TechPulseTechPulse
Back to News
Advertisement
Advertisement

⚡ Community Insights

Discussion Sentiment

38% Positive

Analyzed from 1742 words in the discussion.

Trending Topics

#amd#software#gpu#cuda#mitm#don#problem#https#data#why

Discussion (42 Comments)Read Original on HackerNews

Terr_about 2 hours ago
> Final update: A couple of days before the embargo ended (and after I wrote the majority of this blog post), AMD told me what their patch for this vulnerability is [...] Although it is true that they now fully use HTTPS, the claim about signature verification is untrue; they only perform a CRC-32 check on the downloaded executable, which is not cryptographically secure.

So solves the MITM, but massive infection is still trivial if someone compromises the webserver.

tlbabout 4 hours ago
It's ridiculous to consider MITM attacks out of scope for taking over your computer. Also, there are probably ways to exploit this without a true MITM like DNS cache poisoning. But it's best to just assume the whole internet is MITMed.
amiga386about 3 hours ago
MITM where attacker needs to install their own CA certs on the victim's device -- sure, out of scope.

MITM because you used http instead of https and you don't have any other verified cryptographic signature on your data -- get tae fuck, fix it pronto.

pietervdvnabout 3 hours ago
I'd even count this as "having local access to the device", as that is what is needed to install such a cert
arcfourabout 1 hour ago
I think it's fair to say that requiring local administrative access to the device is out of scope, since you have already completely pwned the device in that case, which is what what you need to install a CA cert on any OSes.
joxdosbaabout 2 hours ago
Why would anyone ever exclude true mitm?

Various domain registrars have been compromised over and over again (often by children!), resulting in companies like Tesla and Cloudflare getting owned.

The reality is that any vaguely competent attacker can compromise a court clerk and just compel e.g. the .com registry to hand over whatever domain they want.

Although I suppose the aforementioned problem has significant implications beyond dns…

gruezabout 2 hours ago
>Why would anyone ever exclude true mitm?

Same reason security programs exclude social engineering, even though that's a pretty common way for companies to get pwned.

zullnabout 1 hour ago
Excluding SE is to make sure people do not spam customer support and launch annoying phishing campaigns. None of that is applicable for local software running on your own computer.
tuckerpoabout 3 hours ago
Out of scope in this case means "we don't wanna pay you"
cogman10about 1 hour ago
Apparently it also means "We don't want to pay our engineers to fix this".
sigmoid10about 4 hours ago
Out of scope does not necessarily mean out of impact. It is merely a question of how far a company wants to be responsible for the environment their software is run in. Most of the time that answer is "not much."
dlcarrierabout 3 hours ago
But I use a Wi-Fi password, so my phone says it's secure!
asveikau24 minutes ago
> 124 days to get AMD to add an s to a couple of HTTP URLs!

I disagree that they should only add HTTPS and call it done. They should also add some kind of signing check before running the payload.

If anything I'd say HTTPS is optional if they do that part.

nickdothuttonabout 3 hours ago
AMD's inability to make good software has been a recurring problem for decades. Many years ago I had some success with their optimising compiler, but everything else I've touched was bad. A real pity.
RachelF21 minutes ago
Yes, their software is terrible across CPUs and GPUs, and continues to be. So many trivial bugs just never fixed.

It has literally cost them a Trillion dollars in market cap - Nvidia's CUDA is a big reason they're so much bigger than AMD.

Bilal_io11 minutes ago
Their pay is shit. I interviewed with them 3 years ago and they offered me peanuts I rejected their offer.
dcminterabout 4 hours ago
The "signature verification" in the fix being CRC32 is pretty hilariously clueless.
jeroenhdabout 3 hours ago
It's technically possible (though I don't know if they actually do this) that they're not referring to a signature check in the download part, but are verifying the code signing signature of the executable downloaded. You'd only notice the CRC if you were looking at the downloaded content, but if the updater refuses to launch an executable that isn't signed by AMD's cert then they would be fine.

Given the way AMD has been treating this issue, I'm assuming they're just incompetent, though.

