I ended my my blog post Secure? You better believe it about the discovery of microprocessor security vulnerabilities with this:
I wonder what Bruce Schneier will say?
The question has been answered. Here are some notable points:
“Throw it away and buy a new one” is ridiculous security advice, but it’s what US-CERT recommends. It is also unworkable. The problem is that there isn’t anything to buy that isn’t vulnerable. Pretty much every major processor made in the past 20 years is vulnerable to some flavor of these vulnerabilities. Patching against Meltdown can degrade performance by almost a third. And there’s no patch for Spectre; the microprocessors have to be redesigned to prevent the attack, and that will take years.
In short, we are all stuck in a hole not of our making.
Later on, there is some practical advice about what you should do:
This isn’t to say you should immediately turn your computers and phones off and not use them for a few years. For the average user, this is just another attack method amongst many. All the major vendors are working on patches and workarounds for the attacks they can mitigate. All the normal security advice still applies: watch for phishing attacks, don’t click on strange e-mail attachments, don’t visit sketchy websites that might run malware on your browser, patch your systems regularly, and generally be careful on the Internet.
As they used to say on Hill Street Blues, let’s be careful out there.