I gotta say , the dude types pretty fast. Pretty much the only noteworthy observation.

They already dug up their hole , there ain't no getting out of it.

It still looks like...

sudo rm -rf /*

and actually it is a joke...

hardcore_gamerI hope you take this as constructive criticism. As journalists, you're supposed to represent us when you do a Q&A with a company. I'd rate TPU's Q&A with the CTS labs much lower than Anandtech's . Focusing on technical details isn't an excuse for not asking questions about their motives, hyperbole and inaccuracies in the website they've created, their relationships with short-sellers and the way they've handled this whole thing. There's a reason why the readers are disappointed. If I just read TPU and no other tech news sources, I'd have probably believed viceroy reaserch's claim that AMD is doomed and their shares are worth $0. That's my 2 cents of finger wagging as a TPU reader of many years.

Considering I'm a tech-hobbyist myself and having started following the media on TechPowerUp originally, the content isn't as engaging as it used to be. One-sided story-telling and sensational half-truths never passed before as the orthodox coverage here. Just my fair share of criticism given enough musing about the subject.

hardcore_gamerAs journalists

There are no journalists here on TPU. You are trying to hold us to a standard that doesn't exist. Anyone who says they are a journalist must hold a degree for that, and none of us do.

Yes, we have tech news aggregation. Yes, we cover popular topics. Yes, we have opinions. But just because we cover a news story doesn't mean we hold to the opinion presented in the story. What it actually means is that we value your opinion, and want to hear what you think about the subject, presented in the light it is given. It's not financially motivated, either... we just care about what you think, and want to hear what you have to say. So please, say it, but please don't misinterpret our intent.

cadavecaYou are trying to hold us to a standard that doesn't exist. Anyone who says they are a journalist must hold a degree for that, and none of us do.

Nice formal excuse. Why even say that ? I honestly can't tell if that was meant to be a joke of some sort.

Any entity covering news/rumors/interviews and showing it to a public counts as journalism.

I kind of like that TPU went purely technical... Everything out there tries to tell me how to think while being extremely vague on detail.

This was actually kind of refreshing - I learned quite a bit reading about these vulnerabilities.

hardcore_gamerFocusing on technical details isn't an excuse for not asking questions about their motives, hyperbole and inaccuracies in the website they've created, their relationships with short-sellers and the way they've handled this whole thing.

I think they made their motives pretty clear in this non-technical article:

www.techpowerup.com/242480/viceroy-research-and-cts-labs-make-their-positions-known-on-amd-flaws

It's obvious what cts is trying to do, so i denounce anything they do. I trust the developer of the arch on fixes before a 3rd party such as CTS.

I wonder if AMD might pursue a lawsuit for libel.

Each of these "vulnerabilities" seem overblown to me. A lot of these seem to rely on getting access to deeper systems which, in my opinion as an enthusiast, block people from doing whatever they want (I mean, I'd love to be able to edit my own Pascal GPU BIOS like I did in the old days). To actually be attacked with these particular vulnerabilities, you already have to be in a perfect storm of shit anyways. I'd be less worried about these vulnerabilities themselves and more worried about how somebody was able to compromise my systems to the point where these vulnerabilities became an option for them.

I also suspect ulterior motives myself given the nature of these CTS people and those connected to them. At best they seem to have found some vulnerabilities of questionable (in my opinion) severity (they're bad, but really hard to pull off) and are looking to profit from it. They're definitely not a legitimate security firm in my eyes, and their report is obviously made to benefit them, not to merely alert those concerned to the vulnerabilities.

That said, I've followed up on this for a while and read a lot of comments before immediately reaching for my e-torch and e-pitchfork... I don't dismiss the flaws as fake, rather overhyped because they would be very difficult to use in an actual attack against target systems. I also lump CTS in the came category as patent trolls and people who sue other people because their phone also has "rounded corners".

eidairaman1It's obvious what cts is trying to do, so i denounce anything they do. I trust the developer of the arch on fixes before a 3rd party such as CTS.

I wonder if AMD might pursue a lawsuit for libel.

Yup. It's a bug, its a flaw... but an exploit is something that gets you admin access, doesn't require it...
STH had a nice write-up on it from a legal perspective.

hardcore_gamerI hope you take this as constructive criticism. As journalists, you're supposed to represent us when you do a Q&A with a company. I'd rate TPU's Q&A with the CTS labs much lower than Anandtech's . Focusing on technical details isn't an excuse for not asking questions about their motives, hyperbole and inaccuracies in the website they've created, their relationships with short-sellers and the way they've handled this whole thing. There's a reason why the readers are disappointed. If I just read TPU and no other tech news sources, I'd have probably believed viceroy reaserch's claim that AMD is doomed and their shares are worth $0. That's my 2 cents of finger wagging as a TPU reader of many years.

