
122 Comments


  • Kef71 - Thursday, March 15, 2018 - link

    WTF?
  • Samus - Thursday, March 15, 2018 - link

    When asked about who his client is, without even asking specifically, simply what industry they were in:

    "Guys I’m sorry we’re really going to need to jump off this call but feel free to follow up with any more questions."

    Wow.
  • ಬುಲ್ವಿಂಕಲ್ ಜೆ ಮೂಸ್ - Thursday, March 15, 2018 - link

    When asked about who his client is, without even asking specifically, simply what industry they were in:
    ----------------------------------
    Sorry, can't say whether the Client is Israeli Intelligence/Military

    Especially not while an Operation is in progress / or ever

    But they do need plausible deniability, so they act like newbs and spread the exploits far and wide to a select group without tracking info in case the operation is noticed

    They would never admit to beta testing Flame in the U.S. as far back as 2007 when I first found it either
  • Yojimbo - Friday, March 16, 2018 - link

    I think the obvious guess is that the customer is Viceroy, the people who shorted the stock. They probably identified AMD as a vulnerable stock and wanted to look for a way to push it over the edge. Andrew Left does it just by saying he's shorting a stock. But Viceroy wanted an actual story. However, they underestimated the fervor of AMD stock fans and the stock went nowhere. Pretty funny.
  • WinterCharm - Friday, March 16, 2018 - link

    I hope they all lost money over it :D
  • iter - Friday, March 16, 2018 - link

    Their agenda is obviously to make a good impression on intel and similar corporate scumbags to get on a fat payroll.

    I for one don't think intel is behind this, it is far too clumsy and silly even for them.

    For the time being, the smart thing would be to simply not give that BS any more publicity. Nobody argues that given administrative access you can do a lot of bad things - but I myself don't consider this to be a security flaw. A security flaw would not have to rely on administrative access to a machine, but would be a way to get administrative access to a machine. Like intel's IME blank hard-coded password for example.

    They took basic, common sense issues that any platform is vulnerable to, completely blew it out of proportion, made it as if it is an amd thing and as if it is critical, made up catchy names and flavors to round it up to an impressive and fatally sounding number - 13, and came out pretending to be concerned with the security and well being of mankind.

    None of the exploits is critical, as they all rely on an already otherwise compromised platform.

    All of the exploits in their operational principle are applicable to every modern CPU architecture out there.

    They claim to not know how the exploits can be fixed, but also claim they gave amd only 24 because they knew they wouldn't be able to fix the exploits any time soon. That doesn't add up. Knowing how long amd is going to take to fix it involves knowing how to fix it. They didn't give amd the necessary heads up because they don't care about the insecurity, all they care about is making it look as "worse than it is" as possible.

    Their little stunt is obviously aimed at monetary gains. It was obviously coordinated with an attempt to short amd stock which failed. If they were genuine concerned security experts, they wouldn't hire PR guys to make their statements and fake office videos. If their concern was genuine, they'd give amd at least a month, which will be more than enough to patch up most of that stuff, something they clearly didn't want to happen.

    Stop giving them publicity, stop giving them exposure, do the right thing - ignore that nonsense. Not doing so will only encourage more of it. If it looks like a duck, it quacks like a duck and swims like a duck, then it is most likely a duck, not a security expert.

    As for all the remaining security experts that "verified" their findings - they all got paid off, with the obvious implied agreement to only verify that those things can indeed work in practice, but without any mention of the fact it is not even 1% as severe as cts claims. Sorry folks, money comes first!
  • Dug - Friday, March 16, 2018 - link

    "I for one don't think intel is behind this, it is far too clumsy and silly even for them"

    That's what I thought too about their heat spreaders. I was proven wrong.
  • danjw - Sunday, March 18, 2018 - link

    "but I myself don't consider this to be a security flaw."

    Even the administrator shouldn't be able to access, directly, the secure memory or the secure processor. These are what people in computer security consider security issues. That said, they are not nearly as significant as CTS, and presumably their customer, wanted people to believe.
  • iter - Sunday, March 18, 2018 - link

    Sure, it enables some exploits, but again, your system has to be already compromised.

    What's more, if you want to jack a password or two, it will be much, much easier to install a keylogger and erase password history, forcing the user to re-enter it so it can be tapped, rather than digging through layers of hardware and software security.
  • Tewt - Friday, March 16, 2018 - link

    Yeah, wow! After being asked about clients and funding they got uncomfortable very quick.
  • mode_13h - Thursday, March 15, 2018 - link

    Their whole case of this announcement being in the public interest falls to pieces, when you consider they knew about these ASMedia vulnerabilities for quite some time, without telling anyone.

    "quite a few motherboards and other PCs are affected by these vulnerabilities as well. If you search online for motherboard drivers, such as the ASUS website, and download ASMedia drivers for your motherboard, then those motherboards are likely vulnerable to the same issues as you would find on the AMD chipset. We have verified this on at least six vendor motherboards, mostly the Taiwanese manufacturers. So yeah, those products are affected."
  • tamalero - Friday, March 16, 2018 - link

    Also, don't these ASMedia chips affect Intel too? Why focus exclusively in a laser way to AMD like they somehow were the one and only culprits?
  • andychow - Friday, March 16, 2018 - link

    ASMedia makes the southbridge for AMD, but not for Intel. So the ASMedia chips they are talking about only affect AMD.
  • SaturnusDK - Friday, March 16, 2018 - link

    Incorrect, the asm1042, asm1142 and asm1143 that are mentioned are used on almost all Intel motherboards.

    http://www.tomshardware.co.uk/answers/id-3122999/m...
  • StevoLincolnite - Friday, March 16, 2018 - link

    My Intel LGA2011 board from 7 years ago uses the ASM 1042 controller.
  • silverblue - Friday, March 16, 2018 - link

    I have found Skylake boards that use the ASM1142 controller, so this really isn't an AMD-only problem. Several Intel and AMD boards use the ASM2142 and ASM3142 controllers, so if they're not at fault, surely this reduces the effect on AMD? If they are indeed faulty, wouldn't that affect Intel as well?
  • Galcobar - Thursday, March 15, 2018 - link

    Would have also been appreciated if the falsified workspace images and videos using stock photography were addressed. Why did CTS-Labs attempt to deceive, why was time put into portraying a false image of the company instead of disclosure procedures, and how would a team of supposedly experienced individuals not think anyone would do an image search?

