Slashdot Mirror

← Back to Stories (view on slashdot.org)

Linus Torvalds Slams CTS Labs Over AMD Vulnerability Report (zdnet.com)

Posted by BeauHD on from the technical-reports dept.

Earlier this week, CTS Labs, a Tel Aviv-based cybersecurity startup claimed it has discovered critical security flaws in AMD chips that could allow attackers to access sensitive data from highly guarded processors across millions of devices. Linus Torvalds, Linux's creator doesn't buy it. ZDNet reports: Torvalds, in a Google+ discussion, wrote: "When was the last time you saw a security advisory that was basically 'if you replace the BIOS or the CPU microcode with an evil version, you might have a security problem?' Yeah." Or, as a commenter put it on the same thread, "I just found a flaw in all of the hardware space. No device is secure: if you have physical access to a device, you can just pick it up and walk away. Am I a security expert yet?" CTS Labs claimed in an interview they gave AMD less than a day because they didn't think AMD could fix the problem for "many, many months, or even a year" anyway. Why would they possibly do this? For Torvalds: "It looks more like stock manipulation than a security advisory to me."

These are real bugs though. Dan Guido, CEO of Trail of Bits, a security company with a proven track-record, tweeted: "Regardless of the hype around the release, the bugs are real, accurately described in their technical report (which is not public afaik), and their exploit code works." But, Guido also admitted, "Yes, all the flaws require admin [privileges] but all are flaws, not expected functionality." It's that last part that ticks Torvalds off. The Linux creator agrees these are bugs, but all the hype annoys the heck out of him. Are there bugs? Yes. Do they matter in the real world? No. They require a system administrator to be almost criminally negligent to work. To Torvalds, inflammatory security reports are annoying distractions from getting real work done.

27 of 115 comments (clear)

  1. Don't need exploit if you have admin by Anonymous Coward · · Score: 5, Insightful

    whats the point of some exploit if you already have admin? You can do anything you want already

    1. Re:Don't need exploit if you have admin by amorsen · · Score: 2, Interesting

      Modern CPUs have an area that you aren't allowed to touch. That is where they implement TPM, store DRM keys among other things. It looks like some of the flaws may give you a chance at looking at that area; i.e. they allow you to actually control the hardware that you paid for.

      So no, you cannot do anything you want already, even with root access.

      --
      Finally! A year of moderation! Ready for 2019?
    2. Re:Don't need exploit if you have admin by Anonymous Coward · · Score: 3, Insightful

      In other words, the "victims" of these "exploits" are not you but the "business partners" of AMD....

    3. Re:Don't need exploit if you have admin by gweihir · · Score: 2

      You pretty much can do anything that matters to an attacker. It may just get a bit more complicated for some of those things.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    4. Re:Don't need exploit if you have admin by HiThere · · Score: 5, Insightful

      Since I'm my own systems administrator, I *do* want to have total control, even though I sure don't want to have to use it.

      Your argument seems to boil down to "Even though you 'bought' the device you don't own it.".

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    5. Re:Don't need exploit if you have admin by another_twilight · · Score: 2

      The military has pressures and responsibilities that, ideally, should not exist elsewhere. In fact, the reason to have a military is so that the rest of us aren't burdened with those concerns. The militarisation of other areas of society is worrying, dangerous and to an extent diminishes the sacrifice that those who serve have and continue to make.

      The military understood this concept with compartmentalization of data decades ago. Perhaps it's about damn time we pay attention to the value of that.

      Maybe you should consider the cost benefit ratio of that decision and ask whether that is the same for all cases.

      And yeah, I DO realize that means questioning the trust of your own SysAdmins

      This adversarial employer/employee relationship that this implies is part of the problem for the lack of trust. Trust is a relationship. It needs to be developed and it must be two way. When your employees are treated with dignity and trust, then some (most?) will respond in kind. It's easy enough in such an environment to identify the people who don't respond and remove them. But in an adversarial environment, you'll have a much harder time workout out who is and isn't capable of trust.

      SysAdmins aren't magically immune

      Neither are accountants, HR, sales reps, account managers etc. Some places those people are heavily monitored and/or restricted, in others they are trusted to act professionally and ethically.

      How many times does industry need to repeat the words "Insider Threat" for people to pay attention

      Those who sacrifice liberty for security ...

