Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security AMD Operating Systems Linux

Linus Torvalds Slams CTS Labs Over AMD Vulnerability Report (zdnet.com) 115

Earlier this week, CTS Labs, a Tel Aviv-based cybersecurity startup claimed it has discovered critical security flaws in AMD chips that could allow attackers to access sensitive data from highly guarded processors across millions of devices. Linus Torvalds, Linux's creator doesn't buy it. ZDNet reports: Torvalds, in a Google+ discussion, wrote: "When was the last time you saw a security advisory that was basically 'if you replace the BIOS or the CPU microcode with an evil version, you might have a security problem?' Yeah." Or, as a commenter put it on the same thread, "I just found a flaw in all of the hardware space. No device is secure: if you have physical access to a device, you can just pick it up and walk away. Am I a security expert yet?" CTS Labs claimed in an interview they gave AMD less than a day because they didn't think AMD could fix the problem for "many, many months, or even a year" anyway. Why would they possibly do this? For Torvalds: "It looks more like stock manipulation than a security advisory to me."

These are real bugs though. Dan Guido, CEO of Trail of Bits, a security company with a proven track-record, tweeted: "Regardless of the hype around the release, the bugs are real, accurately described in their technical report (which is not public afaik), and their exploit code works." But, Guido also admitted, "Yes, all the flaws require admin [privileges] but all are flaws, not expected functionality." It's that last part that ticks Torvalds off. The Linux creator agrees these are bugs, but all the hype annoys the heck out of him. Are there bugs? Yes. Do they matter in the real world? No. They require a system administrator to be almost criminally negligent to work. To Torvalds, inflammatory security reports are annoying distractions from getting real work done.

This discussion has been archived. No new comments can be posted.

Linus Torvalds Slams CTS Labs Over AMD Vulnerability Report

Comments Filter:
  • by Anonymous Coward

    Linus Torvalds be like: Fuck you CTS Labs and Fuck you Nvidia.

    • But let this other famous guy say it:
       
      https://www.youtube.com/watch?v=27eADk7wh2Y

  • by Anonymous Coward on Thursday March 15, 2018 @04:38PM (#56266493)

    whats the point of some exploit if you already have admin? You can do anything you want already

    • Re: (Score:2, Interesting)

      by amorsen ( 7485 )

      Modern CPUs have an area that you aren't allowed to touch. That is where they implement TPM, store DRM keys among other things. It looks like some of the flaws may give you a chance at looking at that area; i.e. they allow you to actually control the hardware that you paid for.

      So no, you cannot do anything you want already, even with root access.

      • Re: (Score:3, Insightful)

        by Anonymous Coward

        In other words, the "victims" of these "exploits" are not you but the "business partners" of AMD....

        • by Anonymous Coward

          Sometimes security of the secure enclaves is in my (the end user) interedt. E.g. Signal uses secure enclaves (and remote attestation) to do contact discovery in a way that helps protect my privacy even in the event of a Signal server compromise.

      • by gweihir ( 88907 )

        You pretty much can do anything that matters to an attacker. It may just get a bit more complicated for some of those things.

    • Re: (Score:2, Insightful)

      by geekmux ( 1040042 )

      whats the point of some exploit if you already have admin? You can do anything you want already

      Perhaps we should stop taking the rather ignorant approach that even admins should have access to *everything*. Fuck that. It's called need to know.

      The military understood this concept with compartmentalization of data decades ago. Perhaps it's about damn time we pay attention to the value of that.

      And yeah, I DO realize that means questioning the trust of your own SysAdmins. How many times does industry need to repeat the words "Insider Threat" for people to pay attention? SysAdmins aren't magically i

      • by HiThere ( 15173 ) <[ten.knilhtrae] [ta] [nsxihselrahc]> on Thursday March 15, 2018 @05:32PM (#56266713)

        Since I'm my own systems administrator, I *do* want to have total control, even though I sure don't want to have to use it.

        Your argument seems to boil down to "Even though you 'bought' the device you don't own it.".

        • Re: (Score:2, Flamebait)

          by TheRaven64 ( 641858 )
          Do you want someone with 5 minutes of physical access to the machine (e.g. the minimum wage cleaners provided by an agency) to be able to install malware that the OS can't see, which survives complete reinstalls or even physically replacing the disk, and which can intercept everything that the OS does? If so, I really hope you don't work for a company with any confidential data.
          • Do you want someone with 5 minutes of physical access to the machine (e.g. the minimum wage cleaners provided by an agency) to be able to install malware that the OS can't see, which survives complete reinstalls or even physically replacing the disk, and which can intercept everything that the OS does? If so, I really hope you don't work for a company with any confidential data.