    The act itself is in some ways not important. The decision to engage in public deception, right off the bat, speaks to trustworthiness.
  • Ian Cutress - Thursday, March 15, 2018 - link

    So out of all the things to discuss, this is fairly minor. It comes off of hiring a PR firm and wanting to produce a sleek production, to which the argument should be more about the PR firm rather than the PR firm doing its job. This is despite the fact that such a production might be viewed negatively by some segments of the potential audience. In my mind, the green-screen video is such a minor part of a story (that people have got hung up upon) that has some stonkingly bigger elements.
  • mode_13h - Thursday, March 15, 2018 - link

    Why not ask why they delayed announcement of the ASMedia vulnerabilities, rather than announce them as they were discovered?
  • Ian Cutress - Thursday, March 15, 2018 - link

    They said the vulnerabilities have existed for six years. I made the assumption that they've been public for that long. I have not looked into it yet.
  • rocky12345 - Thursday, March 15, 2018 - link

    Those bugs have been in the ASMedia chip a lot longer than just six years. CTS has proved they cannot be trusted by both their own clients and the companies they are exposing or should I say attacking. I say this because of the way in their own papers they are going out of their way to attack AMD as the company itself and are less worried about the techy end of it, and that makes me wonder what their actual motives are. I am not sure but I do think they have to expose the client that is behind the request but I am sure they will force it until they are threatened with legal action because I am sure I know who it is and I am very sure they were paid a huge sum of money to try to slaughter AMD. This is even worse than that crap Nvidia is pulling with that GPP crap. I am not an AMD fanboy but I feel they are being targeted from all sides right now.
  • BoneHurtingJuice - Saturday, March 17, 2018 - link

    Do you have any reads about the ASMedia chip bugs? Tried finding everywhere but it always ends up pointing to the CTS 'whitepaper'.
  • Galcobar - Friday, March 16, 2018 - link

    You covered most everything else I'd have asked, which is to say I thought you guys the factually important points. My interest in the PR gaffe would be to elicit a reaction on something where they have been caught in a falsehood. Calling people on a lie, oddly enough, can produce some of the most honest answers.

    Speculation is used to make almost every accusation against CTS-Labs, and is required for all the motives attributed to them. Having them explain their motives for a confirmed deception might yield something unexpected.
  • Maddor - Friday, March 16, 2018 - link

    I don't question that the way this disclosure was handled raises many questions and is worth discussing, but I think you're making some wrong assumptions along the way:

    1. "The standard procedure for vulnerability disclosure is to have a CVE filing and a Mitre numbers" While this might be common practice it's most certainly not mandatory. There are many disclosed vulnerabilities that don't have CVE numbers or for which the CVE ID is still pending at the time of disclosure; including in cases where those flaws have already been patched. Mitre had big issues with the CVE backlog a couple of years ago with researchers waiting for months to get CVE IDs assigned and eventually even stopping trying to get them. That problem has been somewhat alleviated over the past year or so with Mitre deciding to give some large vendors the ability to issue CVE IDs directly, but it's far from resolved. Also, even when issued, CVE IDs remain with status RESERVED and no public information for months even though the vulnerabilities they correspond to have been publicly disclosed and documented. Third, the CVE system doesn't accept vulnerabilities for certain types of products and even misses many vulnerabilities in products that it does cover (read the recent comparative report from Risk Based Security).

    2. "The use of a PR firm which is non-standard practice for this (and the PR firm were not involved in any way in our call, which is also odd)" The involvement of a PR firm and journalists in the disclosure process is most certainly a very common practice. If a researcher working for a security company finds a major vulnerability, his company will use its PR firm to distribute the report in advance to journalists under "embargo," which is not a legally binding NDA, but a gentleman's agreement. The PR firm will also set up pre-briefings, create infographics, draft the press release and even the detailed report and everything else that a PR firm is supposed to do when it comes to handling public communications. I'm not sure why you think that is "non-standard practice." Maybe it's not common for vulnerabilities found through academic research or by independent researchers, but it's very common when a security firm finds vulnerabilities. Also, PR reps don't always sit on the call between journalists and their clients. Sometimes, they just facilitate the exchange of contact information and set up the call. It's the client's decision.
  • Carmen00 - Friday, March 16, 2018 - link

    You are correct in saying that CVE ID requests are not mandatory, and in fact, there is very little that is mandatory in the infosec community. There are few international laws that govern the disclosure or infosec research process, and there are pros and cons to that. However: this is separate from the fact that obtaining CVE IDs is considered to be standard practice and, when some disclosure is very significant, it is considered to be even more important to follow this practice. It is a red flag when an organization which claims to have so much infosec experience turns out to not know the basic processes of responsible disclosure!

    As for PR firms, no, I cannot think of many occasions where they have been involved in the disclosure process. It is not common practice in my experience, but if you will provide a list of cases where this has been done in similar circumstances, then I am willing to be convinced. In my experience, a company may use a PR firm to handle the backlash from annoyed customers, but this occurs after the disclosure process is complete. Larger security teams & companies will sometimes have their reports vetted and massaged by in-house PR, but this is not the same as hiring a PR firm to handle a disclosure. In this case, there is simply no reason for CTS Labs to hire a PR firm instead of handling enquiries themselves.
  • Maddor - Friday, March 16, 2018 - link

    BlueBorne is a relatively recent one that comes to mind, but there are many examples over the years. I don't want to drop names and point fingers, but I work in online publishing and I've personally seen many reports about vulnerabilities over the years that PR firms sent under embargo on behalf of their clients (the companies who found the flaws) before public disclosure. Let me be clear: I'm not talking about zero-days where the affected vendors had not been notified in advance, like in this case. I'm talking about coordinated disclosures, where the companies that found the flaws agreed on a public disclosure date with the affected vendors and then used PR firms to share the reports with journalists under embargo to ensure news stories get written and published on the agreed disclosure dates. It is common practice. In addition to a technical report or blog post, many companies also put out press releases on the day of disclosure. Who writes and vets those press releases? PR firms, unless they're doing PR in-house. Every press release that you find that says "Company X finds major vulnerability in Y" was likely pitched in advance to journalists under embargo. You can also determine when that happens by analyzing the timing of news articles. Sometimes when a big vulnerability is announced, you'll see major tech news outlets publish their stories at the same time, which is also the time when the company that found the bug runs its own blog post and press release. That's an indication that public disclosure was coordinated in advance with journalists, either through PR firms or directly. However, when flaws are published on a researcher's personal blog or by a team of academic researchers with no advance notice to journalists, you'll see that news articles flow in with various delays, depending on how fast reporters jump on it and write it up. But I digress.

