Everything you need to know about the computer chip security mess By Francis Navarro, Komando.com

Boy, the computer security world has been abuzz because of the two major critical chip flaws that were recently brought into the public eye.

The security issues, known as Meltdown and Spectre, are probably the worst bugs found in processors ever and they might fundamentally change how chips will be designed moving forward.

Read on to learn what we know so far about these massive security vulnerabilities.

Speculative execution: the heart of these flaws

Both Meltdown and Spectre exploit a process called "speculative execution," a capability built into every modern processor.

This process makes chips faster by allowing them to predict what tasks your gadget may need and execute them beforehand whether you actually need a task or not. If a task is not needed, then it is discarded.

As demonstrated by Google's Project Zero team, attackers can then exploit flaws caused by this predictive process to access protected areas of a system's memory.

Due to how data is being cached in these areas, hackers can then read and steal sensitive information such as passwords, encryption keys, login info and even files. Anything cached is fair game.

Keep in mind that these flaws are entirely a new class of attacks, meaning, this is the first time a processor's "speculative execution" process has been found to be exploitable.

Since this process is being used as a core optimization technique by all modern chips, this discovery will potentially change everything and it will require a redesign of how chips work. Yep, it really sounds bad, folks.

Note: Meltdown is known as Variant 3 of this type of attack, specific to Intel chips. Spectre attacks are Variants 1 and 2 and these are said to impact AMD, ARM, and Intel chips.

Meltdown

The first flaw that was reported by "The Register" is officially known as Meltdown. This critical design flaw was discovered in Intel processing chips that could let attackers gain access to protected kernel memory areas and steal sensitive information like passwords, login data, security keys and files that are still cached on your computer's disk.

To fix this particular flaw, the kernel's memory has to be separated from user processes completely (known as Kernel Page Table Isolation). The downside - according to initial tests, this isolation was found to slow down your Intel-based computers.

Spectre

Spectre is the name the two other variants of this new class of attacks and it can potentially be even worse than Meltdown.

First, unlike Meltdown, which reportedly primarily affects Intel chips, the Spectre bug can impact chips from every major manufacturer - ARM, AMD, and Intel. This puts almost every computer, smartphone and tablet at risk of Spectre attacks.

Secondly, while Meltdown can be addressed with software patches, Spectre appears to be a fundamental flaw in how processors work and a software patch may not be able to fix it.
Spectre also abuses flaws in a processor's speculative execution process and does it by taking advantage of the timing delay between the CPU's data cache and the validity checks for a memory access call.

Fortunately, on the flipside, it looks like Spectre is harder to exploit than Meltdown.

Intel's response

Intel confirmed that the design flaws exist and it is working on a solution that will not significantly bog down computers. Since Meltdown is the only variant that is currently patchable via software, we're assuming that the company is referring to this specific flaw.

The company also stated that the problem is not unique to Intel chips. Technically this is true because, as mentioned earlier, the Spectre variants affect AMD and ARM chips, as well.

Intel also disputes the claims regarding the performance hits that the fix will bring. The company stated that the slowdowns are dependent on the tasks at hand and average users will not be significantly affected.

"Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time," Intel wrote in an official statement.

Furthermore, Intel stated that its updates for all types of Intel machines will render them immune from BOTH Meltdown and Spectre attacks.

AMD's response

Advanced Micro Devices aka AMD, also issued its own statement regarding these flaws. Contrary to earlier reports that stated that AMD processors are impacted by at least one Spectre variant, AMD believes that its chips are not vulnerable to all three variants of the attack, including Spectre.

According to AMD:
"To be clear, the security research team identified three variants targeting speculative execution. The threat and the response to the three variants differ by microprocessor company, and AMD is not susceptible to all three variants. Due to differences in AMD's architecture, we believe there is a near zero risk to AMD processors at this time."

Since the Spectre flaw is apparently a fundamental design flaw in virtually all modern chips made in the last 20 years, we'll have to wait for third-party security researchers to confirm AMD's claims.

What now?

Google's Project Zero wrote that there is no single fix for all variants and each requires a specific method of protection.

Fortunately, it is believed that the vulnerabilities have NOT been exploited as of yet and there is no evidence that hackers have abused or are actively abusing them. Technical details about the flaws are still scarce, buying hardware and software vendors some time.

However, since the existence of these flaws is now publicly known, issuing patches and security updates to mitigate these flaws will be the first order of business for hardware and software vendors.

What can you do to protect yourself against the chip flaws?

