Spectre & Meltdown Explained To “Normal People”

Patricia Aas of TurtleSec Norway issued a challenge to the cyber security community:

Go try to explain Spectre and Meltdown to normal people, I dare ya’

Challenge accepted!

Computer and phones use lots of clever tricks to run your apps faster.

One trick is guessing what will happen next, and already do things just in case the things you guessed really happen.

It’s like cooking extra food in case more people than expected join your party.

If it doesn’t happen, you just throw away the extra.

If it does happen, you saved time.

Bad people can write clever apps to use this trick against you.

They can make your computer start preparing for something that will never happen in a way that results in things you don’t want.

This is because, unlike humans, computers are pretty stupid in some ways.

[OK, in fact, we humans are perfectly capable of being pretty stupid too, just in other ways.]

If I tell you I only eat lead-based food, and I might come to your party, you won’t go and start touching and breathing lots of lead to make me a lead cake, just in case I come.

If you ask the computer in the right way, a computer will.

It doesn’t matter that you throw the lead cake in the bin when I don’t come.

You already have lead poisoning.

That’s approximately how Spectre/Meltdown works.

This problem is present in approximately 100% of computers and mobile devices worldwide.

No need to panic though, it is very difficult and expensive to make someone’s computer cook lead cakes.

And, all the time, clever people are putting in additional protections to make it harder for the baddies to make your phone cook lead cakes.

For those interested in diving deeper, here is the website for these bugs, along with detailed technical papers.

Reading this kind of thing, and stopping to look up concepts that are new to you, is a great way to turn yourself into an expert, if that’s what you want.

Note, that the reason for this challenge is that Spectre/Meltdown is one of the most complex hard-to-wrap-your-brain-around security exploits of recent years, and we in cyber security are notoriously bad at explaining things to anyone outside our little bubble.

This kind of challenge is an important exercise worth practicing for us who want to protect “normal people” from security threats.

Not only do you find where you do not in fact understand the concept well enough yourself, making yourself understood is also a necessity for helping to protect your family, friends, and community.