How the meltdown CPU bug adds 50 million tons of CO2 to the atmosphere

The first few days of 2018 have been busy for security professionals and IT admins. As Ars Technica put it: every modern processor has “unfixable” security flaws. There are fixes – sort of. But they come with a cost: computers will run up to 30% slower because of it, depending on the type of work being performed. A lot of the heavy lifting performed in large data centers is related to data processing in databases. Unfortunately, this is the type of operation that looks to have the worst impact of fixing the Meltdown and Specter vulnerabilities. A selection of tests shows that a performance reduction of about 20% is at least realistic (see details at This is equivalent to increasing the power consumption of data centers by 25%. That is a lot of energy! With assumed growth in data center consumption of 5% per year we should expect the total electricity consumption by data centers globally to hit 480 TWh this year.

Meltdown may be a very fitting name for the CPU bug on everyone’s mind in the beginning of 2018: adding another 50 million tons of CO2 to the atmosphere doesn’t help the polar bear. 

A 2013 estimate of the US use of data centers put the 2020 electricity use at 139 TWh, and the Independent reported that the 2015 global data center energy consumption was 416 TWh. For comparison, the total electricity generation globally is approximately 25000 TWh, so data center usage is not insignificant – and it is growing fast.

Our energy mix is still heavily dependent on fossil fuels, mainly coal and natural gas. Globally about 40% of our electricity generation is done based on coal, and another 30% is based on petroleum, primarily natural gas. In OECD countries coal use is on the decline but demand growth for electricity in particularly the BRICS economies still outnumbers the achievable growth in renewable energy generation in these areas. This means that short-term increases in global electrical energy generation will still be heavily influenced by fossil fuels  – meaning coal and natural gas, and to some extent oil.

According to an article on curbing greenhouse gas emissions in the Washington Post, average coal fired power plants in the United States emits the equivalent of 1768 lb CO2/MWh, whereas for natural gas the average number would be around 800-850 lb/MWh. This corresponds to 800 g/kWh and 385 g/kWh for coal and natural gas, respectively.

Based on these numbers we can estimate an approximate value of extra CO2 emissions based on the Meltdown and Specter vulnerability fixes. If the unadjusted data center electricity consumption for 2018 is estimated at 480 TWh, and the bug fixes will lead to a 25% increase in consumption we are talking about and extra energy demand of 120 TWh for running our data centers. If 40% of that energy is generated by coal fired power plants, and 30% by natural gas, and the remaining by nuclear and renewable energy sources we are looking at 48 TWh extra to be produced from coal, and 36 TWh extra to be produced from natural gas. The combined expected “extra” CO2 emissions would be 52 million tons!

That is the same as all the climate gas emissions from the Norwegian economy in 2016 – including the entire petroleum sector (source: SSB). Another “yard stick” for how huge this number is: it corresponds to 1/3 of all emissions from U.S. aviation (source: EPA). Or – it would correspond to driving the largest version of a Hummer with a 6.2l V8 engine 3 million times around the earth (source:

This is a huge increase in emissions due to data processing because the CPU optimizations we have come to rely on since 1995 cannot be used safely. Also note that we have only included data centers in our estimate; this excludes all PC’s, Macs and smartphones that could see hits in performance too – meaning we’d have to charge our tech toys more often, thereby consuming even more electricity.



How do you tell your audience that somebody found a vulnerability on your site?

Disclosing vulnerabilities is a part of handling your risk exposure. Many times, web vulnerabilities are found by security firms scanning large portions of the web, or it may come from independent security researchers that have taken an interest in your site.

Ignoring the communication issues around vulnerability disclosure can cost you a lot. Working on maturity at the top is a high ROI activity!

How companies deal with such reported vulnerabilities usually will take one of the following 3 paths:

  1. Fix the issue, tell your customers what happened, and let them know what their risk exposure is
  2. Fix the issue but try to keep it a secret.
  3. Threaten the reporter of the vulnerability, claim that there was never any risk regardless of the facts, refuse to disclose details

Number 2 is perhaps still the normal, unfortunately. Number 1 is idea. Number 3 is bad.

If you want to see an example of ideal disclosure, this article about revealing password hashes in source shows how it should be done.

A different case was the Norwegian grocery chain REMA 1000, where a security researcher reported lack of authentication between frontend and backend, exposing the entire database of customer data. They chose to go with route 3. The result: media backlash, angry consumers and the worst quarter results since…., well, probably forever.

So, what separates the businesses that do it the right way, and those that choose to go down the way of the rambling angry ignorant? It is about maturity and skills a the top. This is why boards and top management need to care about information security – it is a key business issue.



Hijacking existing email threads: taking phishing to a new level

Phishing e-mails is the most common way for a hacker to breach the initial attack surface. Filters and blacklisting technologies have been less than effective in stopping such threats, and it is up to the cybersecurity training and awareness of the user to ensure safe choices are made. Now phishermen have new ideas about making their bait more trustworthy; hijacking existing mail threads, piggybacking on existing interpersonal trust. A received an e-mail sent me from a contact who told me he realized he’d fallen for a scam the second he submitted his username and password to the phoney login site he was led to. Here’s (a somewhat edited) excerpt of the e-mail thread leading him into the phisherman’s trap.

From: Jim Salesman
To: Danny Customer

Subject: Re: confirm order details

Dear Danny,

thank you for your purchase. Please download and check these documents.


With best regards,

From: Danny Customer
To: Jim Salesman

Subject: Re: confirm order deetails

Dear Danny,

I agree to the conditions as you have suggested. Make sure the part serial numbers are indicated correctly on the labels.

With best regards,

——- (after multiple e-mails back and forth)

Where does the link lead to?

The link does not lead to a Google page, despite claiming to be a Google Docs file. Also the lack of Google branding in the download section could be an indicator. The URL is “ehbd-dot-ml/hbdesigns/gibberish/” and is rendered over http – no security. It displays a selection of “login credentials” to choose from.


OK, so here are several well-known brand names.

So, who owns the domain ehbd-ml? A whois search shows the domain is registered to Mali Divi. B.V. in the Netherlands.This firm has been active since 2012 and owns a number of free domains. It has a VAT number and one employee, according to this site:

Why submitting your info is dangerous

My friend realized the mistake the moment he hit “submit”. He then called his company’s IT department, and was told to change his passwords and run a virus scan. That was the right thing to do. But why is this dangerous?

Giving hackers access to your e-mail makes it easy for them to:

  • your e-mails and attachments
  • they can impersonate you by sending e-mails as you
  • they can hijack other accounts where your email is used to reset your password

Lessons learned

Phishing scammers are skilled at exploiting established trust between you and your contacts. Always be suspicous about links in e-mails, even from people you know. Before clicking, always check:

  • Does the URL look reasonable?
  • Does the branding (logos etc.) look right for the contents?
  • Is the site it leads to secured when you would expect it to be? All major service providers will only serve https – not http
  • Is the domain name strange? The .ml top domain is the national domain for Mali in Africa. Google Docs does not use that as the default login site domain.