Wolf480pl is a user on niu.moe. You can follow them or interact with them if you have an account anywhere in the fediverse. If you don't, you can sign up here.
Wolf480pl @Wolf480pl

Ok, so these "AMD flaws" are nowhere near anything like Meltdown or Spectre.

According to their "whitepaper", it lets you pwn your PSP and chipset if you already have root access on the main CPU. In the worst case, it's like the Intel ME BUP bug from december.
It's useful for researchers, coreboot porting, breaking DRM, etc. But it's no use for a remote (or even unprivileged local) attacker.

Their website makes it look way more dangerous than it is.

Β· 9 Β· 9

Then there's a lot of fishy stuff, like
- too much effort went into the website's design
- the website has lots of infographics and not-very-specific text, repeating the same things over and over again
- the whitepaper doesn't look like a whitepaper, and seems to be written with non-technical people in mind, especially the first few pages
- they have a huge legal disclaimer that says they may have financial interest in the value of AMD shares
- cts-labs.com exists for less than 1 year

I'm not saying these "AMD flaws" findings aren't real, but it looks like these people are trying to spread way more fear than necessary.

Also, this whole "if we found such vulnerabilities, the manufactureres probably pay no attention to security whatsoever" part on the website and at the beginning of the report... it's so obnoxious... and I think it qualifies as FUD. (Couldn't find criteria of when sth is FUD, wikipedia isn't very helpful here :/ )

@Wolf480pl also they only gave AMD 24 hours notice. 'responsible' disclosure my ass.

@samis @Wolf480pl I don't know what website you two are talking about, but picking on researchers for disclosing PSP flaws is, IMO, ridiculous.

PSP itself is a flaw. A malignant tumor that shouldn't exist.

Shame on you two for defending it.

@taoeffect @samis
I'm not defending PSP, but it's problematic only as long as we can't control it.

And I'm not picking on researchers for disclosing the flaws. I'm picking on them for making it look like a CPU flaw, like-Meltdown-except-worse. And telling people that their network is in danger because of it.

Also, the researchers didn't disclose any technical details, ust a bunch of noise.
It just looks like a hoax or an attempt to harm AMD by spreading FUD.


@Wolf480pl @taoeffect also I don't think these flaws are even good for cracking open the PSP unless your mobo accepts unsigned firmware updates.

@samis @taoeffect only one of them requires flashing the firmware.

@Wolf480pl @samis PSP is like-Meltdown-except-worse. I see nothing wrong with that description of it.

@taoeffect @Wolf480pl PSP isn't worse than Meltdown, given that barely anyone can actually use the damn thing, never mind use it maliciously. Not so for Meltdown.

@taoeffect @samis No it isn't. You can't exploit a flaw in PSP from an unprivileged process. Or from JS running in the browser. You have to be root to exploit PSP. At which point, why bother doing that, you got root anyway.

@Wolf480pl @samis Meltdown doesn't give you total control over a computer. PSP does (my understanding), and it does so with no defense or mitigation possible.

A purposefully-built unstoppable backdoor is worse than an accidental design-flaw.

@taoeffect @samis But you have to already have total control over a computer in order to use PSP to gain total control over the computer.

@Wolf480pl @samis Eh, I doubt that. Is there proof that there's no master key?

@Wolf480pl @samis I'm more than OK with websites bringing up PSP and Intel ME and throwing as much fear and doubt on those abominations as possible. Not enough of that being done.

@taoeffect @samis

But this is false information. They're telling people that because of these vulns, their computers are in danger, while in fact they aren't.

Also, they're doing it asymmetrically. It looks like it's designed to make everyone switch from AMD to Intel. And even if it's not on purpose, that'll be the effect. And Intel has enough power as it is.

@Wolf480pl @taoeffect The purpose isn't hidden due to the disclaimer - they have an economic interest in AMD, so the most likely reason is that they found and released these to profit from the changes in AMD's stock price after the announcement.

@samis @taoeffect
And PSP is a bad thing only because we can't decide what code runs on it.
And the reason AMD made it is IMO to have anti-user features such as DRM or their equivalent of SGX. And the reason they want that is that Intel has it.

