AMD Security Vulnerability – The Day After - Seems Financially Motivated

It's funny, i'm going through twitter page after twitter page with random people saying "So and so confirms these flaws are real", so then i go to whatever place these people were talking about, and try and figure out where they stated they "confirmed" it and how they confirmed it....and always come up with nothing.

It's like these people think that if someone reports on the issue, they have therefore "confirmed" the issue is present, because i have found where whatever person or company they stated "confirmed" they were real, had talked about the vulnerabilities, but they have all just talked about them, in a similar way that Guru3d news article did, citing that all their information about said vulnerabilities comes from CTS-Labs, the same as everyone else.

......I mean seriously, how is that a confirmation?

is the fact that i'm writing about it right now, somehow confirming they are real....?

If there is to be a confirmation, then confirm it in a way that can not be disputed, otherwise it's all just he-said she-said.

 

In regards to the PSP and fTPM "vulnerabilities" listed by "CTS_Labs".... Have a read...
https://www.phoronix.com/scan.php?page=news_item&px=AMD-PSP-2018-Vulnerability

The article on Phoronix I linked above (in this same post) confirms the PSP and fTPM "vulnerabilities"....as well as who actually "discovered" them, when they were "discovered" and, coincidentally, when AMD patched the "vulnerabilities".... Good enough for you?

 

Sounds like Intel was trying to give the death blow to AMD.......

 

I was also smelling something fishy but did not take the time or effort to look into it.

Some very interesting points Hilbert, I'm glad someone in the industry has the nounce to call them out on their made up (or greatly exaggerated) BS.

 

If it walks like a duck and quacks like a duck....must be a duck....

For anyone still wondering about AMD's PSP and fTPM "vulnerability"....the actual details can be found here, per Google's own 90-day disclosure policy (this is likely where CTS_Labs actually learned of it, but failed to read the entire disclosure): http://seclists.org/fulldisclosure/2018/Jan/12
For those actually concerned about it, AMD starting releasing the "fix" to motherboard manufacturers on Dec 7, 2017.

 

Lulz @ this "security research company". I mean if you have admin access to the pc you can do/get pretty much anything that you want. And on top of that needing a specially digitally signed driver... oh come on. You don't need a vulnerabilty or amd only pc to do some damage at that stage. Someone's been careless with the drug/alcohol amount they used before coming up with this stuff.

 

Went on tomshardware and trusted them for many years but they are on the same side as CTSLabs and CTSlabs site has tomshardware link in it. Screwwwwwwwwwww you Tomshardware!

 

Who's debating it? Aside from the Intel loyalists anyway....

It's pretty obvious this "news" was nothing but BS from the start. I mean, seriously. It requires access to the PC to flash the UEFI firmware (since you have to know exactly what motherboard is installed, what firmware revision is installed, etc). Then you have to have a modified, yet digitally signed driver from ARM. You also have to have administrator level access. So, by the time someone meets the criteria necessary to exploit the system, they would have been better off just simply stealing the PC and accessing the data at their own leisure.... Oh, btw, lets not forget that with the same degree of access, you could also compromise any Intel system to the exact same extent. So, this is far from being strictly an AMD related series "vulnerabilities". If secureboot is properly implemented and enabled, you're covered since an administrator password would be required to flash the UEFI firmware.

So, if anyone wants to mitigate these "vulnerabilities".....don't download and execute malicious code. Don't download and installed modified, digitally signed drivers from ARM. Enable SecureBoot and set an administrator password. Also, don't ever give unknown software elevated privileges... Quick and simple to mitigate.

You read my mind!!!! Now, stop that unless you're going to tell me wtf I'm thinking....lol

As soon as I saw the article, my first thought was that tomshardware is now a CTS_Labs shill.... I wonder how much they were paid to run such a BS article after the credibility of CTS_Labs was essentially, completely destroyed.

