Regardless of the hype around the release, the bugs are real, accurately described in their technical report (which is not public afaik), and their exploit code works.
I initially responded to their request out of curiosity -- "Hey, do you want to see our new processor bugs before we release them?" "hell yes I do" -- but after their asks continued to grow, we billed them our weekly rate for the work.
I spent all morning talking to reporters, mostly to correct Twitter hot takes. Yes, all the flaws require admin privs, but all are _flaws_, not expected functionality. https://twitter.com/cynicalsecurity/status/973595697902706688
You can find a measured take that includes my commentary on these vulnerabilities from @lorenzoFB @motherboard: https://motherboard.vice.com/en_us/article/kzpm5x/amd-secure-processor-ryzen-epyc-vulnerabilities-and-backdoors
Adding a FAQ based on the last 24 hours: "Tell me more about how you were paid" https://twitter.com/dguido/status/973687926692466689
"In a situation like this, would it be common for your firm to discuss disclosure with the vendor?" Yes, and we did. I discussed pros/cons of various options with them and recommended that they report the vulnerabilities to a CERT.
"Were you made aware of the plans to go public?" No. https://twitter.com/dguido/status/973633990639878144
"How did CTS Labs find you? What is your relationship to them?" Mutual friend. No ongoing relationship. https://twitter.com/dguido/status/973675763319885825
"Do you have any financial position or interest in AMD or Intel stock?" No. https://twitter.com/dguido/status/973986464789868547
If you're looking for clear, technical information about the flaws, then see the blog we just published: https://twitter.com/trailofbits/status/974345028498804737
This is my favorite take on the AMD Flaws. They are effectively a "jailbreak" for AMD CPUs. https://twitter.com/OSTIFofficial/status/974348788163928064
This is the truest comment anyone has made about my week so far: https://twitter.com/wildcardNP/status/973921044170989568
AMD published an initial technical assessment of the flaws from CTS and, by all indications, it agrees with our own. They even linked to our blog post! https://community.amd.com/community/amd-corporate/blog/2018/03/20/initial-amd-technical-assessment-of-cts-labs-research

New conversation
Have you had any previous dealings with CTS Labs, or the people therein? Any reason why a company like this would reach out to you in this way, before disclosing to AMD? Not trying to pick, just trying to understand if this is standard practice.
They found us through a mutual friend. I had never spoken to them before, and I have no ongoing relationship with them. They sought us out because they were concerned about the validity of their findings.
Additionally, just because I've seen people thinking you are being paid, having billed CTS for the work: did you start investigating the issues first, then discuss billing arrangements, or did a contract come first? (People love to think everyone works for free, sadly.)
Yeah, I saw that, hence my question. Just getting a secondary confirm about the order of events to ensure no ambiguity.
It was driven by curiosity first and a favor. However, once we received the technical report and fielded their first set of questions, we realized it went beyond a favor. We anticipated 1 bug, not 13, so we asked to get paid.
Awesome, thanks again.