Half dev, Half doge. Some say DevDoge
Feel free to message me if you find any bugs or have any suggestions.
If you need me urgently, PM me
If something is/was broke it was probably me. ¯\_(ツ)_/¯
CAT-THE-FIFTH (14-03-2018),chinf (15-03-2018),peterb (14-03-2018),Pleiades (15-03-2018),Tabbykatze (14-03-2018),Zak33 (14-03-2018)
CTS-Labs response to all of this:
http://www.tomshardware.com/news/cts...pyc,36660.html
CTS Labs Speaks: Why It Blindsided AMD With Ryzenfall And Other Vulnerabilities
by Nathaniel Mott March 14, 2018 at 8:45 AM
Researchers often reveal new vulnerabilities with flashy websites, clever branding, and a concerted effort to make sure the problems are covered by media outlets (like this one). The newly announced flaws in AMD's Ryzen and EPYC processors are no exception to this rule--in fact, their revelation was even more focused on garnering attention from the public than many other disclosures. It was just missing one thing: time for AMD to respond.
90 Days Vs. 1 Day
We spoke with CTS Labs, the Israel-based company that says it discovered flaws in AMD's Ryzen and EPYC processors to ask why it conducted its disclosure in such a dramatically unorthodox--and many would say unfair--manner.
When researchers discover vulnerabilities in products, they typically give companies 90 days to respond before disclosing their findings to the public. Some flaws are deemed so dangerous that companies are given even longer to respond--Google afforded Intel and AMD some 200 days to fix Meltdown and Spectre before revealing them to the world at large, for example, and other disclosures have been coordinated between victim and researcher.
But CTS Labs offered AMD no such courtesy. It told AMD about the vulnerabilities just 24 hours before they were revealed to the public. That's clearly not long enough for AMD to address the issues, or even possibly for it to notice CTS Labs' message, considering how many bug reports the company receives on a daily basis.
CTS Labs told us that it bucked the industry-standard 90-day response time because, after it discussed the vulnerabilities with manufacturers and other security experts, it came to believe that AMD wouldn't be able to fix the problems for "many, many months, or even a year." Instead of waiting a full year to reveal these vulnerabilities, CTS Labs decided to inform the public of its discovery.
That isn't to say that CTS Labs revealed the problems without checking their veracity. The company told us that it consulted with other security experts and manufacturers about the issue, provided them with proofs of concept and tutorials for exploiting the vulnerabilities, and waited for their responses before preparing the flaws for public disclosure. Trail of Bits CEO Dan Guido confirmed that his company backed up the findings, for example.
To What End And For What Purpose?
Yet it's important to note that the circumstances surrounding the vulnerabilities' disclosure, and the fact that this is a new company, have raised questions about CTS Labs' intentions. It feels like a hit job on AMD, aimed at torpedoing its stock price. That may be unfair to CTS Labs, but optics and decorum are important to perception, and perception is reality for many.
Yaron Luk-Zilberman and Ido Li On, the company's CFO and CEO, respectively, told us they founded CTS Labs in January 2017 to investigate the security of hardware products. These vulnerabilities are their first major discovery.
The disclosure process itself also raised questions. Though we were told AMD, Trail of Bits, and others were given proofs of concept and instructions for how to exploit the vulnerabilities, that information was not released to the general public. Luk-Zilberman and Li On said that was because the flaws are "practical" and "fit well in the different scenarios and stages of a cyber attack." In other words, they don't want to enable those attacks by revealing too much. That, of course, creates a catch-22 of credibility, because with the details under wraps, most of us in the media (not to mention the curious public) can't examine and evaluate the findings and allegations for ourselves. And because CTS Labs is a new company with no track record to speak of, we can't simply give them the benefit of the doubt.
None of that stopped CTS Labs from putting together a dedicated website for the vulnerabilities, shooting videos explaining them, or briefing (a few) members of the media before discussing the flaws with AMD. In fact, Luk-Zilberman and Li On told us that they have yet to hear from AMD despite all the attention their disclosure has garnered from enthusiasts and journalists. (We asked AMD if this is true; we'll update if the company responds to that question.)
CTS Labs' CTO, Ilia Luk-Zilberman, has now posted a letter on the AMDflaws site that says much of what he told us. It's a somewhat curious screed in which he expounds on his distaste for the 90-day response window and his views on why it's not helpful. Partly, he said that he thinks alerting everyone at once (that is, consumers, media, and companies) puts public pressure on the companies to fix the vulnerabilities (it certainly does), and that by doing so without disclosing the actual technical details, no one is actually at risk. But that creates obvious problems, such as causing widespread FUD, and it invites backlash upon the security researchers, all of which he alluded to in the letter. The salient passage reads in part:
This model has a huge problem; how can you convince the public you are telling the truth without the technical details. And we have been paying that price of disbelief in the past 24h. The solution we came up with is a third party validation, like the one we did with Dan from trailofbits. In retrospect, we would have done this with 5 third party validators to remove any doubts. A lesson for next time.
