CTS Labs (Chipset Issues)

I think this is a good place to post but I had some queries about how the linux kernel or even the BSD kernel can be secure when issues like this:

Which affects pretty much most motherboards made for the past while. This seems to undermine everything done to make OS’s secure and it makes a big mockery of the idea that we as consumers can have a secure system in the first place…

Its very frustrating to see this happening from what I understand is that a huge amount of the flaws have been independently verified.

Is there any solutions to this other than forcing the Open Source community making their own secure processor and mobo.

1 Like

i really think it is completely made up to destroy a company, as many other people think (someone said linus torvalds?)

talk is cheap, let’s wait for the real code, as it usually happens when real security companies find real bugs

1 Like

I have heard that too however given the Meltdown flaws which people laughed at when a 1986 design review hypothesised that they would become a problem in the future and it turned out true. If it is a hatchet job then fair enough but my concern is with multiple hacking conference speakers talking about firmware vulnerabilities and mathematical backdoors in encryption technologies currently available this type of issue tends to make sense.

“Except that’s not what actually happened. Few reputable publications have questioned the existence of the flaws themselves, particularly when Dan Guido of TrailofBits declared that he’d validated and confirmed that all 13 exist.”

I think they are only the scratching the surface. These issues make sense from a logical point of view. Especially when it comes to competition between markets that cost cutting would cause testing to suffer.

Also an issue that Linus never seems to understand that bugs that require admin access are perfect for long term infiltration and are extremely useful for attacking enterprise servers as well as banks and such forth. Being able to use them allows to bypass significant counter measures to prevent intrusions. Having admin access is only part of the ball game having as many bugs as possible at every level helps.

Anyways I could be wrong.



you don’t have unprivileged RCE permissions on bank servers. desktop computers with web browsers are the true victims of this kind of vulnerability since javascript executes remote code into your local computer.

maybe such vulnerabilities may be used on infected machines to do privilege escalation or lateral movement on other nodes.

what i am really afraid of is all the shit happening with EFI backdoors and firmware-level malware that we can’t just detect or stop