    Bottom line is that PR firms are frequently involved in public vulnerability disclosure and it is very much similar to product releases where news reporters receive information about a product (or even the product itself for testing) in advance if they agree not to publish anything until the official release date. Those who break the embargo will be cut off from future announcements.
  • Kef71 - Thursday, March 15, 2018 - link

    I hope the nvidia GPP doesn't bite you in the a**.
  • Ryan Smith - Thursday, March 15, 2018 - link

    Que?

    https://twitter.com/RyanSmithAT/status/97428159925...
  • Kef71 - Thursday, March 15, 2018 - link

    Good luck.
  • Alexvrb - Friday, March 16, 2018 - link

    You ain't gonna get squat on the record. Your best bet is to get what you can OFF the record and just express your findings in vague general terms that won't get you in hot water.
  • Dr. Swag - Thursday, March 15, 2018 - link

    Thank you for actually taking the time to gather information before creating your own opinions and publishing this article, rather than immediately pushing something out.
  • mode_13h - Thursday, March 15, 2018 - link

    Agreed. This is some of the best reporting on the issue that I've seen thus far.
  • Samus - Thursday, March 15, 2018 - link

    A truly professional AnandTech piece right here. Anand would be proud at how you guys handled this.

    And CTS, on the other hand, almost went out of their way to look amateur on the call. It started out quite cordial and quickly escalated as you brought the heat...almost like they had a lawyer listening in telling them to bail toward the end.
  • ಬುಲ್ವಿಂಕಲ್ ಜೆ ಮೂಸ್ - Thursday, March 15, 2018 - link

    Well Samus, as a longtime security researcher who has seen these types of operations before, I suspect that "IF" these problems are real, Israel already has a live operation in progress

    This is why they must act like noobs and distribute the exploit info to select others without any hidden tracking numbers to identify who leaked this info when their operation is uncovered

    It's called plausible deniability

    They would never suggest that Israeli Intel has or is using these exploits, but would want any info on who can mitigate their exploits

    By failing to use unique hidden tracking info for each of the groups given the exploit information, they can say the exploits came from anywhere if an operation is uncovered

    Selective Kill switches have been on Intel branded motherboards for more than a decade now and I have yet to see any reliable researchers going near the topic or ridiculing anyone who does

    I've also found that several identical wi-fi adapters can be remotely killed (permanently and simultaneously) as far back as 2005 but probably much earlier

    They do not appear to be idiots or newbies

    Something else is going on and we can all agree on that one point
  • Alexvrb - Friday, March 16, 2018 - link

    Yeah Ian did a great job here. Especially with the mini-analysis at the end. People aren't saying that the vulnerabilities don't exist, but rather that:

    A) They're dirty and are overblowing these secondary attacks intentionally for financial reasons.
    B) They're acting irresponsibly, also for financial reasons.
    C) The ASMedia exploits are lumped in as "AMD" exploits when they're actually... ASMedia exploits. See A and B.
  • karthik.hegde - Thursday, March 15, 2018 - link

    I think despite knowing "ASMedia vulnerabilities" for some time, not publishing the same and going towards Ryzen with it makes the whole deal fishy.
  • draylor - Thursday, March 15, 2018 - link

    Excellent article, good work by all.

    The whole thing smelt incredibly fishy at first glance and this confirms we're right to be suspicious. I'll give CTS some credit, they do appear to have done some impressive work but they've ruined that by handling it terribly and failing to answer the questions when given the chance. Hard to imagine too many credible companies wanting to deal with these guys!
  • Samus - Thursday, March 15, 2018 - link

    It's really hard to give CTS credit for anything here aside from actually discovering the vulnerabilities. The way they have handled this, and the way they answered the second half of the questions, is quite poor.
  • LastQuark - Friday, March 16, 2018 - link

    I doubt this is the work of CTS. They appear to have been briefed. The bugs must have been fed to them by someone judging from how they responded to the questions.
  • YukaKun - Thursday, March 15, 2018 - link

    Holy cow... The smell from those answers! THE SMELL!

    I don't even... They're either incredibly smart, but have zero clue on how things actually work in big corporations, or they were just toyed from head to toe by a 3rd party with an agenda.

    Cheers!
  • Glowtape - Thursday, March 15, 2018 - link

    So they contacted OEMs and other security companies, but not AMD themselves? What?
  • samvee - Thursday, March 15, 2018 - link

    How come the CTS guys did not mention that they were advised by Trail of Bits to go through the regular process with CERT? https://www.itwire.com/security/82115-israeli-firm...
  • jjj - Thursday, March 15, 2018 - link

    These new levels of nasty are quite amusing.

    It's either market manipulation and then the SEC needs to see what it can do about it, or opposition research in plain view and that could become quite funny as there would be such "scandals" every other day.
  • Alexvrb - Friday, March 16, 2018 - link

    Who says it isn't both? A little opposition research with a dash of making money on the side.
  • jcc5169 - Thursday, March 15, 2018 - link

    This situation has all the earmarks of a hit-piece designed to support significant short-selling of AMD shares.
  • lefty2 - Thursday, March 15, 2018 - link

    Someone on reddit checking into the history of CTS labs found that previously this company was called "Flexagrid Systems", the author of Crowdcores adware: https://www.reddit.com/r/Amd/comments/84cbtr/ctsla...
  • forgerone - Thursday, March 15, 2018 - link

    ANAND FAILED TO ASK ONE VERY SIMPLE QUESTION.

    IS THIS THE OPINION OF CTS LABS OR IS THIS A FACT?

    From CTS

    "The report and all statements contained herein are opinions of CTS and are not statements of fact."

    And this......

    "Although we have a good faith belief in our analysis and believe it to be objective and unbiased, you are advised that we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports."

