Here we are: the 3600, which was still being manufactured 2-3 years ago, is not getting patched. Shame on you, AMD, if it is true.

170 points

That’s so stupid, also because they have fixes for Zen and Zen 2 based Epyc CPUs available.

Intel vs. AMD isn’t “bad guys” vs. “good guys”. Either company will take every opportunity to screw their customers over. Sure, “don’t buy Intel” holds true for 13th and 14th gen Core CPUs specifically, but other than that it’s more of a pick your poison.

61 points

Tangent: if we started buying RISC-V systems, we might get to a point where they can actually compete.

46 points

That’s still far away from a consumer standpoint, but I’m eagerly waiting for a time when I can buy a RISC-V laptop with at least midrange computing capabilities.

7 points

I’m more on the builder/tinkerer side, so I’m pretty much in the starting position with RISC-V now. But yes, it’s going to be some time before any of it is user-ready as a PC.

15 points

I’m not buying hardware that doesn’t suit my needs as an investment hoping maybe it eventually will.

3 points

This is one of the hardest earned lessons I’ve ever learned, and I’ve had to learn it over and over again. I think it’s mostly stuck now but I still make the same mistake from time to time.

1 point

Yeah, that’s the reason why we’re in this capitalist hellhole. Perfection comes from billionaire money, nothing else.

13 points

Jeff Geerling had a video recently about the state of RISC-V for desktop: https://youtu.be/YxtFctEsHy0?si=SUQBiepSeOne8-2u

7 points

I really enjoyed watching it. Thanks for referring to it.

6 points

I’m waiting to see how DeepComputing’s RISC-V mainboard for the Framework turns out. I’m aware that this is very much a development platform and far from an actual end-user product, but if the price is right, I might jump in to experiment.

3 points

Sounds like a cool idea! :)

6 points

At the rate we are going, Qualcomm might pivot to RISC-V (they are being sued by ARM).

2 points

Interesting! Thanks for chiming in. I’ll read up about it.

1 point

“Both sides”

“Vote third party!”

Wtf, seriously, this isn’t remotely the same thing, but the arguments used are.

2 points

C’mon, man.

-39 points

How is AMD “screwing us over”? Surely they aren’t doing this on purpose? That seems very cynical.

67 points

They are 100% not patching old chips intentionally by not allocating resources to it. It’s a conscious choice made by the company, it is very much “on purpose”.

-12 points

That’s not what I was referring to. I was referring to the act of “adding vulnerabilities”. Surely they aren’t doing that on purpose. And surely they would add fixes for it if it was economically viable? It’s a matter of goodwill and reputation, right?

I don’t know, I just don’t think it’s AMD’s business model to “screw over” their customers. I just don’t.

106 points

Really not good enough from AMD. I wonder if Intel wasn’t a complete dumpster fire right now if they would still cut off the fix at Zen 3 (I doubt it). There’s really no reason not to issue a fix for these other than they don’t want to pay the engineers for the time to do it, and they think it won’t cost them any reputational damage.

I hate that every product and company sucks so hard these days.

5 points

They did issue a fix: “Buy a new CPU please!”

That’s why they don’t mind the reputation hit. If 1 person swears allegiance to Intel as a result but 2 people buy new AMD chips, they’re still ahead. And people will forget eventually. But AMD won’t forget the Q3 2024 sales figures.

2 points

Well, guess who’s not buying next gen Ryzen?

They are doing similar stuff by deliberately delaying Linux driver capabilities for the Radeon 7xxx series, to make more GPUs die faster by overheating (zero-RPM fan until 60°+).

2 points
Deleted by creator
79 points

Attackers need to access the system kernel to exploit the Sinkclose vulnerability, so the system would have to already be compromised. The hack itself is a sophisticated vector that is usually only used by state-sponsored hackers, so most casual users should take that into account.

So it’s a vulnerability that requires you to already have been compromised. Hardly seems like news.

I can understand AMD only patching server chips that by definition will be under greater threat. On the other hand it’s probably not worth the bad publicity not to fix more.

