New AMD vulns posted

[pendrachken]

AMD refuses to admit to them too... great job there team RED.

https://it.slashdot.org/story/20/03/09/ ... lashdot%29

[Deb-fan]

Read about this and it's just more of the side channel mania that's sweeping the gnu/nix world. For all practical purposes the "vulnerability" doesn't exist. Thing I'd read said with unfettered access, being able to install malicious software on the target system, they were able to get some "bits of metadata". So basically they would already need root on that system to even exploit it and didn't get any significant info anyway. People have been facing much more real and relevant exploits forever, these side channel things for personal system nixer's (desktop), in non-shared hardware, non-untrusted multi-user settings are a joke. Long term snooping/spying in applicable enterprise environments, yeah. Virtual machines, vps's, cloud services etc, definitely. Someone still needs access to shared cores/caches and ideally a decent amount of time for this to matter.

So don't blame AMD a bit for such a response. It'd be like me letting some stranger use my box, giving them root password and then going OMG gnu/Linux is wide open and completely vulnerable, people(with root)can do whatever harm they wish! If a malicious person had all they'd need to use these terrible "silicon level" exploits bothering with using them would be a total waste of time.

Also the study was funded with some generous gifts from Intel, they've taken some massive hits in terms of trust/dependability both in enterprise (where side-channel could be a real concern in usecases) and with personal computer users too. They're saying ... no, no, no, we've been totally open about funding this, people behind the findings very open about acknowledging "generous gifts" from Intel too but think it is/was find something/anything ... even if it's just leaking tiny bits of useless metadata under ridiculous conditions where the "attacker" already has root on the target system anyway. The power of FUD should not be taken lightly.

[Deb-fan]

Curiosity made me look and yep, the mighty FUD machine cranked into full gear, ranging from quotes from a guy directly involved in study/findings saying ..

While these attacks present a security risk, Daniel Gruss, one of the researchers that discovered the attacks, stated on Twitter that they aren't as dangerous as Meltdown and Zombieload. He said in response to another Twitter user, "The attacks leak a few [bits] of meta-data. Meltdown and Zombieload leak tons of actual data."

That's consistent with what I'd seen on this topic. To tech content writers making it sound like if you've got an AMD based system, may as well just throw it in the trash. However teenie, tiny bit of common sense, remote familiarity with how the real world works, tells someone many of these writers aren't even competent techies, aren't IT sec pros. Their job is to generate web content, the more controversial or sensational the better, more attention, more views. Also many popular tech content writers on the popular venues are not above taking a "generous gift" from Intel and Intel's certainly not above spreading around some cash to try to divert some of the well earned heat and poop-storm they're in onto AMD any way they can.

Though any competent techie, sys admin or esp IT pro's deal in facts not FUD's.