Wednesday, March 14th 2018
CTS Labs Sent AMD and Other Companies a Research Package with Proof-of-Concept Code
CTS Labs, the Israel-based IT security research company behind Tuesday's explosive AMD Ryzen security vulnerabilities report, responded to questions posed by TechPowerUp. One of the biggest of these, which is also on the minds of skeptics, is the ominous lack of proof-of-concept code or binaries being part of their initial public report (in contrast to the Meltdown/Spectre reports that went into technical details about the exploit). CTS Labs stated to TechPowerUp that it has sent AMD, along with other big tech companies a "complete research package," which includes "full technical write-ups about the vulnerabilities," "functional proof-of-concept exploit code," and "instructions on how to reproduce each vulnerability." It stated that besides AMD, the research package was sent to Microsoft, HP, Dell, Symantec, FireEye, and Cisco Systems, to help them develop patches and mitigation.
An unwritten yet generally accepted practice in the IT security industry upon discovery of such vulnerabilities, is for researchers to give companies in question at least 90 days to design a software patch, harden infrastructure, or implement other mitigation. 90 days is in stark contrast to the 24 hours AMD got from CTS Labs. CTS Labs confirmed to TechPowerUp that it indeed shared its research package with AMD (and the other companies) just 24 hours prior to making its report public, but urged those disgruntled with this decision to look at the situation objectively. "If you look at the situation in the following way: right now the public knows about the vulnerabilities and their implications, AMD is fully informed and developing patches, and major security companies are also informed and working on mitigation."
This is in contrast to the unintentional consequence of keeping Meltdown/Spectre away from the public domain for over half a year, allowing Intel's senior executives to dump company stock, and for big cloud computing providers to harden their infrastructure, giving themselves a competitive advantage over smaller providers. But unlike with Meltdown/Spectre, these vulnerabilities aren't industry-wide (i.e. they don't affect Intel), placing AMD at a disadvantage in both the stock markets, and in the retail markets.
CTS Labs, through the sequence of its actions, has attempted to shift the burden of proof from itself to AMD, which is extremely uncommon in the IT security industry. With the lack of proof-of-concept of these vulnerabilities in the public domain, an environment of fear, uncertainty, and doubt (FUD) is being developed, with AMD being occupied with testing its chips for these vulnerabilities, and still far away from releasing patches, if the vulnerabilities are real. This places anyone with a shorting position against AMD stock at a distinct advantage. The strategy of AMD investor relations and corporate communications should now be to allay many of those fears among people without access to the proof-of-concept, and to ask investors to refrain from giving in to FUD.
An unwritten yet generally accepted practice in the IT security industry upon discovery of such vulnerabilities, is for researchers to give companies in question at least 90 days to design a software patch, harden infrastructure, or implement other mitigation. 90 days is in stark contrast to the 24 hours AMD got from CTS Labs. CTS Labs confirmed to TechPowerUp that it indeed shared its research package with AMD (and the other companies) just 24 hours prior to making its report public, but urged those disgruntled with this decision to look at the situation objectively. "If you look at the situation in the following way: right now the public knows about the vulnerabilities and their implications, AMD is fully informed and developing patches, and major security companies are also informed and working on mitigation."
CTS Labs, through the sequence of its actions, has attempted to shift the burden of proof from itself to AMD, which is extremely uncommon in the IT security industry. With the lack of proof-of-concept of these vulnerabilities in the public domain, an environment of fear, uncertainty, and doubt (FUD) is being developed, with AMD being occupied with testing its chips for these vulnerabilities, and still far away from releasing patches, if the vulnerabilities are real. This places anyone with a shorting position against AMD stock at a distinct advantage. The strategy of AMD investor relations and corporate communications should now be to allay many of those fears among people without access to the proof-of-concept, and to ask investors to refrain from giving in to FUD.
93 Comments on CTS Labs Sent AMD and Other Companies a Research Package with Proof-of-Concept Code
ir.amd.com/news-releases/news-release-details/view-our-corner-street-0
normally you get 80 days time to react to such statements.
in the case of spectre4+meltdown it was 180 days.
linus has something to say:
plus.google.com/+LinusTorvalds/posts/PeFp4zYWY46
viceroyresearch.org/2018/03/13/amd-the-obituary/
And that's assuming such tricks were needed. Malware that rely on admin/root privs can be less of a worry for enterprise machines maintained by an IT dept who know their job, but your average joe and jane would click the yes on the UAC prompt before the background finishes dimming.
UAC itself wasn't particularly that resilient, if I remembered correctly.
Looking at the broader picture "objectively": NVIDIA and AMD don't have a presence in Israel, Intel has a significant presence in Israel.
www.gamersnexus.net/industry/3260-assassination-attempt-on-amd-by-viceroy-research-cts-labs
Are these really vulnerabilities ? If I have admin credentials I can flash the bios of my video card. Does that make my video card vulnerable?
...and also to this bloke a week prior : twitter.com/dguido
"I initially responded to their request out of curiosity -- "Hey, do you want to see our new processor bugs before we release them?" "hell yes I do" -- but after their asks continued to grow billed them our week rate for the work."
:laugh:
and there careers are officially over
*assuming AMD doesn't sue them into the ground first
and honestly my opinion is if these clowns can find it then its probably already been in the wild for awhile
these guys are security researchers like 12 year olds, on a gokart at the daytona 500 pretending are racecar drivers
I think ANY CPU is vulnerbale to a host of problems once admin right is exploited and those exploits precede the CTS-Lab claims.
...curious why that tidbit made another news post personally.I think a fundamental lack of knowledge is the biggest issue with tech sites, and especially members (me included). I mean I see people here and everywhere who can't troubleshoot their way out of a wet paper bag suddenly has all the answers here??? LULZ.
Also, delivery of the message on several tech sites was abhorrent. Many sites would rather get clicks than to take a bit of time and investigate. I don't think anyone was paid to do so. But it is a bit telling that the amdflaws website has listed several tech sites and each and every one, was direct about the issue being real not once questioning the validity of it. In the other shitstorm thread, I linked a more sourced and measured take in hopes to bring reason to the insanity that set in.There is something, scratch that, A LOT to be said for journalistic integrity...
1st Bean Counter " Hey I Have an Idea on Making some Money"
Rest of Team " tell us then"
1st Bean Counter " We Get our People in an Associated security Company to Release a Story about a bunch of AMD CPU Vulnerability's and watch their Stock Price Drop like a stone when its low we buy and then sell when it recovers as we know it will.
Rest of team shout "Great plan lets do it "
then a lone Voice Squeeks from the Back of the room
"Is that not Insider Trading ???"
"Definitely Not says" 1st Bean Counter
"Its Not our Stock and so its not Insider trading" >>>>>:):):)