AMD processors impacted by 13 serious flaws, says CTS Labs

[aidanjt]

They say they have redacted the public version of the report - the un-redacted version being with AMD.

So they say. But that's still not typical industry practice. Usually when vulnerabilities are discovered and written about, the authors contact the parties responsible for the development of the product or service and give them a reasonable timeframe to patch them before public disclosure of the report, as is. It might have something to do with the fact that this 'research' company didn't exist before last year. And what they're calling 'vulnerabilities' are really obvious consequences of having privileged access to the machine. Their legal disclaimer doesn't help their credibility, either.

You should watch the video above to see what we're talking about.

[CAT-THE-FIFTH]

Oh what a tangled web we weave when we practice to deceive.

Talking from experience??!!

Not sure what it has to do with the matter in hand.

[peterb]

Oh what a tangled web we weave when we practice to deceive.

Q. Whats the difference between a white hat and a black hat?
A. One files annual tax returns and the other doesn't.

We're led to believe that the guy that saved the planet from Wannacry also wrote malware, so whats your point? A black hat one day wakes up with a conscience, or is it a white hat decides he's not earning enough doing the right thing? They both have the same capabilities and present the same threats to global populace. They're both mercenaries, just that one decides to work for their own good and the other is drinking someone elses coolaid.

Like it or not, the good guys and the bad guys are the same people. It just depends on what side of the bed they got out of on a particular day. A bi-polar hacker - now that's a scary thought. Just saying.

I’m not sure what it is you are “Just saying”.

It does seem to me that your posts fall into two categories, one group that tries to p,ah down the effects of the vulnerabilities exposed in Intel’s preocessors, and those that play up weaknesses and shortcomings in AMD’s products, which does give an impression of manufacurer/product bias... Why that might be is open to conjecture of course....

Just saying.

[rainman]

So they say. But that's still not typical industry practice. Usually when vulnerabilities are discovered and written about, the authors contact the parties responsible for the development of the product or service and give them a reasonable timeframe to patch them before public disclosure of the report, as is. It might have something to do with the fact that this 'research' company didn't exist before last year.

Oh I completely agree. And I totally understand why folk are so whipped up about the apparent validity of the organisation, I mean you'd have to be dead from the neck up to not be even slightly intrigued as to whether there may be an association with another entity with a financial interest in seeing AMD on it's heels.
Just that reading through this thread there appear to be a fair few that seem prepared to throw the baby out with the bathwater.

And what they're calling 'vulnerabilities' are really obvious consequences of having privileged access to the machine.

This is where I strongly disagree and where a lot of people seem to have not grasped the very nature of the threat. Exploiting hardware is not and should not be an obvious consequence of having admin rights. Software should not be able to pwn hardware, even with admin rights. If it can then it's a vuln, plain and simple.

Their legal disclaimer doesn't help their credibility, either.

I can't argue with that. I completely agree.

[aidanjt]

This is where I strongly disagree and where a lot of people seem to have not grasped the very nature of the threat. Exploiting hardware is not and should not be an obvious consequence of having admin rights. Software should not be able to pwn hardware, even with admin rights. If it can then it's a vuln, plain and simple.

OK, well, the only way to prevent that is to disable firmware updates. That's not a good idea. And once that bar has been raised, what's next? Calling it a vulnerability if you can swap out the EEPROM and security chip? At some point you need to draw the line between sensible and stupid.

[Mr_Jon]

We specialize in a variety of communications areas. Our team of influencers will help you develop a customized communications plan that is uniquely designed to drive success for your business.

It appears they have also plagiarised my CV.

[rainman]

I’m not sure what it is you are “Just saying”.

It does seem to me that your posts fall into two categories, one group that tries to p,ah down the effects of the vulnerabilities exposed in Intel’s preocessors, and those that play up weaknesses and shortcomings in AMD’s products, which does give an impression of product bias... Why that might be is open to conjecture of course....

Just saying.

I've said nothing about Intel vulns at all at any stage, so please Mr Forum Moderator, don't put words in my mouth.

