Zombieload forces a choice between performance and security. What will you do?

Another week, another devastating, industry-shaking, cybersecurity threat. This week’s is particularly haunting, though — the resurrected corpse of the Spectre and Meltdown vulnerabilities, aptly known as ZombieLoad.

It’s been over 16 months since the original Spectre and Meltdown vulnerabilities were revealed, and little has been done to assure us our PCs are safe. Each of us has to make a choice between performance and security.

That really sucks.

The Hyper-threading problem

Unlike in 2018, the major companies’ products affected by this vulnerability have responded quickly. Statements and patches from Microsoft, Amazon, Google, Apple, and Intel were all released on day one of the publishing of the discovery. It’s great to see Intel confidently announce the problem it discovered and present the available solutions to its customers.

There are, however, performance compromises to some of these solutions.

Dips in performance (or far worse) were common in the Spectre microcode patches released by Intel in 2018. That was especially true toward the beginning of the process. As in the early days of the fight against ZombieLoad and other Micro-architectural Data Sampling (MDS) vulnerabilities, we’re seeing signs of that same problem.

Now, Intel has already addressed of the issue at the hardware level in its recent 8th and 9th-gen processors, but the biggest bit of confusion has been with the issue of Hyper-threading. It’s a proprietary Intel technology that brings higher thread counts on high core-count processors and allows much better performance in complex multi-threaded applications. It’s one of the primary features that distinguishes between desktop Core i5 processors and the more expensive Core i7 desktop options. But in this case, Hyper-threading presents a possible gap for systems to leak data out of.

While Intel says Simultaneous Multi-Threading could help protect certain systems, it’s not outright recommending disabling Hyper-threading.

“Once these updates are applied, it may be appropriate for some customers to consider additional steps,” said Intel in a statement. “This includes customers who cannot guarantee that trusted software is running on their system(s) and are using Simultaneous Multi-Threading (SMT). In these cases, customers should consider how they utilize SMT for their particular workload(s), guidance from their OS and VMM software providers, and the security threat model for their particular environment. Because these factors will vary considerably by customer, Intel is not recommending that Intel HT be disabled, and it’s important to understand that doing so does not alone provide protection against MDS.”

There’s a serious issue with this statement. Other companies don’t agree with that evaluation. Because the vulnerability affects every Intel chip since 2008 (except for the newer aforementioned 8th and 9th-gen chips), laptop manufacturers and software developers are making their own calls. Google was the first to release an official statement saying Chrome OS 74, the latest software update for Chromebooks, will have Hyper-threading turned off completely.

Hyper-threading isn’t all that common on Chromebooks, so that might not strike you as a big deal. But what about your pumped-up Core i9 MacBook Pro? Or how about your $4,000 iMac Pro? Apple was the second to recommend  its customers disable Hyper-threading. Its instructions for “full mitigation” of the vulnerability include disabling the feature entirely, resulting in a drop in performance by as much as 40%. That’s based on Apple’s own performance with “tests that include multi-threaded workloads and public benchmarks.”

You do, however, get the option. As Apple states, it might depend on how “high risk” your security is. Intel says the decision to disable hyper-threading will depend “on each individual’s security requirements.” If you’re a government agency or a banking institution, maybe that’s an easy decision. But for the average person, it’s a bit more ambiguous.

How much do you really care about your security? That’s the question begged by this entire scenario. Enough to throw away 40% of your computer’s performance? Enough to install the software patches but not go through the “full mitigation?” In certain situations — let’s say you’re a freelance video editor, for example — that drop in performance could be akin to throwing away profits because videos will take longer to encode and edit.

You must choose

When you zoom out from the experience of just one person, the problem compounds. Will the next version of Hyper-threading be ZombieLoad-proof? What about other future technologies? It’s an existential crisis for the entire industry. Improving performance has been the name of the game in computing. We have a need for speed that makes it hard for companies like Intel, AMD, Nvidia, or Qualcomm to take the gas off the pedal.

