Recently we reported about two, possible new, James Bond themed, vulnerabilities in Intel processors that were reportedly based on the infamous Spectre and Meltdown leaks. The websites that announced the so-called Skyfall and Solace vulnerabilities, have now been updated. They reveal the announcements were a ‘social experiment’.
The experiment was conducted by Rob Leadbeater who works as Cloud Linux Engineer at European IT giant Atos.
He recently registered the domains, solaceattack.com and skyfallattack.com. On the domains was written that two new vulnerabilities, Skyfall and Solace, that were based on Specte and Meltdown, would be announced soon. More details about the vulnerabilities would be disclosed once hardware and operating system vendors had sufficient time to patch the leaks.
The websites have now been updated and reveal the vulnerabilities are not real but, “a social experiment to highlight everything that’s wrong with the IT Industry’s approach to security.”
Leadbeater conducted the social experiment as he believes that the amount of time and effort spent on the Spectre and Meltdown vulnerabilities are partly due to their catchy names. He underlines that Spectre and Meltdown are important vulnerabilities but thinks that if they hadn’t had such catchy names, they could have gone (almost) unnoticed.
Leadbeater also raises the question how big chances are to be exploited and wonders why everyone is obsessed over Spectre and Meltdown while there’ve recently been critical vulnerabilities in products from Oracle, Juniper and Microsoft as well. Leadbeater thinks the “catchy name and flashy logo” of Spectre and Meltdown make the difference and that, “the IT industry has a ridiculous fascination with naming security vulnerabilities”.
He end his story stating his websites received more than 100,000 visitors and that he’s surprised about that, as computers users are cautious when opening email and clicking links in them, but apparently not cautious to visit unknown websites.
As Leadbeater concludes, “even without a fancy logo, thousands of people have blindly clicked through to a site, that could easily have been hosting a zero-day exploit or a cryptocurrency miner. If an IT Professional like me could generate that much interest with virtually no effort, imagine how easy it could be for a determined attacker to compromise your systems.”