back to article OK, deep breath, relax... Let's have a sober look at these 'ere annoying AMD chip security flaws

CTS-Labs, a security startup founded last year in Israel, sent everyone scrambling and headlines flying today – by claiming it has identified "multiple critical security vulnerabilities and manufacturer backdoors in AMD’s latest Epyc, Ryzen, Ryzen Pro, and Ryzen Mobile processors." Tuesday's glitzy advisory disclosed no …

This post has been deleted by its author

Re: Closed black box firmware

No, AMD doesn't look as bad as Intel, unless you're taken in by all the sparkles and glitter in the news release.

And since when is Intel cheaper? Not in my living memory has Intel been the cheaper option.

91
2

This post has been deleted by its author

Silver badge

Re: Closed black box firmware

but Intel's cheaper

Thanks for stopping by from your strange parallel universe...

70
0

Re: Closed black box firmware

intel cheaper LMFAO, cheaper when it comes to their "design" philosophy maybe, but not at all when it comes to the finished product.

32
2
Anonymous Coward

Re: Closed black box firmware

Lots of AMD fanboys here. Enjoy your AMD/blackhat-controlled processors!

2
59
Silver badge
Headmaster

Re: Closed black box firmware

"but Intel's cheaper"

Their what is cheaper?

36
3
Bronze badge

Re: Closed black box firmware

Enjoy your remotley pwnable without creds Intel processor with the AMT flaw.

I'll stick to an AMD with a requires local root access to do anything

40
0
Anonymous Coward

Re: Closed black box firmware

The flaws do seem awfully similar to the Intel AMT flaws.

Once details are released to verify existing workarounds to this either work or require additional fixes then we can properly asses the impact.

One day notice, unverified claims and an analyst citing the company being worthless makes this awfully suspicious.

24
0
Silver badge

Re: Closed black box firmware

Actually, IIRC Intel AMT flaws are worse, because to exploit those you do not need:

1) root access

2) any local access at all

The only unusual quality of these new AMD attacks is that they can remain under the radar for a very long time, making "evil maid attack" particularly dangerous.

14
0

Re: Closed black box firmware

...an analyst who has already been implicated of market manipulation.

https://translate.google.com/translate?hl=en&sl=de&tl=en&u=https%3A%2F%2Fwww.handelsblatt.com%2Funternehmen%2Fit-medien%2Ffinanzmarkzaufsicht-bafin-nimmt-pro-sieben-kritiker-viceroy-ins-visier%2F21061952.html

6
0
Bronze badge
Megaphone

Re: Closed black box firmware

You do realize that's local root access *at any point in the life of the machine*, right? So how do you know that the person you bought the machine from didn't install malware? How do you even get a copy of a "golden" ROM to restore a potentially infected mainboard / CPU?

There's a lot more to this than just "current local root"...

1
2
Bronze badge

Re: Closed black box firmware

Not everyone uses current Intel or AMD chips, for what it's worth. AC probably uses something else, like one of the old ME-free CPUs or even one of the non-x86 options out there.

3
0
Silver badge

Re: Closed black box firmware

Thanks for stopping by from your strange parallel universe...

Perhaps he works for Viceroy Research. They see the world differently. Up is down, black is white, higher prices are cheaper, stock-price manipulation is ethical.

9
0

Re: Closed black box firmware

This is a ridiculous argument and leads right back to "trusting trust".

If you don't trust the manufacturer, the shipper, the prepper, or the administrator of the system, then OF COURSE you don't trust the system. That point should be obvious.

We have had a policy in the unit I was in previously (and now I have brought it to my current company) that "physical access is the final barrier". And that's it. TCM concepts and whatnot are simply never, ever workable. Even the classic "evil maid" attack isn't actually mitigated by UEFI or TCM because the firmware itself can be replaced with physical access (whether or not root on a running system). The softness of software makes it impossible to know anything about any mutual trustworthiness scheme where two soft modules verify one another.

Go write a package manager. Or a "secure" compiler suite. Have fun figuring out where a reasonable "bottom" lies as you start digging into issues about trusting trust.

This was CLEARLY a hit piece on AMD. I don't know if Intel funded it -- it seems highly plausible but unlikely because it could probably be easily traced back to them -- but whoever did certainly had an anti-AMD agenda and picked their moment to counteract the slew of recent Intel flaws.

