
"amdflaws.com" - What is this?

Page 11 - AnandTech community forums
https://techreport.com/news/33379/cts-labs-defends-its-public-disclosure-of-amd-vulnerabilities

The author then describes CTS' motivations to publish its findings immediately rather than providing ASMedia and AMD several weeks to work on fixing the problems. His primary argument is that public disclosure forces the vendor to begin work on mitigating the flaws immediately. Luk-Zilberman concludes the letter by saying that his group could have provided its proof-of-concept code to more than one party (in this case, Dan Guido from Trail of Bits) before making its claims public.

What he expects: "Alright guys, we have 90 days to fix this. Let's just sit on our tuchus for 80 days and smoke pot and then only fix a critical vulnerability in the remaining 10 days."
Reality: "We need to get it fixed as fast as possible so we can patch systems against this critical vulnerability and clearly explain the ins and outs so the public is informed and does not panic over nothing."

All I see this doing in practice is creating rushed-out broken patches and public confusion. Which, if your goal was stock manipulation - great!
 
Patches? Like removing the ability to do BIOS updates? And having Microsoft revoke all admin rights, so only they can install any programs?

This whole thing is a joke, a BAD joke, and not a problem, just a lot of BS.

You do know that ALL of these require either physical access to do a BIOS update, or admin privs.
 
CTS' behavior is not consistent with that of any reputable security researcher. There is no reason other than supporting the short-selling scam to provide the information to their paid collaborator a week early but not also to AMD.

Their reason is not credible. How can AMD not having the information for an extra week or more possibly speed up the creation of fixes? Answer: it can't, and no person without other motives like stock manipulation would think it could.
 
I'm surprised no one has done this before, particularly for a company with volatile stock like AMD; you can't lose. I suspect we'll see more of this in the future, with more companies set up to give those who've found something like this a way to make a lot of money - you bring the exploit, they bring the money to invest and the stock market know-how. You both make money.

In 2016, security research firm MedSec found vulnerabilities in pacemakers made by St. Jude Medical. In what was likely a first, MedSec partnered with hedge fund Muddy Waters to bet against St. Jude Medical’s stock.
 
Synopsis:

"To violate these systems you first need to violate these systems"

Laughable.

And anyone saying that while the company is shady the threats might be real, really really really has no clue about this stuff. The "vulnerability" is basically that superadmins have superadmin powers and that is a tool to do whatever they want. Exactly as it should be by design, or the role wouldn't exist.
As I wrote earlier in the thread, this could be a real issue for anyone using full-disk encryption with a TPM, e.g. BitLocker. The whole point of FDE is to prevent someone who has physical access to the system from reading data off it. A vulnerability in the PSP could allow the attacker to make the TPM just decrypt the drive unconditionally.

Of course it's not as serious as they are trying to make it appear; a remote exploit in the Intel ME was found not long ago that similarly allowed encryption to be bypassed, and it didn't cause as much drama as this has. Don't dismiss it entirely just because of the sleazy source though (assuming they didn't just make the whole thing up).
 

The main problem hardly anybody mentions is that those fraudsters are putting users and the public at risk.

It is highly unprofessional and at odds with principles that security research should follow. Their irresponsible publication puts users at risk, and the fact that they held back the findings for months instead of reporting to the vendor ASAP has prolonged the time that users will be left vulnerable by months.

And they even shared the findings with many parties that could have leaked to cyber criminals and other bad actors, BEFORE they reported the bugs to the vendor. According to some sources, they even enforced NDAs with media so that they don't warn the vendor.

This security researcher (so-called...) has increased the risk to users significantly through their behaviour. Their professional community should condemn and stay away from such practices.
 
I don't see how anyone is at risk right now. These so-called "flaws" require admin privileges to implement, which makes them not "flaws" at all. Any admin EVER could always do this.
 

The way they released this "data" is certainly in poor taste, and against all known security protocols.

However, their flaws are not real flaws IMO. If an attack requires the attacker to have source code and certs in order to impersonate a company and then install compromised drivers/firmware, plus admin privs on the machine they are attacking, it's NOT a flaw.
 
Good and all if they found something, but now it's even more clear that what they did was criminal.
It pains me imagining "the press" insisting on giving those bandits an audience (and profits).
"See, the vulnerabilities were true after all, we were not wrong about giving CTS the 'benefit of the doubt'".
 

Oh. That's surprising.

I think this morning, before I go to work, I am going to write a white paper claiming I found a security flaw in my microwave oven's firmware that will allow an attacker to change the heat setting without a user's knowledge and burn their food.

CTS Labs and Viceroy are making some very big claims without providing any evidence. Everyone is still taking a wait-and-see approach though.
 
I am still asking myself the same question... why would anyone set up a site/company only to investigate one lineup of processors on the market? I mean literally they investigated a single die.

If you want to help the security of processors on this planet, you will look at only one lineup? Amazing.
 
You can all see how the hype train works though. Right? Do you wonder, after Spectre etc., how many established and reputable researchers have been testing other CPU architectures to see if they are vulnerable to exploits?

The whole thing is bizarre. Hopefully there are no vulnerabilities, but who knows? That's the beauty of it.
 
So have we seen proof of concept exploits yet?

A select few (none are independent from what I've seen) have said that they've seen the PoCs and that they work as described in the technical report (different than the publicly released white paper). What the PoCs actually do or what the technical report says and how it may be different than what is described in the white paper is still a big unknown.

According to the "researchers", we won't see PoC or technical report until all the vulnerabilities are fixed, because they are concerned about public safety 🙄.
 

People saying they have seen the exploits means nothing. That's the thing. The caveat on that though would be if a highly reputable researcher, or one of the companies that CTS Labs claim they have sent their research to, publicly confirms they have received the POC exploits*. Otherwise it's BS. Just my opinion of course. I am certainly no expert in this field**.

*Although those companies haven't denied it either. Or have they? 🙂

**I did once read an article called Smashing the Stack for Fun and Profit by Aleph One when I was at university. It's a bit dated now though, but hey.
 
I've been trying to wrap my head around this for a couple days. To me this just seems like a first man in line attack.

The PSP is in charge of provisioning environments. If I'm first in line, I set up the first environment as everything including the request vector for any future requests. To them the new boss looks exactly the same as the old boss.
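The two posts above that take the PSP angle seriously (the BitLocker/TPM post and this "first man in line" post) share one point: a disk key sealed to boot measurements is only as trustworthy as the component that produces those measurements. The toy model below is an added example, not code from the thread or from AMD or Microsoft; the boot component names, the storage root key and the XOR-based key wrapping are constructed stand-ins for a real TPM's PCR policy.

```python
import hashlib
import hmac

# Constructed sample data: a known-good boot chain and a volume key to protect.
GOOD_BOOT = [b"psp-bootloader v1", b"uefi-firmware v1", b"bootmgr v1"]
TAMPERED_BOOT = [b"psp-bootloader v1", b"uefi-firmware EVIL", b"bootmgr v1"]
VOLUME_KEY = bytes(range(32))
SRK = b"constructed-storage-root-key"   # stand-in for the TPM's internal secret


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style PCR extend: new = SHA256(old || SHA256(measurement))."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def boot_pcr(reported_components) -> bytes:
    """PCR value after extending each reported boot component, in order."""
    pcr = bytes(32)
    for component in reported_components:
        pcr = extend(pcr, component)
    return pcr


def seal(key: bytes, expected_pcr: bytes) -> dict:
    """Bind a key to a PCR value (toy model of a sealed blob with a PCR policy)."""
    wrap = hmac.new(SRK, expected_pcr, hashlib.sha256).digest()
    return {"policy": expected_pcr, "blob": bytes(a ^ b for a, b in zip(key, wrap))}


def unseal(sealed: dict, current_pcr: bytes):
    """Release the key only when the current PCR matches the sealed policy."""
    if not hmac.compare_digest(sealed["policy"], current_pcr):
        return None
    wrap = hmac.new(SRK, current_pcr, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(sealed["blob"], wrap))


SEALED = seal(VOLUME_KEY, boot_pcr(GOOD_BOOT))


def boot_and_unseal(actual_components, root_of_trust_honest: bool = True):
    """Simulate one boot. The first component to run decides what is measured:
    an honest root of trust reports what actually ran, while a compromised root
    (the 'first man in line') reports the known-good chain regardless, so a
    modified firmware image never shows up in the PCR the key is sealed to."""
    reported = actual_components if root_of_trust_honest else GOOD_BOOT
    return unseal(SEALED, boot_pcr(reported))
```

Tampered firmware is caught (the key stays sealed) only while the root of measurement is honest; once that root lies, the same tampered chain unseals the key, which is the scenario the BitLocker post worries about.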
 

If I could spel and use corect gramoar I'd make one two.

My idea involes self drive kars and smash up derby
 
You can't type that drunk....Takes skill and concentration to defeat auto correct.

Ah. Well you should drink. It makes anandtech more readable. When I was at university. I had an academic supervisor for my final year project and I used to drive him nuts with my grammar (or lack thereof). He once told me in an almost horrified way that I can't start a sentence with a conjunction and I was like what's a conjunction?

I do know computer security though (phrack is still good) and BS when I see it. Maybe it's not BS though? Who can say? It's good isn't it?
 