"amdflaws.com" - What is this?

[krumme]

Lmao at Ian Cutress' tweet calling vulnerabilities that require administrator privileges to exploit "real".

I think him not reading his own site is not news unfortunately.

Yeaa can someone explain this to me?

What level of hardware access are we talking here?
What level of admin priviledges?

I mean you need to balance openness vs security in all situations also cpu.

 

[moinmoin]

Reminder on what "vulnerabilities" we are talking about:

1) MASTERKEY: if you allow unauthorised BIOS updates you are screwed.
Threat level: No shit, Sherlock!

2) RYZENFALL: again, loading unauthorised code on the Secure Processor as admin.
Threat level: No shit, Sherlock!

3) FALLOUT: vendor-supplied *signed* driver allows access to Secure Processor.
Threat level: No shit, Sherlock!

4) CHIMERA¹: outsourced chipset has an internal ucontroller which can be 0wned via digitally signed driver.
__
¹ read about my Chimaera Processor: far sexier stuff.

https://twitter.com/cynicalsecurity/status/973591954096381952

 

[USER8000]

Lmao at Ian Cutress' tweet calling vulnerabilities that require administrator privileges to exploit "real".

I think him not reading his own site is not news unfortunately.

CTS-Labs are using a public relations firm located in NY. Just saw this on another forum:

http://www.bevelpr.com/expertise/

Our Services
We specialize in a variety of communications areas. Our team of influencers will help you develop a customized communications plan that is uniquely designed to drive success for your business.

143 West 29th Street, 7th Floor
New York, NY 10001
P +1 (917) 819-5738
newyork@bevelpr.com

The chap from trailofbits:

https://twitter.com/dguido

Brooklyn, NY

 

[krumme]

Just because you need higher privileges to execute doesn't mean it isn't a vulnerability... It does make it a lot less severe though.

How is that. What excactly do you need top level keys for then?

 

[William Gaatjes]

Just because you need higher privileges to execute doesn't mean it isn't a vulnerability... It does make it a lot less severe though.

When you are root or admin, what do you expect a root ar admin should be capable of...

 

[USER8000]

Someone needs to tweet Ian Cutress this thread,as its going to be a joke when enthusiasts uncover more of these conflicts of interests than tech journalists.

They seem to be unaware of the dodginess!

 

[moinmoin]

Linus on g plus https://plus.google.com/+LinusTorvalds


"It looks like the IT security world has hit a new low"

Linus says how it is.

When was the last time you saw a security advisory that was basically "if you replace the BIOS or the CPU microcode with an evil version, you might have a security problem"? Yeah.

No, the real problem is the mindless parroting of the security advisory (it's "Top Story" on at least one tech news site right now), because security is so much more important than anything else, and you can never question it.

"AnandTech - Proud to be part of the problem"

 

[xblax]

If any of these flaws are real, most of them could probably be fixed by PSP firmware updates. The only third party backing this up seems to be "Dan Guido" https://twitter.com/dguido - his company looks to be somewhat reputable based on their publications https://www.trailofbits.com/research-and-development/published-research/

But however this turns out, the only purpose of this shady amdflaws.com disclosure was to manipulate the stock marked. This "Viceroy Research" paper [1] is a piece of joke. It was released at the same time these "security flaws" were disclosed. That means they had access long time before AMD was notified. The pepole behind this are criminals and shoud be treated that way. Calling them "Researchers" and giving them any credibility like Ian does in his news report is an insult to anyone doing honest research.

[1] https://viceroyresearch.files.wordpress.com/2018/03/amd-the-obituary-13-mar-2018.pdf

 

[USER8000]

If any of these flaws are real, most of them could probably be fixed by PSP firmware updates. The only third party backing this up seems to be "Dan Guido" https://twitter.com/dguido - his company looks to be somewhat reputable based on their publications https://www.trailofbits.com/research-and-development/published-research/

But however this turns out, the only purpose of these pulications was to manipulate the stock marked. This "Viceroy Research" paper [1] is a peace of joke. It was released at the same time these "security flaws" were disclosed. That means they had access long time before AMD was notified. The pepole behind this are criminals and shoud be treated that way. Calling them "Researchers" and giving them any credibility like Ian does in his news report is an insult to anyone doing honest research.

