David89

That's an oversimplification however. Some people value a car more than others, and use it differently. In my case I enjoy driving and drive a convertible (BMW E93) that has decent speed. (about 7-7,5 secs to 100kph/62mph). For some people this doesn't matter, but I really enjoy it.
 
You could argue the same for people who pay insane amounts every month, but not only do a lot of them severely struggle to pay, which I don't, and the diminishing returns of buying new vs a similar car that is 10+ years old, is just bad. New cars are 1 of the worst ways to spend your money from a monetary standpoint. Buying them through some plan makes it even worse. Add that if you can barely afford it, and it amounts to people being really stupid.

This is a ridiculous statement. In the US under 10% of new car sales are electric. 
If one has the means and desire to purchase electric, it's a good choice, but it's certainly not a necessity. Electric vehicles, their technology, and the surrounding infrastructure are, by comparison, still it's it's infancy. 
 
Yes, that's true, but it was also prior to entire suburban and metro infrastructure being built assuming you had a vehicle to transport you from A to B. You can't say "well cars worked in the 1920s prior to gas stations being on every corner so we deal with the sub-optimal infrastructure for electric!" because you can't live on sub-optimal infrastructure and live in the modern world. I need to know that my car is going to be able to take me where I need to go without worry and without question or hiccup because I can't accept anything less and be a functional adult in the US. 

On this, I disagree, but I wish it would be possible to get EV conversion kits/engines for relatively recent cars that made sense economically (and engineering-wise) for those vehicles you speak of in a junkyard.

I just don't agree with this point specifically, assuming buying a new car is a necessity. I think its too broad of a conclusion for how the most of the world's infrastructure is setup, including maintenance. I imagine a local mechanic could 'service' a new EV, but they probably won't be able to do much if they don't have the right equipment.
 
I'm even looking at adding several KW of solar panels to my new house, which may or may not justify buying an EV. Though that's just normal traffic, and I'd rather still have the reliability/consistency of an ICE vehicle. I'm basically forced to use a truck for various reasons and its not that I couldn't afford an expensive EV truck, its just simply not worth it. I am looking at EV dual sport DOT approved bikes though, which would be an economically/ecologically friendly way of commuting my soon to be shorter commute. I've also had electric yard equipment for the last several years, since buying an ICE lawnmower/weed-wacker just felt dumb.

To me, the funniest thing about that argument is, one can apply that to everything. Why use a 7950X, when a 7600 is more than sufficient?
 
The simple fact of the matter is: We could all go back to planned economy and only produce that, that's actually needed and "the best" for all. Does anyone in their right mind want that? No. Thing x is more expensive, yes, does it matter? No, if that's what i want or if that product is better suited for what i need it do to.
 
Apart from that, that number is mighty different in all parts of the world. For the BEV example, if you rent an apartment in Germany, you have to drive to chargers. Most of these are fast chargers, making them ridiculously expensive (like 80 cents per kwh). Even with projected E-Fuel/Synthetic Fuel prices of ~ 2,50 Euro per Liters, a BEV that averages 18 kWh/100km  would cost in excess of 14 Euros per 100 km. My Mazda CX-60 Diesel can be driven with less than 5 l/100 km, at 2,50 Euro per Liter that would make for 12,50 per 100 km. The funny thing is, I'm fueling up with HVO Diesel at the moment (synthetic fuel, 90% less Co2)...for 1,82 Euros per Liter. It's expected that the price rises to roughly 2 Euros, but not much more than that, making it 10 Euros per 100 km. Sure, there are BEVs that are using only 14 kWh per 100 km and you could argue that most flats/apartments will get chargers that are a lot cheaper...but that's at least 10 years off.
 
