So this http://AMDflaws.com business... CTS Labs asked us to review their research last week, and sent us a full technical report with PoC exploit code for each set of bugs.
I spent all morning talking to reporters, mostly to correct Twitter hot takes. Yes, all the flaws require admin privs, but all are _flaws_, not expected functionality. https://twitter.com/cynicalsecurity/status/973595697902706688
You can find a measured take that includes my commentary on these vulnerabilities from @lorenzoFB @motherboard: https://motherboard.vice.com/en_us/article/kzpm5x/amd-secure-processor-ryzen-epyc-vulnerabilities-and-backdoors
Adding a FAQ based on the last 24 hours: "Tell me more about how you were paid" https://twitter.com/dguido/status/973687926692466689
"In a situation like this, would it be common for your firm to discuss disclosure with the vendor?" Yes, and we did. I discussed pros/cons of various options with them and recommended that they report the vulnerabilities to a CERT.
"Were you made aware of the plans to go public?" No. https://twitter.com/dguido/status/973633990639878144
"How did CTS Labs find you? What is your relationship to them?" Mutual friend. No ongoing relationship. https://twitter.com/dguido/status/973675763319885825
"Do you have any financial position or interest in AMD or Intel stock?" No. https://twitter.com/dguido/status/973986464789868547
If you're looking for clear, technical information about the flaws, then see the blog we just published: https://twitter.com/trailofbits/status/974345028498804737
This is my favorite take on the AMD Flaws. They are effectively a "jailbreak" for AMD CPUs. https://twitter.com/OSTIFofficial/status/974348788163928064
This is the truest comment anyone has made about my week so far: https://twitter.com/wildcardNP/status/973921044170989568
AMD published an initial technical assessment of the flaws from CTS and, by all indications, it agrees with our own. They even linked to our blog post! https://community.amd.com/community/amd-corporate/blog/2018/03/20/initial-amd-technical-assessment-of-cts-labs-research
So they gave you a week for QAing those exploits, but not even 24h for AMD to react?
In their eyes, it was unfinished research before we reviewed it. I probably would have handled it differently but they are not my bugs, and they have no obligation to provide notice.
Why would you do work for people who are obviously crooked? This is so transparently manipulative. How much will lawyers bill you when the SEC comes around for a chat?
Asking the real questions
Are you sure you are a CEO? I can't believe you publicly said you got paid to publish such a paper, which cites as an exploit something that needs admin access, local access and a driver signed by the parent company (AMD) in order to work!
Did they pay the bill you sent them?