Jump to content
Search In
  • More options...
Find results that contain...
Find results in...
Darkmaster29

Linus Torvalds slams CTS Labs

Recommended Posts

Posted · Original PosterOP

So this happend:

Linux's creator said he thinks CTS Labs' AMD chip security report "looks more like stock manipulation than a security advisory" and questions an industry.

 

Quote

The startup has jazzed up its discoveries with a research paper, a video describing the vulnerabilities, and, of course, fancy names for them: Ryzenfall, Master Key, Fallout, and Chimera.

 

CTS Labs claimed in an interview they gave AMD less than a day because they didn't think AMD could fix the problem for "many, many months, or even a year" anyway.

Why would they possibly do this? For Torvalds: "It looks more like stock manipulation than a security advisory to me."

These are real bugs though. Dan Guido, CEO of Trail of Bits, a security company with a proven track-record, tweeted: "Regardless of the hype around the release, the bugs are real, accurately described in their technical report (which is not public afaik), and their exploit code works." But, Guido also admitted, "Yes, all the flaws require admin [privileges] but all are flaws, not expected functionality."

I don't really think CTS has done an impartial job. I really believe that INTEL is behind this "Research paper" if one can call it that way.

 

Quote

What Torvalds really wants from security programmers and researchers, as he spelled out recently, is:

  • the first step should *ALWAYS* be "just report it." Not killing things, not even stopping the access. Report it. Nothing else.
  • "Do no harm" should be your mantra for any new hardening work.

This is something that the industry has long forgotten. there has to be a spirit of colaboration between all of us.

 

 

Source: http://www.zdnet.com/article/linus-torvalds-slams-cts-labs-over-amd-vulnerability-report/

Link to post
Share on other sites
8 minutes ago, Wolther said:

gamers nexus also did a video on this. Near the end he shows a statement from intel to gamers nexus stating that they had no part in it. 

 

 

20:14 is the statement 

Of course if you are Intel you will deny it whether it's true or not.


I don't read the reply to my posts anymore so don't bother.

Link to post
Share on other sites

Yeah this whole thing was just CTS trying to snipe AMD


Asus & Arctic loyalist bordering on self-aware fanboy; Anti-MSi and Hyper 212 crusader; lover of ASUS Prime motherboards & the Arctic Freezer 33 eSports / BioniX fan. Licensed memer.

DIOCLETIAN III : CPU: Core i7-8700K @5.0GhZ || CPU COOLER : BeQuiet! Dark Rock Pro 4 || MOBO : ASUS STRIX Z370-E || GPU: ASUS GTX 1080 Ti STRIX OC || RAM: 2 (2x more coming) x8GB GeIL Super Luce RGB Sync || Pile of SSDs lol: 970 EVO 250GB (Boot), 850 EVO 1TB, MX500 1TB | PSU: Corsair RM650x & Corsair Premium cables || Phanteks Enthoo Pro M TG RGB SE|| Monitor: Samsung 28" 4K60HZ ||  KEYBOARD: Corsair K95 RGB Platinum (MX Browns) || Mouse: SteelSeries Rival 310 with XXL mouse mat || Audio: SteelSeries Arctis 5, Blue Snowball iCE || Case Fans : 2x Phanteks 140mm Halos RGB'd fans||

MAXIMIAN II  : CPU: Ryzen 5 1600 @ 3.9GhZ|| CPU COOLER : Cooler Master ML240L || MOBO : MSI X370 Gaming Pro Carbon|| GPU: ASUS GTX 1080 Strix || RAM: 2x8GB G.Skill Aegis (2666) || SSD: TeamGroup L5 Lite 3D 240GB, Intel 545s 256GB || HDD: Barracuda 2TB || PSU: SeaSonic Focus+ Gold 650W w/ Cablemod Basics extensions || CASE: Phanteks P300 Black || Monitor: ACER KG1 1440p 144HZ ||  KEYBOARD: Razer BlackWidow X Chroma TE  || Mouse: SteelSeries Rival 310 || Audio: HyperX Cloud II || Case Fans : 3x Corsair SP120 Blue LED||

LAPTOP - 3XS L15 Vengeance Pro, Incoming : CPU: Core i7-8750H || GPU: GTX 1060 6GB || RAM: 2*8GB DDR4-2666 SODIMM || SSD: 500GB 860 Evo, 500GB 850 Evo || CASE: 15" Laptop - Black || Monitor: 15" 1080p 60HZ ||  KEYBOARD: Laptop keyboard  || Mouse: Probably a Rival 310 (Yes I have three) || Audio: Depends

