Posted by ryuzaki0 on from the this-is-gonna-get-wacky dept.
Peter Hernberg writes "Well, it looks like someone has found another exploit to get your PIII ID. The new story is here."
Cyrix and AMD are looking shinier each day.
I have to say, I find all the disgust over Intel's PIII id somehow overstated in the linux community and these recent comments seem to be the worst.
Intel has asked that anti-virus people list as a virus a program that *crashes the user's computer without their consent*! What definition of virus are people using such that this doesn't qualify? Not only does it crash the user's computer, it reveals information that the user doesn't want revealed. If instead of revealing the PIII, this program searched for Quicken documents and mailed them to a hotmail account, would we be saying that whoever makes Quicken shouldn't call it a virus?
I agree that on general principle the PIII id isn't a wonderful idea, but I can understand why Intel did it. Most high-end computers (Sun, SGI, Alpha?, etc) ship with some sort of unique id, for licensing purposes. The only reason people don't get upset about that is that they are not personal computers, but servers, so they cannot be linked to an identity. Intel wants to enter that market, and CPU ids are needed. But they then anger the consumer market. What should they do? The road they took (disable the PIII id, unless you need it for a server) seems like a fair compromise. Why is everyone so upset at them?
Finally, under a real operating system, this sort of exploit would be useless unless it was run as root. And if you go web browsing as root, you deserve what you get :-)
Mike Sackton
It is disturbing how some companies react to people who find flaws in their product.
Remember the Internet Exploder control? It was an ActiveX component which, when loaded with a web page, would count down ten seconds and shut down a Windows computer. The creator did it for the sole purpose of demonstrating potential security dangers with ActiveX.
Microsoft and Verisign threatened the guy with court action for obtaining a Verisign certificate under false pretenses. Never mind that part of his demonstration was just how easy it is to obtain such a certificate.
Now Intel has declared Zero-Knowledge's little demo to be a virus or trojan. Apparently, the goal is to discredit them. The worst part is that I think just about everyone saw it coming before they even got to "Intel's response" part of the article.
Here's the obvious part of my comment -- this tactic is pretty foreign to the Free Software community. It seems that most security problems with Free operating systems are received with, "thank you," and then they are FIXED. If you actually write a program which demonstrates the problem, you're a hero. No one attacks your credibility or motives. In fact, you are likely to GAIN credibility.
Of course, by posting this here I'm pretty much preaching to the choir. :)
--
Save the whales. Feed the hungry. Free the mallocs.