|
Catching up on this: https://twitter.com/c7zero/status/973668616183754753 https://twitter.com/c7zero/status/973668833092288513 Dan Guido does appear to have some credentials in the area and Ian Cutress gave him a nod on Twitter. Apparently Ian is going to be interviewing CTS Labs tomorrow (possibly with David Kanter as well). https://twitter.com/IanCutress/status/973678700687450113 https://twitter.com/IanCutress/status/973697525071994880 edit: Tom's has spoken with them as well. https://twitter.com/PaulyAlcorn/status/973693230469517313 A second researcher has hit the towers: https://twitter.com/gadievron/status/973655683269873664 https://twitter.com/gadievron/status/973656014674386945 https://twitter.com/gadievron/status/973656120991547393 https://twitter.com/gadievron/status/973664804417220608 https://twitter.com/gadievron/status/973664942078484480 Paul MaudDib fucked around with this message at 03:46 on Mar 14, 2018 |
# ? Mar 14, 2018 03:04 |
|
|
# ? May 17, 2024 20:29 |
|
Even if this is real, this is irresponsible as gently caress. They can be assed to spend weeks setting their drat site up (domain was registered early Feb), make some lovely promo video like they're some rockstars, but can't give AMD any decent heads up?
|
# ? Mar 14, 2018 04:51 |
|
Titanfall 2 was well made, but the storyline is just Big Hero 6 with less Disney charm and more space marine guns. These security flaws seem like a good reason for AMD to sue ASmedia for a settlement, maybe even delay the X470 into launching alongside the B450 depending on how much effort it takes to close backdoors. But the rest of the list reads like "BFD" issues. Hey, did you guys know that a signed driver could do anything?? Imagine if a Microsoft-licensed vendor used their certification to digitally sign malware (and ruined their business relationship with Microsoft) to spy on your server! What if you were downloading a torrent and installing a pirated game and it was like, "yeah man if you want to play Final Fantasy XV for free first we gotta flash your motherboard's BIOS with this patch that will make the game run" and then the hackers can do anything!
|
# ? Mar 14, 2018 04:55 |
|
Should I know who Gadi Evron is?
|
# ? Mar 14, 2018 04:57 |
Kazinsal posted:Should I know who Gadi Evron is? He's obviously a well respected security researcher and highly regarded member of the infosec twitter community with... *squints* ...1000 followers. ...who passes along "we, a company that popped up out of nowhere and clearly associated with a group heavily shorting AMD stock, failed to follow anything resembling responsible disclosure because we care so much about you, the end user" without batting an eye.
|
|
# ? Mar 14, 2018 05:08 |
|
sincx posted:More info here: Gee, I wonder how many degrees of separation there are between CTS Labs and the Israel-based Intel team.
|
# ? Mar 14, 2018 05:08 |
|
I don't think it matters either way. His statements defending the practices of these people are laughable at best. Oh sure, the public has a right to know that an issue exists but their actions demonstrate how absolutely full of poo poo they are. They don't care about anything but lining their own pockets, hence the super inflammatory website that went up weeks before they even bothered to send AMD the technical details. Even if these are real vulnerabilities, the damage they have attempted to do strips them of all credibility. https://www.gamersnexus.net/industry/3260-assassination-attempt-on-amd-by-viceroy-research-cts-labs Edit: I'm actually angry about this. Because now I don't know who I can trust, they've royally hosed us all. Anarchist Mae fucked around with this message at 05:11 on Mar 14, 2018 |
# ? Mar 14, 2018 05:09 |
|
Bloody Antlers posted:Gee, I wonder how many degrees of separation there are between CTS Labs and the Israel-based Intel team. Yup, there's only one tech company in Israel. You cracked the code, busted Shintel. You know who else is based in Israel? every other tech company with a presence in the Middle East Paul MaudDib fucked around with this message at 05:50 on Mar 14, 2018 |
# ? Mar 14, 2018 05:13 |
|
Paul MaudDib posted:Yup, there's only one tech company in Israel. You cracked the code, busted Shintel. It's ok to accept it as a possibility. Pretending it's actually what happened without any evidence is just loving stupid.
