It doesn't seem sensationalized to me, but I don't know much about the domain. Other ways to phrase a comment are "This isn't very dangerous in practice" or "This won't work on modern hardware" or "The risk in this article is exaggerated".
Trust me, it's sensationalized to the point of being highly irresponsible reporting. This research first made the rounds early this year, and I analyzed it in depth. Properly explaining all the caveats behind this "attack" requires more space than this entire article.
Among other things, making a successful attack would require sufficient privilege level to bypass all layers of read caches (and probably also all write caches), a target SSD that doesn't use modern 3D NAND, and intimate knowledge of the internals of the SSD controller and firmware, potentially up to the internal state of the LFSR or AES used to scramble data before it is written to the flash.
There's interesting stuff in this research; it highlights aspects of the unreliability of flash memory that I haven't previously seen emphasized so clearly. But since everything about SSD design already assumes that the flash memory is thoroughly unreliable and untrustworthy, these corner cases don't rise to the level of a real-world vulnerability.
> They claim to be able to extract the key using hdparm.
No, they claim only to be able to use hdparm to extract the logical block address at which a file is stored. Whether that gives you any useful information is entirely dependent on the internals of the SSD.
I think the meme of "never say anything harsh lest you make someone sad" is counterproductive. It's very important to productive discourse that people are able to express the entire range of intensity with which they may feel an opinion. In particular, if something is stupid you should be able to say so.
You can be as harsh as you need without being a dick. Just address the content and what's wrong with it, not how stupid you think the author is. On the very rare occasion that it's useful to talk about someone's intelligence, you should say more than "you're an idiot".
I don't want to get into an argument about definitions or semantics. Those phrases are different, but they come across similarly to me and many others, at least in this context. That's really all that matters in a casual discussion like this.
I understand not everyone will have the same reaction. I don't pretend to speak for everyone, but I suspect I speak for the majority.
You're right. If the author lied, say that. Don't just say "idiocy".
Also, those sentences aren't contradictory. "Note that this result does not depend on whether you are using an SSD, a disk, or any other storage for your filesystem." Meaning the attack might apply to someone using an SSD, but the SSD has nothing to do with the vulnerability. It is useful to precisely define a model case in the paper so your results can be easily reproduced, even if some details are not required to demonstrate the vulnerability.
Why is intensity at all relevant? Are ad-hominem attacks fair play? The original poster called this 'idiocy' - is that an engineering term? This isn't about trying not to "make someone sad" - the OP has gone much further than "making someone sad".
Because "I disagree with this" is semantically different from "this is stupid". They communicate different ideas. You can disagree with something without thinking it's stupid. A reader can and probably should react differently to a post being intelligent, but wrong, versus being just plain idiotic.
The post in question also didn't call the author an idiot, just said that the paper was idiocy. That's not ad hominem at all.