    Excerpted from below...

    "Legal Disclaimer

    CTS is a research organization. This website is intended for general information and educational purposes. This website does not offer the reader any recommendations or professional advice. The opinions expressed in this report are not investment advice nor should they be construed as investment advice or any recommendation of any kind.

    It summarizes security vulnerabilities, but purposefully does not provide a complete description of such vulnerabilities to protect users, such that a person with malicious intent could not actually exploit the vulnerabilities and try to cause harm to any user of the products described herein. Do not attempt to exploit or otherwise take advantage of the security vulnerabilities described in the website.

    The report and all statements contained herein are opinions of CTS and are not statements of fact. To the best of our ability and belief, all information contained herein is accurate and reliable, and has been obtained from public sources we believe to be accurate and reliable. Our opinions are held in good faith, and we have based them upon publicly available facts and evidence collected and analyzed, which we set out in our research report to support our opinions. We conducted research and analysis based on public information in a manner that any person could have done if they had been interested in doing so. You can publicly access any piece of evidence cited in this report or that we relied on to write this report. Although we have a good faith belief in our analysis and believe it to be objective and unbiased, you are advised that we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports. Any other organizations named in this website have not confirmed the accuracy or determined the adequacy of its contents.

    You may republish this website in whole or in part as long as CTS is clearly and visibly credited and appropriately cited, and as long as you do not edit content.

    Although we strive for accuracy and completeness to support our opinions, and we have a good-faith belief in everything we write, all such information is presented "as is," without warranty of any kind– whether express or implied – and CTS does not accept responsibility for errors or omissions. CTS reserves the right to change the contents of this website and the restrictions on its use, with or without notice, and CTS reserves the right to refrain from updating this website even as it becomes outdated or inaccurate."

    https://amdflaws.com/discla...

    CTS is telling the world it is ALL bullshyte and they have a financial stake in AMD.

    Yet the on-line media is writing about nothing else.
  • Ian Cutress - Thursday, March 15, 2018 - link

    Anand hasn't worked at the site for a few years.

    The wordy language used by CTS is a legal safety net. You can pick at it how you want, or skew it how you want, but the only answer I would expect from them is that it indemnifies them should there be any inaccuracies or certain links may or may not be exposed.

    I'm not too hung up on the washy language when there are bigger parts of the story to discuss. If there is a financial conflict worthy of investigation, then there are legal frameworks beyond my expertise and jurisdiction that should be put into motion.
  • forgerone - Thursday, March 15, 2018 - link

    Why are you defending a LIE?

    There is nothing wordy about it.

    CTS is clearly saying that everything in their report is NOT A STATEMENT OF FACT.

    In case you have language problems allow me to REQUOTE IT FOR YOU.

    "The report and all statements contained herein are opinions of CTS and are not statements of fact."

    So why did you fail to ask the question.

    Why did you fail to ask if the report was factual YES OR NO.

    CTS Founders are bragging that they are Israeli Intelligence Operatives from Unit 8200 and the on-line media believes these people.

    SPIES ARE TRAINED TO LIE.

    Viceroy is also under investigation in Germany for illegal stock manipulation.

    https://derstandard.at/2000075923443/Marktaufsicht...

    http://www.handelsblatt.com/unternehmen/it-medien/...

    There are NO FACTS. Why are you defending these people?
  • compudog - Thursday, March 15, 2018 - link

    I don't see how Ian is defending them. What CTS did was wrong, they are an unscrupulous organization. The whole thing stinks.
  • compudog - Thursday, March 15, 2018 - link

    Although I agree they did fail to ask if it was factual. But my guess is Ian didn't want to be nonobjective.
  • Ian Cutress - Thursday, March 15, 2018 - link

    Part of the skill of an interviewer is knowing which questions will be answered, and which ones will not. If I ask if it is factual, the response would automatically be 'to the best of our ability, yes, but for legal reasons we have to use this wording'. I'm not going to spend my limited time asking questions that I know what the answer will be.

    I'm not going to sit here and pick through your statements. You start from all caps, and fail to form a cogent argument worth responding to. Even your translation about your assumptions of what the text is trying to hide has no linking merit except for your gut feeling or belief that there is something more nefarious going on.

    If you actually have evidence that CTS has a financial stake in AMD, beyond interpreting a wordy disclaimer (which isn't evidence), then please provide it.

    As an honest journalist, I won't be forming conjecture without it. Innocent until proven guilty.

    Or is that defending a lie?
  • Yojimbo - Friday, March 16, 2018 - link

    Who are you? Just save your caps for a few days. At this point it looks like the vulnerabilities are real. Probably in a few days we will get various confirmation.
  • garbagedisposal - Friday, March 16, 2018 - link

    You're a fucking moron. Lots of those lately.
  • forgerone - Thursday, March 15, 2018 - link

    "You can pick at it how you want, or skew it how you want, but the only answer I would expect from them is that it indemnifies them should there be any inaccuracies or certain links may or may not be exposed."

    Hey Edmund R Moron; just what is there to skew about "The report and all statements contained herein are opinions of CTS and are not statements of fact."

    Do you have reading comprehension problems or are you deliberately ignoring "not statements of fact" with malicious intent to cause AMD harm? Is ANAND deliberately spreading malicious rumours with the intent to cause harm?

    CTS has come right out and said the whole thing is BULLSHYTE and you are still eating it up.

    ANAND is a YELLOW JOURNALISM RAG.
  • forgerone - Thursday, March 15, 2018 - link

    Everything here has been copyclipped and sent to the SEC.

    You people know this has ZERO basis in fact yet you are still defending it and reporting it as a fact.
  • jordanclock - Friday, March 16, 2018 - link

    Are you a Russian troll or just someone that can't wrap their head around the facts? If CTS puts vague wording on their site and in their whitepaper, then what makes you think they're going to answer the question you want asked?

