• isekaihero@ani.social · 35 up · 7 hours ago

    The obvious solution to this is to not seek the bug bounty. The next time a critical security vulnerability is found, sell it to the highest bidder. I’m sure there are black hats out there willing to pay the money that the megacorp refuses to pay out.

      • innermachine@lemmy.world · 5 up · 4 hours ago

        For those that don’t read the article - Paul AGREED to no payment, and later regretted it. Why should AMD pay? They made it clear their policy doesn’t cover MITM attacks and so there is no bounty available for this vulnerability. AMD had and has no obligation to make the pay out, ESPECIALLY when the researcher agreed to no pay out!

    • Jason2357@lemmy.ca · 11 up · 6 hours ago

      I feel for people wanting to be security researchers with a conscience. They used to get thrown in jail or hit with lawsuits. Things progressed to where they could get a tiny fraction of the black market value as a bug bounty, and possibly even make a basic living doing that, but we are probably headed back in the other direction.

      Meanwhile, black hats are sitting in a resort pool somewhere spending the half million some authoritarian regime paid them for a similar exploit, trying to drink enough all-inclusive booze to avoid thinking of the people getting their fingernails pried off in some gulag after getting exposed via said exploit.

    • riko@lemmy.world · 20 up · 2 down · 7 hours ago

      That is essentially the behavior AMD is incentivizing here.

  • liking625@lemmy.world · 13 up · 1 down · 8 hours ago

    Another proof that mega corporations are the equivalent of a selfish sociopath: unreliable, can’t be trusted and must be kept under scrutiny at all times

  • kamen@lemmy.world · 13 up · 11 hours ago

    The impulsive guy in me is thinking that I should cancel AMD over something like this while the rational one remembers that (at least for non-Apple PCs) it’s basically a duopoly and if I cancel the other player over something stupid that they do, I’d be out of choices.

    What do you guys think?

    • innermachine@lemmy.world · 2 up · 4 hours ago

      Do yourself a favor and actually read the article. Not saying AMD is in the right here, but they aren’t in the wrong for not paying Paul when he agreed to no pay out.

    • JayDee@lemmy.world · 11 up · 8 hours ago

      Buy used, compensate for the loss in power with algorithmic ingenuity, yadda yadda.

      Also, if you can do the thing the app does on paper, you should just do it on paper and can save the computer for more difficult tasks like the old-timers that paved the way for our modern-day laziness.

      Use the public library, also.

      I dunno, man. Seems like all the convenient options at this point require you to capitulate to some asshole trying to jack up prices and deny payouts, and the only option now is to take high roads that are unpaved.

      • kamen@lemmy.world · 4 up · 7 hours ago

        My problem with buying used is that some things barely survive the warranty period, so if I can get those two years of warranty, I will. I usually aim towards buying the latest thing and using it for at least 3-4 years for the things that go old the fastest (CPUs, mobos, RAM, GPUs). Other things might last longer - e.g. I just retired a case and a PSU that are 10+ years old (bought new).

        I somewhat agree with your sentiment, but indeed it seems like the more we want to vote with our wallets, the further we stray from practicality.

      • 87Six@lemmy.zip · 6 up · 7 hours ago

        Buy used

        This right here. If people trusted each other more and maintained their stuff more, companies would starve.

        But no. Instead people treat their belongings like disposable trash, and trillionaires take advantage of it.

        It’s our fucking fault. All our fault.

    • potoooooooo 🥔@lemmy.world · 7 up · 10 hours ago

      Honestly? Fuck technology. I’m probably just in a bad mood, but that’s how I feel right now. Get rid of all of it. If you can’t figure it out on an abacus, you don’t really need to know it!

      • JayDee@lemmy.world · 2 up · 8 hours ago

        Algorism outpaced the abacus for a reason, and the slide rule outpaced algorism for a reason as well, but they’re all good skills to have some practice with. Have you ever had to do long division on an abacus? It ain’t pretty.

    • Shanmugha@lemmy.world · 5 up · 10 hours ago

      Same. Unless I live like a hermit in the woods, I am definitely using, directly or not, something (many things) made by a company that has done unforgivable shit. And even if I personally decide “to hell with all this, I can survive just fine”, who will be there to stop them from destroying the whole forest I am supposedly in? Definitely not me

      This does not make things all right as they stand, but it does mean quitting the game is not an option

    • redsand@infosec.pub · 9 up · 17 hours ago

      It could have been worse. The extreme geeks who worked as engineers for AMD pushed to open source their firmware, PSP, everything at one point.

      Can you imagine Nightmare but with PSP or Intel ME? It would be EPYC™

  • kuhli@lemmy.dbzer0.com · 76 up · 7 down · 1 day ago

    Y’all really need to read past the headline:

    the bug that Paul found seemingly wouldn’t be triggered anyway, as the relevant section of the code wasn’t being called to begin with

    • AAA@feddit.org · 13 up · 1 down · 11 hours ago

      If it’s in the code, it’s a bug. If it’s not used, then remove it entirely. Everything in the code should be treated as operational.

      • GreenKnight23@lemmy.world · 9 up · 1 down · 11 hours ago

        ding ding ding!

        no, don’t comment it out.

        no, don’t soft-block it.

        no, don’t not call it.

        just fucking delete it.

    • iglou@programming.dev · 13 up · 17 hours ago

      Even if it was that simple, this is still a vulnerability that is basically a time bomb. The day that code would have been triggered would have been disastrous.

      But this isn’t new, bug bounties tend to have terms as strict as they can to deny you the bounty while they obviously end up fixing issues that don’t qualify for the bounty. All because of reason X or Y that turns out to be a subjective interpretation of a vague enough eligibility requirement.

    • rustydrd@sh.itjust.works · 107 up · 1 day ago

      I guess it’s one of those “justifiable but unwise” sort of things. If your company is doing a bug bounty program to stay on top of security vulnerabilities, what you don’t want is to create the perception that the work of devs who look for these vulnerabilities isn’t appreciated, for example, by skimping on bounties over technicalities.

      Paying the 10k doesn’t ruin the company and allows them to fix a section of code that may become a vulnerability in the future. Not paying the 10k saves them 10k at the price of the devs’ trust that keeps this program effective. From a financial point of view, this is some very poor decision making.

      • Smoogs@lemmy.world · 16 up · 2 down · 1 day ago

        Sure, however it’s still worth calling out that clickbait headlines and reactionary posters are all being bad actors here in the misinformation spread.

        Probably more important as then developers don’t back out over being emotionally manipulated by fake bullshit.

    • monotremata@lemmy.ca · 14 up · 1 day ago

      Okay, yes, but that’s because they had messed up their application enough that the updater itself couldn’t be updated, which they presumably discovered in the process of trying to remedy his bug. That is, the flaw he found couldn’t actually be exploited only because of a deeper flaw he hadn’t found. (Shades of the Sirius Cybernetics Corporation there, whose deep fundamental design flaws were almost totally hidden by their superficial design flaws.) He still led them to a critical vulnerability that took them months to fix.

      • smeenz@lemmy.nz · 4 up · 18 hours ago

        Sirius Cybernetics Corporation? They’re a bunch of mindless jerks who’ll be the first against the wall when the revolution comes.

  • 🇨🇦 tunetardis@piefed.ca · 60 up · 2 days ago

    Researcher commenting on the patch:

    he remarks that the software only checks the validity of the downloaded file using the ancient CRC32 hash that isn’t considered cryptographically secure anymore

    I have to respect the researcher for his incredibly charitable wording here. CRC32 is not even remotely crypto. That’s never been its purpose, and using it for digital signing is patently insane!

    I fear I would have had a much shorter temper after what he’s been through, and yet here he is keeping his cool and his criticism constructive. Good on him.

      • Miaou@jlai.lu · 1 up · 4 hours ago

        Lots of downvotes but no actual answer to your question.

        I assume it’s in case some third parties redistribute the binaries so end users can still check them? Mirrors, internal IT update mechanisms, idk

      • DevDave@piefed.social · 5 up · 1 day ago

        A drug dealer with a heavily armed escort delivers a package of white powder. New problem: is it cocaine, cleaning detergent, anthrax, or some mixture of the former?

      • 🇨🇦 tunetardis@piefed.ca · 2 up · 1 day ago

        I suppose if the only way to obtain the patch were through an automated download from the AMD website, the authentication through the site certificate would be better than nothing. But this is a security patch, and I think the researcher is right in pointing out that the bar needs to be higher?

      • Buddahriffic@lemmy.world · 1 up · 1 day ago

        My version of questioning this is if the same source is providing both the file and the hash, does it matter how hard it is to fake the hash? It could just generate a new hash for the fake file, couldn’t it?
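The two points raised above (tunetardis: CRC32 is not a cryptographic check; Buddahriffic: a hash served from the same source as the file proves nothing) can be shown concretely. The following is an added example, not code from the article, from the researcher, or from AMD's updater. It uses the well-known CRC fix-up technique: because CRC-32 is linear, four bytes appended to any substituted file can be solved for directly so that the file matches whatever CRC the updater expects. The "driver package" bytes are constructed for the demo, and the pinned SHA-256 stands in for a value the client obtained over a channel the attacker does not control (in practice that would be a signature over the package or its manifest, which the Python standard library cannot provide; that part is an assumption of the example).

```python
import hashlib
import hmac
import zlib

# Reflected CRC-32 as implemented by zlib.crc32: polynomial 0xEDB88320,
# initial register 0xFFFFFFFF, final XOR with 0xFFFFFFFF.
def _make_table():
    table = []
    for k in range(256):
        c = k
        for _ in range(8):
            c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
        table.append(c)
    return table

CRC_TABLE = _make_table()
# Each of the 256 table entries has a distinct top byte; that property turns
# the forgery below into four table lookups instead of a search.
_BY_TOP_BYTE = {t >> 24: k for k, t in enumerate(CRC_TABLE)}
assert len(_BY_TOP_BYTE) == 256


def forge_crc32_suffix(data: bytes, target: int) -> bytes:
    """Return 4 bytes s such that zlib.crc32(data + s) == target.

    The per-byte update is reg = T[(reg ^ b) & 0xFF] ^ (reg >> 8), so after
    four appended bytes the register is exactly
        T[k4] ^ (T[k3] >> 8) ^ (T[k2] >> 16) ^ (T[k1] >> 24)
    (the old register has been shifted out entirely).  Peel k4..k1 off the
    wanted value one byte at a time, then walk forward to find the bytes
    that select those table indices.
    """
    reg = zlib.crc32(data) ^ 0xFFFFFFFF          # internal register after `data`
    rem = (target ^ 0xFFFFFFFF) & 0xFFFFFFFF     # internal register we must reach
    ks = [0, 0, 0, 0]                            # ks[i] = table index used by byte i+1
    for i in (3, 2, 1, 0):
        k = _BY_TOP_BYTE[(rem >> (8 * i)) & 0xFF]
        ks[i] = k
        rem ^= CRC_TABLE[k] >> (8 * (3 - i))
    assert rem == 0                              # the decomposition is exact
    suffix = bytearray()
    for k in ks:
        suffix.append((reg ^ k) & 0xFF)          # byte b with (reg ^ b) & 0xFF == k
        reg = CRC_TABLE[k] ^ (reg >> 8)
    return bytes(suffix)


def verify_crc32(blob: bytes, expected_crc: int) -> bool:
    """What the article says the updater does: an integrity check only."""
    return (zlib.crc32(blob) & 0xFFFFFFFF) == expected_crc


def verify_pinned_sha256(blob: bytes, pinned_hex: str) -> bool:
    """A hash only helps when `pinned_hex` comes from somewhere the attacker
    cannot write to (compiled into the client, or covered by a signature).
    A hash served next to the file on the same channel adds nothing."""
    return hmac.compare_digest(hashlib.sha256(blob).hexdigest(), pinned_hex)


def demo() -> dict:
    # Constructed sample package; not a real AMD file.
    legit = b"GENUINE DRIVER PACKAGE v1.0 " + bytes(range(64))
    published_crc = zlib.crc32(legit) & 0xFFFFFFFF
    pinned_sha256 = hashlib.sha256(legit).hexdigest()

    # An attacker in the download path swaps the payload and appends four
    # bytes so the CRC-32 the updater expects still matches.
    evil = b"MALICIOUS PAYLOAD v1.0 " + bytes(range(64, 128))
    evil += forge_crc32_suffix(evil, published_crc)

    return {
        "crc_accepts_evil": verify_crc32(evil, published_crc),        # True
        "sha256_accepts_evil": verify_pinned_sha256(evil, pinned_sha256),   # False
        "sha256_accepts_legit": verify_pinned_sha256(legit, pinned_sha256), # True
    }


if __name__ == "__main__":
    print(demo())
```

The forged suffix is found with four lookups, no brute force, which is why a CRC proves nothing against a substituted file. The pinned hash rejects the substitution, but only because the expected value was not fetched alongside the file; move that value onto the same server and the same "it could just generate a new hash" objection applies, which is why release verification normally uses a signature checked against a key shipped with the client.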

  • iturnedintoanewt@lemmy.world · 54 up · 1 down · 2 days ago

    Holy crap. I’d say not to buy AMD if you value your security (I have an AMD CPU and the Deck too). You already know that for the next vulnerability, they’re going to be the last ones to find out. In the news, probably.

    • Cocodapuf@lemmy.world · 9 up · 1 day ago

      Ok, so the alternative is buying Intel/Nvidia. Surely they’ve never done anything problematic, so this is a good plan.

          • Lost_My_Mind@lemmy.world · 2 up · 12 minutes ago

            Ya know…being alive isn’t really that fun anymore. I’ve always loved the surreal humor, and absurdity that you can create nonsense from. How am I supposed to be a surrealist comedian if every stupid thing I say is actually real, and already happened??? Not to mention the rise of AI where even the stupid things that aren’t real can be claimed as real? Old people already have enough issues understanding real life when everything is real life. I’m 42, and AI imagery and videos are starting to become hard to tell when something is fake. Imagine how indistinguishable it will be by the time I’m 80. The technology will be so advanced that AI will CREATE reality.

            Not saying what you posted is AI. I’m just saying that when I posted that, my line of thinking was “Ok, what’s something really really stupid I can say as a concept?”. That was what I came up with for something so stupid it has to be absurd.

            And then you showed me it’s real, and already happened. How is my absurdist humor supposed to compete with real life when real life is SOOOOOO stupid already, and getting dumber by the day??? Oh, hey, did you guys see any of that UFC cage fight on the front lawn of the white house? I promise you, I’m NOT making this up. That’s real. That happened. We’ve changed the genre of Idiocracy from comedy, to documentary.

            We live in the dumbest timeline.

            (btw, I upvoted you. I’m mad at real life, not at you)

            • luluberlue@lemmy.blahaj.zone · 1 up · 5 hours ago

              It’s just that Intel NUC and a bunch of select laptops needed beefy (well, beefier than Intel HD at least) onboard GPU that Intel was unable to produce at the time, soooo, this… thing was born.

    • BlackLaZoR@lemmy.world · 17 up · 1 day ago

      Under Linux, AMD GPU is the only sane solution though, due to open source drivers. And Intel CPUs have a history of cooking hard.

      • DupaCycki@lemmy.world · 5 up · 15 down · 1 day ago

        It’s not. RISC-V and ARM exist. You can buy laptops based on either of these architectures for a very reasonable price, compared to Intel and AMD’s x86 offerings.

        Of course, that means no AAA gaming, for the most part at least. But then again, who even plays AAA games these days?

        • BlackLaZoR@lemmy.world · 14 up · 1 day ago

          But then again, who even plays AAA games these days?

          Gaming industry is way bigger than movie industry. Almost everyone plays games.

          Steam alone has like 40 million concurrent players right now.

          • woelkchen@lemmy.world · 3 up · 23 hours ago

            Gaming industry is way bigger than movie industry. Almost everyone plays games.

            Most money goes into mobile money traps, though.

        • Link@rentadrunk.org · 22 up · 1 day ago

          But then again, who even plays AAA games these days?

          Err many people? And Linux gaming is on the rise too.

          • DupaCycki@lemmy.world · 2 up · 1 down · 7 hours ago

            Linux gaming is perfectly fine.

            ARM gaming isn’t. Let alone RISC-V gaming. Not AAA at least. You can play pretty much all older and lighter games on anything starting from Snapdragon 8 Gen 2. Which is perfectly fine for me personally. However, if you want to play more demanding titles, ARM isn’t gonna cut it at the moment.

            Err many people?

            Well, many people smoke too. Could not care less about it.

        • woelkchen@lemmy.world · 2 up · 22 hours ago

          RISC-V and ARM exist. You can buy laptops based on either of these architectures for a very reasonable price, compared to Intel and AMD’s x86 offerings.

          Have fun dealing with that Device Tree bullshit because hardware autodetection is so 1998.

          • DupaCycki@lemmy.world · 1 up · 7 hours ago

            It’s all a matter of [relatively minor] investment into R&D. Would you prefer being a subject of Intel and AMD’s perpetual x86 duopoly forever?

            They can set whatever prices they like, because nobody else is allowed to touch their little instruction set. With the tiny exception of a Chinese company whose best CPU is the equivalent of an 8th gen i5.

            You’ll pay whatever they demand or you won’t have a PC. Yeah, this is so much fun compared to ‘dealing with ARM bullshit’.

            This entire architecture has lived way past its time. Intel and AMD being utter garbage corporations did not help in the least.

            Let it die along with those two dumpster fires, and move on.

            • woelkchen@lemmy.world · 1 up · 4 hours ago

              Would you prefer being a subject of Intel and AMD’s perpetual x86 duopoly forever?

              That’s not how patents work. x64 patents lapse sometime THIS YEAR. Everyone can make 64bit x86 CPUs.

        • exu@feditown.com · 6 up · 1 day ago

          Consumer ARM hardware mostly needs customized images for each board. Plus, depending on your CPU manufacturer you’ll be stuck on an ancient kernel version to get full functionality.

        • ChilledPeppers@lemmy.dbzer0.com · 2 up · 1 day ago

          (Serious) is there really a reasonably priced arm laptop? Which one? I only see apple silicon and some over 2k dollars laptops. Does it have good battery life and performance?

      • ferrule@sh.itjust.works · 4 up · 1 day ago

        It was physics and battery sizes to blame for why we have drifted from the 5 GHz x86 CPU to the 32 core x86 CPU. I never thought the rush to ARM/RISC-V would be because Intel and AMD are run by morons.

    • Peter1986C@nord.pub · 2 up · 1 day ago

      The Steam Deck does run Linux, right? Generally that means the used drivers are not written by AMD and also do not have an auto-updater from AMD. The Deck is supposed to update through its OS’s package manager and supposedly has the Mesa and Linux Foundation drivers in use.

      • BlackLaZoR@lemmy.world · 1 up · 11 hours ago

        AMD does contribute to Mesa and the kernel driver. It’s all open source, but they do a lot of heavy lifting regardless

  • arsCynic@piefed.social · 5 up · 2 days ago

    If anyone could provide an AMD email to ask for a statement concerning this issue, that would be nice.

    • kuhli@lemmy.dbzer0.com · 9 up · 2 down · 1 day ago

      I don’t think a statement is really needed here, this wasn’t a vulnerability, the code was never called. Even if the code were called, the $10,000 bounty is for a different type of bug entirely too

      • baines@lemmy.cafe · 4 up · 1 day ago

        so stacking vulnerabilities is a thing

        if the code exists it can be called

        this is a valid bug and it’s silly to rule lawyer something like this

        so good job amd, you are ‘actually’ right,

        this totally won’t cost you in the long run at all

        god damn do lawyers and business majors need to stop making tech decisions