Bitcoin Forum
November 14, 2018, 08:55:52 PM *
News: Latest Bitcoin Core release: 0.17.0 [Torrent].
 
   Home   Help Search Login Register More  
Pages: [1]
  Print  
Author Topic: Everything Surrounding The New AMD Security Allegations Reek of a Smear Job  (Read 34 times)
Hydrogen
Hero Member
*****
Offline Offline

Activity: 966
Merit: 687



View Profile
March 14, 2018, 01:52:43 PM
 #1

Quote
Earlier today, we covered news that a previously unknown security research firm, CTS-Labs, has accused AMD of 13 serious security flaws within its products. If these security flaws exist, it’s critically important AMD deal with them immediately. Nothing about their provenance or the process by which they were communicated to the press changes that. But we’d be remiss if we didn’t note the perplexing nature of how they were communicated. Security researchers are also raising the alarm regarding some highly suspicious disclosures and framing of the underlying issues.

With Spectre and Meltdown, an early disclosure spilled the beans about a week earlier than Intel, AMD, ARM, and Google had collectively planned. All of the companies in question had been aware of Spectre and Meltdown since June (meaning, for months) and had been working on fixes throughout that time. Google, in fact, had given the various hardware companies an extended deadline to get fixes ready before disclosing the existence of the bugs. That’s standard operating procedure in security disclosures; vendors are typically given at least a 90-day window to implement solutions. But in this case, AMD was notified a day ahead of the disclosure by an Israeli firm, CTS-Labs.

CTS-Labs has hired a PR firm to handle press inquiries and its website, AMDFlaws.com, doesn’t exactly follow typical disclosure methodology. In fact, the text of the site absolutely drips with scareism, with quotes like:



Image link: https://www.extremetech.com/wp-content/uploads/2018/03/AMD-Security-Lives.png

Under the section for “How long until a fix is available?” the site states:



Image link: https://www.extremetech.com/wp-content/uploads/2018/03/HowLongBeforeFix.png

If you want to know how long it’s going to take to fix a security flaw, you typically ask the company in question after telling them you’ve found one. This just isn’t how security researchers disclose product flaws. Compare the language above from Google’s own work on Meltdown and Spectre, where it details how the attacks work, links to actual, formal white papers that detail how these attacks work, and then goes into an in-depth breakdown of the attacks with code samples and examples.

CTS-Labs website and white paper completely lack this in-depth technical discussion, but the site is stuffed with pretty infographics and visual designs depicting which AMD products are affected by these issues. It’s exactly the kind of thing you might create if you were more interested in launching a PR blitz as opposed to a security notification.

AMD was given so little notice, it can’t even state if the attacks are valid or not. The company’s statement reads: “At AMD, security is a top priority and we are continually working to ensure the safety of our users as new risks arise. We are investigating this report, which we just received, to understand the methodology and merit of the findings.”

Good security firms don’t put users at risk by launching zero-day broadsides against companies when the security flaws in question could take months to resolve. Good security firms don’t engage in rampant scareism. Good security firms don’t use websites like “AMDFlaws” to communicate technical information, any more than they’d use “IntelSecuritySucks” to communicate security flaws related to Spectre, Meltdown, or the Intel Management Engine. Good security firms do not draw conclusions; they convey information and necessary context.

The reason good security firms don’t do these things is because good security firms are more concerned with finding and fixing problems than they are with publicity. When Embedi found recent flaws in the Intel Management Engine and F-Secure discovered problems within Intel’s Active Management Technology, they emphasized communicating the situation clearly and concisely (F-Secure’s blog post does have a touch of hyperbole, but doesn’t approach what CTS-Labs is doing here).

We aren’t the only site to notice. There’s a notification on CTS-Labs site that it may have a financial interest in the companies it investigates (shorting AMD stock is practically a pastime in financial circles). Other security researchers have absolutely trashed the manner in which the findings were communicated, the likely financial entanglements, and the way the brief has been communicated.

If these security flaws are real, AMD has a lot of work to do to fix them. It absolutely deserves criticism for failing to catch them in the first place, and there is at least one security researcher who has seen the code and believes the matter to be serious. But even if CTS-Labs findings are genuine, it has communicated them in a manner completely at odds with best practices in the security community. Its manner and method of communicating its findings have much more in common with a PR firm hired to do a hit job on a competitor or a company looking to make a financial killing by shorting stock than a reputable security firm interested in establishing a name for itself. Finding 13 major security flaws in a major microprocessor was guaranteed to make the news all on its own.

It’s entirely possible that CTS-Labs is a relatively new company comprised of researchers who decided to debut with a splash and sacrificed the best practices of security disclosures to do it. It’s also possible it isn’t. The company has done itself no favors with these shenanigans.

Update:

CTS-Labs has acknowledged to Reuters that it shares its research with companies that pay for the data and that it’s a firm with just six employees. Meanwhile, Viceroy Research, a short-seller firm, has published a 25-page “obituary” for AMD based on this data in which it declares AMD is worth $0.00 and believes no one should purchase AMD products on any basis, for any reason whatsoever. It also predicts AMD will be forced to file for bankruptcy on the basis of this “report.”

