Slashdot Mirror

← Back to Stories (view on slashdot.org)

Linus Torvalds Slams CTS Labs Over AMD Vulnerability Report (zdnet.com)

Posted by BeauHD on from the technical-reports dept.

Earlier this week, CTS Labs, a Tel Aviv-based cybersecurity startup claimed it has discovered critical security flaws in AMD chips that could allow attackers to access sensitive data from highly guarded processors across millions of devices. Linus Torvalds, Linux's creator doesn't buy it. ZDNet reports: Torvalds, in a Google+ discussion, wrote: "When was the last time you saw a security advisory that was basically 'if you replace the BIOS or the CPU microcode with an evil version, you might have a security problem?' Yeah." Or, as a commenter put it on the same thread, "I just found a flaw in all of the hardware space. No device is secure: if you have physical access to a device, you can just pick it up and walk away. Am I a security expert yet?" CTS Labs claimed in an interview they gave AMD less than a day because they didn't think AMD could fix the problem for "many, many months, or even a year" anyway. Why would they possibly do this? For Torvalds: "It looks more like stock manipulation than a security advisory to me."

These are real bugs though. Dan Guido, CEO of Trail of Bits, a security company with a proven track-record, tweeted: "Regardless of the hype around the release, the bugs are real, accurately described in their technical report (which is not public afaik), and their exploit code works." But, Guido also admitted, "Yes, all the flaws require admin [privileges] but all are flaws, not expected functionality." It's that last part that ticks Torvalds off. The Linux creator agrees these are bugs, but all the hype annoys the heck out of him. Are there bugs? Yes. Do they matter in the real world? No. They require a system administrator to be almost criminally negligent to work. To Torvalds, inflammatory security reports are annoying distractions from getting real work done.

15 of 115 comments (clear)

  1. Don't need exploit if you have admin by Anonymous Coward · · Score: 5, Insightful

    whats the point of some exploit if you already have admin? You can do anything you want already

    1. Re:Don't need exploit if you have admin by Anonymous Coward · · Score: 3, Insightful

      In other words, the "victims" of these "exploits" are not you but the "business partners" of AMD....

    2. Re:Don't need exploit if you have admin by HiThere · · Score: 5, Insightful

      Since I'm my own systems administrator, I *do* want to have total control, even though I sure don't want to have to use it.

      Your argument seems to boil down to "Even though you 'bought' the device you don't own it.".

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    3. Re: Don't need exploit if you have admin by Anonymous Coward · · Score: 4, Funny

      Before you go rouge, you need to apply a proper foundation. Or so I have gathered from the TV commercials.

    4. Re:Don't need exploit if you have admin by sjames · · Score: 3

      The kernel has been redying for that for a long time. Root is nod divided into capabilities and cgroups and namespaces can limit the ability to see across compartments.

      But ultimately, someone will have the ability to upgrade the BIOS, and that person will have a great deal of ability to violate security.

  2. yep and? by bloodhawk · · Score: 3, Interesting

    While I agree it is absolutely idiotic, this seems to be pretty much the case for a very large percentage of security advisories issued by a lot of these types. Where either physical access or administrator/root access is required in order to pull off these highly dangerous exploits. So what makes this one so special that it needs singling out?

    1. Re:yep and? by darkain · · Score: 5, Interesting

      The difference this time is that it was published by a company that was only founded a couple months ago, only allowed for ~24 hours for "reasonable disclosure" (not even enough time to verify the claims, let alone issue patches), and openly admits they most likely have a financial stake in the AMD stock values. This all points directly to stock manipulation, not an actual major exploit (minor at best)

    2. Re:yep and? by AmiMoJo · · Score: 5, Interesting

      Stock manipulation, or Intel trying to stem the bleeding. I hear that a lot of big customers are switching to AMD now, especially cloud/datacentre people.

      Meltdown's security ramifications were bad enough, the 60%+ performance hit was even worse. But AMD has been putting out some really innovative kit for server use too. Encrypted RAM, with a different key for each VM and only 2-3% performance loss. Much cheaper parts with many more PCIe lanes and better support for IOMMU pass-through. ECC support even on the consumer stuff. Sockets that last for many years.

