Have they not understood what currently is happening with Microsoft?
Advertising that you stiff smart people who know your architecture? Good luck AMD.
Well the next time someone finds a bug in their software they will have to find other ways to monetize it.
A long time ago I felt like bug bounty programs would be an amazing way forward… Now I’m firmly in the camp of fuck it, sell it to the highest bidder.
The only issue with doing that is selling it to a nefarious party hurts the users and not really AMD. Or at least it isn’t hurting AMD anywhere near as much as it might hurt an innocent party.
And that is a risk AMD is willing to take.
Depends if the company has a history of honoring bounties or not.
This is going to work out really well for AMD. Any future vulnerabilities will most certainly be reported to them, responsibly. Right?
Totally. If they happen to be the highest bidder on the dark web that is
My favourite part was when they rejected the flaw saying it’s out of scope for their bounty program but still wanted him to keep it secret because of the rules of the bounty program. The same bounty program that didn’t cover it.
Didn’t Microsoft just pull this same thing and now there’s all these 0-days getting released publicly as vengeance? I swear, all these companies are sharing the same brain cell…
all these companies are sharing the same brain cell…
This cell is called investors.
all these companies are sharing the same brain cell…
they all have upper management that went to the same schools and the same classes, so they’re all indoctrinated the same way.
And the people in the houses
All went to the university
Where they were put in boxes
And they came out all the sameAnd there’s doctors and lawyers
And business executives
And they’re all made out of ticky-tacky
And they all look just the sameAnd they all play on the golf course
And drink their martinis dry
And they all have pretty children
And the children go to schoolAnd the children go to summer camp
And then to the university
Where they are put in boxes
And they come out all the samePlus they are following the lead of the leadership of the country, which is cheating everyone that you are able to.
Trump too has a degree in economics and went to a prestigious finance school so that tracks.
‘Donald Trump was the dumbest goddamn student I ever had!’
Trump didn’t pass any of his classes or do any of his own work, though. He didn’t learn anything because he’s fucking stupid.
Exactly. The engineering teams are in the background saying to pay him.
Yep, the Nightmare Eclipse* crashout continues to be endlessly entertaining and a train wreck for Microsofts security devs.
*Thanks for yhe name correction.
*Nightmare Eclipse
AMD told MrBruh that all update communications now use HTTPS and that updates undergo signature verification. The researcher says he verified the HTTPS claim, but found only a CRC32 check on the downloaded executable, which is not considered a cryptographic signature.
This is the most shocking part. You’d think that AMD as a high-tech company has some smart people working for them. These are very basic things that any half decent programmers should get right. If at no part of the process of implementing this anyone brought up that this is not secure, that is extremely worrying and indicative of a very broken development process. It’s not like a proper cryptographic signature costs extra. This is just pure incompetence.
The very smart people working on their architecture and chip design are very much not the same people who are working on their desktop software.
Not surprising at all. I work in IT and security is by and large reactionary and based on scans that are often rudimentary. As far as training devs on good security practices there’s next to nothing. You learn from getting your hand slapped or you don’t learn at all.
As someone who is frequently the one slapping hands (and backs of heads), I can confirm this.
And still they don’t learn.
Well the next time someone finds a bug in their software they will have to find other ways to monetize it.
AMD has always sucked at making software. The reason why NVidia gained the AI market is because NVidia worked to write and support all the CUDA libraries. AMD devs are so bad they even struggle to just replicate the APIs NVidia already designed year earlier (ROCm/HIP projects). Even Intel who arrived much later almost managed to catch up with their own HW/SW stack (I think they gave up afterward).
The problem with using CRC32 is it reversible and has high collusion rate. An attacker can easily make a file the generates the same hash. This tool a few minutes of searching online. It appears that people who work at AMD don’t even know how to do proper research. All they have to do is look up how to make a secure updating process.
The problem is that a CRC32 checksum is not a signature. Doesn’t matter if they use the most complex checksum in the world or not, what they need here is a signature
Day by day, vibe-code all the way…
What does it matter if it’s CRC or sha512 if they are using an unsecured connection to transmit them? A stranger who has already acquired capability to modify the payload in transit can also modify the checksum. A better hash will not solve this problem.
They use https now, but use CRC for signature verification:
AMD told MrBruh that all update communications now use HTTPS and that updates undergo signature verification. The researcher says he verified the HTTPS claim, but found only a CRC32 check on the downloaded executable, which is not considered a cryptographic signature.
I could be wrong here, but I believe they should use a combination of SHA256 and PGP for signature verification.
Oh, okay, so maybe I misread the sentence. I thought the implication was they used crc32 as opposed to HTTPS. Not sure why you need an additional layer in addition to https- as long as the certificate chain is setup properly. And again, you’re not gaining additional security if you submit the hash (or a gpg key) through the same channel. So if they already use https and just want to check for broken downloads, crc32 is perfectly fine. It’s just security theater at that point.
An attacker can still send a compromised payload if there’s no signature verification of the update. It takes a more sophisticated attack (e.g. supply chain attack, hijacking AMD’s update website, etc.) but it has happened before to other companies. If the payload is signed and verified, an attacker would also need to gain access to AMD’s private key to successfully send out a bad update. Assuming reasonable security, getting that private key would be a lot harder to get on top of somehow compromising AMD’s update web service.
Also CRC checks over the internet are sort of silly and redundant since every packet sent would already be subject to a similar CRC check and bad packets would be ignored (dropped and re-requested). It would only prevent corruption on disk or in memory which are a lot less likely than transmission corruption.
I swear, AMD and Microsoft are two brain cells competing for third place
What a stupid expectation. A company with a market cap of 700 billion can’t just throw 10.000 bucks around. Ya’ll need to think of the sustainability of the company.
Nothing quite like creating a specific incentive for researchers to seek “alternative” sources of income as payment for their research efforts.
Microsoft tried this … seems to be working out for them … not.
But they saved themselves a whopping $10,000. It’s not like AMD has that kind of money to throw around.
They really do be stepping over dollars to pick up pennies.
Or in this case, to save them.
Fuuuuuck. I guess I’m switching back to Intel. I really don’t want to give money to NVidia, þough.
All tech companies suck at some level. I choose AMD cause I’ve had good experiences with their products. Not for any moral reasons. There is no moral consumerism when it comes to silicone. So just choose what you like and try not to think too hard about it.
That’s the dumbest reason why. Intel is a shitty company
AMD seems to be trying hard to catch up in þat area.
Nvidia has a large, multibillion dollar stake in Intel. Additionally, the federal government has a 10% stake in Intel.
Oh, yeah. I forgot about Trump’s graft project. Well, hopefully it won’t be too long before a RISCV CPU becomes a viable alternative, but I’m not too optimistic. My experience wiþ ARM64 is þat a lot of software still isn’t available and doesn’t compile for it, and RISCV is so far behind. Even if it catches up to ARM in speed (much less AMD64), it’s going to be forever before þe cornucopia of FOSS catches up.