28 points

The reason that this is news is because it allows malware to embed itself into the processor microcode once the kernel is breached. I.e., if it is exploited for compromise, you either have to have the knowledge and hardware to reset the processor microcode manually (requires an SPI flash tool) or you toss the hardware entirely. There’s no “just blow the drive away and reinstall the OS” solution available.

18 points

This sounds weird. I was under the impression that operating systems load updated CPU microcode at every boot, because it does not survive a power cycle, and because the one embedded in the BIOS/UEFI firmware is very often outdated. But then how exactly can a virus persist itself for practically forever?

4 points

The OS can’t get to the point of loading CPU microcode without that outdated, embedded microcode. The reason it can persist is because there aren’t a lot of good ways to see what that UEFI microcode actually is once it’s installed. Plus, only the UEFI tells you that it has successfully updated itself. There is no other, more authoritative system to verify that against. So the virus could just lie and say it’s gone and you would never know. Hence needing to treat it as the worst-case scenario, that it never leaves.

13 points

And that introduces a specific type of supply chain threat: someone who possesses a computer can infect their own computer, sell it or transfer it to the target, and then use the embedded microcode against the target, even if the target completely reformats and reinstalls a new OS from scratch.

That’s not going to affect most people, but for certain types of high value targets they now need to make sure that the hardware they buy hasn’t already been infected in the supply chain.

1 point

I don’t think it gets to the microcode, but the UEFI.

16 points

It’s important because it allows them to directly modify the CPU’s microcode. Basically, the CPU has its own set of instructions, called microcode, which controls how the chip functions on a physical level. If they manage to change your microcode, even a full system reformat won’t kill the virus; you’ll need to either re-flash the CPU (which is not something the standard user or even power user will know how to do) or replace the entire CPU.

13 points

That being said, it builds up vulnerabilities in anti-cheats into another beautiful CrowdStrike-like domino clusterfuck.

2 points

I personally agree. I think it’s being somewhat overhyped. If step one is physical access to get things rolling… like, for sure, some machines are in more public areas than others. But for me, someone would have to break into my house first, then access my machine, just to run exploits later. The exploit is pretty massive, but I think it needs to be tempered with “first they need physical access”. Because physically controlling machines has always been number 1 for security.

64 points

I feel like this is the perfect place for Right to Repair legislation: the product is broken? And it’s outside your support window? Then give customers what they need to make the fix themselves. It’s not good enough to say “meh, guess you gotta buy one of our newer chips then 🤷”

12 points

Especially since the Linux community are the types to go way overkill.

9 points

Yep, every Intel or AMD CPU vulnerability gets patched in the kernel before the official firmware patches.

55 points

The enterprise models are getting patched but the consumer ones aren’t. Shame on them.

12 points

Consumer usage is not really affected by the attack scenario of this vulnerability, from what I understand. The prerequisite is to have access to the BIOS, so it’s already game over at this point.

6 points

Sure, but that feels a little bit like saying “We don’t need guards inside the prison, because we already have them patrolling around the perimeter.”

3 points

Chip makers should not only treat consumer CPUs as possibly-business hardware when adding shit like (Intel) ME, Pluton and (AMD) PSP, but also when patching serious vulnerabilities and providing support!

3 points

When you pay for enterprise equipment, you are typically paying a premium for longer, more robust support. Consumer products are less expensive because they don’t get this support.

1 point

Agreed, firmware security by chip manufacturers has been underwhelming, to say the least, and we can blame them for that. But in this specific instance I still don’t see the benefit of a fix for consumer usage. Companies have a responsibility and accountability toward their users, so a fix is due; for personal laptops/PCs, the threat is toward the owners themselves (activists, diplomats, journalists, etc.). The latter do not buy second-hand equipment, and if the firmware is compromised while they own it, they are already in danger.

5 points

I like my eBay “business” class machines.

5 points

Any news on the “pro” line? They were installed on business PCs and had additional security features built in. For instance there is a 3600 pro model.