            Since my complete controls is as complete as theirs, it is not persistent as I can fix it.

            • Not true. They can patch the vulnerability that allows this, so unless you are preemptively replacing the secure firmware with something that you've audited then you're vulnerable and don't have a way of removing their persistent malware.
      • The military has pressures and responsibilities that, ideally, should not exist elsewhere. In fact, the reason to have a military is so that the rest of us aren't burdened with those concerns. The militarisation of other areas of society is worrying, dangerous and to an extent diminishes the sacrifice that those who serve have and continue to make.

        The military understood this concept with compartmentalization of data decades ago. Perhaps it's about damn time we pay attention to the value of that.

        Maybe you should consider the cost benefit ratio of that decision and ask whether that is the same for all cases.

        And yeah, I DO realize that means questioning the trust of your own SysAdmins

        This adversarial employer/employee relationship t

      • by gweihir ( 88907 )

        You seem to be unaware that there may be problems that need to be fixed _now_ in a running business. That is what you have the sysadmin for. Sure, you do "break glass" procedures for critical system, i.e. said sysadmin has to ask for access and justify it, but preventing the sysadmin from accessing everything is suicidal.

      • by sjames ( 1099 ) on Thursday March 15, 2018 @06:32PM (#56266903) Homepage Journal

        The kernel has been redying for that for a long time. Root is nod divided into capabilities and cgroups and namespaces can limit the ability to see across compartments.

        But ultimately, someone will have the ability to upgrade the BIOS, and that person will have a great deal of ability to violate security.

      • by Kjella ( 173770 )

        Perhaps we should stop taking the rather ignorant approach that even admins should have access to *everything*. Fuck that. It's called need to know.

        Except the computer has no mind of its own, it needs some kind of root trust. It can be software (root), hardware (signed boot), a remote computer (domain controller) or whatever but there must be something that starts with all the rights and can fundamentally alter the software and what everyone else's rights should be. The problem is not the scope of the power, it's that computers are made for solitary administration. Compare it to say an accounting system, there's usually tons of restrictions of what acc

      • Perhaps we should stop taking the rather ignorant approach that even admins should have access to *everything*. Fuck that. It's called need to know.

        Actually, we call it the Principle of Least Privilege and it's been a core idea in computer security for decades.

      • by pnutjam ( 523990 )
        This depends on the size of the organization. Many smaller orgs only have one or two guys and their fingers are in everything. Larger orgs should definitely compartmentalize. A good sysadmin will self compartmentalize and put auditing systems in place. A bad sysadmin complains about sudo and just uses root everywhere or makes his account a domain admin in the windows world.

        A guy I work with was telling me that his last company just added the "domain user" account to the local admin account on all their win
    • by Anonymous Coward

      You know who actually cares about, and values, TPM chips? Developers who need it for DRM.

      Outside of the realm of DRM, this stuff isn't really useful (*). When non-Hollywood types talk about securing things, we accept "if they got physical access and also admin rights, then it's theirs now." Do you really care that your bootloader is signed? Fuck no, because you don't let just anyone write to your bootloader, and if you did, then you'd expect to lose.

      But Hollywood wants "even if they have physical access and

      • You know who actually cares about, and values, TPM chips?

        Users of Windows who use it to handle full-disk encryption in such a way that the OS (and therefore, importantly, malware that compromises the OS) can't exfiltrate the keys and it's impossible (or, at least, infeasibly expensive) for anyone to access them if they steal the machine? Cloud users who rely on the TPM for remote attestation that the hypervisor hasn't been compromised?

    • I mostly agree with you, but I'm not clear on the persistence of these attacks.

