Re: Closed black box firmware
No, AMD doesn't look as bad as Intel, unless you're taken in by all the sparkles and glitter in the news release.
And since when is Intel cheaper? Not in my living memory has Intel been the cheaper option.
CTS-Labs, a security startup founded last year in Israel, sent everyone scrambling and headlines flying today – by claiming it has identified "multiple critical security vulnerabilities and manufacturer backdoors in AMD’s latest Epyc, Ryzen, Ryzen Pro, and Ryzen Mobile processors." Tuesday's glitzy advisory disclosed no …
This post has been deleted by its author
This post has been deleted by its author
The flaws do seem awfully similar to the Intel AMT flaws.
Once details are released to verify existing workarounds to this either work or require additional fixes then we can properly asses the impact.
One day notice, unverified claims and an analyst citing the company being worthless makes this awfully suspicious.
Actually, IIRC Intel AMT flaws are worse, because to exploit those you do not need:
1) root access
2) any local access at all
The only unusual quality of these new AMD attacks is that they can remain under the radar for a very long time, making "evil maid attack" particularly dangerous.
...an analyst who has already been implicated of market manipulation.
https://translate.google.com/translate?hl=en&sl=de&tl=en&u=https%3A%2F%2Fwww.handelsblatt.com%2Funternehmen%2Fit-medien%2Ffinanzmarkzaufsicht-bafin-nimmt-pro-sieben-kritiker-viceroy-ins-visier%2F21061952.html
You do realize that's local root access *at any point in the life of the machine*, right? So how do you know that the person you bought the machine from didn't install malware? How do you even get a copy of a "golden" ROM to restore a potentially infected mainboard / CPU?
There's a lot more to this than just "current local root"...
This is a ridiculous argument and leads right back to "trusting trust".
If you don't trust the manufacturer, the shipper, the prepper, or the administrator of the system, then OF COURSE you don't trust the system. That point should be obvious.
We have had a policy in the unit I was in previously (and now I have brought it to my current company) that "physical access is the final barrier". And that's it. TCM concepts and whatnot are simply never, ever workable. Even the classic "evil maid" attack isn't actually mitigated by UEFI or TCM because the firmware itself can be replaced with physical access (whether or not root on a running system). The softness of software makes it impossible to know anything about any mutual trustworthiness scheme where two soft modules verify one another.
Go write a package manager. Or a "secure" compiler suite. Have fun figuring out where a reasonable "bottom" lies as you start digging into issues about trusting trust.
This was CLEARLY a hit piece on AMD. I don't know if Intel funded it -- it seems highly plausible but unlikely because it could probably be easily traced back to them -- but whoever did certainly had an anti-AMD agenda and picked their moment to counteract the slew of recent Intel flaws.
Whats the bet a Wholly-owned subsidiary of intel letni corp USA
Looking at it it has to be part of the publicity department.
This report is designed to counter the drop in sales if Intel gear to the general public (I know several gamers that were going to get new Intel kit but have now got Ryzen instead and I doubt they are the only ones).
I would tend to agree, the whole website is slickly put together with fancy logos, catchy brand damaging names for bugs 'Ryzenfall' etc. Talk of 'risk to life' and other sensationalist nonsense.
No doubt in my mind its a thoroughly unsubtle Intel smear campaign regardless of whether the bugs are all legit.
Funny how this sort of thing pops up when another company dares to challenge the mighty intel and its bottom line
The names are not 'Ryzenfall' etc. but RYZENFALL - to make it scarier. FALLOUT. CHIMERA. MASTERKEY. DEATHNOTE. EBOLACOLA. ANTANDEC. (I put some of those in as well as the original ones.)
"Rise and fall" also is (the second part) what they seem to have wanted to make happen to AMD's stock price. Which, we are told, has not.
