AMD told MrBruh that all update communications now use HTTPS and that updates undergo signature verification. The researcher says he verified the HTTPS claim, but found only a CRC32 check on the downloaded executable, which is not considered a cryptographic signature.
This is the most shocking part. You’d think that AMD as a high-tech company has some smart people working for them. These are very basic things that any half-decent programmer should get right. If at no part of the process of implementing this anyone brought up that this is not secure, that is extremely worrying and indicative of a very broken development process. It’s not like a proper cryptographic signature costs extra. This is just pure incompetence.
Not surprising at all. I work in IT and security is by and large reactionary and based on scans that are often rudimentary. As far as training devs on good security practices there’s next to nothing. You learn from getting your hand slapped or you don’t learn at all.
Well the next time someone finds a bug in their software they will have to find other ways to monetize it.
AMD has always sucked at making software. The reason why NVidia gained the AI market is because NVidia worked to write and support all the CUDA libraries. AMD devs are so bad they even struggle to just replicate the APIs NVidia already designed years earlier (ROCm/HIP projects). Even Intel who arrived much later almost managed to catch up with their own HW/SW stack (I think they gave up afterward).
The very smart people working on their architecture and chip design are very much not the same people who are working on their desktop software.
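The difference the quoted report turns on, a CRC32 check versus signature verification of a downloaded update, shown as an added example that is not code from AMD, the researcher, or anyone in this thread. The `Manifest` type, the function names, the payload strings and the all-zero demo key seed are assumptions constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
	"hash/crc32"
)

// Manifest is a hypothetical update descriptor shipped next to the installer.
type Manifest struct {
	CRC32     uint32 // unkeyed checksum: anyone can recompute it for any bytes
	Signature []byte // Ed25519 signature over the payload, made with the vendor key
}

// CheckCRC mirrors a checksum-only updater: it detects accidental corruption.
func CheckCRC(payload []byte, m Manifest) bool {
	return crc32.ChecksumIEEE(payload) == m.CRC32
}

// CheckSignature accepts the payload only if the pinned vendor key signed it.
func CheckSignature(pinned ed25519.PublicKey, payload []byte, m Manifest) bool {
	return len(pinned) == ed25519.PublicKeySize &&
		ed25519.Verify(pinned, payload, m.Signature)
}

// Demo returns the verdicts for a genuine and a replaced payload.
func Demo() (crcGenuine, sigGenuine, crcReplaced, sigReplaced bool) {
	// Constructed demo key from an all-zero seed; a real key is generated randomly.
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
	pub := priv.Public().(ed25519.PublicKey)

	genuine := []byte("constructed genuine installer bytes")
	good := Manifest{CRC32: crc32.ChecksumIEEE(genuine), Signature: ed25519.Sign(priv, genuine)}

	// A replaced payload arrives with a manifest whose checksum was recomputed.
	// No valid signature can be made without the private key; the old one is reused.
	replaced := []byte("constructed replaced installer bytes")
	bad := Manifest{CRC32: crc32.ChecksumIEEE(replaced), Signature: good.Signature}

	return CheckCRC(genuine, good), CheckSignature(pub, genuine, good),
		CheckCRC(replaced, bad), CheckSignature(pub, replaced, bad)
}

func main() {
	a, b, c, d := Demo()
	fmt.Printf("genuine:  crc=%v sig=%v\nreplaced: crc=%v sig=%v\n", a, b, c, d)
}
```

The checksum passes for both payloads because it carries no secret; only the check against a public key pinned in the updater tells them apart.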