Announcement

Collapse
No announcement yet.

Google Even Fear Intel ME, Reduce Their Attack Vector With NERF

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • #31
    Originally posted by chithanh View Post
    Actually, there is an answer since then, and it is much worse than a simple "no":

    AMD said that they don't plan to open source PSP, and that instead they give the code to 3rd party auditors. As if that were in any way an adequate substitute.
    I don't know what y'all were expecting anyway. This is low-level closed hardware. They likely have licensed crap from someone else, because that's how it works in the real world.

    Coupled with the fact that their driver team apparently does not see security as a priority, that doesn't shed a good light on the company. At all.

    https://www.youtube.com/watch?v=UMzXMvOaTZk
    There was also another AMD driver that installed a web service accessible from outside, the PSP drivers https://www.reddit.com/r/Amd/comment...y_pc_publicly/

    Anyway, AMD still has a huge lead on this, as they aren't integrating this broken webserver bs in the chipset itself like some other unnamed company does. They are cutting on development of non-critical stuff, which is unfortunate but can be understandable for now, and PSP is still much less dangerous than ME.

    This is just plain crappy utility software developed by some random intern in half the time needed to make a decent job, that can be easily reconfigured or locked down or firewalled from inside the OS, and on Linux does not work and isn't even remotely necessary.

    Comment


    • #32
      The fact that the software stack shipped with the RAID utilities contains known vulnerabilities, is remotely accessible by default, and runs with system privileges says all. This clearly shows that nobody with knowledge in security has oversight over what software AMD ships.

      And while AMD not open sourcing PSP is deplorable, the reasoning "we show it to 3rd party auditors instead" is much worse than if they had simply said "no". This also shows a total lack of understanding about security.
      Last edited by chithanh; 10-29-2017, 05:42 PM.

      Comment


      • #33
        Originally posted by chithanh View Post
        The fact that the software stack shipped with the RAID utilities contains known vulnerabilities, is remotely accessible by default, and runs with system privileges says all. This clearly shows that nobody with knowledge in security has oversight over what software AMD ships.
        yeah, because all AMD software, from drivers to random crap like this utility uses the same QA, and is under the same pressure.

        Just look at Intel. Their Raid configuration utility is done decently, it is stable and isn't comically unsafe. But their ME runs a server that allows you to login without a password (more or less). And in december there is another ME vulnerability being discussed, and the more white hats dig into the hole the more crap they will find.

        If they used the same QA that vetted their Raid utility they might have catched some of that bugs, but they didn't.

        And while AMD not open sourcing PSP is deplorable, the reasoning "we show it to 3rd party auditors instead" is much worse than if they had simply said "no". This also shows a total lack of understanding about security.
        Oh man, how bad they are. They could have:
        -not answered at all, not even an acknowledge (Intel)
        -not given their code to 3rd party auditors at all (Intel)

        That's totally better and safer.

        They can't opensource licensed stuff so having third party auditors is the best they can realistically do.
        Last edited by starshipeleven; 10-29-2017, 06:29 PM.

        Comment


        • #34
          Originally posted by starshipeleven View Post
          They can't opensource licensed stuff so having third party auditors is the best they can realistically do.
          They could, like Intel does with their "High-Assurance Program", provide a way to disable the PSP. And if they wanted to be good citizens, they could have had that option available to everyone and not just 3-letter agencies like Intel does. But no, instead we get BS about 3rd party auditors. Sheesh..

          Comment


          • #35
            Originally posted by starshipeleven View Post
            They can't opensource licensed stuff so having third party auditors is the best they can realistically do.
            Then allow us to turn it off. Is AMD going to pay for data loss, loss of use, loss of revenue, etc. when the PSP is inevitably hacked, or are they just providing lip service here with no real financial skin in the game?

            The only way the current closed source, non-replaceable, non-disableable PSP might be possibly acceptable is if AMD permanently indemnifies all machine owners against all forms of loss and/or financial harm traceable in any way to the presence of the PSP. No "your system is no longer supported" or "you can't prove the PSP did that", but actual, real indemnification including for all time lost.

            So, what do you say AMD? Are you confident enough in the PSP to offer this?
            Last edited by madscientist159; 10-30-2017, 02:33 PM.

            Comment


            • #36
              Originally posted by jabl View Post
              They could, like Intel does with their "High-Assurance Program", provide a way to disable the PSP. And if they wanted to be good citizens, they could have had that option available to everyone and not just 3-letter agencies like Intel does. But no, instead we get BS about 3rd party auditors. Sheesh..
              Having that option available to everyone seems to not be what whoever asked for these feature wants.

              Comment


              • #37
                Originally posted by madscientist159 View Post
                Then allow us to turn it off. Is AMD going to pay for data loss, loss of use, loss of revenue, etc. when the PSP is inevitably hacked, or are they just providing lip service here with no real financial skin in the game?
                Is this even a real question? They won't unless sued by someone that can stand their ground against them, same story as with Intel (that is also much bigger).

                Comment


                • #38
                  Originally posted by starshipeleven View Post
                  Just look at Intel. Their Raid configuration utility is done decently, it is stable and isn't comically unsafe. But their ME runs a server that allows you to login without a password (more or less). And in december there is another ME vulnerability being discussed, and the more white hats dig into the hole the more crap they will find.
                  Oh spare me the whataboutism.

                  Plus Intel ME is vulnerable in this case not because of the poor design. Software bugs happen and sometimes lead to vulnerabilities. The AMD RAID utility issue is not a simple software bug, but instead displays a shocking amount of ignorance (and lack of oversight) when it comes to security.

                  Originally posted by starshipeleven View Post
                  Oh man, how bad they are. They could have:
                  -not answered at all, not even an acknowledge (Intel)
                  -not given their code to 3rd party auditors at all (Intel)

                  That's totally better and safer.
                  Often it is better to remain silent than to say things that trigger bullshit detectors in a major way. And it is obviously something which AMD said to placate their customers.

                  Comment


                  • #39
                    Originally posted by starshipeleven View Post
                    SMM is a CPU feature reserved as CPU firmware, which is why they are either trying to disable it or giving full control of this feature to the embedded Linux kernel that is replacing the higher functions of UEFI.
                    SMM is not for _CPU_ firmware at all, it is for board control logic, fans and such. Which is much more scary that "CPU" firmware, as board / BIOS vendors are not particularly known for writing the most awesome code, ... :-/

                    Comment

                    Working...
                    X