
This is probably where we diverge. From where I stand, "end users" are incapable of making a meaningful decision about security at this level. It would be awesome if they weren't, and god knows I have spent a decent amount of time in my life trying to bootstrap people into such a position, but it doesn't...like...work. There is a computing priesthood, as much as we have tried to democratize this stuff, and it's all goddamn nonsense to those outside of it. The set of people I know who do not actively work in tech and can make meaningful decisions about the technology they work with is...my girlfriend, probably. Can't really think of anyone else who isn't reliant on "do this" the advice of others, whether it's correct or not.

Continued education to help end users get to the point where they can make meaningful and educated decisions is great, and should be pursued, and I do it where I can (though most of the time there's just a shrug and a "whatever"). But, barring that, somebody's gotta make choices on their behalf, and there's a Jerry Garcia quote for this one, you know? With great power comes great responsibility, and we gave ourselves that power. And, outside of a security context, this is why I unflinchingly come down on people who work for shit companies that hurt people, why I'd never hire someone who worked for, say, a toolbar vendor in the 90's/00's and why I have fired clients before when I discovered they were doing shitty things with data gleaned from people who trust them: because we have ethical responsibilities to the people downstream of us who are ill-equipped to make meaningful, educated decisions. I can't compel anyone to do as I do--but I can say that one should, because it's decent.

I can't agree that the power switch is a reasonable mitigation in 2018. In the nineties, sure, but too much of life revolves around this garbage we invented and keep mostly creaking along. (Should it? Probably not. Does it? Yeah.) We are on a ratchet, we can't go back, and kicking the decision down to people who literally-literally lack the tools to make a wise decision while painting a target on them for bad actors who can take advantage of them is profoundly disturbing to me.

This particular vulnerability is a post-compromise privilege escalation flaw, yes. But it strikes me that the conversation must be bigger than that, because the same arguments are used for both. This? Low stakes. Heartbleed? Incalculably high stakes. But the same argument could/would (if it were found by shitheads rather than people with a certain amount of decency to them) be used for the latter instead of the former, and that's what makes me itch.

(And to be clear, irrespective of this conversation, you know I am a big fan.)



So the 11 billion dollar vendor who shipped vulnerabilities in the first place gets to treat these problems as an externality, but 4 dudes in a basement who did a basic research project have to be restrained from speaking?

I don't see how you get there from here.


I don't get how you get to me thinking the vendor gets to treat these problems as an externality? I am all in favor of slagging vendors who release buggy shit. For hardware (and some software) manufacturers I'd be in favor of significant legal remedies available to people who purchase hardware later found to contain security vulnerabilities.

But I think that should be done after mitigations are in place to protect end users, or if the vendor is not taking good-faith steps to mitigate the problem.

And I am not saying one should be "restrained from speaking" at all. I am saying that choosing to do so makes one an asshole, and that decent people should strive to not be assholes.


I don't understand the chronology you're working from. The timeline here shouldn't start from "when the independent researchers find something in their basement". It should, rather, start from "when the first MRD for the product is sent from the PM to the development team". That's when the clock starts ticking on mitigation. AMD had years.


An eye for an eye works only until everyone is blind.

You seem to have several deeply misguided premises.

1. We don't know ARM knowingly shipped these chips although they were vulnerable. Bugs happen.

2. Even if this was the case, an individual can, and ought to, show decency and empathy towards others.

3. This last comment of yours is a straw man and I doubt you are incapable of seeing this. Your parent's argument was much more nuanced and elaborate than your rebuttal.


I don't think you understand the dynamics here. I don't think anyone knowingly shipped vulnerabilities. That's an impossibly low bar: all you have to do to "not know" is to not spend any money on security verification. The complaint here is that AMD was outdone on verification by 4 dudes in a basement.


I think saying that they were outdone by 4 dudes in a basement is being intellectually dishonest. There are a lot of dudes in a lot of basements looking for vulnerabilities all the time. Those four happened to find it, but there were hundreds of others looking. There’s no amount of money that AMD can spend that would make them not outgunned eventually by all the hackers and intelligence services and security researchers looking to break it.


Why do you assume that there were hundreds of other people looking for these vulnerabilities? Chances are, when we learn the technical details, we're going to find out that they're bog-standard memory corruption flaws in driver code, and that the thing that prevented anyone from discovering them was that nobody looked for them.


You honestly think nobody was looking for security vulnerabilities?


In drivers for an AMD security feature almost nobody uses? Yes.


Have you ever worked with a code base before? Even when you scrutinize for bugs, they still can go unspotted. Sometimes hundreds of people can look at the same code and not see anything wrong with it. Software has the benefit of having higher levels of abstraction. I haven't designed any hardware but as far as I'm aware it's not easy to abstract it. That will make it much harder to find things. While 4 guys in a basement may have found this vulnerability, it doesn't mean they will find every vulnerability or that anyone else would have this as they had. Throwing money at verification will not make it foolproof.


I've been a professional software developer since 1995.