Altogether, it seems that AMD customers may be justified in worrying about these vulnerabilities. If CTS Labs' description of them is accurate, they are remotely exploitable flaws that could allow attackers to install persistent malware in the deepest recesses of a system. That puts consumers at risk, and it could also undermine businesses' secure networks simply because they rely on Ryzen or EPYC processors.
But that brings us back to the curious fact that AMD had little time to respond to these allegations. Even if you take CTS Labs' stated reasoning for ignoring the industry standard 90-day windows at face value, it doesn't seem to make much sense. Because CTS Labs won't release more detailed information about the vulnerabilities to the public--a wise choice, technically, if they are indeed actually easy to exploit--we won't have concrete confirmation of their existence until AMD has had a chance to examine the problem. If CTS Labs did provide all the research it has to AMD, that shouldn't take long. We expect to learn more about the issue over the coming days--and to witness its potential aftermath over the coming weeks, months, and years.
/\ that.. with big non AMD and NON Intel biased bells on it.
Peterb is well within the right side of right. He volunteers to do this work, and to try to mediate between you lot. He gets no dough, no favours and no reward. But he's pretty bloody good at it.
CAT and I disagree a fair bit on stuff. And I think he's a tad biased on the odd occasion.... but we rub along and often he makes me laugh hard too.
I expect EVERYONE to rub along
thanks
Originally Posted by Advice Trinity by Knoxville
CAT-THE-FIFTH (14-03-2018),peterb (14-03-2018),satrow (14-03-2018),Tabbykatze (14-03-2018)
How you've decided to "colloquially" address other members is relevant. We have rules on insulting other members, and that kind of put-down crosses it. That decision, by the way, is the sole prerogative of the mod team, under our instructions from the site owner.
Our remit is to encourage POLITE discussion, and loaded terms just put people's backs up and encourage flame wars.
As for "escalating" this, good luck with that. But if such implied threats continue, I can assure you now that I will unilaterally escalate an immediate account suspension, in order to mitigate any further 'risk'.
And for what it matters, on the subject of the actual thread, my inclination is to your point of view, though both sides have some good points.
I don't care which side is right, but it WILL be discussed in a polite manner without name-calling, and that applies to all parties.
How hard can it be, everyone, to have a rational adult discussion, politely disagree without calling people shills, or accusing them of bias?
Mind you, judging by the House of Commons, maybe it's not that easy. Come on, surely we can do better than politicians?
My major concern with this, is generally when it comes to potential issues being highlighted, is companies are given a minimum period to look at it - the response by CTS-Labs to TH, is them in a reality distortion sphere. The whole aspect of why they informed the media first, apparently have links with investment firms and companies which might profit from this, paid other researchers to kind of do their dirty work for them essentially, etc is not really on. Even the whole point, they tried to bury the fact they made mining malware for a living, etc.
I might understand if AMD sat on this for six months and did eff all - but under 24 hours?? What does telling the press beforehand, actually help in terms of security unless you want to try and manipulate stock, or have some weird issue with a company??
It also makes anyone question why they only started looking at the security of AMD CPUs in 2017 (apparently they had earlier companies before that which didn't do that it appears) - so it would be intriguing why they chose AMD Ryzen, but not apparently Intel CPUs which there are 10X more of. Speculation on my part is whether someone had shopped around a nugget of info (it's not like any of these companies even AMD have not done that before).
This is the point some people need to understand - in scientific research you have to be 100% transparent - if not you will be ripped apart by the community and it has happened. This is to prevent research being published with potentially vested interests. The whole system is geared towards that to a degree and TBH it's still a fight (especially when politicians get involved). If not science would fall apart. Nobody cares if your methods look nice, if the starting point is less than stellar. If not this thread would invoke Godwin's Law pretty quickly!
If this is allowed to stand, even if you have a love for Intel/Nvidia, etc - what if this sets a precedent for other cowboys to start doing the same for them for loads of tech companies?? Instead of doing what security researchers are meant to do, which is find flaws, inform companies of said flaws, and only then talk about it, once the companies can at least have some time to act (or not act on it).
Like I said companies do pay people for doing this and do employ them too. These people seem more interested in causing a blind panic. That's not to say there isn't a potential set of issues, but funny how Intel got six months grace period for an issue that has existed for 20 years apparently.
At some point, what happens when one oversteps the mark, to outdo another cowboy competitor, and it leaks a big issue that no one has any time to try and do anything about?? Will we all be saying "cool" then??
Instead they just make clickbait names, articles and flashy websites, which seem more like easy consumption for the general public and non-technical investors, and the general echo chamber.
Last edited by CAT-THE-FIFTH; 14-03-2018 at 06:44 PM.
