
Our Interesting Call with CTS-Labs - zdw
https://www.anandtech.com/show/12536/our-interesting-call-with-cts-labs
======
tptacek
This is crazymaking. I posted the Trail of Bits technical summary earlier
today:

[https://news.ycombinator.com/item?id=16595184](https://news.ycombinator.com/item?id=16595184)

Trail of Bits --- which has a reputation in the field approaching
"unimpeachable" \--- confirmed a series of serious vulnerabilities. Whether
there are real findings involved in this report isn't in question, and hasn't
been since the day of the announcement, when Dan Guido from Trail of Bits
confirmed that they'd reviewed and confirmed the finding.

It's ironic, or maybe it isn't, that after CTS-Labs published their findings
in a manner basically optimized for innuendo than Anandtech has run a story
that is basically composed of innuendo. Given how charged people's feelings
about AMD seem to be, this is probably manna from heaven for them, and since
CTS-Labs isn't publishing the full technical details, it'll be raining bread
for them for many days to come.

I wouldn't care, except that after the original monster thread about the CTS-
Lab announcement, it's become apparent that HN commenters have a very poor
understanding of how vulnerability research actually works, and Anandtech is
perpetuating some of those myths, like the idea that researchers invariably
(or even routinely) arrange for CVE allocation when publishing new flaws.

~~~
bri3d
I wish they'd gotten some answers for the Viceroy situation, which is the main
sketchy part of this endeavor. Beyond that it seems like a set of real vulns
with pretty real impact hindered for the HN crowd by an overly glitzy PR push.
The ToB blog post is what should have come out concurrently to satisfy the
overly cynical HN crowd - maybe good notes for CTS for next time. It's ironic
that the overall reaction here was so jaded when people are up in arms about
Intel ME every time it's so much as mentioned.

~~~
tptacek
That is not Trail's job.

~~~
bri3d
I'm referring to the interview, which I believed was the context of this
conversation.

~~~
tptacek
My mistake, sorry.

------
newprint
Strange thing about article, is that CTS-Labs founders admit that they used to
work for intelligence. I know several people, who worked for intelligence.
They never say "I worked for intelligence" and instead, tell you what they
currently do and completely bypass "intelligence".

~~~
nl
People from Unit 8200 aren't too private about. They have a pretty good
reputation for founding big, successful companies.

[https://www.forbes.com/sites/richardbehar/2016/05/11/inside-...](https://www.forbes.com/sites/richardbehar/2016/05/11/inside-
israels-secret-startup-machine/#651d7841a519)

[https://en.wikipedia.org/wiki/Unit_8200#Companies_founded_by...](https://en.wikipedia.org/wiki/Unit_8200#Companies_founded_by_alumni)

------
disconnected
Relevant: trail of bits posted a summary of this situation on their blog:

[https://blog.trailofbits.com/2018/03/15/amd-flaws-
technical-...](https://blog.trailofbits.com/2018/03/15/amd-flaws-technical-
summary/)

~~~
disconnected
(replying to myself, sorry if inappropriate)

Possibly also relevant, previous HN discussion on another vulnerability on
AMD's PSP, reported and fixed in December 2017 (but only disclosed in January
2018):

[https://news.ycombinator.com/item?id=16081141](https://news.ycombinator.com/item?id=16081141)

~~~
proaralyst
Just FYI: you can edit your original comment, which is likely the better
method in the future.

------
chx
One note here: David Kanter from RealWorldTech is the, well, real deal. Few,
if any have a better understanding of the chipmaking industry. " semiconductor
industry consultant, " is a very modest description of someone leading RWT for
16 years now.

~~~
jabl
Yeah, though unfortunately it's quite seldom there's new articles on RWT these
days. Mr Kanter is somewhat active on the forum, though.

------
nimrod0
Before anyone claims they know wtf they are talking about, answer the
following real technical questions -- I haven't seen a single one who has
(including the so-called "Trail of Bits"):

1\. Can Ryzenfall and Fallout be exploited without code signed by AMD?