    Are you somehow under the impression that if Ian asks "are these facts or opinions" they will burst into flames, exposing them to be the vampiric frauds they really are?
  • Ryan Smith - Thursday, March 15, 2018 - link

    I have not needed to ban anyone in quite some time. But this kind of abuse of my editors is unacceptable.
  • casperes1996 - Thursday, March 15, 2018 - link

    Well done, Ryan. I was actually surprised Ian even cared to answer these comments as they continued to get more and more ridiculous. Initially I too thought to myself why Ian didn't ask about the disclaimer CTS had on the bottom of the web page, but I didn't need Ian to explain it to figure out that CTS' answer to that would just have been, well that it's a disclaimer for legal reasons in case they turn out to be accidentally wrong about something they firmly believe to be true. And whilst there's definitely still something fishy about the whole thing, I do believe that part to be true
  • RandSec - Friday, March 16, 2018 - link

    "it's a disclaimer for legal reasons in case they turn out to be accidentally wrong about something"

    Assuming any error would be "accidental" is an argumental bias: It may not be "accidental" at all.
  • forgerone - Thursday, March 15, 2018 - link

    VICEROY IS UNDER INVESTIGATION IN GERMANY FOR ILLEGAL STOCK MANIPULATION.

    http://www.handelsblatt.com/unternehmen/it-medien/...
  • forgerone - Thursday, March 15, 2018 - link

    AND HERE:
    https://derstandard.at/2000075923443/Marktaufsicht...
  • chobao - Thursday, March 15, 2018 - link

    Hey Ian,

    check this one out..if you haven't already :) - TOB BLOG...maybe it is a little different in terms of the account of events..written by DAN himself

    https://blog.trailofbits.com/2018/03/15/amd-flaws-...
  • Ian Cutress - Thursday, March 15, 2018 - link

    Yup, saw that. A couple of really interesting phrases there.
  • chobao - Thursday, March 15, 2018 - link

    Awesome Write up btw :) Good Job!!
  • PreacherEddie - Thursday, March 15, 2018 - link

    Excellent reporting. Things about this story just don't sound right. Thanks for digging to expose what you can, and not assuming what you can't confirm.
  • Sunrise089 - Thursday, March 15, 2018 - link

    This is the most proud I’ve been of Anandtech in years. Impressive combo of technical expertise and speaking truth to power. Keep it up Ian!
  • casperes1996 - Thursday, March 15, 2018 - link

    Incredible journalism on this one. It actually brought me a lot of joy just how well this article was written and the work that'd gone into digging up all you can, preparing the right questions, and asking them in the right way. Absolutely a brilliant write-up at the end as well. Perfectly balanced and brilliant
  • Stuka87 - Thursday, March 15, 2018 - link

    Well done Ian. Happy you got David in on the call too!
  • zmeul - Friday, March 16, 2018 - link

    this whole article is just a phishing expedition and doesn't clarify pretty much on anything, only adds supposition from the author instead of researching if the vulnerabilities are actually real
  • iwod - Friday, March 16, 2018 - link

    That is one reason why I literally stopped reading most of the other Tech sites. Anandtech, may be the "only" site that has done some detailed investigation into it? As in, actual Journalism?

    So it pains me when they say Tomshardware was their sister site. Because I read the Tom's pieces a few times, trying to convince myself what they put out was ok.

    In the end I can't. Utter Crap. And removing them from my RSS feed.
  • 0siris - Friday, March 16, 2018 - link

    Thank you Ian and David for the follow-up. And I guess thank you to not only Ian but Anandtech as a publication for looking at the claims and then choosing a more reserved title for the initial article, unlike some other publications. It is important to express any misgivings with the initial claims in the title of the article (instead of simply "AMD SECURITY ISSUES"), because Joe Consumer will probably not read past the title or lead paragraph. Good work.
  • Ranger1065 - Friday, March 16, 2018 - link

    Well done Anandtech. Good expose on the Israeli scumbags. That picture of Cutress in a Tux borders on comical though.
  • Ian Cutress - Friday, March 16, 2018 - link

    Hey, that was from my wedding! 😁😁 I am a few years older now though.
  • chobao - Friday, March 16, 2018 - link

    ya you look cooler in that chem suit >.<
  • r3loaded - Friday, March 16, 2018 - link

    Hope they and their friends at Viceroy have got a good legal team, because financial authorities are going to be breathing down their neck right now.
  • Carmen00 - Friday, March 16, 2018 - link

    Excellent interview, thank you Ian & David for some very good questions and analysis. At this point, judging by their answers, I am not even sure that they did the research themselves - they seem to be entirely clueless about some critical things! Perhaps someone else did the research and got these clueless flunkies to whip up a company and put some branding on it? And in 2018, claiming that there is any real debate in the security community over a minimum 90-day period is just insane.

    I hope that Viceroy/Intel/whoever paid them an enormous sum of money, because I can guarantee that they're not going to get legitimate business as an infosec firm after this fiasco. Being brash is one thing. Being brash and also being too incompetent to understand the basics of vulnerabilities you're disclosing, and of the disclosure process itself, is quite another thing.
  • yeeeeman - Friday, March 16, 2018 - link

    The way this interview ends says it all. They happily gave details about the accusations, but when questions turned to details about them and the customer that ordered this, they "had to drop". No shit. I really do hope they end up in court and pay BIG money or better, with some jail, because of this.
    They probably won't, but I really hope it happens.
  • crotach - Friday, March 16, 2018 - link

    I would not be surprised to see these security researchers behind bars for running a pump&dump scheme on the AMD stock.
  • kitfit1 - Friday, March 16, 2018 - link

    Hi Ian, long time no speak...........Cambridge was the last time I think?
    Thanks for posting the interview, interesting stuff and says more about CTS-Labs' unprofessional conduct than the vulnerabilities themselves. For a startup company to shoot themselves in the foot straight out the starting gate tells me they have no intention of being around for very long.
  • Strunf - Friday, March 16, 2018 - link

    I don't contest this all smells fishy but if these attacks can infect a PC and stay there despite OS reinstall then it's quite a thing, someone could install one of these exploits at the production of the PC and then ship the PC with the exploit already in...
  • RandSec - Friday, March 16, 2018 - link

    "if these attacks can infect a PC and stay there despite OS reinstall then it's quite a thing"

    No different, really, from any malicious BIOS re-flash. Once an attacker can run code on a target machine no security exists.
  • eva02langley - Friday, March 16, 2018 - link

    I just read the two first questions so far... and basically these guns are guns for hire. "Find dirt"... this is disgusting.
  • eva02langley - Friday, March 16, 2018 - link

    "these guys"
  • B3an - Friday, March 16, 2018 - link

    Filthy subhuman jews.
  • Carmen00 - Friday, March 16, 2018 - link

    While you're on that "user ban" screen, Ryan, just take a quick peek at the above account?

