Slashdot Mirror

← Back to Stories (view on slashdot.org)

Linus Torvalds Slams CTS Labs Over AMD Vulnerability Report (zdnet.com)

Posted by BeauHD on from the technical-reports dept.

Earlier this week, CTS Labs, a Tel Aviv-based cybersecurity startup claimed it has discovered critical security flaws in AMD chips that could allow attackers to access sensitive data from highly guarded processors across millions of devices. Linus Torvalds, Linux's creator doesn't buy it. ZDNet reports: Torvalds, in a Google+ discussion, wrote: "When was the last time you saw a security advisory that was basically 'if you replace the BIOS or the CPU microcode with an evil version, you might have a security problem?' Yeah." Or, as a commenter put it on the same thread, "I just found a flaw in all of the hardware space. No device is secure: if you have physical access to a device, you can just pick it up and walk away. Am I a security expert yet?" CTS Labs claimed in an interview they gave AMD less than a day because they didn't think AMD could fix the problem for "many, many months, or even a year" anyway. Why would they possibly do this? For Torvalds: "It looks more like stock manipulation than a security advisory to me."

These are real bugs though. Dan Guido, CEO of Trail of Bits, a security company with a proven track-record, tweeted: "Regardless of the hype around the release, the bugs are real, accurately described in their technical report (which is not public afaik), and their exploit code works." But, Guido also admitted, "Yes, all the flaws require admin [privileges] but all are flaws, not expected functionality." It's that last part that ticks Torvalds off. The Linux creator agrees these are bugs, but all the hype annoys the heck out of him. Are there bugs? Yes. Do they matter in the real world? No. They require a system administrator to be almost criminally negligent to work. To Torvalds, inflammatory security reports are annoying distractions from getting real work done.

7 of 115 comments (clear)

  1. yep and? by bloodhawk · · Score: 3, Interesting

    While I agree it is absolutely idiotic, this seems to be pretty much the case for a very large percentage of security advisories issued by a lot of these types. Where either physical access or administrator/root access is required in order to pull off these highly dangerous exploits. So what makes this one so special that it needs singling out?

    1. Re:yep and? by darkain · · Score: 5, Interesting

      The difference this time is that it was published by a company that was only founded a couple months ago, only allowed for ~24 hours for "reasonable disclosure" (not even enough time to verify the claims, let alone issue patches), and openly admits they most likely have a financial stake in the AMD stock values. This all points directly to stock manipulation, not an actual major exploit (minor at best)

    2. Re:yep and? by AmiMoJo · · Score: 5, Interesting

      Stock manipulation, or Intel trying to stem the bleeding. I hear that a lot of big customers are switching to AMD now, especially cloud/datacentre people.

      Meltdown's security ramifications were bad enough, the 60%+ performance hit was even worse. But AMD has been putting out some really innovative kit for server use too. Encrypted RAM, with a different key for each VM and only 2-3% performance loss. Much cheaper parts with many more PCIe lanes and better support for IOMMU pass-through. ECC support even on the consumer stuff. Sockets that last for many years.

      Intel must be very happy about this, even if they are not involved somehow.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    3. Re:yep and? by bongey · · Score: 3, Interesting

      I can see a big Intel investor doing this more than Intel.

  2. Linus smacking up ... by Qbertino · · Score: 2, Interesting

    ... some blowhard douche. Nice. Like it.
    Sadly the fight is so short there's no point in getting popcorn. ...
    Ok, so it *was* some kretin looking for attention. I have that suspicion when I saw the report on some tech blog yesterday.

    --
    We suffer more in our imagination than in reality. - Seneca
  3. Re:Don't need exploit if you have admin by amorsen · · Score: 2, Interesting

    Modern CPUs have an area that you aren't allowed to touch. That is where they implement TPM, store DRM keys among other things. It looks like some of the flaws may give you a chance at looking at that area; i.e. they allow you to actually control the hardware that you paid for.

    So no, you cannot do anything you want already, even with root access.

    --
    Finally! A year of moderation! Ready for 2019?
  4. Re:Lots of trolls on this story by Anonymous Coward · · Score: 0, Interesting

    I want to live in your fantasy world where Slashdot is important enough for anyone to even bother astroturfing. 56 comments on this submission. Delusions of grandeur.