If this was a long time planning, with or without real flaws (or some real and some fake), then maybe the wind was taken out of its sails by Spectre and Meltdown - someone else's discovery of serious security flaws in lots of AMD processors and, if I have this right, more of serious security flaws in Intel processors.
Although if Intel is behind RYZENSHINE as well, maybe Spectre etc is where they got the idea, and perhaps they wanted to equalise after arguably coming off worst that time. They knew about those problems a long time before we did.
it is an intentional smear campaign...if this issue has been KNOWN about for 6+ years, how is it that we just hear about it NOW, let alone only 24 hours ago from a company that HIDES all their actual info for contact to contact etc..they use GoDaddy FFS...smear campaign period, last I checked Intel was very much sided with their israel team (who was the prime design team behind core solo (and since all the Core base designs e.g core 2 duo core 2 quad, core i series et al)
I have a feeling it is meant to be a "short" to drive stock price down so that Intel can make a little side action purchasing, especially because the updated Ryzen 2000 series as well as more substantial x4xx motherboard line is very soon to come out, Intel is likely scrambling the best way they can to avoid loss of revenue, if they smear them enough, than perhaps it will mean some countries/vendors will not bother going with AMD.
However, AMD deals with NASDAQ, which is new york based, if AMD pulls this other company into court for defamation/slander/libel they can be awarded triple damages (if win)..and likely Intel will have gotten crafty to make sure they are "ept at a distance" because of the fact that Intel had to pay out billions to AMD (from my understanding still have not paid this sum in full)
Intel will do whatever they possibly can to make sure their largest direct cpu competitor gets the lowest amount of potential market share as possible (5-6% would be a drop in the bucket for Intel revenue but a massive gain for AMD funding) Ryzen very much caught Intel off guard, they have been forced to rush products out, had many teething issues that could have and should have easily been avoided.
Anyways, IMHO this sounds like a duck, it quacks like a duck therefore it can only be....FFS a brand new security firm in Intel "home" design land this company formed a at least as far as the godaddy account almost 2 months to the day BEFORE Ryzen launched, seems to me they had AMPLE time to "let folks know" they did not, I call pure BS on them outright.
In Intel's defence, this looks too much like shorting AMD for ANY listed company to get involved with.
If any links are found to Intel in this, expect a lot of rapid terminations to try and distance themselves from any SEC retaliation.
As for the security agencies, I suspect they would have preferred it wasn't publicly released. Maybe a former employee looking to cash in after finding themselves short of work?
This post has been deleted by its author
This post has been deleted by its author
I think you will find money trails are a lot harder to follow than working out how to diagnose the most obtuse security problems. Which is strange when, of modern business skills, accountancy is the one that should be most easy to make completely transparent and traceable.
Strange that.
Intel are a massive employer in Israel (10,000s), so it wouldn't be surprising if a few Intel workers had also worked in security and would like a bite at AMD following Intel's woes..
There's a lot of geo-political business related tension in Israel recently, the most valuable company in Israel (Teva Pharmaceutical) just had the patent rights expire on a blockbuster drug (~$4bn pa revenue, big news for a small ~ 8m population), so with Intel and Teva on the ropes, it's not surprising some of their workers would potentially consider pointing out flaws in the opposition.
Do not underestimate the power of finance share geezers shorting a stock to make £100m in a day either by posting 'market changing information' in public - it would not be the first time, that's usually the US or London traders though.
I say a comment somewhere which proved the people from "CTS" were using a green screen for their promotional video. They easily found stock photos of the backgrounds used in the video.
https://i.imgur.com/OkWlIxA.jpg
Regardless, something is not right when you give a company 24 hours to fix a security hole. And the AMD flaws website (what was it again?) was registered in late February, so they at least knew for over 24 hours. And something is not right when the WHOIS records for your websites are registered using Domains by Proxy. Why would would a serious company go to such trouble to conceal their identity? Everything about this feels wrong.