It’s not unlike the situation we currently face with privacy. Most of us are all too aware of how our data is taken and used, often without our consent. Yet, we’re rarely willing to trade convenience for privacy. It’s a price most of us just aren’t willing to pay.

In the long run, I have a hard time seeing us behaving differently when it comes to security. And that could become a cataclysmic problem for consumer tech.


Windows on a Chromebook is a dead dream, but something better could replace it

Recent code updates posted in Chromium Gerrit indicate that Google has canceled Project Campfire, ending its plans to let Chromebooks dual boot Windows and Chrome OS. Is hope all but lost on this popular feature?

Kwikset’s second-generation deadbolts get smarter and safer

Kwikset introduced the second generation of its Signature Series Deadbolt with Home Connect locks, which feature a more compact design and an improved chipset that offers over-the-air security updates.

The Motorola One Vision is a 21:9 Android One phone with a 48-megapixel camera

Motorola has a new phone, but unlike its Moto G7 series, the Motorola One Vision comes with a promise of two years of Android version updates, and three years of security updates. That's because it's an Android One phone.

ZombieLoad is Meltdown resurrected. Here’s how to secure your PC right now

This year's follow up to Intel's Meltdown and Spectre chipocalypse is the new MDS attack. Four distinct attack methods have been uncovered that could leave your data exposed, but thankfully patches are already available.

The new ThinkPad X1 Extreme has a 4K OLED screen and a Core i9 processor

The ThinkPad X1 Extreme is one powerful laptop, and now Lenovo has announced its second generation. The new version comes with a vibrant 4K OLED display and the latest 9th-gen Core i9 processor.

Best Buy flash sale drops the Microsoft Surface Pro 6 down to its lowest price

Amazon recently slashed prices on the Surface Pro 6 and Surface Laptop, but Best Buy is offering an even bigger bang for your buck. Today only, score your Microsoft Surface Pro 6 to the lowest price we've seen.
Product Review

Microsoft’s Surface Laptop 2 launched last year, but already feels old

Released in fall of 2018, the Surface Laptop 2 was competitive at the time but now must deal with new competitors that were announced at CES 2019. How does the popular Surface Laptop 2 hold up six months later?

The Dell XPS 13 headlines the best laptop deals for May 2019

Whether you need a new laptop for school or work or you're just doing some post-holiday shopping, we have you covered: These are the best laptop deals going right now, from discounted MacBooks to on-the-go gaming PCs.

The best Amazon Prime Day 2019 deals: Everything you need to know

Amazon Prime Day 2019 is still a few months off, but it's never too early to start preparing. We've been taking a look at the best discounts from previous Prime Days to give you our predictions of what to expect this year.

Is Threadripper dead? If so, AMD has made a huge mistake

Think Threadripper is dead? Think again. AMD's flagship CPU line might not be on this year's roadmap, but it's not dead and could well bring some amazing new enhancements when it returns.
Social Media

6 easy ways to archive all of your favorite Instagram videos

Saving Instagram videos should be just as easy as taking a screenshot. So, we've put together a list of the best apps and tools that save your favorite Instagram videos onto your phone or computer.

Cybercrime gang that stole $100M busted in international effort

A major cybercrime gang that used powerful malware to steal an estimated $100 million from bank accounts has been dismantled following an international effort that spanned six countries.

G-Sync is a game-changer. These are the best monitors with Nvidia's display tech

Looking for a monitor that plays well with Nvidia GPUs? You need G-Sync and we have picked the best G-Sync monitors available. Take a look and find out which monitor works best for your PC upgrade.

Microsoft is discounting this Surface Laptop 2 by a sweet $300

Microsoft is offering a nearly 14-inch Surface Laptop 2 with 256GB of storage at a $300 discount until May 18, 2019. The laptop comes with a PixelSense display, and Intel Core i5 processor and a 720p HD camera.