10000truthsabout 1 hour ago
The article has a screenshot of the decompiled code showing that they're just running the downloaded executable immediately, without any additional checks on the content.
LgWoodenBadgerabout 3 hours ago
A manager somewhere made the embarrassingly wrong decision to not fix this, and they’re too egotistical to correct their mistake.

That’s my take.

throwway120385about 3 hours ago
Especially because if they had read about or studied this problem they would find tons of prior art where CRC32 was considered not secure for solving the problem. CRC32 solves a different problem -- how do you verify that the data that was received is identical to the data that was sent. It makes no guarantees about who is sending the data, which is the real problem signatures solve.
wat10000about 3 hours ago
More specifically, it solves the problem of verifying that the data received was not accidentally corrupted somehow. Unlike cryptographic hashes, CRC32 does not do much to defend against deliberate, malicious modification. It's too easy to craft some different data that matches a given CRC32 value.
AlotOfReadingabout 3 hours ago
Computing a CRC is equivalent to attacking it. The checksum is the value that produces a certain fixed constant when appended to the data. This is why you'll often see checksums as the last field in a message. It allows for hardware to verify the entire message by checking if the CRC of the bytes equals that fixed constant without having to parse it.
sitkackabout 3 hours ago
They should have done base64 encryption before the crc32. noobs
bwfan123about 4 hours ago
> In my frustration, I decided to punish this software

Love this. I am frustrated by idiot software features everywhere, but am not triggered yet to punish them. AI automation is coming close however.

hilariouslyabout 2 hours ago
I got so mad at plex/jellyfin's crap I vibe coded an entire entertainment system out of spite.

Works great!

OkayPhysicistabout 3 hours ago
AMD's utter incompetence when it comes to the software side of things is truly, truly baffling to me. It's not like you need a mountain of developers, a team or two on the right project would do wonders for their market share.

For example: Implement the CUDA. CUDA's won, hands down, that toothpaste is solidly outside the tube. Luckily, to the outside observer CUDA is just an API, and API's aren't copyrightable. Literally nothing is stopping AMD from hiring a relatively small team of developers to make AMD GPUs CUDA-compatible.

20k15 minutes ago
AMD's entire software development strategy is insane. OpenCL was doing reasonably well, and then AMD have just fully dropped support for some reason. For the - albeit not huge - but actual cross platform API that people were using to develop for their GPUs. For a while, a few cross platform tools had OpenCL backends, but nobody has been able to get AMD to fix any of the damn bugs. In my testing, bug latency for even the most trivial but important bugfixes is often 4+ years, which is utterly mad. Some parts of their compute stack is so broken its clear that nobody has ever used it. There are exploitable privilege escalation vulnerabilities caused by threaded race conditions that are wontfix

They could support OpenCL 3.0. Nvidia do. AMD just chooses not to, even though they're the ones that desperately needs to support it most

Instead, we got ROCm which has been a disaster from start to end. It barely supports windows or consumer GPUs, for some reason. Its a buggy mess, for some reason. HIP/ROCm has worse performance than OpenCL, because they downgraded their compiler and stopped extracting read/write information on variables leading to a massive loss of parallelism and utilisation on their GPUs.. for some reason. Why? What are they doing? How is this so rubbish?

Literally ALL of this is WONTFIX, and I don't have a clue why. I've filed bugs, was part of their vanguard supporter program, have tried to reach out to AMD people to (gently) explain why good support is important. Or even just figure out what technology they're even intending to support for GPU development. Is ROCm deprecated? What should we be using on windows for GPU compute on consumer hardware AMD? For the love of god amd I want to make you money

As of 2026, the best cross platform cross vendor API for doing GPU compute is.. drumroll.. OpenCL 1.2. Vulkan is getting there, but its still missing a bunch of stuff. And this is literally AMDs direct fault at this point

hgoel42 minutes ago
HIP tries to be like this, almost API compatible with CUDA such that you just need to do find and replace. I think they even had a script to do this for you.

But the issue remains that the actual support and debugging tools remain so atrocious that it doesn't help to combat the CUDA monopoly. They've further burned a lot of trust by never really delivering on their promises to do better unless you're a customer large enough to get personalized attention from their engineers.

