Linus Torvalds attacks AMD security report - claims security researchers 'look like clowns'

Linus Torvalds: AMD CPU security report is "garbage" and the security industry a "circus"

No-nonsense Linux creator Linus Torvalds has launched a scathing attack on this week's report from security start-up CTS Labs claiming a series of security vulnerabilities in AMD Ryzen and Epyc CPUs.

Torvalds has accused the firm of using the issues as a marketing ploy, rather than serious research. "I refuse to link to that garbage. But, yes, it looks more like stock manipulation than a security advisory to me.

It looks more like stock manipulation than a security advisory to me

"When was the last time you saw a security advisory that was basically if you replace the BIOS or the CPU microcode with an evil version, you might have a security problem?"

CTS Labs was widely criticised because it only made AMD aware of the security vulnerability a day before the advisory was set to go live - compared to the standard courtesy of providing 30-, 60- or 90 days notice for the vendor to test the hypotheses and provide fixes.

The under-fire security start-up responded by suggesting that AMD would not have been able to fix the vulnerabilities even if it knew a year in advance.

Security people need to understand that they look like clowns because of it. The whole security industry needs to just admit that they have a lot of shit going on

But despite the drama surrounding the announcement, other researchers given privileged access to the technical details have confirmed the bugs. Dan Guido, CEO of Trail of Bits, wrote on Twitter that "the bugs are real".

Ilia Luk-Zilberman, chief technology officer of CTS Labs, has since published an open letter defending the report.

He said: "This model has a huge problem: how can you convince the public you are telling the truth without the technical details? And we have been paying that price of disbelief in the past 24 hours.

https://twitter.com/dguido/status/973628933034991616?ref\\_src=twsrc%5Etfw

"The solution we came up with is a third-party validation, like the one we did with Dan from Trail of Bits. In retrospect, we would have done this with five third-party validators to remove any doubts. A lesson for next time".

Torvalds continued his criticism, though. He does not necessarily believe that CTS Labs is lying, but takes the view that security firms often exaggerate and mishandle these situations.

He admitted that there are "real security researchers" who understand the industry's problems, while others "lament the security circus".

He added: "Security people need to understand that they look like clowns because of it. The whole security industry needs to just admit that they have a lot of shit going on, and they should use - and encourage - some critical thinking."