We stand by what we said regarding the flaws themselves — we’ll wait to hear from AMD on how that shakes out and what the risks are — but the actual reporting of the flaws appears to have been done in profound bad faith and with an eye towards enriching a very particular set of clients. ExtremeTech denounces, in the strongest possible terms, this scheme’s apparent perversion of the security flaw disclosure process.

https://www.extremetech.com/computing/265582-everything-surrounding-new-amd-security-allegations-reeks-hit-job

....

This is extremely interesting news from a centralization versus decentralization perspective.

Intel versus AMD is one of the best real world examples of how market decentralization benefits consumers, fuels innovation, drives prices down and forces businesses to offer fairer end user terms to the public. If AMD were eliminated from the equation, the CPU market would become centralized. Prices would increase. Innovation would cease.

It is possible that this latest news of false allegations regarding AMD processors having vulnerabilities is motivated by an intent to centralize the processsor market under intel. And also to wipe from the world examples of how decentralization and market competition provide benefits to the world.

Note: market centralization/decentralization may be defined as an economics topic & so I hope I posted this in the correct place.  Smiley

1542228952
Hero Member
*
Offline Offline

Posts: 1542228952

View Profile Personal Message (Offline)

Ignore
1542228952
Reply with quote  #2

1542228952
Report to moderator
1542228952
Hero Member
*
Offline Offline

Posts: 1542228952

View Profile Personal Message (Offline)

Ignore
1542228952
Reply with quote  #2

1542228952
Report to moderator
1542228952
Hero Member
*
Offline Offline

Posts: 1542228952

View Profile Personal Message (Offline)

Ignore
1542228952
Reply with quote  #2

1542228952
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1542228952
Hero Member
*
Offline Offline

Posts: 1542228952

View Profile Personal Message (Offline)

Ignore
1542228952
Reply with quote  #2

1542228952
Report to moderator
1542228952
Hero Member
*
Offline Offline

Posts: 1542228952

View Profile Personal Message (Offline)

Ignore
1542228952
Reply with quote  #2

1542228952
Report to moderator
1542228952
Hero Member
*
Offline Offline

Posts: 1542228952

View Profile Personal Message (Offline)

Ignore
1542228952
Reply with quote  #2

1542228952
Report to moderator
Mometaskers
Hero Member
*****
Offline Offline

Activity: 952
Merit: 544



View Profile
March 14, 2018, 09:35:13 PM
 #2

Haven't bought a new laptop in a while so haven't been paying attention but yeah, it's easy to see what would happen if Intel gain a monopoly. Didn't they had a team-up last year? I believe they were supposed to be working on a chip together. Considering that, should AMDs stocks do plummet, it's possible that Intel would try to buy up the company. You know, just like Google is fond of doing after "shit happens" to companies they target.
Beerwizzard
Full Member
***
Offline Offline

Activity: 378
Merit: 112


View Profile
March 14, 2018, 11:04:35 PM
 #3

If AMD were eliminated from the equation, the CPU market would become centralized. Prices would increase. Innovation would cease.
The text is interesting but on our centralization / decentralization thoughts you are missing one key point. We don't live in some magic cryptoworld (or Ancapistan). In our world everything works under the patronate of the governments which have anti-monopolistic laws (that sometimes are obviously destructive) and companies have to obey them. Intel shouldn't become a pure monopolist.
Back in 1997 there was a similar case when Apple had some really bad times and Microsoft bought 150 mln $  worth of Apple stocks just in order to save a "competition" and not to become a monopolist.
Hydrogen
Hero Member
*****
Offline Offline

Activity: 966
Merit: 687



View Profile
March 15, 2018, 06:27:40 PM
 #4

In our world everything works under the patronate of the governments which have anti-monopolistic laws (that sometimes are obviously destructive) and companies have to obey them. Intel shouldn't become a pure monopolist.

Many nations like china and japan have no anti-trust laws. There's a question of whether anti-trust laws have a potential to handicap or cripple american businesses while empowering foreign corporations who have no such restrictions.

If AMD ever folded, Intel would definitely become a monopoly and the CPU market would become heavily centralized. There would be nothing that would stop that from occurring. Not long ago, microsoft was fined for its monopoly over the operating system market. That's the best the government can do and it is wholly ineffective.

Back in 1997 there was a similar case when Apple had some really bad times and Microsoft bought 150 mln $  worth of Apple stocks just in order to save a "competition" and not to become a monopolist.

One might say the reason healthcare in the united states is unaffordable has to do with healthcare being monopolized on a state level. Virtually everything that is expensive or is a result of dysfunctional workmanship in america is typically associated with a centralized monopoly of some type. Of course the same thing happens with universal healthcare in foreign countries. Socialised healthcare is a monopoly and the lack of competition inherent in that arrangement makes things sloppy and unaffordable over the long term.

Pages: [1]
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!