    It's amazing how this story has brought the crazies out of the woodwork.
  • B3an - Friday, March 16, 2018 - link

    Go jump off a bridge you censoring fascist.
  • watzupken - Friday, March 16, 2018 - link

    To be honest, the more information I read about this, the more I think this "Security Firm" is really dodgy. This entire fiasco appears to be trying to do harm to AMD, turns out to be affecting their reputation substantially more even if the mentioned security flaws are legit.
  • Speedfriend - Friday, March 16, 2018 - link

    I am surprised so many people think that they are going to be done for stock manipulation. Doing research and then publishing your opinion of available facts is what analysts do all the time and they are allowed to have positions in the stock provided that the fact is disclosed. Unless the claims that they have found vulnerabilities are disproven, I find it hard to believe that anything will come out of it despite the fact they did not stick to industry norms.
    And let's be realistic, those industry norms are designed to protect the industry, not users. It is interesting that if a company is the victim of a cyberattack resulting from a vulnerability, they can get charged and fined if they don't immediately tell clients, but a tech company gets 90 days to fix a vulnerability while customers are blissfully unaware they may be exposing themselves. Of course, disclosing the vulnerability would let attackers potentially utilise it while a fix is being worked on, so I am not sure what the answer is.
  • Topweasel - Friday, March 16, 2018 - link

    I get what you are saying Speedfriend. The one thing I would say is that with their announcement came an article 25 freaking pages long analyzing this. Released at the same time they announced it. This means that those single guys and no one else had this information a long time before announcement. It was a financial write-up and not a technical (another red flag) and even specified a stock value (sub $1) and used the phrase "AMD will have to file for Chapter 11, to recover from these vulnerabilities".

    The fishiness on how they ended the call basically explains it. Those guys were the customers and they wanted to short sell AMD stock.

    If it was just that these guys Zero'dayed AMD it would look bad (and like someone else said if they were a real security company they just shot themselves in the foot). But it would mostly blow over. It's their presentation, the people they informed first, those guys' presentation, and what the vulnerabilities actually are (all need a compromised system to become more compromised) altogether makes these guys seem like a joke/hitmen. Which in a way is sad. Sure AMD will patch the issues if they're legitimate. Intel needs to as well because 90% of them apply to them as well. But it's sooooo poorly handled by CTS that even if this was Meltdown it would be hard to look past the trolling that CTS is a part of to look at the issue. They wagged the dog on themselves.
  • mikato - Wednesday, April 25, 2018 - link

    They may have been trying to cover their previous short, meaning they already shorted AMD stock a while back, but now the stock has gone up and stayed, they are in trouble, so they hope (or engineer) a stock dip to reduce their short failure.
  • eva02langley - Friday, March 16, 2018 - link

    So you have a company that doesn't need AMD money for finding flaws. They were not after bounties, they were paid already... and THIS IS totally incredible. It gives precedence to two options:

    1. It was intentional (which I totally believe); or
    2. They are incompetent

    Anyway, they lost the trust from the industry and will probably find the next little while difficult financially.

    However, I want to know the client. As of now, AMD should sue and gain access to that information legally. This is pure marketed industrial sabotage.
  • LastQuark - Friday, March 16, 2018 - link

    It was intentional and they are incompetent.
  • mikato - Wednesday, April 25, 2018 - link

    Maybe someone that was shorting AMD and could afford to spend a bunch to improve their position, cover their short, or short some more. There definitely could’ve been enough money at stake there for them to give this a shot.
  • USGroup1 - Friday, March 16, 2018 - link

    Your questions sound like you are on the side of the company with the flawed product.

    "IC: On the website, CTS-Labs states that the 0-day/1-day way of public disclosure is better than the 90-day responsible disclosure period commonly practiced in the security industry. Do you have any evidence to say that the paradigm you are pursuing with this disclosure is any better?"

    They did not go public with the technical details of how to use the exploits. Publishing the vulnerabilities this way forces the manufacturer to fix them as fast as possible.

    Obviously it's always better this way for the consumers, it just screwed up AMD and some of their tech fan sites.
  • Inteli - Friday, March 16, 2018 - link

    Or he's skeptical of the claims of an unknown company with unorthodox practices.

    "Publishing the vulnerabilities this way forces the manufacturer to fix them as fast as possible."

    As opposed to the 90-day policy which allows companies to sit around and do nothing to resolve the problem...

    The 90-day policy allows companies who are affected to understand the vulnerability and begin to formulate a fix before the announcement. Is it really better for consumers for AMD (or any other company) to be blindsided by a vulnerability and have nothing to show that they have some sort of fix planned? CTS even admits that they wouldn't necessarily do the same if they published the Spectre/Meltdown paper:

    "IC: Say, for example, CTS-Labs were in charge of finding Meltdown and Spectre, you would have also followed the same path of logic?

    YLZ: I think that it would have depended on the circumstances of how we found it, how exploitable it was, how reproducible it was. I am not sure it would be the case. Every situation I think is specific."

    "Obviously it's always better this way for the consumers."

    Which is why Google waited 90 days before disclosing Spectre and Meltdown, two significantly more dangerous vulnerabilities. Spectre/Meltdown took much longer than 90 days to fix, but at least with those 90 days Intel could analyze and understand the vulnerabilities before the public was informed.
  • Arbie - Saturday, March 17, 2018 - link

    USGroup1, can you provide links to some "AMD tech fan sites"? I'm currently an AMD fanboy and haven't yet seen a one. Amazing that I could have missed them all, but there it is. Your info would be most helpful.
  • dilacerated - Friday, March 16, 2018 - link

    Thank you Ian I have been waiting for this. Also thank you David. I've been following AnandTech since 1997 and while I miss Anand this is the best piece here that I have seen ever.

    David's commentary over at Real World Technologies sums this all up:

    "So I actually interviewed these guys along with Ian Cutress of AnandTech: https://www.anandtech.com/show/12536/our-interesti...

    It's telling how quickly they bailed on the call once I started asking about their company. Also, they seemed to not understand "chicken bits" at all or the basic HW design principles. The ramblings about FPGAs were fascinating.

