AMD security flaw saga, browsers broken, Lamo dead at 37, and more

The lingering fallout of security flaws in AMD processor chipsets has dominated the news this week, and it ain't over yet. The initial flaw disclosure on Tuesday was short on details and high on hype, and some thought that either the issue was massively overhyped or was being used to try and manipulate AMD's stock price. The …

  1. el kabong

    To be effective potential needs wisdom...

    or it will go to waste, you can see that happening all the time.

    "...a tragic end for someone who showed so much potential."

    Unfulfilled potential, there's plenty of that to go around.

    1. Destroy All Monsters Silver badge

      Re: To be effective potential needs wisdom...

      Also, uncalled-for pious platitudes.

      Shows potential: Excellent work in Galois theory at age 20

      Tragic end: Stupidly killed in a duel (in which he should have ripped out everyone's throat and shat down their necks but wasn't trained to do so)

      This is not that.

    2. oiseau Silver badge

      Re: To be effective potential needs wisdom...

      Sure ...

      But not just wisdom.

      Personal ethics (principles and values) are of paramount importance.

      His record seems to show he had nothing of the sort.

      He has been quoted (The Guardian 20180316) as saying:

      “Had I done nothing, I would always have been left wondering whether the hundreds of thousands of documents that had been leaked to unknown third parties would end up costing lives, either directly or indirectly.”

      My take?

      Utter bullshit.

      Cheers.

    3. Anonymous Coward

      Re: To be effective potential needs wisdom...

      As per Zeroday initiative blog:

      "As we do every year, the competition order was decided by random drawing in the contest room on the first day of the competition."

      So whether things are first or last to fall is rather meaningless.

  2. Anonymous Coward

    "I think that a better way, would be to notify the public on day zero that there are vulnerabilities and what is the impact," he wrote.

    He forgot to add that doing so would help Intel's bottom line and prepare for the announcement of the new improved backdoored Intel processors.

    1. Anonymous Coward

      If you're going to be THAT paranoid, you might as well assume ALL processors are backdoored in some way and accessible to SOME entity you don't like. Even if you try to look for some open-specced processor, you can't be sure that the final result will be identical, nor can you be assured that all the rest of the chips are similarly safe (and many don't have substitutes because they're patent-protected).

      1. Jack of Shadows Silver badge

        There's a small community of people working hard to address this problem. Verifiable hardware and software including the tools and supply chains. As we repeatedly find, trust is badly broken in our current methods and systems. Whether by intent, or no, really doesn't matter.

        Anyway, it keeps me amused as we turn things upside down, shake them, and shit keeps falling out.

        1. Anonymous Coward

          There's still some classes of chips for which substitutes are impossible, such as radio chips, because they're legally protected from being copycatted (for the radio chips, due to SEPs usually).

    2. Michael Wojcik Silver badge

      He forgot to add that doing so would help Intel's bottom line and prepare for the announcement of the new improved backdoored Intel processors.

      More likely he's simply shorting AMD stock. There's already evidence that was the plan, including CTSL's own admission of financial interest.

      Personally, I don't give a goddamn what some mercenary asshat like Luk-Zilberman, who shows no understanding of the long and complex debates over reasonable disclosure, thinks about disclosure policies. Spare us that sophomoric bullshit. Even if he's sincere, he hasn't made a substantial argument about disclosure, and he hasn't done anything to earn the assumption that he has one to make.

      I'm happy to see that CTSL has been roundly condemned by reputable security professionals. I hope this taints them for a good little while.

  3. steviebuk Silver badge

    I've been saying....

    ...for years how poor the lottery site's security is. For years they only allowed numbers and letters for a password and a small length. They originally didn't have a reset password option, you had to call them, and it was clear the weak password policy was to cut down on support calls.

    Eventually they allowed special characters but they don't tell you this when you change your password, they still have the wording numbers and letters.

    They still have yet to implement 2 factor authentication.

    I'm surprised they haven't been hit sooner.

    1. Adam 1 Silver badge

      Re: I've been saying....

      For anyone responsible for the design of a password handling system, please remember that your users are almost certainly the weakest link in your design. Our brains are not good at random and not good at memorising character sequences with no pattern or overlaying meaning. We (users in general) fail to see how our password choice on catappreciation.com matters. It's not my bank after all. Inevitably, we put a 1 on the end if we're forced to add a number, and change a to @ for the symbol requirements, to construct a simple to crack but hard to remember password.

      My suggestions to system designers:

      1. Get the server side right. Forget building your own hashing with sha-whatever. You need to be looking at bcrypt/scrypt/argon to manage things.

      2. Guide your users well. Let them paste passwords so they can use a password manager. Integrate your (re)set password screen with the Pwned Passwords API (the V2 one) to reject stupid choices (or download the torrent and roll your own private version if you don't trust Troy). There are plenty of public libraries for nuget/npm/pretty much anything you can name already, so you are talking about an hour of effort to really practically boost your users' security.
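As an added illustration of the two suggestions in the comment above (this is not code from the commenter, from Troy Hunt's service, or from any lottery site): the k-anonymity lookup that the Pwned Passwords V2 range API uses, where only the first five hex characters of the password's SHA-1 leave the client, and a server-side store using a memory-hard KDF with a per-user salt. `PWNED_RANGE_URL` is the real endpoint but is never contacted here; the range response is answered from a constructed breach table with made-up counts. `hashlib.scrypt` from the Python standard library stands in for the bcrypt/scrypt/argon2 choice, and the cost parameters are assumptions to be tuned on your own hardware.

```python
import hashlib
import hmac
import os
from typing import Callable, Dict, List, Optional

# Real Pwned Passwords range endpoint, kept for reference only: this block
# never makes a network call and answers from a constructed table instead.
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Assumed scrypt cost parameters: tune so one hash takes ~100 ms on your own
# hardware. Memory per hash is 128 * N * r bytes (16 MiB with these values).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def sha1_hex(password: str) -> str:
    """SHA-1 of the password as upper-case hex; the range API is keyed on this."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def constructed_range_lookup(breached: Dict[str, int]) -> Callable[[str], str]:
    """Stand-in for the HTTPS GET to PWNED_RANGE_URL + prefix.

    `breached` is a constructed {password: breach_count} table; the returned
    callable answers in the same 'SUFFIX:COUNT' line format the real API uses.
    """
    by_prefix: Dict[str, List[str]] = {}
    for pw, count in breached.items():
        h = sha1_hex(pw)
        by_prefix.setdefault(h[:5], []).append(f"{h[5:]}:{count}")

    def lookup(prefix: str) -> str:
        # The real API returns every suffix in the range, so include a filler
        # entry to make sure the parser matches rather than taking the first line.
        filler = "0" * 35 + ":0"
        return "\r\n".join([filler] + by_prefix.get(prefix.upper(), []))

    return lookup


def breach_count(password: str, range_lookup: Callable[[str], str]) -> int:
    """k-anonymity check: only the 5-character hash prefix is sent to the server;
    the 35-character suffix is matched locally against the returned range."""
    full = sha1_hex(password)
    prefix, suffix = full[:5], full[5:]
    for line in range_lookup(prefix).splitlines():
        cand, sep, count = line.strip().partition(":")
        if sep and hmac.compare_digest(cand.upper(), suffix):
            return int(count)
    return 0


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Memory-hard hash with a random per-user salt and self-describing parameters,
    so the cost can be raised later without breaking existing records."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the parameters stored in the record; compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return False
    _, n, r, p, salt_hex, dk_hex = parts
    try:
        expected = bytes.fromhex(dk_hex)
        dk = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=len(expected))
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(dk, expected)


def accept_new_password(password: str, range_lookup: Callable[[str], str],
                        min_length: int = 8) -> Optional[str]:
    """Policy in the spirit of the comment: a length floor plus a breach check,
    no composition rules. Returns None if acceptable, else the rejection reason."""
    if len(password) < min_length:
        return f"shorter than {min_length} characters"
    hits = breach_count(password, range_lookup)
    if hits:
        return f"seen {hits} times in known breaches"
    return None


if __name__ == "__main__":
    # Constructed breach table; the counts are made up for this demo.
    lookup = constructed_range_lookup({"password1": 123456, "letmein": 789})
    print(accept_new_password("password1", lookup))                      # rejected
    print(accept_new_password("correct horse battery staple", lookup))   # None
    stored = hash_password("correct horse battery staple")
    print(verify_password("correct horse battery staple", stored))       # True
```

In production the `range_lookup` callable would issue the HTTPS GET to `PWNED_RANGE_URL` plus the prefix (with a timeout, and failing open or closed according to your own risk appetite when the service is unreachable); everything else stays as written, since the suffix comparison and the KDF never depend on the network.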

  4. Walter Bishop Silver badge
    1. GrumpenKraut Silver badge

      Re: AMD less than 24 hours' notice about the issue

      The whole letter is a monument of "pants on fire".

      How stupid does this person assume everyone to be?

    2. Tomato42 Silver badge

      Re: AMD less than 24 hours' notice about the issue

      while Torvalds' sentiment of "security problems are primarily 'just bugs'" has a ring of truth to it, it also has a basic assumption behind it: you're running either the latest release or close to it.

      Well, newsflash: sensors living on underwater cables are not running the latest release, industrial equipment in general doesn't.

      So at the end of the day, security bugs need to be handled differently, whether we like it or not.

  5. david 12 Bronze badge

    "tortured"

    O ffs. What's next, "tortured" by being fed Marmite? "tortured" by being forced to listen to your arsehole neighbour's car engine tuning and late-night music?

    Manning was held naked in solitary confinement for long periods.

    Not even English has a separate word for every separate concept, but that's not an excuse for being deliberately misleading.

    1. Anonymous Coward

      Re: "tortured"

      Yes, naked in solitary, while under a regimen straight out of the psychological warfare manual. Additional treatment included forcing constant wake-ups to ensure dangerously extended sleep deprivation, stress positions, cold exposure, etc. etc.

      In short, everything that they thought they could get away with and skirt the limits of the constitution. Only, as it turns out, after the new regime took over they decided they had overstepped those bounds and had jeopardized being able to take him to trial.

      Be careful how you let your government treat other people. You may be one some day, through no fault of your own.

      I also wonder if we'd be reading this headline about Adrian Lamo if Manning had gotten fair treatment and a real trial. Unfortunately the names Manning or Lamo or Swartz don't get you the same special access to the legal system as names like Clinton, Trump, Bush or Kennedy.

  6. This post has been deleted by its author

  7. Anonymous Coward

    RIP Lamo

    To die so young is a tragedy, we mourn his passing with great sadness.

    If anything it reiterates how important it is to ensure that we remember that those on the other side of the screen are still fragile and emotional human beings and treat them with respect.

    This is not the time for people to criticize political views and suchlike, so please do not.

    -Anonymous

  8. Anonymous Coward

    Just a stock manipulation program

    There are no actual defects in the AMD CPUs. The only means to alter the secure area of the AMD CPUs is if you have full administrative privileges. The FUD claims of CTS Labs and others appear to be an effort to manipulate stock prices and divert attention away from Intel's documented CPU defects that can't be fixed. Some believe that Intel is behind the meritless security claims on AMD CPUs. When the smoke clears it looks like some folks will be spending a lot of time in the Iron Bar Hotel and Intel may be forking over billions to AMD before Intel declares bankruptcy for its decades of production of defective CPUs.

    1. Charles 9 Silver badge

      Re: Just a stock manipulation program

      And if Intel takes the cheaper route of just bribing everyone to make it all go away?

  9. chivo243 Silver badge

    Color me Purple

    Holding my breath until Flash is gone... 2 years!

  10. Anonymous Noel Coward

    That headline

    That's one hell of an AMD flaw if it's enough to kill someone at 37.

  11. woakesd

    National lottery

    I was asked to change my password. Thing is I am completely certain the password was unique...
