Re: Closed black box firmware
No, AMD doesn't look as bad as Intel, unless you're taken in by all the sparkles and glitter in the news release.
And since when is Intel cheaper? Not in my living memory has Intel been the cheaper option.
CTS-Labs, a security startup founded last year in Israel, sent everyone scrambling and headlines flying today – by claiming it has identified "multiple critical security vulnerabilities and manufacturer backdoors in AMD’s latest Epyc, Ryzen, Ryzen Pro, and Ryzen Mobile processors." Tuesday's glitzy advisory disclosed no …
The flaws do seem awfully similar to the Intel AMT flaws.
Once details are released to verify whether the existing workarounds for this either work or require additional fixes, then we can properly assess the impact.
One day notice, unverified claims and an analyst citing the company being worthless makes this awfully suspicious.
Actually, IIRC Intel AMT flaws are worse, because to exploit those you do not need:
1) root access
2) any local access at all
The only unusual quality of these new AMD attacks is that they can remain under the radar for a very long time, making "evil maid attack" particularly dangerous.
...an analyst who has already been implicated in market manipulation.
https://translate.google.com/translate?hl=en&sl=de&tl=en&u=https%3A%2F%2Fwww.handelsblatt.com%2Funternehmen%2Fit-medien%2Ffinanzmarkzaufsicht-bafin-nimmt-pro-sieben-kritiker-viceroy-ins-visier%2F21061952.html
You do realize that's local root access *at any point in the life of the machine*, right? So how do you know that the person you bought the machine from didn't install malware? How do you even get a copy of a "golden" ROM to restore a potentially infected mainboard / CPU?
There's a lot more to this than just "current local root"...
This is a ridiculous argument and leads right back to "trusting trust".
If you don't trust the manufacturer, the shipper, the prepper, or the administrator of the system, then OF COURSE you don't trust the system. That point should be obvious.
We have had a policy in the unit I was in previously (and now I have brought it to my current company) that "physical access is the final barrier". And that's it. TCM concepts and whatnot are simply never, ever workable. Even the classic "evil maid" attack isn't actually mitigated by UEFI or TCM because the firmware itself can be replaced with physical access (whether or not root on a running system). The softness of software makes it impossible to know anything about any mutual trustworthiness scheme where two soft modules verify one another.
Go write a package manager. Or a "secure" compiler suite. Have fun figuring out where a reasonable "bottom" lies as you start digging into issues about trusting trust.
This was CLEARLY a hit piece on AMD. I don't know if Intel funded it -- it seems highly plausible but unlikely because it could probably be easily traced back to them -- but whoever did certainly had an anti-AMD agenda and picked their moment to counteract the slew of recent Intel flaws.
What's the bet it's a wholly-owned subsidiary of Intel: letni corp USA?
Looking at it, it has to be part of the publicity department.
This report is designed to counter the drop in sales of Intel gear to the general public (I know several gamers that were going to get new Intel kit but have now got Ryzen instead, and I doubt they are the only ones).
I would tend to agree, the whole website is slickly put together with fancy logos, catchy brand damaging names for bugs 'Ryzenfall' etc. Talk of 'risk to life' and other sensationalist nonsense.
No doubt in my mind it's a thoroughly unsubtle Intel smear campaign, regardless of whether the bugs are all legit.
Funny how this sort of thing pops up when another company dares to challenge the mighty Intel and its bottom line.
The names are not 'Ryzenfall' etc. but RYZENFALL - to make it scarier. FALLOUT. CHIMERA. MASTERKEY. DEATHNOTE. EBOLACOLA. ANTANDEC. (I put some of those in as well as the original ones.)
"Rise and fall" also is (the second part) what they seem to have wanted to make happen to AMD's stock price. Which, we are told, has not.
If this was a long time planning, with or without real flaws (or some real and some fake), then maybe the wind was taken out of its sails by Spectre and Meltdown - someone else's discovery of serious security flaws in lots of AMD processors and, if I have this right, more of serious security flaws in Intel processors.
Although if Intel is behind RYZENSHINE as well, maybe Spectre etc is where they got the idea, and perhaps they wanted to equalise after arguably coming off worst that time. They knew about those problems a long time before we did.
It is an intentional smear campaign... if this issue has been KNOWN about for 6+ years, how is it that we just hear about it NOW, let alone only 24 hours ago, from a company that HIDES all their actual contact info etc.? They use GoDaddy FFS... smear campaign, period. Last I checked Intel was very much sided with their Israel team (who were the prime design team behind Core Solo and, since then, all the Core base designs, e.g. Core 2 Duo, Core 2 Quad, Core i series et al).
I have a feeling it is meant to be a "short" to drive the stock price down so that Intel can make a little side action purchasing, especially because the updated Ryzen 2000 series as well as the more substantial x4xx motherboard line is very soon to come out. Intel is likely scrambling the best way they can to avoid loss of revenue; if they smear them enough, then perhaps it will mean some countries/vendors will not bother going with AMD.
However, AMD deals with NASDAQ, which is New York based; if AMD pulls this other company into court for defamation/slander/libel they can be awarded triple damages (if they win)... and likely Intel will have gotten crafty to make sure they are "kept at a distance" because of the fact that Intel had to pay out billions to AMD (from my understanding they still have not paid this sum in full).
Intel will do whatever they possibly can to make sure their largest direct CPU competitor gets the lowest amount of potential market share possible (5-6% would be a drop in the bucket for Intel revenue but a massive gain for AMD funding). Ryzen very much caught Intel off guard; they have been forced to rush products out and had many teething issues that could have and should have easily been avoided.
Anyway, IMHO this sounds like a duck, it quacks like a duck, therefore it can only be.... FFS, a brand new security firm in Intel's "home" design land; this company formed, at least as far as the GoDaddy account goes, almost 2 months to the day BEFORE Ryzen launched. Seems to me they had AMPLE time to "let folks know" and they did not. I call pure BS on them outright.
In Intel's defence, this looks too much like shorting AMD for ANY listed company to get involved with.
If any links are found to Intel in this, expect a lot of rapid terminations to try and distance themselves from any SEC retaliation.
As for the security agencies, I suspect they would have preferred it wasn't publicly released. Maybe a former employee looking to cash in after finding themselves short of work?
I think you will find money trails are a lot harder to follow than working out how to diagnose the most obtuse security problems. Which is strange when, of modern business skills, accountancy is the one that should be most easy to make completely transparent and traceable.
Strange that.
Intel are a massive employer in Israel (10,000s), so it wouldn't be surprising if a few Intel workers had also worked in security and would like a bite at AMD following Intel's woes..
There's a lot of geo-political business related tension in Israel recently, the most valuable company in Israel (Teva Pharmaceutical) just had the patent rights expire on a blockbuster drug (~$4bn pa revenue, big news for a small ~ 8m population), so with Intel and Teva on the ropes, it's not surprising some of their workers would potentially consider pointing out flaws in the opposition.
Do not underestimate the power of finance share geezers shorting a stock to make £100m in a day either by posting 'market changing information' in public - it would not be the first time, that's usually the US or London traders though.
I saw a comment somewhere which proved the people from "CTS" were using a green screen for their promotional video. They easily found stock photos of the backgrounds used in the video.
https://i.imgur.com/OkWlIxA.jpg
Regardless, something is not right when you give a company 24 hours to fix a security hole. And the AMD flaws website (what was it again?) was registered in late February, so they at least knew for over 24 hours. And something is not right when the WHOIS records for your websites are registered using Domains by Proxy. Why would a serious company go to such trouble to conceal their identity? Everything about this feels wrong.
@Wade Burchette: "I saw a comment somewhere which proved the people from "CTS" were using a green screen"
*Yawn*
Meltdown... Spectre... and now this.
The only question I'm asking is have these chip 'flaws' surpassed Y2K yet as the biggest non event in computing history?
Gotta keep that good old 'security company' money-making gravy train rolling along... I'm sure MS love it too, as it enables them to maintain control of people's computers with the never-ending updates.
Perhaps we might have a more peaceful, 'security flaw' free computing experience if these security companies went out of business.
Not sure what the downvotes are all about for my last post?
I thought it would be obvious by now that we are all being played for suckers with these never ending security issues. I know of a group of people (using Windows 7) who have not updated for nearly a year now and they have had ZERO security issues with their computers. And, yes... they do use them online (unlike myself, who has taken the wise step of keeping Windows 7 offline for good now and using Linux Mint for everything I do online).
I'm convinced that the world would never hear about things like Meltdown, Spectre, etc. if these so-called security companies kept their mouths shut instead of the constant "Ooohh... look what I've found" boasting that we see constantly these days. Reminds me of a juvenile dick-measuring contest. Of course, their big fat pay cheques no doubt have a lot to do with it as well.
I'll bet the average hacker wannabe/script kiddie would never discover the majority of these so called security vulnerabilities in a million years.
I thought it would be obvious by now that we are all being played for suckers with these never ending security issues. I know of a group of people (using Windows 7) who have not updated for nearly a year now and they have had ZERO security issues with their computers.
They think they've had ZERO security issues. FTFY. The point of some of these exploits is that it is near impossible to tell. More so for people who haven't updated in 12 months and have saloon doors for security.
> I know of a group of people (using Windows 7) who have not updated for nearly a year now and they have had ZERO security issues with their computers.
>...I'm convinced that the world would never hear about things like Meltdown, Spectre, etc. if these so called security companies kept their mouths shut instead the constant "Ooohh... look what I've found"
I know a group of people who have never been killed in a car crash, therefore car safety is overrated.
I know a group of people who drive without seatbelts, and none of them have died in a car accident, seatbelts are overrated.
I know a group of people who haven't vaccinated their kids, vaccines are overrated.
I know a group of people who haven't died from cancer, cancer is overrated.
I can continue drawing false equivalencies like you have if you like.
@Carl D - Y2K was a big issue, and the problems were real. The software we used at the time would have broken if unpatched, I tested it and the scheduling went haywire.
It's probably fair to say a reasonable amount of the defects were display issues, but then again, if you're writing 19100 out to a file and it's being used elsewhere...
Sure but the warnings that your washing machine will self-combust because it thinks that Queen Victoria is back on the Throne were probably a bit overdone.
"As we emerge from the bunker and see not a world in flames, but merely several websites displaying the date as 19100 and a frantically back-pedalling Ed Yourdon, we have come to regret our decision to trade NTK's webserver for eight sacks of lentils."
http://www.ntk.net/2000/01/07/
That's unavoidable due to humans and business. Someone is always going to try and make a quick buck, so yes, the average user buying a patch to stop their software displaying 19100 is probably wasting their time.
No-one sells papers by saying 'IT industry are responsible, there will be no problem' when they can sell papers twice by first claiming it will be a disaster, and afterwards that it was hot air.
The message had to be broadcast, as everyone uses computers these days. A side effect to any large event is always someone trying to exploit it.
"Not sure what the downvotes are all about for my last post?"
Like many here I was deeply involved in fixing Y2K issues, and the problem was very real - most of them embarrassingly so.
We expect ill-informed comments like that from the tabloids, not El Reg readers.
What if Y2K when it happened had caused loads of real problems? The tabloids would have moaned that with all their warnings, and "all the money thrown on it [by poor tax payers already propping up immigrants and doleys]", we still couldn't sort it out.
P.S. Incorrect use of question marks bugs me. Are you not sure, or unsure whether you're not sure?
</grumpyoldgit>
> Like many here I was deeply involved in fixing Y2K issues
Whereas, like many others here, I was involved in wasting my time confirming that none of our software or IT equipment would be affected by the Y2K issues. (And just to make the point, I'll point out that it was repeatedly hyped as a "millennium bug", when it was merely a "century bug".)
"I know of a group of people (using Windows 7) who have not updated for nearly a year now and they have had ZERO security issues with their computers."
How do they know?
Hey look, I've a house full of IoT stuff I bought off eBay for a fiver and I've never had security issues!
Are they actually worth worrying about? Do they have corporate secrets on there? Are they Domain administrators on a 100,000 strong network? Are they running websites?
Or is it just Dave, Mildred and uncle Arthur playing solitaire?
The only question I'm asking is have these chip 'flaws' surpassed Y2K yet as the biggest non event in computing history?
As one of a large number of people who worked pretty hard to make sure that everything worked reasonably well come 01/01/2000, I think that I can guess why you might have a few downvotes on this post.
> Why not just make the firmware read-only with a hardware switch?
Many dumb users would find that too complicated.
For many years the only way to flash BIOS was to boot from a floppy disk with a minimal OS (e.g. just DOS or QDOS or similar) and flash that way. But in the name of convenience many manufacturers have made it possible to flash from a multi-user, network-connected operating system using auto-updates.
For many years the only way to flash BIOS was to boot from a floppy disk with a minimal OS
Sure, and at some point they stopped making floppy drives, which kinda forced everyone to use more convenient ways. Not to mention that very few laptops today could even fit a 3.5" drive inside even if we wanted to.
And hey, it is not as if nobody were ever infected by leaving a diskette in the drive before restarting.
In all fairness, compared to the 80s and 90s, I think we are better off now security wise.
Not to mention that very few laptops today could even fit a 3.5" drive inside even if we wanted to.
Most laptops today could fit an SD card slot in, but it's often hard to find one.
I've a mobo with several different methods of updating the BIOS (including a dedicated USB socket); all seem over-complex and flawed.
Ended up going back to the old method, if with a cut-down OS on a USB stick rather than an 8", 4.25" or 3.5" 'floppy'.
Sigh.
OK, you have just firmly put yourself into the "dumb users" category. Therefore let me spell it out a bit more clearly for you, rather than the generic shorthand "boot from floppy", which I believe most people would understand to mean "boot from external media, no matter what form that external media takes".
For many years, the only way to flash BIOS was to boot into a single-user, non-multitasking OS that had minimal drivers loaded (no networking, no SCSI, no tape drives, no heavy-weight GPU drivers, and so on) and explicitly invoke the 'flash' command (unless the boot media was specifically crafted for flashing BIOS, in which case it might automatically invoke the flash command). This method was originally done via floppy disks (5 1/4" when I started; older people will remember 8" or even audio-tape-based drives). It could also be accomplished by other externally booted media, e.g. eSATA, USB, Zip drive, FireWire, serial, or whatever method your specific hardware supported. Alternatively, you could have a boot-loader that offered the choice of booting into such an O/S that (might have) had its own tiny dedicated partition.
Or even, if using a UNIXy system where the OS itself supported many different boot modes, you could explicitly boot into single-user mode. Or, if it is/was actually a UNIX workstation of some manufacture, you would probably do it from the boot PROM or similar environment (for those of you without a history of actual workstations: they had a UEFI-like system for decades, but it wasn't graphical, it was command-line based, so you could boot up into the 'UEFI' (on a SUN workstation STOP-A would dump you into it) and perform some hardware-based tasks like this).
Or even in more modern Windows, at least booting into 'safe' mode (without networking) would give you a semblance of doing something similar.
The key takeaway, which I suspect most people (other than you) would have gotten, was:
For the convenience of the average user, manufacturers have sacrificed security and reliability. It is a bad idea to be able to flash a system's firmware from a connected, online, multi-user operating environment where someone sitting on the other side of the world could be flashing a compromised firmware onto a system unknown to the user, who might actually be using the system at that time and not know this is going on.
What you are describing is security by obscurity.
I really don't care. If you manage to get to root level on my box, then it is game over for me.
Besides: Ahem... If you manage to get to root... AFAIK you have kernel access. Which means you are free to install whatever device driver you like. Which in turn... Tadaa... you can flash whatever you can flash from a DOS boot device, be it your old trusty floppy or SD card.
If you find yourself frequently updating the firmware for obscure security chips, might not that be an indication that either 1) The code for those chips is not very high quality, and/or 2) The chips are doing way too many things and therefore have an overly large attack surface, and/or 3) The whole notion that computers are securable is nonsense and that we better start rethinking what we use them for and what we choose to do and not do digitally?
The idea of an off/open by default switches or jumpers for "firmware" updates seems to me to make a lot of sense.
@ Walter Bishop:
I have -- lessee -- 86 nodes in a Hadoop cluster.
Exadata (Dev/qa) -> Full rack, 6 DB nodes and 11 Storage nodes
Exa (Prod) two racks, 4/6 each
32 Sas systems in a cluster,
Wanna come update *all* my firmware one Saturday night with switches?
(And we aren't even looking at DRP yet, nor the 4,000 odd other systems in our various data centers..... And Cloudfront would shoot you)
On a broader front it does give food for thought on how our processors are designed, trusted, and generally run. This issue is only likely to intensify with the increase in services a cpu is designed to supply.
From my own perspective I'm old fashioned: I like a RISC architecture CPU that just processes instructions (no microcode involved), that way I can trust it to do what it's told.
As a broad generalisation, good security must be put in from the start; attempting to retrofit security almost always fails.
The "WinTel" platform started from a stand alone, single process, single privileged user platform to one that is now networked, has had multiple users and multiple concurrent applications added with security tacked on top almost as an afterthought. I don't really consider these failures malicious, more a symptom of how the platforms (processors, chipsets and operating systems) evolved and what they evolved from.
- Intel's MELTDOWN and SPECTRE issues were disclosed in late January 2018.
- amdflaws.com registered 22nd of Feb 2018
- AMD informed of the issues 12th of March 2018
- actual disclosure / news release 13th of March 2018
Three things:
- This looks like an Intel-sponsored hit on AMD to 'level the playing field'
- The web domain was registered well in advance of any warning being given to AMD - because we're a security company, so fuck security we've got marketing to do: flashy website and high-production-value YouTube videos here we come!
- Just like hacking evolved from a hobby into serious criminal enterprise, security disclosure has turned from noble and responsible act (with some self-advertising for employment purposes) to blatant stock market manipulation.
Other things:
- The amdflaws.com domain was registered with a 2-year expiry (22/02/2018 - 22/02/2020)
- The cts-labs.com domain was registered with a 1-year expiry (25/06/2017 - 25/06/2018)
- Both were registered with GoDaddy
- Linus Torvalds gets more respectable the more outbursts I read about
https://doublepulsar.com/on-amd-flaws-from-cts-labs-f167ea00e4e8
"You may have seen media reports about flaws in AMD chipsets. AMD are currently reviewing the report, as they were given less than a day notice of vulnerabilities that CTS Labs claim put lives at risk (via their website, AMDflaws.com). This is a highly unusual and reckless disclosure of security flaws."
and...
"I would encourage security researchers not to disclose vulnerabilities like this. If you have vulnerabilities that you truly think are serious and truly want to provide information so people can protect themselves, work to get them resolved and work with the cyber security community around mitigations.
The only real public exploit here at the moment is a press exploit. This situation should not be happening."
Yep, absolutely correct.
"The advisory claims the backdoors were introduced, accidentally or otherwise, by Taiwanese chip manufacturer ASMedia, owned by ASUSTeK, which used its own insecure integrated circuits in AMD's Promontory chip, found in AMD's Ryzen and Ryzen Pro lines."
Well, I guess THIS is why I was able to purchase a used ASUS motherboard for under $20.00 on eBay.
The computer went to a 9 year old child so if any keyloggers are in place some miscreant is getting the passwords to RoBlox.
If this is primarily a securities ploy to weaken AMD then this may backfire massively.
This sound like a processor where the user gets full control of their hardware back. If you don't want to use the increasingly irrelevant windows 10 and are annoyed at lock down of the hardware you own, this sounds like maybe the last chance to get a CPU where you will have full control of the hardware you own.
I was looking for an upgrade path to my aging hardware and now I want one of these CPUs because of these 'vulnerabilities'.
At the moment these parts of your hardware, PSP etc., are black boxes which are not accessible to the end user. If these 'exploits' allow a root user to view, check and record the contents, at least there is a level of certainty for the administrator that the hardware has not been compromised. Any changes in these black boxes could be logged, diffs made, and if unhappy potentially rolled back to a state that the end user is happy with.
Security belongs to the owner of the hardware not the manufacturer.
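The logging-and-diffing idea in the post above, as an added example that is not code from the post, from AMD or from CTS-Labs: record a known-good hash of a firmware dump as a baseline, then compare later dumps region by region and report which offsets changed. The sample images are constructed bytes, not real PSP or BIOS contents, and the 4 KiB reporting granularity is an assumption; how the dump itself is obtained is outside the example.

```python
"""Firmware image baselining and diffing (added example).

Record a baseline (whole-image and per-region SHA-256) of a dump believed to be
good, then compare a fresh dump against it and report the byte offsets of the
regions that differ.  The images below are constructed, not real firmware, and
the region size is an assumed granularity for reporting.
"""
import hashlib
from typing import Dict, List

REGION_SIZE = 4096  # assumed reporting granularity (4 KiB)


def region_hashes(image: bytes, region_size: int = REGION_SIZE) -> List[str]:
    """SHA-256 hex digest of each fixed-size region of the image, in order."""
    return [
        hashlib.sha256(image[off:off + region_size]).hexdigest()
        for off in range(0, len(image), region_size)
    ]


def make_baseline(image: bytes, region_size: int = REGION_SIZE) -> Dict[str, object]:
    """Record what later dumps will be compared against."""
    return {
        "size": len(image),
        "sha256": hashlib.sha256(image).hexdigest(),
        "region_size": region_size,
        "regions": region_hashes(image, region_size),
    }


def diff_against_baseline(image: bytes, baseline: Dict[str, object]) -> Dict[str, object]:
    """Compare a fresh dump with the baseline.

    Returns 'clean' (whole-image hash matches), 'size_changed', and
    'changed_offsets' (start offset of every region whose hash differs,
    including regions present in only one of the two images)."""
    region_size = baseline["region_size"]
    current = region_hashes(image, region_size)
    recorded = baseline["regions"]
    changed = [
        i * region_size
        for i in range(max(len(current), len(recorded)))
        if i >= len(current) or i >= len(recorded) or current[i] != recorded[i]
    ]
    return {
        "clean": hashlib.sha256(image).hexdigest() == baseline["sha256"],
        "size_changed": len(image) != baseline["size"],
        "changed_offsets": changed,
    }


def constructed_images():
    """Build a 'known good' 32 KiB dump and a copy with 16 bytes altered
    inside the third region (constructed data, not real firmware)."""
    good = bytes((i * 7 + 3) & 0xFF for i in range(8 * REGION_SIZE))
    tampered = bytearray(good)
    start = 2 * REGION_SIZE + 100
    tampered[start:start + 16] = b"\xff" * 16
    return good, bytes(tampered)


if __name__ == "__main__":
    good, tampered = constructed_images()
    base = make_baseline(good)
    print(diff_against_baseline(good, base))      # clean, no changed regions
    print(diff_against_baseline(tampered, base))  # one changed region at offset 8192
```

Per-region hashes are kept alongside the whole-image hash so that a change can be localised for investigation rather than only detected; a size mismatch is reported separately because a truncated or padded dump would otherwise show up only as a trailing run of changed regions.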
Especially as AMD deals with NASDAQ, which is in New York, and in New York if you are "fined" for damages, the "win" is triple damages... I can see Intel doing this, because they would just keep paying the fines and not bother paying the full amount for years and years (just like they did with the, what was it, 2.5 billion they had to pay AMD; they still have not to my knowledge... they just keep reinvesting, keep "taking a loss" and keep tying the court up so essentially never have to pay it).
10 years or more screwing AMD by forcing vendors to NOT use AMD and use them with "sweetheart deals"; likely the amount Intel "has to pay" is a very small drop in the mentioned bucket compared to the loss in revenue AMD suffered because of this between then and now (they still do this crap, but have gotten crafty at it, and do it in countries that do not have any laws against them acting this way).
OK, looking at Nasdaq there was notable trading reported on Tuesday.
"Especially high volume was seen for the $11.50 strike put option expiring March 16, 2018, with 38,495 contracts trading so far today, representing approximately 3.8 million underlying shares of AMD. Below is a chart showing AMD's trailing twelve month trading history, with the $11.50 strike highlighted in orange:"
So if share price remains above $11.50 for two days then these dumpers have lost their premium. I suspect the markets have already taken note and no doubt will keep these options worthless.
On put options: the current price is $11.35 , so put option at $11.50 is "in the money". However, the price has been climbing up, from the lowest point today $11.28, so those who bought these options when the shares were cheap will not make profit, unless the price falls again. It might, or it might not - if it does then it would be not on the "strength" of the security "discovery" discussed here.
So if you can get physical access, you can reflash the firmware.
Yes, of course you can. You can do that on practically any hardware that has programmable non-volatile memory.
Assuming everything they claim is true, the TPM flaw is the only one of consequence - being able to extract the key by any means is very bad, reflashing firmware should wipe the keys.
As for the rest - exactly how does one update a BIOS/UEFI/chipset/GPU-BIOS/insert-device-here without the ability to install said firmware?
All Intel chips and chipsets have near-identical "flaws". The only true mitigation is ROM - and good luck updating that when there is a real problem.
Yes, please, bring back those UV-eraseable EPROM chips. With 25V programming voltage.
Not only do they look cool, quartz windows and all that, but using those will probably teach them script kiddies a bit of real work.
/my coat has a box of 2708's in its pocketses, thank you/
"reflashing firmware should wipe the keys."
Wouldn't doing that render, at the very least, loss of access to DRMed files (assuming the BSAss, MPAssA and RIAssA mandate that the OS stores decryption keys for the DRMed media you bought off Google Play/iTunes/Windows Store on the TPM if one is available) and at worst, loss of the content of the entire hard drive (assuming the user encrypted the entire drive and the key is stored on the TPM)?
I think leaving the TPM untouched is more for the convenience of the user. Who has the time to go through reformatting an entire PC and deal with data loss just because the firmware was updated?
Although, imo, the world would be a better place without TPM. The only thing TPM does is it gives big corporations even more control over your own PC and what you have installed.
re
The biz apparently gave AMD only one day of advance notice it was going public, an amount of time that precludes addressing the flaws prior to publication and deviates from security industry norms of responsible disclosure.
Curious, how much advance warning did the register give Intel?
Plus Intel had known about the flaw for six months by the time the Register reported on it. If you can point to an incident where the Register independently discovered a CPU flaw and gave 24 hours notice before publishing an article, please feel free to educate us. Idiot.
I wouldn't believe any of the claims until we hear from AMD that a claimed security issue actually exists. We saw in prior reports that AMD's CPU architecture did not suffer from the security violations baked into Intel branded chippies. It would not surprise me one bit to have Intel spend millions to get some unknown entity to make claims that are untrue to confuse consumers and make it appear that all CPUs suffer from the security issues Intel intentionally created in all of their CPUs by violating command execution protocol.
Seems more likely that it's a bunch of 20-somethings who started a company last year, stumbled across something clever and have spent the last three weeks (since 22nd February) putting together a self-promotion campaign to get the most press coverage possible without considering things such as responsible disclosure.
The TPM issue (if as described) does seem concerning. I'm sure I can't be alone in using the combination of TPM plus Bitlocker to keeps the data on PCs secure with minimum inconvenience to the user. I guess AMD-based machines are going to need a BIOS boot password now.
https://amdflaws.com/disclaimer.html
"The report and all statements contained herein are opinions of CTS and are not statements of fact. To the best of our ability and belief, all information contained herein is accurate and reliable, and has been obtained from public sources we believe to be accurate and reliable. Our opinions are held in good faith, and we have based them upon publicly available facts and evidence collected and analyzed, which we set out in our research report to support our opinions. We conducted research and analysis based on public information in a manner that any person could have done if they had been interested in doing so. You can publicly access any piece of evidence cited in this report or that we relied on to write this report. Although we have a good faith belief in our analysis and believe it to be objective and unbiased, you are advised that we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports. Any other organizations named in this website have not confirmed the accuracy or determined the adequacy of its contents. "
Yeah, doesn't sound shady at all...
it's not just the fancy names. Example: "Exploiting MASTERKEY requires an attacker to be able to re-flash the BIOS ...". Hello? If an attacker is in a position to flash the BIOS on any machine whatsoever, that's well and truly game over.
Security ALERT: An attacker can compromise AMD-based computer if in the position to take a pee on the mainboard. We need a name for that: PIDDLE-NADO-APOCALYPSE. Yeah, that's fitting.
Sorry, not beer ------>
They should absolutely be taken seriously and, if possible, fixes released.
However, giving AMD only 24 hours notice is just irresponsible.
Yes, try to find them, yes report them to AMD but for the love of computers give them a chance to at least investigate it. 24 hours is no time at all, at best you could check a few chipsets in a day, but no way would you have time to fix them all in 24 hours.
Bear in mind, fixes would have to be tested also prior to release (to check for brickage, we're talking cpus and chipsets here, a bad update is a bricked machine).
In my opinion the security team handled this poorly, even Google Security Team gives you a week!
That's because it's either:-
1) a deliberate attempt to manipulate the AMD share price to make a profit via shorting AMD's shares
or;
2) a hit piece from a certain well known company which has recently been discovered to have both a shockingly wide variety of severely dangerous remotely exploitable security flaws in its products and a well known historical track record for having a predilection towards illegal dirty tricks being ultimately responsible, and using a share price scheme as semi plausible cover for trying to prevent the competition from exploiting their shortcomings.
This whole thing stinks to the heavens and I'm not talking about AMD's security. A company I've never heard of, a report that was published without responsible disclosure, no POC code, no CVE numbers, the vendor given 24h notice yet a random security researcher (who I've also never heard of) was supposedly given a week with the report and POC code... Meanwhile some investment company is citing it and calling for people to sell AMD stock? My local fishmonger smells less fishy.
That there are flaws in the processor is not that surprising - it's a new design, and this stuff is hard if not impossible to reason about.
The interesting question is whether AMD are able to patch these systems to resolve the flaws.
Another explanation for the lack of disclosure delay would be that CTS-Labs are well aware that these problems are easy to fix, and hence they would have a non-story if they delayed publication.
When people find that your products suffer from meltdown, do you:
1) focus on fixing the problem, or
2) put large spectacles, wig and fake moustaches, point at a rodent passing nearby competitor's factory, and shout "oh look, squirrel!"
Credit to Torvalds for naming these guys for what they are.
Viceroy Research? The one who shorted Capitec Bank in South Africa and then claimed Capitec's financial statements were false and they were a loan shark heading for insolvency? And then when the Reserve Bank and the national Treasury said they had no concerns about Capitec, doubled down and said they'd both accepted the supposedly false accounts at face value, and would discover Viceroy was right and put Capitec into receivership if only they did a proper audit? That Viceroy Research?
Also worthy of note:
The company Viceroy Research has just recently been implicated in attempted stock market manipulation by the German stock market / banking authority BAFIN (similar to the US SEC).
https://translate.google.com/translate?hl=en&sl=de&tl=en&u=https%3A%2F%2Fwww.handelsblatt.com%2Funternehmen%2Fit-medien%2Ffinanzmarkzaufsicht-bafin-nimmt-pro-sieben-kritiker-viceroy-ins-visier%2F21061952.html
This is very dodgy.
AMD: "Secure Processor, it locks you down not out (like all the others) - Well not true you are all locked out."
Pththththththththt !
If you want a Secure Processor, BIOS or Hard Drive, allow the user to check-sum the device (even old md5 & sha1 together) and save it in a non-battery-backed manner on a chip (aka in 80's music electronics).
Otherwise just means to lock out users.
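The user-held checksum the commenter asks for, worked through as an added example; this is not the commenter's code nor any vendor's tool. The "firmware image" here is a constructed byte string standing in for a BIOS/SPI-flash dump, the baseline is recorded with several hash algorithms at once (as the comment suggests, so a collision against one of them is not enough), and the comparison is done in constant time. Where the baseline is stored is left to the reader; the point the comment makes is that it must live somewhere the running OS cannot rewrite.

```python
"""Record and verify a multi-algorithm hash baseline for a firmware image.

Added illustration, not code from the thread. The image bytes and the
JSON baseline layout are constructed for the example; a real check would
read a dump of the flash part and keep the baseline off the host.
"""
import hashlib
import hmac
import json
from typing import Dict, Iterable, List, Tuple

# Algorithms recorded together: an attacker would have to match all of them.
ALGORITHMS: Tuple[str, ...] = ("sha256", "sha1", "md5")

# Constructed stand-in for a firmware dump (1043 bytes of deterministic data).
GOLDEN_IMAGE: bytes = b"FIRMWARE-SAMPLE-v1 " + bytes(range(256)) * 4
# The same image with one byte altered, the way a modified flash would look.
TAMPERED_IMAGE: bytes = GOLDEN_IMAGE[:300] + b"\x00" + GOLDEN_IMAGE[301:]


def measure(image: bytes, algorithms: Iterable[str] = ALGORITHMS,
            chunk: int = 65536) -> Dict[str, str]:
    """Hash the image with every algorithm, feeding it in chunks as a
    file reader would for a multi-megabyte dump."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for offset in range(0, len(image), chunk):
        block = image[offset:offset + chunk]
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def baseline_to_json(baseline: Dict[str, str]) -> str:
    """Serialise the baseline; sorted keys make the record reproducible."""
    return json.dumps(baseline, sort_keys=True)


def baseline_from_json(text: str) -> Dict[str, str]:
    """Load a baseline written by baseline_to_json()."""
    return json.loads(text)


def verify(image: bytes, baseline: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Re-measure the image and compare against the stored baseline.

    Returns (ok, names of algorithms whose digest did not match)."""
    current = measure(image, baseline.keys())
    mismatched = [
        name for name, expected in baseline.items()
        # compare_digest avoids leaking which prefix matched via timing
        if not hmac.compare_digest(current[name], expected)
    ]
    return (not mismatched, mismatched)


if __name__ == "__main__":
    stored = baseline_from_json(baseline_to_json(measure(GOLDEN_IMAGE)))
    print("golden image:  ", verify(GOLDEN_IMAGE, stored))
    print("tampered image:", verify(TAMPERED_IMAGE, stored))
```

Run it and the golden image verifies cleanly while the single-byte change trips every algorithm in the baseline. A flash dump read from a real part would be passed to `measure()` in place of the constructed bytes.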
I tend to agree with those who point out that "flaws" which can only be exploited if the machine is already compromised at root level are much less significant than those which can burrow in under the radar and obtain that kind of access.
It's a bit like worrying about mission protocols when the captain of the aircraft carrier is already a foreign agent: you lost the game long before having to worry about how many planes to keep on CAP. Your job is to employ good, loyal captains. Your job is also to worry about important threats, like (say) a new sea-skimming missile that your radar can't detect, which makes the question of mission protocols important if the captain hasn't been compromised.
And yes, this whole thing stinks like a week-old haddock, and per my title, I suggest it is clumsily obvious, to the point of witlessness. I won't trouble to detail the points made so well by others, regarding timing, attempted anonymity, suspicious abruptness with which this latest crew apparated: it all simply stinks of an unsubtle, heavy-cack-handed and slimy attempt to smear AMD.
As to who is really behind it, well, the same folks who are always responsible when corporations do dishonest, dishonourable things which strangely benefit it to the tune of billions: "A small group of junior employees gone rogue who acted beyond their authority and completely without the knowledge of senior management."
They do get around, those guys.
One flaw in your argument: the claimed AMD flaws are such that if you metaphorically detect that the aircraft carrier captain is a foreign agent and you replace him with a good one, the bad captain may have still ineradicably compromised the aircraft carrier itself. That's to say: the bad operating system has infected the Secure Processor and/or the motherboard firmware. It looks like a real risk.
That is a shame!!! Not AMD, because bugs are bugs and there is a process to fix. For the company expense. What CTS-Labs did was "good piracy" and my suggestion is to do what normal people do with ANY pirate - hang them! They are not about security, they are about money and getting it in the most dirty way. In InfoSec world of terms. I would suggest NOT to deal with the company, otherwise one day your own hands will get dirty as well. Or they trade you for yet another money.
But, they are not only greedy but also stupid! They expected AMD stocks to react to their "news". Well, the case of Meltdown etc. shows that the reaction is minimal if at all. Investors use different criteria and judge by different information.
Frankly, I've been in InfoSec since 2003 and do not remember such misconduct of vulnerability announcement. Maybe they need PR themselves? But that is not about Information Security. That works in Hollywood.
From CTS
"The report and all statements contained herein are opinions of CTS and are not statements of fact."
And this......
"Although we have a good faith belief in our analysis and believe it to be objective and unbiased, you are advised that we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports."
Excerpted from below...
"Legal Disclaimer
CTS is a research organization. This website is intended for general information and educational purposes. This website does not offer the reader any recommendations or professional advice. The opinions expressed in this report are not investment advice nor should they be construed as investment advice or any recommendation of any kind.
It summarizes security vulnerabilities, but purposefully does not provide a complete description of such vulnerabilities to protect users, such that a person with malicious intent could not actually exploit the vulnerabilities and try to cause harm to any user of the products described herein. Do not attempt to exploit or otherwise take advantage of the security vulnerabilities described in the website.
The report and all statements contained herein are opinions of CTS and are not statements of fact. To the best of our ability and belief, all information contained herein is accurate and reliable, and has been obtained from public sources we believe to be accurate and reliable. Our opinions are held in good faith, and we have based them upon publicly available facts and evidence collected and analyzed, which we set out in our research report to support our opinions. We conducted research and analysis based on public information in a manner that any person could have done if they had been interested in doing so. You can publicly access any piece of evidence cited in this report or that we relied on to write this report. Although we have a good faith belief in our analysis and believe it to be objective and unbiased, you are advised that we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports. Any other organizations named in this website have not confirmed the accuracy or determined the adequacy of its contents.
You may republish this website in whole or in part as long as CTS is clearly and visibly credited and appropriately cited, and as long as you do not edit content.
Although we strive for accuracy and completeness to support our opinions, and we have a good-faith belief in everything we write, all such information is presented "as is," without warranty of any kind – whether express or implied – and CTS does not accept responsibility for errors or omissions. CTS reserves the right to change the contents of this website and the restrictions on its use, with or without notice, and CTS reserves the right to refrain from updating this website even as it becomes outdated or inaccurate."
https://amdflaws.com/discla...
CTS is telling the world it is ALL bullshyte and they have a financial stake in AMD.
Yet the on-line media is writing about nothing else.