1
0
Anonymous Coward

Martin Shkreli or Paul Singer?

John Fraser Perring sounds like either Martin Shkreli or Paul Singer, depending upon your druthers, of the technical world, in other words, parasites looking to make money on other's misfortune. And as usual, Linus Torvalds has a great quote.

51
2
Silver badge
Thumb Up

Re: Martin Shkreli or Paul Singer?

"And as usual, Linus Torvalds has a great quote."

Yep

44
2
Silver badge

Linus, I love you....

... but we only have 14 hours left to save the Earth!

15
0
Silver badge
Unhappy

Odiferous Rodent

This whole thing stinks. A security company nobody's ever heard of. Instant 'disclosure'. No truly independent confirmation. No context. This can't possibly be anything except an attempt to damage AMD.

98
2
Pint

Re: Odiferous Rodent

Certainly looks like an intel smear campaign doesn't it. Intel are known to have a big presence in Israel, I wonder if they have recently invested in any 'security' startups.

54
3
Silver badge
Facepalm

Re: Odiferous Rodent

CTS-Labs, a security startup founded last year in Israel

Whats the bet a Wholly-owned subsidiary of intel letni corp USA

42
2

Re: Odiferous Rodent

I would tend to agree, the whole website is slickly put together with fancy logos, catchy brand damaging names for bugs 'Ryzenfall' etc. Talk of 'risk to life' and other sensationalist nonsense.

No doubt in my mind its a thoroughly unsubtle Intel smear campaign regardless of whether the bugs are all legit.

Funny how this sort of thing pops up when another company dares to challenge the mighty intel and its bottom line

42
2
Anonymous Coward

Re: Odiferous Rodent

Don't forget the significant funding from the NSA, Mossad and all the other usual suspects who just love, really love backdoors.

10
2

Re: Odiferous Rodent

it is an intentional smear campaign...if this issue has been KNOWN about for 6+ years, how is it that we just hear about it NOW, let alone only 24 hours ago from a company that HIDES all their actual info for contact to contact etc..they use GoDaddy FFS...smear campaign period, last I checked Intel was very much sided with their israel team (who was the prime design team behind core solo (and since all the Core base designs e.g core 2 duo core 2 quad, core i series et al)

I have a feeling it is meant to be a "short" to drive stock price down so that Intel can make a little side action purchasing, especially because the updated Ryzen 2000 series as well as more substantial x4xx motherboard line is very soon to come out, Intel is likely scrambling the best way they can to avoid loss of revenue, if they smear them enough, than perhaps it will mean some countries/vendors will not bother going with AMD.

However, AMD deals with NASDAQ, which is new york based, if AMD pulls this other company into court for defamation/slander/libel they can be awarded triple damages (if win)..and likely Intel will have gotten crafty to make sure they are "ept at a distance" because of the fact that Intel had to pay out billions to AMD (from my understanding still have not paid this sum in full)

Intel will do whatever they possibly can to make sure their largest direct cpu competitor gets the lowest amount of potential market share as possible (5-6% would be a drop in the bucket for Intel revenue but a massive gain for AMD funding) Ryzen very much caught Intel off guard, they have been forced to rush products out, had many teething issues that could have and should have easily been avoided.

Anyways, IMHO this sounds like a duck, it quacks like a duck therefore it can only be....FFS a brand new security firm in Intel "home" design land this company formed a at least as far as the godaddy account almost 2 months to the day BEFORE Ryzen launched, seems to me they had AMPLE time to "let folks know" they did not, I call pure BS on them outright.

34
2
Silver badge

Re: Odiferous Rodent

Don't forget the significant funding from the NSA, Mossad and all the other usual suspects who just love, really love backdoors.

If this is the case then why would they publicise the flaws?

10
0
Anonymous Coward

Re: Odiferous Rodent

In Intel's defence, this looks too much like shorting AMD for ANY listed company to get involved with.

If any links are found to Intel in this, expect a lot of rapid terminations to try and distance themselves from any SEC retaliation.

As for the security agencies, I suspect they would have preferred it wasn't publicly released. Maybe a former employee looking to cash in after finding themselves short of work?

