How a 22-year-old programmer found the worst chip flaw in history
(Chinese edition published by Fortune China; translator: Yan Kuangzheng. The English text follows.)
In 2013, a teenager named Jann Horn attended a reception in Berlin hosted by Chancellor Angela Merkel. He and 64 other young Germans had done well in a government-run competition designed to encourage students to pursue scientific research. In Horn’s case, it worked. Last summer, as a 22-year-old Google cybersecurity researcher, he was first to report the biggest chip vulnerabilities ever discovered. The industry is still reeling from his findings, and processors will be designed differently from now on. That’s made him a reluctant celebrity, evidenced by the rousing reception and eager questions he received at an industry conference in Zurich last week. Interviews with Horn and people who know him show how a combination of dogged determination and a powerful mind helped him stumble upon features and flaws that have been around for over a decade but had gone undetected, leaving most personal computers, internet servers and smartphones exposed to potential hacking. Other researchers who found the same security holes months after Horn are amazed he worked alone. “We were several teams, and we had clues where to start. He was working from scratch,” said Daniel Gruss, part of a team at Graz University of Technology in Austria that later uncovered what are now known as Meltdown and Spectre. Horn wasn’t looking to discover a major vulnerability in the world’s computer chips when, in late April, he began reading Intel Corp. processor manuals that are thousands of pages long. He said he simply wanted to make sure the computer hardware could handle a particularly intensive bit of number-crunching code he’d created. But Zurich-based Horn works at Project Zero, an elite unit of Alphabet Inc.’s Google, made up of cybersleuths who hunt for “zero day” vulnerabilities, unintended design flaws that can be exploited by hackers to break into computer systems. 
So he started looking closely at how chips handle speculative execution — a speed-enhancing technique where the processor tries to guess what part of code it will be required to execute next and starts performing those steps ahead of time — and fetching the required data. Horn said the manuals stated that if the processor guessed wrong, the data from those misguided forays would still be stored in the chip’s memory. Horn realized that, once there, the information might be exposed by a clever hacker. “At this point, I realized that the code pattern we were working on might potentially leak secret data,” Horn said in emailed responses to Bloomberg questions. “I then realized that this could — at least in theory — affect more than just the code snippet we were working on.” That started what he called a “gradual process” of further investigation that led to the vulnerabilities. Horn said he was aware of other research, including from Gruss and the team at Graz, on how tiny differences in the time it takes a processor to retrieve information could let attackers learn where information is stored. Horn discussed this with another young researcher at Google in Zurich, Felix Wilhelm, who pointed Horn to similar research he and others had done. This led Horn to what he called “a big aha moment.” The techniques Wilhelm and others were testing could be “inverted” to force the processor to run new speculative executions that it wouldn’t ordinarily try. This would trick the chip into retrieving specific data that could be accessed by hackers. Having come across these ways to attack chips, Horn said he consulted with Robert Swiecki, an older Google colleague whose computer he had borrowed to test some of his ideas. Swiecki advised him how best to tell Intel, ARM Holdings Plc. and Advanced Micro Devices Inc. about the flaws, which Horn did on June 1. That set off a scramble by the world’s largest technology companies to patch the security holes. 
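The patching scramble described above is visible to an administrator today: on Linux the kernel reports, per issue, whether the running system is mitigated, still vulnerable, or not affected, under the real sysfs directory /sys/devices/system/cpu/vulnerabilities/. The script below is an added example (not code from the article or from Project Zero) that classifies those status lines and counts the ones still marked vulnerable; the `SAMPLE` block is a constructed set of lines so it runs offline, and `report_live` reads the real directory when it exists.

```shell
#!/bin/sh
# Added example: summarise Spectre/Meltdown mitigation status as reported by
# the Linux kernel. The sysfs path is real; SAMPLE is constructed for offline use.

# Map one status string to a coarse class: mitigated / vulnerable / not_affected / unknown.
classify_status() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# stdin: "name: status" lines (the sysfs file name plus its content) -> stdout: "name class".
summarize() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        name=${line%%:*}          # text before the first ':' is the issue name
        status=${line#*: }        # text after the first ': ' is the kernel's status string
        printf '%s %s\n' "$name" "$(classify_status "$status")"
    done
}

# stdin: "name class" lines -> stdout: number of entries still classed vulnerable.
count_vulnerable() {
    grep -c ' vulnerable$' || true   # grep exits 1 on zero matches; still prints 0
}

# Walk the live sysfs directory when present and print one "name class" line per issue.
report_live() {
    dir=/sys/devices/system/cpu/vulnerabilities
    [ -d "$dir" ] || { echo "no sysfs vulnerability reporting on this system"; return 1; }
    for f in "$dir"/*; do
        printf '%s: %s\n' "$(basename "$f")" "$(cat "$f")"
    done | summarize
}

# Constructed sample in the sysfs format (not captured from any particular machine).
SAMPLE='meltdown: Mitigation: PTI
spectre_v1: Mitigation: usercopy/swapgs barriers and __user pointer sanitization
spectre_v2: Vulnerable
l1tf: Not affected'

printf '%s\n' "$SAMPLE" | summarize
printf 'still vulnerable (sample): %s\n' "$(printf '%s\n' "$SAMPLE" | summarize | count_vulnerable)"
report_live || true
```

Run it as root or any user (the sysfs files are world-readable); a non-zero `still vulnerable` count on the live report is the signal that microcode or kernel updates are still outstanding on that host.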
By early January, when Meltdown and Spectre were announced to the world, most of the credit went to Horn. The official online hub for descriptions and security patches lists more than ten researchers who reported the problems, and Horn is listed on top for both vulnerabilities. Wolfgang Reinfeldt, Horn’s high school computer-science teacher at the Caecilienschule in the medieval city of Oldenburg about 20 miles from Germany’s north coast, isn’t surprised by his success. “Jann was in my experience always an outstanding mind,” he said. Horn found security problems with the school’s computer network that Reinfeldt admits left him speechless. As a teenager he excelled at mathematics and physics. To reach the Merkel reception in 2013, he and a school friend conceived a way to control the movement of a double pendulum, a well-known mathematical conundrum. The two wrote software that used sensors to predict the movement, then used magnets to correct any unexpected or undesired movement. The key was to make order out of chaos. The pair placed fifth in the competition that took them to Berlin, but it was an early indicator of Horn’s ability. Mario Heiderich, founder of Berlin-based cybersecurity consultancy Cure53, first noticed Horn in mid-2014. Not yet 20, Horn had posted intriguing tweets on a way to bypass a key security feature designed to prevent malicious code from infecting a user’s computer. Cure53 had been working on similar methods, so Heiderich shot Horn a message, and before long they were discussing whether Horn would like to join Cure53’s small team. Heiderich soon discovered that Horn was still an undergraduate at the Ruhr University Bochum, where Heiderich was doing post-doctoral research. Ultimately, he became Horn’s undergraduate thesis supervisor, and Horn signed on at Cure53 as a contractor. Cybersecurity specialist Bryant Zadegan and Ryan Lester, head of secure messaging startup Cyph, submitted a patent application alongside Horn in 2016. 
Zadegan had asked Horn, through Cure53, to audit Cyph’s service to check for hacking vulnerabilities. His findings ended up as part of the patent and proved so significant that Zadegan felt Horn more than merited credit as one of the inventors. The tool they built would ensure that, even if Cyph’s main servers were hacked, individual user data were not exposed. “Jann’s skill set is that he would find an interesting response, some interesting pattern in how the computer works, and he’s just like ‘There’s something weird going on’ and he will dig,” Zadegan said. “That’s the magic of his brain. If something just seems a little bit amiss, he will dig further and find how something works. It’s like finding the glitch in the Matrix.” Before long, Cure53’s penetration testers were talking about what they called “the Jann effect” — the young hacker consistently came up with extremely creative attacks. Meltdown and Spectre are just two examples of Horn’s brilliance, according to Heiderich. “He’s not a one-hit wonder. This is what he does.” After two years at Cure53 and completing his undergraduate program, Horn was recruited by Google to work on Project Zero. It was a bittersweet day for Heiderich when Horn asked him to write a recommendation letter for the job. “Google was his dream, and we didn’t try to prevent him from going there,” he said. “But it was painful to let him go.” Horn is now a star, at least in cybersecurity circles. He received resounding applause from fellow researchers when he presented his Spectre and Meltdown findings to a packed auditorium at a conference in Zurich on Jan. 11, a week after the attacks became public. With bowl-cut brown hair, light skin and a thin build, Horn walked his fellow researchers through the theoretical attacks in English with a German accent. He gave little away that wasn’t already known. 
Horn told the crowd that after informing Intel, he had no contact with the company for months until the chipmaker called him in early December to say other security researchers had also reported the same vulnerabilities. Aaron Stein, a Google spokesman, has a different account though: “Jann and Project Zero were in touch with Intel regularly after Jann reported the issue.” When a fellow researcher asked him about another possible aspect of processor design that might be vulnerable to attack, Horn said, with a brief-but-telling smile: “I’ve been wondering about it but I have not looked into it.”