The 13 critical security vulnerabilities in AMD's Zen-based processors were yesterday's big news item. However, a lot of controversy arose about the severity of the flaws, and especially about the way CTS-Labs made the discovery public. It's a company no one had ever heard of before, and they gave AMD less than 24 hours' notice, versus the typical 90 days.
Linus Torvalds has, without naming names, slammed the direction in which the IT security industry is going. The timing of Torvalds' comments is key. They come on a day when CTS-Labs published a press release chronicling what they claim to be 13 critical security vulnerabilities in AMD's "Zen" CPU microarchitecture. "It looks like the IT security world has hit a new low," Torvalds begins. "If you work in security, and think you have some morals, I think you might want to add the tag-line: 'No, really, I'm not a whore. Pinky promise' to your business card. Because I thought the whole industry was corrupt before, but it's getting ridiculous," he continues. "At what point will security people admit they have an attention-whoring problem?"
In related news, it appears that these exploits require administrative access. This basically means the 13 vulnerabilities can only be used on a system that is already compromised.
So it looks like these AMD exploits all require admin rights to implement. They may be flaws, but whatever machine they are being applied to has already been compromised.