"amdflaws.com" - What is this?

FIVR

Diamond Member
Jun 1, 2016
3,753
911
106
https://www.amdflaws.com


The website claims to be some kind of consumer advocacy site that says it found all sorts of flaws in AMD products and claims that "people should consider using products other than AMD's in mission critical products".

It seems like a total hit job. I hope Lisa Su makes an announcement addressing this soon. Anybody else seen anything like this before?


Edit: They even take swipes at ASUS

AMD’s outsource partner, ASMedia, is a subsidiary of ASUSTeK Computer, a company with poor security track record that has been penalized by the Federal Trade Commission for neglecting security vulnerabilities, and must now undergo independent security audits for the next 20 years.
 

NTMBK

Lifer
Nov 14, 2011
10,269
5,134
136
The researchers gave AMD less than 24 hours to look at the vulnerabilities and respond before publishing the report. Standard vulnerability disclosure calls for 90 days notice, so companies have time to address flaws properly.

"At AMD, security is a top priority and we are continually working to ensure the safety of our users as new risks arise. We are investigating this report, which we just received, to understand the methodology and merit of the findings," an AMD spokesman said.

https://www.cnet.com/news/amd-has-a-spectre-meltdown-like-security-flaw-of-its-own/

I'll wait for third party confirmation of the issues before panicking. If it's legit, then it's very bad for AMD- but these guys seem more than a little shady.
 

FIVR

The white paper ends by saying all of these vulnerabilities require admin-level privileges. So... basically nothing like Spectre or Meltdown. The whole thing is plastered with marketing slogans and AMD logos and they even make recommendations for using other companies' products. It looks like a brochure for a video game. This seems like a total hit job.
 

NTMBK

FIVR said:
The white paper ends by saying all of these vulnerabilities require admin-level privileges. So... basically nothing like Spectre or Meltdown. The whole thing is plastered with marketing slogans and AMD logos and they even make recommendations for using other companies' products. It looks like a brochure for a video game. This seems like a total hit job.

So if you've already pwned the system, you can pwn it? Cool exploit.
 

Glo.

Diamond Member
Apr 25, 2015
5,761
4,666
136
I am wondering - who is actually responsible, and connected to this site...?

Because it appears like the same type of marketing Intel did with their "4 CPUs glued together on single package" mud slinging marketing.
 

thecoolnessrune

Diamond Member
Jun 8, 2005
9,673
580
126
So "CTS-Labs" shows up on Wayback machine back in 2012, and doesn't even look like they had anything (but a lot of references to Telemarketing). Suddenly, in January of 2018, their current home page appears.

A Security Firm pops up its presence almost overnight, with no mention of clients, accolades, or really even an explanation of what they do except for some generic statements about various offerings for security testing. Note that all these offerings lead to extremely sparse pages that use other links from other random websites to provide evidence.

Then they create amdflaws.com which looks like a total mud-slinging effort against AMD. Then they give AMD less than 24 hours to respond vs. the months Intel was provided for Meltdown / Spectre?

This looks nothing like Meltdown / Spectre. This looks shady as all hell. Even if these vulnerabilities turn out to be true, this is a completely unprofessional downright disgusting effort by CTS-Labs, which casts them in an even worse light as a Security Company. Why would a security company with almost no historic foothold in the industry crush some of the most basic disclosure tenets in the industry? Just a lot of stuff not adding up here.
 

Hitman928

Diamond Member
Apr 15, 2012
5,595
8,783
136
Is this standard for a legal disclaimer in this type of whitepaper?

CTS-Labs said:
Although we strive for accuracy and completeness to support our opinions, and we have a good faith belief in everything we write, all such information is presented "as is," without warranty of any kind whether express or implied and CTS does not accept responsibility for errors or omissions. CTS reserves the right to change the contents of this White Paper and the restrictions on its use, with or without notice, and CTS reserves the right to refrain from updating this White Paper even as it becomes outdated or inaccurate.
 

Glo.

thecoolnessrune said:
So "CTS-Labs" shows up on Wayback machine back in 2012, and doesn't even look like they had anything (but a lot of references to Telemarketing). Suddenly, in January of 2018, their current home page appears.

A Security Firm pops up its presence almost overnight, with no mention of clients, accolades, or really even an explanation of what they do except for some generic statements about various offerings for security testing. Note that all these offerings lead to extremely sparse pages that use other links from other random websites to provide evidence.

Then they create amdflaws.com which looks like a total mud-slinging effort against AMD. Then they give AMD less than 24 hours to respond vs. the months Intel was provided for Meltdown / Spectre?

This looks nothing like Meltdown / Spectre. This looks shady as all hell. Even if these vulnerabilities turn out to be true, this is a completely unprofessional downright disgusting effort by CTS-Labs, which casts them in an even worse light as a Security Company. Why would a security company with almost no historic foothold in the industry crush some of the most basic disclosure tenets in the industry? Just a lot of stuff not adding up here.

As Ashraf Eassa said on Twitter: "Follow the money" .
 

realibrad

Lifer
Oct 18, 2013
12,337
898
126
So here is what I found so far.