Apparently they have found a way around that - next time find 5 people to "verify" what they said (who no doubt they will pay to "verify" it) and then they can make a big song and dance about it, with some nice graphics and a marketing company which uses "social media influencers" and finding the "right reporters, bloggers, analysts and influencers who will understand your business". Screw consequences, as long as you have your 5 minutes of fame, it's all cushty, right?? So basically computer security for a social media generation. Rollo would be proud.
Maybe I need to tell my mates who are in science they have a better chance of getting grants if they hire a marketing company to "social media influence" their next paper!
Last edited by CAT-THE-FIFTH; 14-03-2018 at 05:56 PM.
The above post by ohmaheid has been deleted.
What part of POLITE discussion, without slinging accusations about, don't you get?
If I have to delete further posts, having already warned of this, twice now, the poster responsible will be getting a 7 day posting holiday to think about it.
I mean it, everybody.
On the face of it, had they ditched the "flashy website" (who else does this even?) and didn't actually have a vested interest in the stocks of AMD as per their disclaimer, as well as followed the responsible disclosure process which is effectively the industry normality, they may have had a different response from the community.
CTS labs offers no proof they have consulted with manufacturers, they certainly haven't "consulted" with other "security experts", simply paid them to follow a process to confirm or deny it works. There have been no CVE numbers relating to these vulnerabilities disclosed, such as Google Project Zero would provide (without the flashy website). Also CTS labs has decided that allowing the basic 90 day responsible disclosure has no merits according to them.
CTS Labs told us that it bucked the industry-standard 90-day response time because, after it discussed the vulnerabilities with manufacturers and other security experts, it came to believe that AMD wouldn't be able to fix the problems for "many, many months, or even a year." Instead of waiting a full year to reveal these vulnerabilities, CTS Labs decided to inform the public of its discovery.
They haven't been transparent, they certainly don't seem to be objective based in their approach and because of this I find myself less concerned about any potential vulnerabilities and much more concerned about the validity of their research, as well as the motivations behind that.
Certainly not a good start for a company, first impressions count.
This outfit's modus operandi seems far more like a malware writer rather than a security researcher.
That is, when a 'normal' exploit is found by malware 'researchers' they try and find a way to monetise it either by writing an exploit or selling it to some bigger criminal gangs etc.
Since these flaws appear to be in the security processor and in AMD's equiv. to the Intel Management Engine (which has plenty of flaws itself), they were unlikely to be readily monetizable, so what was a malware 'researcher' like CTS Labs to do?
Maybe get together with a company specialising in share short selling and then release their 'findings' in the most sensational way possible?
Or at least that is one possible explanation.
MLyons (14-03-2018)
Well they made CrowdCores which quietly gets onto people's computers to mine Bitcoins and then changed the name of the company, etc to hide the fact they did it. Their CFO worked for the unit who were according to the media behind things like Stuxnet (look on their own website as he boasts about having served with them).
Cryptocoin malware and Stuxnet. So not just straight malware 'researchers' but with possible links to state actors. Since Intel is such a huge part of the Israeli tech and wider economy this may all be even more sinister than mere stock market manipulation.
Not that I'm saying that Intel has anything to do with this, but due to the nature of Israeli nationalism and its close ties to their security state, someone may do this kind of thing by themselves; and if consequently they enrich themselves with a bit of stock market manipulation...
That might also explain how a 3 person upstart in the security business was able to find all these 'flaws' so quickly.
Pleiades (15-03-2018)
I was only reading the AT thread on it,but decided to look at their biography page properly:
http://cts-labs.com/management-team
Worth a read.
Last edited by CAT-THE-FIFTH; 14-03-2018 at 07:20 PM.
Oh dear - it appears I've missed the mud slinging. I'm not worried as on first thoughts these problems are no worse or better than other ones that have come up.
On the moderation note - I've not agreed with several people on here. Saracen and cat-the-right especially. But if I saw them in the pub I'd buy them a pint and have a nice strong debate about something, probably the beer! That's because although I don't necessarily agree with them I appreciate they can be right or wrong but debate fairly. Without too much name calling... which is damn right how it should be!
Old puter - still good enuff till I save some pennies!
CAT-THE-FIFTH (14-03-2018),DavidM (15-03-2018),peterb (15-03-2018),Saracen (15-03-2018)
GamersNexus did a real good video on this: https://youtu.be/ZZ7H1WTqaeo
Basically if the exploit is true it would pretty much require physical/local access to the computer, as Steve says in the video a bit like someone leaving their login details on a post-it note stuck to the monitor would be needed to take advantage of these exploits.
I just stumbled across this XKCD prediction of 2018 vulnerabilities and was reminded of this thread
https://xkcd.com/1957/
"An attacker can execute malicious code on their own machine and no-one can stop them"
afiretruck (16-03-2018),aidanjt (15-03-2018),CAT-THE-FIFTH (14-03-2018),chinf (15-03-2018),Kanoe (15-03-2018),Output (15-03-2018),peterb (15-03-2018),Pleiades (15-03-2018),satrow (15-03-2018),Xlucine (14-03-2018)