I did think at one point that AMD might have a hand in this… (the leak I mean) simply as it's an Nvidia playbook move (and AMD are learning from Nvidia)
e.g. do something that is harmful to everyone, but harms you the least, e.g. tessellation nonsense
Leaving it until the 9th so that Intel could control the message (the medium is the message) would have not been in AMD’s best interests.
When AMD learned that researchers had discovered a new CPU attack targeting the speculative execution functionality used by multiple chip companies’ products, we immediately engaged across the ecosystem to address the teams’ findings.
As the security landscape continues to evolve, a collaborative effort of information sharing in the industry represents the strongest defense.
Total protection from all possible attacks remains an elusive goal and this latest example shows how effective industry collaboration can be.
TLDR: AMD didn’t finish their report in time and posted a short form blurb instead while deferring to details already published by others. It’s kind of a lazy thing to do. But I don’t run AMD.
It’s true that AMD didn’t actually reveal the details of the flaw before the embargo was up, but one of the company’s developers came very close. Just after Christmas, an AMD developer contributed a Linux patch that excluded AMD chips from the Meltdown mitigation. In the note with that patch, the developer wrote, “The AMD microarchitecture does not allow memory references, including speculative references, that access higher privileged data when running in a lesser privileged mode when that access would result in a page fault.”
It was this specific information—that the flaw involved speculative attempts to access kernel data from user programs—that arguably led to researchers figuring out what the problem was. The message narrowed the search considerably, outlining the precise conditions required to trigger the flaw.
For a company operating under an embargo, with many different players attempting to synchronize and coordinate their updates, patches, whitepapers, and other information, this was a deeply unhelpful act. While there are certainly those in the security community that oppose this kind of information embargo and prefer to reveal any and all information at the earliest opportunity, given the rest of the industry’s approach to these flaws, AMD’s action seems, at the least, reckless.
So… they should have tried to commit to the git repo WITHOUT leaving developer comments on what the code is actually there for?
Yeah, like that would have gone down well and not caused equal suspicion.
Ironically he is blaming ‘pesky open source and good developer practice’, at least that is how it feels.
Man if they had access to some of the pre-disclosure mailing lists…
But seriously is nobody going to call me out for unassumingly leading everyone around by the nose, feeding you info in nibbles since the start of this thread?
I would think that would be more appropriate for the Intel Management Engine. While these vulnerabilities could certainly be used for spying, I’ve seen no evidence so far that this was intentional, nor anywhere near as convenient for such use as IME.
Spectre will basically affect anything under the sun with speculative execution / branch prediction.
Meltdown - Intel & ARM. AMD unknown but strongly believed by AMD not to be affected. (Internal testing)