Watch this episode on YouTube.
Reasonably Accurate Transcript
Good morning. How's everyone doing today? Let me just make sure the light is up here. There we go. Perfect. That's better. All right. So, as you can tell, I'm back in my normal habitat. I spent a fantastic week at South by Southwest down in Austin, my first time at the conference.
As you know, if you tuned in the last couple of days, I had an amazing, positive, wonderful experience. A couple of things happened late Tuesday and Wednesday that I want to talk about today, because I think I'm probably going to be making a video about it this afternoon.
So a security research company, who previously really didn't have any reputation on the scene, nobody really knew about them, came out and released a couple of major vulnerabilities for AMD CPUs. Now, I talked about CPU vulnerabilities on my YouTube channel and here on Facebook at the start of the year because we had two big classifications of vulnerabilities called Meltdown and Spectre.
Everyone was worried, and rightfully so; there were significant, significant issues. This one's different, and it's different for a number of reasons, and it actually ties back to something I was talking about the last couple of days, which is messaging towards the audience.
And it's a huge problem, and a pet peeve of mine, that when we talk about cybersecurity we don't normally talk to the audience appropriately, let's say. We tend to do a lot of hype. There's not a lot of perspective around risk.
It tends to be: this is possible, so everyone needs to freak out about it. Now, when it came to Spectre and Meltdown, this affected almost every major CPU out there to some extent, and it was worth getting a bit riled up about.
There were serious issues that needed to be addressed, and there was a process that everybody was working through, and while that disclosed early, while it leaked out to the public early, it was still managed through a relatively reasonable and appropriate process. This week?
Not so much. This previously unheard-of company dropped this white paper with all the technical details stripped. They said they had shared a fully technical paper with some key security folks. I didn't see that one. Not that I'm necessarily a key security folk, but I haven't seen the full technical paper.
I've read what they've released publicly. They only gave AMD 24 hours, which is insufficient time in anyone's definition of a disclosure window to actually fix the problem, let alone a hardware issue. So, problem one: disclosure, massive issue. Problem two: in the paper itself, they say they may have a financial interest in AMD, who was mentioned.
Now, they've since come out and said, no, no, no, we don't. But again, you don't put that in the paper unless you actually do. So there's a question of motivation here. And then they also said, you know, there's no way AMD would have been able to fix this within a reasonable time period, which is why they didn't bother to give them the sort of semi-standard 90-day window.
Again, I'm gonna call bullshit on that. You know, just not appropriate. So the problem is people looked at this and said, you know, is this a real issue or not? And there are flaws in this paper that are detailed out that could be significant.
However, and this ties to a conversation I actually ended up having with somebody at South by Southwest, how do you as a reader, or how does a journalist, ask the right question when there is a legitimate issue here?
And the right question here is: how does that issue have to be exploited? So where we saw Meltdown and Spectre, normal programs were able to execute this to get access to privileged space. So something that's normally executing on your computer, and we all have programs normally executing, was able to exploit this flaw to get access to privileged information.
So that's an escalation of privilege. It's getting access to something you shouldn't have. In this paper, all of the attacks, and all the flaws that are leveraged by these attacks, need significant and ridiculous levels of privilege in order to execute.
And that means the possibility, or the probability, of them happening is much lower, or at least the reaction needs to be much more tempered. So I'll give you an example, one of these attacks. They go under the names of Ryzenfall, Masterkey, Chimera,
and I think Fallout is the last one. So one of them actually needs you to rewrite the BIOS of your computer. Now, that might not mean much to you, but the BIOS is the basic input/output system. It's what lets your computer load up. As an attacker, as a bad guy,
if I have the ability to rewrite the basic instruction set of your computer, the CPU vulnerability is the last thing that I'm going to be taking advantage of. So, again, as a defender, I don't really care about this one, because, you know what, it will get fixed at some point.
In the meantime, I'm going to keep implementing my normal procedures that make sure people can't rewrite the fundamental code of all of my computers. And then all the other attacks already require administrative privileges. And again, it basically comes down to this: if an attacker already has admin privileges, or if they already have the ability to rewrite the core code of your computing device, they've already won.
So, worrying about these particular flaws is really not important. Do they have to be handled? Yes. Should they be mitigated somewhat? It's a question of probability: they are significant in impact, but the probability of them actually being executed is pretty low.
So you don't have to worry about them. So there's a fishy disclosure around a hyped-up issue. Any time I see a name associated with a vulnerability, I really start to worry, because I know people are going for maximum splash, and sometimes that's important.
We saw that with Heartbleed and Shellshock, where there's just a massive, massive installed base of people at very real risk. This, not so much. So as far as Ryzenfall, as far as Chimera, it's not a huge concern, which is why I'm probably gonna be pulling a video together this afternoon and putting that up on YouTube and pushing it out through my normal channels, just like I did for Meltdown and Spectre,
basically letting people know, you know, that they shouldn't be freaking out about this. And that really comes back to the kind of continuing theme that I pulled away from South by, which is that we need to do a better job.
And I'm definitely going to put far more of my efforts this year into speaking to people in their own language and at the right level. It's not that people can't understand the complexities of these issues. It's that why would you bother learning them unless you're specifically into hardware vulnerabilities or in the cybersecurity field? As a user, as a technologist, as a builder, you really don't need to worry about the finer details of this.
You need a high-level view. Do I need to worry about it? Do I not? And this was sort of echoed in my talk itself this year, which was, you know, here's the thing: robots aren't what you think they are. They're built on a foundation in the industrial world, or more in the industrial ecosystem, that isn't really as strong as we think it is.
Here are some issues you should be aware of, and, you know, if you need more, then come back and we'll go deeper. But at a high level, that message needs to get out. And I think that's really what we're missing, and hopefully what I can add in this coming year, is talking to a broader audience at the right level to really make a difference and to make an impact.
So I'm excited about that. Like I said in the last couple of videos, I'm excited about, you know, moving forward here. I think this particular issue, while it ticked me off as a security professional, is a good opportunity to illustrate and sort of be the voice of reason, like, hey, you don't need to freak out about this stuff.
Thankfully, it's not really been picked up huge in the news cycle, but it's still kind of lingering around. So that video's coming either later today or tomorrow. And I hope you guys have a great day. As always, I'm looking to discuss, looking to see what your thought is. You know, is the security community really, are we getting any better at talking about this stuff?
Are we still just freaking out for no reason? Let me know in the comments below, whether you're seeing this on YouTube or Facebook. Always hit me up on social at @marknca. Happy to chat, love to chat. That's really what drives this conversation forward.
I hope you have a fantastic day. We'll talk to you soon.