The impulsive guy in me is thinking that I should cancel AMD over something like this while the rational one remembers that (at least for non-Apple PCs) it’s basically a duopoly and if I cancel the other player over something stupid that they do, I’d be out of choices.
What do you guys think?
Honestly? Fuck technology. I’m probably just in a bad mood, but that’s how I feel right now. Get rid of all of it. If you can’t figure it out on an abacus, you don’t really need to know it!
Same. Unless I live like a hermit in the woods, I am definitely using, directly or not, something (many things) made by a company that has done unforgivable shit. And even if I personally decide “to hell with all this, I can survive just fine”, who will be there to stop them from destroying the whole forest I am supposedly in? Definitely not me
This does not make things all right as they stand, but it does mean quitting the game is not an option
Bye bye responsible disclosure, hello actively exploited 0days.
I guess nobody’s reporting security issues to AMD anymore then. Have fun guys.
Instead, report the security issues to malicious third parties who pay more than AMD.
Does AMD want their own Nightmare-Eclipse or what? And that researcher went rogue because MS has a habit of not crediting researchers and claiming that vulnerabilities are not vulnerabilities while quietly fixing them.
They could have had worse. The extreme geeks who worked as engineers for AMD pushed to open source their firmware, PSP, everything at one point.
Can you imagine Nightmare but with PSP or Intel ME? It would be EPYC™
Y’all really need to read past the headline:
the bug that Paul found seemingly wouldn’t be triggered anyway, as the relevant section of the code wasn’t being called to begin with
If it’s in the code, it’s a bug. If it’s not used, then remove it entirely. Everything in the code should be treated as operational.
ding ding ding!
no, don’t comment it out.
no, don’t soft-block it.
no, don’t not call it.
just fucking delete it.
Even if it was that simple, this is still a vulnerability that is basically a time bomb. The day that code would have been triggered would have been disastrous.
But this isn’t new, bug bounties tend to have terms as strict as they can to deny you the bounty while they obviously end up fixing issues that don’t qualify for the bounty. All because of reason X or Y that turns out to be a subjective interpretation of a vague enough eligibility requirement.
Okay, yes, but that’s because they had messed up their application enough that the updater itself couldn’t be updated, which they presumably discovered in the process of trying to remedy his bug. That is, the flaw he found couldn’t actually be exploited only because of a deeper flaw he hadn’t found. (Shades of the Sirius Cybernetics Corporation there, whose deep fundamental design flaws were almost totally hidden by their superficial design flaws.) He still led them to a critical vulnerability that took them months to fix.
Sirius Cybernetics Corporation? They’re a bunch of mindless jerks who’ll be the first against the wall when the revolution comes.
I guess it’s one of those “justifiable but unwise” sort of things. If your company is doing a bug bounty program to stay on top of security vulnerabilities, what you don’t want is to create the perception that the work of devs who look for these vulnerabilities isn’t appreciated, for example, by skimping on bounties over technicalities.
Paying the 10k doesn’t ruin the company and allows them to fix a section of code that may become a vulnerability in the future. Not paying the 10k saves them 10k at the price of the devs’ trust that keeps this program effective. From a financial point of view, this is some very poor decision making.
It encourages people who find these bugs to use them rather than report them.
Things like that should give other corporations pause when they consider where they buy their stuff from.
I mean, you get paid an awful lot more if you sell it on the dark web, so why wouldn’t you at this point?
I hope they do.
Sure, however it’s still worth calling out: clickbait headlines and reactionary posters are all being bad actors here in spreading misinformation.
Probably more important, as then developers don’t back out over being emotionally manipulated by fake bullshit.
Excellent way to encourage responsible disclosure.
/s
They should ask Microsoft about those current troubles.
Either you pay bug bounties, or crypto locker ransoms.
Researcher commenting on the patch:
he remarks that the software only checks the validity of the downloaded file using the ancient CRC32 hash that isn’t considered cryptographically secure anymore
I have to respect the researcher for his incredibly charitable wording here. CRC32 is not even remotely crypto. That’s never been its purpose, and using it for digital signing is patently insane!
I fear I would have had a much shorter temper after what he’s been through, and yet here he is keeping his cool and his criticism constructive. Good on him.
Although it is true that they now fully use HTTPS, the claim about signature verification is untrue; they only perform a CRC-32 check on the downloaded executable, which is not cryptographically secure.
This is the wording from the blog post. Tom’s Hardware just rephrased it very poorly. (see e.g. https://www.reddit.com/r/hardware/comments/1ixgas1/articles_from_tomshardwarecom_should_be_banned/)
Do you really need signing if you’re using HTTPS though?
HTTPS is privacy in transit. It has no say in what’s being downloaded.
A drug dealer with a heavily armed escort delivers a package of white powder. New problem: is it cocaine, cleaning detergent, anthrax, or some mixture of the former?
My version of questioning this is if the same source is providing both the file and the hash, does it matter how hard it is to fake the hash? It could just generate a new hash for the fake file, couldn’t it?
I suppose if the only way to obtain the patch were through an automated download from the AMD website, the authentication through the site certificate would be better than nothing. But this is a security patch, and I think the researcher is right in pointing out that the bar needs to be higher?
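As an added example (not from the thread, the researcher, or AMD), the Go program below demonstrates the two points made in this sub-thread: a CRC-32 can be fixed up by whoever edits the file, regardless of where the expected value came from, so a trusted CRC buys nothing; and a signature verified against a public key pinned in the client is the check that actually binds the download to the vendor, because neither the download server nor anyone on the path holds the private key. The payload bytes, the key pair and the `Update` struct are constructed for this example; nothing here is taken from the real updater.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"hash/crc32"
)

// reverseTable maps the top byte of each IEEE CRC-32 table entry back to its
// index. For the IEEE polynomial those top bytes are all distinct, which is
// what lets us run the CRC register backwards.
var reverseTable [256]byte

func init() {
	for i, v := range crc32.IEEETable {
		reverseTable[v>>24] = byte(i)
	}
}

// ForgeCRC32Suffix returns four bytes that, appended to data, make
// crc32.ChecksumIEEE(data||suffix) equal target. It works for any data and
// any target: a CRC is linear and involves no secret, so a "trusted CRC from
// elsewhere" buys nothing against an attacker who can edit the file.
func ForgeCRC32Suffix(data []byte, target uint32) []byte {
	// Backwards pass: from the wanted final register state, recover the four
	// table indices the last four update steps must use.
	var idx [4]byte
	t := target ^ 0xFFFFFFFF // undo the final inversion
	for k := 3; k >= 0; k-- {
		idx[k] = reverseTable[t>>24]
		t = (t ^ crc32.IEEETable[idx[k]]) << 8
	}
	// Forwards pass: from the real register state after data, pick each byte
	// so the update step uses exactly that index.
	s := crc32.ChecksumIEEE(data) ^ 0xFFFFFFFF
	suffix := make([]byte, 4)
	for k := 0; k < 4; k++ {
		suffix[k] = byte(s) ^ idx[k]
		s = crc32.IEEETable[byte(s)^suffix[k]] ^ (s >> 8)
	}
	return suffix
}

// Update is what the client receives: the payload plus the integrity values
// the server attached. Field names are ours (hypothetical), not the real updater's.
type Update struct {
	Payload []byte
	CRC     uint32 // what a CRC-32 "check" compares against
	Sig     []byte // Ed25519 signature over Payload
}

// AcceptByCRC models the weak check: recompute CRC-32 and compare.
func AcceptByCRC(u Update) bool { return crc32.ChecksumIEEE(u.Payload) == u.CRC }

// AcceptBySignature verifies against a public key pinned in the client, so
// neither the download server nor anyone on the path can re-sign a file.
func AcceptBySignature(pinned ed25519.PublicKey, u Update) bool {
	return ed25519.Verify(pinned, u.Payload, u.Sig)
}

// Tamper swaps in a new payload and pads it with a 4-byte fixup so the old
// CRC still matches. The signature is reused: the attacker has no private key.
func Tamper(orig Update, evil []byte) Update {
	forged := append(append([]byte{}, evil...), ForgeCRC32Suffix(evil, orig.CRC)...)
	return Update{Payload: forged, CRC: orig.CRC, Sig: orig.Sig}
}

// DemoResult records which check accepted the genuine and the forged update.
type DemoResult struct{ GenuineCRC, GenuineSig, ForgedCRC, ForgedSig bool }

// Demo builds a constructed update (sample bytes, fresh key pair; nothing
// here is a real file or vendor key), forges it, and runs both checks.
func Demo() (DemoResult, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return DemoResult{}, err
	}
	genuine := []byte("constructed sample: genuine driver installer bytes")
	u := Update{Payload: genuine, CRC: crc32.ChecksumIEEE(genuine), Sig: ed25519.Sign(priv, genuine)}
	f := Tamper(u, []byte("constructed sample: attacker's replacement bytes"))
	return DemoResult{
		GenuineCRC: AcceptByCRC(u), GenuineSig: AcceptBySignature(pub, u),
		ForgedCRC: AcceptByCRC(f), ForgedSig: AcceptBySignature(pub, f),
	}, nil
}

func main() {
	r, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine: crc=%v sig=%v\n", r.GenuineCRC, r.GenuineSig) // true true
	fmt.Printf("forged:  crc=%v sig=%v\n", r.ForgedCRC, r.ForgedSig)   // true false
}
```

The forgery needs no knowledge of the original file, only the target CRC, which is why it does not matter whether the CRC is served next to the file or hard-coded in the client. The signature check only holds up if the public key really is pinned in the client binary; if the client fetched the key from the same server as the file, an attacker who controls that server could simply swap in their own key, which is the same-source problem raised above.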
Every major company is fucking evil
There’s always Costco
And stupid
We let the psychopaths get their way
Psychopaths naturally rise to the top in environments like large corporations, because of their ability to manipulate people and not give a fuck about hurting others.
Yep stabbing your way to the top is the fastest way
Read the article
Are you saying that to yourself? Yes, you should read the article.
The woman in the stock photo looks like she’s about to pilot an X-Wing.
Holy crap. I’d say not to buy AMD if you value your security (I have an AMD CPU and the Deck too). You already know that with the next vulnerability they’re going to be the last ones to find out. In the news, probably.
Ok, so the alternative is buying Intel/Nvidia. Surely they’ve never done anything problematic, so this is a good plan.
No no no. You buy half an intel chip, and half of an AMD chip. Then mush them together!
ooooooh boy do I have a surprise for you! ungodly amalgamation of an Intel CPU with a mobile AMD GPU
(first time posting a picture here ever so there’s a 99% chance I’m gonna screw this up)
Oh man… That is wild. How is that a thing?
Under Linux, an AMD GPU is the only sane solution though, due to open source drivers. And Intel CPUs have a history of cooking hard.
It’s not. RISC-V and ARM exist. You can buy laptops based on either of these architectures for a very reasonable price, compared to Intel and AMD’s x86 offerings.
Of course, that means no AAA gaming, for the most part at least. But then again, who even plays AAA games these days?
But then again, who even plays AAA games these days?
Gaming industry is way bigger than movie industry. Almost everyone plays games.
Steam alone has like 40 million concurrent players right now.
Gaming industry is way bigger than movie industry. Almost everyone plays games.
Most money goes into mobile money traps, though.
RISC-V and ARM exist. You can buy laptops based on either of these architectures for a very reasonable price, compared to Intel and AMD’s x86 offerings.
Have fun dealing with that Device Tree bullshit because hardware autodetection is so 1998.
But then again, who even plays AAA games these days?
Err many people? And Linux gaming is on the rise too.
those are not consumer friendly
Consumer ARM hardware mostly needs customized images for each board. Plus, depending on your CPU manufacturer you’ll be stuck on an ancient kernel version to get full functionality.
And the performance/watt is not that exceptional.
(Serious) Is there really a reasonably priced ARM laptop? Which one? I only see Apple silicon and some over 2k dollar laptops. Does it have good battery life and performance?
AMD now with their security stuff and Intel with the crashing and quick degradation stuff a while ago. Sigh.
It was physics and battery sizes to blame for why we have drifted from the 5 GHz x86 CPU to the 32 core x86 CPU. I never thought the rush to ARM/RISC-V would be because Intel and AMD are run by morons.
The Steam Deck does run Linux, right? Generally that means the drivers used are not written by AMD and also do not have an auto-updater from AMD. The Deck is supposed to update through its OS’s package manager and supposedly has the Mesa and Linux Foundation drivers in use.
AMD does contribute to Mesa and the kernel driver. It’s all open source, but they do a lot of the heavy lifting regardless.
Researchers should publish after 90 days. That would solve the problem.
If anyone could provide an AMD email to ask for a statement concerning this issue, that would be nice.
I don’t think a statement is really needed here, this wasn’t a vulnerability, the code was never called. Even if the code were called, the $10,000 bounty is for a different type of bug entirely too
so stacking vulnerabilities is a thing
if the code exists it can be called
this is a valid bug and it’s silly to rule lawyer something like this
so good job amd, you are ‘actually’ right,
this totally won’t cost you in the long run at all
god damn do lawyers and business majors need to stop making tech decisions