|
# ? Mar 14, 2018 05:17 |
|
Measly Twerp posted:It's ok to accept it as a possibility. Pretending it's actually what happened without any evidence is just loving stupid. Nuance? In MY AMD thread??
|
# ? Mar 14, 2018 05:23 |
|
Measly Twerp posted:It's ok to accept it as a possibility. Pretending it's actually what happened without any evidence is just loving stupid. Sure, it just doesn't mean anything either way. Israel is the Silicon Valley of the Middle East, it would be equally a possibility if they were based in Dallas or Palo Alto or Seattle or London or something. There are like, dozens of major tech companies with offices in Israel and the same mix of small companies and startups as you'd find in any other tech hub. See also: people who are intimating something sinister based on the fact that the guy worked in Israeli Intelligence. You know, in a country with compulsory military service. Shocker, people often touch computers in the military and then later go on to touch computers as a civilian, because they are good at touching computers. I'm not even sure what being in the military is supposed to imply anyhow, but it means doubly nothing in a country where everyone is in the military for at least a couple years. People here haven't done the latter, but Reddit is on a full-on anti-semitic meltdown. It's an Israeli company, guys! Paul MaudDib fucked around with this message at 05:38 on Mar 14, 2018 |
# ? Mar 14, 2018 05:27 |
|
https://www.gamersnexus.net/industry/3260-assassination-attempt-on-amd-by-viceroy-research-cts-labs Gotta short sell them stocks my homies!
|
# ? Mar 14, 2018 05:28 |
|
I didn't say it in my last post but I wanted to, the amount of passive-aggressive antisemitism that I've seen on tech boards due to the company being based in Israel is shocking, if only because of how drat casual it always is. GamersNexus is operating outside their usual waters here, but at least got an Intel rep to say on the record that they want nothing to do with this.
|
# ? Mar 14, 2018 05:41 |
|
Eagerly awaiting a press conference livestream from Lisa Su........in a Monstertruck!
|
# ? Mar 14, 2018 05:48 |
|
Paul MaudDib posted:People here haven't done the latter, but Reddit is on a full-on anti-semitic meltdown. It's an Israeli company, guys! As far as these "exploits" go it sounds like half overblown BS that any system would be vulnerable to and/or stuff that is patchable with a BIOS or driver update with no major issues. The rest of the details about these guys screams scammy as gently caress too. Eh maybe some good will come out of stuff like this if it keeps popping up and AMD and Intel end up deciding to drop PSP/IME. I think they're both way more trouble than they're worth in the long run.
|
# ? Mar 14, 2018 06:22 |
|
.
sincx fucked around with this message at 05:50 on Mar 23, 2021 |
# ? Mar 14, 2018 06:26 |
|
sincx posted:I sure hope they lost money on their short, since AMD closed up today. Little did they know that $AMD is stuck in permanent Opposite Day. Yet another reason AMD is a surefire choice for the comedy-hungry investor Paul MaudDib fucked around with this message at 06:32 on Mar 14, 2018 |
# ? Mar 14, 2018 06:28 |
|
PC LOAD LETTER posted:Reddit is loaded with Nazis and trolls, you flat out can't read hardly anything that trends there anymore without running into either overt racist BS or more subtle attempts at that poo poo. IIRC the stormfront types are actively engaged in "red-pilling" on Reddit to try and recruit more people to their cause. But gaming forums are a cesspit in general. Yeah the exploits are pretty serious but I don't see any reason this won't be patched in a week or two, and so far the technical details/PoCs themselves aren't in the open. And yeah, this is basically exactly what people were worried about with the PSP. So much for AMD's security audits, if a two-bit outfit like this managed to drum up a whole bunch of breaks that doesn't really say much. Paul MaudDib fucked around with this message at 07:07 on Mar 14, 2018 |
# ? Mar 14, 2018 06:40 |
|
Paul MaudDib posted:And yeah, this is basically exactly what people were worried about with the PSP. So much for AMD's security audits, if a two-bit outfit like this managed to drum up a whole bunch of breaks that doesn't really say much. Until they manage to find a "yeah, send a blank password strong to port 5675 on any vPro laptop to get root IME access" type remotely exploitable CVE, this is basically a 'yeah, patch your BIOS once it's out' kind of deal.
