Dubious Research Discovers Ryzen vulnerabilities

I'm really not sure what you are referring to - aside from the fact the pro-AMD lot are constantly trying to make comparisons to Intel, as if that matters, which in this context it doesn't - just because someone else is worse doesn't make something wrong less so.

Aside a couple of people who've borderline trolled from the nVidia versus AMD angle there has been little to no contribution from anyone here from the blue team - if you take a moment to read some of my posts I've linked to I've been far more scathing in regard to Intel when it comes to flaws like this than I have of AMD.

The only thing I've been particularly critical of AMD over in this instance is their handling of PR - the rest - well these things happen and the main thing is they are addressed and dealt with as quickly as possible.

I don't like AMD and I've never hid that - I am not a fan of the way they talk big but generally fail to deliver on the talk and then say nothing at all when they should be talking and can't support them as a company because of that. To read from that that I have to be pro-Intel is misguided at best. My position on Intel is ambiguous at best I've made positive and negative comments about them in roughly equal measure - I don't love them, don't really hate them though there are things they do such as lack of transparency or control over AMT features and incremental performance increases, holding back tech progress as there hasn't been much competition before Zen came along and ever increasing prices and at times anti-competitive practises which don't really enamour me with the company.

Now nVidia fanboy you could put me in that camp, though I'm not a huge fan of the company but I do like their products and they generally deliver when they say they will, mostly.

OK, just a quick yes or no.

Do you think CTS-Labs were trying to influence the stock market?
 
I think this thread has become very tribal - blue team vs red team.

I'm ALL AMD and none of these current threats bother me in the slightest. I do get the feeling that some of the blue team (not all) are still smarting from the Meltdown debacle. Meltdown patches - what Meltdown patches. Yeah - Meltdown, that serious threat. When all is said and done CTS-Labs' PR stunt was a pure attempt at market manipulation. AMD has recently become quite a threat to the big boys and subsequently since their success they have been a target of short sellers and dubious 'market analysts'. That topic is a more worthy discussion than CTS-scams.labs.

completely.
 
OK, just a quick yes or no.

Do you think CTS-Labs were trying to influence the stock market?

CTS-Labs themselves I can't make a call on that - there isn't enough information about the company internally and I've turned up nothing while looking at the main employee's LinkedIn and past social media presence that would indicate any bias - one of the main guys has a background in financial stuff so it's possible there was vision there.

The evidence digging into the past of the founders of the company suggests that they decided to go into business for themselves about a year ago as a hardware/software security company after a past history of working for such companies - the most likely explanation here is that they went off half-cocked having dug some bugs up looking for their 15 minutes of fame and making a name for their company - this tends to be borne out by the fact they've now been furiously back-pedalling and backfilling information and testing that should have been in the initial disclosure and wasn't - if this was an intentionally planned in advance attempt by themselves or as puppets of someone like Intel it is far more likely this would have either been a "link and run" with no further updates on the web-site etc. or a slickly executed affair with in-depth technical details from the start rather than the bumbling effort this has been.

What seems to have happened is that in their rush to get their names in the limelight and taking shortcuts instead of the established procedures they've been taken advantage of in their inexperience by the first media company they approached to try and get their names out there who've seen the opportunity financially and tried to use it to their advantage.

There isn't a quick yes or no answer to this - anyone who says there is at this point isn't taking into account all the facts (and lack of facts in some areas).
 
CTS-Labs themselves I can't make a call on that - there isn't enough information about the company internally and I've turned up nothing while looking at the main employee's LinkedIn and past social media presence that would indicate any bias - one of the main guys has a background in financial stuff so it's possible there was vision there.

The evidence digging into the past of the founders of the company suggests that they decided to go into business for themselves about a year ago as a hardware/software security company after a past history of working for such companies - the most likely explanation here is that they went off half-cocked having dug some bugs up looking for their 15 minutes of fame and making a name for their company - this tends to be borne out by the fact they've now been furiously back-pedalling and backfilling information and testing that should have been in the initial disclosure and wasn't - if this was an intentionally planned in advance attempt by themselves or as puppets of someone like Intel it is far more likely this would have either been a "link and run" with no further updates on the web-site etc. or a slickly executed affair with in-depth technical details from the start rather than the bumbling effort this has been.

