03-12-2020, 03:37 AM
https://www.extremetech.com/computing/30...ridiculous
Quote:What they don’t say upfront is that LVI is a theoretical attack. There’s a distinct difference in tone between the messaging in the Bitdefender PDF and the messaging on the Bitdefender blog. The blog states:
...
The “Real-life exploit” section of the Bitdefender whitepaper is rather different. “Creating a real-life exploit,” it says, “poses some significant challenges.” Those challenges are:
...
The Bitdefender whitepaper contains none of the inflammatory language in the company’s blog or used on the LVI disclosure website. It states that the attack only currently exists as a synthetic proof of concept and discusses multiple problems related to actually taking advantage of the flaw. In other words, the papers contain the actual data telling you that this isn’t a current threat, while the public-facing blog posts are amped to deliver maximum scare-city.
...
All such significant issues need to be fixed, and I’m 100 percent in favor of holding vendors accountable. But a recent story on LVI by ZDNet exemplifies how the marketing arm of the security industry and the actual research arm don’t seem to have much to do with each other these days.
...
The PR-friendly tendency to maximize fear around security disclosures must stop, not because companies deserve to have their flaws overlooked, but because using maximalist language in these types of disclosures makes it impossible for anyone to estimate the actual degree of risk. Statements like “This type of attack is much harder to pull off in practice,” need to be made in both the body of the formal report and on the websites where these disclosures are made. We’re starting to hear about ‘theoretical’ risks to both Intel and AMD and threats that could emerge someday, but, you know, don’t actually exist right now. There’s nothing wrong with planning ahead, but given the long development cycles that CPUs See Amazon ET commerce go through, there’s no practical way for Intel to build a 2020 CPU to handle every possible security flaw that might be found in software, hardware, or both by 2025. The nature of security flaws is that after you patch one, people go out and find another.
I’m increasingly convinced that Intel isn’t being treated fairly by these reports, and it’s not just Intel. Earlier this week we covered another instance where the PR verbiage around an AMD flaw didn’t match what the actual security researchers said in public. I don’t want to impugn the good work that security researchers do, especially since I don’t know if the people writing the public-facing website copy are the same people actually performing the work, but the disconnect between PR blasts and whitepaper reports is becoming untenable.
You don’t see many journalists write stories downplaying security issues for a simple reason: Nobody wants to be the guy who swore that a security problem wasn’t an issue right before it explodes into a major problem. Frankly, I don’t either. At the same time, the way these reports are being sold to the public is making it actively harder to do my job. If Intel has an obvious interest in downplaying any security report and the company who found the flaw is doing everything it can to paint that flaw in the most apocalyptic language possible, it’s much harder for us journalists to know what to tell people.
I’m not going to say that LVI isn’t an issue or that Intel shouldn’t fix it. Intel has, in fact, already released some software updates intended to correct the problem. With that said, Meltdown and Spectre have now existed for over two years and no malware has yet been found to use them. What I will say is that when the head of a company’s threat-analysis division doesn’t believe an issue is worth patching, it also may not deserve to be front-page news declaring that yet another flaw has been found in Intel chips. There’s giving readers good information about pressing threats and there’s being used by PR teams to pump up a company in the news under the guise of security reporting. I’m always interested in the former and completely disinterested in the latter.

