- 6 hours
I guess nobody’s reporting security issues to AMD anymore then. Have fun guys.
7 hoursDoes AMD want their own Nightmare-Eclipse or what. And that researcher went rogue because MS has the habit to not credit researchers and claiming that vulnerabilities are not vulnerabilities while quietly fixing them.
- kuhli@lemmy.dbzer0.comEnglish11 hours
Y’all really need to read past the headline:
the bug that Paul found seemingly wouldn’t be triggered anyway, as the relevant section of the code wasn’t being called to begin with
- monotremata@lemmy.caEnglish58 minutes
Okay, yes, but that’s because they had messed up their application enough that the updater itself couldn’t be updated, which they presumably discovered in the process of trying to remedy his bug. That is, the flaw he found couldn’t actually be exploited only because of a deeper flaw he hadn’t found. (Shades of the Sirius Cybernetics Corporation there, whose deep fundamental design flaws were almost totally hidden by their superficial design flaws.) He still led them to a critical vulnerability that took them months to fix.
I guess it’s one of those “justifiable but unwise” sort of things. If your company is doing a bug bounty program to stay on top of security vulnerabilities, what you don’t want is to create the perception that the work of devs who look for these vulnerabilities isn’t appreciated, for example, by skimping on bounties over technicalities.
Paying the 10k doesn’t ruin the company and allows them to fix a section of code that may become a vulnerability in the future. Not paying the 10k saves them 10k at the price of the devs’ trust that keeps this program effective. From a financial point of view, this is some very poor decision making.
- grinning_serpent@lemmy.worldEnglish3 hours
It encourages people who find these bugs to use them rather than report them.
- Smoogs@lemmy.worldEnglish5 hours
Sure however it’s still worth calling out click bait headlines and reactionary posters are all being bad actors here in the misinformation spread.
Probably more important as then developers don’t back out over being emotionally manipulated by fake bullshit.
- schema@lemmy.worldEnglish11 hours
The woman in the stock photo looks like she’s about to pilot an X-Wing.
- 🇨🇦 tunetardis@piefed.caEnglish13 hours
Researcher commenting on the patch:
he remarks that the software only checks the validity of the downloaded file using the ancient CRC32 hash that isn’t considered cryptographically secure anymore
I have to respect the researcher for his incredibly charitable wording here. CRC32 is not even remotely crypto. That’s never been its purpose, and using it for digital signing is patently insane!
I fear I would have had a much shorter temper after what he’s been through, and yet here he is keeping his cool and his criticism constructive. Good on him.
- teohhanhui@lemmy.worldEnglish3 hours
Although it is true that they now fully use HTTPS, the claim about signature verification is untrue; they only perform a CRC-32 check on the downloaded executable, which is not cryptographically secure.
This is the wording from the blog post. Tom’s Hardware just rephrased it very poorly. (see e.g. https://www.reddit.com/r/hardware/comments/1ixgas1/articles_from_tomshardwarecom_should_be_banned/)
- Buddahriffic@lemmy.worldEnglish3 hours
My version of questioning this is if the same source is providing both the file and the hash, does it matter how hard it is to fake the hash? It could just generate a new hash for the fake file, couldn’t it?
- lemmyvore@feddit.nlEnglish6 hours
HTTPS is privacy in transit. It has no say into what’s being downloaded.
- DevDave@piefed.socialEnglish5 hours
A drug dealer with a heavily armed escort delivers a package of white powder. New problem: is it cocaine, cleaning detergent, anthrax, or some mixture of the former?
- 🇨🇦 tunetardis@piefed.caEnglish5 hours
I suppose if the only way to obtain the patch were through an automated download from the AMD website, the authentication through the site certificate would be better than nothing. But this is a security patch, and I think the researcher is right in pointing out that the bar needs to be higher?
- Nurse_Robot@lemmy.worldEnglish2 hours
Are you saying that to yourself? Yes, you should read the article.
Psychopaths naturally rise to the top in environments like large corporations, because of their ability to manipulate people and not give a fuck about hurting others.
- iturnedintoanewt@lemmy.worldEnglish16 hours
Holy crap. I’d say not to buy AMD if you value your security (i have an AMD CPU and the Deck too). You already know the next vulnerability they’re going to be the last ones to find out. In the news, probably.
- Cocodapuf@lemmy.worldEnglish4 hours
Ok, so the alternative is buying Intel/Nvidia. Surely they’ve never done anything problematic, so this is a good plan.
The Steam Deck does run Linux right? Generally that means the used drivers are not written by AMD and also do not have an auto-updater from AMD. The deck is supposed to update through it’s OS’es package manager and supposedly has the Mesa and Linux Foundation drivers in use.
- BlackLaZoR@lemmy.worldEnglish11 hours
Under Linux, AMD GPU is the only sane solution tho, due to open source drivers. And Intel CPUs have history of cookin hard.
It’s not. RISC-V and ARM exist. You can buy laptops based on either of these architectures for a very reasonable price, compared to Intel and AMD’s x86 offerings.
Of course, that means no AAA gaming, for the most part at least. But then again, who even plays AAA games these days?
- BlackLaZoR@lemmy.worldEnglish6 hours
But then again, who even plays AAA games these days?
Gaming industry is way bigger than movie industry. Almost everyone plays games.
Steam alone has like 40 million concurrent players right now.
- Link@rentadrunk.orgEnglish9 hours
But then again, who even plays AAA games these days?
Err many people? And Linux gaming is on the rise too.
Consumer ARM hardware mostly needs customized images for each board. Plus, depending on your CPU manufacturer you’ll be stuck on an ancient kernel version to get full functionality.
- 7 hours
(Serious) is there really a reasonably priced arm laptop? Which one? I only see apple silicon and some over 2k dollars laptops. Does it have good battery life and performance?
- 15 hours
AMD now with their security stuff and Intel with the crashing and quick degradation stuff a while ago. Sigh.
- ferrule@sh.itjust.worksEnglish3 hours
It was physics and battery sizes to blame for why we have drifted from the 5 GHz x86 CPU to the 32 core x86 CPU. I never thought the rush to ARM/RISC-V would be because Intel and AMD are run by morons.
- Brkdncr@lemmy.worldEnglish16 hours
Researches should publish after 90 days. That would solve the problem.
If anyone could provide an AMD email to ask for a statement concerning this issue, that would be nice.
- kuhli@lemmy.dbzer0.comEnglish11 hours
I don’t think a statement is really needed here, this wasn’t a vulnerability, the code was never called. Even if the code were called, the $10,000 bounty is for a different type of bug entirely too
- baines@lemmy.cafeEnglish3 hours
so stacking vulnerabilities is a thing
if the code exists it can be called
this is a valid bug and it’s silly to rule lawyer something like this
so good job amd, you are ‘actually’ right,
this totally won’t cost you in the long run at all
god damn do lawyers and business majors need to stop making tech decisions
