AMD Security Vulnerability – The Day After - Seems Financially Motivated

Discussion in 'Frontpage news' started by Hilbert Hagedoorn, Mar 14, 2018.

  1. Texter

    Texter Ancient Guru

    Messages:
    3,133
    Likes Received:
    221
    GPU:
    Club3d GF6800GT 256MB AGP
    ^ Well a RFID-tag should suffice for that...attached to the key:p
     
  2. 386SX

    386SX Master Guru

    Messages:
    865
    Likes Received:
    875
    GPU:
    AMD Vega64 RedDevil
    But the burglar asked so nicely ... ;-)
     
  3. PrMinisterGR

    PrMinisterGR Ancient Guru

    Messages:
    7,082
    Likes Received:
    164
    GPU:
    Sapphire 7970 Quadrobake
    Especially if the vulnerabilities are real, then it matters.

    There are laws around this (and that company is actually breaking them), that force security companies to disclose to affected parties a minimum of 90 days before taking anything public. For an Israeli company like them, the limit is six months.

    Have any of you read their "papers"?

    They are quite laughable. All the "exploits" require root access, and one of them requires a BIOS flash.
     
    Aura89, __hollywood|meo and Embra like this.
  4. fantaskarsef

    fantaskarsef Ancient Guru

    Messages:
    11,472
    Likes Received:
    3,457
    GPU:
    2080Ti @h2o
    ... which is against everything you can read up that promotes two step verification for the small gain of not entering a few numbers after you enter the door. Great concept for "security".
     

  5. Noisiv

    Noisiv Ancient Guru

    Messages:
    6,864
    Likes Received:
    608
    GPU:
    2070 Super
    A burglar eventually needs to get out of your house:
    Neighbors will notice him, a postman will wonder who is this guy. He can't move in, and throw parties every night.
    It's a hazardous occupation.

    This is more like a licensed burglar,
    i.e. a burglar who has all the necessary papers that prove he is a legit owner of the burglarized house, and all he needs to do is find a way to get in.
     
  6. fantaskarsef

    fantaskarsef Ancient Guru

    Messages:
    11,472
    Likes Received:
    3,457
    GPU:
    2080Ti @h2o
    That's how it works in Russia. At least sometimes.
     
  7. Noisiv

    Noisiv Ancient Guru

    Messages:
    6,864
    Likes Received:
    608
    GPU:
    2070 Super
    Hey why not :D :D

    Su casa es mi casa!
     
  8. sykozis

    sykozis Ancient Guru

    Messages:
    21,561
    Likes Received:
    876
    GPU:
    MSI RX5700
    There's key codes, RFID, bluetooth and various other ways of disabling a security system to gain entry besides just a simple key.
     
  9. Killian38

    Killian38 Master Guru

    Messages:
    312
    Likes Received:
    88
    GPU:
    1060
    The biggest flaw in hardware is "Us". Intel and AMD did nothing wrong.
     
  10. Aitortxo

    Aitortxo Member

    Messages:
    42
    Likes Received:
    2
    GPU:
    MSI GTX 1080ti TRIO
    Very good read, Hilbert! Thanks for all the info. There's definitely something fishy going on here...
     

  11. fantaskarsef

    fantaskarsef Ancient Guru

    Messages:
    11,472
    Likes Received:
    3,457
    GPU:
    2080Ti @h2o
    Honestly, that sounds like your security system isn't worth the cost then if I can simply walk in.
    But we're talking quite speculative here, nobody gives their key to a burglar in the first place, right? Oh wait... with the internet, some people do :D
     
  12. D3M1G0D

    D3M1G0D Ancient Guru

    Messages:
    2,123
    Likes Received:
    1,358
    GPU:
    2 x GeForce 1080 Ti
    It seems the media is taking a more critical look at CTS Labs.

    https://www.anandtech.com/show/12536/our-interesting-call-with-cts-labs
    https://www.extremetech.com/computi...ith-amd-security-disclosures-digs-deeper-hole

    What's interesting is that CTS Labs stated that they had found flaws in ASMedia chips (which are used in many Intel boards as well), but then presented the flaw as something that is exclusive to AMD.

    From Anandtech:
    From Extremetech:
     
  13. scatman839

    scatman839 Ancient Guru

    Messages:
    14,092
    Likes Received:
    477
    GPU:
    1080, KD55XD800
    https://www.reddit.com/r/Amd/comments/84uk0q/david_kanters_comment_on_cts_labs_interview

    I N S I D E R T R A D I N G

    What a dodgy company, did you hear about the short stock seller that produces a 32 page pdf 2 hours after the announcement?

    AMD – The Obituary -
    https://www.google.co.uk/url?sa=t&s...FjAAegQIBRAB&usg=AOvVaw1-o88MRpgJRYUcUYm__3is


    I'm not a fan of AMD, I'm not a fan of Intel, a computer's a computer and I get what I can afford and what benchmarks best at the time. I really do not think either company has anything at all to do with this. Hell it affects chips on both from what I just saw
     
  14. Noisiv

    Noisiv Ancient Guru

    Messages:
    6,864
    Likes Received:
    608
    GPU:
    2070 Super
    Glad to see that Anandtech is clearly bifurcating this into two issues.
    Scope of these vulnerabilities is a technical issue, and has nothing to do with CTS labs and their motives.

