AMD chip flaw
-
-
Torvalds wades into CTS Labs' AMD chip security report
https://www.fudzilla.com/news/45819-torvalds-wades-into-cts-labs-amd-chip-security-report
"looks more like stock manipulation than a security advisory".
"If you replace the BIOS or the CPU microcode with an evil version, you might have a security problem?' Yeah."
"I just found a flaw in all of the hardware space. No device is secure: if you have physical access to a device, you can just pick it up and walk away. Am I a security expert yet?"
"News flash: If an attacker has the root password, your system is already completely hosed. Everything else is just details."
"It's the security industry that has taught everybody to not be critical of their findings."
He also thinks, "there are real security researchers". For many of the rest, it's all about giving even the most minor security bug. In Torvalds' words: "A catchy name and a website is almost required for a splashy security disclosure these days."
"security people need to understand that they look like clowns because of it. The whole security industry needs to just admit that they have a lot of sh*t going on, and they should use -- and encourage -- some critical thinking."
-
-
@emad-r said in AMD chip flaw:
Torvalds wades into CTS Labs' AMD chip security report
https://www.fudzilla.com/news/45819-torvalds-wades-into-cts-labs-amd-chip-security-report
"looks more like stock manipulation than a security advisory".
"If you replace the BIOS or the CPU microcode with an evil version, you might have a security problem?' Yeah."
"I just found a flaw in all of the hardware space. No device is secure: if you have physical access to a device, you can just pick it up and walk away. Am I a security expert yet?"
"News flash: If an attacker has the root password, your system is already completely hosed. Everything else is just details."
"It's the security industry that has taught everybody to not be critical of their findings."
He also thinks, "there are real security researchers". For many of the rest, it's all about giving even the most minor security bug. In Torvalds' words: "A catchy name and a website is almost required for a splashy security disclosure these days."
"security people need to understand that they look like clowns because of it. The whole security industry needs to just admit that they have a lot of sh*t going on, and they should use -- and encourage -- some critical thinking."
This seems to sum it up. This is all way too "weird" to be authentic.
-
-
-
-
Looks like there is more to the story from a financial perspective: https://www.bloomberg.com/news/articles/2018-03-20/amd-confirms-chip-vulnerability-says-report-exaggerated-danger.
-
@kelly said in AMD chip flaw:
Looks like there is more to the story from a financial perspective: https://www.bloomberg.com/news/articles/2018-03-20/amd-confirms-chip-vulnerability-says-report-exaggerated-danger.
I'm not surprised at all.
-
Here is the CTSLabs "Proof of Concept" video: https://www.youtube.com/watch?v=RrhVhFHTe9o. I think they're trying to demonstrate that they can flash the UEFI with a BIOS whose hash doesn't match a valid one. I'm not entirely sure. They lost a ton of credibility when they stated that a typical way for an attacker to hack a server is using the BUILTIN\Administrator account and then copy over the BIOS file to the C$.
