
13 Major Vulnerabilities Discovered in AMD Zen Architecture, Including Backdoors

Joined
May 6, 2012
Messages
184 (0.04/day)
Location
Estonia
System Name Steamy
Processor Ryzen 7 2700X
Motherboard Asrock AB350M-Pro4
Cooling Wraith Prism
Memory 2x8GB HX429C15PB3AK2/16
Video Card(s) R9 290X WC
Storage 960Evo 500GB nvme
Case Fractal Design Define Mini C
Power Supply Seasonic SS-660XP2
Software Windows 10 Pro
Benchmark Scores http://hwbot.org/user/kinski/ http://valid.x86.fr/qfxqhj https://goo.gl/uWkw7n
They also said they don't have any affiliation with Viceroy who pushed FUD on this right after amdflaws went public.
edit: general public is not what I said, I said highest bidder for 0-day.

Them possibly making money on this is written on amdflaws disclaimer.

I find it hard to trust someone who lies.
 
Joined
Aug 20, 2007
Messages
20,787 (3.41/day)
System Name Pioneer
Processor Ryzen R9 7950X
Motherboard GIGABYTE Aorus Elite X670 AX
Cooling Noctua NH-D15 + A whole lotta Sunon and Corsair Maglev blower fans...
Memory 64GB (4x 16GB) G.Skill Flare X5 @ DDR5-6000 CL30
Video Card(s) XFX RX 7900 XTX Speedster Merc 310
Storage 2x Crucial P5 Plus 2TB PCIe 4.0 NVMe SSDs
Display(s) 55" LG 55" B9 OLED 4K Display
Case Thermaltake Core X31
Audio Device(s) TOSLINK->Schiit Modi MB->Asgard 2 DAC Amp->AKG Pro K712 Headphones or HDMI->B9 OLED
Power Supply FSP Hydro Ti Pro 850W
Mouse Logitech G305 Lightspeed Wireless
Keyboard WASD Code v3 with Cherry Green keyswitches + PBT DS keycaps
Software Gentoo Linux x64
They also said they don't have any affiliation with Viceroy who pushed FUD on this right after amdflaws went public.
edit: general public is not what I said, I said highest bidder for 0-day.

Them possibly making money on this is written on amdflaws disclaimer.

I find it hard to trust someone who lies.

You can make money and still be "greyhat" or even whitehat. You just can't create a malicious security risk and have to at least have the intent to fix something. There is no hard proof of malicious intent yet, from a security perspective.

I don't know enough about them either way to make any claims, yet.
 
Joined
May 6, 2012
Messages
184 (0.04/day)
Location
Estonia
I don't know them either, but financial gains due to amdflaws is written into the disclaimer on amdflaws.
 
Joined
Dec 31, 2009
Messages
19,366 (3.70/day)
Benchmark Scores Faster than yours... I'd bet on it. :)
I find it hard to trust someone who lies.
Let's strip away the name AMD...aren't they finding these for profit anyway? Someone pays them and they look for exploits for company X. Isn't that a financial gain? I get why people were flagged on the statement, but.... have an open mind. :)

Which could simply be legally covering their ass. It's not proof of a motive or even action.
THIS!!! It's worth sucking up into my post for thanks and reiteration, lol!
 
Joined
Aug 20, 2007
Messages
20,787 (3.41/day)
I don't know them either, but financial gains due to amdflaws is written into the disclaimer on amdflaws.

Which could simply be legally covering their ass. It's not proof of a motive or even action.
 
Joined
May 6, 2012
Messages
184 (0.04/day)
Location
Estonia
Viceroy posting FUD right after amdflaws went public, though, is.
 

bug

Joined
May 22, 2015
Messages
13,229 (4.06/day)
Processor Intel i5-12600k
Motherboard Asus H670 TUF
Cooling Arctic Freezer 34
Memory 2x16GB DDR4 3600 G.Skill Ripjaws V
Video Card(s) EVGA GTX 1060 SC
Storage 500GB Samsung 970 EVO, 500GB Samsung 850 EVO, 1TB Crucial MX300 and 2TB Crucial MX500
Display(s) Dell U3219Q + HP ZR24w
Case Raijintek Thetis
Audio Device(s) Audioquest Dragonfly Red :D
Power Supply Seasonic 620W M12
Mouse Logitech G502 Proteus Core
Keyboard G.Skill KM780R
Software Arch Linux + Win10
Viceroy posting FUD right after amdflaws went public, though, is.
Just cool it. It's not like AMD will give free stuff if you kiss their asses enough.
Plus, you're only attacking the messenger here, so it's not like you're making valid arguments.
 
Joined
May 6, 2012
Messages
184 (0.04/day)
Location
Estonia
How am I kissing AMD's anything here?
 
