So this http://AMDflaws.com business... CTS Labs asked us to review their research last week, and sent us a full technical report with PoC exploit code for each set of bugs.
-
-
I initially responded to their request out of curiosity -- "Hey, do you want to see our new processor bugs before we release them?" "hell yes I do" -- but after their asks continued to grow billed them our week rate for the work.
Show this thread -
I spent all morning talking to reporters, mostly to correct twitter hot takes. Yes, all the flaws require admin privs but all are _flaws_ not expected functionality.https://twitter.com/cynicalsecurity/status/973595697902706688 …
Show this thread -
You can find a measured take that includes my commentary on these vulnerabilities from
@lorenzoFB@motherboard:https://motherboard.vice.com/en_us/article/kzpm5x/amd-secure-processor-ryzen-epyc-vulnerabilities-and-backdoors …Show this thread -
Adding a FAQ based on the last 24 hours: - "Tell me more about how you were paid"https://twitter.com/dguido/status/973687926692466689 …
Show this thread -
"In a situation like this, would it be common for your firm to discuss disclosure with the vendor?" Yes, and we did. I discussed pros/cons of various options with them and recommended that they report the vulnerabilities to a CERT.
Show this thread -
"Were you made aware of the plans to go public?" No.https://twitter.com/dguido/status/973633990639878144 …
Show this thread -
"How did CTS Labs find you? What is your relationship to them?" Mutual friend. No ongoing relationship.https://twitter.com/dguido/status/973675763319885825 …
Show this thread -
"Do you have any financial position or interest in AMD or Intel stock?" No.https://twitter.com/dguido/status/973986464789868547 …
Show this thread -
If you're looking for clear, technical information about the flaws then see the blog we just published:https://twitter.com/trailofbits/status/974345028498804737 …
Show this thread -
This is my favorite take on the AMD Flaws. They are effectively a "jailbreak" for AMD CPUs.https://twitter.com/OSTIFofficial/status/974348788163928064 …
Show this thread -
This is the truest comment anyone has made about my week so far: https://twitter.com/wildcardNP/status/973921044170989568 …
This Tweet is unavailable.Show this thread -
AMD published an initial technical assessment of the flaws from CTS and, by all indications, it agrees with our own. They even linked to our blog post! https://community.amd.com/community/amd-corporate/blog/2018/03/20/initial-amd-technical-assessment-of-cts-labs-research …
Show this thread
End of conversation
New conversation -
-
-
Most commentary I saw didn't doubt the existence of actual vulnerabilities, just criticized the almost parodically-hyped presentation and so-reported lack of vendor notification. TPM bugs are real, and interesting, just not (and quite far from) general-public interesting
-
It all plays very well with CTS Labs stated mission of reviewing hardware security. They did exactly that, and did it very well. I would do the publication a little differently, but for a commercial entity they played the news cycle just right.
-
I look forward to the SEC investigation
End of conversation
New conversation -
-
-
If an attacker can reflash the BIOS and install programs with Admin privileges, anything works and the company is already f-ed, Captain Obvious.
Thanks. Twitter will use this to make your timeline better. UndoUndo
-
-
-
Thanks. Twitter will use this to make your timeline better. UndoUndo
-
-
-
Bugs that require root access or flashing firmware to work... hahahaha... Good one. I'm not a "researcher" but a free tip for you... Once you got root access, you are God of that machine anyways - No matter which processor. lolllll xD
-
while generally true, some things like for example TPMs or smartcards are supposed to NEVER let the keys out even to root, just do stuff with the keys like decryption or signing or whatever upon authentication. you can input keys, do stuff with them but not get them out.
-
IF and just IF there is a vulnerability on a device supposed to work this way, it's well... not good to say the least.
End of conversation
New conversation -
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.