In relation to Cat the fifth's posts, it seems to assume that there is a line between the guys that do wrong and the good guys that know how to do wrong. I'm saying that there isn't a line, or if there is one then it's so thin as to be only visible under a microscope and we can only guess at how many times a so-called good guy decided to cross the line, and vice versa.

Whilst Cat also points to Linus Torvold's comments on the shady nature of the security industry he seems to miss that this is the exact point that LT is making. He's right, it's damned shady, and thats almost completely unavoidable due to the nature of the beast, such as it is. The point I was trying to make was that in the security landscape leopards do change their spots continually and everyone has a price. They are all just weighing up just how much they're prepared to have on their conscience vs they're income, and their own personal level of risk is just as likely to change day to day. Just because a bad guy comes out with news that you don't like reading, doesn't mean it's not true. Equally, we have a some good guys with an awesome reputation, who's work on which I rely on a daily basis but how would anyone even know if they did actually work in both camps?

It is an industry that is completely Machiavellian at every level, and we'd all do well to realise that. So I guess I'm "just saying" assume nothing and trust no one. If you've ever had to pay an auditor to carry out a pen test, and then wondered just what it was you just paid for then you might have some semblance of the level of conflict that it leaves you with, or is that just me?

[CAT-THE-FIFTH]

It appears they have also plagiarised my CV.

Maybe,AMD needs your help!!

I am still perplexed why a security firm needs to have influencers,etc??

This too:

right reporters, bloggers, analysts and influencers

Right reporters and bloggers?? Why would you need to control the message to the media if the message has nothing to hide??

Surely if what you done is up to scratch the results will defend themselves. I mean in many cases,companies will pay people if you find an issue in their software or hardware too,and companies might even contract you for some services.

[peterb]

I've said nothing about Intel vulns at all at any stage, so please Mr Forum Moderator, don't put words in my mouth.

I noticed you added that as an afterthought. You have defended Intel in some other threads on the forum.

However it is true that you have also declined to comment on the Intel vulnerabilities, while making a point about AMD's. You have also made a point of attacking those that may prefer AMDs offerings with terms such as 'fanbois' and 'shills' without really offering any supporting evidence - while ignoring those that may be avid Intel enthusiasts!

If you consider that as putting 'words in your mouth' then I apologise for giving that impression.

[Corky34]

They say they have redacted the public version of the report - the un-redacted version being with AMD. So until AMD confirm it or not then you're not in much of a different position if they'd told they had exploits or not ... other than to feed your paranoia and/or manipulate the market.

Very true, however that still leaves us in the position of not knowing, that's why most people working in computer security follow responsible disclosure practices, it gives the effected company time to address the vulnerability and if they don't then it becomes public knowledge so the community can verify if the vulnerability actual exists and that the effected company isn't just BS'ing people by saying nothing wrong here.

EDIT: Sorry i just read aidanjt's reply that says pretty much the same thing, apologies treading on his/her toes.

[CAT-THE-FIFTH]

Very true, however that still leaves us in the position of not knowing, that's why most people working in computer security follow responsible disclosure practices, it gives the effected company time to address the vulnerability and if they don't then it becomes public knowledge so the community can verify if the vulnerability actual exists and that the effected company isn't just BS'ing people by saying nothing wrong here.

EDIT: Sorry i just read aidanjt's reply that says pretty much the same thing, apologies treading on his/her toes.

Well considering they made Bitcoin malware in the past under a different name,do you honestly think they believe in responsible practices??

CTS-Labs is "Catenoid Security" which was formally Flexagrid Systems Inc

A company that produced the Computer Hijacking "CrowdCores"

See for instance: "How to remove CrowdCores from your computer"

From their old website dated 17-01-2018:

This hijacker was used to run BitCoin mining software on the hijacked computers to make money at the expense of unsuspecting PC owners.

https://web.archive.org/web/20170130...s.com/FAQ.html

From the wayback machine because access to http://www.crowdcores.com/ is now blocked.