Joined
Sep 29, 2011
Messages
217 (0.05/day)
Location
Ottawa, Canada
System Name Current Rig
Processor Intel 12700K@5.1GHz
Motherboard MSI Pro Z790-P
Cooling Arctic Cooling Liquid Freezer II 360mm
Memory 2x16GB DDR5-6000 G.Skill Trident Z RGB
Video Card(s) MSI Gaming X Trio 6800 16GB
Storage 1TB SSD
Case Cooler Master Storm Striker
Power Supply Antec True Power 750w
Keyboard IBM Model 'M"
The perspectives offered by "anubis44" focus on the politics of the people making the discoveries rather than the facts and details of the discoveries themselves, which is not helpful or constructive. "anubis44" is also calling out TPU for reporting on the information claiming some sort of bias or defaming effort on their part which is complete rubbish and narrow-minded thinking. Again, not helpful or constructive. TPU is reporting information as it comes to light and doing a damn good job keeping updated and up to speed with developments as they occur. "anubis44" also made a veiled "threat" of abandoning the site if they didn't discontinue what "anubis44" considers unacceptable. My response to that sad little remark implied "don't let the door hit you on the way out".

The occurrence of "certain" people "getting outraged" over silly things that ultimately don't matter has been on the rise lately. The staff have had to deal with it even more than us users. Both groups are getting tired of it.

The technical details were not released with the announcement, only the conceptual details. This seems to be a continuing misunderstanding on the part of the general public. The technical details and proof of concept samples were only released to AMD and other responsible parties/entities to be validated and fixed. The announcement was the only part of this release that was done with only 24hr notice, which CTS Labs admitted they could have handled better. Everything else was handled in a seemingly appropriate manner.

Trying to vilify and berate a group for what is clearly a minor mistake by conjuring up fanciful conspiracies is an effort of foolishness, not objectivity.

Thank you, Intel PR, for your input.

Look, the fact is, leaving this 'story' up on the main page of TechPowerUp lends credibility to the entire hit-piece. It's something like a guy who purports to be a private investigator, who hates somebody famous, going to the press, and accusing the famous person of being a pedophile. So a news site then puts up a story titled 'It looks like so-and-so is a pedophile!' Once the information comes to light that the 'private investigator' is actually not really a private investigator, but someone who hates the famous person for personal reasons, and that they had a vested interest in damaging the reputation of the famous person, AND there's no evidence the famous person IS a pedophile, should the news site continue to leave up the story with that title?

It would be irresponsible for the news site to continue to leave the article up, with the title, 'It looks like so-and-so is a pedophile!' because the accusation itself is disparaging in a manner that is not accurately reflective on the accused. Once the credibility of the accuser/accusations are proven to be false, it's bad journalism to keep the headline implying the now-proven-to-be-false accusation.
 
Joined
Dec 31, 2009
Messages
19,366 (3.70/day)
Viceroy posting FUD right after amdflaws went public, though, is.
Correlation is not causation.

Thank you, Intel PR, for your input. Look, the fact is, leaving this 'story' up on the main page of TechPowerUp lends credibility to the entire hit-piece. It's something like a guy who purports to be a private investigator, who hates somebody famous accusing the famous person of being a pedophile, and so a news site has a story titled 'Is so-and-so a pedophile?!' Once the information comes to light that the 'private investigator' is actually not a private investigator, and there's no evidence the famous person IS a pedophile, it would be irresponsible for the news site to continue to leave the article up, with the title, 'Is so-and-so a pedophile?!' Once the credibility of the accuser/accusations are proven to be false, it's bad journalism to keep the headline asking the now-proven-to-be-false accusation.
Again, the method of delivery leaves a lot to be desired, they even admitted as such. However, the vulnerabilities are REAL. Perhaps they are not as severe as presented, but that isn't the point here. Look past the trees and see the forest. There will be CVEs, they have said they submitted them. AMD has also yet to make a statement after their findings (remember it took 4-5 days using the exploits to do it). Also, 2 3rd party orgs supported their findings. One a bit dubious indeed, the other, unrelated and found the same things.

While turning a blind eye to things isn't a great idea, neither is sticking your head in the sand and pretending it isn't real. ;)
 
Joined
May 6, 2012
Messages
184 (0.04/day)
Location
Estonia
Benefit of a doubt goes a long way, it seems.
 
Joined
Dec 31, 2009
Messages
19,366 (3.70/day)
Benefit of a doubt goes a long way, it seems.
Conspiracy theories run deep, it seems.

Just because you smell smoke, doesn't mean there is currently fire. I agree, it stinks, the delivery... but to completely blow off the security issues is a bit myopic as well.
 
Joined
May 6, 2012
Messages
184 (0.04/day)
Location
Estonia
How does me concluding on facts and statements by CTS-Labs equal conspiracy?

If it smells like smoke and looks like smoke, then perhaps, there is some smoke somewhere?
 
