So this http://AMDflaws.com business... CTS Labs asked us to review their research last week, and sent us a full technical report with PoC exploit code for each set of bugs.
Show this thread
-
I spent all morning talking to reporters, mostly to correct twitter hot takes. Yes, all the flaws require admin privs but all are _flaws_ not expected functionality.https://twitter.com/cynicalsecurity/status/973595697902706688 …
Show this thread
You can find a measured take that includes my commentary on these vulnerabilities from @lorenzoFB @motherboard:https://motherboard.vice.com/en_us/article/kzpm5x/amd-secure-processor-ryzen-epyc-vulnerabilities-and-backdoors …
-
-
Adding a FAQ based on the last 24 hours: - "Tell me more about how you were paid"https://twitter.com/dguido/status/973687926692466689 …
Show this thread -
"In a situation like this, would it be common for your firm to discuss disclosure with the vendor?" Yes, and we did. I discussed pros/cons of various options with them and recommended that they report the vulnerabilities to a CERT.
Show this thread -
"Were you made aware of the plans to go public?" No.https://twitter.com/dguido/status/973633990639878144 …
Show this thread -
"How did CTS Labs find you? What is your relationship to them?" Mutual friend. No ongoing relationship.https://twitter.com/dguido/status/973675763319885825 …
Show this thread -
"Do you have any financial position or interest in AMD or Intel stock?" No.https://twitter.com/dguido/status/973986464789868547 …
Show this thread -
If you're looking for clear, technical information about the flaws then see the blog we just published:https://twitter.com/trailofbits/status/974345028498804737 …
Show this thread -
This is my favorite take on the AMD Flaws. They are effectively a "jailbreak" for AMD CPUs.https://twitter.com/OSTIFofficial/status/974348788163928064 …
Show this thread -
This is the truest comment anyone has made about my week so far:https://twitter.com/wildcardNP/status/973921044170989568 …
Show this thread -
AMD published an initial technical assessment of the flaws from CTS and, by all indications, it agrees with our own. They even linked to our blog post! https://community.amd.com/community/amd-corporate/blog/2018/03/20/initial-amd-technical-assessment-of-cts-labs-research …
Show this thread
End of conversation
New conversation -
-
-
How would you compare what you saw to Spectre/Meltdown? Is this more or less difficult to address?
-
Meltdown and Spectre required novel research advances. In contrast, all of these latest flaws have been well understood since the 90s. They are not new foundational issues, they are well understood programming flaws.
End of conversation
New conversation -
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.