Ok, so these "AMD flaws" are nowhere near anything like Meltdown or Spectre.
According to their "whitepaper", it lets you pwn your PSP and chipset if you already have root access on the main CPU. In the worst case, it's like the Intel ME BUP bug from December.
It's useful for researchers, coreboot porting, breaking DRM, etc. But it's no use for a remote (or even unprivileged local) attacker.
Their website makes it look way more dangerous than it is.
Then there's a lot of fishy stuff, like
- too much effort went into the website's design
- the website has lots of infographics and not-very-specific text, repeating the same things over and over again
- the whitepaper doesn't look like a whitepaper, and seems to be written with non-technical people in mind, especially the first few pages
- they have a huge legal disclaimer that says they may have financial interest in the value of AMD shares
- cts-labs.com has existed for less than 1 year
I'm not saying these "AMD flaws" findings aren't real, but it looks like these people are trying to spread way more fear than necessary.
Also, this whole "if we found such vulnerabilities, the manufacturers probably pay no attention to security whatsoever" part on the website and at the beginning of the report... it's so obnoxious... and I think it qualifies as FUD. (Couldn't find criteria of when sth is FUD, Wikipedia isn't very helpful here :/ )
@Wolf480pl also they only gave AMD 24 hours notice. 'responsible' disclosure my ass.
And I'm not picking on researchers for disclosing the flaws. I'm picking on them for making it look like a CPU flaw, like-Meltdown-except-worse. And telling people that their network is in danger because of it.
Also, the researchers didn't disclose any technical details, just a bunch of noise.
It just looks like a hoax or an attempt to harm AMD by spreading FUD.
But this is false information. They're telling people that because of these vulns, their computers are in danger, while in fact they aren't.
Also, they're doing it asymmetrically. It looks like it's designed to make everyone switch from AMD to Intel. And even if it's not on purpose, that'll be the effect. And Intel has enough power as it is.
> while in fact they aren't.
Who says they aren't? There's every reason to believe they are. Again, show me proof a master key doesn't exist.
(Does PSP have a built-in server constantly listening in like Intel ME?)
> It looks like it's designed to make everyone switch from AMD to Intel.
Where do they do that? "Intel" isn't mentioned on the page.
>"Intel" isn't mentioned on this page
Think for a minute.
This page is clearly not made with tech gurus who know RISC-V in mind. It's for an average reader who knows just 2 CPU makes: Intel and AMD. It says AMD is bad. If you have only AMD and Intel to choose from, and AMD is bad, you buy Intel.
As for "they aren't in danger", I didn't make myself clear:
These flaws do not cause these computers to be in danger. They aren't any more in danger than they would be if these flaws didn't exist.
As for the master key, due to Occam's Razor, it doesn't exist until there's a proof that it does exist.
I have never had to hard-reset a computer on the other end of the city, but if I did I would have someone go there (or someone who is already there) and hard reset it.
These are not features consumers asked for, want, or need.
@samis the only place I've seen this is cnet. And I don't know if that means 24h from yesterday to releasing the "whitepaper", or from today to releasing full details.
If the latter, then yeah, reasonable my ass, but also not really harmful unless you run random programs as root, or flash a BIOS from a sketchy Russian site.
If the former, then it's not a disclosure from the security POV, only from PR POV, which makes it look even more awful.
@Wolf480pl re disclosure period: 'AMD is in the process of responding to the claims, but was only given 24 hours of notice rather than the typical 90 days for standard vulnerability disclosure. No official reason was given for the shortened time.'
@Wolf480pl AMD's verbatim announcement doesn't make them sound much better though. 'just received' doesn't imply any reasonable period.