@Wolf480pl @samis

> while in fact they aren't.

Who says they aren't? There's every reason to believe they are. Again, show me proof a master key doesn't exist.

(Does PSP have a built-in server constantly listening in like Intel ME?)

> It looks like it's designed to make everyone switch from AMD to Intel.

Where do they do that? "Intel" isn't mentioned on the page.

@taoeffect @samis
>"Intel" isn't mentioned on this page
Think for a minute.
This page is clearly not made with tech gurus who know RISC-V in mind. It's for an average reader who knows just 2 CPU makes: Intel and AMD. It says AMD is bad. If you have only AMD and Intel to choose from, and AMD is bad, you buy Intel.

@Wolf480pl @samis I don't care.

They'll go to ask their friends about this, and their friends will instantly point to the more widely known and heard of "Intel ME", same thing, possibly even worse.

@Wolf480pl @samis This website helps move the conversation forward. A heck of a lot more than what most people are doing.

@samis @taoeffect
As for "they aren't in danger", I didn't make myself clear:
These flaws do not cause these computers to be in danger. They aren't any more in danger than they would be if these flaws didn't exist.

As for the master key, due to Occam's Razor, it doesn't exist until there's a proof that it does exist.

@Wolf480pl @samis That's not how Occam's Razor works.

The simplest explanation for why they would build a hardware-remote-control is to [expletive]ing remote control computers.

@Wolf480pl @samis One doesn't need _HARDWARE_ to remote control a computer. You can do it with hundreds of available software. Why would they go to the trouble of making hardware? β€” to make it unstoppable.

@taoeffect @samis Have you ever installed an OS remotely?
Or have you ever had to hard-reset a computer on which all software was hanging, and the computer was at the other end of the city?

@samis @taoeffect I rarely have to do these things, but when I need it, I need it immediately.

@Wolf480pl @samis Yes, I have installed OS's remotely, and it never required the use of Intel ME or AMD PSP.

I have never had to hard-reset a computer on the other end of the city, but if I did I would have someone go there (or someone who is already there) and hard reset it.

These are not features consumers asked for, want, or need.

@Wolf480pl @samis This is, OTOH, bullshit that these companies spread to give themselves plausible deniability for designing backdoors into their products.

@taoeffect @samis these are features that are required in server rooms, and in places where you have a ton of workstations all alike, managed by a central IT team.
Like a computer room at a school or university. Or in a big corpo.

@Wolf480pl @taoeffect (also IPMI likely does them better, being purpose-build for that thing)

@samis @taoeffect still, IPMI requires some hardware to listen to it. AFAIK you either have a separate BMC, or the Intel network card and Intel ME take care of handling it.

@Wolf480pl @samis I haven't heard of specific universities or companies using Intel ME or AMD PSP β€” I'm sure some exist, but I _know_ they don't need PSP/ME to do such admin.

The point is that these are insane backdoors that shouldn't exist in consumer products in the first place.

@Wolf480pl @samis These are backdoors that one is welcome to offer as a speciality product for a niche market that's interested in such backdoors.

@Wolf480pl @samis Consumer products, OTOH, should be Backdoor Freeβ„’ by default.

@taoeffect @samis Your definition of backdoor seems pretty broad. Do you also consider an ssh daemon to be a backdoor?

@Wolf480pl @samis Not if you installed it yourself (unless sshd has a built-in backdoor I'm not aware of).

@taoeffect @samis ok, so if you put an iso of your favourite Linux distro, run the installer, and it installs sshd by default, then it's a backdoor?

@Wolf480pl @samis Uh, without your permission? Definitely going into backdoor territory then.

Unauthenticated β€” definite backdoor.

Authenticated with password β€” most-likely a backdoor.

Authenticated with pubkey only β€” questionable practice.

@taoeffect @samis well, for me, it's not a backdoor unless there was a malicious intent behind it.

@Wolf480pl @samis For me intent isn't relevant because it's almost impossible to tell one way or the other.

It's the harm that's caused to users that ultimately matters.

Were you negligent in your design? Should you have known better? Did you practice questionable practices?



And ultimately, if it can be used as a backdoor, it's a backdoor.

