this post was submitted on 14 Jun 2026
642 points (98.9% liked)

Technology
[–] tunetardis@piefed.ca 49 points 16 hours ago (2 children)

Researcher commenting on the patch:

he remarks that the software only checks the validity of the downloaded file using the ancient CRC32 hash that isn't considered cryptographically secure anymore

I have to respect the researcher for his incredibly charitable wording here. CRC32 is not even remotely crypto. That's never been its purpose, and using it for digital signing is patently insane!

I fear I would have had a much shorter temper after what he's been through, and yet here he is keeping his cool and his criticism constructive. Good on him.

[–] teohhanhui@lemmy.world 5 points 7 hours ago* (last edited 7 hours ago)

Although it is true that they now fully use HTTPS, the claim about signature verification is untrue; they only perform a CRC-32 check on the downloaded executable, which is not cryptographically secure.

This is the wording from the blog post. Tom's Hardware just rephrased it very poorly. (see e.g. https://www.reddit.com/r/hardware/comments/1ixgas1/articles_from_tomshardwarecom_should_be_banned/)

[–] Giooschi@lemmy.world -3 points 11 hours ago (4 children)

Do you really need signing if you're using HTTPS though?

[–] lemmyvore@feddit.nl 8 points 9 hours ago

HTTPS is privacy in transit. It has no say in what's being downloaded.

[–] DevDave@piefed.social 4 points 9 hours ago

A drug dealer with a heavily armed escort delivers a package of white powder. New problem: is it cocaine, cleaning detergent, anthrax, or some mixture of the former?

[–] Buddahriffic@lemmy.world 1 points 6 hours ago

My version of questioning this is if the same source is providing both the file and the hash, does it matter how hard it is to fake the hash? It could just generate a new hash for the fake file, couldn't it?
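As an added illustration of lemmyvore's and Buddahriffic's points (example code, not from the thread or from the software being discussed): a Go sketch in which the download server can recompute a CRC32 for whatever file it serves, while a signature checked against a public key pinned in the client cannot be regenerated without the vendor's private key. The Update type, the Publish/Tamper/Verify functions and the sample payloads are all constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"hash/crc32"
)

// Update is what the download endpoint returns: the payload plus whatever
// integrity metadata the server publishes beside it (constructed type).
type Update struct {
	Payload   []byte
	CRC       uint32
	Signature []byte
}

// Publish models the vendor's release step: the CRC is public data, the
// signature needs a private key that the download server never holds.
func Publish(priv ed25519.PrivateKey, payload []byte) Update {
	return Update{
		Payload:   payload,
		CRC:       crc32.ChecksumIEEE(payload),
		Signature: ed25519.Sign(priv, payload),
	}
}

// Tamper models a server that serves a different file. Recomputing the CRC
// is free since CRC32 needs no secret; the signature cannot be regenerated.
func Tamper(u Update, replacement []byte) Update {
	return Update{Payload: replacement, CRC: crc32.ChecksumIEEE(replacement), Signature: u.Signature}
}

// VerifyCRCOnly is the check the thread criticises: it only proves the
// payload matches the CRC that arrived with it over the same channel.
func VerifyCRCOnly(u Update) bool { return crc32.ChecksumIEEE(u.Payload) == u.CRC }

// VerifySigned checks the payload against a public key pinned in the client,
// so HTTPS to a server that itself serves the wrong file does not help.
func VerifySigned(pinned ed25519.PublicKey, u Update) bool {
	return len(u.Signature) == ed25519.SignatureSize && ed25519.Verify(pinned, u.Payload, u.Signature)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // pinned in the client at build time
	genuine := Publish(priv, []byte("example update v1.0"))
	forged := Tamper(genuine, []byte("example update v1.0, altered"))
	fmt.Println("genuine: crc", VerifyCRCOnly(genuine), "sig", VerifySigned(pub, genuine))
	fmt.Println("forged:  crc", VerifyCRCOnly(forged), "sig", VerifySigned(pub, forged))
}
```

The altered file passes the CRC-only check and fails the signature check, which is the gap the researcher is pointing at.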

[–] tunetardis@piefed.ca 1 points 9 hours ago

I suppose if the only way to obtain the patch were through an automated download from the AMD website, the authentication through the site certificate would be better than nothing. But this is a security patch, and I think the researcher is right in pointing out that the bar needs to be higher?