[Update] Security flaws discovered in AMD zen processors : AMD's meltdown?

[NinjaQuick]

2 hours ago, mr moose said:

I don't think I've seen a single person happy with the way they have carried out their business much less defend them in this thread.

 

Everyone uses stock photos,  when you try to pad out an accusation with irrelevant info it devalues your argument.  CTS might well be the evil everyone paints them. Their motivation is obviously questionable, But the issue is now how do we deal with the issue this raises.  If you want to trivialize the threats simply because some company was smart enough to use them to try and manipulate stock then by all means, but don't go adding irrelevant information.

 

 

No, just no,  you can't accuse someone of being unreliable because they were hired to do their job.  How would you like it if people accused you of being unreliable because you get paid for your services?

 

 

 

We can only judge whats happening with the information we have in front of use, when people manipulate the information because they don't like the insinuation then we have an issue (we are still fighting the trope that AMD runs hot).   Unless you have evidence trail of bits is in on this stock manipulation then provide it, otherwise stick to the facts. 

 

 

Facts are this whole thing requires admin access or access to the hardware.

Those are the *only* facts that exist. Trail of Bits is the only 'security' company that has verified this, and has provided no information as to how it is verified other than the same 'oh trust us, we do this in good will (and to because we were paid by the people that found it).

 

The fact of the matter is this exploit doesn't matter - it requires access to hardware which necesarily means fully compromised security before running this exploit. It is as relevant as an exploit that steals your chrome data by logging into a system, plugging in a usb drive and running a batch file that copies from %APPDATA%\Roaming\Google\Chrome to said USB drive.

 

So having a security team even talk about it is fishy.

[Blademaster91]

31 minutes ago, sambarr said:

Most of what they do is read the news aloud. Not a lot of insight. Spinrite 6 didn't save my bacon (yet) either.

 

Steve Gibson usually makes it interesting, Spinrite 6 advertisements aside last podcast I've heard their observations on spectre/meltdown were good,and the inspectre is a helpful tool. Though I wonder if AMD knew of the ASmedia security hole while paying them for the chips.

[sambarr]

10 minutes ago, Blademaster91 said:

Steve Gibson usually makes it interesting, Spinrite 6 advertisements aside last podcast I've heard their observations on spectre/meltdown were good,and the inspectre is a helpful tool. Though I wonder if AMD knew of the ASmedia security hole while paying them for the chips.

Love that grey mustache. 

It took until Feb 24 to get a working Dell meltdown-updated bios (2.7.1) for most servers.... about 50 days. Patching in the future is a full-time job.

 

AMD will do something about it... just don't hold your breath.

[Shakaza]

7 hours ago, Taf the Ghost said:

CTS has said a lot of things without any proof, so far, so we're going to have to wait for some real confirmation.

yes. Yes. YES. This. Exactly this.

 

To address the people participating in this thread:

 

I am not well-versed in the inner workings of processors and the finer points of security in computers, so I appreciate the information provided by such people as @leadeater, @LAwLz, and of course the spoop I'm quoting. So far, I'm hearing contradicting things, and from what I can gather, the gist of the situation is this: These exploits do not seem excessively severe, such as in the ease of compromising a system or an ability to subsequently compromise other systems on the same network, but they are present. LAwLz has also presented evidence that these specific issues are unique to AMD's processors, meaning they may have relevance over other "one size fits all" exploits if it's easier to do it this way. If, however, he turns out to be wrong, I would say this isn't really an issue at all, but may still need to be addressed in the future. I would also tend to trust his judgement on this more than a couple of the people who have posted here, because of the fact that he seems to err on the side of security and has not evidenced a preference for any one company in this thread. I can trust that he is relatively unbiased in his assessment of the severity of this bug. Taf and Leadeater have exhibited the same qualities while also demonstrating a thorough knowledge of this topic.

 

Because of this, I would judge that this discussion needs to keep going, especially as new information comes to light. At this point, I don't think anyone here can validly claim that this is a nonissue or the most severe issue ever; we should treat this as a real security threat. But, first, there are some important things to keep in mind. First, forget that the company to expose these vulnerabilities is completely biased and probably did so in order to achieve some ulterior goal. It doesn't matter at this point; what we need to care about is what they revealed. On the flip-side, take nothing they have to say at face value unless it's verified by an independent, reliable source. They may have more information, but it's possible that they may try to slander AMD (further?). This is a complex issue that requires a constant critical eye; blatant fanboyism has no place here, because it will only serve to obfuscate the real problem. Please, leave your fanboyism at the door; the people treating this as real aren't supporting CTS's biased practices, nor are they attempting to make AMD look bad(security problems exist. In this regard, AMD, Intel, and all the others are equal.). As well, I would like to hope that the people treating this as real aren't doing so because of a hatred of AMD. It's not the solution, it never has been, and never will be.

 

Be respectful, be intelligent, be rational.

 

Also, I'm sorry if I sounded preachy, because who the heck is this random weirdo to talk? But, I mean, ya'll brought it on yourselves. There appears to be a lot of misinformation going about, and it really oughta stop. Maybe an explicit reminder will help? Is anyone listening? Hello?