Now - if we do that exact calculation with used cars...BEVs are even more expensive. One of the cheapest BEVs right now is the Fiat 500E or in Europe especially the Dacia Spring (which is not a car i would driven, even gifted). The Fiat in Germany is roughly 30k Euros. No idea how it is in Canada, but for 10k Euros you get lot's of cars, like a Golf 1.6 TDI that's really easy to drive at around 5 l/100km (probably even less). Let's add 5k in savings to keep the car "alive" for the next 10 years and add the costs for driving it 200.000 km (20k per year is on the upper end for Germany...probably the same for canada?) - plus 18k in fuel, plus let's say 14k in upkeep (insurance, tax, etc). 34k in 10 Years - that's pretty cheap (roughly 280 Euros per Month)
 
Every single BEV will be more expensive...hence, buying a new car is stupid.

(Oh noes, a whole 4 cents a mile / 2.5c a kilometer, whatever shall I do).  Consumable, like electricity. Not caring.  Sure, you may pay less per km, but on a long trip I don't need to worry about range anxiety, nor sitting in one place for an hour while my car charges.

You can say the word 'gas', you know. You won't get struck down by the EV Fairy.
 

Wrong. Scroll Down why...
 
 
See above, wrong, scroll down why...
 
 
Yep...also wrong.
 
 
Exactly.
 
Got a HP 6475b. One of the best i ever owned. Unfortunatly it's not available with an A10 in Germany, so i had to Change it. 1600x900 14" Screen wich has very good sRGB colours (calibrated with a Colorimeter). I get about 10 hours of battery life while surfing, writing and all that stuff on a normal university day. It runs very cool, quiet and boot time is about 30 Seconds with an SSD. If i add the slice battery, i get about 16-17 Hours. Under Full Power (CAD, Gaming and other Stuff) 4 1/2 hours - no problem.
 
TDP has absolutly nothing to do what the notebook is really using on power. And the TDP from AMD is with the GPU, Intel gives them without. So, not even a little bit comparable. And TDP is also only a theoretical value, wich is totaly nonsense for practical uses
 
I can run a lot of games at 1600x900 and with OpenCL it's nearly as fast as a Core i7-3770K in Photoshop, Premier and 7-ZIP.

Yes, they have. But unfortunatly there is quite a lot of "plastic-crap" out there...the HP 6475b is one of the exceptions i know of, with it's magnesium body and aluminium display cover...

That's nonsense. And would be illegal in the UK.
 
I buy a car and only the manufacturer has the parts I need to fix it. But has no idea how to supply it plus can't recommend any third party service repairs. Mainly as they don't like third party repairs.
 
As for that Rufus video response. He's got an annoying voice and needs to change it.
 
It's a simple non warranty repair.
 
What's hard to understand?
 

@LAwLz i actually talked to someone who works as cybersec tech about these exploit(s) and according to him they dont even matter 
you can do what these exploits claim to enable on ANY SYSTEM w/ the priviliges they require remotely , does not matter what OS , what vendor or what year 

as "real" as these exploits might be , they dont make it any easier nor enable someone to do more than he already can 


also CTS and that other lab are shady as shit , unknown firm w/ next to no record and plenty of connections to stock manipulation and FUD 
also breaking many standards for reporting and publishing of this kind (weird wp , 24 deadline , claiming AMD stock should be 0$ and AMD @ chapter 11) 

Interesting. Anyone noticed, that Gadi Evron was in the same military unit, as the other guys from CTS...?
Also, that BOTH Ido Li On and Yaron Luk-Zilberman contradicted Gadi Evron, who said "I can confirm they have a PoC on everything."
 
I'm still going with my first assessment of the whole ordeal: Gadi Evron was part of the whole thing from the beginning...
 
And Trail of Bits right away said, it's no where near as bad, as they say.

Personally, i REALLY would like to know, how and why Dan Guido has said anything at all. Many other Security Experts are saying that pretty much all of that is - at least until now - absolute bullcrap.
 
 
BTW, The much bigger question is: IF there is some merit to the PSP being vulnerable (read: Same problem as Intels ME, that STILL haven't been fixed fully, mind you!) - how can it be possible to bypass the Windows 10 VSM, that Microsoft praised as one of the absolute killer security features? By design it should be impossible to run unprotected code, that isn't hashed correctly by the LSASS.
 
