AMD Security Vulnerability – The Day After - Seems Financially Motivated

^ Well a RFID-tag should suffice for that...attached to the key

 

But the burglar asked so nicely ... ;-)

 

Especially if the vulnerabilities are real, then it matters.

There are laws around this (and that company is actually breaking them), that forces security companies to disclose to affected parties a minimum of 90 days before taking anything public. For an Israeli company like them, the limit is six months.

Has any of you read their "papers"?

They are quite laughable. All the "exploits" require root access, and one of them requires a bios flash.

 

... which is against everything you can read up that promotes two step verification for the small gain of not entering a few numbers after you enter the door. Great concept for "security".

 

A burglar eventually needs to get out of your house:
Neighbors will notice him, a postman will wonder who is this guy. He can't move in, and throw parties every night.
It's a hazardous occupation.

This is more like a licensed burglar,
ie. a burglar which has all the necessary papers that prove he is a legit owner of the burglarized house, and all he need to do is find a way to get in.

 

That's how it works in Russia. At least sometimes.

 

Hey why not

Su casa es mi casa!

 

There's key codes, RFID, bluetooth and various other ways of disabling a security system to gain entry besides just a simple key.

 

The biggest flaw in hardware is "Us". Intel and AMD did nothing wrong.

 

Very good read, Hilbert! Thanks for all the info. There's definitely something fishy going on here...

 

Honestly, that sounds like your security system isn't worth the cost then if I can simply walk in.
But we're talking quite speculative here, nobody gives their key to a burglar in the first place, right? Oh wait... with the internet, some people do

 

It seems the media is taking a more critical look at CTS Labs.

https://www.anandtech.com/show/12536/our-interesting-call-with-cts-labs
https://www.extremetech.com/computi...ith-amd-security-disclosures-digs-deeper-hole

What's interesting is that CTS Labs stated that they had found flaws in ASMedia chips (which are used in many Intel boards as well), but then presented the flaw as something that is exclusive to AMD.

From Anandtech:

From Extremetech:

 

https://www.reddit.com/r/Amd/comments/84uk0q/david_kanters_comment_on_cts_labs_interview

I N S I D E R T R A D I N G

What a dodgy company, did you hear about the short stock seller that produces a 32 page pdf 2 hours after the announcement?

AMD – The Obituary -
https://www.google.co.uk/url?sa=t&s...FjAAegQIBRAB&usg=AOvVaw1-o88MRpgJRYUcUYm__3is


I'm not a fan of amd, I'm not a fan of intel, a computer's a computer and I get what I can afford and what benchmarks best at the time. I really do not think either company has anything at all to do with this. Hell it affects chips on both from what I just saw

 

Glad to see that Anandtech is clearly bifurcating this into two issues.
Scope of these vulnerabilities is a technical issue, and has nothing to do with CTS labs and their motives.

Everyone agrees they are dodgy as hell. That much is clear.
Intel might or might not have something to do with this. But right now I wouldn't put my hand in fire either way.

 

There are "security systems" that use RFID tags to disable. There are "security systems" that use bluetooth connections to disable. There are "security systems" that use an app over a network connection to disable. There are "security systems" that use key codes to disable. Most can be disabled by cutting the phone or power...lol There are a few that depend on cellular networks with battery backup though.

If you let a criminal into your house and provide them with keys, no security system will be effective though.

 

tomshardware ran another article about CTS_Labs today..... Now they appear to be having doubts after someone at AnandTech did a phone interview with the CEO of CTS_Labs and apparently got a few contradictory answers to questions about disclosure. Judging from the article, they didn't seem too concerned with the apparently lack of knowledge though.

 

tpu did it too

like its been said, quick fake damage control before launch.

 

That was a pretty good read. Thanks for posting the link. That article pretty much qualified my belief in regards to CTS_Labs...

 

Well a bit late to the party, but here it comes, nevertheless

http://www.zdnet.com/article/linus-torvalds-slams-cts-labs-over-amd-vulnerability-report/

Linus Torvalds doesn't buy it.Not a bit.

I am no security expert, and maybe a struggled a bit to wrap my head around the white papers and all CTS labs disclosed, but I can't shake the feeling of pointing the finger to something that may be real and quantified, but in such a way that isolates AMD and makes the other team look pristine and vulnerability free.

 

He makes a very good point. These idiots came out of nowhere. They created a website detailing "security vulnerabilities" and slamming AMD. They provided the information to media and prepped them for public disclosure prior to even providing the claimed data to AMD themselves. Coincidentally, they also acknowledged that the "flaws" are not specific to AMD when they openly state that there are claimed backdoors in the ASMedia USB hub chipset. AMD doesn't design the ASMedia USB hub chipset and the same chipsets they claim to be "vulnerable" are more widely used on Intel based motherboards. Strangely enough, they intentionally failed to mention that any "security vulnerability" relating to ASMedia's USB Hub will impact Intel. They made it a point to attack AMD. Coincidentally, CTS_Labs admitted that they never tested their claimed "code" against the latest AGESA update, which any professional security researcher with even a week's time in the cybersecurity field would have done PRIOR to going public. Also, these idiots claim to have 16 years experience in cybersecurity but have no clue at all how to do a public disclosure properly? Sorry. If you've been around PCs or cybersecurity for 16 years, you've seen a proper public disclosure. Google does them regularly.

Security Researchers have 1 main responsibility. Report their findings to the product developer.
Security Developers have the responsibility of developing and testing mitigation code to ensure it's both functional and doesn't break anything.

Now, if it requires "root" or "admin" or physical access or modified firmware, it's not a major issue. It's just an annoyance.

As for Guido.... He's a blooming idiot.... Since he opened his mouth and made a false statement, AMD could easily pursue legal action against him. What false statement? He stated publicly that the claimed "security flaw" that affects ASMeda's USB Hub is specific to AMD. Coincidentally, since Viceroy Research (a company known for stock manipulation) was directly involved in the public disclosure, should this matter be properly investigated by law enforcement, he could easily be charged as an accomplice to securities fraud... Now, had he come out and stated that the ASMedia related "security vulnerability" affects all PCs utilizing the concerned ASMedia USB Hub chip models, he'd be free and clear. BUT....he didn't. He was a puppet in the commission of securities fraud perpetrated by CTS_Labs and Viceroy. (Btw, he reported accepted $16,000 to make said fraudulent statement.....)