AMD chip flaw
-
@irj said in AMD chip flaw:
https://www.cnet.com/news/amd-has-a-spectre-meltdown-like-security-flaw-of-its-own/
And there it goes, but I will still use AMD products.
b -
@zachary715 said in AMD chip flaw:
You keep mentioning third parties here, and I agree about that, but I'm talking about the manufacturers.
The manufacturers are a third party. The flaw exists in systems owned by customers. The flaws at the manufacturer are minor, the flaws at the customer are the concern.
It's like finding out that Ford has cars without the breaks working, and warning Ford and giving them time to fix the breaks before you warn drivers that they might kill their families.
Once the sale is made, the owner with the moral obligation to be warned is the customer and the manufacturer is out of the picture.
-
@zachary715 said in AMD chip flaw:
I have zero skills to fix this issue myself, therefore I'm relying on AMD to solve the problem before others can exploit it.
That's not true. You have the skills to find an alternative vendor, to protect yourself against exposure, to shut off systems, etc.
-
@zachary715 said in AMD chip flaw:
You are correct we do not know the amount of activity going on prior to these types of disclosures, but I feel pretty confident that once these vulnerabilities are disclosed, traffic significantly increases because now EVERYONE knows.
Yes, but once announced, customers can protect themselves.
The question is... how long do we protect the guilty before we inform the innocent? If there is one party with a right to know, it is the innocent consumer. There is an ethical obligation there. Sure, as the researcher, you are beholden to no one and can just sell it to any criminal organization you want. But as the vendor, if they know for one moment and don't tell their customers, they should be held accountable as if they were any other malware vendor caught red handed.
Obscurity is never security.
-
-
This YouTube video points out all the issues with CTS labs and reports.
-
-
All these situations look weird. Have anyone seen the official AMD response?
-
@eonkraft said in AMD chip flaw:
All these situations look weird. Have anyone seen the official AMD response?
Not seen anything yet.
-
@scottalanmiller said in AMD chip flaw:
@eonkraft said in AMD chip flaw:
All these situations look weird. Have anyone seen the official AMD response?
Not seen anything yet.
I wonder if these guys were trying to pick up stock really cheap or something. Although Intel wasnt really affected too much with Meltdown/Spectre
-
@irj said in AMD chip flaw:
@scottalanmiller said in AMD chip flaw:
@eonkraft said in AMD chip flaw:
All these situations look weird. Have anyone seen the official AMD response?
Not seen anything yet.
I wonder if these guys were trying to pick up stock really cheap or something. Although Intel wasnt really affected too much with Meltdown/Spectre
Intel's marketing machine does good damage control. AMD is much more at the whims of the media.
-
-
Torvalds wades into CTS Labs' AMD chip security report
https://www.fudzilla.com/news/45819-torvalds-wades-into-cts-labs-amd-chip-security-report
"looks more like stock manipulation than a security advisory".
"If you replace the BIOS or the CPU microcode with an evil version, you might have a security problem?' Yeah."
"I just found a flaw in all of the hardware space. No device is secure: if you have physical access to a device, you can just pick it up and walk away. Am I a security expert yet?"
"News flash: If an attacker has the root password, your system is already completely hosed. Everything else is just details."
"It's the security industry that has taught everybody to not be critical of their findings."
He also thinks, "there are real security researchers". For many of the rest, it's all about giving even the most minor security bug. In Torvalds' words: "A catchy name and a website is almost required for a splashy security disclosure these days."
"security people need to understand that they look like clowns because of it. The whole security industry needs to just admit that they have a lot of sh*t going on, and they should use -- and encourage -- some critical thinking."
-
-
@emad-r said in AMD chip flaw:
Torvalds wades into CTS Labs' AMD chip security report
https://www.fudzilla.com/news/45819-torvalds-wades-into-cts-labs-amd-chip-security-report
"looks more like stock manipulation than a security advisory".
"If you replace the BIOS or the CPU microcode with an evil version, you might have a security problem?' Yeah."
"I just found a flaw in all of the hardware space. No device is secure: if you have physical access to a device, you can just pick it up and walk away. Am I a security expert yet?"
"News flash: If an attacker has the root password, your system is already completely hosed. Everything else is just details."
"It's the security industry that has taught everybody to not be critical of their findings."
He also thinks, "there are real security researchers". For many of the rest, it's all about giving even the most minor security bug. In Torvalds' words: "A catchy name and a website is almost required for a splashy security disclosure these days."
"security people need to understand that they look like clowns because of it. The whole security industry needs to just admit that they have a lot of sh*t going on, and they should use -- and encourage -- some critical thinking."
This seems to sum it up. This is all way too "weird" to be authentic.
-
-
-
-
Looks like there is more to the story from a financial perspective: https://www.bloomberg.com/news/articles/2018-03-20/amd-confirms-chip-vulnerability-says-report-exaggerated-danger.
-
@kelly said in AMD chip flaw:
Looks like there is more to the story from a financial perspective: https://www.bloomberg.com/news/articles/2018-03-20/amd-confirms-chip-vulnerability-says-report-exaggerated-danger.
I'm not surprised at all.
