AMD chip flaw
-
@zachary715 said in AMD chip flaw:
I have zero skills to fix this issue myself, therefore I'm relying on AMD to solve the problem before others can exploit it.
That's not true. You have the skills to find an alternative vendor, to protect yourself against exposure, to shut off systems, etc.
-
@zachary715 said in AMD chip flaw:
You are correct we do not know the amount of activity going on prior to these types of disclosures, but I feel pretty confident that once these vulnerabilities are disclosed, traffic significantly increases because now EVERYONE knows.
Yes, but once announced, customers can protect themselves.
The question is... how long do we protect the guilty before we inform the innocent? If there is one party with a right to know, it is the innocent consumer. There is an ethical obligation there. Sure, as the researcher, you are beholden to no one and can just sell it to any criminal organization you want. But as the vendor, if they know for one moment and don't tell their customers, they should be held accountable as if they were any other malware vendor caught red handed.
Obscurity is never security.
-
-
This YouTube video points out all the issues with CTS labs and reports.
-
-
All these situations look weird. Have anyone seen the official AMD response?
-
@eonkraft said in AMD chip flaw:
All these situations look weird. Have anyone seen the official AMD response?
Not seen anything yet.
-
@scottalanmiller said in AMD chip flaw:
@eonkraft said in AMD chip flaw:
All these situations look weird. Have anyone seen the official AMD response?
Not seen anything yet.
I wonder if these guys were trying to pick up stock really cheap or something. Although Intel wasnt really affected too much with Meltdown/Spectre
-
@irj said in AMD chip flaw:
@scottalanmiller said in AMD chip flaw:
@eonkraft said in AMD chip flaw:
All these situations look weird. Have anyone seen the official AMD response?
Not seen anything yet.
I wonder if these guys were trying to pick up stock really cheap or something. Although Intel wasnt really affected too much with Meltdown/Spectre
Intel's marketing machine does good damage control. AMD is much more at the whims of the media.
-
-
Torvalds wades into CTS Labs' AMD chip security report
https://www.fudzilla.com/news/45819-torvalds-wades-into-cts-labs-amd-chip-security-report
"looks more like stock manipulation than a security advisory".
"If you replace the BIOS or the CPU microcode with an evil version, you might have a security problem?' Yeah."
"I just found a flaw in all of the hardware space. No device is secure: if you have physical access to a device, you can just pick it up and walk away. Am I a security expert yet?"
"News flash: If an attacker has the root password, your system is already completely hosed. Everything else is just details."
"It's the security industry that has taught everybody to not be critical of their findings."
He also thinks, "there are real security researchers". For many of the rest, it's all about giving even the most minor security bug. In Torvalds' words: "A catchy name and a website is almost required for a splashy security disclosure these days."
"security people need to understand that they look like clowns because of it. The whole security industry needs to just admit that they have a lot of sh*t going on, and they should use -- and encourage -- some critical thinking."
-
-
@emad-r said in AMD chip flaw:
Torvalds wades into CTS Labs' AMD chip security report
https://www.fudzilla.com/news/45819-torvalds-wades-into-cts-labs-amd-chip-security-report
"looks more like stock manipulation than a security advisory".
"If you replace the BIOS or the CPU microcode with an evil version, you might have a security problem?' Yeah."
"I just found a flaw in all of the hardware space. No device is secure: if you have physical access to a device, you can just pick it up and walk away. Am I a security expert yet?"
"News flash: If an attacker has the root password, your system is already completely hosed. Everything else is just details."
"It's the security industry that has taught everybody to not be critical of their findings."
He also thinks, "there are real security researchers". For many of the rest, it's all about giving even the most minor security bug. In Torvalds' words: "A catchy name and a website is almost required for a splashy security disclosure these days."
"security people need to understand that they look like clowns because of it. The whole security industry needs to just admit that they have a lot of sh*t going on, and they should use -- and encourage -- some critical thinking."
This seems to sum it up. This is all way too "weird" to be authentic.
-
-
-
-
Looks like there is more to the story from a financial perspective: https://www.bloomberg.com/news/articles/2018-03-20/amd-confirms-chip-vulnerability-says-report-exaggerated-danger.
-
@kelly said in AMD chip flaw:
Looks like there is more to the story from a financial perspective: https://www.bloomberg.com/news/articles/2018-03-20/amd-confirms-chip-vulnerability-says-report-exaggerated-danger.
I'm not surprised at all.
-
Here is the CTSLabs "Proof of Concept" video: https://www.youtube.com/watch?v=RrhVhFHTe9o. I think they're trying to demonstrate that they can flash the UEFI with a BIOS whose hash doesn't match a valid one. I'm not entirely sure. They lost a ton of credibility when they stated that a typical way for an attacker to hack a server is using the BUILTIN\Administrator account and then copy over the BIOS file to the C$.
