Linus Torvalds Slams CTS Labs Over AMD Vulnerability Report
Linus Torvalds Slams CTS Labs Over AMD Vulnerability Report
Published on March 16, 2018 at 02:30AM
Earlier this week, CTS Labs, a Tel Aviv-based cybersecurity startup claimed it has discovered critical security flaws in AMD chips that could allow attackers to access sensitive data from highly guarded processors across millions of devices. Linus Torvalds, Linux's creator doesn't buy it. ZDNet reports: Torvalds, in a Google+ discussion, wrote: "When was the last time you saw a security advisory that was basically 'if you replace the BIOS or the CPU microcode with an evil version, you might have a security problem?' Yeah." Or, as a commenter put it on the same thread, "I just found a flaw in all of the hardware space. No device is secure: if you have physical access to a device, you can just pick it up and walk away. Am I a security expert yet?" CTS Labs claimed in an interview they gave AMD less than a day because they didn't think AMD could fix the problem for "many, many months, or even a year" anyway. Why would they possibly do this? For Torvalds: "It looks more like stock manipulation than a security advisory to me." These are real bugs though. Dan Guido, CEO of Trail of Bits, a security company with a proven track-record, tweeted: "Regardless of the hype around the release, the bugs are real, accurately described in their technical report (which is not public afaik), and their exploit code works." But, Guido also admitted, "Yes, all the flaws require admin [privileges] but all are flaws, not expected functionality." It's that last part that ticks Torvalds off. The Linux creator agrees these are bugs, but all the hype annoys the heck out of him. Are there bugs? Yes. Do they matter in the real world? No. They require a system administrator to be almost criminally negligent to work. To Torvalds, inflammatory security reports are annoying distractions from getting real work done.
Published on March 16, 2018 at 02:30AM
Earlier this week, CTS Labs, a Tel Aviv-based cybersecurity startup claimed it has discovered critical security flaws in AMD chips that could allow attackers to access sensitive data from highly guarded processors across millions of devices. Linus Torvalds, Linux's creator doesn't buy it. ZDNet reports: Torvalds, in a Google+ discussion, wrote: "When was the last time you saw a security advisory that was basically 'if you replace the BIOS or the CPU microcode with an evil version, you might have a security problem?' Yeah." Or, as a commenter put it on the same thread, "I just found a flaw in all of the hardware space. No device is secure: if you have physical access to a device, you can just pick it up and walk away. Am I a security expert yet?" CTS Labs claimed in an interview they gave AMD less than a day because they didn't think AMD could fix the problem for "many, many months, or even a year" anyway. Why would they possibly do this? For Torvalds: "It looks more like stock manipulation than a security advisory to me." These are real bugs though. Dan Guido, CEO of Trail of Bits, a security company with a proven track-record, tweeted: "Regardless of the hype around the release, the bugs are real, accurately described in their technical report (which is not public afaik), and their exploit code works." But, Guido also admitted, "Yes, all the flaws require admin [privileges] but all are flaws, not expected functionality." It's that last part that ticks Torvalds off. The Linux creator agrees these are bugs, but all the hype annoys the heck out of him. Are there bugs? Yes. Do they matter in the real world? No. They require a system administrator to be almost criminally negligent to work. To Torvalds, inflammatory security reports are annoying distractions from getting real work done.
Read more of this story at Slashdot.
No comments