AMD chip flaw





  • Thoughts @scottalanmiller ?



  • This is freaking scary: "Researchers find 13 vulnerabilities in AMD’s Ryzen and EPYC chips, which could let attackers install malware on highly guarded portions of the processor."



  • Very glad to see CTS not going by the 90 day "cover up" window so many so-called research firms do. That part is good, for sure.



  • The article makes it sound like only Windows is affected by the big one.



  • Did you read the comments? Something seems weird with all of it.



  • @stacksofplates said in AMD chip flaw:

    Did you read the comments? Something seems weird with all of it.

    Very possible. Too early to tell.



  • the comments are definitely all very fishy.



  • This looks fake.
    Zero technical details on the website or whitepaper.
    The website is new.
    The CFO is a hedge fund manager.





  • @scottalanmiller said in AMD chip flaw:

    Very glad to see CTS not going by the 90 day "cover up" window so many so-called research firms do. That part is good, for sure.

    Not sure why you see it this way. If an exploit or vulnerability is discovered, yet is probably getting little to zero traffic at the time, why disclose it publicly immediately before allowing the vendor/manufacturer to research the issue and patch. Otherwise, you run the risk of a lot more people trying to exploit this in the meantime. And I'm not specifically referring to this issue because I don't know much about the risks involved, I'm just speaking generally here.

    But yes this does all look suspicious. Some short-selling firms involved trying to make a buck it looks like. Paid for by Intel?? 😉



  • @zachary715 said in AMD chip flaw:

    @scottalanmiller said in AMD chip flaw:

    Very glad to see CTS not going by the 90 day "cover up" window so many so-called research firms do. That part is good, for sure.

    Not sure why you see it this way.

    Because I believe that security information should never, ever be kept from the people who are vulnerable. The vendor should not get "special secret information" that their customers are insecure. Sharing that information with anyone that isn't the customers should be illegal.

    Imagine if your house's locks and security system were discovered by researchers to have vulnerabilities that with a special knock would let anyone just waltz into your house undetected, anytime that they wanted to.

    Now imagine that instead of telling you, the home owner, that this was true, they secretly told it to third parties that you may or may not trust, and may or may not know, instead of you? Now someone, who isn't you, and isn't the researcher has been brought in on something that can be used illegally, but secretly, against you.

    Would you be happy to find out that third parties are conspiring about YOUR security?



  • @zachary715 said in AMD chip flaw:

    If an exploit or vulnerability is discovered, yet is probably getting little to zero traffic at the time, why disclose it publicly immediately before allowing the vendor/manufacturer to research the issue and patch.

    That bit is an unknown. We have to assume that if one researcher has found something, others might have, too. We can never make the assumption that it is not already a broadly known and used exploit.

    If a researcher was a true white hat, they'd always be looking to warn the victims, not third parties that have a reputation to defend.

    The current trend of telling vendors, not victims, is about "big business' reputations are more important ideologically than customer's safety."



  • @irj

    the core of there argument is ASmedia controllers, which AMD uses.

    they state they have backdoors, but still no real demos on it, especially since asmedia is being used also on intel, and I reckon BIOS update can deal with them.



  • @scottalanmiller said in AMD chip flaw:

    @zachary715 said in AMD chip flaw:

    @scottalanmiller said in AMD chip flaw:

    Very glad to see CTS not going by the 90 day "cover up" window so many so-called research firms do. That part is good, for sure.

    Not sure why you see it this way.

    Because I believe that security information should never, ever be kept from the people who are vulnerable. The vendor should not get "special secret information" that their customers are insecure. Sharing that information with anyone that isn't the customers should be illegal.

    Imagine if your house's locks and security system were discovered by researchers to have vulnerabilities that with a special knock would let anyone just waltz into your house undetected, anytime that they wanted to.

    Now imagine that instead of telling you, the home owner, that this was true, they secretly told it to third parties that you may or may not trust, and may or may not know, instead of you? Now someone, who isn't you, and isn't the researcher has been brought in on something that can be used illegally, but secretly, against you.

    Would you be happy to find out that third parties are conspiring about YOUR security?

    In this scenario, I wouldn't want them sharing this info with just anyone or third parties, but I wouldn't have a problem with them disclosing it to the manufacturer or those necessary to resolve the issue with time to fix before the public is notified. What good would notifying me do if I'm not equipped to fix it? All this does is make me stress while the "bad guys" learn how to easily bypass this mechanism. What few, maybe no bad guys were aware of beforehand is now made fully aware and can be used against me until fixed.



  • @scottalanmiller said in AMD chip flaw:

    @zachary715 said in AMD chip flaw:

    If an exploit or vulnerability is discovered, yet is probably getting little to zero traffic at the time, why disclose it publicly immediately before allowing the vendor/manufacturer to research the issue and patch.