17
0
Silver badge

Re: Odiferous Rodent

"If this is the case then why would they publicise the flaws?"

Maybe they think Intel are easier to compromise than AMD.

9
0
Anonymous Coward

Re: Odiferous Rodent

Whats the bet a Wholly-owned subsidiary of intel letni corp USA

Looking at it it has to be part of the publicity department.

This report is designed to counter the drop in sales if Intel gear to the general public (I know several gamers that were going to get new Intel kit but have now got Ryzen instead and I doubt they are the only ones).

13
0
Silver badge

Re: Odiferous Rodent

The names are not 'Ryzenfall' etc. but RYZENFALL - to make it scarier. FALLOUT. CHIMERA. MASTERKEY. DEATHNOTE. EBOLACOLA. ANTANDEC. (I put some of those in as well as the original ones.)

"Rise and fall" also is (the second part) what they seem to have wanted to make happen to AMD's stock price. Which, we are told, has not.

If this was a long time planning, with or without real flaws (or some real and some fake), then maybe the wind was taken out of its sails by Spectre and Meltdown - someone else's discovery of serious security flaws in lots of AMD processors and, if I have this right, more of serious security flaws in Intel processors.

Although if Intel is behind RYZENSHINE as well, maybe Spectre etc is where they got the idea, and perhaps they wanted to equalise after arguably coming off worst that time. They knew about those problems a long time before we did.

14
0
Silver badge

Re: Odiferous Rodent

"Odiferous Rodent"

Brilliant name for the next major release of Windows.

6
0
Silver badge
Boffin

Re: Odiferous Rodent

Re "Brilliant name for the next major release of Windows."

Or the next release of Umbongo with added systemd?

5
0
Anonymous Coward

Cui bono?

I wonder if the money trail leads back to Intel? I hope not, but sometimes competitors lose their minds and do crazy stuff.

39
1
Anonymous Coward

Re: Cui bono?

"I wonder if the money trail leads back to Intel?"

Especially given that Intel has a major facility in Israel.

29
2
Anonymous Coward

Re: I wonder if the money trail leads back to Intel?

Guess that depends on how good Intel's accountants are.....

15
0

Re: Cui bono?

Intel are a massive employer in Israel (10,000s), so it wouldn't be surprising if a few Intel workers had also worked in security and would like a bite at AMD following Intel's woes..

There's a lot of geo-political business related tension in Israel recently, the most valuable company in Israel (Teva Pharmaceutical) just had the patent rights expire on a blockbuster drug (~$4bn pa revenue, big news for a small ~ 8m population), so with Intel and Teva on the ropes, it's not surprising some of their workers would potentially consider pointing out flaws in the opposition.

Do not underestimate the power of finance share geezers shorting a stock to make £100m in a day either by posting 'market changing information' in public - it would not be the first time, that's usually the US or London traders though.

18
0

This post has been deleted by its author

Anonymous Coward

Re: I wonder if the money trail leads back to Intel?

and lawyers - corporate black ops goes via the legal departments so they can appeal to client confidentiality ... allegedly

2
0
Silver badge

Re: I wonder if the money trail leads back to Intel?

I think you will find money trails are a lot harder to follow than working out how to diagnose the most obtuse security problems. Which is strange when, of modern business skills, accountancy is the one that should be most easy to make completely transparent and traceable.

Strange that.

8
0

Something is not right

I say a comment somewhere which proved the people from "CTS" were using a green screen for their promotional video. They easily found stock photos of the backgrounds used in the video.

https://i.imgur.com/OkWlIxA.jpg

Regardless, something is not right when you give a company 24 hours to fix a security hole. And the AMD flaws website (what was it again?) was registered in late February, so they at least knew for over 24 hours. And something is not right when the WHOIS records for your websites are registered using Domains by Proxy. Why would would a serious company go to such trouble to conceal their identity? Everything about this feels wrong.

73
1
Silver badge
Alien

Re: Something is not right

@Wade Burchette: "I say a comment somewhere which proved the people from "CTS" were using a green screen"

AMD Flaws Interview

5
0

Re: Something is not right

https://youtu.be/ZZ7H1WTqaeo

Gamers Nexus call it an assassination attempt.

3
0

*Yawn*

Meltdown... Spectre... and now this.

