Re: Torvalds Slams Theoretical Security

On 10/23/24 8:36 AM, Phillip Frabott wrote:

On 10/23/2024 03:07, 186282@ud0s4.net wrote:

On 10/21/24 3:07 PM, Lester Thorpe wrote:

Distro maintainers, and their lackey consumers, who bloat their GNU/Linux
distros with performance degrading security "features" should take note
of the latest exclamations of Linus Torvalds:
>
"Honestly, I'm pretty damn fed up with buggy hardware and completely theoretical
attacks that have never actually shown themselves to be used in practice."
>
https://linux.slashdot.org/story/24/10/21/1533228/linus-torvalds- growing-frustrated-by-buggy-hardware-theoretical-cpu-attacks
>
Tell 'em, Linus!  Those paranoid freaks are ruining desktop computing!

>
   Linus is "kind-of right", but "kind-of not".
>
   The problem is State-funded actors these days
   and the MASSIVE computing power they can bring
   to bear. At least SOME of those "theoretical"
   attack vectors CAN become real attack vectors.
>
   But WHICH ???
>
   Yes, you can go totally overboard on "security",
   and, mostly, it won't do much good. Paranoia can
   push this to extremes where you can barely use
   the system/apps (think Vista) - and I think that's
   what Linus is concerned with.
>
   However there ARE 'sensible' security measures
   that go beyond mere Linux passwords and a few
   port blocks.
>

 I think the point that Linus was making was just that, even if these 'theoretical' attack vectors were actual issues, the CPU manufacturer's need to be the one patching it with a firmware update.

   SOME of it is CPU, SOME is 'system', SOME will be
   peripherial chips/drivers.
   There's no ONE attack vector. Vlad's boyz have the
   resources to put the proverbial battering ram to
   every portal.
   Oh, and CPU makers will ALWAYS be behind the curve.
   This is the ever-repeating paradigm for attacks and
   I don't think it can be fixed.

Hardware related attacks need to be fixed by the hardware MFG and Linux should only fix software related attack vectors. I think that was the point Linus was making here. The kernel should not be the go-to agency for fixing hardware-specific security issues, nor should it be the kernel's job anyways. It's like, Boeing having a problem with an engine from another manufacturer. Who fixes the engine? It should be the engine manufacturer not some Boeing software engineer adding something to the throttle control system to 'mitigate' the issue.

   But again the TIME factor gets involved. No maker
   "just knows" all the weaknesses of their chips/system/
   apps. Their response is usually REACTIVE - but by then
   the damage has been done. This is the Real Life bummer.

At least that was how I took it. I don't think Linus was trying to downplay the security aspect of it. I think it's just, it's not a "Linux Problem". Go fix your sh*t Intel/AMD. But that's just my take on the article.

   Linus is super-smart and practical - no question. But
   even he can't guess ALL potential attack vectors, and
   they MAY revolve around tiny flaws created a decade,
   or decades, ago.
   SOME of the ultra-paranoid, oft "committee" derived,
   potential security issues ARE gonna be pure BS. The
   question is WHICH ? External critics always go hawg
   wild to make themselves look good, but they're not
   wrong about *everything*.
   It's a problem.
   Now a SERIOUS problem as the cyber-wars are escalating
   very rapidly.
   SO ... what the hell do we DO ???
   Ah ... C64s with dial-up and System-in-ROM  !
   Should have kept my C64 ... DO have a VIC-20
   stashed somewhere though .... the executors of
   my estate are gonna HATE my vast "weird stuff"
   inventory, but, hey, I won't care  :-)
   He who dies with the most toys ...........
   Hmm - wonder if my Sanyo mostly-pc-compatible
   is worth anything ? Tandy proto-laptop with
   actual Bill Gates code in it ? ZX-81 ? 8051
   chip inventory ? Apple-II ???  :-)