CTS labs may have multiple motives but what we know for sure it that they were paid quite a bit to look into these issues and that they will not reveal their client or even the industry that their client is in. I mean they spent $14,000 just to validate their exploits.

So honestly from what we know: They tried to act altruistic in their original disclosure all the while doing a hit and run on AMD. Their legal disclaimer directly contradicted that and they definitely received money for the job done in addition to leaking information to short sellers, possibly getting extra cash in that manner as well.

The security community agrees as well. Any future work by these guys is going to be tained by "well who's paying them this time?". I would not be surprised at all if this is the last public report this company does. They would be far better off creating a new company and trying to trick people that way.

thesmokingmanAnd TPU apparently lol.

ChaitanyaTpu has dug itself into the hole to the point that they have no option but to cover this or else they will admit they were wrong in covering that 1st story without any research.

ikekeI held TPU to higher quality previously.

This TPU bashing crap needs to stop. Bashing CTS for for what you perceive as various wrongs is one thing. Bashing TPU staff and the founder for reporting actual industry news is quite another. They are doing their job. Nothing more, nothing less. If you people can't figure out that very simple concept, then maybe this isn't someplace for you to be.

Edit; just watched that video. This is, as demonstrated, not insignificant. This is serious and can be done quickly as the video shows.

lexluthermiesterEdit; just watched that video. This is, as demonstrated, not insignificant. This is serious and can be done quickly as the video shows.

No, it is not serious. If you are already in a privilidged shell, nothing else matters anymore. Not the OS, not the CPU. The system is yours. With or without flaws. And I expect a well regarded website like TPU to point that out to readers.

JadawinNo, it is not serious.

That is only your misinformed opinion. When the company effected by these problems commits resources to releasing full bios revisions for said problems, they are automatically qualified as serious.

JadawinIf you are already in a privileged shell, nothing else matters anymore. Not the OS, not the CPU. The system is yours. With or without flaws. And I expect a well regarded website like TPU to point that out to readers.

Thanks for the tip. Because really, that hasn't been mentioned already by other users... :rolleyes:
This constant and pathetically lame referencing to "priviledged shell" or "admin authority" and whatnot is not the issue certain "people" are trying(and failing) to make it out to be. Finding systems on a network that have admin is not a difficult task, nor is artificially granting admin to a system that doesn't have it. If you don't understand these points, you have the problem.

lexluthermiesterEdit; just watched that video. This is, as demonstrated, not insignificant. This is serious and can be done quickly as the video shows.

The people who got payed $14,000 by CTS-Labs differ with you.

TOBThere is no immediate risk of exploitation of these vulnerabilities for most users. Even if the full details were published today, attackers would need to invest significant development efforts to build attack tools that utilize these vulnerabilities. This level of effort is beyond the reach of most attackers

The reason they slowly drag out videos is to keep their relevancy up. Why release it all at once if you can drag your name through news for weeks and months. CTS Labs is shit. For a bunch of smart people they act really dumb.

XzibitThere is no immediate risk of exploitation of these vulnerabilities for most users. Even if the full details were published today, attackers would need to invest significant development efforts to build attack tools that utilize these vulnerabilities. This level of effort is beyond the reach of most attackers

Most not all. The majority of the script-kiddies out there are of little concern, true, but it's the ones with real skills that are of concern. And there are a lot of them. Do you want to be the nitwit who told their boss it was nothing to worry about and then was victimized by the very same problem? You'd be out of a job so fast it would make your head spin. EVERY vulnerability like this is a serious vulnerability which requires serious attention and consideration. It would be irresponsible, negligent, reckless and unprofessional to treat this with less seriousness than any other system cracking vulnerability.

RejZoRThe reason they slowly drag out videos is to keep their relevancy up. Why release it all at once if you can drag your name through news for weeks and months. CTS Labs is shit. For a bunch of smart people they act really dumb.

Enough with the FUD. Try taking off the tin hat and seeing the problems for what they are.

lexluthermiesterMost not all. The majority of the script-kiddies out there are of little concern, true, but it's the ones with real skills that are of concern. And there are a lot of them. Do you want to be the nitwit who told their boss it was nothing to worry about and then was victimized by the very same problem? You'd be out of a job so fast it would make your head spin. EVERY vulnerability like this is a serious vulnerability which requires serious attention and consideration. It would be irresponsible, negligent, reckless and unprofessional to treat this with less seriousness than any other system cracking vulnerability.