[1] https://viceroyresearch.files.wordpress.com/2018/03/amd-the-obituary-13-mar-2018.pdf

It seems too convenient,that they got sent the paper a week before AMD got it,for less than 24 hours,and the CEO worked in the same city for an investment fund and even hired a NY based company for marketing.

Perhaps they need to look at the possibility this outfit is using them for nefarious means.

 

[krumme]

The reddit thread is pretty fun. I havnt had so much fun in a long time. Tears is running...

 

[DaveSimmons]

My recent CPU purchase was a Coffeelake 8700 and before that a 7700 for work and an i5-2500 for home. Team Intel!

This is a stock manipulation scam. Wildly exaggerated vulnerabilities released without a chance for mitigation by a "security company" that's probably just a sockpupper for a known short-seller.

Ignore it and keep buying Ryzens, you have nothing to worry about unless someone breaks into your house so that they can flash your BIOS with an Evil Twin.

 

[USER8000]

This has been pointed out on Overclockers UK forums:

https://forums.overclockers.co.uk/t...-vulnerabilites.18814131/page-3#post-31665276
https://forums.overclockers.co.uk/posts/31666030/

From their website

We specialize in a variety of communications areas. Our team of influencers will help you develop a customized communications plan that is uniquely designed to drive success for your business.

Another bit from their own website:

"We are known for our extensive media relationships and network. Let us connect you with the right reporters, bloggers, analysts and influencers who will understand your business and share your perspective with the markets."

Why would a security outfit need a marketing company which uses influencers??

 

[krumme]

Perhaps Ian wants a motherboard that can not have its bios upgraded?

You never know a tech journalist nasty hidden fantasies. I tell you.

 

[Panino Manino]

It's incredible. They may write at the end that it's all shaddy and suspicious, but nothing prevents the tech sites to publish the news with alarmist clickbait titles.

 

[USER8000]

This is getting even more dodgier:

https://www.cnbc.com/2018/03/13/reu...israeli-firm-says-it-finds-amd-chip-flaw.html

"March 13 (Reuters) - An Israeli cyber security research firm with six employees on Tuesday said it had found flaws in Advanced Micro Devices microprocessors that made them vulnerable to hacks.

AMD said it was investigating the claims, which were followed by heavy trade in AMD shares. The stock closed up 1 percent to $11.64 after a day of volatile trade. AMD traded between $11.10 and $12.04 following release of the report from Tel Aviv-based CTS Labs.

CTS executives told Reuters that they had shared their findings with some clients who pay the firm for proprietary research on vulnerabilities in computer hardware. They declined to identify their clients or say when they had provided them with data on the vulnerability.

"I cant really talk about my clients," said Yaron Luk-Zilberman, chief financial officer at the firm that was founded in January 2017.

Short-seller Viceroy Research published a 25-page report on the vulnerabilities on Tuesday, betting its shares will fall.

AMD said that the report took it by surprise.

"This company was previously unknown to AMD and we find it unusual for a security firm to publish its research to the press without providing a reasonable amount of time for the company to investigate and address its findings," AMD said in a note to customers on its website.

Viceroy founder Fraser Perring told Reuters that somebody anonymously emailed him a draft of the report at about 4 p.m. on Monday. The firm spent much of the evening analyzing the situation and ended up taking a "sizeable" short position in AMD, he said.

There has been increased investor interest in AMD since the beginning of the month, with options drawing large trades that appeared to be betting on increased near-term gyrations in the shares.

Puts, options contracts that protect against a drop in the share price, were particularly active. Last week, the cumulative number of open put contracts outnumbered open calls 1.5-to-1, the most defensive this measure has been in more than two years, according to options analytics firm Trade Alert data. That measure declined slightly by Tuesday.

On Friday and Monday, short selling of AMD's stock increased by about 15 million shares, according to S3 Partners, a financial analytics firm. That brought overall short interest in the chipmaker to about 180 million shares, the most since at least 2010.