2\. Can Masterkey be exploited even after disabling the PSP in the BIOS which
AMD has allowed since January?

~~~
hoistbypetard
Regarding your first question, why would that matter if the code that is
signed by AMD is out in the wild already and can be executed in a manner that
makes the exploit work?

That is how I read the situation, anyway; I don't think these people who
didn't contact AMD in advance are getting new code signed by AMD to run their
exploit. If they have some means of getting AMD to sign anything they want,
that's bigger news than any of the vulnerabilities they are currently talking
about.

My read was that they're exploiting a flaw in some readily available, already
signed-by-AMD code to load something new and behave badly. If that's the case,
I don't see why the answer to (question 1) would be meaningful. If that's not
the case, do you have a link to the explanation that claims getting new code
signed by AMD is necessary?

------
HugoDaniel
"C: Say, for example, CTS-Labs were in charge of finding Meltdown and Spectre,
you would have also followed the same path of logic?

YLZ: I think that it would have depended on the circumstances of how we found
it, how exploitable it was, how reproducible it was. I am not sure it would be
the case. Every situation I think is specific."

------
dman
Am curious if it is legal to fund security research to find flaws in a
competitors product. If so then going forward this might become a tool used by
hardware / software companies to go after their competition.

~~~
jlgaddis
Google (Project Zero) has found and published plenty of vulnerabilities in
Microsoft products.

~~~
sangnoir
(Part of) HN got real salty after Google auto-published after the 90-day
disclosure deadline expired,but before MS had a patch out. I wonder what the
reaction would be if Project Zero adopted a 24-hour disclosure...

~~~
exikyut
What was this on?

~~~
sangnoir
I believe it was for this remotely exploitable IE/Edge[1] bug.

1\. [https://arstechnica.com/information-
technology/2017/02/high-...](https://arstechnica.com/information-
technology/2017/02/high-severity-vulnerability-in-edgeie-is-third-unpatched-
msft-bug-this-month/)

------
ComputerGuru
I think it was very quickly obvious to everyone what the deal here was. Why
are we still giving them the limelight?

~~~
mizzao
Can you please elaborate?

~~~
Arbalest
Gamers Nexus did a good video. Long story short, looks like an investment
propaganda attempt to try and get a profit out of shorting AMD stock. Whether
this is a cover for anything else is getting deep into conspiracy.

Edit: Not truly fake news

~~~
tptacek
Except that we know it _isn 't_ fake, as Trail of Bits validated the findings
and confirmed serious vulnerabilities.

~~~
ComputerGuru
I have no doubt that the findings are real, but they are more along the lines
of bugs rather than “halt the press” gaping security holes.

We’ve all publicly disclosed and written patches for countless security
vulnerabilities in open source code that’s widely distributed with zero
fanfare - not even a cve - because we realize the difference between a
security bug and a world-stopping, corporation-killing security bug. And the
arrogance of saying something along the lines of “if I gave them a day or a
million years it wouldn’t matter because this bug is too big to fix,” is
beyond comment.

At no point did I give RedHat 24 hours to patch something before coming out
with a well-orchestrated PR campaign with the hype engine on overdrive. Just
submit a patch, make sure they admit they’re wrong and will take the
appropriate measures, and move on.

Now if they found a remote exploit that could let me run arbitrary code on any
AMD processor even in a sandboxes environment... we’d be having a different
discussion altogether.

~~~
tptacek
If you have admin access to these machines, you can persist into the secure
coprocessor. In the presence of these vulnerabilities, it is actually _worse_
to have a secure coprocessor than not to have one at all. They are serious
vulnerabilities; about the worst you can have in an enclave scheme. If SGX had
a comparable problem, it would be headline news.

Does that mean the stock should head to zero, like some crazy prop trading
firm claimed they should? The fuck should I know? I am cynical about the
impact vulnerabilities have on stock prices and don't think consumers
generally care.

~~~
ComputerGuru
I’m with you, but again, context. A compromised machine used to be a hosed
machine until you reinitialized the drive and started clean. People are just
starting to wake up to the fact that there’s another computer in your computer
to which the same maxims apply.

Anyone that is serious about security hopefully knows this.

(I have no skin in the AMD/Intel CPU game. Too many machines running both to
bother. I can’t believe I have to say this on HN, it’s what I’d expect of
[H]ard in 2004.)

------
stuaxo
Dodgy AF,I don't see how anyone with any credibility could work with then in
the future.

