From: Adam Carter
Date: Wed, 14 Mar 2018 15:34:39 +1100
Subject: Re: [gentoo-user] A new AMD CPU weakness?
To: gentoo-user@lists.gentoo.org

On Wed, Mar 14, 2018 at 3:16 PM, Adam Carter wrote:

> On Wed, Mar 14, 2018 at 12:32 PM, Philip Webb wrote:
>
>> 180313 Ian Zimmerman wrote:
>> > https://v.gd/PZkiuR
>> > Does anyone know more details?
>>
>> See LWN. It is being described as a scam by people shorting AMD stock.
>
> Dan Guido / Trail of Bits was paid to review the exploits and has
> confirmed they work. I don't think he'd burn his reputation on this.
>
> The language around AMD shares being worth $0 is clearly absurd and that
> source should be ignored.

From http://www.theregister.co.uk/2018/03/13/amd_flaws_analysis/?page=2

Jake Williams, founder and president of Rendition Infosec, commented on the above quoted disclaimer via Twitter, saying, "I'm pretty well convinced that this is designed to manipulate stock prices. That doesn't make the vulnerabilities fake or any less dangerous (though you need admin access to exploit most)."

Arrigo Triulzi, a security consultant based in Switzerland, described the paper as "over-hyped beyond belief" and added, "This is a whitepaper worthy of an ICO [cryptocurrency initial coin offering]. And yes, that is meant to be an insult."

Google security researcher Tavis Ormandy, responding to Triulzi wrote, "Nothing in this paper matters until the attacker has already won so hard it's game over. Not something I'm too interested in, but maybe DFIR [Digital Forensics and Incident Response] people are?"

Ormandy is referring to the fact that exploiting these supposed flaws requires local administrative access, making them significantly less dangerous than vulnerabilities that can be exploited by a remote, unprivileged user.