this post was submitted on 12 Aug 2024
508 points (95.7% liked)


Here we are - the 3600, which was still under manufacture 2-3 years ago, is not getting patched. Shame on you AMD, if it is true.

[–] nlgranger@lemmy.world 12 points 2 months ago (2 children)

Consumer usage is not really concerned by the attack scenario of this vulnerability from what I understand. The prerequisite is to have access to the BIOS, so it's already game over at this point.

[–] PM_Your_Nudes_Please@lemmy.world 6 points 2 months ago

Sure, but that feels a little bit like saying “We don’t need guards inside the prison, because we already have them patrolling around the perimeter.”

[–] WhyJiffie@sh.itjust.works 3 points 2 months ago (2 children)

Chip makers should not only treat customer CPUs as possibly-business hardware when adding shit like (Intel) ME, Pluton and (AMD) PSP, but also when patching serious vulnerabilities and providing support!

[–] hangonasecond@lemmy.world 3 points 2 months ago (1 children)

When you pay for enterprise equipment, you are typically paying a premium for longer, more robust support. Consumer products are less expensive because they don't get this support.

[–] WhyJiffie@sh.itjust.works 0 points 2 months ago

But they are already pretending for whatever reason that these are suitable for enterprises, by always including the aforementioned remote control components!

[–] nlgranger@lemmy.world 1 points 2 months ago (1 children)

Agreed, firmware security by chip manufacturers has been underwhelming to say the least and we can blame them for that. But in this specific instance I still don't see the benefit of a fix for consumer usage. Companies have a responsibility and accountability toward their users, so a fix is due; for personal laptops/PCs the threat is toward the owners themselves (activists, diplomats, journalists, etc.). The latter do not buy second-hand equipment, and if the firmware is compromised while they own it, they are already in danger.

[–] WhyJiffie@sh.itjust.works 1 points 2 months ago* (last edited 2 months ago) (1 children)

> The latter do not buy second hand equipment

You are assuming activists are well funded in some way, and that they are not repressed.

This obviously has a benefit for consumer usage too, same as encryption. You're basically saying consumers don't need any kind of antivirus either, because it's not that critical.
This vuln should have been fixed for consumer hardware too, because it basically permanently taints all hardware that is vulnerable to it. And what makes it so hard to release patches for consumer hardware, when patches were already made for the same generations of enterprise hardware? Basically the majority of the work has been done already.

[–] nlgranger@lemmy.world 1 points 2 months ago

I'm not saying this is a small issue and nothing should be done. I just noted that the issue is not as big as some other hardware-based vulnerabilities we encountered in the past. And every threat model calls for a corresponding counter-measure.

> You are assuming activists are well funded in some way, and that they are not repressed.

I'm assuming they are repressed, which is why they have people that buy and configure their equipment and hand it to them so that it hasn't been tampered with. If you cannot afford that, you should use your computer as if it was compromised.

> You’re basically saying consumers don’t need any kind of antivirus either

Where did I write that?

> And what makes it so hard to release patches for consumer hardware.

AMD focusing on where its money's at and OEM/motherboard manufacturers being cheap and lazy and not pushing forward updates when they have them.