CTS Labs Speaks: Why It Blindsided AMD With Ryzenfall And Other Vulnerabilities

Status
Not open for further replies.
It's to ruin AMD's stock, nothing more, nothing less, when Intel took a hit as well but they were forewarned... So who is CTS working for? Someone with deep pockets, and they just showed they can be bought, so with that said I look at it as a grain of salt... Just pure BS...
 

Security researchers asked them to provide proof for the 13 AMD security flaws, but they just kept avoiding that, saying it is real...
It is most likely some sort of illegal multiplication tactics and fraud by CTS Labs and Dan Guido.


http://www.zdnet.com/article/linus-torvalds-slams-cts-labs-over-amd-vulnerability-report/
Even Linus Torvalds sees the same direction.
 
Yeah, no. This is a targeted attack of the most asinine and obvious kind. The white paper, none of which has yet to be specifically verified or authenticated outside of ONE GUY who was paid by them to do so, is loaded with ad hominem attacks against AMD and their chip manufacturer in Taiwan. The fact that tech sites continue to give this thing legs to run around on is completely irresponsible. The only site I've seen do any real work on investigating this is Gamer's Nexus.

While reporting it from a general sense may be prudent, it should have been very light reporting at most until the genuine details became available to be independently tested and verified. Otherwise, they continue to win and the flames continue to be fanned. Google did it right by keeping their investigation of Spectre and Meltdown under wraps until such a time had passed was the way this should have been handled.

I'm hopeful the SEC cuts the head off this business and revokes that guy's license.
 
Before they speak, they should have a business address and business land lines!

No address, no land line, 4 con men "SOMEWHERE in Israel" set up after June 2017 (after Intel's "Meltdown inside"), ..., but just a website ($4.95/month) and a mobile number +1-585-233-0321!

From CTS (Cheap Technical Scammers?):

"The report and all statements contained herein are opinions of CTS and are NOT STATEMENTS OF FACT."

"you are advised that we may have, either directly or indirectly, AN ECONOMIC INTEREST in the performance of THE SECURITIES OF THE COMPANIES whose products are the subject of our reports."

From the person who reviewed their findings for $16K:

"For the attacks to work, an attacker must first obtain administrator access to a targeted network, Guido said."

For the car thief to steal the car, the car thief must first obtain the car key and access to the car, CommonSense said. What a car thief!

The 4 nobody con men "SOMEWHERE in Israel" got the publicity and economic interest, and one person got $16K.

The mission of having media generate the FUD has been accomplished!
 

And perhaps even more so when it comes to tech industries. Just look at the big tech companies that were once top of their field and looked unstoppable before eventually collapsing, and are no longer around, or are just a shadow of their former selves. AOL was once the most recognized name in web services. Atari and Sega were once among the largest game console / arcade companies. Polaroid and Kodak were once leaders in photography, but didn't really survive the transition to digital photography. Palm was the biggest name in pocketable touchscreen computing devices prior to modern smartphones becoming a thing. Even Apple pretty much collapsed back around the early 90s after previously being the biggest name in home computers for many years, although in that case the company managed to reinvent itself and make a comeback. All it takes is some bad business decisions or failure to properly adapt to a changing market, or sometimes even things outside the direct control of a company, and even the largest can fall.

It's certainly possible that Intel might be more resilient against failure than many smaller companies, but that doesn't make them impervious to it. Will Intel be around in a hundred years? Maybe, but it's also very possible they could fall from their leading position within the coming decades, either to an existing or new competitor. What happens when x86-based processors near their limits, and major changes in architecture become necessary to move performance forward? Will Intel still be playing a leading role, or will some other company with an innovative new design push things forward while Intel is still trying to extract a couple percent more performance out of their existing chip designs? We've already seen something similar in the mobile computing space, where Intel was slow to put out hardware that could compete with ARM, and got left behind.
 
I would guess CTS only gave 24 hours because the bugs may no longer be relevant to sales. The CTS report would mean little after the 2000 series launches. Forbes has an article about AMD confirming the 2000-series in April with the X470 chipset.
 