      If it is actually installing nearly undetectable malware within the processor itself then just about anyone could set up shop and sell you an infected CPU or intercept and infect your hardware before it gets to you. That's always been a somewhat theoretical attack that sophisticated intelligence agencies might be able to pull off, but it sounds like this *might* make that very easy for anyone of moderate technical skills to pull

  • yep and? (Score:4, Interesting)

    by bloodhawk ( 813939 ) on Thursday March 15, 2018 @04:39PM (#56266497)
    While I agree it is absolutely idiotic, this seems to be pretty much the case for a very large percentage of security advisories issued by a lot of these types. Where either physical access or administrator/root access is required in order to pull off these highly dangerous exploits. So what makes this one so special that it needs singling out?
    • Re:yep and? (Score:5, Interesting)

      by darkain ( 749283 ) on Thursday March 15, 2018 @04:47PM (#56266529) Homepage

      The difference this time is that it was published by a company that was only founded a couple months ago, only allowed for ~24 hours for "reasonable disclosure" (not even enough time to verify the claims, let alone issue patches), and openly admits they most likely have a financial stake in the AMD stock values. This all points directly to stock manipulation, not an actual major exploit (minor at best)

      • Re:yep and? (Score:5, Interesting)

        by AmiMoJo ( 196126 ) on Thursday March 15, 2018 @04:55PM (#56266579) Homepage Journal

        Stock manipulation, or Intel trying to stem the bleeding. I hear that a lot of big customers are switching to AMD now, especially cloud/datacentre people.

        Meltdown's security ramifications were bad enough, the 60%+ performance hit was even worse. But AMD has been putting out some really innovative kit for server use too. Encrypted RAM, with a different key for each VM and only 2-3% performance loss. Much cheaper parts with many more PCIe lanes and better support for IOMMU pass-through. ECC support even on the consumer stuff. Sockets that last for many years.

        Intel must be very happy about this, even if they are not involved somehow.

        • Re:yep and? (Score:4, Interesting)

          by bongey ( 974911 ) on Thursday March 15, 2018 @07:35PM (#56267185)
          I can see a big Intel investor doing this more than Intel.
      • Re:yep and? (Score:5, Insightful)

        by HiThere ( 15173 ) <[ten.knilhtrae] [ta] [nsxihselrahc]> on Thursday March 15, 2018 @05:41PM (#56266741)

        If the changes are persistent, as at least some of the sources have indicated, then this *is* a serious problem, but probably only for people targeted by state actors. (OTOH, sometimes those "state actors" have a pretty loose focus to their targeting, and it's not unknown for their code to have bugs.)

        This, of course, doesn't excuse their mode of announcing this, but it suggests that some group may have caused those "bugs" to be present intentionally...and that they may have been known (by some) for quite awhile.

        OTOH, if it's not persistent, then it's not clear to me what is gained by anyone except Intel and stock market manipulators. So I suspect Intel of managing the process of revelation, possibly in a criminal way. And I suspect someone of (attempted?) stock market manipulation. I have no proof of either, and one doesn't exclude the other.

        • If the changes are persistent, as at least some of the sources have indicated, then this *is* a serious problem,

          It's a serious problem that require flashing the UEFI/BIOS firmware.
          If you have the capacity to flash firmware, you *already at that point* have the capability to do a ton of awful and persisting damages.
          The fact that these peculiar variants happen to attack the AMD PSP is just a small foot note detail.

          To put it into perspective, this has nothing to do with the numerous bugs and exploit that have plagued IntelAMT and IPMI (those were more of the type "the lights-out remote management system is so buggy and

      • Comment removed based on user account deletion
    • Re: yep and? (Score:2, Insightful)

      by Anonymous Coward

      Because this one is obviously part of a stock manipulation scam and was far more overly reported than others. It's more fake news, this time being spread for financial gains. And as usual news sites don't give a fuck because it gives them ad money.

  • by Anonymous Coward

    https://regmedia.co.uk/2015/07... [regmedia.co.uk]

    WORD--;

  • by Qbertino ( 265505 ) <moiraNO@SPAMmodparlor.com> on Thursday March 15, 2018 @04:48PM (#56266539)

    ... some blowhard douche. Nice. Like it.
    Sadly the fight is so short there's no point in getting popcorn. ...
    Ok, so it *was* some kretin looking for attention. I have that suspicion when I saw the report on some tech blog yesterday.

  • by Anonymous Coward

    If you replace the BIOS or microcode with something not expected it wont work as expected.

    This doesn't seem any more malicious then issuing a command like

    dd if=/dev/random of=/dev/bios count=1024 bs=1024 to overwrite the BIOS with garbage and brick the machine on next boot

    Maybe we need to go back to the days of removable BIOS chips where on the cheap end one could snip the write enable pin on the BIOS chip or on the slightly more expensive end there were devices that could sit between the BIOS chip and the

  • by Anonymous Coward

    "To everyone who does patch management, inflammatory security reports are annoying distractions from getting real work done."