|
# ? Mar 14, 2018 07:13 |
|
Ehh its more like everyone has been worried about PSP/IME since they were announced. They both basically require a ~~perfect~~ security implementation to really be secure in the long run and that just isn't possible so dumbass bugs and exploits of some sort will always be popping up for both every now and again over the years. There'll never really be a end to the patches they'll have to do, they'll both just end up eventually dropping support for the legacy stuff that'll inevitably still be in widespread use for years in the wild and "well go buy something new" isn't exactly a good solution to most people. And neither AMD, Intel, or any of the OEM's are really interested in trying to properly support them over the long run either anyways. If they can't do it right and/or won't support it properly its flat out dumb to do it and I don't really know why both AMD or Intel insist on doing this poo poo. Like I get why in theory its great to have and all but the real world implementations are clearly falling short here. At least AMD seems to have allowed the ability to disable PSP now with the latest AGESA update and some mobo vendors have passed along that option in the latest BIOS's. I know I turned mine off as soon as I could.
|
# ? Mar 14, 2018 07:17 |
|
https://youtu.be/ZZ7H1WTqaeo
|
# ? Mar 14, 2018 07:28 |
|
Paul MaudDib posted:Catching up on this:
|
# ? Mar 14, 2018 08:22 |
|
It is possible for shady investor groups to take large short positions and then try to manipulate the stock without Intel being involved
|
# ? Mar 14, 2018 08:49 |
|
Wiggly Wayne DDS posted:please stop embarrassing yourself. none of those people have credibility in the security industry and look how many have quietly said they were paid or know cts-labs (which no one in sec has) David Guido and his organization appear to have something to lose if it turns out they're lying about seeing PoCs, and has stated that he wasn't on their payroll when they showed him their research (it was a big enough release he wanted to bill for it). The other guy isn't famous, but he's spoken at DefCon several times before, so he's not exactly unknown even if he's not a huge name, so he has at least something to lose if it turns out he was just lying about seeing PoCs. Anandtech should be interviewing them this morning and David Kanter may have been invited, I'm willing to take their word on it. Shooting the messenger is really irrelevant here, I don't care if they are a 3-man startup who only incorporated a couple weeks ago and is still faking it with greenscreens, I don't care if they are an (((Israeli company with ex-military personnel))), and it doesn't even matter if they were funded by Viceroy or whoever. If Intel wants to pay to audit AMD's processors for them, who cares? The exploits either exist or they don't, that's really all that matters. It's either a hilarious internet drama, or it's going to get patched pretty quick, so why so serious Mr YosPos? Paul MaudDib fucked around with this message at 09:46 on Mar 14, 2018 |
# ? Mar 14, 2018 09:24 |
|
Paul MaudDib is a pretty bad poster.
|
# ? Mar 14, 2018 09:41 |
|
Paul MaudDib posted:The exploits either exist or they don't please read the loving thread https://twitter.com/cynicalsecurity/status/973596410896683008 the "exploits" are "just run this as admin"
|
# ? Mar 14, 2018 09:51 |
|
I was gonna ask why Paul linked the post history of some dude demonizing the term Responsible Disclosure as "Orwellian" as his example of why responsible disclosure is bad but by the time I went to quote the post it was already removed.
|
# ? Mar 14, 2018 10:00 |
|
First the monstertruck hate now this tisk tsik
|
# ? Mar 14, 2018 10:04 |
|
Nation state hackers, cryptocurrency, manipulation of the masses through social media technology and CPU hardware exploits being used to manipulate the stock market, we truly live in the lamest cyberpunk future year 2018. Where's the cool poo poo like jacking off your brain into microchips or whatever.