What seems to have happened is that in their rush to get their names in the limelight and taking shortcuts instead of the established procedures they've been taken advantage of in their inexperience by the first media company they approached to try and get their names out there who've seen the opportunity financially and tried to use it to their advantage.

There isn't a quick yes or no answer to this - anyone who says there is at this point isn't taking into account all the facts (and lack of facts in some areas).


I'll take that as a no then.
 
I'll take that as a no then.

Take whatever you want from it - I've made a reasoned and balanced post with references to information you can independently check for yourself - to make a firm yes or no on CTS-Labs themselves at this point would only come from bias not an objective look at the information available.

That someone has weaponised this information and attempted to use it for ill-gotten gain whether financially or out of some interest in seeing AMD fall I think is however indisputable.
 
Take whatever you want from it - I've made a reasoned and balanced post with references to information you can independently check for yourself - to make a firm yes or no on CTS-Labs themselves at this point would only come from bias not an objective look at the information available.

That someone has weaponised this information and attempted to use it for ill-gotten gain whether financially or out of some interest in seeing AMD fall I think is however indisputable.

Well at least we agree on something. :)
 
CTS-Labs themselves I can't make a call on that - there isn't enough information about the company internally and I've turned up nothing while looking at the main employee's LinkedIn and past social media presence that would indicate any bias - one of the main guys has a background in financial stuff so it's possible there was vision there.

The evidence digging into the past of the founders of the company suggests that they decided to go into business for themselves about a year ago as a hardware/software security company after a past history of working for such companies - the most likely explanation here is that they went off half-cocked having dug some bugs up looking for their 15 minutes of fame and making a name for their company - this tends to be borne out by the fact they've now been furiously back-pedalling and backfilling information and testing that should have been in the initial disclosure and wasn't - if this was an intentionally planned in advance attempt by themselves or as puppets of someone like Intel it is far more likely this would have either been a "link and run" with no further updates on the web-site etc. or a slickly executed affair with in-depth technical details from the start rather than the bumbling effort this has been.

What seems to have happened is that in their rush to get their names in the limelight and taking shortcuts instead of the established procedures they've been taken advantage of in their inexperience by the first media company they approached to try and get their names out there who've seen the opportunity financially and tried to use it to their advantage.

There isn't a quick yes or no answer to this - anyone who says there is at this point isn't taking into account all the facts (and lack of facts in some areas).

I can shorten this and at the same time actually say something about it.

  • CTS-Labs are not a real company, they don't even have offices and used stock photos of office spaces to pretend they did.
  • They have not done anything prior to this.
  • Their work is full of inaccuracies, lies and their understanding of the subject is lacking.
  • They sent their apparent findings to an investment firm before they told AMD anything.
  • They have been discredited by the very computing security firm they hired to validate their work.
  • Established and respected industry insiders have also pointed to the flaws of their work and their biased agenda with it.
CTS-Labs are not just a fake entity with fake work, they had a personal agenda with it, they even put their intentions with this into plain text, to paraphrase "our intentions are financially motivated" they also said this "we believe these issues are so serious that AMD is worth $0.00 and should file for bankruptcy immediately".

There is no doubt or anything grey about it, as Roff twists it, they are exactly what the industry have categorized them as, a discredited fake element with its own agenda.
 
These guys are going to get sued badly soon right?

Hopefully.

It needs to happen because if they are allowed to get away with it then any schmuck who wants to make some easy money manipulating the stock markets by betting against one on it and then setting out to destroy them in this way then it will open the flood gates.
 
These guys are going to get sued badly soon right?