@Wade Burchette: "I say a comment somewhere which proved the people from "CTS" were using a green screen"
*Yawn*
Meltdown... Spectre... and now this.
The only question I'm asking is have these chip 'flaws' surpassed Y2K yet as the biggest non event in computing history?
Gotta keep that good old 'security company' money making gravy train rolling along... I'm sure MS love it too as it enables them to maintain control of peoples' computers with the never ending updates.
Perhaps we might have a more peaceful, 'security flaw' free computing experience if these security companies went out of business.
Not sure what the downvotes are all about for my last post?
I thought it would be obvious by now that we are all being played for suckers with these never ending security issues. I know of a group of people (using Windows 7) who have not updated for nearly a year now and they have had ZERO security issues with their computers. And, yes... they do use them online (unlike myself, who has taken the wise step of keeping Windows 7 offline for good now and using Linux Mint for everything I do online).
I'm convinced that the world would never hear about things like Meltdown, Spectre, etc. if these so called security companies kept their mouths shut instead the constant "Ooohh... look what I've found" boasting that we see constantly these days. Reminds me of a juvenile dick measuring contest. Of course, their big fat pay cheques no doubt have a lot to do with it as well.
I'll bet the average hacker wannabe/script kiddie would never discover the majority of these so called security vulnerabilities in a million years.
I thought it would be obvious by now that we are all being played for suckers with these never ending security issues. I know of a group of people (using Windows 7) who have not updated for nearly a year now and they have had ZERO security issues with their computers.
The think they've had ZERO security issues. FTFY. The point of some of these exploits is it is near impossible to tell. More so for people who haven't updated in 12 months and have saloon doors for security.
> I know of a group of people (using Windows 7) who have not updated for nearly a year now and they have had ZERO security issues with their computers.
>...I'm convinced that the world would never hear about things like Meltdown, Spectre, etc. if these so called security companies kept their mouths shut instead the constant "Ooohh... look what I've found"
I know a group of people who have never been killed in a car crash, therefore car safety is overrated.
I know a group of people who drive without seatbelts, and none of them have died in a car accident, seatbelts are overrated.
I know a group of people who haven't vaccinated their kids, vaccines are overrated.
I know a group of people who haven't died from cancer, cancer is overrated.
I can continue drawing false equivalencies like you have if you like.
@Carl D - Y2K was a big issue, and the problems were real. The software we used at the time would have broken if unpatched, I tested it and the scheduling went haywire.
It's probably fair to say a reasonable amount of the defects were display issues, but then again, if you're writing 19100 out to a file and it's being used elsewhere...
Sure but the warnings that your washing machine will self-combust because it thinks that Queen Victoria is back on the Throne were probably a bit overdone.
"As we emerge from the bunker and see not a world in flames, but merely several websites displaying the date as 19100 and a frantically back-pedalling Ed Yourdon, we have come to regret our decision to trade NTK's webserver for eight sacks of lentils."
http://www.ntk.net/2000/01/07/
That's unavoidable due to humans and business. Someone is always going to try and make a quick buck, so yes, the average user buying a patch to stop their software displaying 19100 is probably wasting their time.
No-one sells papers by saying 'IT industry are responsible, there will be no problem' when they can sell papers twice by first claiming it will be a disaster, and afterwards that it was hot air.
The message had to be broadcast, as everyone uses computers these days. A side effect to any large event is always someone trying to exploit it.
"Not sure what the downvotes are all about for my last post?"
Like many here I was deeply involved in fixing Y2K issues, and the problem was very real - most of them embarrassingly so.
We expect ill-informed comments like that from the tabloids, not El Reg readers.
What if Y2K when it happened had caused loads of real problems? The tabloids would have moaned that with all their warnings, and "all the money thrown on it [by poor tax payers already propping up immigrants and doleys]", we still couldn't sort it out.
P.S. Incorrect use of question marks bugs me. Are you not sure, or unsure whether you're not sure?
</grumpyoldgit>