@taoeffect @samis then there's no marked that's intrested in such backdoors, because when out-of-band management hardware is installed with these people's permission, it's not a backdoor anymore.

@taoeffect @samis you said that the manufacturers should provide backdoors only for the niche markets that request it.
But if a backdoor is requested by the buyer, it's no longer a backdoor.
So you can't provide backdoors for people who request them.

@Wolf480pl @samis lol, yes, that's the whole point. Backdoors are a bad thing.

@taoeffect @samis so there should be no backdoors on any hardware, not just consumer hardware.

@taoeffect @samis so what you want is that any remote management hardware should be on a separate hardware module that the computer owner has to explicitely put it in place for it to work. A software way of disabling it is in your opinion unacceptable?

@Wolf480pl @samis Uh, yes, basically make good processors, and give your backdoor-prone processors to those who explicitly ask for them.

Assume most of your users don't want to be pwn'ed, and aren't an enemy you're trying to take down.

@Wolf480pl @samis It's also OK to supply backdoor'd processors to an actual enemy, but again, if you're treating your users as an enemy, you should go to jail.

@taoeffect @samis btw. Intel ME is in the chipset, not in the CPU, but w/e.

Ok, now we have another problem:
users (think they) want netflix
netflix wants DRM
DRM will be broken, unless it has support from some hardware that doesn't obey the user

@Wolf480pl @samis Well, figure it out without selling backdoor'd CPUs. Don't make your little DRM dilemma an excuse to backdoor the world.

@taoeffect @samis ok, now tell me how PSP is a backdoor as opposed to just a DRM thingy?

@Wolf480pl @samis I don't know whether AMD PSP is as bad as Intel ME.

ME is a backdoor for obvious reasons (server that listens for remote commands).

I don't know if PSP does that by default. But PSP bypasses the CPU, and control of PSP is control over CPU etc. That sounds like a bad idea, and depending on the details, it could be a fatal idea.

@Wolf480pl @samis A big problem with these companies is they're closed source. No way to really tell what's going on, and there's little reason to trust them.

@taoeffect @samis yes. But we have no proof that there's something evil going on in PSP, we have only a suspicion.

@Wolf480pl @samis Yeah, and good reason to believe there might be, given what Intel did with ME, and given the fact that this piece of hardware shouldn't exist in a consumer product in the first place.

@taoeffect @samis still, not a reason to manupulate stock prices and market share by pretending to have a proof that you can be pwned by means of PSP.

@samis @taoeffect *that people can be pwned by means of PSP

@taoeffect @samis AFAIK PSP doesn't even have any remote management features. If I'm wrong, please point me to a link talking about such features.

@Wolf480pl @samis It's possible PSP isn't as bad as ME, I'm not sure on that one way or another.

@taoeffect @samis there's not.
But that's not what the researchers found.
Can we agree that the flaws in PSP that the researchers found are not dangerous to a reasonably security-conscious user?
Then we can discuss the PSP itself if you like.

@samis the only place I've seen this is cnet. And I don't know if that means 24h from yesterday to releasing the "whitepaper", or from today to releasing full details.

If the latter, then yeah, reasonable my ass, but also not really harmful unless you run random programs as root, or flash a BIOS from a sketchy russian site.

If the former, then it's not a disclosure from the security POV, only from PR POV, which makes it look even more awful.

@Wolf480pl re disclosure period: 'AMD is in the process of responding to the claims, but was only given 24 hours of notice rather than the typical 90 days for standard vulnerability disclosure. No official reason was given for the shortened time.'

@samis I guess they got that info from AMD, but I still don't trust it as much as if I saw this on AMD's official website, or even on amdflaws.com.

@Wolf480pl AMD's verbatim announcement doesn't make them sound much better though. 'just received' doesn't imply any reasonable period.

This whole thing is very fishy.
Also look how the pdf was made.
@mangeurdenuage @wolf480pl Read the list of "Services" - it's just a list of boilerplate nonsense with some links to other standards.

(Website totally not funded by Intel, I'm sure.)
@mangeurdenuage @wolf480pl That website is literally trying to hard to fit in. It's all nonsense and garbage.