Doubtful - some of the media might have exposed themselves to charges possibly - unfortunately I've forgotten where it is off the top of my head but there is a long discussion in the user comments at the end of one of the linked articles on the legal aspect of it - largely, especially as they are in Israel, there isn't likely to be much comeback as far as the law goes unless it can be linked to insider trading, etc.

They are pretty much finished as a company though after this debacle.

EDIT: One of the guys involved seems to have offices for another company in New York however so there is a legal exposure there dunno assuming there was ever a legal case to answer. He also has a background in finance and markets with somewhat dubious past which might raise some eyebrows.
 
Doubtful - some of the media might have exposed themselves to charges possibly - unfortunately I've forgotten where it is off the top of my head but there is a long discussion in the user comments at the end of one of the linked articles on the legal aspect of it - largely, especially as they are in Israel, there isn't likely to be much comeback as far as the law goes unless it can be linked to insider trading, etc.

They are pretty much finished as a company though after this debacle.

Sadly this is the one and only thing I can agree on with Roff in all this, there is no real interest to bring something like this to book and Israel protects its citizens from almost all external legal challenges.
 
All this stuff affects Intel also. You're mentioning stuff as well as CTS Labs that is things that does not matter what CPU or motherboard/chipset you have under the hood, hackers gain access through traditional methods which require security patches. They use loopholes not anything similar to Spectre or Meltdown.

It's the same methodology if I allow a hacker access to my computer physically they could use all sorts of vulnerabilities to their disposal but prevent that access, remove that loophole and boom. That prevents them using these so called vulnerabilities. So the vulnerabilities isn't the hardware more further up the chain. Stop that then you stop it dead until hackers find another loophole.

I'm just sick of people such as these CTS labs using this to attack AMD and people actually entertaining it. I mean Gamers Nexus did a great video on this and literally just embarrassed CTS labs attempt at giving AMD a bad name.
And for your info I'm rocking 8700K and have been using Intel for years. Not been AMD since Bulldozer came out rocking the 6 core chip and that was quickly replaced when I realised it wasn't great. So no bias over here like you keep seeming to assume.
 
https://www.google.co.uk/maps/place...e52fd6073f16946!8m2!3d32.0605061!4d34.7742262

Possibly their "offices" in Tel-Aviv. Though I get the feeling their "CFO" is actually operating from New York.

All this stuff affects Intel also.

Broadly yes - but there are several specifics to AMD's Promontory chipset that give it something of note in this instance. People seem to be missing, possibly wilfully, the importance of that factor and why it is distinguishing as far as it goes in this specific case.

As I mentioned before Intel had their own dose of fail along similar lines and in fact worse around a year back but that is patched these days - so it isn't really noteworthy at this point.
 
Doubtful - some of the media might have exposed themselves to charges possibly - unfortunately I've forgotten where it is off the top of my head but there is a long discussion in the user comments at the end of one of the linked articles on the legal aspect of it - largely, especially as they are in Israel, there isn't likely to be much comeback as far as the law goes unless it can be linked to insider trading, etc.

They are pretty much finished as a company though after this debacle.

EDIT: One of the guys involved seems to have offices for another company in New York however so there is a legal exposure there dunno assuming there was ever a legal case to answer. He also has a background in finance and markets with somewhat dubious past which might raise some eyebrows.

I read recently (can't remember the link) but there might be moves against the company / companies as of defamation of company name AMD. They have explicatively used the company's name and product name(s) and also implicated (i.e. amdflaws.com) in a defamatory way. There could also be more action regarding stock manipulation.
At the end of the day, even if there is a comprehensive case I think AMD will think long and hard about this. Depends on company image.

At least now they don't have to worry about if they can pay the legal bills. :)
 
https://www.google.co.uk/maps/place...e52fd6073f16946!8m2!3d32.0605061!4d34.7742262

Possibly their "offices" in Tel-Aviv. Though I get the feeling their "CFO" is actually operating from New York.



Broadly yes - but there are several specifics to AMD's Promontory chipset that give it something of note in this instance. People seem to be missing, possibly wilfully, the importance of that factor and why it is distinguishing as far as it goes in this specific case.

