AMDFLAWS: a series of potentially devastating (but controversial) attacks on AMD processors


#1

Originally published at: https://boingboing.net/2018/03/14/ring-minus-one.html


#2

Quis custodiet ipsos custodes?


#3

This was an interesting topic of discussion in certain areas yesterday.


#4

It’s dodgy and people suspect these guys are just shorting the stock.


#5

If this coprocessor is insecure enough that a malicious program can install bad code on it, surely it must also be insecure enough that an anti-virus program can get in to check the code using the same loopholes?


#6

Cory, please, do stick to stuff you know something about. The only “devastating” thing here is that an infosec company with no history/reputation (started last year!), with fake offices (yay for greenscreen and stock images: https://www.reddit.com/r/Amd/comments/846gpm/how_cts_labs_created_their_offices_out_of_thin_air/) publishes tall claims with hysterical “THE WORLD IS ABOUT TO END!!!” quotes for gullible journalists to pick up and trumpet to the world without thinking.

The alleged bugs are on the level - “if you manage to defeat all the protections that are in place to prevent an attacker from doing a bad thing and you install bad code, then the hardware will do bad things”. What a surprise … Pretty much any computer platform would be “vulnerable” to something like that. Oh and there is no proof of concept or any evidence that those bugs are actually real neither.

Linus Torvalds has actually made a pretty scathing comments today about this “security research”. Look at the comments of this posts, plenty of juicy details there:

Another good analysis here:

Oh and they openly admit that they have financial interest in the performance of the stock of the affected company/companies (aka = “we have a lot of stock shorted and are waiting for the price to fall to get rich”):
https://plus.google.com/u/0/photos/photo/107691710289083956125/6532506318903860002?icm=true&iso=false&ftu=false

It is most likely a security fraud that is exploiting clueless journalists to hopefully start a market panic and drive down AMD’s stock price, so that a few fellows can line their pockets. Classic “pump and dump” scam, just in reverse.


#7

What does that even mean?

Beyond the superficial, that is. Okay, it checks to see if the OS is valid and untampered. How? Check the signature on the updated Linux kernel I just updated, against what?

Searching on “validating the operating system AMD” gives this article suspiciously high in the results.


#8

so the takeaway here people is that if someone has physical access to your system, you are in trouble. I know this comes as a big shock to most of us but we will somehow assimilate this information so we can all continue to do nothing different.


#9

This flaw is very disconcerting, and we should fix it right away, but before we do that, we ought to take the guys at CTS Labs out back and knock them upside the head for only giving AMD 24 hours notice before going public with their findings.


#10

#11

There’s no evidence for it whatsoever, but I have to admit, my initial thought on seeing these headlines was-

Wow. Intel were really pissed off at meltdown being tagged as a problem with their chips.


#12

They only started last year, but they’re connected to another company, Viceroy Research, who are notorious for pulling shady tricks to manipulate stock prices. They’re basically malicious short-sellers, they go in, short a bunch of stock, and them mysteriously find some major problem that harms the stock price. They pulled a very similar trick on ProSieben, a German cable network, they pulled one against Capitec Bank in South Africa, and a few other companies.

This is a straight-up scam, sure as sure.


#13

Linux Weekly News has a few interesting bits mixed in with the comments, particularly,

Looks like the sky isn’t falling after all.


#14

[not in citation], or am I overlooking something?


#15

From the disclaimer:

That’s very clearly what Cory was refering to.


#16

https://imgur.com/OkWlIxA


#17

The most insulting thing is that it’s not even good green-screen. That’s some rank amateur chroma-keying, look at those bright and obvious edges! The shit blending, the non-matching light. Fucking disappointing, if you’re going to run a scam, at least put some basic effort in to do it right.


#18

This topic was automatically closed after 5 days. New replies are no longer allowed.