 

Also, listen to the people I mentioned earlier. They seem to be among the more rational (and knowledgeable) people in this thread, so good job to you fellas.

[NinjaQuick]

There's no real security hole, at least not something literally any other hardware would present. This requires DIRECT ACCESS to the HARDWARE. Not some kind of decentralized or remote access, or even installation on low-privilege accounts, it requires full admin system access, on the local machine. Even the only alleged verification explains this - it isn't some scary thing even remotely like meltdown or specter. The exploits require hardware flashing, not buffer-overflows you can get using JS. Calling this an exploit at all is ludicrous, everyone other than one sec team is saying this, and yet discrediting the one sec team that was paid to say they verified it is somehow an issue.

[Shakaza]

1 minute ago, NinjaQuick said:

There's no real security hole, at least not something literally any other hardware would present. This requires DIRECT ACCESS to the HARDWARE. Not some kind of decentralized or remote access, or even installation on low-privilege accounts, it requires full admin system access, on the local machine. Even the only alleged verification explains this - it isn't some scary thing even remotely like meltdown or specter. The exploits require hardware flashing, not buffer-overflows you can get using JS.

@LAwLz would claim otherwise, and he has cited sources. I would recommend reading his earlier posts in the thread to learn more. The point here is that information about these exploits is still emerging, and it would be wise to consider (consider, not follow blindly, by the way) what everyone has to say for now because a consensus hasn't been reached. It may be my inexperience in the field shining through here, but I cannot come to a reasonable conclusion about the severity of these findings yet.

[sambarr]

Anyone out there running as administrator with any kind of sensitive information to protect is a dumbass.

 

Congrats to all the idiots of this world if this news is shocking to you.

[NinjaQuick]

1 minute ago, sambarr said:

Anyone out there running as administrator with any kind of sensitive information to protect is a dumbass.

 

Congrats to all the idiots of this world if this news is shocking to you.

A million times this. Most, if not all, of these exploits are probably easily portable or doable with similar methods for all hardware vendors, not just AMD...

[Razor01]

9 minutes ago, NinjaQuick said:

A million times this. Most, if not all, of these exploits are probably easily portable or doable with similar methods for all hardware vendors, not just AMD...

 

 

They can't be done the same way.  The method can be the same, but the approach (injected code) is going to be vastly different.  So if one is familiar with AMD's secure processor, that doesn't mean they can do it with Intel processors the same way.  The results may be similar or may not be because without understanding how the two different ASIC's work that is very hard to determine.  Remember the way AMD's processors and Intel processors set up their security barriers are very different.

 

This is why Meltdown and Specter and all their variants work differently on AMD and Intel, sure there are overlaps but different non the less.

[WkdPaul]

Thread cleaned (might need more cleaning TBH).

 

Please keep the discussion civil and keep the CS in mind ;

Quote

• Ensure a friendly atmosphere to our visitors and forum members.
• Encourage the freedom of expression and exchange of information in a mature and responsible manner.
• "Don't be a dick" - Wil Wheaton.
• "Be excellent to each other" - Bill and Ted.
• Remember your audience; both present and future.

 

[NinjaQuick]

That was my point, they aren't gonna be exploited identically, but the process would be very similar.

[Razor01]

24 minutes ago, NinjaQuick said:

That was my point, they aren't gonna be exploited identically, but the process would be very similar.

 

Well they might not be able to do it either lol, With Intel chips once its sets up its security barriers, it doesn't allow any changes from even admin changes to take place,  This actually makes currently programs unable to use Intel's security features.  So drivers and what not, completely redone.  Now if they were to use a new driver or later drivers, already signed that will be easier to do, but I don't know the ins and outs of this so its better for others to talk about it lol.

 

All I know is through memory and virtual memory hacking so...... yeah AMD's page file security is vastly different from Intel's.

[NinjaQuick]

3 hours ago, mr moose said:

I don't think I've seen a single person happy with the way they have carried out their business much less defend them in this thread.

 

Everyone uses stock photos,  when you try to pad out an accusation with irrelevant info it devalues your argument.  CTS might well be the evil everyone paints them. Their motivation is obviously questionable, But the issue is now how do we deal with the issue this raises.  If you want to trivialize the threats simply because some company was smart enough to use them to try and manipulate stock then by all means, but don't go adding irrelevant information.

 

 

No, just no,  you can't accuse someone of being unreliable because they were hired to do their job.  How would you like it if people accused you of being unreliable because you get paid for your services?

 

 

 

We can only judge whats happening with the information we have in front of use, when people manipulate the information because they don't like the insinuation then we have an issue (we are still fighting the trope that AMD runs hot).   Unless you have evidence trail of bits is in on this stock manipulation then provide it, otherwise stick to the facts. 

 

 

They are in on it inasmuch as they knew the stance of the company, have connections to the company and still accepted payment and promoted the company involved in stock manipulation. This is called being an accomplice.

[mr moose]

3 hours ago, Bananasplit_00 said:

https://www.videocardbenchmark.net/gpu.php?gpu=S3+ProSavageDDR&id=1835

 

perfection!