Having to need physical access to the machine is a must in all of those cases, so even IF there are real flaws in the System from "the inside" - what do they matter if the attacker has physical access to your machine?

Interesting. Anyone noticed, that Gadi Evron was in the same military unit, as the other guys from CTS...?
Also, that BOTH Ido Li On and Yaron Luk-Zilberman contradicted Gadi Evron, who said "I can confirm they have a PoC on everything."
 
I'm still going with my first assessment of the whole ordeal: Gadi Evron was part of the whole thing from the beginning...
 
And Trail of Bits right away said, it's no where near as bad, as they say.

Because I somehow read your post that I responded to as
rather than your actual statement of 
which is a completely different meaning and makes me seem a bit pedantic as a result, sorry!

Yes...and No. Here's the thing, software/firmware has bugs, live with it. Some of the bugs are in Security subsystems. There is a three part trade-off to all projects, time-resources-quality (or doneness). You can get perfect or near perfect quality if you have infinite time and resources, but your company will go out of business. You can have impossibly short deadlines with infinite resources and bad quality.
 
Basically at some point you have to "shoot the engineer and ship the product", i.e., an engineer (no matter what kind of engineer) wants everything absolutely perfect and will work on a project until nothing is wrong including low probability issues.  On the other hand sometimes you also have to "Shoot marketing and keep the product in Engineering" because marketing will ship the product with fatal flaws to get "something to market now". And on the third hand sometimes you have to "Shoot the Product, because it is a lost cause and will never be finished", if you don't do that it can kill the company. I have worked for two companies who couldn't learn the third lesson and are no more because they couldn't learn that lesson. 
 
So, the question that needs to be answered (and only AMD can really answer) is "how many resources are these flaws worth?". My (admittedly educated guess), is lots due to the high profile that they have gotten. So inside AMD I would guess there are multiple near "infinite resource" projects going on to fix these right now.

I just managed to read through this whole massive thread and want to make one point that I don't think anyone has made yet.
 
It looks to me like all of these take some form of signed driver. Now I have been writing driver code in one form or another for going on 30 years now, and frankly once I have a driver installed I own part of that system. So depending on what driver is compromised (and they didn't seem to specify), the fact that they were able to make persistent changes is not a surprise. In fact I would be surprised if they couldn't make persistent and possibly damaging changes, heck I can think of three or four driver level places off the top of my head that if I wrote replacements for those drivers and got them signed I would be able to read or write anything on the system regardless of the upper level security settings, and if I wrote into the device's firmware (say a network card) my changes would be persistent and could be made invisible to security. Yes, writing it to the Secure Processor on the CPU gives it some additional panache but really? This is just one more case of "if you have a malicious device driver your screwed", which has been true since computers were created.

https://www.realworldtech.com/forum/?threadid=175139&curpostid=175169
 
For those who are unaware of "chicken bits": (electronics) A bit on a chip that can be used to disable one of the features of the chip if it proves faulty or negatively impacts performance. 
 
Now for the great part about the interview:
 
Considering that scummy scam company, Viceroy, got their hands on this paper as one of the first, and the entire paper is written in a very manipulative way, it's hardly difficult to figure out who paid for this.
 
At the end of the day Asmedia and AMD needs to fix any and all security holes, just like every one else. But this is blown way way out of proportion, and the incentive to do so, is clear as day: Stock market manipulation. 
 
Anyone who is taking these security issues seriously, requiring elevated admin privileges, as a consumer, is being a useful idiot for this investment conspiracy.

Man. Those guys are absolutely laughable.
 
Hey, maybe i should search for some random fourth stage attacks, that haven't been fixed for years. For those who do not know what the stages are:
Although you could even argue, that those are stage six attacks, since you are corrupting "something" (be it the ASMedia Controller or the PSP)
 
I also just had a bit of a play with deactivating the PSP in my UEFI. That works and there is no PSP and TPM Device anymore.
 