Drama much?

People in such positions wouldn't be screaming the sky is falling either or running to replace the entire network when ever they get whim of a new exploit.

Lets weight this one out. Forum warriors screaming the sky is falling vs Security firm with 6yrs experience in the industry that got payed to review it with all the tools. Hmm.. tough call >Sarcasm<

lexluthermiesterbut it's the ones with real skills that are of concern

They are probably busy trying to bypass the latest Meltdown and Spectre patches, or find other vulnerabilities, because all big corporations/banks/whatever and all governments are still using equipment based on Intel CPUs.

lexluthermiesterEVERY vulnerability like this is a serious vulnerability

It's only serious because CTS gave no time to AMD to prepare patches before the info gone public. But it's not as serious as Meltdown was and let's not forget that Intel had to work for a couple of more months after Meltdown was known to prepare patches for older CPUs and fix some of the first patches that where leading to system instability. I wonder if there where IT heads spinning when Meltdown was gone public and until the date Intel gave stable patches for all latest generation CPUs. Also in the case of ASmedia we have no reply from Intel, motherboard manufacturers or ASMedia itself, as fas as I know, so probably some heads are still spinning, while trying to disable throught the BIOS, ASMedia chips on board of Intel motherboards.

XzibitDrama much?

Only responding to your comment. I didn't start it.

XzibitPeople in such positions wouldn't be screaming the sky is falling either or running to replace the entire network when ever they get whim of a new exploit.

Perhaps not, but what they will do is fix the problem by updating the affected systems and review their network security SOP's, looking for and implementing better methodologies as needed. No network is perfect and there is always room for improvement. These vulnerabilities serve as yet another wake-up-call to the dangers that exist in the technological world and why it is important to stay on top of your game.

XzibitForum warriors screaming the sky is falling

No one is screaming the "the sky is falling". Us "forum warriors" are advocating that these problems are to be taken seriously. Anything less would be...

lexluthermiesterirresponsible, negligent, reckless and unprofessional

lexluthermiesterThis TPU bashing crap needs to stop.

How was I bashing? Which part of my statement can be taken like bashng? I was merely stating my own opinion.

That and the point there still is no valid update on CTS-Labs original "13 world-ending exploits" claim.

Just for the lulz, somebody actually made a CTSflaws website.

www.ctsflaws.com


Man these guys are probably looking to short CTS stock value. Oh wait, nvm

ikekeHow was I bashing? Which part of my statement can be taken like bashing? I was merely stating my own opinion. That and the point there still is no valid update on CTS-Labs original "13 world-ending exploits" claim.

Stop trolling please.

lexluthermiesterMost not all. The majority of the script-kiddies out there are of little concern, true, but it's the ones with real skills that are of concern. And there are a lot of them. Do you want to be the nitwit who told their boss it was nothing to worry about and then was victimized by the very same problem? You'd be out of a job so fast it would make your head spin. EVERY vulnerability like this is a serious vulnerability which requires serious attention and consideration. It would be irresponsible, negligent, reckless and unprofessional to treat this with less seriousness than any other system cracking vulnerability.

Enough with the FUD. Try taking off the tin hat and seeing the problems for what they are.

What FUD? Only FUD is from CTS side. It's a TERRIBLE EXPLOIT OH MAH GOD, WAVING WITH HANDS IN THE AIR. And none of these exploits even work without admin rights. LOL? It's more of an inconvenience or a design flaw than exploit or whatever. Given that AMD has responded with a microcode fix for all of them, I see it as a non issue. I do still have a problem how CTS pushed the info out giving AMD just 24 hours, that slandering shit from Viceroy and the fact they keep on making it all about AMD even though what really seems to be the real problem is ASMEDIA which surprisingly no one seems to talk about much. ASMEDIA chipsets come on Intel boards as well and yet all the focus is on AMD for some dumb reason. But sure, it's my tin hat...

I'm actually of the opinion that as an exploitable issue, these don't amount to much. There are very targeted use cases in which some very select users may be concerned, but that's it.

What's more disturbing is that they point to lax practices inside AMD and ASMedia in general. I don't like that. Not that that's anything unusual these days, but that's even more disturbing.

Seriously, if you are going to push "hardware security" try and give a shit about how the hardware thinks, please?