Comment by tlb

4 days ago

It's ridiculous to consider MITM attacks out of scope for taking over your computer. Also, there are probably ways to exploit this without a true MITM like DNS cache poisoning. But it's best to just assume the whole internet is MITMed.

It's not out of scope "for taking over your computer". It's out of scope for the specific goals of the bug bounty program. Bug bounties are (usually) about prioritizing internal engineering effort; they are to vulnerability remediation what market feedback is to feature/function decisions in the rest of the product.

Everyone's judging this by the standard of "how good a bug" this is. But that's not necessarily how a bug bounty should function. Important prior to frame this with: neither any individual bug bounty submission nor the sum of all valid submissions materially alters the security of a serious product, at least not on their own. The system they feed into (for instance: security engineers taking a validated bounty submission and then quickly auditing the entire tree for variants of the same bug) can move the dials. The bounty bugs themselves though are mostly a sideshow.

What's especially weird (you didn't say this, but the sentiment has popped up on all 3 threads about this story) is the idea that AMD would be trying to cover this up. Why would they care? They run a bug bounty program. They've accepted the premise that they have vulnerabilities.

(From earlier today, in add'n: https://news.ycombinator.com/item?id=48492908).

  • But it should be their job to protect against MitM in their threat model. There is no rational reason to exclude them from the bug bounty. Doing so only leaves MitM attacks like this undisclosed.

    • I just gave a rational reason to exclude them from the bug bounty, which I can summarize as "the bug bounty is not their entire security program and does not have the goal you've axiomatically derived for it".

      Cards on the table, I am not a fan of bug bounty programs, and the fact that they're an engineering process that turns out to be impossible to have public engineering discussions about is definitely one of many reasons why. Most companies should not run bug bounty programs.


MITM where the attacker needs to install their own CA certs on the victim's device -- sure, out of scope.

MITM because you used http instead of https and you don't have any other verified cryptographic signature on your data -- get tae fuck, fix it pronto.

  • I'd even count this as "having local access to the device", as that is what is needed to install such a cert.

    • I think it's fair to say that requiring local administrative access to the device is out of scope, since you have already completely pwned the device in that case, which is what you need to install a CA cert on any OS.


    • The list of preinstalled CAs is long. I think it's a safe bet that many nation-states have covert control over at least one CA on that list. (Or they have one of the root signing certs). HTTPS is way better than HTTP. But I'd personally rather if these random organisations didn't have RCE on my computers.

      I've never heard of most of them. AAA Certificate Services? AC RAIZ FNMT-RCM? ACCVRAIZ1? Actalis? AffirmTrust? Even Godaddy is in there. I know I don't trust those guys.

      Trust has gotta start somewhere. But it's much better to TOFU, then pin signing keys in the updater.
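What "TOFU, then pin signing keys in the updater" looks like in code, as an added example that is not part of the thread or of any vendor's updater: the first run records the vendor's Ed25519 key, every later run requires that same key and a valid signature over the payload, so an on-path attacker rewriting plain-HTTP bytes gets rejected. The `Update` struct and `Publish` helper are constructed for the example; the key and signature scheme (Ed25519) is an assumption, not something the thread specifies.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Update is a constructed stand-in for what an updater fetches over plain HTTP.
type Update struct{ Payload, ServerKey, Sig []byte }
// Pin is the updater's trusted signing key: nil until first use, then recorded.
type Pin struct{ Key ed25519.PublicKey }

var ErrBadKey = errors.New("server key is malformed")
var ErrKeyMismatch = errors.New("server key does not match pinned key")
var ErrBadSig = errors.New("signature does not verify")

// Verify pins the key on first use (TOFU), then rejects updates whose key differs
// or whose payload was altered in transit: a MITM can rewrite bytes, not forge sigs.
func (p *Pin) Verify(u Update) error {
	if len(u.ServerKey) != ed25519.PublicKeySize {
		return ErrBadKey
	}
	if p.Key == nil {
		p.Key = append(ed25519.PublicKey(nil), u.ServerKey...)
	} else if !bytes.Equal(p.Key, u.ServerKey) {
		return ErrKeyMismatch
	}
	if !ed25519.Verify(p.Key, u.Payload, u.Sig) {
		return ErrBadSig
	}
	return nil
}

// Publish is the vendor side (constructed): sign the release with the offline key.
func Publish(pub ed25519.PublicKey, priv ed25519.PrivateKey, payload []byte) Update {
	return Update{Payload: payload, ServerKey: pub, Sig: ed25519.Sign(priv, payload)}
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	apub, apriv, _ := ed25519.GenerateKey(rand.Reader) // attacker's own key
	var pin Pin
	fmt.Println("first run:", pin.Verify(Publish(pub, priv, []byte("v1.0"))))
	tampered := Publish(pub, priv, []byte("v1.1"))
	tampered.Payload = []byte("swapped") // bytes altered in transit
	fmt.Println("tampered:", pin.Verify(tampered), "| other key:", pin.Verify(Publish(apub, apriv, []byte("x"))))
}
```

The weak point TOFU leaves open is the very first fetch, which is why the pinned key is usually shipped inside the installer rather than learned over the network.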

Why would anyone ever exclude true mitm?

Various domain registrars have been compromised over and over again (often by children!), resulting in companies like Tesla and Cloudflare getting owned.

The reality is that any vaguely competent attacker can compromise a court clerk and just compel e.g. the .com registry to hand over whatever domain they want.

Although I suppose the aforementioned problem has significant implications beyond dns…

  • > Why would anyone ever exclude true mitm?

    Same reason security programs exclude social engineering, even though that's a pretty common way for companies to get pwned.

    • Excluding SE is to make sure people do not spam customer support and launch annoying phishing campaigns. None of that is applicable for local software running on your own computer.


    • Sure, but this is more akin to dismissing a 1click RCE as “social engineering” because an employee has to be convinced to click a link.

Out of scope does not necessarily mean out of impact. It is merely a question of how far a company wants to be responsible for the environment their software is run in. Most of the time that answer is "not much."