 

I find it so effing funny, that within a year, 13 vulnerabilties have been found, as remarkable as Spectre or Meltdown, which took that 10y to find.
Now, suddently, 13 are found, and none of them are bugging Intels cpu´s?
And mentioned very many times now, they gave AMD 24h to "fix" it?

There are so many things wrong, when thinking with commonmind or maybe they really have issues with Ryzen architecture... For now, i don´t believe it.
If and just IF, Intel is behind this, they don´t deserve my money. But let´s see where this all goes first. Just speculating.

 

I doubt Intel was behind it. CTS_Labs was setting up a short sale for NineWells Capital Management and Viceroy Research.... plain and simple. CTS_Labs is a small company consisting of only 6 employees. A CEO, CFO, CTO and 3 "security researchers".... There's no way possible that they managed to find 13 security vulnerabilities and thoroughly test each vulnerability that quickly without major funding and assistance. I doubt that assistance came from Intel though. I guess I'll go ahead and put the final nail in the coffin here though. This "research" focuses solely on AMD processors. There is no consideration of the fact that Intel systems would also be compromised by modified UEFI firmware or modified, digitally signed drivers, or administrator access. For this "research" to be valid, the same exploits would have to be tested against Intel processors and multiple operating systems. The entire process would take YEARS.... Also, it's highly likely that Google would have found such vulnerabilities around the same time they discovered Spectre and Meltdown. Google has considerably more "security researchers" than CTS_Labs does and Google had already notified AMD of vulnerabilities in their PSP and fTPM implementations, which any real security researcher would have been aware of and would have had to test against the "fix" for those vulnerabilities as well. When taking modified UEFI firware into account, especially UEFI firmware that's modified for malicious behavior, the system becomes vulnerable to the point that no mitigation is possible. This is a flaw in every system that uses an EEPROM chip for UEFI firmware, whether it be AMD, Intel, ARM, VIA or MIPS. The UEFI firmware ultimately has total control over the system. So, the only real "fix" would be to return to EPROM or PROM chips for UEFI to ensure the firmware can't be overwritten with modified/malicious firmware.

 

Well, if AMD officially debunks those leaks, I believe AMD. I've yet to read a statement, but of course investigating something like this takes time.
I find it interesting that they are working to get AMD stock value down when they probably could have done all that months ago, with an already lower base price to start with...

Reading further into things I have to say, from a technical point of view (which is the only one interesting to me, idc about stock value), it seems like it's way less drastic than I thought.

Doing something that most people here seem to not know, sorry for argueing, I guess I was wrong. Still I'd like to read AMD saying "it's bs".

 

Beside all the fancy stuff, i still get your point. Yes, i had the thought, "Why google Experts haven´t found them, or any known company...?".

But i´m still questioning, "Why coulnd´t it have been Intel?". I mean, you can redirect money kinda "easily", w/o getting noticed. Or did someone deliver a case of cash to them?

Or is this just a full troll against AMD?

 

Zen+ behind corner. They simply took note about mechanisms driving AMD's stock. And likely expected it to go up and up again once Zen+ is out next month.

 

Yeah... cool story bro

 

After reading the article I just knew that some clown would go and blame the joos. And then to equate those who object to his accusations to being SJW's when in fact SJW's hate the state of Israel. As someone who is a Christian and is friends with a former Israeli ambassador, i'd love to get further into this topic but that belongs on a different thread on a different forum entirely.

 

lol wtf is he even talking about

 

I have no idea but I don' fancy watching the movie to try and get it.

 

I just discovered a serious bug on all systems, ranging decades back:

If you have admin / root access, you may do damage to anything you have access to!!!111!1!oneoneeleven!1!1! And this is even possible on the so-secure Linux, on O/S2 Warp and even DOS, too!!!1!1! And Intel is as much affected as AMD!!!!1!1!

WE ARE ALL GONNA DIIIIIIEEEEE!
(Puts tinfoil hat on)

No wait ...

Btw.: I am a Cyrix fanboy!!

 

Isnt this basically the same as being told if you give your house key to a burglar, your home security is compromised?

 

Well, your home security usually needs a code along the key to the door