    Everyone agrees they are dodgy as hell. That much is clear.
    Intel might or might not have something to do with this. But right now I wouldn't put my hand in fire either way.
     
  15. sykozis

    sykozis Ancient Guru

    Messages:
    21,561
    Likes Received:
    876
    GPU:
    MSI RX5700
    There are "security systems" that use RFID tags to disable. There are "security systems" that use bluetooth connections to disable. There are "security systems" that use an app over a network connection to disable. There are "security systems" that use key codes to disable. Most can be disabled by cutting the phone or power...lol There are a few that depend on cellular networks with battery backup though.

    If you let a criminal into your house and provide them with keys, no security system will be effective though.
     

  16. sykozis

    sykozis Ancient Guru

    Messages:
    21,561
    Likes Received:
    876
    GPU:
    MSI RX5700
    tomshardware ran another article about CTS_Labs today..... Now they appear to be having doubts after someone at AnandTech did a phone interview with the CEO of CTS_Labs and apparently got a few contradictory answers to questions about disclosure. Judging from the article, they didn't seem too concerned with the apparent lack of knowledge though.
     
  17. -Tj-

    -Tj- Ancient Guru

    Messages:
    16,775
    Likes Received:
    1,718
    GPU:
    Zotac GTX980Ti OC
    tpu did it too

    like it's been said, quick fake damage control before launch.
     
    Last edited by a moderator: Mar 17, 2018
  18. sykozis

    sykozis Ancient Guru

    Messages:
    21,561
    Likes Received:
    876
    GPU:
    MSI RX5700
    That was a pretty good read. Thanks for posting the link. That article pretty much qualified my belief in regards to CTS_Labs...
     
    Last edited by a moderator: Mar 17, 2018
  19. anticupidon

    anticupidon Ancient Guru

    Messages:
    4,927
    Likes Received:
    1,488
    GPU:
    Polaris/Vega/Navi
    Well a bit late to the party, but here it comes, nevertheless

    http://www.zdnet.com/article/linus-torvalds-slams-cts-labs-over-amd-vulnerability-report/

    Linus Torvalds doesn't buy it. Not a bit.

    I am no security expert, and maybe I struggled a bit to wrap my head around the white papers and all CTS labs disclosed, but I can't shake the feeling of pointing the finger to something that may be real and quantified, but in such a way that isolates AMD and makes the other team look pristine and vulnerability free.
     
    386SX likes this.
  20. sykozis

    sykozis Ancient Guru

    Messages:
    21,561
    Likes Received:
    876
    GPU:
    MSI RX5700
    He makes a very good point. These idiots came out of nowhere. They created a website detailing "security vulnerabilities" and slamming AMD. They provided the information to media and prepped them for public disclosure prior to even providing the claimed data to AMD themselves. Coincidentally, they also acknowledged that the "flaws" are not specific to AMD when they openly state that there are claimed backdoors in the ASMedia USB hub chipset. AMD doesn't design the ASMedia USB hub chipset and the same chipsets they claim to be "vulnerable" are more widely used on Intel based motherboards. Strangely enough, they intentionally failed to mention that any "security vulnerability" relating to ASMedia's USB Hub will impact Intel. They made it a point to attack AMD. Coincidentally, CTS_Labs admitted that they never tested their claimed "code" against the latest AGESA update, which any professional security researcher with even a week's time in the cybersecurity field would have done PRIOR to going public. Also, these idiots claim to have 16 years experience in cybersecurity but have no clue at all how to do a public disclosure properly? Sorry. If you've been around PCs or cybersecurity for 16 years, you've seen a proper public disclosure. Google does them regularly.

    Security Researchers have 1 main responsibility. Report their findings to the product developer.
    Security Developers have the responsibility of developing and testing mitigation code to ensure it's both functional and doesn't break anything.

    Now, if it requires "root" or "admin" or physical access or modified firmware, it's not a major issue. It's just an annoyance.

    As for Guido.... He's a blooming idiot.... Since he opened his mouth and made a false statement, AMD could easily pursue legal action against him. What false statement? He stated publicly that the claimed "security flaw" that affects ASMedia's USB Hub is specific to AMD. Coincidentally, since Viceroy Research (a company known for stock manipulation) was directly involved in the public disclosure, should this matter be properly investigated by law enforcement, he could easily be charged as an accomplice to securities fraud... Now, had he come out and stated that the ASMedia related "security vulnerability" affects all PCs utilizing the concerned ASMedia USB Hub chip models, he'd be free and clear. BUT....he didn't. He was a puppet in the commission of securities fraud perpetrated by CTS_Labs and Viceroy. (Btw, he reportedly accepted $16,000 to make said fraudulent statement.....)
     
    Embra, __hollywood|meo and Aura89 like this.