[The Hand]

Hardware Unboxed:



If CTS wanted to sound impartial and be taken seriously, why did they call alleged flaws Ryzenfall? It's like calling a flaw with Intel chips Smintel or Core i0!

[rainman]

I noticed you added that as an afterthought. You have defended Intel in some other threads on the forum.

The only comment I'd would have made about Intel vs AMD would have been on technical differences between the products and their capabilities ... just what has that got to do with this?

However it is true that you have also declined to comment on the Intel vulnerabilities, while making a point about AMD's.

I've never participated in any threads relating to Intel vulnerabilities, which isn't the same as "declining to comment". Also, I've not made any point about AMD vulnerabilities either ... simply because I (like everyone else except possibly some entity that may or may not have reported something valid to AMD), don't know anything about them other than some one-line descriptions - which is partly my point.

If you'd actually read my posts in this thread (because you clearly haven't) I'm not commenting on a brand or any aspect inherent to a particular companies products. My argument is completely platform agnostic and doesn't have anything to do with AMD or Intel per say. I am merely stating that the belief that an exploit needing admin rights to pwn hardware somehow makes it a non-issue is extremely misguided - and that's all I'm saying. So I'll say it again "don't put words in my mouth".

You would do well to put aside your bias based on any previous posts on a completely unrelated matter.

[Iota]

So, no CVE numbers for the alleged "flaws"?

Dubious company that doesn't follow responsible disclosure practices? Clear disclaimer they want to make money from shorting AMD stocks?

I'm not saying there are not any flaws, but considering that if someone has root access you're already wtfpwned, I can't say these are any flaws I'm overly concerned about when taking into account the above points. I'm sure AMD are able to fix these problems and not require completely new hardware fixes (unlike Intel *cough*).

*disclaimer, I use Intel hardware currently!*

[peterb]

The only comment I'd would have made about Intel vs AMD would have been on technical differences between the products and their capabilities ... just what has that got to do with this?



I've never participated in any threads relating to Intel vulnerabilities, which isn't the same as "declining to comment". Also, I've not made any point about AMD vulnerabilities either ... simply because I (like everyone else except possibly some entity that may or may not have reported something valid to AMD), don't know anything about them other than some one-line descriptions - which is partly my point.

If you'd actually read my posts in this thread (because you clearly haven't) I'm not commenting on a brand or any aspect inherent to a particular companies products. My argument is completely platform agnostic and doesn't have anything to do with AMD or Intel per say. I am merely stating that the belief that an exploit needing admin rights to pwn hardware somehow makes it a non-issue is extremely misguided - and that's all I'm saying. So I'll say it again "don't put words in my mouth".

You would do well to put aside your bias based on any previous posts on a completely unrelated matter.

And yet you attacked those who have posted opposing views to you as ‘fanbois’ and ‘shils’ so I am quite justified in drawing such inferences as I wish based on the tone and language of those posts.

And of course while you are free to choose the tech that works for you, so are other posters.

So you would do well to be moderate in your posting tone, in case others might draw the same conclusions.

[rainman]

And yet you attacked those who have posted opposing views to you as ‘fanbois’ and ‘shils’ so I am quite justified in drawing such inferences as I wish based on the tone and language of those posts.

However I've decided to colloquially address a particular subset of users on these forums, you are most definitely NOT justified in implying that I have made comments or consciously declined to comment on subjects and threads where I have most definitely not partaken at all, and I'd go as far as suggesting that in you doing so amounts to a libel, against myself. So perhaps you'd like to just review your accusations before this escalates somewhere to the benefit of neither of us?

And of course while you are free to choose the tech that works for you, so are other posters.

I've never posted anything to suggest that this is not the case.

So you would do well to be moderate in your posting tone, in case others might draw the same conclusions.

Are you moderating me or is this just your personal opinion? Maybe you want to do this in a PM? I don't see that I'm the one that needs to moderate anything but right now I'm wondering "who moderates the moderator"?