So this http://AMDflaws.com business... CTS Labs asked us to review their research last week, and sent us a full technical report with PoC exploit code for each set of bugs.
You can find a measured take that includes my commentary on these vulnerabilities from @lorenzoFB @motherboard: https://motherboard.vice.com/en_us/article/kzpm5x/amd-secure-processor-ryzen-epyc-vulnerabilities-and-backdoors …
Adding a FAQ based on the last 24 hours: - "Tell me more about how you were paid" https://twitter.com/dguido/status/973687926692466689 …
"In a situation like this, would it be common for your firm to discuss disclosure with the vendor?" Yes, and we did. I discussed pros/cons of various options with them and recommended that they report the vulnerabilities to a CERT.
"Were you made aware of the plans to go public?" No. https://twitter.com/dguido/status/973633990639878144 …
"How did CTS Labs find you? What is your relationship to them?" Mutual friend. No ongoing relationship. https://twitter.com/dguido/status/973675763319885825 …
"Do you have any financial position or interest in AMD or Intel stock?" No. https://twitter.com/dguido/status/973986464789868547 …
If you're looking for clear, technical information about the flaws then see the blog we just published: https://twitter.com/trailofbits/status/974345028498804737 …
This is my favorite take on the AMD Flaws. They are effectively a "jailbreak" for AMD CPUs. https://twitter.com/OSTIFofficial/status/974348788163928064 …
This is the truest comment anyone has made about my week so far: https://twitter.com/wildcardNP/status/973921044170989568 …
AMD published an initial technical assessment of the flaws from CTS and, by all indications, it agrees with our own. They even linked to our blog post! https://community.amd.com/community/amd-corporate/blog/2018/03/20/initial-amd-technical-assessment-of-cts-labs-research …
So based on the bugs you gave them, which stock should we short?
IOTA
Oh come on… you update the BIOS with malicious code and you get 0wned: this might not be expected functionality but it is pretty standard. Drivers running as root have flaws allowing you to mess with the system. Not exactly surprising either. Bugs, bad bugs, sure. ZOMG? No.
I agree with your sentiment, but your description of the bugs is not accurate.
Adam, he saw the real technical paper with PoC so he “knows” but cannot talk. I still stand by my threat evaluation.
Sure, but requiring admin privs is a pretty big deal. A system where an attacker has admin privs is already a compromised system! To paint these bugs as "serious threatening vulnerabilities" strikes me as INCREDIBLY dishonest.
If you are not able to exploit something WITHOUT getting full access some other way (admin, BIOS update access), it's not a usable flaw, however you want to describe it. Even before using it you already had full access. It's like calling a lock flawed when you blow up the whole door.