
But not vulnerable. This is like saying a local root exploit is the Worst Vulnerability Ever in a system that was correctly firewalled from its earliest implementations.

"Worst" implies harm, not just potential. It doesn't get to be The Worst until something happens, no matter how much it offends your personal design sensibilities or confirms your conspiracy priors.




Sorry, but "running but not vulnerable" is not nearly good enough nowadays. This means that a real exploit (e.g., via yet another insert-your-favorite-spooky-agency tool leak) can be quickly scaled to a large fraction of computers worldwide.

If you are saying that when assessing the vulnerabilities, potential harm is not important, only actual is, would you feel that putting remotely activated bombs on all planes is not a major vulnerability as long as no one has a password?


You're talking past me. It's an important flaw. It should be fixed where possible. It should be mitigated where not possible.

It's not remotely The Worst Vulnerability Ever and any attempt to hyperbolize in that direction is hurting the efforts of the people actually trying to protect you.


I think you're right it's not remotely The Worst Vulnerability Ever. Personally I'm a bit worried that we're just one exploit away from it being that in the future though. :/

I usually like to include a metaphor to explain the equivalence as I see it, but I'm struggling to come up with any other thing where we've built in a problem like this that's waiting for a single event that could affect nearly everyone. The closest I can come up with is Snow Crash, and having to reach that far into science fiction leads me to think we likely have a poor grasp on how to assess this risk (since we as a species are fairly bad at assessing and mitigating risk for events we haven't encountered before). Hopefully it's just an extreme failure of imagination on my part.


The backdoor code that a user, who bought the hardware, cannot shut down is a major flaw. It is, IMO, far from The Worst Vulnerability Ever, but it is a flaw that the manufacturer is not inclined to address; in fact, it is seeing this as a feature.

Thus advocacy, including overstating its impact, is likely the only option for those who want it changed.

> any attempt to hyperbolize in that direction is hurting the efforts of the people actually trying to protect you

Can you clarify this -- who are those trying to protect us and why do they want this mis-feature to stay? Are you talking about spooks who use this as a backdoor in their own cyber attacks? If so, this IMO only adds urgency to the need to close this backdoor -- such tools often leak and backfire.


> Sorry, but "running but not vulnerable" is not nearly good enough nowadays.

What does that mean practically? What you said applies to every networked device and tech. All routers, all computers, all OSs, all VoIP phones, etc, etc are 'one vulnerability away' from total compromise.


Normally you only run things if you think they are useful, and you are cognizant of the risk.

It's very hard to avoid running ME even if you believe it's actively harmful.


That is a good point. I suppose you could mitigate that if you were building new systems and used AMD products.


AMD has its own equivalent of ME also.


How do you know that AMD does not run its own version of ME?

The only viable solution I see is open hardware.


Mitigation does not necessarily mean to entirely protect. Having less of a homogeneous ecosystem mitigates the risk of any one vulnerability, as it's unlikely to affect as many systems. It's not a solution, but it may help.


What does viable mean? Where can I go out and purchase it? Yes, hypothetically, anything is possible.


viable == introspectable


1. You have no idea if it's vulnerable or not. For starters, you don't have the source code and nobody you trust has seen it. You would have to take Intel's word that "disabling" it actually works, and hope that there is no other vulnerability Intel doesn't know about.

2. It doesn't have to be "vulnerable" to be used in an attack; it's essentially designed to be an attack. So any government agency or leaked Intel info may be sufficient to abuse.

3. You can't reliably check/audit if it is being exploited or not since it runs at a higher privilege than any diagnostics you might try to run on your own computer.

Disclaimer: I am not an expert in computer security.



