de Raat needs to bring it
There's only one thing for it - for de Raat to produce a proof of concept.
Only then, will Intel take de Raat seriously. Let's wait and see....
A prominent software developer with a reputation for making waves in coding circles is doing it again - this time warning that Intel's celebrated Core 2 Duo is vulnerable to security attacks that target known bugs in the processor. Discussion forums on Slashdot and elsewhere were ablaze with comments responding to the claims …
"In 2003 his public criticism of the US-led occupation in Iraq cost OpenBSD a $2m grant from the US Defense Advanced Research Project (DARPA)."
Regardles of one's personal opinion of the war, this says a lot about how far the US has come in respecting the concept of freedom of opinion and speech!
Not to mention tarring-with-the-same-brush (known -- and prohibited -- in more legally consistent regions as guilt-by-association) of the other project members who may or may not have agreed with one outspoken part of their group and are probably mostly guilty of the most un-USian* act of respecting his rights to have and voice a personal opinion.
*I refuse to lump Canada and Central and South America in with this lot! ;-)
I see you wrote a story about the content
of the comment about the errata ala Theo.
He's right it's bunk but he missed some
other points like for example to use 8G
of memory you have to endure half the
bus speed and Linux for example can't
map more than 4G in 32bit mode yet
these are selling points it's ability to
address 8G of memory or use 800MHz
DDR2 ram only 4G of that at 1066. The
errata includes the fact that the no execute
bit can only work on one core. Having
looked at a few benchmarks there is no
reason at all to buy the quad core it's simply
too memory starved to do any good. I wondered
at how Intel whipped out all this new silicon
so quickly easy they didn't test it first.
I agree with Scott on this if Theo shows a proof of concept or 2 it'll pretty much p*** on Intel's parade and then they might go and fix the issue... if he (or someone else) doesn't prove the point then it certainly suggests a bit of stirring up some FUD. i don't really know what outcome to root for though :-s
Well now that's a surprise ! I really don't understand why Intel would so fiercely protect the first CPU it has that trumps AMD after five years of Athlon dominance. I have no idea why Intel would take arms against such comments for a CPU that is being sold by the truckload.
That said, I agree with the first post. If we start seeing an exploit, then any objections will be rendered groundless and something will have to be done. I have a Core Duo myself, and I've never had any issue with it.
Wait and see is my position on just about any vulnerability. If spammers and blackhats don't find an interest in exploiting it, then from my consumer point of view, it is unimportant. If my PC crashes because of it, then it is important and I want something done about it.
Theo de Raadt is involved with products that everybody uses that does anything serious in IT. OpenSSH for example. Also, If I remember correctly, he predicted trouble with wireless devices blobs for wireless devices and guess what happened.
Check his designs and the concepts he routinely uses (privilege separation and all the rest of it). Of all people, he doesn't need to produce a proof of concept to be taken seriously.
http://docs.freebsd.org/cgi/getmsg.cgi?fetch=179928+0+current/freebsd-stable
Theo has a habit of blowing things out of proportion. Every processor has errata, his worry about the MMU was fixed in FreeBSD in April (Fixed 4/21/07 current - 4/25/07 stable), and the microcode update has been available for all our Dell servers from a similar time.
Course, nothing like a bit of rabid tabloid journalism from pumping a non-issue up a notch.
You would think that Intel would have caught this a tad earlier. They're big on DFT and these are the sorts of errors that turn up in simulations. They're also the sorts of errors that should show up on the tester when they get first silicon. Unless they have crap process and don't really use JTAG the way it's supposed to be used.
I'm getting really tired of all the crap people fling around at each other in this industry. Theo is an arrogant prick as far as I'm concerned. Anyone can write about possibilities of things being insecure, its showing proof that matters.
Whining about a CPU being insecure and not providing any actual proof of concept as a programmer is rediculous. This is the type of thing I would have expected to hear from Steve Gibson.
75% of this industry follows a bunch of Media Queens who'd die if they didn't get their 5 minutes of fame. 20% of the Industry just follows anyone who throws them a bone, and there are 5% in the industry that know what they are doing, and rely on people who are actual "Experts."
Just my two cents really, but I think Theo needs to shut up. I'm sick of hearing about Page Colouring from Terry.
Dan Finch
Gods of NOS
I think there's some relevant back history which hasn't been discussed -- mainly that OpenBSD has long been pissed off at American chip companies that won't release documentation or specs for their products. Just look at undeadly.org for a period of time, and you'll see it come up.
OpenBSD wants the specifications for the stuff they're righting code for. non-American companies are much more forthcoming with it.
Intel happens to be the biggest such company.
And of course, as always with Theo, you can look at ulterior motives and read into it what you like, but in the end, he's probably right anyway.
This guy, along with the whole "most famous hackers" toplist, is a media socialite. His OpenBSD operating system is poorly coded, himself citing "page file colouring is broken". How can we trust that Theo at the worst isn't trying to blame Intel because his poor coding acts erratically on their hardware. It's completely plausible!
If so that cements him in the hacker hall of fame for "publicly blaming hardware manufacturer for programming errors". He'll be on Larry King tomorrow night. This guy's boat sailed long ago, sadly for us he wasn't on it.
if he points out real problems, it hardly matters if Theo bites people, is personally unpleasant and eats live puppies for breakfast.
please save the ad hominem attacks and address the topic at hand. i will not be having a drink with Theo any time soon, so i care nothing about his personality. on the other hand, there are many Core 2 Duo products out, so if there are problems, i care that they're publicized, and handled...right now.
if the NX bit only works on one core, and you have more than one core, it's a problem. it's still a problem if Theo cooks and eats your parents.
as far as i'm concerned, he doesn't have to be socially gifted; he does have to be technically competent. that last part has been demonstrated consistently.
i wouldn't want him to date my daughter (i have no kids, good thing), but if he has something to say about security, i will listen and consider it.
Is the article making ad hominem remarks only because the author cannot prove the vulnerability statement incorrect or there are other reasons?
Consider for a split second that Mr. de Raadt have got those 2 million back in 2003. I would be interested to understand how any sum can land in my pocket to cover MY losses if MY server is going to be compromised as result of running ANY operating system other than OpenBSD! If one's answer is "no chance", I can guess it myself with ease.
I personally trust the professional competence of Theo de Raadt, he have proved it enough times. The argument here revolves more around people being pro-Intel and anti-Intel instead of discussing the merrits of de Raadt's conclusions. Hope he will not follow the fate of Cassandra.