Sold, I am going to get that winner winner chicken dinner now.

 

47 minutes ago, NinjaQuick said:

Facts are this whole thing requires admin access or access to the hardware.

Those are the *only* facts that exist. Trail of Bits is the only 'security' company that has verified this, and has provided no information as to how it is verified other than the same 'oh trust us, we do this in good will (and to because we were paid by the people that found it).

 

The fact of the matter is this exploit doesn't matter - it requires access to hardware which necesarily means fully compromised security before running this exploit. It is as relevant as an exploit that steals your chrome data by logging into a system, plugging in a usb drive and running a batch file that copies from %APPDATA%\Roaming\Google\Chrome to said USB drive.

 

So having a security team even talk about it is fishy.

I really have no idea what you are trying to say here, it sounds like you are insinuating we should ignore these threats under the presumption they require access to hardware (which has been shown several times in this thread not to be the case), but without any evidence as to their actual severity that would be foolish thing to say. 

 

As far as the rest of my post goes are you saying it is o.k to accuse someone of being unreliable without evidence?  Maybe I am alone in my thinking,  but claiming using stock photos is proof someone is wrong is being disingenuous.

[mr moose]

2 minutes ago, NinjaQuick said:

They are in on it inasmuch as they knew the stance of the company, have connections to the company and still accepted payment and promoted the company involved in stock manipulation. This is called being an accomplice.

Have you got some evidence or are you just assuming all this?

[NinjaQuick]

1 minute ago, mr moose said:

Sold, I am going to get that winner winner chicken dinner now.

 

I really have no idea what you are trying to say here, it sounds like you are insinuating we should ignore these threats under the presumption they require access to hardware (which has been shown several times in this thread not to be the case), but without any evidence as to their actual severity that would be foolish thing to say. 

 

As far as the rest of my post goes are you saying it is o.k to accuse someone of being unreliable without evidence?  Maybe I am alone in my thinking,  but claiming using stock photos is proof someone is wrong is being disingenuous.

Remote desktop into a system is virtually the same as logging in to the local system, you cannot execute these exploits without already having the keys to the kingdom, so to speak.

[NinjaQuick]

3 minutes ago, mr moose said:

Have you got some evidence or are you just assuming all this?

https://twitter.com/dguido/status/973922593152659456

 

He has also said he has seen the whole document, read it, I am assuming he understands the language. That means he understands that the company he is advertising (by confirming their findings) paid him to promote their findings (he is the expert they needed to validate their claims for their purposes). This means he is knowingly an accomplice to their scheme, even if he only profits in as much as what they've paid him.

[ARikozuM]

Did this thread lose four pages? I could have sworn it was at page 24. I should probably take some laudanum. 

[Shakaza]

1 minute ago, ARikozuM said:

Did this thread lose four pages? I could have sworn it was at page 24. I should probably take some laudanum. 

Well, it was just cleaned, so you're probably not hallucinating.

[mr moose]

1 minute ago, NinjaQuick said:

https://twitter.com/dguido/status/973922593152659456

 

He has also said he has seen the whole document, read it, I am assuming he understands the language. That means he understands that the company he is advertising (by confirming their findings) paid him to promote their findings (he is the expert they needed to validate their claims for their purposes). This means he is knowingly an accomplice to their scheme, even if he only profits in as much as what they've paid him.

But have you got proof or are you just assuming they are in this together?

 

 

[NinjaQuick]

Just now, mr moose said:

But have you got proof or are you just assuming they are in this together?

 

 

He did receive payment, didn't he?

[mr moose]

1 minute ago, NinjaQuick said:

He did receive payment, didn't he?

All validation work is paid for, it's not a free service from anyone.  How does being paid prove intention to defraud?

[Blademaster91]

8 minutes ago, ARikozuM said:

Did this thread lose four pages? I could have sworn it was at page 24. I should probably take some laudanum. 

Four pages? I didn't really see that much that was offensive, oh well.  I think discussing this either way is good until there is some actual evidence.

10 minutes ago, NinjaQuick said:

https://twitter.com/dguido/status/973922593152659456

 

He has also said he has seen the whole document, read it, I am assuming he understands the language. That means he understands that the company he is advertising (by confirming their findings) paid him to promote their findings (he is the expert they needed to validate their claims for their purposes). This means he is knowingly an accomplice to their scheme, even if he only profits in as much as what they've paid him.

So you're implying he's a shill just by the fact he got paid to research their findings? That is simply assuming and ignoring that a few of these vulnerabilities may be a thing similar to Intel's ME,which ironically enough everyone totally bashed all over that while AMD having a similar issue gets shrugged off as "oh remote access? no big deal not to worry".

[NinjaQuick]

Just now, mr moose said:

All validation work is paid for, it's not a free service from anyone.  How does being paid prove intention to defraud?

You may be assuming I am saying something different. He is an accomplice to the plan of the sec team that found it (short stocks). As soon as that came to light he should have withdrawn public comments. 

[Razor01]

5 minutes ago, Shakaza said:

Well, it was just cleaned, so you're probably not hallucinating.

LSD man wonder drug!