Hacker News
by cookiecaper 3085 days ago
Physical security is not necessarily automatic, but it's much more straightforward than computer security. You don't have to worry about someone in Russia getting a hold of your pen and paper while you're sitting there with it in your room.

I think that anyone who has worked professionally understands that it's a miracle we make it through life with the relatively limited quantity of exposures and accidents that we have. Things like Spectre/Meltdown usually don't get the notice of people who care to expose them publicly until they've been privately theorized, discussed, and practiced in some form for many years.

Personally I believe that if Spectre had come out 10 years prior, the likely response from Linus et al would've been "How about instead of crippling useful CPU speed optimizations, we just don't let random people feed instructions to our CPUs." Obviously, with cloud computing underpinning so much critical profit/surveillance-- uh, I mean, infrastructure-- these days, that won't fly. (Meltdown is a different story since the CPU is supposed to be protecting that.)

Computers are very complex systems designed by people. Work with more than 5 people and you quickly learn how much trust is warranted in complex systems designed by people (hint: very little).

I absolutely believe that relying on the security properties of the physical world, particularly "this item cannot exist in more than one place at a time, nor can it be replicated and transmitted across the earth in under one second", is much more reliable than any computer security.

Pen and paper is the only way to go for the truly paranoid.

1 comments

I would not at all be surprised if Spectre and Meltdown were already known at nation-state level; they have a lot of resources to throw at problems like this. The fact that Google provides this service for free is an amazing counterbalance to that kind of power; the bugs don't magically disappear, but at least the playing field has been leveled a bit.
It is my impression that analysis of side channels has been done and professionalized in the intelligence community for a long time before it became an important consideration in the general IT community.
Adi Shamir, the S in RSA, has done tons of work on side channel analysis, especially of hardware crypto, for decades. Timing attacks, voltage attacks, EM, you name it.

So it's not unknown. But as a counterpoint I had a shocking moment in the '90s when I learned that Faraday cages (to prevent TEMPEST attacks) were being designed with a second Faraday cage inside them to protect the light bulbs.

Seems that the interference between a CRT and a fluorescent bulb is sufficient that you can detect information on the power lines leading into the room. So they caged the bulbs to keep them magnetically isolated from the computers.