If you use a PC, it's time to listen up.

Put your nerd pants on and let's take a little adventure

into Danger Town.

There's a new group of exploits going around

that can cause some serious damage to your PC.

So they take advantage of what is known

as speculative execution, and it's similar to

some of the bugs we saw last year,

including Spectre as well as Meltdown.

Something as simple as visiting a website

with malicious JavaScript

or a little bit of a sketchy download

could mean losing control over all kinds of stuff

which should be very sensitive and private.

So I'm talking about passwords, encryption keys.

As far as bugs go, this is about as bad as it gets.

Now I do want to stress that

all this is theoretical right now,

so researchers have found these vulnerabilities

and a lot of them have been patched

so it's not out in the wild.

But with these things, it's only a matter of time

before a plane goes overhead,

and they start to make it into the wild.

So last year brought us Spectre and Meltdown,

and at first, it seemed like a major vulnerability.

But of course, they were patched before too much longer.

However, at this point, it is very clear that this is

a new class of things that everyone has to worry about.

It's no longer just software.

There's actual hardware vulnerabilities,

which can cause major problems.

So this actually boils down

to a few different vulnerabilities

that were all announced at the same time.

So there's the super scary name of,

oh god, do I have to say it?

ZombieLoad, yes, ZombieLoad is something

you have to be afraid of,

or the much nicer name of MDS,

because that sounds safe and generic.

- I'm not, that's why I don't want to say it.

I don't want to say ZombieLoad.

So what separates this from traditional bugs

that are much more software focused

is that it of course is in hardware.

So there are some patches and some BIOS updates and stuff,

and I'll get into that in just a minute,

that helps to mitigate this.

But at the end of the day, we now live in a different era

where hardware itself is being attacked

on a very regular basis,

which means that sure you can always download a new patch,

but if there's something that's super fundamental

to the actual hardware itself, it means,

oh I need to buy a new processor or upgrade my computer.

Now we're not quite to that point yet,

but it is becoming a very scary time.

So we're definitely going to get into Nerd Town here,

but the way that this all works is taking advantage of

a feature known as speculative execution.

So essentially what this means is that

modern processors, specifically on the Intel side,

are always constantly trying to figure out

what you're going to do before you actually do it.

So instead of saying, waiting for you to say, open Twitter,

it might have portions of that loaded

or on a much, much smaller scale,

like little tiny bits and pieces.

But the issue here is a lot of times when it's wrong,

it just throws out that data.

Normally no problem, no harm, no foul,

and your computer's faster.

However, people have found that you actually

can take some of that junk data,

which on a massive scale can end up being

full of passwords or all kinds of stuff,

and actually harvest it and then send it off

to who knows where.

It's a really scary thing.

And the problem here is that it's taking advantage

of very fundamental things

which legitimately mean that we get a lot of performance

out of our systems,

or well, we lose a lot of performance

if they're patched and deleted and removed.

Nothing like a bug, which not only can compromise your data

but the only way to fix it

is to make your computer way slower.

That's not good.

That's not good at all.

Because this bypasses traditional software things

such as antivirus as well as all kinds of different

operating system level security features,

what this means is it's just pulling data

straight off of the CPU.

And while a lot of it is garbage,

like I said, if you have enough of this stuff

and you kinda parse through it,

you can very regularly pull a lot of things

that you absolutely do not want to get leaked.

This is something that is a big deal.

So right now, this affects pretty much

any Intel processor made in the last decade.

However, if you are using a phone with an ARM processor

or if you have an AMD CPU, it actually doesn't seem to be

affected just yet, but don't get too comfortable.

There are definitely more of these things

that are coming in the future.

So Apple, Microsoft, and Google have all released patches,

and a lot of the stuff is doing things like

patching the JavaScript and patching the browsers themselves

as well as operating system level tweaks,

but at the end of the day, you still do need

an actual BIOS update, which is coming from Intel,

they've updated a lot of microcode,

but still relies on your actual hardware vendor

delivering a brand new BIOS update

and for you to install it.

