Slashdot Mirror
Linus Torvalds Slams CTS Labs Over AMD Vulnerability Report (zdnet.com)
Earlier this week, CTS Labs, a Tel Aviv-based cybersecurity startup claimed it has discovered critical security flaws in AMD chips that could allow attackers to access sensitive data from highly guarded processors across millions of devices. Linus Torvalds, Linux's creator doesn't buy it. ZDNet reports: Torvalds, in a Google+ discussion, wrote: "When was the last time you saw a security advisory that was basically 'if you replace the BIOS or the CPU microcode with an evil version, you might have a security problem?' Yeah." Or, as a commenter put it on the same thread, "I just found a flaw in all of the hardware space. No device is secure: if you have physical access to a device, you can just pick it up and walk away. Am I a security expert yet?" CTS Labs claimed in an interview they gave AMD less than a day because they didn't think AMD could fix the problem for "many, many months, or even a year" anyway. Why would they possibly do this? For Torvalds: "It looks more like stock manipulation than a security advisory to me."
These are real bugs though. Dan Guido, CEO of Trail of Bits, a security company with a proven track-record, tweeted: "Regardless of the hype around the release, the bugs are real, accurately described in their technical report (which is not public afaik), and their exploit code works." But, Guido also admitted, "Yes, all the flaws require admin [privileges] but all are flaws, not expected functionality." It's that last part that ticks Torvalds off. The Linux creator agrees these are bugs, but all the hype annoys the heck out of him. Are there bugs? Yes. Do they matter in the real world? No. They require a system administrator to be almost criminally negligent to work. To Torvalds, inflammatory security reports are annoying distractions from getting real work done.
These are real bugs though. Dan Guido, CEO of Trail of Bits, a security company with a proven track-record, tweeted: "Regardless of the hype around the release, the bugs are real, accurately described in their technical report (which is not public afaik), and their exploit code works." But, Guido also admitted, "Yes, all the flaws require admin [privileges] but all are flaws, not expected functionality." It's that last part that ticks Torvalds off. The Linux creator agrees these are bugs, but all the hype annoys the heck out of him. Are there bugs? Yes. Do they matter in the real world? No. They require a system administrator to be almost criminally negligent to work. To Torvalds, inflammatory security reports are annoying distractions from getting real work done.
Linus Torvalds be like: Fuck you CTS Labs and Fuck you Nvidia.
whats the point of some exploit if you already have admin? You can do anything you want already
If the changes are persistent, as at least some of the sources have indicated, then this *is* a serious problem, but probably only for people targeted by state actors. (OTOH, sometimes those "state actors" have a pretty loose focus to their targeting, and it's not unknown for their code to have bugs.)
This, of course, doesn't excuse their mode of announcing this, but it suggests that some group may have caused those "bugs" to be present intentionally...and that they may have been known (by some) for quite awhile.
OTOH, if it's not persistent, then it's not clear to me what is gained by anyone except Intel and stock market manipulators. So I suspect Intel of managing the process of revelation, possibly in a criminal way. And I suspect someone of (attempted?) stock market manipulation. I have no proof of either, and one doesn't exclude the other.
I think we've pushed this "anyone can grow up to be president" thing too far.
My word, but there are a lot of trolls posting on this story. I do wonder how many are being paid to do so...and who would fund an astroturf campaign, though they don't all seem to have the same playbook.
I think we've pushed this "anyone can grow up to be president" thing too far.
I have read through the documents (for work). Once stripped of the hype, I would not be surprised if these "vulnerabilities" are literally correct as described. There is a whole lot of hedging going on down in the details, which gut the document of any really critical vulnerabilities. It would have been so easy to leave out a sentence to make any one of those bugs earth-shaking, but no. This makes me think that the document is carefully written to be as alarming, as scare-mongering, as possible, while not actually giving in to blatant lies that could land someone in prison.
*If* the vulnerabilities are as described, then the real-world impact is that you will no longer be able to really trust a pre-owned computer. Governments and security-conscious companies will no longer be able to take any computer (new or pre-owned), format or replace the disks, and declare the computer secure. Those "bugs" will need to be taken into account. Same thing for computer forensics.
Of course, this was already somewhat the case. You should already reflash the BIOS, and some hard disks and ethernet cards have flashable firmware, but it would seem that the impact of these bugs are that the manufacturer's manual for cleaning the system, more or less unchanged for decades, now has a few holes in it.
To sum it up, I suspect we paranoid people will need a much more hard-core procedure to sanitize hardware. A format/reinstall isn't going to cut it any more.
Because this one is obviously part of a stock manipulation scam and was far more overly reported than others. It's more fake news, this time being spread for financial gains. And as usual news sites don't give a fuck because it gives them ad money.
Torvalds was not the only person this irritated. I was irritated too. Where's my Slashdot post?
Right next to the kernel you developed.