Linus Torvalds has little patience for anything that is hyped beyond what it actually is. In a Google+ thread, he slammed the Israel-based security company CTS Labs, calling their security advisory “garbage”.
Just a couple of days earlier, CTS researchers had disclosed more than a dozen ‘critical’ vulnerabilities in AMD chips marketed under the brand names Ryzen and Epyc. The company also claimed that a backdoor exists in AMD processors. Their revelation came with a well-decorated website, a whitepaper, and a video.
“I refuse to link to that garbage. But yes, it looks more like stock manipulation than a security advisory to me,” Torvalds said, without naming names or going into specific details.
“When was the last time you saw a security advisory that was basically ‘if you replace the BIOS or the CPU microcode with an evil version, you might have a security problem’? Yeah,” he said in the same thread.
CTS Labs was questioned and criticised for notifying AMD only 24 hours before the public disclosure. The company defended itself by saying that AMD could not have fixed the issues even if it had been given a year.
However, this doesn’t mean that the disclosed bugs are a hoax. Researchers from Trail of Bits, Inc. verified them. Its CEO Dan Guido tweeted that the “bugs are real, accurately described in their technical report (which is not public afaik), and their exploit code works.”
While Torvalds agrees that the bugs exist, what seems to annoy him is the hype built around them, and perhaps also the question of whether they pose any serious real-world threat at all.
Security is important, so people tend not to question it. Amid all the pomp and show and the splashy security warnings, the real problem doesn’t get the attention it needs.
“Security people need to understand that they look like clowns because of it. The whole security industry needs to just admit that they have a lot of shit going on, and they should use – and encourage – some critical thinking.”
Linux’s daddy believes there are “real security researchers” who will admit what is going wrong in the industry. But then there are others who will “lament the security circus,” yet treat their own work as beyond question when it comes into the picture.