Meltdown & Spectre discoveries credited to 22-year-old German genius

The identification of the "Meltdown" and "Spectre" vulnerabilities in Intel- and ARM-based processors — including chips used in Apple's Macs, iPhones, and iPads — can be credited almost entirely to a Google security researcher in his early 20s, Jann Horn.

Originally from Germany, Horn now works in Zurich, Switzerland with Project Zero, Google's zero-day team, Bloomberg noted on Wednesday. He's said to have discovered the issues while working alone, beginning in April, when he was reading Intel processor manuals to make sure chips could handle code he'd written.

It's in reading about speculative execution that Horn realized that sensitive data was being kept in memory and could potentially be accessed by clever hacking. After talking to a fellow Google researcher, he arrived at the idea of tricking a processor into unusual speculative executions that could be used to fetch specific data.

Horn eventually told Intel, ARM, and AMD about the situation on June 1. By the time Meltdown and Spectre were announced to the public this January, Horn was given lead credit.

Accounts differ on the amount of contact between Horn and Intel. At a conference in Zurich on Jan. 11, Horn said that after his initial data sharing, there was no discussion until Intel called him in early December to confirm other researchers had found the same issues. A Google spokesman, Aaron Stein, insists however that there was much more chatter.

"Jann and Project Zero were in touch with Intel regularly after Jann reported the issue," Stein told Bloomberg.

Apple has already released several related security fixes, with more in the works. It's nevertheless facing multiple lawsuits, as are companies like ARM and Intel.

17 Comments

MplsP 4021 comments · 8 Years

About 6 years ago

I admittedly haven’t read extensively on the Meltdown/Spectre flaws, but the fact that it’s present in multiple processor from different manufacturers and of different types tells me this is a flaw with the underlying chip design architecture that has been used for many years now without anyone discovering the hole. Kudos to Mr. Horn for discovering the flaw, but reading this and the articles about all the class action lawsuits, I can’t understand how Intel, Apple or any other manufacturer should be held liable for something that no one knew about until 6 months ago at best. Or am I just making the mistake of applying common sense to the law?

mike1 3432 comments · 10 Years

About 6 years ago

MplsP said:

I admittedly haven’t read extensively on the Meltdown/Spectre flaws, but the fact that it’s present in multiple processor from different manufacturers and of different types tells me this is a flaw with the underlying chip design architecture that has been used for many years now without anyone discovering the hole. Kudos to Mr. Horn for discovering the flaw, but reading this and the articles about all the class action lawsuits, I can’t understand how Intel, Apple or any other manufacturer should be held liable for something that no one knew about until 6 months ago at best. Or am I just making the mistake of applying common sense to the law?

Don't confuse lawsuits with law. Anybody can file a suit, for almost any reason. The merit of that suit is what will determine if they actually win. I would bet there is a good chance all these suits will be dismissed before they even get to a trial.

airnerd 688 comments · 13 Years

About 6 years ago

MplsP said:

I admittedly haven’t read extensively on the Meltdown/Spectre flaws, but the fact that it’s present in multiple processor from different manufacturers and of different types tells me this is a flaw with the underlying chip design architecture that has been used for many years now without anyone discovering the hole. Kudos to Mr. Horn for discovering the flaw, but reading this and the articles about all the class action lawsuits, I can’t understand how Intel, Apple or any other manufacturer should be held liable for something that no one knew about until 6 months ago at best. Or am I just making the mistake of applying common sense to the law?

Nailed it...too much common sense. Lawyers all want to be the first to hit mega-corporations in order to take the lead or make more money on the class action status. It's a "file first and then figure out standing later" mentality, and it will keep happening as long as there are few to no ramifications.

pdbreske 45 comments · 9 Years

About 6 years ago

MplsP said:

Or am I just making the mistake of applying common sense to the law?

Your mistake isn't in applying common sense, it's in assuming lawyers for the plaintiffs are motivated by anything other than an easy payday. They are hoping that Apple et al will settle instead of pursuing a lengthy and expensive trial. As Mike1 points out, these will likely be thrown out of court, but if a judge decides there is some merit to the suit, there will be a non-trivial settlement paid to the plaintiffs (and their lawyers) to avoid the trial.

viclauyyc 847 comments · 10 Years

About 6 years ago

airnerd said:

MplsP said:

I admittedly haven’t read extensively on the Meltdown/Spectre flaws, but the fact that it’s present in multiple processor from different manufacturers and of different types tells me this is a flaw with the underlying chip design architecture that has been used for many years now without anyone discovering the hole. Kudos to Mr. Horn for discovering the flaw, but reading this and the articles about all the class action lawsuits, I can’t understand how Intel, Apple or any other manufacturer should be held liable for something that no one knew about until 6 months ago at best. Or am I just making the mistake of applying common sense to the law?

Nailed it...too much common sense. Lawyers all want to be the first to hit mega-corporations in order to take the lead or make more money on the class action status. It's a "file first and then figure out standing later" mentality, and it will keep happening as long as there are few to no ramifications.

Is there a way to counter suit the plaintiff if the judge deemed the the suit is totally bs for damage in US?