    6. Re:Don't need exploit if you have admin by gweihir · · Score: 2

      You seem to be unaware that there may be problems that need to be fixed _now_ in a running business. That is what you have the sysadmin for. Sure, you do "break glass" procedures for critical system, i.e. said sysadmin has to ask for access and justify it, but preventing the sysadmin from accessing everything is suicidal.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    7. Re: Don't need exploit if you have admin by Anonymous Coward · · Score: 4, Funny

      Before you go rouge, you need to apply a proper foundation. Or so I have gathered from the TV commercials.

    8. Re:Don't need exploit if you have admin by sjames · · Score: 3

      The kernel has been redying for that for a long time. Root is nod divided into capabilities and cgroups and namespaces can limit the ability to see across compartments.

      But ultimately, someone will have the ability to upgrade the BIOS, and that person will have a great deal of ability to violate security.

    9. Re: Don't need exploit if you have admin by BronsCon · · Score: 2

      Please, please, please do stay clear of sodium. Completely avoid that critical nutrient so we don't have to put up with you for much longer than a few more days.

      Or at least know what the hell you're talking about before you dole out what some might construe as medical advice.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
  2. yep and? by bloodhawk · · Score: 3, Interesting

    While I agree it is absolutely idiotic, this seems to be pretty much the case for a very large percentage of security advisories issued by a lot of these types. Where either physical access or administrator/root access is required in order to pull off these highly dangerous exploits. So what makes this one so special that it needs singling out?

    1. Re:yep and? by darkain · · Score: 5, Interesting

      The difference this time is that it was published by a company that was only founded a couple months ago, only allowed for ~24 hours for "reasonable disclosure" (not even enough time to verify the claims, let alone issue patches), and openly admits they most likely have a financial stake in the AMD stock values. This all points directly to stock manipulation, not an actual major exploit (minor at best)

    2. Re:yep and? by AmiMoJo · · Score: 5, Interesting

      Stock manipulation, or Intel trying to stem the bleeding. I hear that a lot of big customers are switching to AMD now, especially cloud/datacentre people.

      Meltdown's security ramifications were bad enough, the 60%+ performance hit was even worse. But AMD has been putting out some really innovative kit for server use too. Encrypted RAM, with a different key for each VM and only 2-3% performance loss. Much cheaper parts with many more PCIe lanes and better support for IOMMU pass-through. ECC support even on the consumer stuff. Sockets that last for many years.

      Intel must be very happy about this, even if they are not involved somehow.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    3. Re:yep and? by HiThere · · Score: 4, Insightful

      If the changes are persistent, as at least some of the sources have indicated, then this *is* a serious problem, but probably only for people targeted by state actors. (OTOH, sometimes those "state actors" have a pretty loose focus to their targeting, and it's not unknown for their code to have bugs.)

      This, of course, doesn't excuse their mode of announcing this, but it suggests that some group may have caused those "bugs" to be present intentionally...and that they may have been known (by some) for quite awhile.

      OTOH, if it's not persistent, then it's not clear to me what is gained by anyone except Intel and stock market manipulators. So I suspect Intel of managing the process of revelation, possibly in a criminal way. And I suspect someone of (attempted?) stock market manipulation. I have no proof of either, and one doesn't exclude the other.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    4. Re: yep and? by Anonymous Coward · · Score: 2, Insightful

      Because this one is obviously part of a stock manipulation scam and was far more overly reported than others. It's more fake news, this time being spread for financial gains. And as usual news sites don't give a fuck because it gives them ad money.

    5. Re:yep and? by bongey · · Score: 3, Interesting

      I can see a big Intel investor doing this more than Intel.

    6. Re:yep and? by afxgrin · · Score: 2

      But look at their nice offices, they couldn't have been founded a couple months ago.

  3. Linus smacking up ... by Qbertino · · Score: 2, Interesting

    ... some blowhard douche. Nice. Like it.
    Sadly the fight is so short there's no point in getting popcorn. ...
    Ok, so it *was* some kretin looking for attention. I have that suspicion when I saw the report on some tech blog yesterday.

    --
    We suffer more in our imagination than in reality. - Seneca
  4. DRM by Anonymous Coward · · Score: 2

    You know who actually cares about, and values, TPM chips? Developers who need it for DRM.

    Outside of the realm of DRM, this stuff isn't really useful (*). When non-Hollywood types talk about securing things, we accept "if they got physical access and also admin rights, then it's theirs now." Do you really care that your bootloader is signed? Fuck no, because you don't let just anyone write to your bootloader, and if you did, then you'd expect to lose.