      Intel must be very happy about this, even if they are not involved somehow.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    3. Re:yep and? by HiThere · · Score: 4, Insightful

      If the changes are persistent, as at least some of the sources have indicated, then this *is* a serious problem, but probably only for people targeted by state actors. (OTOH, sometimes those "state actors" have a pretty loose focus to their targeting, and it's not unknown for their code to have bugs.)

      This, of course, doesn't excuse their mode of announcing this, but it suggests that some group may have caused those "bugs" to be present intentionally...and that they may have been known (by some) for quite awhile.

      OTOH, if it's not persistent, then it's not clear to me what is gained by anyone except Intel and stock market manipulators. So I suspect Intel of managing the process of revelation, possibly in a criminal way. And I suspect someone of (attempted?) stock market manipulation. I have no proof of either, and one doesn't exclude the other.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    4. Re:yep and? by bongey · · Score: 3, Interesting

      I can see a big Intel investor doing this more than Intel.

  3. So... by Yunzil · · Score: 5, Funny

    They require a system administrator to be almost criminally negligent to work.

    You might want to sit down for this....

  4. Beyond the hype by Lorens · · Score: 5, Insightful

    I have read through the documents (for work). Once stripped of the hype, I would not be surprised if these "vulnerabilities" are literally correct as described. There is a whole lot of hedging going on down in the details, which gut the document of any really critical vulnerabilities. It would have been so easy to leave out a sentence to make any one of those bugs earth-shaking, but no. This makes me think that the document is carefully written to be as alarming, as scare-mongering, as possible, while not actually giving in to blatant lies that could land someone in prison.

    *If* the vulnerabilities are as described, then the real-world impact is that you will no longer be able to really trust a pre-owned computer. Governments and security-conscious companies will no longer be able to take any computer (new or pre-owned), format or replace the disks, and declare the computer secure. Those "bugs" will need to be taken into account. Same thing for computer forensics.

    Of course, this was already somewhat the case. You should already reflash the BIOS, and some hard disks and ethernet cards have flashable firmware, but it would seem that the impact of these bugs are that the manufacturer's manual for cleaning the system, more or less unchanged for decades, now has a few holes in it.

    To sum it up, I suspect we paranoid people will need a much more hard-core procedure to sanitize hardware. A format/reinstall isn't going to cut it any more.

    1. Re:Beyond the hype by phantomfive · · Score: 4, Informative

      With UEFI, you already shouldn't trust a used computer. That stuff is heavily insecure and difficult to detect.

      --
      "First they came for the slanderers and i said nothing."
  5. Re:FTFY by alexo · · Score: 4, Insightful

    Torvalds was not the only person this irritated. I was irritated too. Where's my Slashdot post?

    Right next to the kernel you developed.

  6. INTEL CPUS HAVE HUGE SECURITY FLAWS!!! by cas2000 · · Score: 5, Funny

    The following will cause an Intel CPU to fail catastrophically:

      * pouring petrol on the Intel CPU and then igniting it.
      * smashing the Intel CPU with a hammer
      * dousing the Intel CPU in highly concentrated sulphuric acid
      * urinating on the motherboard containing the Intel CPU
      * increasing the voltage supplied to the Intel CPU to 100 volts.
      * installing a computer with an Intel CPU in a cage with an angry Tyrannosaurus Rex
      * targetting the Intel CPU with a nuclear bomb

    These flaws are so severe that Intel should withdraw all of their CPUs from the market and file for bankruptcy immediately. Nobody should ever use an Intel CPU for anything.

    I am releasing this vital information now without prior notice to Intel because I believe that they have no hope of fixing this flaw in any reasonable time frame.

    Disclaimer (hidden deep within the near-impenetrable legalese on an obscure URL of my web site, just like CTS's disclaimer): the reader should assume that I may have a position on the stocks of any company mentioned in this press release.