Dan Guido on Twitter: "This is my favorite take on the AMD Flaws. They are effectively a "jailbreak" for AMD CPUs. https://t.co/kbdsKxHpYa"

Country	Code	For customers of
United States	40404	(any)
Canada	21212	(any)
United Kingdom	86444	Vodafone, Orange, 3, O2
Brazil	40404	Nextel, TIM
Haiti	40404	Digicel, Voila
Ireland	51210	Vodafone, O2
India	53000	Bharti Airtel, Videocon, Reliance
Indonesia	89887	AXIS, 3, Telkomsel, Indosat, XL Axiata
Italy	4880804	Wind
3424486444	Vodafone
» See SMS short codes for other countries

Dan Guido‏ @dguido 13 Mar 2018

Report Tweet
Report NetzDG Violation

Regardless of the hype around the release, the bugs are real, accurately described in their technical report (which is not public afaik), and their exploit code works.

19 replies 55 retweets 72 likes

Show this thread

Dan Guido‏ @dguido 13 Mar 2018

Report Tweet
Report NetzDG Violation

I initially responded to their request out of curiosity -- "Hey, do you want to see our new processor bugs before we release them?" "hell yes I do" -- but after their asks continued to grow billed them our week rate for the work.

7 replies 4 retweets 17 likes

Show this thread

Dan Guido‏ @dguido 13 Mar 2018

Report Tweet
Report NetzDG Violation

Dan Guido Retweeted Arrigo Triulzi

I spent all morning talking to reporters, mostly to correct twitter hot takes. Yes, all the flaws require admin privs but all are _flaws_ not expected functionality.https://twitter.com/cynicalsecurity/status/973595697902706688 …

Dan Guido added,

Arrigo Triulzi @cynicalsecurity

Now onto the “vulnerabilities”: 1) MASTERKEY: if you allow unauthorised BIOS updates you are screwed. Threat level: No shit, Sherlock! 2) RYZENFALL: again, loading unauthorised code on the Secure Processor as admin. Threat level: No shit, Sherlock!

Show this thread

13 replies 16 retweets 44 likes

Show this thread

Dan Guido‏ @dguido 13 Mar 2018

Report Tweet
Report NetzDG Violation

You can find a measured take that includes my commentary on these vulnerabilities from @lorenzoFB @motherboard:https://motherboard.vice.com/en_us/article/kzpm5x/amd-secure-processor-ryzen-epyc-vulnerabilities-and-backdoors …

7 replies 47 retweets 60 likes

Show this thread

Dan Guido‏ @dguido 14 Mar 2018

Report Tweet
Report NetzDG Violation

Dan Guido Retweeted Dan Guido

Adding a FAQ based on the last 24 hours: - "Tell me more about how you were paid"https://twitter.com/dguido/status/973687926692466689 …

Dan Guido added,

Dan Guido @dguido

Replying to @IanCutress

It was driven by curiosity first and a favor. However, once we received the technical report and fielded their first set of questions, we realized it went beyond a favor. We anticipated 1 bug, not 13, so we asked to get paid.

2 replies 0 retweets 0 likes

Show this thread

Dan Guido‏ @dguido 14 Mar 2018

Report Tweet
Report NetzDG Violation

"In a situation like this, would it be common for your firm to discuss disclosure with the vendor?" Yes, and we did. I discussed pros/cons of various options with them and recommended that they report the vulnerabilities to a CERT.

1 reply 0 retweets 0 likes

Show this thread

Dan Guido‏ @dguido 14 Mar 2018

Report Tweet
Report NetzDG Violation

Dan Guido Retweeted Dan Guido

"Were you made aware of the plans to go public?" No.https://twitter.com/dguido/status/973633990639878144 …

Dan Guido added,

Dan Guido @dguido

Replying to @chronic

I did not see the whitepaper, video, media release, or anything else until a reporter sent it to me. Unlike everyone else, I only had the technical report and none of the media info.

