TechPulseTechPulse
Back to News
Advertisement
Advertisement

⚡ Community Insights

Discussion Sentiment

0% Positive

Analyzed from 397 words in the discussion.

Trending Topics

#https#amd#bug#those#news#com#bounty#idea#lie#vulnerability

Discussion (18 Comments)Read Original on HackerNews

tptacekabout 3 hours ago
AMD didn't deny it was a vulnerability; they denied it was in the scope of the bounty program.

Remember that at giant tech companies, the incentive is to pay out bounties --- there are people on the vendor's team whose performance is measured in part by how much the program pays out.

odyssey7about 3 hours ago
What hair is this splitting? The issue was that AMD allowed a known and serious security vulnerability to exist within their customers’ systems, for months, and acted with a lack of candor while doing so.
tptacekabout 3 hours ago
It's not hair-splitting; it's central to the idea of a bug bounty. Too many people have weird ideas about what bug bounties are for.
Hizonnerabout 2 hours ago
Yeah, like the weird idea that those programs are intended to in some way reduce the number of exploitable bugs actually out there.
sakkuraabout 2 hours ago
They wanted to keep it quiet. As if they did not mind if it was exploited by those with access to international network links.
Benderabout 3 hours ago
The discussion the video references [1]

[1] - https://news.ycombinator.com/item?id=46906947

scwabout 2 hours ago
The original post [1] now includes an update:

  UPDATE! Within a day of this blowing up on Hacker News, AMD reached back 
  out to me and said they would be looking into the matter after all.
[1] https://mrbruh.com/amd2/
bri3dabout 2 hours ago
Actual write-up rather than overwrought YouTube drama: https://mrbruh.com/amd2/

A non-default-installation set of AMD tools (Ryzen Master and probably others) had an auto-updater which used HTTP instead of HTTPS. It's clear this is a feature they'd basically forgotten about; it even pointed to an ATI domain. A third-party bug bounty company rejected it because MITM was out of scope. AMD are incompetent at making software (news at 11), kept asking for extensions, and took an incredible amount of time to deal with it. Eventually they removed this updater entirely and replaced it with one in the app (rather than the installer) that uses HTTPS + a CRC32 (for some reason). The initial vuln was very stupid and should have been fixed faster. As for the current system, if you're mad about HTTPS-protected auto-updaters (which is valid), you've probably got a lot of them to go to war against.

ChrisArchitect35 minutes ago
Some more discussion today via dev's submission:

https://news.ycombinator.com/item?id=48492215

thesuitonymabout 2 hours ago
Gaslighting does not mean lying.
happytoexplainabout 1 hour ago
Yeah, it's annoying. But it's been captured by popular culture as meaning a blatant lie - one where the liar knows the truth is or was available/obvious. A "don't piss on my leg and tell me it's raining" lie.

Or, alternatively, and especially in gender relations, any lie intended to manipulate or demean another person. As opposed to lying to protect yourself, to swindle somebody, or some other reason. This is closer to the original idea, but still not there.

sakkuraabout 2 hours ago
Such a bug could have been exploited by certain big state actors.

Those that have access to international network links.

Those that have the ability to generate new firmware that simply passes the CRC32 checksum.

tptacekabout 1 hour ago
A bug in a nonfunctional autoupdater. Big state actors. Got it.