    Torvalds was not the only person this irritated. I was irritated too. Where's my Slashdot post?

  • My word, but there are a lot of trolls posting on this story. I do wonder how many are being paid to do so...and who would fund an astroturf campaign, though they don't all seem to have the same playbook.

  • So... (Score:5, Funny)

    by Yunzil ( 181064 ) on Thursday March 15, 2018 @05:48PM (#56266769) Homepage

    They require a system administrator to be almost criminally negligent to work.

    You might want to sit down for this....

  • Beyond the hype (Score:5, Insightful)

    by Lorens ( 597774 ) on Thursday March 15, 2018 @05:59PM (#56266803) Journal

    I have read through the documents (for work). Once stripped of the hype, I would not be surprised if these "vulnerabilities" are literally correct as described. There is a whole lot of hedging going on down in the details, which gut the document of any really critical vulnerabilities. It would have been so easy to leave out a sentence to make any one of those bugs earth-shaking, but no. This makes me think that the document is carefully written to be as alarming, as scare-mongering, as possible, while not actually giving in to blatant lies that could land someone in prison.

    *If* the vulnerabilities are as described, then the real-world impact is that you will no longer be able to really trust a pre-owned computer. Governments and security-conscious companies will no longer be able to take any computer (new or pre-owned), format or replace the disks, and declare the computer secure. Those "bugs" will need to be taken into account. Same thing for computer forensics.

    Of course, this was already somewhat the case. You should already reflash the BIOS, and some hard disks and ethernet cards have flashable firmware, but it would seem that the impact of these bugs are that the manufacturer's manual for cleaning the system, more or less unchanged for decades, now has a few holes in it.

    To sum it up, I suspect we paranoid people will need a much more hard-core procedure to sanitize hardware. A format/reinstall isn't going to cut it any more.

  • He then suplexed Fox news for disingenuous reporting and triple axle-kicked the those who think 'slams' isn't the most goddamn overused headline verb.

  • ...this airtight hatchway."

    "Yes, all the flaws require admin [privileges] but all are flaws, not expected functionality."

    Relevant: https://www.google.com/search?q=site%3Ablogs.msdn.com%2Fb%2Foldnewthing%2F+%22airtight+hatchway%22 [google.com]

    If there is no privilege escalation, they are not security flaws, just boring ol' bugs.

  • by cas2000 ( 148703 ) on Thursday March 15, 2018 @09:28PM (#56267551)

    The following will cause an Intel CPU to fail catastrophically:

      * pouring petrol on the Intel CPU and then igniting it.
      * smashing the Intel CPU with a hammer
      * dousing the Intel CPU in highly concentrated sulphuric acid
      * urinating on the motherboard containing the Intel CPU
      * increasing the voltage supplied to the Intel CPU to 100 volts.
      * installing a computer with an Intel CPU in a cage with an angry Tyrannosaurus Rex
      * targetting the Intel CPU with a nuclear bomb

    These flaws are so severe that Intel should withdraw all of their CPUs from the market and file for bankruptcy immediately. Nobody should ever use an Intel CPU for anything.

    I am releasing this vital information now without prior notice to Intel because I believe that they have no hope of fixing this flaw in any reasonable time frame.

    Disclaimer (hidden deep within the near-impenetrable legalese on an obscure URL of my web site, just like CTS's disclaimer): the reader should assume that I may have a position on the stocks of any company mentioned in this press release.

  • The only thing that would make this news is if it read:

    "Linus reacts proportionally to something he doesn't like and actually has something new and insightful to contribute."

    I'm sick of hearing tech news about this idiot whinging about stuff. Linus, act like a normal person mate.

    • He's generally a pretty bright guy, but I almost pissed myself at the claim of a requirement of criminal negligence from an administrator.
      I've made a living finding privilege escalations in *his* goddamn operating system.
      I've never before been able to say, with this root escalation, I can now render this machine forever owned. Now I can.
      I just really hope it drives home the silliness of allowing any kind of code to run on the goddamn chipsets, and special security domains running at ring -1.

No spitting on the Bus! Thank you, The Mgt.

Working...