Initial AMD Technical Assessment of CTS Labs Research

[Fx]

I wonder if anyone will come respond to this revelation, that administrative access is required, which means you would have complete control of a machine anyway...

Nah probably not, that would require more work than the typical "low quality" poster is capable of.

Yeah, I couldn't be any less interested. These "findings" are all bunk as far as I'm concerned. Any business has bigger problems than this if they don't have proper security measures in place which prevents unauthorized administrative access in the first place.

 

[RejZoR]

Eeeerm, no. That's like saying, every car is a death trap. If brake assist fails. And also brakes fail. And airbags fail. And seatbelts fail. And crumple zones collapse in an unexpected way. When all this aligns perfectly, the car is a death trap. That's the extent of how serious this issue is. It is expected that chain of secured events fail in order for this thing to even be feasible.

 

[ikeke]

If this wasn't a worry, AMD would have refuted these things instead of acknowledging them, putting them in a proper context, and offering fixes for everything.

Why would they do anything like that?

AMD did however give these proper context and timeline for fixes, both of which differ almost diametrically from CTS-Labs assessment. Which (CTS-Labs threat assessment), can we agree on this at least, was OTT.

Most would even say they (CTS-Labs) were spreading FUD as wording and timelines of informing AMD were hostile and not following industry agreed timelines.

 

[EarthDog]

Correct. But they are real, contrary to about a dozen others here currently who couldn't look past the debauchery of CTS. Nobody ever said their methods were good! Yet, that keeps coming up like anyone disagrees, LOL!

 

[ikeke]

Real in a very specific scenario, which you can almost 100% avoid via day-to-day IT security.
Again, CTS-Labs were saying that

Is my organization currently at risk?
If you have an AMD Ryzen, Ryzen Pro, Ryzen Mobile or EPYC machine on your network, and that machine is compromised, your network is at risk.
How long before a fix is available?
We don't know. CTS has been in touch with industry experts to try and answer this question. According to experts, firmware vulnerabilities such as MASTERKEY, RYZENFALL and FALLOUT take several months to fix. Hardware vulnerabilities such as CHIMERA cannot be fixed and require a workaround. Producing a workaround may be difficult and cause undesired side-effects

This is FUD.

 

[EarthDog]

...and it comes up again...

You are welcome to keep going back to CTS' horrific presentation, but, that doesn't really change anything. How many times do I(anyone) need to say CTS fucked up? I acknowledged AMD corrected things before... are you trying to prod and argue??? Let it go man... shit is real and not a big deal, CTS is a joke, we get it!

 

[ikeke]

Until you keep saying the threat is real

It actually isn't, in nearly all cases. A lot of basic errors in IT security have to be made for the threat to be real.

 

[EarthDog]

I am saying the threat is real. I am also saying it isn't close to as severe as CTS brought it up to be. That doesn't mean it isn't real.

Ive been in IT for nearly 20 years. From Mainframe Operations to Data Center Mangement. I've watched bad teams make basic errors, I have seen great team make basic errors. We are human and we make mistakes. Lots of them.

AMD has some holes to patch, period.

I digress. I'm getting dizzy watching you people defend them.

 

[Vya Domus]

How many times do I(anyone) need to say CTS fucked up?

Well , it could have been said a millions times and it wouldn't matter , because that's not the issue. They didn't fuck up at all , it was very much intentional , the FUD I mean.

 

[ssdpro]

What is all this scrabbling?!??! The vulnerabilities are real, AMD is escalating a response and will fix the bugs. All will be good in a few months, right?

 

[EarthDog]

Well , it could have been said a millions times and it wouldn't matter , because that's not the issue. They didn't fuck up at all , it was very much intentional , the FUD I mean.

Maybe? We don't know that... you can speculate until you are Vya Domus in the face bud. I'm not going there, but I can see your logical leap . I need facts.

You would think it IS the issue considering how many times by how many people mentioned it and believed this wasn't true at all. I've been through the threads and the list of people denying it is longer than one might expect.


EDIT: Bwaaaaaaaaaaaaaaaahahha, I just realized a Freudian slip... wants to say "you are blue in the face" but typed our your name???????????

What is all this scrabbling?!??! The vulnerabilities are real, AMD is escalating a response and will fix the bugs. All will be good in a few months, right?

A few weeks, and yes.

 

[ikeke]

*weeks.

 

[Vya Domus]

I need facts.

Such as ... the FUD ? I don't think that was up to debate. The claims ? Yes , but not this.

You don't name something "RYZENFALL" by mistake. Let's not kid ourselves , you can't seriously imply those things were an "error".

 

[EarthDog]

Yeah, you are right... I took it hook line and sinker and was spreading that FUD... my posts show that too (just in case, this was sarcastic). I feel like I should apologize...

It seems nobody knows the efficacy of the report at this time.

I fully believe these problems exist. I fully believe the severity of these are blown out of proportion and the notification process by CTS was abhorrent. Anything else is just lemming adding fuel to the fire, one post and jump off the cliff at a time.

 

[thesmokingman]

Maybe? We don't know that... you can speculate until you are Vya Domus in the face bud. I'm not going there

So you chose your own narrative but others cannot? What's kind of scary is this is the only forum that I've noticed that many posters are behind the fake news giving it credence. WTF?

 

[EarthDog]

So you chose your own narrative but others cannot?

LOL, this isn't about me . Did I say he couldn't? To me, without facts, I can't believe that narrative - didn't mention nor allude to him not being able to chose and discuss a narrative. I also noted I saw the logical leap he is making, but I simply can't do it without facts. Seems like a really far cry from saying he can't choose a narrative. I just said I can't buy it.

