Regardless of the hype around the release, the bugs are real, accurately described in their technical report (which is not public afaik), and their exploit code works.
I initially responded to their request out of curiosity -- "Hey, do you want to see our new processor bugs before we release them?" "hell yes I do" -- but after their asks continued to grow, we billed them our week rate for the work.
I spent all morning talking to reporters, mostly to correct twitter hot takes. Yes, all the flaws require admin privs, but all are _flaws_, not expected functionality. https://twitter.com/cynicalsecurity/status/973595697902706688
You can find a measured take that includes my commentary on these vulnerabilities from @lorenzoFB @motherboard: https://motherboard.vice.com/en_us/article/kzpm5x/amd-secure-processor-ryzen-epyc-vulnerabilities-and-backdoors
Adding a FAQ based on the last 24 hours: - "Tell me more about how you were paid" https://twitter.com/dguido/status/973687926692466689
"In a situation like this, would it be common for your firm to discuss disclosure with the vendor?" Yes, and we did. I discussed pros/cons of various options with them and recommended that they report the vulnerabilities to a CERT.
"Were you made aware of the plans to go public?" No. https://twitter.com/dguido/status/973633990639878144
"How did CTS Labs find you? What is your relationship to them?" Mutual friend. No ongoing relationship. https://twitter.com/dguido/status/973675763319885825
"Do you have any financial position or interest in AMD or Intel stock?" No. https://twitter.com/dguido/status/973986464789868547
If you're looking for clear, technical information about the flaws then see the blog we just published: https://twitter.com/trailofbits/status/974345028498804737
This is my favorite take on the AMD Flaws. They are effectively a "jailbreak" for AMD CPUs. https://twitter.com/OSTIFofficial/status/974348788163928064
This is the truest comment anyone has made about my week so far: https://twitter.com/wildcardNP/status/973921044170989568
AMD published an initial technical assessment of the flaws from CTS and, by all indications, it agrees with our own. They even linked to our blog post! https://community.amd.com/community/amd-corporate/blog/2018/03/20/initial-amd-technical-assessment-of-cts-labs-research

Have you had any previous dealings with CTS Labs, or the people therein? Any reason why a company like this would reach out to you in this way, before disclosing to AMD? Not trying to pick, just trying to understand if this is standard practice.
They found us through a mutual friend. I had never spoken to them before, and I have no ongoing relationship with them. They sought us out because they were concerned about the validity of their findings.
Additionally, just because I've seen people thinking you are being paid, having billed CTS for the work: Did you start investigating the issues first, then discuss billing arrangements, or did a contract come first? (People love to think everyone works for free, sadly)
Yeah, I saw that, hence my question. Just getting a secondary confirm about the order of events to ensure no ambiguity.
It was driven by curiosity first and a favor. However, once we received the technical report and fielded their first set of questions, we realized it went beyond a favor. We anticipated 1 bug, not 13, so we asked to get paid.
Awesome, thanks again.