The whole thing is a full-blown paid shill "research" piece.

Your own Anandtech guys did an interview and they refused (in a very shady way) to provide the information on WHO paid them to release the papers. And a lot of people already know that Viceroy (a well known stock and market manipulator) is behind this.
 
I wonder if they were paid by Intel to investigate or report AMD flaws??? Good way to deflect from issues the Intel processors have!
 
I'll say this right now, criminal charges need brought to bear on CTS. This isn't AMD fanboy crap, this sets a dangerous precedent in the industry if this is how discovered security holes are handled.

Also Tom's, you are full of crap and you entirely contradict CTS's own reasoning on releasing it so early. I quote:

"Some flaws are deemed so dangerous that companies are given even longer to respond--Google afforded Intel and AMD some 200 days to fix Meltdown and Spectre before revealing them to the world at large, for example, and other disclosures have been coordinated between victim and researcher."

But we have CTS, who apparently know better than the rest of the world stating:

"CTS Labs told us that it bucked the industry-standard 90-day response time because, after it discussed the vulnerabilities with manufacturers and other security experts, it came to believe that AMD wouldn't be able to fix the problems for "many, many months, or even a year." Instead of waiting a full year to reveal these vulnerabilities, CTS Labs decided to inform the public of its discovery."

That reeks of irresponsibility, an ulterior motive and is an absolute B.S. reason to release it that shortly. The company needs sued into oblivion as this is a child's response, not a professional security researcher.

Show me an example of a security research group announcing it to the public in just as short of a time before informing the manufacturer and I'll shut up.
 


I'm pretty sure the following line was written with a heavy dose of sarcasm.
But we have CTS, who apparently know better than the rest of the world stating:
I read this as Tom's being extremely skeptical of CTS's reasoning.
 


I want to be clear here. If you think my statement is a blanket attack on all ARM processors, you are misunderstanding me. I simply believe that if 1) AMD is using a commonly used and unmodified ARM core for their secure processor and 2) they are implementing TrustZone as it was designed to be implemented, then it is unlikely that the ability to compromise this security processor is unique to AMD. We have enough information to conclude (1) is true and AMD is allowed to use their TrustZone branding so (2) is probable as ARM's licensing model includes testing and verification. On the other hand, whether this specific issue is AMD specific or not, I would think that ARM would want to know so that they could provide proper guidance to their customers to avoid such issues. Since they have a lot of customers using TrustZone in a lot of devices we use, I think it is a poor decision not to inform them of the potentially relevant security issue.

It doesn't seem that you are very familiar with how TrustZone works. Perhaps this will help. If you can compromise the secure processor on virtually any TrustZone implementation, you are not going to be able to detect it from the normal world application processor. The whole point of the secure world is to create a place that normal world applications can't interfere with. So using your words, if you can modify the code on the secure world processor, you can "create a near-perfect rootkit / spyware solution". This is true regardless of who implemented it. You have to make sure only trusted code gets run in secure world.
 
CTS Labs' explanation smells like half-truths and downright lies to most of us reading their responses. Something is still not quite right. And no apologies whatsoever. Yup, if I were AMD, I would sue CTS Labs and take them for every penny.
 
CTS never said they did not inform the manufacturer before the public; they say they informed AMD but they claim to believe AMD would not fix it for a long amount of time whereas they deem it more necessary that AMD fixes it as fast as possible. As if AMD said "We'll worry about that later" and CTS didn't like that. Whether or not this is true we cannot know, but their claim is that releasing it to the public after 1 day could possibly be one of two things:

- They're fed up with companies unethically not fixing vulnerabilities as fast as they can. If AMD won't try to fix a security flaw now then fine, let the public know. That's your punishment AMD.
- CTS themselves is the unethical company exploiting vulnerabilities that AMD is already trying to fix as fast as possible. This is aligned with what most of you think.
 
I do understand that these flaws are most likely true and AMD should address them. However, all these flaws need admin rights (basically full access to system) to execute.

