AMD Gaslights Security Researcher, Changes Rules Retroactively [video](www.youtube.com)
23 pointsby SockThief4 hours ago6 comments
  • tptacek3 hours ago
    AMD didn't deny it was a vulnerability; they denied it was in the scope of the bounty program.

    Remember that at giant tech companies, the incentive is to pay out bounties --- there are people on the vendor's team whose performance is measured in part by how much the program pays out.

    • odyssey73 hours ago
      What hair is this splitting? The issue was that AMD allowed a known and serious security vulnerability to exist within their customers’ systems, for months, and acted with a lack of candor while doing so.
      • tptacek3 hours ago
        It's not hair-splitting; it's central to the idea of a bug bounty. Too many people have weird ideas about what bug bounties are for.
        • Hizonner3 hours ago
          Yeah, like the weird idea that those programs are intended to in some way reduce the number of exploitable bugs actually out there.
          • tptacek3 hours ago
            That's in fact often not their core purpose!
            • JumpCrisscross3 hours ago
              What is it?
              • tptacek2 hours ago
                (First, I'm sorry I was so terse upthread; I had to get up early for a meeting and was scrolling HN in bed while it was happening without my reading glasses on; I should learn to stop commenting when I'm like that.)

                I've written about this before here, but to sum it up:

                * Unless something wild happens in software engineering (formal methods, &c) as a result of AI, there's no such thing as eradicating security vulnerabilities. Focused programs can eliminate low-hanging fruit, but at the point where you're offering significant bounties part of the premise is that all that fruit has been plucked. The marginal security impact of a single bounty award, by itself, is immaterial.

                * What bounty programs can do is focus internal engineering attention. Large product teams have huge backlogs of issues and security design punch lists. For features and feature bugs, there's a closed loop that prioritizes the work: the market. For security vulnerabilities, bounties serve a similar purpose. This is why many bounties are tightly scoped; the whole point of the program is to direct the efforts of specific product teams.

                * When we're talking about 10,000+ person engineering teams, the most important thing to know about bug bounty programs is that the company is incentivized to pay out. No major tech company that runs a bounty is "covering up" vulnerabilities. There's no reason for them to do so. They're running a program that ostentatiously pays rewards to people who report vulnerabilities! There are people on the teams managing the bounties who in effect get paid more when the program pays out more: that's what success looks like.

                You add all this stuff up and all the drama about AMD (or Google or whoever) being shady or stingy basically never add up.

            • Hizonner2 hours ago
              ... which is why the rest of us should give them, and those who operate them, zero respect.

              Nobody but AMD gives a fuck about AMD's internal policies or motivations.

              • tptacek2 hours ago
                I have thought about AMD's security team and their practices once in the past 18 months, and it was this morning, reading this thread. I do not care about AMD or what you think about AMD. AMD has absolutely nothing to do with my point.
    • sakkura3 hours ago
      They wanted to keep it quiet. As if they did not mind if it was exploited by those with access to international network links.
  • Bender4 hours ago
    The discussion the video references [1]

    [1] - https://news.ycombinator.com/item?id=46906947

    • scw3 hours ago
      The original post [1] now includes an update:

        UPDATE! Within a day of this blowing up on Hacker News, AMD reached back 
  out to me and said they would be looking into the matter after all.
      [1] https://mrbruh.com/amd2/
  • bri3d3 hours ago
    Actual write-up rather than overwrought YouTube drama: https://mrbruh.com/amd2/

    A non-default-installation set of AMD tools (Ryzen Master and probably others) had an auto-updater which used HTTP instead of HTTPS. It's clear this is a feature they'd basically forgotten about; it even pointed to an ATI domain. A third-party bug bounty company rejected it because MITM was out of scope. AMD are incompetent at making software (news at 11), kept asking for extensions, and took an incredible amount of time to deal with it. Eventually they removed this updater entirely and replaced it with one in the app (rather than the installer) that uses HTTPS + a CRC32 (for some reason). The initial vuln was very stupid and should have been fixed faster. As for the current system, if you're mad about HTTPS-protected auto-updaters (which is valid), you've probably got a lot of them to go to war against.

  • ChrisArchitectan hour ago
    Some more discussion today via dev's submission:

    https://news.ycombinator.com/item?id=48492215

  • thesuitonym2 hours ago
    Gaslighting does not mean lying.
    • happytoexplain2 hours ago
      Yeah, it's annoying. But it's been captured by popular culture as meaning a blatant lie - one where the liar knows the truth is or was available/obvious. A "don't piss on my leg and tell me it's raining" lie.

      Or, alternatively, and especially in gender relations, any lie intended to manipulate or demean another person. As opposed to lying to protect yourself, to swindle somebody, or some other reason. This is closer to the original idea, but still not there.

  • sakkura3 hours ago
    Such a bug could have been exploited by certain big state actors.

    Those that have access to international network links.

    Those that have the ability to generate new firmware that simply passes the CRC32 checksum.

    • tptacek2 hours ago
      A bug in a nonfunctional autoupdater. Big state actors. Got it.