Joined
Dec 31, 2009
Messages
19,366 (3.70/day)
Because you concluded it was a fact (the financial statement). I just posted this....
Let's strip away the name AMD...aren't they finding these for profit anyway? Someone pays them and they look for exploits for company X. Isn't that a financial gain? I get why people were flagged on the statement, but.... have an open mind.
A financial disclaimer in and of itself from a security company isn't anything new. They are FOR PROFIT companies.

We don't SEE smoke. Until we SEE smoke, there isn't a fire. We can smell it... but that doesn't mean there is currently a fire. Surely, it stinks, I feel you. But again, denying there are security issues is just as myopic.

Again, their delivery and things surrounding this are questionable. I think we all get that and are waiting to see how it shakes out. But again, to outright deny there are security issues here which need to be handled is sticking your head in the sand over the issue.

Time will tell. Let's hear AMD's response, let's see these when they come out as CVEs... and so on.
 
Joined
May 6, 2012
Messages
184 (0.04/day)
Location
Estonia
I've referenced the facts, not much more I can do here.
 
Joined
Dec 31, 2009
Messages
19,366 (3.70/day)
You've extrapolated your belief from their financial disclaimer. If you believe what you said there was a fact, then you are correct, there isn't much more you can do here for your mind is already made up.

We'll see you when AMD responds and the CVEs come out. :)
 
Joined
Jul 5, 2013
Messages
25,559 (6.47/day)
Thank you, Intel PR, for your input.
That's it? You're just going to call me a fanboy?
Look, the fact is, leaving this 'story' up on the main page of TechPowerUp lends credibility to the entire hit-piece.
Not fact, opinion. It is your opinion, and only your opinion. That opinion is based on assumptions that have no credibility.

I'm not going to remark on the rest of that drivel. Let it go, seriously.
 
Joined
May 6, 2012
Messages
184 (0.04/day)
Location
Estonia
There's more behind the "belief" than the financial disclaimer.
Again, I'm not denying the possible exploits, I'm saying that these exploits, based on information currently available, are very specific and require very specific sets of requirements to be filled in order for someone to exploit them.

They are not what CTS-Labs is saying they are.
 
Joined
Dec 31, 2009
Messages
19,366 (3.70/day)
are very specific and require very specific sets of requirements to be filled in order for someone to exploit them.
Que? This isn't new. CTS-Labs didn't say any Dick, Tom, or Jane could do it... what lines are you reading between? I'm not trying to be an ass, but, I am not seeing what you are saying...

And completely unrelated... for some reason, TPU isn't on their front page linking back to the other thread as they were a week ago... why?
 
Joined
May 6, 2012
Messages
184 (0.04/day)
Location
Estonia
You need to have admin and the system has to be on a bare-metal install of Windows, as per current information. Also, currently "validated" on 2 motherboards for Epyc.

I'd say that's quite specific.

vs

Am I affected?
Any consumer or organization purchasing AMD Servers, Workstations, or Laptops are affected by these vulnerabilities.

https://amdflaws.com/
 
Joined
Dec 31, 2009
Messages
19,366 (3.70/day)
So, nothing new. CTS didn't say it was easy... not sure how you believe they are doing so...

2 validations... in two tests... right? They only sent it out to two groups so far who have tested and confirmed? Isn't that batting 1.000? What do the motherboards have to do with it anyway? Didn't TPU just post a video of PoC? Was that one of the two boards you are talking about? Can you link to me the two boards this was confirmed on?
 
Joined
May 6, 2012
Messages
184 (0.04/day)
Location
Estonia
Joined
Dec 31, 2009
Messages
19,366 (3.70/day)
2/2 it seems...and again, CTS didn't say it was easy, so isn't that point bunk?

I'm sorry the information wasn't all vomited out at once. Perhaps that would have helped those thinking these aren't true? No idea.
 
Joined
Jul 5, 2013
Messages
25,559 (6.47/day)
I'm saying that these exploits, based on information currently available, are very specific and require very specific sets of requirements to be filled in order for someone to exploit them.
True, but then again, so is everything else these days. Meltdown & Spectre require even more specific conditions to be exploited. And those are taken seriously. The main reasons certain groups of people are calling foul is that these are mostly AMD specific vulnerabilities coming out of an Intel-friendly country from an unknown group who made a mistake concerning the announcement. The same kind of group kept bashing Intel over Meltdown & Spectre calling them flaws of design, which they are not. Then it came to light that Spectre affected every CPU made, with few exceptions, since 1993. Then those same people stopped whining and looked at the problems for what they were. Now we have information that shows Intel platforms are affected to some degree by these new vulnerabilities.

What the people complaining seem to be missing is that these discoveries are beneficial to everyone. It doesn't matter who likes what company, who profits from them, who made a mistake in timing of announcement or what level of specific expertise is needed to pull off an effective exploit. What matters is the knowledge we all gain from these discoveries and the benefit from that knowledge for future advancements.
 