As I mentioned before Intel had their own dose of fail along similar lines and in fact worse around a year back but that is patched these days - so it isn't really noteworthy at this point.


This was CTS-Labs' line, almost word for word, like CTS-Labs as an entity this has been debunked, Intel use the same Chip-Sets and in the same way, it's born out of one of Intel's original Spectre exploits that this has come to light, AMD use the same Chip-Sets so perhaps they have the same vulnerability? Well it turns out that is indeed true. And we already know this.
 
I don't like AMD and I've never hid that - I am not a fan of the way they talk big but generally fail to deliver on the talk and then say nothing at all when they should be talking and can't support them as a company because of that.
One of the rules of business is no matter what product you end up manufacturing or develop even if engineers and marketing teams all know that the product isn't half as good as they would have hoped for you still have to talk it up as if it's the next big thing to get it over with buyers if you don't and just accept it's crap and communicate that to your clients then you may as well just not bother releasing it. I don't blame AMD for doing this and would expect them to keep doing it in the future.
 
Apologies if this has been posted before (had a crack at searching first), seems like a pretty good summary

Final Words
If you are tallying the bizarre, we have:

  • An alleged security firm that cannot secure its domain with HTTPS that
  • Is not sure what its legal entity name is
  • Whose methods relied upon public information stated that
  • The vulnerabilities they are talking about are not factual and
  • Were disclosed publicly in 24 hours instead of the standard 90 days
Then the question of who could be behind this comes into play. The production quality on video seems to be decent and there is a good amount of content. I have gotten several pings, and I frankly would be shocked if this was Intel. It would not be how I would expect them to compete and the legal disclaimer is too sloppy to be Intel.

While we do not know exactly who this is, best guess, the SEC will be looking into groups of short sellers as it seems like a higher-dollar scare tactic akin to a pump and dump on a Bitcoin/ alt-coin forum rather than an actual security vulnerability disclosure.

There may, indeed, be a set of vulnerabilities with AMD EPYC and Ryzen. In fact, in all likelihood, there are undiscovered bugs and vulnerabilities as we see in any chip design from any modern vendor.

https://www.servethehome.com/bizarre-amd-epyc-ryzen-vulnerability-disclosure/
 
One of the rules of business is no matter what product you end up manufacturing or develop even if engineers and marketing teams all know that the product isn't half as good as they would have hoped for you still have to talk it up as if it's the next big thing to get it over with buyers if you don't and just accept it's crap and communicate that to your clients then you may as well just not bother releasing it. I don't blame AMD for doing this and would expect them to keep doing it in the future.

Agreed on that aspect but that is only a portion of what I'm talking about. Before a couple of new generations around the 200 series for instance there was stuff going on publicly between AMD reps and Dice graphics programmers who had the cards a couple of months ahead of release on Twitter bad mouthing nVidia and saying how nVidia was finished and it would take them two generations to catch up with this level of performance, etc. and we all know how that turned out. Along with other digs at the competition which they never lived up to, etc.

Apologies if this has been posted before (had a crack at searching first), seems like a pretty good summary



https://www.servethehome.com/bizarre-amd-epyc-ryzen-vulnerability-disclosure/

Unfortunately that summary is somewhat drawing unsubstantiated conclusions - even though they seem likely - the video production quality isn't that great - largely well done but there are issues with the keying, etc. (the Kippah appearing and disappearing is kind of amusing) nothing beyond the kind of level that the average experienced YouTuber these days can come out with.

The execution is not particularly good in general - they've obviously rushed many aspects to try and give the impression of a more rounded out company than is actually the case and this is where I differ a bit from the conclusions some of the tech sites are coming up with - it's obvious that despite the bumbling execution they do actually care about their company name (though it is pretty much finished now) - if this had unfolded as an orchestrated hit from the start it is unlikely they'd have bothered going back and trying to substantiate the technical details, backtracking on some aspects and putting in some details of testing belatedly that weren't there originally - it is more likely if this was the efforts of a bad actor from the start they'd have either linked and run with the site as is with a sacrificial company and disappeared or had a slickly orchestrated disclosure that had the technical details and so on down pat with a much harder to penetrate visage.