1 reply 1 retweet 1 like

Show this thread

Dan Guido‏ @dguido 14 Mar 2018

Report Tweet
Report NetzDG Violation

Dan Guido Retweeted Dan Guido

"How did CTS Labs find you? What is your relationship to them?" Mutual friend. No ongoing relationship.https://twitter.com/dguido/status/973675763319885825 …

Dan Guido added,

Dan Guido @dguido

Replying to @IanCutress

They found us through a mutual friend. I had never spoken to them before, and I have no ongoing relationship with them. They sought us out because they were concerned about the validity of their findings.

3 replies 0 retweets 0 likes

Show this thread

Dan Guido‏ @dguido 14 Mar 2018

Report Tweet
Report NetzDG Violation

Dan Guido Retweeted Dan Guido

"Do you have any financial position or interest in AMD or Intel stock?" No.https://twitter.com/dguido/status/973986464789868547 …

Dan Guido added,

Dan Guido @dguido

Replying to @audiemmm

No, I do all my investing with an automated portfolio from @Betterment. I have no positions on AMD stock, and I have no arrangement to benefit with a 3rd party. Thanks for asking.

2 replies 1 retweet 4 likes

Show this thread

Dan Guido‏ @dguido 15 Mar 2018

Report Tweet
Report NetzDG Violation

Dan Guido Retweeted Trail of Bits

If you're looking for clear, technical information about the flaws then see the blog we just published:https://twitter.com/trailofbits/status/974345028498804737 …

Dan Guido added,

Trail of Bits @trailofbits

We published a technical summary of the "AMD Flaws" so they can be of use to the security community without the distraction of the surrounding disclosure issues. https://blog.trailofbits.com/2018/03/15/amd-flaws-technical-summary/ …

Show this thread

1 reply 8 retweets 8 likes

Show this thread

Dan Guido‏ @dguido 15 Mar 2018

Report Tweet
Report NetzDG Violation

Dan Guido Retweeted OSTIF Official

This is my favorite take on the AMD Flaws. They are effectively a "jailbreak" for AMD CPUs.https://twitter.com/OSTIFofficial/status/974348788163928064 …

Dan Guido added,

OSTIF Official @OSTIFofficial

Replying to @trailofbits

Wait, back up for a second... Does this mean that MasterKey provides a way to disable the AMD PSP? Is this the way to @coreboot_org and @libreboot that we have been waiting for?

11:24 AM - 15 Mar 2018

18 Retweets
32 Likes

2 replies 18 retweets 32 likes

1. 74810b012346c9a6‏ @orionwl 16 Mar 2018
  
  Report Tweet
  
  Report NetzDG Violation
  Replying to @dguido
  
  This^ made me somewhat excited too. I'd been trying to break into the PSP of my AMD laptop, but no luck yet. Spent some time re'ing a similar ARM PSP bootloader (https://github.com/coreboot/blobs/tree/master/soc/amd/stoneyridge/PSP …). Then two week later this announcement goes out! Too bad there's so little details.
  
  2 likes
  Thanks. Twitter will use this to make your timeline better. Undo
  
  Undo
1. 2 more replies

Loading seems to be taking a while.

Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.

Tweets

Dan Guido

@dguido

Tweets

Loading seems to be taking a while.

false

Saved searches

Tweets

Dan Guido

@dguido

Tweets

Go to a person's profile

Saved searches

Promote this Tweet

Block

Tweet with a location

Your lists

Create a new list

Copy link to Tweet

Embed this Tweet

Embed this Video

Preview

Why you're seeing this ad

Log in to Twitter

Sign up for Twitter

Not on Twitter? Sign up, tune into the things you care about, and get updates as they happen.

Two-way (sending and receiving) short codes:

Confirmation

Welcome home!

Tweets not working for you?

Say a lot with a little

Spread the word

Join the conversation

Learn the latest

Get more of what you love

Find what's happening

Never miss a Moment

Loading seems to be taking a while.

Promoted Tweet

false