Same thing with those who feel Intel is behind this... I can see why people think that, but, again, until we see proof, I will withhold judgement.

 

[thesmokingman]

LOL, this isn't about me . Did I say he couldn't? To me, without facts, I can't believe that narrative - didn't mention nor allude to him not being able to chose and discuss a narrative. I also noted I saw the logical leap he is making, but I simply can't do it without facts. Seems like a really far cry from saying he can't choose a narrative. I just said I can't buy it.

Same thing with those who feel Intel is behind this... I can see why people think that, but, again, until we see proof, I will withhold judgement.

Proof of what? WTF??? You cannot come to a conclusion on your own? How many leaders of this industry need to come out and denounce CTS before it sinks in??????? You expect CTS to come clean and incriminate themselves or something?? CTS said that they didn't expect AMD to be able to fix this within a year, therefore they did what they did. AMD fixes this in a couple days. Hello?

 

[EarthDog]

AMD will fix these in a few *WEEKS*. They are not fixed already.... but I got your point.

What are you trying to pin on me bud? I'm with you! CTS' delivery was a joke!!!! They are terrible!! That doesn't mean these vulnerabilities were not true though!! That is all I am trying to say. Simple.

Can people F up and it be intentional??? Come on guys... they F'd up, period. But we simply do not know, FOR A FACT, the intentions. Writing is on the wall, I can see it, but I(we all) don't have the facts... just correlation. Time will tell if this was malicious by them or not. I am not holding judgement until we know more. You can make the leap, boys, have at it!

EDIT: Some of those 'industry leaders' also said they didn't think the vulnerabilities weren't true in the first place... so, there is that as well.

 

[Vya Domus]

To me, without facts, I can't believe that narrative

Facts are not required in certain situations when the subject in question is in front of your eyes and there is nothing obscured by it. If you cannot come to terms with that , that just a skewed perception you chose to have and that hasn't got much to do with facts.

 

[EarthDog]

That is your opinion and you are certainly entitled to it.

 

[thesmokingman]

AMD will fix these in a few *WEEKS*. They are not fixed already.... but I got your point.

What are you trying to pin on me bud? I'm with you! CTS' delivery was a joke!!!! They are terrible!! That doesn't mean these vulnerabilities were not true though!! That is all I am trying to say. Simple.

Can people F up and it be intentional??? Come on guys... they F'd up, period. But we simply do not know, FOR A FACT, the intentions. Writing is on the wall, I can see it, but I(we all) don't have the facts... just correlation. Time will tell if this was malicious by them or not. I am not holding judgement until we know more. You can make the leap, boys, have at it!

You still are giving them the benefit of the doubt. AMD is filing with the authorities over this.

AMD saw reports of unusual trading activity in its stock about a week ago when an Israeli company called CTS Labs went public with a report on the flaws and has reported it to the relevant authorities.

And on point.

There’s no evidence that of any of those holes has been used for malevolent purposes, and it would be extremely difficult to use any of them to attack computers, the Sunnyvale, California-based company said.

https://www.bloomberg.com/news/arti...-vulnerability-says-report-exaggerated-danger

 

[EarthDog]

Indeed I am giving them the benefit of the doubt. I could be wrong, its happened before, quite a bit at times even. Time will tell.

So far I am batting 1.000 though.. its real, regardless of how shady it looks/will prove/not prove to be, and so many here couldn't even fathom that concept these were real regardless of the severity - this was a caveat in all my posts since it happened 3/14.

But please, please continue to attack my position... should I ask if I am allowed to have one? Is now the right time? Sure feels like I am getting beat up over mine when I simply said I didn't agree with someone else's...

Maybe? We don't know that... you can speculate until you are Vya Domus in the face bud. I'm not going there, but I can see your logical leap . I need facts.

....that goose, that gander.

 

[R-T-B]

Pascal VBios can be read and modified and flashed, you just need some hardware-tools.

Not the latest versions. Believe me, I've messed with it.

...actaully, there is a chance I missed something. You mind me pming you as this is OT? I have a Titan XP Star Wars I'd very much like to modify, and yes I have the hardware...

 

[Vya Domus]

Sure feels like I am getting beat up over mine when I simply said I didn't agree with someone else's...

That's because you are constantly switching between saying that you are certain about something and that you are not and how we should not state our conclusions yet.

Come on guys... they F'd up, period. But we simply do not know, FOR A FACT, the intentions.

Indeed I am giving them the benefit of the doubt.

That just sort of annoys people and I can't help but think that you are doing it intentionally.

You can't have the cake and eat it as well. But you are doing your best to do so , I can give you that.

 

[EarthDog]

Consider those responses in context and what they are responding to, please.

They F'd up in their DELIVERY. There isn't really a question there. Not giving them the normal 90 days for example...poor delivery!

What is a question is the shady tactics or not behind the poor delivery. Hence why I am giving them the benefit of the doubt on that front. You two clearly disagree with that assertion and have your reasons. That is ok! Time will tell gents, time will tell. Now, can we stop making this about 'us'? There was ZERO reason to pin me on a wall here boys...

EDIT: It is entirely possible I am simply wrong in giving them the benefit of the doubt... that is also OK to be wrong!!! Something many members of this forum have a huge problem with (admitting it). If I see another post by a certain user that denies Intel CPUs throttle, I'm going to vomit... too much of that here... waaaaaaaaaaaaay too much.