It is much more likely that CTS-Labs itself started down this road in good faith albeit a half-cocked effort at making a name for a fledgling company and getting their names up in lights lacking the experience to really carry it out and at some point this has been opportunistically hijacked either by an individual working within the company and/or the company they first went to to get media exposure (possibly a combination of both).

Also despite these vulnerabilities being unproven in practical use the concepts themselves do check out and while a good bit of it is fairly pedestrian are still potentially significant if AMD find they check out as nothing, even if it does need admin, should be able to penetrate some of the security barriers inside the system like that and 1-2 angles do facilitate much more sophisticated second level attacks than is generally possible - albeit requiring significant resources to do so which narrows their scope of use.

EDIT: There isn't (last time I checked) a regulatory body enforced standard for security disclosures though there are legal aspects and incentives for people to use one of the standard procedures - at the end of the day it's industry recommended, but voluntary, best practise. I don't really buy their reasoning for not following it but some people are portraying the process in a manner that it isn't.
 
oh dear :(

 
Agreed on that aspect but that is only a portion of what I'm talking about. Before a couple of new generations around the 200 series for instance there was stuff going on publicly between AMD reps and Dice graphics programmers who had the cards a couple of months ahead of release on Twitter bad mouthing nVidia and saying how nVidia was finished and it would take them two generations to catch up with this level of performance, etc. and we all know how that turned out. Along with other digs at the competition which they never lived up to, etc.



Unfortunately that summary is somewhat drawing unsubstantiated conclusions - even though they seem likely - the video production quality isn't that great - largely well done but there are issues with the keying, etc. (the Kippah appearing and disappearing is kind of amusing) nothing beyond the kind of level that the average experienced YouTuber these days can come out with.

The execution is not particularly good in general - they've obviously rushed many aspects to try and give the impression of a more rounded out company than is actually the case and this is where I differ a bit from the conclusions some of the tech sites are coming up with - it's obvious that despite the bumbling execution they do actually care about their company name (though it is pretty much finished now) - if this had unfolded as an orchestrated hit from the start it is unlikely they'd have bothered going back and trying to substantiate the technical details, backtracking on some aspects and putting in some details of testing belatedly that weren't there originally - it is more likely if this was the efforts of a bad actor from the start they'd have either linked and run with the site as is with a sacrificial company and disappeared or had a slickly orchestrated disclosure that had the technical details and so on down pat with a much harder to penetrate visage.

It is much more likely that CTS-Labs itself started down this road in good faith albeit a half-cocked effort at making a name for a fledgling company and getting their names up in lights lacking the experience to really carry it out and at some point this has been opportunistically hijacked either by an individual working within the company and/or the company they first went to to get media exposure (possibly a combination of both).

Also despite these vulnerabilities being unproven in practical use the concepts themselves do check out and while a good bit of it is fairly pedestrian are still potentially significant if AMD find they check out as nothing, even if it does need admin, should be able to penetrate some of the security barriers inside the system like that and 1-2 angles do facilitate much more sophisticated second level attacks than is generally possible - albeit requiring significant resources to do so which narrows their scope of use.

EDIT: There isn't (last time I checked) a regulatory body enforced standard for security disclosures though there are legal aspects and incentives for people to use one of the standard procedures - at the end of the day it's industry recommended, but voluntary, best practise. I don't really buy their reasoning for not following it but some people are portraying the process in a manner that it isn't.

You're still missing a few key points with this long winded defense of CTS-Labs.

  • The computing security firm who CTS-Labs hired to validate their work have completely discredited them.
  • Their intention by their own addition was not as you put it "in good faith" but motivated by attacking AMD for financial gain.
  • It's categorized by the industry as a non-issue that affects Intel and AMD equally.
I'm happy to lay it all out in a long winded wall of text that has little, or rather in my case much actual substance if you like?
 