Slashdot Mirror


Linus Torvalds Slams CTS Labs Over AMD Vulnerability Report (zdnet.com)

Earlier this week, CTS Labs, a Tel Aviv-based cybersecurity startup, claimed it has discovered critical security flaws in AMD chips that could allow attackers to access sensitive data from highly guarded processors across millions of devices. Linus Torvalds, Linux's creator, doesn't buy it. ZDNet reports: Torvalds, in a Google+ discussion, wrote: "When was the last time you saw a security advisory that was basically 'if you replace the BIOS or the CPU microcode with an evil version, you might have a security problem?' Yeah." Or, as a commenter put it on the same thread, "I just found a flaw in all of the hardware space. No device is secure: if you have physical access to a device, you can just pick it up and walk away. Am I a security expert yet?" CTS Labs claimed in an interview they gave AMD less than a day because they didn't think AMD could fix the problem for "many, many months, or even a year" anyway. Why would they possibly do this? For Torvalds: "It looks more like stock manipulation than a security advisory to me."

These are real bugs though. Dan Guido, CEO of Trail of Bits, a security company with a proven track record, tweeted: "Regardless of the hype around the release, the bugs are real, accurately described in their technical report (which is not public afaik), and their exploit code works." But, Guido also admitted, "Yes, all the flaws require admin [privileges] but all are flaws, not expected functionality." It's that last part that ticks Torvalds off. The Linux creator agrees these are bugs, but all the hype annoys the heck out of him. Are there bugs? Yes. Do they matter in the real world? No. They require a system administrator to be almost criminally negligent to work. To Torvalds, inflammatory security reports are annoying distractions from getting real work done.

115 comments

  1. Linus Torvalds be like: Fuck you CTS Labs by Anonymous Coward · · Score: 1, Insightful

    Linus Torvalds be like: Fuck you CTS Labs and Fuck you Nvidia.

    1. Re: Linus Torvalds be like: Fuck you CTS Labs by Killall+-9+Bash · · Score: 0

      I'm tired of hearing you all whine about some big conspiracy keeping your race/religion/gender down because 90% of the time it's just a fucking excuse to justify your own personal failure.

      I've never seen an SJW slap him/her-self in the face with their own dick before.

      --
      "Prediction: within 10 years, Windows will be a Linux distribution." Me, 7-6-2016
    2. Re:Linus Torvalds be like: Fuck you CTS Labs by Anonymous Coward · · Score: 0

      You know what's really great? Coming to slashdot to make an anonymous n!igger hate post, and discovering that somebody has already done it for me. Thank you for making my day a more pleasant one, good sir.

  2. Don't need exploit if you have admin by Anonymous Coward · · Score: 5, Insightful

    What's the point of some exploit if you already have admin? You can do anything you want already.

    1. Re:Don't need exploit if you have admin by amorsen · · Score: 2, Interesting

      Modern CPUs have an area that you aren't allowed to touch. That is where they implement TPM, store DRM keys among other things. It looks like some of the flaws may give you a chance at looking at that area; i.e. they allow you to actually control the hardware that you paid for.

      So no, you cannot do anything you want already, even with root access.

      --
      Finally! A year of moderation! Ready for 2019?
    2. Re:Don't need exploit if you have admin by Anonymous Coward · · Score: 3, Insightful

      In other words, the "victims" of these "exploits" are not you but the "business partners" of AMD....

    3. Re:Don't need exploit if you have admin by geekmux · · Score: 1, Insightful

      What's the point of some exploit if you already have admin? You can do anything you want already.

      Perhaps we should stop taking the rather ignorant approach that even admins should have access to *everything*. Fuck that. It's called need to know.

      The military understood this concept with compartmentalization of data decades ago. Perhaps it's about damn time we pay attention to the value of that.

      And yeah, I DO realize that means questioning the trust of your own SysAdmins. How many times does industry need to repeat the words "Insider Threat" for people to pay attention? SysAdmins aren't magically immune...

    4. Re:Don't need exploit if you have admin by gweihir · · Score: 2

      You pretty much can do anything that matters to an attacker. It may just get a bit more complicated for some of those things.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    5. Re:Don't need exploit if you have admin by HiThere · · Score: 5, Insightful

      Since I'm my own systems administrator, I *do* want to have total control, even though I sure don't want to have to use it.

      Your argument seems to boil down to "Even though you 'bought' the device you don't own it.".

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    6. Re:Don't need exploit if you have admin by Anonymous Coward · · Score: 0

      I am the owner of my hardware. I DO NEED TO KNOW what runs on MY hardware or at least be able to block the execution of code under control of entities which I don't trust.

    7. Re:Don't need exploit if you have admin by another_twilight · · Score: 2

      The military has pressures and responsibilities that, ideally, should not exist elsewhere. In fact, the reason to have a military is so that the rest of us aren't burdened with those concerns. The militarisation of other areas of society is worrying, dangerous and to an extent diminishes the sacrifice that those who serve have and continue to make.

      The military understood this concept with compartmentalization of data decades ago. Perhaps it's about damn time we pay attention to the value of that.

      Maybe you should consider the cost benefit ratio of that decision and ask whether that is the same for all cases.

      And yeah, I DO realize that means questioning the trust of your own SysAdmins

      This adversarial employer/employee relationship that this implies is part of the problem for the lack of trust. Trust is a relationship. It needs to be developed and it must be two way. When your employees are treated with dignity and trust, then some (most?) will respond in kind. It's easy enough in such an environment to identify the people who don't respond and remove them. But in an adversarial environment, you'll have a much harder time working out who is and isn't capable of trust.

      SysAdmins aren't magically immune

      Neither are accountants, HR, sales reps, account managers etc. Some places those people are heavily monitored and/or restricted, in others they are trusted to act professionally and ethically.

      How many times does industry need to repeat the words "Insider Threat" for people to pay attention

      Those who sacrifice liberty for security ...

    8. Re:Don't need exploit if you have admin by gweihir · · Score: 2

      You seem to be unaware that there may be problems that need to be fixed _now_ in a running business. That is what you have the sysadmin for. Sure, you do "break glass" procedures for critical systems, i.e. said sysadmin has to ask for access and justify it, but preventing the sysadmin from accessing everything is suicidal.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    9. Re: Don't need exploit if you have admin by Anonymous Coward · · Score: 0

      In military, who decides who needs to know launch codes?
      If I know launch codes what's stopping me from going rouge?

    10. Re: Don't need exploit if you have admin by Anonymous Coward · · Score: 4, Funny

      Before you go rouge, you need to apply a proper foundation. Or so I have gathered from the TV commercials.

    11. Re:Don't need exploit if you have admin by Anonymous Coward · · Score: 0

      What's the point of some exploit if you already have admin? You can do anything you want already.

      Perhaps we should stop taking the rather ignorant approach that even admins should have access to *everything*. Fuck that. It's called need to know.

      The military understood this concept with compartmentalization of data decades ago. Perhaps it's about damn time we pay attention to the value of that.

      And yeah, I DO realize that means questioning the trust of your own SysAdmins. How many times does industry need to repeat the words "Insider Threat" for people to pay attention? SysAdmins aren't magically immune...

      You seem to be very ignorant of modern security practices. "Need to know" is not only known but commonly used and implemented in an enterprise environment. I'm a senior network engineer supporting a large bank. My access is read only unless I specifically request privileged access via an automated system. That request must be associated with a trouble ticket, it is logged, and the privileged access is restricted to the specific device I request. I have access to everything, but only if I follow the proper procedures and I damned well better be able to answer why I needed it or I will find my butt on the streets.

      That being said, that's an enterprise environment. On my home system, I have access to every thing any time I want it. It's my damned system and I don't need to justify a "need to know" to anyone for anything.

    12. Re: Don't need exploit if you have admin by Anonymous Coward · · Score: 0

      Do you have a newsletter or blog we can subscribe to?

    13. Re:Don't need exploit if you have admin by sjames · · Score: 3

      The kernel has been readying for that for a long time. Root is now divided into capabilities, and cgroups and namespaces can limit the ability to see across compartments.

      But ultimately, someone will have the ability to upgrade the BIOS, and that person will have a great deal of ability to violate security.

    14. Re:Don't need exploit if you have admin by Kjella · · Score: 1

      Perhaps we should stop taking the rather ignorant approach that even admins should have access to *everything*. Fuck that. It's called need to know.

      Except the computer has no mind of its own, it needs some kind of root trust. It can be software (root), hardware (signed boot), a remote computer (domain controller) or whatever but there must be something that starts with all the rights and can fundamentally alter the software and what everyone else's rights should be. The problem is not the scope of the power, it's that computers are made for solitary administration. Compare it to say an accounting system, there's usually tons of restrictions of what accounts you can use, what size individual and total expenses/transfers you can approve and it's usually never so that you can approve things you've initiated yourself. But there's always some process to lift those limits, there's always a way to add access to funds where all who had access has quit, all the money can be moved if you get enough sign-offs.

      Administration systems should be a bit more like that. If I do DROP DATABASE on a production database... it's unceremoniously dropped. And we do have people that have goofed and thought they were on the test server, but erring is human. However we as in the admin team collectively need that permission and there's not anybody else more qualified to have it. To my knowledge though there's no easy way for us to implement a system where one sysadmin requests dropping the database and a different admin approves. It's like either you got it or you don't. And that means it only takes one admin to create havoc, grant himself rights, disable security systems, reconfigure the firewall, delete backups and all sorts of shit. It wouldn't stop every problem but if you need either a conspiracy or to trick your coworkers into assisting you it'd stop a lot.

      --
      Live today, because you never know what tomorrow brings
    15. Re: Don't need exploit if you have admin by Anonymous Coward · · Score: 0

      I want to do
      DROP DATABASE
      and having someone else approve it is trivial to implement if you are willing to actually pay for two people to do the same job at the same time.

      Just have person A script and run their code on a test system, take the output and validation tests, and have person B review it and then execute that same set of commands via that same script in the production system.

      Person A has read and write privs while person B has read and execute privs. That's how I do stuff even though I am both A and B bc management won't pay for two. Or how I did it until I quit.
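
Added example, not part of the thread or any commenter's post: a minimal two-person approval gate for the DROP DATABASE case discussed in the comments above, where one admin requests and a different admin must approve the exact command on the exact target. The admin names, keys and function names are constructed for illustration.

```python
import hashlib
import hmac
import time

# Constructed per-admin keys for the demo. Sharing HMAC keys with the gate is a
# simplification; asymmetric signatures from hardware tokens would keep the gate
# itself from being able to forge an approval.
ADMIN_KEYS = {
    "alice": b"constructed-demo-key-alice",
    "bob": b"constructed-demo-key-bob",
}
APPROVAL_TTL = 900  # seconds a request stays approvable


def request_digest(request):
    """Hash that binds an approval to one exact requester/target/command/time."""
    h = hashlib.sha256()
    for field in ("requester", "target", "command", "requested_at"):
        data = str(request[field]).encode()
        # Length prefix so "ab"+"c" and "a"+"bc" cannot hash the same.
        h.update(len(data).to_bytes(4, "big") + data)
    return h.digest()


def make_request(requester, target, command, now=None):
    """Record what the first admin wants to run and where."""
    now = time.time() if now is None else now
    return {"requester": requester, "target": target,
            "command": command, "requested_at": int(now)}


def approve(request, approver, key):
    """Second admin signs the digest of the request they reviewed."""
    mac = hmac.new(key, request_digest(request), hashlib.sha256).hexdigest()
    return {"approver": approver, "mac": mac}


def authorize(request, approval, now=None):
    """Return (allowed, reason) for running the requested command on its target."""
    now = time.time() if now is None else now
    approver = approval.get("approver")
    if request["requester"] not in ADMIN_KEYS:
        return False, "unknown requester"
    if approver not in ADMIN_KEYS:
        return False, "unknown approver"
    if approver == request["requester"]:
        return False, "self-approval"
    if now - request["requested_at"] > APPROVAL_TTL:
        return False, "expired"
    expected = hmac.new(ADMIN_KEYS[approver], request_digest(request),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(approval.get("mac", ""))):
        return False, "approval does not match request"
    return True, "ok"


if __name__ == "__main__":
    t0 = 1_000_000  # constructed timestamp
    req = make_request("alice", "test-db", "DROP DATABASE orders", now=t0)
    signed = approve(req, "bob", ADMIN_KEYS["bob"])
    print("reviewed request:", authorize(req, signed, now=t0 + 60))
    # Same approval replayed against production: the target is part of the digest.
    prod = dict(req, target="prod-db")
    print("replayed on prod:", authorize(prod, signed, now=t0 + 60))
    # The requester cannot sign off on their own request.
    own = approve(req, "alice", ADMIN_KEYS["alice"])
    print("self-approved:   ", authorize(req, own, now=t0 + 60))
```

Because the target is hashed into what the approver signs, an approval given for the test server cannot be reused when the same command is pointed at production.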

    16. Re:Don't need exploit if you have admin by Anonymous Coward · · Score: 0

      Way to completely miss the point.

      Do you know exactly what goes into the medications and foods you eat? Every single ingredient, and every process? No, because you don't god damn need to know that either.

    17. Re: Don't need exploit if you have admin by Anonymous Coward · · Score: 0

      I assume you mean "rogue" and the answer is multiple approvals. The system is designed so that one single person cannot launch. In missile silos, there are keys that are physically too far apart for one person to be able to operate both at the same time. In submarines, the keys are in different rooms of the boat - one in the control center, one in the weapons officer's station.

      Is it perfect? No, given enough time alone with the system you could probably defeat it. However, nobody is ever left alone with the system.

      Use your brain - the military already did when they came up with this stuff.

    18. Re:Don't need exploit if you have admin by Anonymous Coward · · Score: 0

      Yes. Do you not?

    19. Re:Don't need exploit if you have admin by Anonymous Coward · · Score: 0

      fuck that. you *shouldn't* have access to anything. the military should control your entire life. Perhaps it's about time you accept that.

      you're all idiots.

    20. Re: Don't need exploit if you have admin by Anonymous Coward · · Score: 0

      You load up a sniffer into the TPM where it won't be looked for, erase evidence of entry, and sit back.

      If you're playing a long game, it's awesome.
      If you're just talking about vandalism, it's awesome too... they wipe the system and restore from backup, your attack code is still there.

      Sorry Linus, I don't agree with you on this one.

    21. Re:Don't need exploit if you have admin by another_twilight · · Score: 1

      You're changing the goalposts.

      As others point out, they _can_ know that information. You're advocating a one-size-fits-all compartmentalisation of information because it works for the military.
      It achieves certain goals (or tries to) that the military consider worth the cost. That's not an evaluation that suits all situations, or even many situations.

      Some sysadmins abuse the trust they are given. Some are exemplars of professionalism and ethical behaviour. Most fall somewhere in between. Treating trustworthy and ethical people as though they are neither just to feel a little safer sounds to me like either overkill, a poor ability to identify the costs and needs of a business or an edge case. Justifying it by pointing to the military is missing _my_ point.

    22. Re: Don't need exploit if you have admin by BronsCon · · Score: 2

      Please, please, please do stay clear of sodium. Completely avoid that critical nutrient so we don't have to put up with you for much longer than a few more days.

      Or at least know what the hell you're talking about before you dole out what some might construe as medical advice.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    23. Re:Don't need exploit if you have admin by Bert64 · · Score: 1

      Yes, we do need to know so we can make informed decisions on what to eat or avoid. Some of us have allergies to certain things, and eating them would make us sick.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    24. Re: Don't need exploit if you have admin by Bert64 · · Score: 1

      The problem is that people take such systems on face value and assume they can't be defeated... There are many movies with this premise too.
      Those keys will be wired in somehow, for a simple attack you could extend the wiring to move the keys. You could also bypass parts of the system and trigger a detonation directly.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    25. Re:Don't need exploit if you have admin by Bert64 · · Score: 1

      And who operates the system that hands out access?
      And what happens if you need to do some urgent work but the system to hand out access is not working correctly?
      All of these systems are flawed in various ways, and often create new problems.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    26. Re:Don't need exploit if you have admin by TheRaven64 · · Score: 1

      Perhaps we should stop taking the rather ignorant approach that even admins should have access to *everything*. Fuck that. It's called need to know.

      Actually, we call it the Principle of Least Privilege and it's been a core idea in computer security for decades.

      --
      I am TheRaven on Soylent News
    27. Re:Don't need exploit if you have admin by TheRaven64 · · Score: 1, Flamebait

      Do you want someone with 5 minutes of physical access to the machine (e.g. the minimum wage cleaners provided by an agency) to be able to install malware that the OS can't see, which survives complete reinstalls or even physically replacing the disk, and which can intercept everything that the OS does? If so, I really hope you don't work for a company with any confidential data.

      --
      I am TheRaven on Soylent News
    28. Re:Don't need exploit if you have admin by Carewolf · · Score: 1

      Do you want someone with 5 minutes of physical access to the machine (e.g. the minimum wage cleaners provided by an agency) to be able to install malware that the OS can't see, which survives complete reinstalls or even physically replacing the disk, and which can intercept everything that the OS does? If so, I really hope you don't work for a company with any confidential data.

      Since my complete control is as complete as theirs, it is not persistent as I can fix it.

    29. Re: Don't need exploit if you have admin by Anonymous Coward · · Score: 1

      Sometimes security of the secure enclaves is in my (the end user) interest. E.g. Signal uses secure enclaves (and remote attestation) to do contact discovery in a way that helps protect my privacy even in the event of a Signal server compromise.

    30. Re:Don't need exploit if you have admin by TheRaven64 · · Score: 1

      Not true. They can patch the vulnerability that allows this, so unless you are preemptively replacing the secure firmware with something that you've audited then you're vulnerable and don't have a way of removing their persistent malware.

      --
      I am TheRaven on Soylent News
    31. Re: Don't need exploit if you have admin by Anonymous Coward · · Score: 0

      You are speaking about this?
      https://en.wikipedia.org/wiki/Signal_(software)

    32. Re: Don't need exploit if you have admin by Anonymous Coward · · Score: 0

      I agree with your statement, but the "physical owner" (which in your case I suppose means also "end user"..) should ALWAYS be able to give his consent to the establishment of these blackboxed "secure enclaves" running code under the control of remote entities (be they "trusted" or not...)

    33. Re:Don't need exploit if you have admin by RKThoadan · · Score: 1

      I mostly agree with you, but I'm not clear on the persistence of these attacks.

      If it is actually installing nearly undetectable malware within the processor itself then just about anyone could set up shop and sell you an infected CPU or intercept and infect your hardware before it gets to you. That's always been a somewhat theoretical attack that sophisticated intelligence agencies might be able to pull off, but it sounds like this *might* make that very easy for anyone of moderate technical skills to pull off.

    34. Re:Don't need exploit if you have admin by pnutjam · · Score: 1

      This depends on the size of the organization. Many smaller orgs only have one or two guys and their fingers are in everything. Larger orgs should definitely compartmentalize. A good sysadmin will self compartmentalize and put auditing systems in place. A bad sysadmin complains about sudo and just uses root everywhere or makes his account a domain admin in the Windows world.

      A guy I work with was telling me that his last company just added the "domain user" account to the local admin account on all their Windows machines. I was appalled.

    35. Re:Don't need exploit if you have admin by Anonymous Coward · · Score: 0

      If you own my web server, I'll catch it in a few days during my weekly security audit. I'll then wipe the drive, restore from backup, apply new patches and change passwords, and be on my way again in a few hours.

      If you own my web server AND my BIOS and motherboard, then a wipe-and-restore isn't going to fix the problem. I'll think I'm good - I may even fix your initial entry vector - but I'll still be at your mercy, because the very hardware I'm running on is not under your control.

      I don't know if the persistence claims these guys have made are true. Some people have said that they've made working examples. But if they ARE true, then this is a much bigger problem than you, and Torvalds, have acknowledged.

    36. Re:Don't need exploit if you have admin by Anonymous Coward · · Score: 0

      My system's TPM chip is a plugin. It is not soldered, and is thus replaceable.

      Where is the security in this case?

    37. Re: Don't need exploit if you have admin by Anonymous Coward · · Score: 0

      Fuck this ... and fuck that.... most importantly... fuck you!

      You are all dicks. Your hand is a dick, your legs are dicks and your face.... is a fuck face.... your dick is not a dick but a fucked up vagina.

      WTF... you're an idiot

    38. Re: Don't need exploit if you have admin by Anonymous Coward · · Score: 0

      Yea. Slashdot.org

  3. yep and? by bloodhawk · · Score: 3, Interesting

    While I agree it is absolutely idiotic, this seems to be pretty much the case for a very large percentage of security advisories issued by a lot of these types. Where either physical access or administrator/root access is required in order to pull off these highly dangerous exploits. So what makes this one so special that it needs singling out?

    1. Re:yep and? by darkain · · Score: 5, Interesting

      The difference this time is that it was published by a company that was only founded a couple months ago, only allowed for ~24 hours for "reasonable disclosure" (not even enough time to verify the claims, let alone issue patches), and openly admits they most likely have a financial stake in the AMD stock values. This all points directly to stock manipulation, not an actual major exploit (minor at best)

    2. Re:yep and? by AmiMoJo · · Score: 5, Interesting

      Stock manipulation, or Intel trying to stem the bleeding. I hear that a lot of big customers are switching to AMD now, especially cloud/datacentre people.

      Meltdown's security ramifications were bad enough, the 60%+ performance hit was even worse. But AMD has been putting out some really innovative kit for server use too. Encrypted RAM, with a different key for each VM and only 2-3% performance loss. Much cheaper parts with many more PCIe lanes and better support for IOMMU pass-through. ECC support even on the consumer stuff. Sockets that last for many years.

      Intel must be very happy about this, even if they are not involved somehow.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    3. Re:yep and? by Anonymous Coward · · Score: 1

      "you don't know anything."

      This is /. in 2018, no one here knows anything.

    4. Re: yep and? by Anonymous Coward · · Score: 0

      "most of your posts"??
      Are you a resident shill here? Damage control me-too squadron?

    5. Re:yep and? by HiThere · · Score: 4, Insightful

      If the changes are persistent, as at least some of the sources have indicated, then this *is* a serious problem, but probably only for people targeted by state actors. (OTOH, sometimes those "state actors" have a pretty loose focus to their targeting, and it's not unknown for their code to have bugs.)

      This, of course, doesn't excuse their mode of announcing this, but it suggests that some group may have caused those "bugs" to be present intentionally...and that they may have been known (by some) for quite a while.

      OTOH, if it's not persistent, then it's not clear to me what is gained by anyone except Intel and stock market manipulators. So I suspect Intel of managing the process of revelation, possibly in a criminal way. And I suspect someone of (attempted?) stock market manipulation. I have no proof of either, and one doesn't exclude the other.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    6. Re:yep and? by Anonymous Coward · · Score: 1

      Yeah. He's probably a 400 pound hacker sitting on his mother's bed.

    7. Re: yep and? by Anonymous Coward · · Score: 2, Insightful

      Because this one is obviously part of a stock manipulation scam and was far more overly reported than others. It's more fake news, this time being spread for financial gains. And as usual news sites don't give a fuck because it gives them ad money.

    8. Re:yep and? by bongey · · Score: 3, Interesting

      I can see a big Intel investor doing this more than Intel.

    9. Re:yep and? by afxgrin · · Score: 2

      But look at their nice offices, they couldn't have been founded a couple months ago.

    10. Re:yep and? by Anonymous Coward · · Score: 0

      (((big Intel investor)))

  4. In not even a word by Anonymous Coward · · Score: 1
  5. Linus smacking up ... by Qbertino · · Score: 2, Interesting

    ... some blowhard douche. Nice. Like it.
    Sadly the fight is so short there's no point in getting popcorn. ...
    Ok, so it *was* some cretin looking for attention. I had that suspicion when I saw the report on some tech blog yesterday.

    --
    We suffer more in our imagination than in reality. - Seneca
  6. No shit Sherlock by Anonymous Coward · · Score: 1

    If you replace the BIOS or microcode with something not expected it won't work as expected.

    This doesn't seem any more malicious than issuing a command like

    dd if=/dev/random of=/dev/bios count=1024 bs=1024 to overwrite the BIOS with garbage and brick the machine on next boot

    Maybe we need to go back to the days of removable BIOS chips where on the cheap end one could snip the write enable pin on the BIOS chip or on the slightly more expensive end there were devices that could sit between the BIOS chip and the socket with a switch on them to physically switch off the WE pin. I actually had a similar device back in the day called the BIOSSaver. It actually contained a second EEPROM on the device that sat between the real BIOS chip and socket. With the flip of a switch you could switch between two different BIOS versions, or have a backup BIOS in the case that a BIOS update went tits up.

    Can't find much about the BIOSSaver these days, a few forum posts, here's a German site that still appears to sell them

    https://www.com-tra.de/de/zubehoer/

  7. FTFY by Anonymous Coward · · Score: 1

    "To everyone who does patch management, inflammatory security reports are annoying distractions from getting real work done."

    Torvalds was not the only person this irritated. I was irritated too. Where's my Slashdot post?

    1. Re:FTFY by alexo · · Score: 4, Insightful

      Torvalds was not the only person this irritated. I was irritated too. Where's my Slashdot post?

      Right next to the kernel you developed.

  8. DRM by Anonymous Coward · · Score: 2

    You know who actually cares about, and values, TPM chips? Developers who need it for DRM.

    Outside of the realm of DRM, this stuff isn't really useful (*). When non-Hollywood types talk about securing things, we accept "if they got physical access and also admin rights, then it's theirs now." Do you really care that your bootloader is signed? Fuck no, because you don't let just anyone write to your bootloader, and if you did, then you'd expect to lose.

    But Hollywood wants "even if they have physical access and admin rights, the computer should still [at least partially] belong to Hollywood."

    It's a non-story. Unless you're in the DRM snakeoil business. ie. if you make your living through fraud. So Linus wouldn't care. But Microsoft, Google, etc would, because they want their OSes to offer DRM.

    (*) Ok, maybe VPSes and "cloud providers" (e.g. AWS) care, a little.

    1. Re:DRM by TheRaven64 · · Score: 1

      You know who actually cares about, and values, TPM chips?

      Users of Windows who use it to handle full-disk encryption in such a way that the OS (and therefore, importantly, malware that compromises the OS) can't exfiltrate the keys and it's impossible (or, at least, infeasibly expensive) for anyone to access them if they steal the machine? Cloud users who rely on the TPM for remote attestation that the hypervisor hasn't been compromised?

      --
      I am TheRaven on Soylent News
    2. Re:DRM by q4Fry · · Score: 1
  9. Re:Jewish TERRORISM against AMD by Anonymous Coward · · Score: 0

    Clever plan for Intel:
    Allow the ME to be REALLY disabled (or even better open source it .. ;-))
    This will for sure ruin AMD... ;-)

  10. Lots of trolls on this story by HiThere · · Score: 1, Insightful

    My word, but there are a lot of trolls posting on this story. I do wonder how many are being paid to do so...and who would fund an astroturf campaign, though they don't all seem to have the same playbook.

    --

    I think we've pushed this "anyone can grow up to be president" thing too far.
    1. Re:Lots of trolls on this story by Anonymous Coward · · Score: 0, Interesting

      I want to live in your fantasy world where Slashdot is important enough for anyone to even bother astroturfing. 56 comments on this submission. Delusions of grandeur.

    2. Re:Lots of trolls on this story by Anonymous Coward · · Score: 0

      Comments are all that are used to determine a post's visibility? Do you have any idea who reads Slashdot? You must be new here...

  11. So... by Yunzil · · Score: 5, Funny

    They require a system administrator to be almost criminally negligent to work.

    You might want to sit down for this....

    1. Re:So... by jezwel · · Score: 1

      This isn't about Equifax is it?

    2. Re:So... by Anonymous Coward · · Score: 0

      I was thinking more like BOFH...

  12. Beyond the hype by Lorens · · Score: 5, Insightful

    I have read through the documents (for work). Once stripped of the hype, I would not be surprised if these "vulnerabilities" are literally correct as described. There is a whole lot of hedging going on down in the details, which gut the document of any really critical vulnerabilities. It would have been so easy to leave out a sentence to make any one of those bugs earth-shaking, but no. This makes me think that the document is carefully written to be as alarming, as scare-mongering, as possible, while not actually giving in to blatant lies that could land someone in prison.

    *If* the vulnerabilities are as described, then the real-world impact is that you will no longer be able to really trust a pre-owned computer. Governments and security-conscious companies will no longer be able to take any computer (new or pre-owned), format or replace the disks, and declare the computer secure. Those "bugs" will need to be taken into account. Same thing for computer forensics.

    Of course, this was already somewhat the case. You should already reflash the BIOS, and some hard disks and ethernet cards have flashable firmware, but it would seem that the impact of these bugs is that the manufacturer's manual for cleaning the system, more or less unchanged for decades, now has a few holes in it.

    To sum it up, I suspect we paranoid people will need a much more hard-core procedure to sanitize hardware. A format/reinstall isn't going to cut it any more.

    1. Re:Beyond the hype by phantomfive · · Score: 4, Informative

      With UEFI, you already shouldn't trust a used computer. That stuff is heavily insecure and difficult to detect.

      --
      "First they came for the slanderers and i said nothing."
    2. Re:Beyond the hype by Anonymous Coward · · Score: 0

      and some hard disks and ethernet cards have flashable firmware

      I remember from tech news around 2001, there were already IT researchers who pointed out the dangers of chips that can be reflashed, that it would create bigger problems than the old problems posed by classic ROM chips. With ROM chips, a reboot could reset your system to factory default.
      I think flashable ICs are a part of planned obsolescence.

    3. Re:Beyond the hype by Anonymous Coward · · Score: 0

      I remember from tech news around 2001, there were already IT researchers who pointed out the dangers of chips that can be reflashed, that it would create bigger problems than the old problems posed by classic ROM chips.

      I came to the same conclusion a good deal later when Microsoft was pushing much harder on security. But time passed, and it's now very clear that the well that is shitty written programs is unlikely to run dry any time soon. So, the real meaningful risk doesn't seem to be there, for me. Really, if the worry is that some State actor is going to flash the ROMs from the factory, then before flash they'd just have handed the factory the mask to make. If the collusion is there, then it's not like flash suddenly makes that collusion possible. It does make it cheap/easier, though.

      I think flashable ICs are a part of planned obsolescence.

      No, that's actually the paradox. The point of flashable ICs is to allow hardware makers to just flash different ROMs to get different behavior, often from just setting a flag; that gives them more flexibility for market differentiation and in theory allows the computer you're likely to buy to be cheaper*. The planned obsolescence would already be there if they were not rewritable. Now, they just don't bother to issue updates and the flash image is opaque enough that few would dare to try to patch it themselves. But because images are issued for newer systems and because there are some people who bother to check, not only do people figure out they can use different version firmware to keep up to date longer, they can figure out how to enable more higher end features that were intentionally disabled on their hardware.

      The risk is definitely there that malware writers will take the effort to make changes to ROMs. The reality is that only state actors are likely to bother and in most cases they'll make the changes at the factory. The exceptions are the higher end targets for which they'd find a way in, regardless of the ability to rewrite firmware--it'd again, just be more costly/more difficult. That's, at least, how the situation seems today.

      * It's obviously hard to be sure if the results are actually cheaper systems, especially if you're one of the people buying their "higher end" systems. YMMV.

    4. Re:Beyond the hype by Anonymous Coward · · Score: 0

      Used computer? Why would I trust a new computer with UEFI??

  13. Don't hold back, now by Provocateur · · Score: 1

    But let this other famous guy say it:
     
    https://www.youtube.com/watch?v=27eADk7wh2Y

    --
    WARNING: Smartphones have side effects--most of them undocumented.
  14. Slammin by Presence+Eternal · · Score: 1

    He then suplexed Fox News for disingenuous reporting and triple axle-kicked those who think 'slams' isn't the most goddamn overused headline verb.

  15. "It rather involved being on the other side of... by The+MAZZTer · · Score: 2

    ...this airtight hatchway."

    "Yes, all the flaws require admin [privileges] but all are flaws, not expected functionality."

    Relevant: https://www.google.com/search?q=site%3Ablogs.msdn.com%2Fb%2Foldnewthing%2F+%22airtight+hatchway%22

    If there is no privilege escalation, they are not security flaws, just boring ol' bugs.

  16. Re:Obligatory: Intel CPU Backdoor Report (Jan 1 20 by Anonymous Coward · · Score: 0

    tl;dr

  17. What's with all the hate by Anonymous Coward · · Score: 0

    So they are banking on these bugs... big fokking deal. Be grateful they inform us! and bank via wall street instead of NSA or whatever.

    Oh and something that can infect a system via "admin rights" at least on windows is a big deal.

    Some games may require admin rights to run.

    "Run as Admin" in combination with these bugs would be a real threat as far as I am concerned.

    So this is definitely a big fat RED ALERT.

  18. This by Anonymous Coward · · Score: 0

    It looks like Intel has hired some PR mitigation experts. They've come up with this bogus attack vector*, and we see stories of how this claimed vector could be used to attack stock markets etc.

    It all smells of a stinky 800lb Gorilla.

    Yeh, this looks like it's all about Intel's Meltdown problem. I don't need to upgrade right now, but I suddenly feel like I want to go upgrade to a thread ripper box.

    * It needs local admin privileges FFS, the big prize for all hacks, root admin, is a pre-requisite for even starting this attack.

    1. Re:This by TheRaven64 · · Score: 1, Informative

      It needs local admin privileges FFS, the big prize for all hacks, root admin, is a pre-requisite for even starting this attack.

      Not necessarily. Imagine this scenario: You have a secured machine, it is using SecureBoot to verify the bootloader and kernel image, signed using your org's keys. When it boots, the user must enter a pass phrase, which is used to decrypt the keys stored in the TPM to decrypt the hard disk. Without the correct pass phrase, entered into the verified boot loader, you have no way of accessing any of the confidential data on the disk. I'm pretty sure Windows supports this configuration out of the box and I believe that you can do the same with Linux / GRUB.

      This setup is incredibly hard to bypass. Except with a vulnerability like this, because now if you have 2 minutes of physical access to the machine, you can reboot into an OS from a USB disk and install persistent malware that can fake the boot attestation, extract the keys when the TPM unlocks them, and access all of the data on the disk. The malware can also establish network connections without the OS being aware of them, so it can exfiltrate the data if there isn't a decent IDS on the network (or it can just let the attacker dump the entire disk contents to a USB drive the next day, or the attacker can take the encrypted disk image the first time and then the malware just needs to transmit the key, which can be hidden as a single HTTPS request and probably not blocked by anything).

      How much confidential data is stored on your organisation's computers? How sure are you that your cleaners would say no if someone offered them $100,000 to stick a USB drive in each of the desktops in an office, reboot, and then remove it a couple of minutes later?

      --
      I am TheRaven on Soylent News
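
Added example (not part of the comment above, and not code from any project or TPM vendor): a toy Python model of the setup that comment describes, a disk key sealed to measured-boot PCR values plus a passphrase, showing that the seal detects a changed bootloader only while the code doing the measuring is itself intact. The image names, passphrase and `SealedKey` class are constructed for illustration; a real TPM enforces the policy in hardware.

```python
import hashlib
import hmac

def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM-style extend: new PCR = SHA-256(old PCR || SHA-256(component))."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()

def measured_boot(chain, measure=lambda blob: blob):
    """Fold each boot stage into one PCR, starting from all zeroes.
    `measure` models the firmware routine that reads a stage before extending."""
    pcr = bytes(32)
    for blob in chain:
        pcr = extend(pcr, measure(blob))
    return pcr

class SealedKey:
    """Toy stand-in for a key sealed to (PCR value, passphrase)."""
    def __init__(self, key: bytes, expected_pcr: bytes, passphrase: str):
        self._key = key
        self._policy = hashlib.sha256(expected_pcr + passphrase.encode()).digest()

    def unseal(self, pcr: bytes, passphrase: str):
        candidate = hashlib.sha256(pcr + passphrase.encode()).digest()
        return self._key if hmac.compare_digest(candidate, self._policy) else None

# Constructed sample boot images (placeholders, not real binaries).
FIRMWARE, BOOTLOADER, KERNEL = b"vendor firmware", b"signed bootloader", b"signed kernel"
MODIFIED = b"modified bootloader"
PASSPHRASE = "constructed passphrase"

def demo():
    good_pcr = measured_boot([FIRMWARE, BOOTLOADER, KERNEL])
    sealed = SealedKey(b"disk-key", good_pcr, PASSPHRASE)
    changed_chain = [FIRMWARE, MODIFIED, KERNEL]

    # Honest measurement: the changed stage alters the PCR, so the key stays sealed.
    honest_pcr = measured_boot(changed_chain)

    # Measurement code below the chain no longer trustworthy: it reports the
    # known-good image for the changed stage, so the PCR matches again.
    substitute = {MODIFIED: BOOTLOADER}
    lying_pcr = measured_boot(changed_chain, measure=lambda b: substitute.get(b, b))

    return {
        "clean boot": sealed.unseal(good_pcr, PASSPHRASE),
        "clean boot, wrong passphrase": sealed.unseal(good_pcr, "guess"),
        "changed bootloader, honest measurement": sealed.unseal(honest_pcr, PASSPHRASE),
        "changed bootloader, untrusted measurement": sealed.unseal(lying_pcr, PASSPHRASE),
    }

if __name__ == "__main__":
    for case, key in demo().items():
        print(f"{case}: {'key released' if key else 'refused'}")
```

The defensive reading is that PCR-sealed keys say nothing about the integrity of whatever sits beneath the first measurement, which is why firmware in that position needs to be verified independently of the chain it measures.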
    2. Re:This by Carewolf · · Score: 1

      It looks like Intel has hired some PR mitigation experts. They've come up with this bogus attack vector*, and we see stories of how this claimed vector could be used to attack stock markets etc.

      It all smells of a stinky 800lb Gorilla.

      Yeh, this looks like it's all about Intel's Meltdown problem. I don't need to upgrade right now, but I suddenly feel like I want to go upgrade to a thread ripper box.

      * It needs local admin privileges FFS, the big prize for all hacks, root admin, is a pre-requisite for even starting this attack.

      Yeah, this company was formed just shortly after Intel was informed of their own security holes 6 months ago, before they even started dumping their own stocks.

    3. Re: This by Anonymous Coward · · Score: 0

      Why do you think I save FireWire PCI cards?

    4. Re:This by Killall+-9+Bash · · Score: 2

      Oh... so you don't need root...... you just need the even higher access privilege of PHYSICAL ACCESS.

      --
      "Prediction: within 10 years, Windows will be a Linux distribution." Me, 7-6-2016
    5. Re:This by TheRaven64 · · Score: 1

      You can do it with root, but it doesn't need to be root on the OS that has access to the sensitive data. The entire point of these features is to protect you from an attacker with either physical access or the ability to insert malware into your OS. That they can be bypassed by someone with either physical access or the ability to insert malware into your OS means that they are useless.

      --
      I am TheRaven on Soylent News
    6. Re:This by OneAhead · · Score: 1

      if you have 2 minutes of physical access to the machine

      Meh... if you have less than 30 seconds of physical access to the machine, you can plug the keyboard into a tiny hardware keylogger that plugs into the back of the machine. Those are cheap, readily available, don't require any assumptions about what's under the hood, and a cleaner reaching into the dusty area behind a PC will look a helluva lot less suspicious than a cleaner booting from USB (which, BTW, would be disabled by any remotely competent admin working in a high-security environment).

      The point being not so much this specific attack vector, but the fact that an adversary with physical access has nearly infinite ways to compromise a machine. If your organisation handles info that is that confidential, you'd better screen your cleaning personnel, or lock them out of certain rooms.

    7. Re:This by TheRaven64 · · Score: 1

      You're then leaving a physical device behind, which someone might notice. With this kind of attack, you need a few seconds / minutes of access and then the only thing you leave behind is untraceable software. That said, my favourite attack along these lines involved a vulnerability in some of the early Apple USB keyboards, combined with their overengineering, which meant that you could replace the firmware with something that included a keylogger and you had a few tens of KBs of spare flash to write the keys into, so you could record a day's worth of typical use in a buffer in the keyboard's flash and dump it via the USB ports each night.

      --
      I am TheRaven on Soylent News
  19. INTEL CPUS HAVE HUGE SECURITY FLAWS!!! by cas2000 · · Score: 5, Funny

    The following will cause an Intel CPU to fail catastrophically:

      * pouring petrol on the Intel CPU and then igniting it.
      * smashing the Intel CPU with a hammer
      * dousing the Intel CPU in highly concentrated sulphuric acid
      * urinating on the motherboard containing the Intel CPU
      * increasing the voltage supplied to the Intel CPU to 100 volts.
      * installing a computer with an Intel CPU in a cage with an angry Tyrannosaurus Rex
      * targeting the Intel CPU with a nuclear bomb

    These flaws are so severe that Intel should withdraw all of their CPUs from the market and file for bankruptcy immediately. Nobody should ever use an Intel CPU for anything.

    I am releasing this vital information now without prior notice to Intel because I believe that they have no hope of fixing this flaw in any reasonable time frame.

    Disclaimer (hidden deep within the near-impenetrable legalese on an obscure URL of my web site, just like CTS's disclaimer): the reader should assume that I may have a position on the stocks of any company mentioned in this press release.

  20. This isn't news by tezbobobo · · Score: 0

    The only thing that would make this news is if it read:

    "Linus reacts proportionally to something he doesn't like and actually has something new and insightful to contribute."

    I'm sick of hearing tech news about this idiot whinging about stuff. Linus, act like a normal person mate.

    1. Re:This isn't news by DamnOregonian · · Score: 2

      He's generally a pretty bright guy, but I almost pissed myself at the claim of a requirement of criminal negligence from an administrator.
      I've made a living finding privilege escalations in *his* goddamn operating system.
      I've never before been able to say, with this root escalation, I can now render this machine forever owned. Now I can.
      I just really hope it drives home the silliness of allowing any kind of code to run on the goddamn chipsets, and special security domains running at ring -1.

    2. Re:This isn't news by Anonymous Coward · · Score: 0

      > I've never before been able to say, with this root escalation, I can now render this machine forever owned. Now I can.

      Uh, then you must have been asleep. People replacing the BIOS, UEFI, installing things there etc. is not really new. They can even disable the BIOS flashing so you can't get rid of it.
      How exactly is this actually a NEW thing?

    3. Re:This isn't news by pnutjam · · Score: 1

      Yeah, there is some sort of lojack for computers that would reinstall itself at least two or three years ago. It did only work on Windows, if I remember correctly, but that had more to do with the software design.

  21. Flashing BIOS by DrYak · · Score: 1

    If the changes are persistent, as at least some of the sources have indicated, then this *is* a serious problem,

    It's a serious problem that requires flashing the UEFI/BIOS firmware.
    If you have the capacity to flash firmware, you *already at that point* have the capability to do a ton of awful and persisting damages.
    The fact that these peculiar variants happen to attack the AMD PSP is just a small foot note detail.

    To put it into perspective, this has nothing to do with the numerous bugs and exploits that have plagued Intel AMT and IPMI (those were more of the type "the lights-out remote management system is so buggy and fucked up, that you can basically use it as a backdoor"). Here, it's more "if you upgrade and put a buggy lights-out remote management tool, you'd be opening a backdoor" - Well no shit.

    (Except that the AMD PSP isn't used for lights-out management. But for handling stuff like DRM, TPM, boot firmware signing, etc.
    But still, if you install a crappy one, yes, the system will be hosed.
    And if you have the capability of installing one, then you have tons of possibilities to hose the system. Including possibilities that have nothing to do with AMD PSP).

     

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
  22. Re:"It rather involved being on the other side of. by Anonymous Coward · · Score: 0

    There is privilege escalation: from administrator to security chip. Which means that any malware exploiting this will be undetectable (since it doesn't run on the CPU) and very difficult to remove (will survive a full HDD wipe for example, will work regardless of what OS is running).

  25. Disappointed by Anonymous Coward · · Score: 0

    I, for one, am disappointed that Linus Torvalds didn't go full profane rant on CTS Labs. They truly deserve the full measure of his gifts.