It's not as simple as turning on Microsoft Update

and being done.

You actually have to make sure that

everything is properly updated

from browser to OS to BIOS.

According to Intel, these patches mean

that you're going to lose a little bit of performance.

So for the most part, it should be somewhere between

three and nine percent which is certainly not insignificant.

However, according to Apple, it shouldn't be anything

that's all that noticeable in a browser such as Safari,

so it's kinda hard to say exactly

how big of an impact this will have.

But there's no doubt that this is not speeding anything up.

It's going to make things just a little bit slower.

However, that is not the full story.

So according to the security researchers

who actually found this, that's actually not even going

to do the entire fixing job that we need.

They actually recommend to turn off hyper-threading,

and that is a big deal,

as hyper-threading delivers a ton of performance to a CPU

and if you lose that, well, you're losing like

up to 40% of your processing power, so not good.

Now, according to Intel, this is not that big of an exploit

where you have to turn off hyper-threading

and lose that much performance.

But Apple does disagree.

So while by default when you do all the most recent updates

to macOS it still leaves it on,

but they have introduced a feature where you can

not only harden the code a little bit more

but importantly you can turn off hyper-threading,

which is great to make it a super, super secure system.

And then you say it's for people who are at elevated risk of

keeping state secrets on your laptop or something,

but it does mean that if you do it,

you're going to lose a ton of performance.

And it just so happens that I have a MacBook in my bag

that we can test with right now.

Yeah, see.

You were wondering why I had the backpack on the whole time.

It's because I was waiting for it.

So to take advantage of this, you do need a Mac

which is fully up to date with either Sierra,

High Sierra, or Mojave.

What you can do is you can restart the system

into recovery mode.

This is the point where I realize that

my Mac is not up to date.

So it turns out that trying to do a three gigabyte download

while tethering is not the greatest idea,

so it's the next day, I have my MacBook

completely up to date now.

So we'll see if the security patch

actually makes any kind of real difference to performance.

To do this, you will need to boot your Mac

into recovery mode and then you'll need to put

these two commands into Terminal,

which I will have listed in the description.

But with that, we should now have

multi-threading turned off.

So if I restart the system.

So the way you tell if this actually worked

is to open up System Report.

In the Hardware, you will see that

Hyper-Threading now shows Disabled.

If you're running an earlier version of macOS,

that won't even be an option.

So now, let's actually see

how much performance we lose by hardening the system.

I just like saying hardening, it's just fun.

So we'll let Geekbench do its thing.

Now I do want to stress this is not by any means

a super scientific test,

so obviously you would need to do this multiple times,

I would want to use multiple systems.

I'm running on battery for consistency sake.

So take all of this stuff with a grain of salt.

But if hyper-threading makes as big of a difference

as I know it should, it won't be like,

oh it's like two percent off or something.

We should be losing, again according to Apple,

up to 40% of our multi-threading performance

by doing something like this.

So our new score is 5,708 on single core

which is basically identical.

And the multi score only went down to 23,000

as opposed to 25,000.

So they had quoted a much, much bigger performance impact.

I almost feel like I want to spend more time with this

because one slight advantage to this would be that,

especially with the MacBooks, given how much they throttle,

this actually might make a bigger difference.

Okay, I feel like this is getting

way outside the scope of this video,

but even doing something like disabling hyper-threading

in a very much best case scenario, not a big deal.

Wow, I'm legitimately really surprised.

That's crazy.

MDS and ZombieLoad are absolutely a new page

in what will certainly be years

of these brand new hardware vulnerabilities

that everyone really needs to stay on top of.

My advice, as always, keep your operating system up to date,

keep your browser up to date,

and even pay attention to things like

keeping your BIOS up to date.

All of this stuff will make a big difference

and just pay attention.

There's a lot of this stuff that will be coming out,

and we will be doing as many videos as possible

as these things kind of approach.

But I don't know.

It's not a good time for security.

There's a lot of really scary stuff that's coming up.

And I know it's all fearmongering and stuff,

but it is legitimately something to keep in mind,

keep that stuff up to date, for real.