    David"
  • Topweasel - Friday, March 16, 2018 - link

    I read a little bit of that thread. Got a kick out of Juangra being called out for a shill by Linus Torvalds. Once you have gotten to the point that Linus has gotten wind of your BS and not only that but knows the BS by name, you might as well give up or at least start using a new ID.
  • dilacerated - Monday, March 19, 2018 - link

    Yes that was rich indeed. Juangra is really making the rounds on this.
  • wow&wow - Friday, March 16, 2018 - link

    Thank you for the information.

    Below are simple facts.

    No address, no land line, 4 nobody con men "SOMEWHERE in Israel" set up after June 2017 (after Intel's "Meltdown inside"), ..., but just a website ($4.95/month) and a mobile number +1-585-233-0321!

    From CTS (Cheap Technical Scammers?), why media even bother to tango with it:
    "The report and all statements contained herein are opinions of CTS and are NOT STATEMENTS OF FACT."

    "you are advised that we may have, either directly or indirectly, AN ECONOMIC INTEREST in the performance of THE SECURITIES OF THE COMPANIES whose products are the subject of our reports."

    They did disclose the above, but it’s up to media and people to read and interpret it.

    From the person who reviewed their findings for $16K:

    "For the attacks to work, an attacker must first obtain ADMINISTRATOR ACCESS to a targeted network, Guido said."

    For the car thief to steal the car, the car thief must first obtain the car key and access to the car, CommonSense said. What a car thief!

    The 4 nobody con men "SOMEWHERE in Israel" successfully used media (particularly technical sites) to generate the FUD and got the publicity and economic interest, and one person got $16K.

    Some more facts:

    On 3/15/17, from Intel CEO: “We See Ourselves as an Israeli Company as Much as a U.S. Company.”

    On 3/13/18, 4 nobody con men "SOMEWHERE in ISRAEL (Intel inside)" without a business address and land lines had media generate the FUD on AMD's new competitive products.

    On 3/15/18, from Intel CEO: "Advancing Security at the Silicon Level" instead of fixing the bug of not following the privilege levels defined by ourselves.

    Housekeeper entering with key and stealing = House having a design bug of being vulnerable to stealing?

    Can anyone of so called "security experts" tell builders how to design and build houses that are 100% stealing proof?
  • wow&wow - Friday, March 16, 2018 - link

    Two more facts:

    1) Giving AMD only "one day" instead of 90 days.
    2) Targeting only AMD's new successful, competitive CPU products.
  • toyotabedzrock - Friday, March 16, 2018 - link

    Didn't the Intel Core design come from Israel?
    And would a bios flash remove this persistent malware? Or would it require a flash that rewrites all system firmware?
  • boeush - Friday, March 16, 2018 - link

    There are 2 potential issues with removing this type of malware by BIOS re-flash:

    1) If you have a lot of PCs on your network, you don't actually know which one is infected. Because the malware can be installed and run on the Security Processor and resides in a protected domain, it is invisible to malware scanners.

    2) Because the malware would be running in privileged mode on the Security Processor, it could actually circumvent, block, or otherwise sabotage or silently auto-rollback a BIOS re-flash if/when one is attempted...
  • nagi603 - Friday, March 16, 2018 - link

    2. It would be quite hard to fake a bios update if it would update more than invisible code. Like a version numbering on the background image, add extra options.... but yes, it could theoretically block the update of the PSP. Which can also be outed by the very same basic method: adding a new endpoint to the PSP. The old, compromised PSP does not know what it would have to reply to such a request.
  • SteelRing - Friday, March 16, 2018 - link

    this is fake news straight out of russia and trump playbook, i'm not even sure it's worth mentioning anymore. frightening is the fact that now we have these "security" companies crying wolf and should be treated as suspect going forward. this could be Intel's counterplay to spread doubts to future security claim so that they can get away with blaming the "security" folks after this debacle (hurting AMD is a bonus obviously) will be proven as fake news.
  • Moizy - Friday, March 16, 2018 - link

    There was a great podcast a couple of years ago by NPR's Planet Money on shorting stocks - the principle of selling high and buying low makes sense, but it's a lot trickier than just the mechanics of it. If the market knew what you know, the stock would already be priced accordingly. Therefore, if you want to short a stock, you're assuming you know something everyone else doesn't. Well - the price won't move unless everyone else knows what you know, so you have to get your ducks in a row (have your positions in place), then publicize what you know to the world so the market can adjust.

    This whole thing seems to have little to do with improving security and everything to do with blasting news out there because someone has shorted the stock. I don't think it has anything to do with Intel, or that these guys are tied to Intel at all. Someone wanted to make money shorting AMD, guaranteed.
  • willis936 - Friday, March 16, 2018 - link

    How does the public find out if this is just a few fools trying to make a quick buck by making a company then making many mistakes or if this was a plot by Viceroy to short AMD or if this is a conspiracy by AMD competitors to threaten the world to maintain market share? My gut says it’s that last option since it has the most signs pointing towards it: EPYC performed beyond pre 2017 expectations and Intel is losing market share in their bread and butter market segments for the first time in over a decade. They also have a history of malicious anti competitive behavior. Long gone are the days of Noyce and Moore. A final, less believable option is that there is a party that has something to gain from the nature of cybersecurity and trust between companies seeing a shift. Since this is such a small operation handled so sloppily I doubt any NWO tier conspiracies are going on.
  • ಬುಲ್ವಿಂಕಲ್ ಜೆ ಮೂಸ್ - Saturday, March 17, 2018 - link

    "Since this is such a small operation handled so sloppily I doubt any NWO tier conspiracies are going on."
    -------------------------------------------------------
    Except that they appear to be trying to look like clueless newbs

    With their apparent Military/Intelligence background, I doubt they are the clueless newbs they are trying to portray

    Handing out the exploit info to select groups creates plausible deniability should a live intelligence operation be found out

    and limiting their exploit findings to AMD hardware looks to be a diversionary tactic

    Look, Look over there at those AMD exploits!

