So this http://AMDflaws.com business... CTS Labs asked us to review their research last week, and sent us a full technical report with PoC exploit code for each set of bugs.
-
-
Adding a FAQ based on the last 24 hours: - "Tell me more about how you were paid"https://twitter.com/dguido/status/973687926692466689 …
Show this thread -
"In a situation like this, would it be common for your firm to discuss disclosure with the vendor?" Yes, and we did. I discussed pros/cons of various options with them and recommended that they report the vulnerabilities to a CERT.
Show this thread -
"Were you made aware of the plans to go public?" No.https://twitter.com/dguido/status/973633990639878144 …
Show this thread -
"How did CTS Labs find you? What is your relationship to them?" Mutual friend. No ongoing relationship.https://twitter.com/dguido/status/973675763319885825 …
Show this thread -
"Do you have any financial position or interest in AMD or Intel stock?" No.https://twitter.com/dguido/status/973986464789868547 …
Show this thread -
If you're looking for clear, technical information about the flaws then see the blog we just published:https://twitter.com/trailofbits/status/974345028498804737 …
Show this thread -
This is my favorite take on the AMD Flaws. They are effectively a "jailbreak" for AMD CPUs.https://twitter.com/OSTIFofficial/status/974348788163928064 …
Show this thread -
This is the truest comment anyone has made about my week so far: https://twitter.com/wildcardNP/status/973921044170989568 …
This Tweet is unavailable.Show this thread -
AMD published an initial technical assessment of the flaws from CTS and, by all indications, it agrees with our own. They even linked to our blog post! https://community.amd.com/community/amd-corporate/blog/2018/03/20/initial-amd-technical-assessment-of-cts-labs-research …
Show this thread
End of conversation
New conversation -
-
-
How would you compare what you saw to Spectre/Meltdown? Is this more or less difficult to address?
-
Meltdown and Spectre required novel research advances. In contrast, all of these latest flaws have been well understood since the 90s. They are not new foundational issues, they are well understood programming flaws.
End of conversation
New conversation -
-
-
when they speak of "local machine elevated admin" they mean that in Windows privilege sense, not as in “I have physical possession of your machine", yes?
-
Yes. Researchers told me there's no need for physical access.
-
thanks. Yeah, that was a pretty awful white paper.
End of conversation
New conversation -
-
-
It would be awesome if cpu manufacturers would allow turning off all those extra features or sell a version that is just a cpu. Same for chipset features.
-
Whichever one of them supplies DOD must sell something without all the bells and whistles, I figure
-
Well it’s documented that ME can be turned off for them.
-
Intel ships non ME versions (usually in form of K series that lack vPro). I'm not sure though that's only for i-series or Xeon processors also are available in ME-free models.
-
Are you confusing ME and AMT? As I understood it all intel processors have ME (used for fan control, etc.) but only vPro-branded ones run AMT?
- End of conversation
New conversation -
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.