If a hacker could obtain full access to your system, I think these flaws are the least of your worries. No software patch could work because the hacker (with admin rights) could remove all of them. The hacker could do way more than these exploits. He could simply install malware and make your antivirus think that it's legitimate software. Bypass your firewall, create a backdoor, etc...

If a hacker could obtain your admin password and access your server remotely, I don't think even Intel systems are safe. Even if you use Linux or Unix etc... it's not going to help. If someone could access your servers physically, then I have to say you are totally screwed.

Of course, it's very, very hard to obtain the admin password (unless the server uses a poor password or it's given to you). So, this explains why I feel it's rather a non-existent issue. It's simply easier to find other loopholes than to crack your admin password.
 

No, we can verifiably say that is false. They themselves state that they didn't contact AMD about their findings until the day before the public announcement, and it's likely that AMD didn't even get a chance to review their report before hearing about it in the "news". According to them, they let plenty of other companies know about their supposed findings before contacting AMD, and they admit to never asking AMD about how long something like this might take to fix, but just based their estimate on feedback from the suggestions of other, unnamed companies. And they also admit that this entire "research project" was paid for by another company, who they won't name, or even suggest what field of business that company is involved with. The head of this small company also has ties to companies involved with stock trading, and there is plenty of evidence pointing to their strange attack on AMD as being an attempt to manipulate stock prices.

The real question should be whether stock manipulation is the actual goal, or if that's just a red herring designed to divert people's attention from another reason someone might want to make AMD look bad shortly before their new processors launch.
 


Interesting, could I see where they said this, since this article didn't mention anything about it? Thanks!
 

I've seen information about this detailed in a few articles elsewhere. The AnandTech interview that I read yesterday asked them about some of it. Tom's added an article today summarizing certain parts of that interview, though it might be worth clicking through from there to read the interview itself and AnandTech's take on it...

http://www.tomshardware.com/news/cts-labs-responds-amd-vulnerability-disclosure,36680.html

There are other tech news sources and some videos that take a look into some of the oddities surrounding this as well though. Sure, there could be the possibility that these guys are just doing abnormal things to promote a new security research company, but the evidence seems to point toward something else going on. The vulnerabilities themselves are likely real, though it's unknown how much of an impact they might actually have due to the lack of information available, and the lack of time for AMD to look into them. It definitely seems like there was more of a focus on attempting to make AMD look bad than on doing anything to help the public though.

As for the potential of other motivations aside from stock manipulation being behind it, that's more speculation, but it's at least worth keeping an open mind about the possibility.
 


I just like to be speculative of claims in general. You know how word of mouth goes: people have pre-supposed biases against CTS Labs, so people can say anything negative about CTS Labs and they'll probably believe it and spread it elsewhere on the Internet without an original source. Most of the negative stuff I'm hearing about them is coming from people in this comment section with no source or direct quotes backing themselves up.

Good social experiment (make up something about CTS Labs and see how it spreads) but I believe something similar has already been done with the "you swallow so many spiders per year" thing that most people in America now believe. Unless, of course, the actual lie is that the spider thing is a lie, in which case the point is still proven because the lie about the lie got adopted by many people also.

I'm not going to make any judgements against CTS until I find some more sources. If I get time I'll try to check out the Anandtech interview and see if I can verify most of the claims I see people making or determine if many of them are downright false but not criticized since the majority here is against CTS.
 


Criminals
 
There might even be other chips affected, and these cover the vast majority of all motherboards in use today!

What seems to make these vulnerabilities so special is that they allow a (from a public perspective) completely new level of threat:
1. Use any of the vast plethora of tools to gain illegal access using (previously) known vulnerabilities.
2. Once inside, you now can do whatever you want, cover all tracks of having done it, and set up a persistent back door that can neither be found nor removed.

As someone spelled it out:
Like breaking into a bank vault. Steal all the money. Install a personal back door to the vault. Then cover all tracks so nobody can notice that there's been a break in and money is missing.
(After that you can just use the back door to get back covertly and loot the place repeatedly whenever you feel like it.)

So the alleged vulnerabilities seem really bad, but it's still also the question on why CTS is verbally going so very hard on AMD instead of just focusing on the technical issues...
 