    No, No, don't look over here where we may already be exploiting asmedia chips on INTEL hardware

    When a live operation is found in the wild, remember it was these guys who disseminated the info required to that select group of researchers to have you running around looking at all the possible ways these exploits could have gone live

    Don't get me wrong here.....
    Others will use these exploits "IF" they are real and THAT is the plausible deniability they seek
    But Israel would not have released this type of info for any reason I can think of unless they already have an operation planned and not just for AMD systems

    They are trying to make you look elsewhere for the problem they have created

    Remember this post when the exploits turn out to be real

    Personally, I will be looking at INTEL systems if and when that happens, not just AMD
  • lilmoe - Sunday, March 18, 2018 - link

    Oh look! That bullish flag looks RIPE AF yaul!
    It's been a while, but instead of buying their hardware I guess it's time to start building longs. Can I please get another dip?
  • lilmoe - Sunday, March 18, 2018 - link

    Hmmm, hope a target of $20 a share isn't unrealistic. We'll see. Treading carefully here.
  • dilacerated - Monday, March 19, 2018 - link

    Where's HStewart? I really wanted to see him popup by now to try and defend these clowns at "CTS-Labs" and continue his nonsense that Meltdown and Spectre were smears targeted solely at Intel whom also has never ever ever ever done wrong.
  • mazz7 - Tuesday, March 20, 2018 - link

    I am not even as smart as you guys in Anandtech forum, but I do really know it from the beginning, this is utter BS, it is so smelly in my nose.
  • Brodz - Thursday, March 22, 2018 - link

    Onya Ian! You go get 'em! mongrels picking on AMD while they're trying to get back on their feet, that's not sporting at all.

    Thankfully it's backfired, AMD will patch the vulnerabilities soon, and no one will remember CTS Labs unless they end up in court.
  • whodat5432q - Thursday, March 22, 2018 - link

    Fake tech news. Apparently failure to follow long established protocol in the security biz has bigger consequences when only a bit of surface digging reveals quite a bit more here. Well done.
  • melgross - Thursday, March 22, 2018 - link

    This is all very interesting. It seems that much of this has already been verified, so there really isn’t much question of whether it’s real.

    The question of why they released with such short notice is interesting as well. As we know, it’s taking months to come up with a new hardware fix for Meltdown and Spectre. Software fixes still took a bit of time after release, and I’d bet that if release hadn’t come, we would still be waiting for them.

    In this context, I wonder if the release of this, with the short timing matters. It will take some time for fixes to be implemented. Months, possibly a couple of years for it to all go away. Considering that, the arguments about this company don’t really matter that much.
  • melgross - Thursday, March 22, 2018 - link

    I would also like to say that I see too much dismissal of these, major exploits. It bothers me that individuals who should know better are some of those poo pooing this.

    Many, if not most, organizational exploits are from those who already have access. That’s either from employees, contractors, or others. Given that, it would then be easy to take advantage of their access to install these exploits.

    Whether they then remain with the organization, or not, they would have ready access. Pretending that this isn’t so is just foolish, ignorant, or both. Acting as though exploiters need to first get access is ignoring this fact that they likely already have it.
  • yagma - Sunday, November 18, 2018 - link

    No this is not spam forum ai. Shame on 911-nation's CTS for their hitjob! Interesting none-the-less. If anything hopefully it will encourage AMD to get on it. AMD's own website, blog, and forum haven't released any data about any patches. The link also falsely cites, like AMD's blog, outdated and or incorrect data, falsely claiming these exploits are only possible with admin access, whereas CVEdetails & NIST.GOV clearly state they are remote exploits capable over the network and do not require permissions or authentication

    All 13 exploits are exploitable remotely over the network, with zero privileges, meaning no admin access necessary, as reported by NIST.GOV & cvedetails

    HP appears to be the only one releasing patches:
    HP's website, like AMD cites the same outdated and or incorrect information. HP patched their servers which USE this chipset. HP's statements about "Commercial Desktop workstations not being impacted", they use Intel chipsets. They are patching "Commercial desktops and notebooks" for HP & Compaq computers. A great sign, however we are not seeing any of this with major third party motherboard vendors such as ASRock, ASUS, or MSI.

    Regarding Chimera backdoors, disabling the ASmedia chipset via bios would be a choice worth having until something better potentially comes along. 3rd party USB 3 controllers could be installed via PCI-E expansion slots.

    There is a new firmware released on Nov 15, 2018 for the Asmedia ASM-1042A to ASM-1074 USB 3.x Controllers that should allow users to flash over any CHIMERA malware hiding in the firmware. Problem is if the malware gets in thereafter, you may have to wait for a future FW update. Most flashing utils and or chipsets won't allow flashing the same installed, or older firmware. In the age of chimera, not being able to flash over the same version FW is not a very wise policy. The last time an update was released was over a year ago, and before that, 2014; according to the previous link.

    I don't see anything suggesting FW level chimera vulnerabilities were addressed in this firmware, but a re-flash will overwrite any malware regardless...

    If ASmedia could release a security tool that automates this, running this regularly will ensure no hardware level exploits can remain intact on the chipset. I'm unaware if asmedia locks users out from reflashing the same firmware.
  • yagma - Sunday, November 18, 2018 - link

    Sorry, I could not post links here, it labeled my post as spam, just new.startpage.com it.
  • yagma - Sunday, November 18, 2018 - link

    Let's see if I can get the hp patches on here: https://support.hp.com/gb-en/document/c05950716
  • yagma - Sunday, November 18, 2018 - link

    All 13 exploits are exploitable remotely over the network, with zero privileges, meaning no admin access necessary, as reported by NIST.GOV & cvedetails.com
    https://www.cvedetails.com/vulnerability-list/vend...
    https://nvd.nist.gov/vuln/detail/CVE-2018-8936
    https://nvd.nist.gov/vuln/detail/CVE-2018-8935
    https://nvd.nist.gov/vuln/detail/CVE-2018-8934
    https://nvd.nist.gov/vuln/detail/CVE-2018-8933
    https://nvd.nist.gov/vuln/detail/CVE-2018-8932
    https://nvd.nist.gov/vuln/detail/CVE-2018-8931
    https://nvd.nist.gov/vuln/detail/CVE-2018-8930
  • yagma - Sunday, November 18, 2018 - link

    The latest ASmedia USB 3.0 firmware is at the bottom of this page here: https://bit.ly/2QQTKtJ