CFO of CTS-Labs
https://www.linkedin.com/in/yaron-luk-zilberman-09a1795

Former employment
NineWells Capital Management
"NineWells Capital Management, LLC is a privately owned investment manager. The firm manages hedge funds for its clients. NineWells Capital Management is based in New York, New York."

It sure looks like an attempt to drop the stock price.

From Cnet
"When those two security flaws were announced in January, AMD said it was not affected because of the differences in its architecture. These new security vulnerabilities break down into four categories, according to CTS-Labs co-founder and Chief Financial Officer Yaron Luk-Zilberman.

All of the vulnerabilities essentially allow an attacker to target the secure processor, which is crucial to protecting the sensitive information on your device.

"You're virtually undetectable when you're sitting in the secure processor," Luk-Zilberman said. "An attacker could sit there for years without ever being detected."

So you have a CFO from a tech security company that used to work for an investment company tanking the stock price of AMD.
 

Glo.

Guys, just take a second, for a step back, and think, what will happen when/if it will be proven that this mud slinging attempt was paid by someone to bash AMD?

I have no idea who has such dumb idiots in its marketing department. But the amount of targets for this is very narrow...
 

thecoolnessrune

It gets richer. There's also another CTSLabs website http://www.ctslabsinc.com/index.html who apparently make salves, tonics, and other generic stuff that seems to border on the line of Homeopathy. Not a big deal right? Could just be a completely different company that's located in Greenville, OH vs. Tel Aviv. Except that their CFO, Yaron Luk-Zilberman is listed on Linked-In as an employee on the CTS Labs Profile that has the above link: https://www.linkedin.com/company/cts-labs-inc

So why is the CFO of a high end Security Company like CTS Labs (located in Israel) also listed as an employee of a tonic and lotion company in Greenville, OH by nearly the same name that makes its web pages off of Yahoo Sitebuilder that looks like a throwback to the 90s?

<!--$sitebuilder version="2.9.0" extra="Java(1.8.0_71)" md5="cdc12eff0f737de716161caacf6caaec"$-->
<!--$templateKey Religious|Sunset - Navy|2.0$-->

Something continues to seem really really strange about all this.
 

zinfamous

No Lifer
Jul 12, 2006
110,805
29,556
146
Oh wow.

Also strange that CNET was so quick to run with this, eh? I haven't had much use for CNET in years, but only because I thought of them as mostly useless, advertisement-driven pablum when it came to tech reviews. This would be the first time I would consider them jumping extremely quickly onto something so thoroughly shady.
 

NTMBK

And here's the other half of the hatchet job:

In light of CTS’s discoveries, the meteoric rise of AMD’s stock price now appears to be totally unjustified and entirely unsustainable. We believe AMD is worth $0.00 and will have no choice but to file for Chapter 11 (Bankruptcy) in order to effectively deal with the repercussions of recent discoveries.
https://viceroyresearch.org/2018/03/13/amd-the-obituary/
 

Hitman928

thecoolnessrune said:
So why is the CFO of a high end Security Company like CTS Labs (located in Israel) also listed as an employee of a tonic and lotion company in Greenville, OH by nearly the same name that makes its web pages off of Yahoo Sitebuilder that looks like a throwback to the 90s?

That's probably just a linked-in mistake. When he created his new job on linked in he probably just typed out cts labs and then clicked on the first company that came up, not realizing it wasn't the right one. Obviously I don't know this for sure but I've had friends that have made this mistake before.
 

thecoolnessrune

Hitman928 said:
That's probably just a linked-in mistake. When he created his new job on linked in he probably just typed out cts labs and then clicked on the first company that came up, not realizing it wasn't the right one. Obviously I don't know this for sure but I've had friends that have made this mistake before.

I can agree it could be a mistake on his part, but you can see those companies as part of your profile. Why would the CFO of a Security Firm leave such a basic mistake for at least a year? You would think there would have been a little oversight or caution.
 

zinfamous


heh, I wouldn't be surprised if this was more of a project from one of Goldman's teams, as they seem to be rather involved in AMD stock manipulation for the last couple of years, at least: constantly lowering valuations, then buying up huge chunks. Again and again.

Or not just Goldman: a direct manipulation scheme for any kind of fund or investment bank; not so much Intel or actual competitors. ...this would be catastrophically stupid of Intel to attempt such a thing, obviously.
 

Hitman928

Grabbed this from reddit as I don't have time to go through the whole whitepaper so I don't know if accurate, but based on comments from others who have at least browsed through it, it seems accurate.

Basically, these vulnerabilities come down to, if you completely own the system with privilege to do whatever you want, you can then further and needlessly exploit the system through included AMD hardware.

From reddit said:
MASTERKEY: Exploiting MASTERKEY requires an attacker to be able to re-flash the BIOS with a specially crafted BIOS update.
RYZENFALL: Exploitation requires that an attacker be able to run a program with local-machine elevated administrator privileges.
FALLOUT: Exploitation requires that an attacker be able to run a program with local-machine elevated administrator privileges.
CHIMERA: A program running with local-machine elevated administrator privileges. Access to the device is provided by a driver that is digitally signed by the vendor.
 