Edit: Even Trail of Bits says, those attacks are not viable. https://blog.trailofbits.com/2018/03/15/amd-flaws-technical-summary/
 

i am not wrong thought, to call this as a meltdown level exploit is lying way too much, meltdown and spectre don't need anywhere near as much privileges, and can even be run through a web page, this is much harder to exploit, the document and the company behind it are at the very least shady, this is not the work of a security company, in my eyes right now they have less legitimacy than wccftech.
 

Want to have a chance to contest claims of researchers at the LHC? Here you go: Link to one of the papers about it. They present their methods and working hypothesis, as well as detailed results and the explanation on why their results prove significance of their hypothesis. If you are knowledgeable enough, you can assess the quality if the results and their validity yourself. That's the point. It can be disproved because there is a thought path presented that can be possibly attacked. In our case, we do not have anything to go on except the words of the publishers and some other people.
 
They could be saying it's real because it's real, because it isn't but they think it is, because it isn't but they have something to gain by saying the opposite etc.. maybe they say it's true because some part is true but they haven't assessed or left out purposely the part where it's wrong.
Thing is it is just a matter of opinion right now. Your opinion is that they are to be trusted, it may be even reasonable to do so, but they aren't necessarily to be trusted so you could believe otherwise.
 
Remains that the way things were handled are absolutely not satisfying and the way their paper is written is unprofessional enough to question reasonably their claimed results, independently of everything else. That's why I think it is not true until I can see proof of it. Amd or whatever could say it's garbage and researchers could say it is genius, I'd still wait until something concrete would be published.

I'm going to stop explaining myself to you now, because you seem more intent on "winning" than on discussing the issue.  I already know what you're talking about, and I believe you know what I meant, you're just trying to win on an argument of semantics.

Those additional things all require a malicious firmware replacement and/or a signed driver (by AMD or Asmedia, going by 'requires vendor signing') to get the firmware on to the chip or to talk to the chip to exploit it.
 
These are all risks for any system that has co-processors and logic chips like this.
 
The general issue is basically everything in this research paper requires malicious modification of the technologies involved which requires other mechanisms to be broken, like getting your malicious driver signed by AMD/Asmedia or being able to modify an existing driver that is already signed while also not invalidating it's digital signature. The details on that is very unclear, but what is clear is there are requirements that almost always put this outside the bounds of the AMD technologies being referenced as having a security vulnerability with them themselves.
 
To simplify my point it's like getting an HDD with an infected OS installed on it then plugging it in to a computer, turning that system on then saying the computer is infected.
 
To be very clear I'm not saying you can't exploit these AMD systems, what I'm saying is these sound like they are not vulnerabilities with said systems themselves. The only parts that look like potential candidates for actual vulnerabilities are these signed driver requirements, but like I said no details on how they are doing it. Those signed drivers are the attack vectors in to the chips, but don't go thinking that is unique to AMD. If you break in to any chipset or platform security module you get the same types of access from any manufacturer, we should be more worried about the ability to break in to them.
 
https://www.anandtech.com/show/12525/security-researchers-publish-ryzen-flaws-gave-amd-24-hours-to-respond
https://safefirmware.com/amdflaws_whitepaper.pdf
https://safefirmware.com/amdflaws_whitepaper.pdf
 
Summary: Masterkey requires a bios flash to a maliciously crafted one, similar attack is possible on any system if you're going to the extent of creating malicious bios firmware. Many systems also implement the mentioned digital signature required for bios update images so you're either reliant on the ability to exploit other security vulnerabilities or have a system that will trust just any random bios firmware image, admittedly that's most cheap gaming motherboard but not high end ones or OEM systems by HP/Dell etc.
 
https://www.anandtech.com/show/12525/security-researchers-publish-ryzen-flaws-gave-amd-24-hours-to-respond
 
 
Requires a driver signed by AMD/Asmedia to talk to the chip to be able to exploit it, no details given on how they achieved this or modified an existing driver without invalidating it's signature. I 100% believe they were able to do it but zero details given on how. Further assertions were made that after such access is gained to the chipset they could load malicious firmware on to it.
 