This ends up being a double whammy because not only are you pushing away smaller businesses, you're also pushing away single developers that go on to influence purchasing/development decisions.

z3ratul163071about 1 hour ago
likewise. i'm bewildered throughout the years.

my suspicion is that it is the company culture: the hardware engineers are the real engineers. software is a triviality left for the lesser minds. the consequence is they mess up every product... everything they do needs software.

actionfromafar44 minutes ago
The argument I have read here on HN, is that CUDA is made for NVidia hardware, and the AMD hardware is not the best fit.

Essentially it forces AMD to play by NVidias rules, exactly like how they were forced to follow Intel rules. (Ignore for a second that the API / ISA boundary is different.)

But despite that, I also believe AMD would be better off just implementing CUDA.

qrobitabout 3 hours ago
previously https://news.ycombinator.com/item?id=46906947
ezoeabout 3 hours ago
> If you are an AMD user...

Don't bother to use Windows?

leecommamichaelabout 3 hours ago
Thank you for looking into this, I also have the annoying pop-up and have been suspicious of it…
Dweditabout 3 hours ago
There's two requests involved for the auto updater, one to grab the XML file, and one to grab the driver file over plain http.

If the autoupdater can't handle the redirection when grabbing the XML file, then it's a case of accidental safety by mistake that would prevent grabbing the plain http file.

Advertisement
greenavocadoabout 2 hours ago
Congratulations, you found the government backdoor!
xystabout 1 hour ago
Multi billion dollar company, by the way.
dmitrygrabout 2 hours ago
I think we can all agree that MiTM is a valid attack vector and this should have paid out the bounty. AMD won't do it, but perhaps we can crowdsource it - the dude deserves it. Join me in doing this: https://ko-fi.com/mrbruhh (identical link to the one in the write up, feel free to verify).

I started it with $100 - https://ko-fi.com/transactions/03df753c-09b0-4972-8e53-adf06...

rirzeabout 4 hours ago
Seems like white hat work is pretty fruitless nowadays. Disappointing.
inigyouabout 3 hours ago
They keep choosing to work whitehat instead of blackhat, which is all AMD ever wanted.
mrguyoramaabout 3 hours ago
AMD software is often utter trash.

I am a diehard fanboy of their GPUs, and have been since they were still ATI but I had to finally purchase an nvidia GPU because of how bad AMDs software quality is.

My powerful 5700XT spent two years basically broken, because the default, driver provided fan curve locked the fan at 27%. For two years, I couldn't figure out why my GPU constantly crashed, because it was overheating, because the default fan curve prevented the GPU from keeping itself cool and it would eventually just give up.

That diagnoses was complicated by the fact that AMD GPUs just resetting is very common. There's a watchdog timer in Windows that resets parts of the GPU stack because Microsoft is traumatized by 60% of Windows Vista BSODs being caused by bad nvidia drivers. Apparently sometimes if you increase this watchdog timer, the GPU eventually finishes whatever was giving it trouble.

But I still love AMD, and the ryzen line is a great value in the mid range. So I bought another AMD CPU and am very happy with it. But it somehow included software and this specific auto updater utility. Which I don't need, since I don't want to update the drivers for a GPU that I shouldn't be using (maybe except some video encoding lift, but my GPU can do that too). But I could not figure out a way to kill or prevent this stupid little autoupdater utility which always steals focus, for no reason at all. It shouldn't even be popping up a CLI! Windows task scheduling is incredible and would do this without a problem, and give you all the infrastructure to notice this was happening!

LooseMarmosetabout 2 hours ago
Drivers got better after ATI merged/got bought by AMD, but ATI has a loooooong legacy of terrible drivers in Windows.

The funny thing is, in Linux, the drivers are pretty great as far as I can tell. It's not like there aren't bugs, probably, but mostly everything "just works". You can't depend on FSR in Linux, for example - Doom Eternal just goes blank if you turn it on. I can live without it, though, and everything else seems fine, including performance.

Nvidia linux drivers make me quite upset - they're fine once you finally get them working, but you approach Nvidia driver updates with extreme caution in Linux