Re: [gentoo-user] A new AMD CPU weakness?

2018-03-13 Thread Adam Carter
On Wed, Mar 14, 2018 at 3:16 PM, Adam Carter wrote:

> On Wed, Mar 14, 2018 at 12:32 PM, Philip Webb wrote:
>
>> 180313 Ian Zimmerman wrote:
>> > https://v.gd/PZkiuR
>> > Does anyone know more details?
>>
>> See LWN.  It is being described as a scam by people shorting AMD stock.
>
>
> Dan Guido / Trail of Bits was paid to review the exploits and has
> confirmed they work. I don't think he'd burn his reputation on this.
>
> The language around AMD shares being worth $0 is clearly absurd and that
> source should be ignored.
>
>
From http://www.theregister.co.uk/2018/03/13/amd_flaws_analysis/?page=2

Jake Williams, founder and president of Rendition Infosec, commented on the
above quoted disclaimer via Twitter, saying, "I'm
pretty well convinced that this is designed to manipulate stock prices.
That doesn't make the vulnerabilities fake or any less dangerous (though
you need admin access to exploit most)."

Arrigo Triulzi, a security consultant based in Switzerland, described the paper
as "over-hyped beyond belief" and added, "This is a whitepaper worthy of an
ICO [cryptocurrency initial coin offering]. And yes, that is meant to be an
insult."

Google security researcher Tavis Ormandy, responding to Triulzi, wrote, "Nothing in this
paper matters until the attacker has already won so hard it's game over.
Not something I'm too interested in, but maybe DFIR [Digital Forensics and
Incident Response] people are?"

Ormandy is referring to the fact that exploiting these supposed flaws
requires local administrative access, making them significantly less
dangerous than vulnerabilities that can be exploited by a remote,
unprivileged user.


Re: [gentoo-user] A new AMD CPU weakness?

2018-03-13 Thread Adam Carter
On Wed, Mar 14, 2018 at 12:32 PM, Philip Webb wrote:

> 180313 Ian Zimmerman wrote:
> > https://v.gd/PZkiuR
> > Does anyone know more details?
>
> See LWN.  It is being described as a scam by people shorting AMD stock.


Dan Guido / Trail of Bits was paid to review the exploits and has confirmed
they work. I don't think he'd burn his reputation on this.

The language around AMD shares being worth $0 is clearly absurd and that
source should be ignored.


Re: [gentoo-user] A new AMD CPU weakness?

2018-03-13 Thread Pengcheng Xu
Actually there’s a more memorable link that describes the matter concisely:

https://amdflaws.com

Pengcheng Xu
i...@jsteward.moe



> On H30/03/14 10:15, taii...@gmx.com wrote:
> 
> Here is a non-shortened link.
> https://it.slashdot.org/story/18/03/13/1558221/researchers-find-critical-vulnerabilities-in-amds-ryzen-and-epyc-processors-but-they-gave-the-chipmaker-only-24-hours-before-making-the-findings-public
> 
> All the more reason to avoid the ME/PSP garbage and instead buy the 
> equivalently priced, owner controlled and higher performance OpenPOWER arch 
> systems such as the libre firmware TALOS 2.
> 
> Pretty much someone found a bug in AMD's version of ME which *how terrible* 
> in other words you can use this to defeat Hollywood's AMD PSP DRM which is the 
> true reason of existence for ME/PSP, to prevent people from owning and 
> controlling their devices.
> 
> I can't believe the new normal is not being able to really buy a mainstream 
> computer because you don't own it and everyone in the tech press and 
> so-called experts says it's a good thing, oh it is to "keep you safe from 
> hackers" and they pretend like it has always been this way as if it wasn't 
> just a recent change that for some reason all the major OEMs did at the 
> exact same time... I wonder why.
> 
> "The corporate sector asked for this" - MYTH - They already had it, it is a 
> BMC/LOM chip and it was owner controlled. I doubt any company with IP worth 
> something wants a super insecure black box supervisor processor that they 
> don't control on every computer of theirs.
> 
> 
> If you need secure remote management you can use OpenBMC which is present on 
> the TALOS 2 (IBM OpenBMC) and also the KCMA-D8 and KGPE-D16 pre-PSP x86 
> boards (you can replace the crappy non-free ASUS firmware on the ASMB module 
> with the Facebook version of OpenBMC which was recently ported to it via 
> crowdfunding)
> 





Re: [gentoo-user] A new AMD CPU weakness?

2018-03-13 Thread taii...@gmx.com

Here is a non-shortened link.
https://it.slashdot.org/story/18/03/13/1558221/researchers-find-critical-vulnerabilities-in-amds-ryzen-and-epyc-processors-but-they-gave-the-chipmaker-only-24-hours-before-making-the-findings-public

All the more reason to avoid the ME/PSP garbage and instead buy the 
equivalently priced, owner controlled and higher performance OpenPOWER 
arch systems such as the libre firmware TALOS 2.


Pretty much someone found a bug in AMD's version of ME which *how 
terrible* in other words you can use this to defeat Hollywood's AMD PSP 
DRM which is the true reason of existence for ME/PSP, to prevent people 
from owning and controlling their devices.


I can't believe the new normal is not being able to really buy a 
mainstream computer because you don't own it and everyone in the tech 
press and so-called experts says it's a good thing, oh it is to "keep you 
safe from hackers" and they pretend like it has always been this way as 
if it wasn't just a recent change that for some reason all the major 
OEMs did at the exact same time... I wonder why.


"The corporate sector asked for this" - MYTH - They already had it, it 
is a BMC/LOM chip and it was owner controlled. I doubt any company with 
IP worth something wants a super insecure black box supervisor processor 
that they don't control on every computer of theirs.



If you need secure remote management you can use OpenBMC which is 
present on the TALOS 2 (IBM OpenBMC) and also the KCMA-D8 and KGPE-D16 
pre-PSP x86 boards (you can replace the crappy non-free ASUS firmware on 
the ASMB module with the Facebook version of OpenBMC which was recently 
ported to it via crowdfunding)




Re: [gentoo-user] A new AMD CPU weakness?

2018-03-13 Thread taii...@gmx.com

On 03/13/2018 08:54 PM, Ian Zimmerman wrote:

> https://v.gd/PZkiuR
>
> Does anyone know more details?

A shortened link? really? not clicking that.



Re: [gentoo-user] A new AMD CPU weakness?

2018-03-13 Thread Philip Webb
180313 Ian Zimmerman wrote:
> https://v.gd/PZkiuR
> Does anyone know more details?

See LWN.  It is being described as a scam by people shorting AMD stock.

-- 
,,
SUPPORT ___//___,   Philip Webb
ELECTRIC   /] [] [] [] [] []|   Cities Centre, University of Toronto
TRANSIT`-O--O---'   purslowatchassdotutorontodotca




[gentoo-user] A new AMD CPU weakness?

2018-03-13 Thread Ian Zimmerman
https://v.gd/PZkiuR

Does anyone know more details?

-- 
Please don't Cc: me privately on mailing lists and Usenet,
if you also post the followup to the list or newsgroup.
To reply privately _only_ on Usenet and on broken lists
which rewrite From, fetch the TXT record for no-use.mooo.com.