The only question I'm asking is have these chip 'flaws' surpassed Y2K yet as the biggest non event in computing history?

Gotta keep that good old 'security company' money making gravy train rolling along... I'm sure MS love it too as it enables them to maintain control of peoples' computers with the never ending updates.

Perhaps we might have a more peaceful, 'security flaw' free computing experience if these security companies went out of business.

3
32

Not sure what the downvotes are all about for my last post?

I thought it would be obvious by now that we are all being played for suckers with these never ending security issues. I know of a group of people (using Windows 7) who have not updated for nearly a year now and they have had ZERO security issues with their computers. And, yes... they do use them online (unlike myself, who has taken the wise step of keeping Windows 7 offline for good now and using Linux Mint for everything I do online).

I'm convinced that the world would never hear about things like Meltdown, Spectre, etc. if these so called security companies kept their mouths shut instead the constant "Ooohh... look what I've found" boasting that we see constantly these days. Reminds me of a juvenile dick measuring contest. Of course, their big fat pay cheques no doubt have a lot to do with it as well.

I'll bet the average hacker wannabe/script kiddie would never discover the majority of these so called security vulnerabilities in a million years.

1
34
Silver badge

I thought it would be obvious by now that we are all being played for suckers with these never ending security issues. I know of a group of people (using Windows 7) who have not updated for nearly a year now and they have had ZERO security issues with their computers.

The think they've had ZERO security issues. FTFY. The point of some of these exploits is it is near impossible to tell. More so for people who haven't updated in 12 months and have saloon doors for security.

18
1
Silver badge

> I know of a group of people (using Windows 7) who have not updated for nearly a year now and they have had ZERO security issues with their computers.

>...I'm convinced that the world would never hear about things like Meltdown, Spectre, etc. if these so called security companies kept their mouths shut instead the constant "Ooohh... look what I've found"

I know a group of people who have never been killed in a car crash, therefore car safety is overrated.

I know a group of people who drive without seatbelts, and none of them have died in a car accident, seatbelts are overrated.

I know a group of people who haven't vaccinated their kids, vaccines are overrated.

I know a group of people who haven't died from cancer, cancer is overrated.

I can continue drawing false equivalencies like you have if you like.

48
0

The only question I'm asking is have these chip 'flaws' surpassed Y2K yet as the biggest non event in computing history?

As one of a large number of people who worked pretty hard to make sure that everything worked reasonably well come 01/01/2000, I think that I can guess why you might have a few downvotes on this post.

35
0
Silver badge

@Carl D - Y2K was a big issue, and the problems were real. The software we used at the time would have broken if unpatched, I tested it and the scheduling went haywire.

It's probably fair to say a reasonable amount of the defects were display issues, but then again, if you're writing 19100 out to a file and it's being used elsewhere...

17
0
Silver badge

Sure but the warnings that your washing machine will self-combust because it thinks that Queen Victoria is back on the Throne were probably a bit overdone.

"As we emerge from the bunker and see not a world in flames, but merely several websites displaying the date as 19100 and a frantically back-pedalling Ed Yourdon, we have come to regret our decision to trade NTK's webserver for eight sacks of lentils."

http://www.ntk.net/2000/01/07/

9
1
Silver badge

That's unavoidable due to humans and business. Someone is always going to try and make a quick buck, so yes, the average user buying a patch to stop their software displaying 19100 is probably wasting their time.

No-one sells papers by saying 'IT industry are responsible, there will be no problem' when they can sell papers twice by first claiming it will be a disaster, and afterwards that it was hot air.

The message had to be broadcast, as everyone uses computers these days. A side effect to any large event is always someone trying to exploit it.

5
0
Silver badge

"Not sure what the downvotes are all about for my last post?"

Like many here I was deeply involved in fixing Y2K issues, and the problem was very real - most of them embarrassingly so.

We expect ill-informed comments like that from the tabloids, not El Reg readers.

What if Y2K when it happened had caused loads of real problems? The tabloids would have moaned that with all their warnings, and "all the money thrown on it [by poor tax payers already propping up immigrants and doleys]", we still couldn't sort it out.

P.S. Incorrect use of question marks bugs me. Are you not sure, or unsure whether you're not sure?

</grumpyoldgit>

13
0

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Forums

Biting the hand that feeds IT © 1998–2018