"Over the last several days there was a spike in short selling that was completely out of the norm," said Ihor Dusaniwsky, S3 Partners head of research.

New York-based cyber security firm Trail of Bits told Reuters that it had verified the findings from CTS, which paid $16,000 for a review of the AMD vulnerabilities.

A Trail of Bits analyst spent a week reviewing detailed technical reports from CTS, along with "proof of concept" code that could be used to launch attacks on computers running vulnerable AMD chips, Trail of Bits Chief Executive Dan Guido told Reuters.

"These are real security issues in AMD code and processors" that hackers could exploit to manipulate or steal secure data, he said.

For the attacks to work, an attacker must first obtain administrator access to a targeted network, Guido said. ( Reporting by Jim Finkle in Toronto, Arjun Panchadar; Additional reporting by Noel Randewich in New York, Saqib Ahmed in New York and Shariq Khan in Bengalure; Editing by Susan Thomas and Grant McCool)"

 

[DaveSimmons]

A Trail of Bits analyst spent a week reviewing detailed technical reports from CTS, along with "proof of concept" code that could be used to launch attacks on computers running vulnerable AMD chips, Trail of Bits Chief Executive Dan Guido told Reuters.

As mentioned by others, he was given this info a week before AMD was. Aside from pointing out how sleazy the (possible sockpuppet) CTS is, that also make me wonder if he is receiving some benefit (like payments) for providing a not-really-impartial confirmation of the alleged flaws.

 

[ao_ika_red]

Another funny thing is, unlike Meltdown/Spectre in the past, these vulnerabilities go straight up to mainstream tech-media outlet. I remember some quiet whisper around multiple forums about Meltdown/Spectre before it went live on mainstream media.

 

[Panino Manino]

As mentioned by others, he was given this info a week before AMD was. Aside from pointing out how sleazy the (possible sockpuppet) CTS is, that also make me wonder if he is receiving some benefit (like payments) for providing a not-really-impartial confirmation of the alleged flaws.

He just did a favor for "a mutual friend" in good will.

 

[FIVR]

I can't believe anandtech ran with this story. Pretty much tells you they will buy anything anti-AMD or pro-intel.

 

[Glo.]

I can't believe anandtech ran with this story. Pretty much tells you they will buy anything anti-AMD or pro-intel.

I can actually understand Ian's way of thinking about this. Security concerns lately are hot topic, and very important topic at the same time. No matter how stupid the claims can be - you have to inform about situation.

 

[Mockingbird]

CTS Labs is a fake security "company" that is funded by Viceroy Research.

Viceroy Research taking a "sizeable" short position in AMD

https://www.cnbc.com/2018/03/13/reuters-america-update-2-after-short-selling-surge-israeli-firm-says-it-finds-amd-chip-flaw.html

 

[positivedoppler]

So Admin rights and even a bios flash is required for this "vulnerability"....what am I missing here? Its possible for robbers to rob my house if they have a copy of my front door key and alarm code.

 

[Malogeek]

The fact that this garbage was posted in the way it was by Anandtech is disturbing. Looks like Ian Cutress had the information for awhile before it was made public. Did he even contact AMD himself or prefer to post a nice dramatic article for page hits?

 

[Zstream]

The fact that this garbage was posted in the way it was by Anandtech is disturbing. Looks like Ian Cutress had the information for awhile before it was made public. Did he even contact AMD himself or prefer to post a nice dramatic article for page hits?

I can't bash him for it, but if he knew before AMD, that is bull.

 

[.vodka]

The fact that this garbage was posted in the way it was by Anandtech is disturbing. Looks like Ian Cutress had the information for awhile before it was made public. Did he even contact AMD himself or prefer to post a nice dramatic article for page hits?

The fact that this crap is still up in the front page is disturbing.

https://twitter.com/IanCutress/status/973598276925689856

More or less every tech site with major reach has been notified here as to who is behind all this insanity. At the very least they should all take it down and apologise.

AMD should sue, scorched earth style, no mercy.