In the meantime, prepare for these inevitable updates that you must apply as soon as you can to protect yourself from the "chip-ocalypse."

Microsoft

Microsoft will likely push its fixes in this month's Patch Tuesday updates for supported Windows systems. Most Windows machines are set to download and install updates automatically by default. If you haven't changed your automatic update settings then you should be fine.

On Windows 10, click Start (Windows logo), choose "Settings," select "Update & Security," then on the "Windows Update" section, click on "Advanced Options." (Note: the "Windows Update" section is also handy for showing you updates that are currently being downloaded or applied.) Under "Advanced Options," just make sure the drop down box is set to "Automatic."

Apple

Apple has also confirmed that its products are also affected by the chip flaws. The company wrote in a post that it has already released mitigations for Meltdown in iOS 11.2, macOS 10.12.2, and tvOS 11.2. This means Macs, iPhones, iPads, and Apple TVs are all impacted by either Meltdown or Spectre variants so make sure you keep all your Apple gadgets up to date. Note: The Apple Watch is not affected by Meltdown.

Google and Android

Google stated that it already issued security patches for its Nexus and Pixel phones. Chromebooks also received patches later this week.

Although the software fixes are ready, rollouts for other Android phones from companies like Samsung and LG, for example, will depend on the carrier and the phone manufacturers themselves.

Keep checking for the latest updates for your Android gadget and apply them as soon as you can.
To manually update your Android gadget, Go to Settings >> scroll down, click on 'About Phone' or 'About Tablet.' (If you have a tabbed settings menu then this will appear in the 'general' section) >> click software update >> click install now, install overnight, or later.

Web Browsers

Since Meltdown can also be initiated via web browsers using JavaScript applications, Google Chrome, Mozilla Firefox, Apple Safari, and Microsoft Edge updates have incoming updates, as well.
Firefox 57.0.4 has security patches for both Meltdown and Spectre exploits by disabling a feature called SharedArrayBuffer. Firefox ordinarily updates itself when you open it by default. To manually update, visit mozilla.com/firefox for the latest version.

Google recommends turning on an optional feature in its Chrome browser called Site Isolation to protect against the chip flaws for now. Proper security patches will be included in Chrome 64, due out on January 23.

To turn on Chrome's Site Isolation, paste this on your Chrome address bar: chrome://flags#enable-site-per-process, then click Enable on "Strict Site Isolation."

For more information about Chrome's Site Isolation, click here.

Safari
Apple is set to release an update in the next few days for Safari for Macs and iOS to mitigate the Meltdown and Spectre exploits. Apple claims that its Safari fixes have no significant impact on its speed.

Microsoft Edge and Internet Explorer 11
As mentioned earlier, Microsoft will likely push its security fixes with this month's Patch Tuesday updates and this will include patches for Microsoft Edge and Internet Explorer 11.

And don't forget - Always follow computer safety basics

Aside from keeping your gadgets updated with the latest software, following basic computer safety practices should protect you from these threats.

Since these flaws still require malicious code to execute on your computer or gadget, avoid clicking on unknown links and attachments on emails and refrain from installing software and apps from unofficial sources.

Avoid clicking on website ads too that may harbor malicious code. If you want to take it a step further, you can turn off Javascript on your browser (this will limit functionality, however.)

As bad as it looks, there's actually no real reason to panic. Performance hit or not, the incoming patches should mitigate Meltdown's flaw. Spectre, on the other hand, is difficult to execute so its widespread impact will be fairly limited.

Spectre, on the other hand, likely can't be fixed by a simple software patch and security pundits are saying that it might take a new generation of chips to completely eradicate it. Hopefully, updates can still be issued to at least lessen its potency.

A few questions

With these revelations, we can't help but pose some interesting questions. First, why did it take more than 20 years to discover these flaws? Does it take extensive technical and software engineering skills to pull them off in the first place?

Did the chip makers know something that they didn't want the rest of the computing world to know? Considering it will require a total rethinking of how chips are designed, didn't they factor how they can affect a processor's speed?

Are they expecting us to relegate all our old flawed gadgets to that big tech recycle bin and wait for newer chips that, of course, will be immune to these flaws? Just asking.

Read More

Apple's HomePod speaker: Either way late or way earlyby David Pogue

Apple (AAPL) has never been ashamed to be late to the party. The iPod wasn’t the first pocket music player; the iPhone wasn’t the first cellphone; the Apple Watch wasn’t the first smartwatch. But in each case, Apple won the category by making its product better. 