Summary: Real issue is being able to bypass the signed driver restriction not the access that then gives you or the malicious firmware. CTS are bundling what they can do with malicious firmware in with vulnerability and calling them one and the same. This type of access to any chipset will give you the same level of access, this is not AMD specific.
 
https://www.anandtech.com/show/12525/security-researchers-publish-ryzen-flaws-gave-amd-24-hours-to-respond
 
 
Again another one that requires a signed driver, same comments apply. Believe it but zero details explaining anything.
 
Summary: This one is a big issue. This, as is no loading malicious firmware on or any other modifications, allows you to read protected areas of memory. This is an actual direct vulnerability with the PSP on all Ryzen systems, more limited impact on Ryzen Pro (no read access of protected memory areas only write).
 
https://www.anandtech.com/show/12525/security-researchers-publish-ryzen-flaws-gave-amd-24-hours-to-respond
https://safefirmware.com/amdflaws_whitepaper.pdf
 
Summary: As Ryzenfall, this one actually is an issue with the secure processor in the EPYC processor that does not require any modifications or loading on malicious firmware.
 
tl;dr Ryzenfall and Fallout are the only two that I can see that are direct security vulnerabilities with the AMD technologies. These are also serious and give access to protected memory areas and encryption keys, along with allowing you to load on malicious firmware further compromising the system. Masterkey is worrying but if an attacker is able to load malicious firmware on to your system then it honestly doesn't matter who's processor/system your using is you're screwed no matter.

That is a different circumstance though, thought it depends on what you mean by that. The company doing the review to get paid is probably all above board, further reading of Anandtech article basically confirms this, it was a favor at first until they were given 13 to verify.
 
It was important to note that they only verified the steps to execute the exploits, basically they can say you can carry them out as documented. There's still the question of are all of these actually security vulnerabilities with the effected technologies. Because like I mentioned if your replacing firmware or using a signed driver by the vendor (this is very unclear to me exactly what this entails) are these vulnerabilities at all, by that I mean with the technologies themselves.
 
My point really was though that literally everything that can be firmware updated falls under this, like EVERYTHING. Do we need a security whitepaper released for every product on earth that falls under this to tell us "Hey if someone replaces the firmware with a malicious one you're at risk", think this falls under stating the obvious.
 
To make a highly inaccurate joke, you don't need a warning label on a hammer saying "If you hit your hand it will hurt".

The basis around how they get paid varies, it's more common practice to either work together and share payment from the effected company through a bounty program or by an entity like CERT, iDefense or TippingPoint.
 
Your point is pricey why Responsible Disclosure is a thing and it covers aspects like payment and financial gain. These are all efforts to professionalize the security industry and introduce standards, it used to be the wild west so how things were done and should be done can be different.
 
Analysis of things like financial gain is an important step, not the only step, for verify validity. It should not be ignored.
 
Edit:
Or be directly contracted by the company to find security flaws.
 
See Gamers Nexus video, specifically the responses from those security experts.
 
No 3 are for the bios. Ryzenfall, Masterkey and Chimera all utilize replacing firmware in the PSP (not bios) or chipset. If your putting malicious firmware on to an IC is it a security flaw of said IC or are you just using your privilege access to compromise the system. If a system has the capability for it's firmware to be updated then malicious firmware will always be an attack vector, there is no way to prevent this other than removing the ability to update the firmware which is a terrible idea because then you could never update it if it does have a security vulnerability.
 
You ignored the parts after I said bios, PSP and IME are not bios and related to a different vulnerability in the white paper.
 
No I'm saying it can't even be confirmed as true. Not being true doesn't mean fake it simply means not confirmed.
 
Which all backs the point that it was easy to see Meltdown and Spectre were legitimate from the get go.

then go deal with it yourself because i ain't got the patience to satisfy your craving because you can't go read a stinken article or have a look at the links provided by the topic poster. 
 
People aren't obliged to do your work for you because you are too LAZY