make
a bigger difference.
Okay, I feel like this is getting
way outside the scope of this video,
but even doing something like
disabling hyper-threading
in a very much best case
scenario, not a big deal.
Wow, I'm legitimately really surprised.
That's crazy.
MDS and ZombieLoad are
absolutely a new page
in what will certainly be years
of these brand new
hardware vulnerabilities
that everyone really
needs to stay on top of.
My advice, as always, keep your
operating system up to date,
keep your browser up to date,
and even pay attention to things like
keeping your BIOS up to date.
All of this stuff will
make a big difference
and just pay attention.
There's a lot of this stuff
that will be coming out,
and we will be doing as
many videos as possible
as these things kind of approach.
But I don't know.
It's not a good time for security.
There's a lot of really
scary stuff that's coming up.
And I know it's all
fearmongering and stuff,
but it is legitimately
something to keep in mind,
keep that stuff up to date, for real.