On Friday, you’ll be able to buy the HomePod, Apple’s answer to the smart speakers from companies like Amazon, Google, and Sonos. It is indeed way late to the party, even by Apple’s definition — last June, Apple said that it would ship the HomePod in time for the holidays.

But the HomePod is better only in the “speaker” sense. Despite all of those delays, despite the chance Apple has had to study its rivals, despite the fact that Apple says it’s been working on the HomePod for six years, the “smart” part of this speaker is way behind.

Which is so weird. Apple’s voice assistant, Siri, was born before Alexa, “OK Google,” and Cortana. It had a huge head start. It has no excuse now for being the dumbest smart assistant on the market.

View photos

The Apple HomePod is here at last: get a black or white pod in your home.

Music first

You hear people shrieking about the HomePod’s price, which is $350. “I could get an Amazon Echo Dot for $40!”

Well, yeah. And instead of buying a Tesla, you could buy a bike off of Craigslist. It’s just not the same thing.

This thing is built. It’s a heavy, squat cylinder (6.8 inches by 5.6 inches), available in black or white. Rubber on the bottom, cloth mesh around the sides, touch-sensitive screen on the top. Even the power cord is dressed up.

View photos

The HomePod’s cord is wrapped in fabric, too.

The touchscreen on the top never displays words or recognizable pictures; it exists solely to offer a cool, colorful swirling LED light whenever HomePod is speaking or listening. Then it goes black.

View photos

Apple says that your music habits are encrypted and anonymized before anything’s transmitted to its servers.

Setting up the HomePod is incredibly easy: You just bring your iPhone near it and tap Set Up.

View photos

Things get off to a very easy start.

After a few setup screens (including, inevitably, an Apple Music ad), your Apple account password and home Wi-Fi password get transmitted automatically, and then you’re good to listen.

View photos

The iPhone walks you through the HomePod setup. No iPhone? No HomePod for you!

Assuming you’re among the 40 million subscribers of the Apple Music service ($10 a month), you’re in for a glorious ride. You can ask it to start playing music by genre, band, song name, album name, whatever. “Hey Siri — play Coldplay.” “Hey Siri — play me some 80’s dance tunes.” “Hey Siri — play ‘The Wall.’” “Hey Siri, next track.” “Hey Siri, volume up.” “Hey Siri, stop.”

You tap the top to pause playback, or tap + and – to adjust the volume. You can also double-tap for “next track,” or triple-tap for “previous track.”

View photos

You can tap these buttons for volume adjustment—or just speak your volume requests.

The audio quality will floor you. Let’s just get one thing straight: The HomePod sounds better than the Google Home Max ($400), the Sonos One ($200), or the Amazon Echo Plus ($150), let alone all the smaller Echos and Google Homes. This isn’t a matter of opinion; it’s a universal reaction, based on blind side-by-side blind listening tests I’ve conducted with listeners from all walks of demographics. (I’ll post the video here on Friday.) The HomePod has the most balanced midrange, the most detailed highs, and a crisp, muscular, musical bass the other little guys can’t touch.

View photos

From left: The Amazon Echo Plus ($150), Google Home Max ($400), Apple HomePod ($350), Sonos One ($200). The HomePod sounds best.

Maybe that’s because the HomePod contains seven tweeters, arrayed in a circle, and a gigantic, 4-inch woofer, capable of moving 0.8 inches, pointing out the top. Or, as Apple describes it, “array of seven beam-forming tweeters, each with its own amplifier and transducer. And each custom designed with a precision acoustic horn that focuses sound for tremendous directional control.” But you knew that.

View photos

Here’s what the HomePod looks like naked.

At top volume, the HomePod is powerful enough to fill your entire downstairs, or your entire yard. It gets really loud — so loud that Siri asks if you’re sure you want to crank it that loud before doing so. And guess what? It doesn’t distort at 100 percent, like the Google Home Max does.

The HomePod also contains six microphones. They’re designed to pick up your voice commands even when you’re across the room, even when it’s blasting music. (My 13-year-old is fond of subjecting his parents to the following prank. He tells our Amazon Echo: “Alexa, play ‘Who Let the Dogs Out’ at 100% volume.” The Echo complies — but at that point, it’s impossible for it to hear any further commands! There’s no way to stop it except to get off the couch, march over, and tap it. The HomePod, on the other hand, can always hear you. You can say: “Hey Siri — tell me about this album.” “Hey Siri — who’s this singer?” “Hey Siri — play more like this.” And so on.)