    That bit is an unknown. We have to assume that if one researcher has found something, others might have, too. We can never make the assumption that it is not already a broadly known and used exploit.

    If a researcher was a true white hat, they'd always be looking to warn the victims, not third parties that have a reputation to defend.

    The current trend of telling vendors, not victims, is about "big business' reputations are more important ideologically than customer's safety."

    You keep mentioning third parties here, and I agree about that, but I'm talking about the manufacturers. If AMD has a chip flaw, I don't believe Facebook should be made aware much, if at all, before me, but I have no problem with AMD and whoever AMD employs to resolve the issue is aware 90-180 days prior to my knowing. I have zero skills to fix this issue myself, therefore I'm relying on AMD to solve the problem before others can exploit it.

    You are correct we do not know the amount of activity going on prior to these types of disclosures, but I feel pretty confident that once these vulnerabilities are disclosed, traffic significantly increases because now EVERYONE knows. Unless there's something significant that I can do as a workaround in the meantime, I just assume keep it private until the issue is resolved or the company is unwilling to resolve the issue in a timely manner and needs public shaming.



  • @irj said in AMD chip flaw:

    https://www.cnet.com/news/amd-has-a-spectre-meltdown-like-security-flaw-of-its-own/

    And there it goes, but I will still use AMD products.

    0_1521050446439_2018-03-14 20_00_34-AMD stock - Google Search.png b



  • @zachary715 said in AMD chip flaw:

    You keep mentioning third parties here, and I agree about that, but I'm talking about the manufacturers.

    The manufacturers are a third party. The flaw exists in systems owned by customers. The flaws at the manufacturer are minor, the flaws at the customer are the concern.

    It's like finding out that Ford has cars without the breaks working, and warning Ford and giving them time to fix the breaks before you warn drivers that they might kill their families.

    Once the sale is made, the owner with the moral obligation to be warned is the customer and the manufacturer is out of the picture.



  • @zachary715 said in AMD chip flaw:

    I have zero skills to fix this issue myself, therefore I'm relying on AMD to solve the problem before others can exploit it.

    That's not true. You have the skills to find an alternative vendor, to protect yourself against exposure, to shut off systems, etc.



  • @zachary715 said in AMD chip flaw:

    You are correct we do not know the amount of activity going on prior to these types of disclosures, but I feel pretty confident that once these vulnerabilities are disclosed, traffic significantly increases because now EVERYONE knows.

    Yes, but once announced, customers can protect themselves.

    The question is... how long do we protect the guilty before we inform the innocent? If there is one party with a right to know, it is the innocent consumer. There is an ethical obligation there. Sure, as the researcher, you are beholden to no one and can just sell it to any criminal organization you want. But as the vendor, if they know for one moment and don't tell their customers, they should be held accountable as if they were any other malware vendor caught red handed.

    Obscurity is never security.





  • This YouTube video points out all the issues with CTS labs and reports.





  • All these situations look weird. Have anyone seen the official AMD response?



  • @eonkraft said in AMD chip flaw:

    All these situations look weird. Have anyone seen the official AMD response?

    Not seen anything yet.



  • @scottalanmiller said in AMD chip flaw:

    @eonkraft said in AMD chip flaw:

    All these situations look weird. Have anyone seen the official AMD response?

    Not seen anything yet.

    I wonder if these guys were trying to pick up stock really cheap or something. Although Intel wasnt really affected too much with Meltdown/Spectre



  • @irj said in AMD chip flaw:

    @scottalanmiller said in AMD chip flaw:

    @eonkraft said in AMD chip flaw:

    All these situations look weird. Have anyone seen the official AMD response?

    Not seen anything yet.

    I wonder if these guys were trying to pick up stock really cheap or something. Although Intel wasnt really affected too much with Meltdown/Spectre

    Intel's marketing machine does good damage control. AMD is much more at the whims of the media.





  • @irj

    Torvalds wades into CTS Labs' AMD chip security report

    https://www.fudzilla.com/news/45819-torvalds-wades-into-cts-labs-amd-chip-security-report

    "looks more like stock manipulation than a security advisory".

    "If you replace the BIOS or the CPU microcode with an evil version, you might have a security problem?' Yeah."

    "I just found a flaw in all of the hardware space. No device is secure: if you have physical access to a device, you can just pick it up and walk away. Am I a security expert yet?"

    "News flash: If an attacker has the root password, your system is already completely hosed. Everything else is just details."

    "It's the security industry that has taught everybody to not be critical of their findings."

    He also thinks, "there are real security researchers". For many of the rest, it's all about giving even the most minor security bug. In Torvalds' words: "A catchy name and a website is almost required for a splashy security disclosure these days."

    "security people need to understand that they look like clowns because of it. The whole security industry needs to just admit that they have a lot of sh*t going on, and they should use -- and encourage -- some critical thinking."




Log in to reply