AMD chip flaw
-
@scottalanmiller said in AMD chip flaw:
@zachary715 said in AMD chip flaw:
If an exploit or vulnerability is discovered, yet is probably getting little to zero traffic at the time, why disclose it publicly immediately before allowing the vendor/manufacturer to research the issue and patch.
That bit is an unknown. We have to assume that if one researcher has found something, others might have, too. We can never make the assumption that it is not already a broadly known and used exploit.
If a researcher was a true white hat, they'd always be looking to warn the victims, not third parties that have a reputation to defend.
The current trend of telling vendors, not victims, is about "big business' reputations are more important ideologically than customer's safety."
You keep mentioning third parties here, and I agree about that, but I'm talking about the manufacturers. If AMD has a chip flaw, I don't believe Facebook should be made aware much, if at all, before me, but I have no problem with AMD and whoever AMD employs to resolve the issue is aware 90-180 days prior to my knowing. I have zero skills to fix this issue myself, therefore I'm relying on AMD to solve the problem before others can exploit it.
You are correct we do not know the amount of activity going on prior to these types of disclosures, but I feel pretty confident that once these vulnerabilities are disclosed, traffic significantly increases because now EVERYONE knows. Unless there's something significant that I can do as a workaround in the meantime, I just assume keep it private until the issue is resolved or the company is unwilling to resolve the issue in a timely manner and needs public shaming.
-
@irj said in AMD chip flaw:
https://www.cnet.com/news/amd-has-a-spectre-meltdown-like-security-flaw-of-its-own/
And there it goes, but I will still use AMD products.
b -
@zachary715 said in AMD chip flaw:
You keep mentioning third parties here, and I agree about that, but I'm talking about the manufacturers.
The manufacturers are a third party. The flaw exists in systems owned by customers. The flaws at the manufacturer are minor, the flaws at the customer are the concern.
It's like finding out that Ford has cars without the breaks working, and warning Ford and giving them time to fix the breaks before you warn drivers that they might kill their families.
Once the sale is made, the owner with the moral obligation to be warned is the customer and the manufacturer is out of the picture.
-
@zachary715 said in AMD chip flaw:
I have zero skills to fix this issue myself, therefore I'm relying on AMD to solve the problem before others can exploit it.
That's not true. You have the skills to find an alternative vendor, to protect yourself against exposure, to shut off systems, etc.
-
@zachary715 said in AMD chip flaw:
You are correct we do not know the amount of activity going on prior to these types of disclosures, but I feel pretty confident that once these vulnerabilities are disclosed, traffic significantly increases because now EVERYONE knows.
Yes, but once announced, customers can protect themselves.
The question is... how long do we protect the guilty before we inform the innocent? If there is one party with a right to know, it is the innocent consumer. There is an ethical obligation there. Sure, as the researcher, you are beholden to no one and can just sell it to any criminal organization you want. But as the vendor, if they know for one moment and don't tell their customers, they should be held accountable as if they were any other malware vendor caught red handed.
Obscurity is never security.
-
-
This YouTube video points out all the issues with CTS labs and reports.
-
-
All these situations look weird. Have anyone seen the official AMD response?
-
@eonkraft said in AMD chip flaw:
All these situations look weird. Have anyone seen the official AMD response?
Not seen anything yet.
-
@scottalanmiller said in AMD chip flaw:
@eonkraft said in AMD chip flaw:
All these situations look weird. Have anyone seen the official AMD response?
Not seen anything yet.
I wonder if these guys were trying to pick up stock really cheap or something. Although Intel wasnt really affected too much with Meltdown/Spectre
-
@irj said in AMD chip flaw:
@scottalanmiller said in AMD chip flaw:
@eonkraft said in AMD chip flaw:
All these situations look weird. Have anyone seen the official AMD response?
Not seen anything yet.
I wonder if these guys were trying to pick up stock really cheap or something. Although Intel wasnt really affected too much with Meltdown/Spectre
Intel's marketing machine does good damage control. AMD is much more at the whims of the media.
-
-
Torvalds wades into CTS Labs' AMD chip security report
https://www.fudzilla.com/news/45819-torvalds-wades-into-cts-labs-amd-chip-security-report
"looks more like stock manipulation than a security advisory".
"If you replace the BIOS or the CPU microcode with an evil version, you might have a security problem?' Yeah."
"I just found a flaw in all of the hardware space. No device is secure: if you have physical access to a device, you can just pick it up and walk away. Am I a security expert yet?"
"News flash: If an attacker has the root password, your system is already completely hosed. Everything else is just details."
"It's the security industry that has taught everybody to not be critical of their findings."
He also thinks, "there are real security researchers". For many of the rest, it's all about giving even the most minor security bug. In Torvalds' words: "A catchy name and a website is almost required for a splashy security disclosure these days."
"security people need to understand that they look like clowns because of it. The whole security industry needs to just admit that they have a lot of sh*t going on, and they should use -- and encourage -- some critical thinking."
-
-
@emad-r said in AMD chip flaw:
Torvalds wades into CTS Labs' AMD chip security report
https://www.fudzilla.com/news/45819-torvalds-wades-into-cts-labs-amd-chip-security-report
"looks more like stock manipulation than a security advisory".
"If you replace the BIOS or the CPU microcode with an evil version, you might have a security problem?' Yeah."
"I just found a flaw in all of the hardware space. No device is secure: if you have physical access to a device, you can just pick it up and walk away. Am I a security expert yet?"
"News flash: If an attacker has the root password, your system is already completely hosed. Everything else is just details."
"It's the security industry that has taught everybody to not be critical of their findings."
He also thinks, "there are real security researchers". For many of the rest, it's all about giving even the most minor security bug. In Torvalds' words: "A catchy name and a website is almost required for a splashy security disclosure these days."
"security people need to understand that they look like clowns because of it. The whole security industry needs to just admit that they have a lot of sh*t going on, and they should use -- and encourage -- some critical thinking."
This seems to sum it up. This is all way too "weird" to be authentic.
-
-
-
-
Looks like there is more to the story from a financial perspective: https://www.bloomberg.com/news/articles/2018-03-20/amd-confirms-chip-vulnerability-says-report-exaggerated-danger.