But Apple says that the six microphones also serve to sample the proximity of the walls and ceilings around it. It instantly reconfigures what’s coming out of those seven tweeters so that the important stuff, like the band and the singers, come out toward the room, and the ones on the sides handle reverb, applause, and the like.

I don’t know about all that — there’s really no way to tell if all that’s happening. But never mind. The HomePod sounds really, really great.

Siri second

If you’re among the 39 million Americans who own an Amazon Echo or Google Home, you already have certain expectations of the things it can do for you. You can ask about sports, weather, news, measurements, facts, timers, reminders, and so on.

And you can voice-control your home, to the extent that you’ve bought Apple HomeKit-compatible thermostats, lights, and so on. Unfortunately, Google and, especially, Amazon are way, way ahead on smart-home compatibility. Siri can’t even control anything from Nest, which is probably the most popular brand.

But the sad, stunning fact is that the HomePod can’t do a lot of the things that the other speakers can— or even things Siri on your iPhone can. It can’t call you an Uber. It can’t tell you what’s on your calendar. It can’t set up more than one timer at a time (sorry, kitchen chefs). It can’t check your email.

It also can’t make free speakerphone calls to any number without needing a phone, the way the Amazon Echo and Google Home can. You can use the HomePod for dictating texts and reading incoming ones, if your iPhone is within range; and the HomePod can be a speakerphone for the iPhone.

But the HomePod can’t tell apart different voices in your family, the way the Google and Amazon speakers can. So if the texting feature is on, there’s nothing to stop other people from sending texts “from you” while you’re in the shower, or listening to your incoming texts when you’re upstairs. For a company that touts its dedication to personal privacy, Apple dropped the ball on this one.

Oh, and while we’re categorizing our disappointments: You can’t set up two HomePods as a stereo pair, as you can with Google or Sonos smart speakers. Nor is the HomePod multi-room; you can’t say “Play Barry White in the bedroom,” as you can with its rivals. Apple says that both of those features will come later in the year. (What exactly were you doing during those six years, Apple?)

Velvet handcuffs

The most astonishing limitation of the HomePod is that you must own an iPhone, iPad, or iPod Touch to set it up, and you must be an Apple Music subscriber to voice-control music. (It can also play what’s in your iTunes or iTunes Match libraries.) Unless you’re all-in on Apple, you can’t even use this thing.

That’s right. Apple’s $350 smart speaker has never heard of Spotify, the music service that’s twice as popular as Apple Music (70 million subscribers). No Spotify, no Pandora, no Google Play, no iHeart Radio.

Now, you can start up these services on their various iPhone apps and send the playback through the HomePod. But you can’t command them by voice, which is the whole point.

“Totally understandable,” you might say. “Apple runs a music service — they want to drive customers to that.” Well, sure, but so do Google and Amazon. Yet their speakers let you control Spotify and other services by voice. And they don’t require one phone brand or another.

For most people looking for a smart speaker, I’d recommend the Sonos One (here’s my review). Its audio quality is just shy of the HomePod’s (you’d notice a difference only in a direct A/B comparison test). It contains Amazon Alexa and “OK Google.” It’s multi-room, it’s stereo-pairable, and — here’s the kicker — you can buy two for the price of a single HomePod.

Bringing HomePod

Being late to the party is an Apple hallmark — but so is starting out with a lame 1.0 version. The first iPod worked only with Macs, not Windows. The first MacBook Air was painfully slow. The first Apple Music app was a hot, confusing mess. And how about the Apple Watch 1.0? Yeah — nobody touched it.

Maybe that’s the master plan for the HomePod, too.

View photos

It’s a 1.0 product, for sure.

We already know that Apple is working on letting you use two in a stereo pair, and developing multi-room features (“Hey Siri, play Taylor Swift in the playroom”). So maybe Apple’s also assembling a team of voice engineers to bring Siri out of its 2011 rut. Maybe a software update will bring speaker-independent voice recognition, so each family member can ask about their own calendars, texts, and playlists. And maybe Apple’s lawyers are furiously hammering out the deals with Spotify and Pandora even as we speak.

Until then, the HomePod sounds amazing only in the literal sense. Otherwise, it’s best suited only to a core audience of true-blue Appleheads: people who use the iPhone, signed up for Apple Music, and, preferably, live alone.

In other words, maybe the HomePod isn’t late to the party. Maybe it’s just really, really early.

Read More