    But Hollywood wants "even if they have physical access and admin rights, the computer should still [at least partially] belong to Hollywood."

    It's a non-story. Unless you're in the DRM snakeoil business. ie. if you make your living through fraud. So Linus wouldn't care. But Microsoft, Google, etc would, because they want their OSes to offer DRM.

    (*) Ok, maybe VPSes and "cloud providers" (e.g. AWS) care, a little.

  5. So... by Yunzil · · Score: 5, Funny

    They require a system administrator to be almost criminally negligent to work.

    You might want to sit down for this....

  6. Beyond the hype by Lorens · · Score: 5, Insightful

    I have read through the documents (for work). Once stripped of the hype, I would not be surprised if these "vulnerabilities" are literally correct as described. There is a whole lot of hedging going on down in the details, which gut the document of any really critical vulnerabilities. It would have been so easy to leave out a sentence to make any one of those bugs earth-shaking, but no. This makes me think that the document is carefully written to be as alarming, as scare-mongering, as possible, while not actually giving in to blatant lies that could land someone in prison.

    *If* the vulnerabilities are as described, then the real-world impact is that you will no longer be able to really trust a pre-owned computer. Governments and security-conscious companies will no longer be able to take any computer (new or pre-owned), format or replace the disks, and declare the computer secure. Those "bugs" will need to be taken into account. Same thing for computer forensics.

    Of course, this was already somewhat the case. You should already reflash the BIOS, and some hard disks and ethernet cards have flashable firmware, but it would seem that the impact of these bugs are that the manufacturer's manual for cleaning the system, more or less unchanged for decades, now has a few holes in it.

    To sum it up, I suspect we paranoid people will need a much more hard-core procedure to sanitize hardware. A format/reinstall isn't going to cut it any more.

    1. Re:Beyond the hype by phantomfive · · Score: 4, Informative

      With UEFI, you already shouldn't trust a used computer. That stuff is heavily insecure and difficult to detect.

      --
      "First they came for the slanderers and i said nothing."
  7. Re:FTFY by alexo · · Score: 4, Insightful

    Torvalds was not the only person this irritated. I was irritated too. Where's my Slashdot post?

    Right next to the kernel you developed.

  8. "It rather involved being on the other side of... by The+MAZZTer · · Score: 2

    ...this airtight hatchway."

    "Yes, all the flaws require admin [privileges] but all are flaws, not expected functionality."

    Relevant: https://www.google.com/search?q=site%3Ablogs.msdn.com%2Fb%2Foldnewthing%2F+%22airtight+hatchway%22

    If there is no privilege escalation, they are not security flaws, just boring ol' bugs.

  9. INTEL CPUS HAVE HUGE SECURITY FLAWS!!! by cas2000 · · Score: 5, Funny

    The following will cause an Intel CPU to fail catastrophically:

      * pouring petrol on the Intel CPU and then igniting it.
      * smashing the Intel CPU with a hammer
      * dousing the Intel CPU in highly concentrated sulphuric acid
      * urinating on the motherboard containing the Intel CPU
      * increasing the voltage supplied to the Intel CPU to 100 volts.
      * installing a computer with an Intel CPU in a cage with an angry Tyrannosaurus Rex
      * targetting the Intel CPU with a nuclear bomb

    These flaws are so severe that Intel should withdraw all of their CPUs from the market and file for bankruptcy immediately. Nobody should ever use an Intel CPU for anything.

    I am releasing this vital information now without prior notice to Intel because I believe that they have no hope of fixing this flaw in any reasonable time frame.

    Disclaimer (hidden deep within the near-impenetrable legalese on an obscure URL of my web site, just like CTS's disclaimer): the reader should assume that I may have a position on the stocks of any company mentioned in this press release.

  10. Re:This isn't news by DamnOregonian · · Score: 2

    He's generally a pretty bright guy, but I almost pissed myself at the claim of a requirement of criminal negligence from an administrator.
    I've made a living finding privilege escalations in *his* goddamn operating system.
    I've never before been able to say, with this root escalation, I can now render this machine forever owned. Now I can.
    I just really hope it drives home the silliness of allowing any kind of code to run on the goddamn chipsets, and special security domains running at ring -1.

  11. Re:This by Killall+-9+Bash · · Score: 2

    Oh... so you don't need root...... you just need the even higher access privilege of PHYSICAL ACCESS.

    --
    "Prediction: within 10 years, Windows will be a Linux distribution." Me, 7-6-2016