Slashdot Mirror
Linus Torvalds Slams CTS Labs Over AMD Vulnerability Report (zdnet.com)
Earlier this week, CTS Labs, a Tel Aviv-based cybersecurity startup claimed it has discovered critical security flaws in AMD chips that could allow attackers to access sensitive data from highly guarded processors across millions of devices. Linus Torvalds, Linux's creator doesn't buy it. ZDNet reports: Torvalds, in a Google+ discussion, wrote: "When was the last time you saw a security advisory that was basically 'if you replace the BIOS or the CPU microcode with an evil version, you might have a security problem?' Yeah." Or, as a commenter put it on the same thread, "I just found a flaw in all of the hardware space. No device is secure: if you have physical access to a device, you can just pick it up and walk away. Am I a security expert yet?" CTS Labs claimed in an interview they gave AMD less than a day because they didn't think AMD could fix the problem for "many, many months, or even a year" anyway. Why would they possibly do this? For Torvalds: "It looks more like stock manipulation than a security advisory to me."
These are real bugs though. Dan Guido, CEO of Trail of Bits, a security company with a proven track-record, tweeted: "Regardless of the hype around the release, the bugs are real, accurately described in their technical report (which is not public afaik), and their exploit code works." But, Guido also admitted, "Yes, all the flaws require admin [privileges] but all are flaws, not expected functionality." It's that last part that ticks Torvalds off. The Linux creator agrees these are bugs, but all the hype annoys the heck out of him. Are there bugs? Yes. Do they matter in the real world? No. They require a system administrator to be almost criminally negligent to work. To Torvalds, inflammatory security reports are annoying distractions from getting real work done.
These are real bugs though. Dan Guido, CEO of Trail of Bits, a security company with a proven track-record, tweeted: "Regardless of the hype around the release, the bugs are real, accurately described in their technical report (which is not public afaik), and their exploit code works." But, Guido also admitted, "Yes, all the flaws require admin [privileges] but all are flaws, not expected functionality." It's that last part that ticks Torvalds off. The Linux creator agrees these are bugs, but all the hype annoys the heck out of him. Are there bugs? Yes. Do they matter in the real world? No. They require a system administrator to be almost criminally negligent to work. To Torvalds, inflammatory security reports are annoying distractions from getting real work done.
Before you go rouge, you need to apply a proper foundation. Or so I have gathered from the TV commercials.
They require a system administrator to be almost criminally negligent to work.
You might want to sit down for this....
The following will cause an Intel CPU to fail catastrophically:
* pouring petrol on the Intel CPU and then igniting it.
* smashing the Intel CPU with a hammer
* dousing the Intel CPU in highly concentrated sulphuric acid
* urinating on the motherboard containing the Intel CPU
* increasing the voltage supplied to the Intel CPU to 100 volts.
* installing a computer with an Intel CPU in a cage with an angry Tyrannosaurus Rex
* targetting the Intel CPU with a nuclear bomb
These flaws are so severe that Intel should withdraw all of their CPUs from the market and file for bankruptcy immediately. Nobody should ever use an Intel CPU for anything.
I am releasing this vital information now without prior notice to Intel because I believe that they have no hope of fixing this flaw in any reasonable time frame.
Disclaimer (hidden deep within the near-impenetrable legalese on an obscure URL of my web site, just like CTS's disclaimer): the reader should assume that I may have a position on the stocks of any company mentioned in this press release.