|
# ? Mar 14, 2018 10:13 |
|
Paul MaudDib posted:David Kanter may have been invited, I'm willing to take their word on it. Kanter has already said they look like scammers over on RWT FWIW. That seems to be the concensus over there. https://www.realworldtech.com/forum/?threadid=175139&curpostid=175145 Unless they do a real solid PoC to back their claims I think its reasonable to assume they're full of it for the most part at this point.
|
# ? Mar 14, 2018 10:19 |
|
You know, I thought you just had this hate-boner for AMD you just couldn't resist playing with in public, but Christ your posting is terrible.
|
# ? Mar 14, 2018 10:19 |
|
SwissCM posted:Nation state hackers, cryptocurrency, manipulation of the masses through social media technology and CPU hardware exploits being used to manipulate the stock market, we truly live in the lamest cyberpunk future year 2018. Where's the cool poo poo like jacking off your brain into microchips or whatever. Is the brainstem your brain's dick? -- The above sentence contributes about as much to the world of security as this AMDFlaws.com poo poo that looks and feels straight out of a clickbait "related content" ad next to "Local Semiconductor Process is 10, looks 7!". Sinestro fucked around with this message at 10:24 on Mar 14, 2018 |
# ? Mar 14, 2018 10:21 |
|
Sinestro posted:Is the brainstem your brain's dick? Yes, heres 10 reasons why.
|
# ? Mar 14, 2018 10:30 |
|
Seems our friends at Viceroy have a history of not being able to keep their noses clean.quote:German financial watchdog Bafin said on Monday that short-seller Viceroy Research breached German securities law with a research report on ProSiebenSat.1 as it did not notify the regulator of its activities. Sound familiar? https://www.reuters.com/article/prosieben-media-accounts/germanys-bafin-says-viceroy-breached-rules-with-prosieben-report-idUSFWN1QU0QP Article dated 2018-03-12. SwissArmyDruid fucked around with this message at 11:23 on Mar 14, 2018 |
# ? Mar 14, 2018 11:21 |
|
My dudes this is standard shortselling tactics cf the st Jude medical thing or muddy waters in general. It is 100% OK to independently investigate and publish bad news with a short position as long as it isn't insider poo poo. That said the vulnerabilities are not fake, they just require conditions that render them less serious. They are real but will need a bios patch at best afaict Of course this unknown security outfit is acting in bad faith, they just wanna make a buck. It ain't exactly news.
|
# ? Mar 14, 2018 11:33 |
|
SwissCM posted:Yes, heres 10 reasons why. But-but-but I must trust everything that is said on the Internet in TYOOL 2018 because
|
# ? Mar 14, 2018 11:53 |
Hey let's say I'll get my hands on the cheapest April model, which mb chip I'm supposed to look for? It's confusing.
|
|
# ? Mar 14, 2018 12:03 |
|
PC LOAD LETTER posted:Ehh its more like everyone has been worried about PSP/IME since they were announced. Has there been any testing to make sure it's 100% disabled? The last AMD CPU I was using didn't have PSP, but on the Intel side of things, every option to disable IME/AMT (if the manufacturer is even being that generous) is purely cosmetic, and mostly just stops it from appearing in the device manager, as it'll still continue to do God-knows-what whether you like it or not. If you want IME gone 100%, you either need to be using an ancient board that supports Coreboot, or patch it out entirely using ME Cleaner, and Intel is so committed to forcing IME on people that removing it the wrong way in the past punished you with restarts every 15 minutes IME has been just as vulnerable/skeevy forever, so the fact that hidden and undocumented CPU subsystems are now magically-bad since AMD has them showcases just how obvious this "controversy" is
|
# ? Mar 14, 2018 12:13 |
|
Shy posted:Hey let's say I'll get my hands on the cheapest April model, which mb chip I'm supposed to look for? It's confusing. Probably B450, cheaper than X470 and supports Pinnacle Ridge out of the box unlike X370/B350/A350.
|
# ? Mar 14, 2018 12:23 |
|
|
# ? May 17, 2024 20:29 |
Arzachel posted:Probably B450, cheaper than X470 and won't need bios updates unlike X370/B350/A350. Cool, thanks. B450 is released simultaneously with the CPUs, right?
|
|
# ? Mar 14, 2018 12:25 |