On Wed, Mar 14, 2018 at 3:16 PM, Adam Carter <adamcart...@gmail.com> wrote:
> On Wed, Mar 14, 2018 at 12:32 PM, Philip Webb <purs...@ca.inter.net>
> wrote:
>
>> 180313 Ian Zimmerman wrote:
>> > https://v.gd/PZkiuR
>> > Does anyone know more details?
>>
>> See LWN. It is being described as a scam by people shorting AMD stock.
>
>
> Dan Guido / Trail of Bits was paid to review the exploits and has
> confirmed they work. I don't think he'd burn his reputation on this.
>
> The language around AMD shares being worth $0 is clearly absurd and that
> source should be ignored.
>
>

From http://www.theregister.co.uk/2018/03/13/amd_flaws_analysis/?page=2

Jake Williams, founder and president of Rendition Infosec, commented on the above quoted disclaimer via Twitter <https://twitter.com/MalwareJake/status/973608157208461312>, saying, "I'm pretty well convinced that this is designed to manipulate stock prices. That doesn't make the vulnerabilities fake or any less dangerous (though you need admin access to exploit most)."

Arrigo Triulzi, a security consultant based in Switzerland, described <https://twitter.com/cynicalsecurity/status/973591954096381952> the paper as "over-hyped beyond belief" and added, "This is a whitepaper worthy of an ICO [cryptocurrency initial coin offering]. And yes, that is meant to be an insult."

Google security researcher Tavis Ormandy, responding to Triulzi, wrote <https://twitter.com/taviso/status/973622044200919040>, "Nothing in this paper matters until the attacker has already won so hard it's game over. Not something I'm too interested in, but maybe DFIR [Digital Forensics and Incident Response] people are?"

Ormandy is referring to the fact that exploiting these supposed flaws requires local administrative access, making them significantly less dangerous than vulnerabilities that can be exploited by a remote, unprivileged user.