MARCUS AURELIUS II : CPU: i5-7500 || CPU COOLER : Enermax ET-ST40 Fit || MOBO : Gigabyte Z270XP-SLI || GPU: Gigabyte GTX 1060 3GB || RAM: 1x8GB G.Skill Aegis (2666) || SSD: 240GB TeamGroup L5 Lite 3D|| HDD: WD Green 500GB || PSU: Corsair CX750M || CASE: MasterBox Lite 5 || Monitor: ViewSonic generic 22" ||  KEYBOARD: Razer BlackWidow Ultimate 2016  || Mouse: HyperX Pulsefire || Audio: Not yet || Case Fans : 1x Phanteks case fan, 1x included fan, 1x NZXT case fan

Mobile: Galaxy S7, Honor 7X || Kindle Fire 10" & 7" - Running Android 6.0 ||

Forum salt merchant so granted by @dizmo, Grand Deacon of the Glorious Brethren and Guardians of the Most High Overlords Asus and Arctic Cooling. All hail thy lord and savior the Arctic Freezer 33 eSports ONE

Link to post
Share on other sites

Linus AMD shill confirmed

 

Spoiler

/s

 


One day I will be able to play Monster Hunter Frontier in French/Italian/English on my PC, it's just a matter of time... 4 5 6 7 8 9 years later: It's finally coming!!!

Phones: iPhone 4S/SE | LG V10 | Lumia 920

Laptops: Macbook Pro 15" (mid-2012) | Compaq Presario V6000

Link to post
Share on other sites

 They said they had "16 years of experience " while the company was founded in 2017 according to their own website, and the YouTube channel and domain were registered 3 days ago


 

Spoiler
Spoiler
Spoiler
Spoiler
Spoiler
Spoiler
Spoiler
Spoiler
Spoiler
Spoiler
Spoiler
Spoiler
Spoiler
Spoiler
Spoiler
Spoiler
Spoiler
Spoiler
Spoiler
Spoiler
Spoiler

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Original Config

 

CPU: i5 6500, Graphics Card:  ASUS dual gtx 1070, Case: thermaltake core v21, PSU: EVGA 600B, Motherboard: msi b150m bazooka, HDD: WD blue 1tb, SSD: Sandisk z400s 250GB, RAM: Corsair Vengeance LPX DDR4 3000MHz 8gb (x2)

 

 

Link to post
Share on other sites
35 minutes ago, Shreyas1 said:

 They said they had "16 years of experience " while the company was founded in 2017 according to their own website, and the YouTube channel and domain were registered 3 days ago

They can have experience from before the company, but im dazzled by how they went about this after they discovered it. 24 hours isnt enough for AMD to check their mail. 

Link to post
Share on other sites

so 3 guys here are vouching?

either way didnt need another topic when we have one

 

https://www.anandtech.com/show/12525/security-researchers-publish-ryzen-flaws-gave-amd-24-hours-to-respond

 

Update 3/13 5:40pm ET

Reported over at Motherboard are a few new elements to the story.

Dan Guido, founder of security firm Trail of Bits, was contacted by CTS Labs last week to confirm the exploits and the code.

"Each of them works as described,",

Stated Guido. Guido has confirmed to AnandTech that Trail of Bits has had no prior contact with CTS-Labs, stating that

"they found us through a mutual friend".

Guido goes on to say that CTS-Labs

"sought us out because they were concerned about the validity of their findings".

In a tweet, Guido goes on to say that Trail of Bits was paid for their research time, clarifying further that 

"It was driven by curiosity first and a favor. However, once we received the technical report and fielded their first set of questions, we realized it went beyond a favor. We anticipated 1 bug, not 13, so we asked to get paid."

Reuters has published that Trail of Bits were paid $16000 for the time spent reviewing the code.

Motherboard also stated that due to the escalated privileged required for these attacks, these are 'second stage' vulnerabilities, requiring the attacker to gain administrative access first before installing relevant (potentially undetectable) spying software on a network.

Also reported at Motherboard, CTS-Labs CEO, Ido Li On, has stated that the issues are

"very, very bad. This is probably as bad as it gets in the world of security,"

CTS-Labs decided to state to Motherboard when they notified AMD of the issue, but CTO Yaron Luk-Zilberman defended their timing decisions, calling it a "public interest disclosure". Luk-Zilberman is also quoted as saying

"We are letting the public know of these flaws but we are not putting out technical details and have no intention of putting out technical details, ever"

CTS-Labs has reached out to discuss the issue, but have not responded to my email.

Update 3/14 4:45am ET

We have arranged a call with CTS-Labs today.

Update 3/14 5:00am ET

Reported by Ars Technica, a second security firm has now spoken publicly about being contacted by CTS-Labs for verification of the vulnerabilities. Gadi Evron, CEO of Cymmetria, stated in a series of tweets that:

  1. He knows CTS-Labs and vouches for their technical capabilities, but has no knowledge of their business model
  2. All the vulnerabilites do not require physical access (a simple exe is all that is needed)
  3. Fallout does not require a reflash of the BIOS
  4. CTS-Labs believes that the public has a right to know if a vendor they are using makes them vulnerable, which is why no substantial lead time was given.

Quoted by Ars is David Kanter, founder of Real World Technologies and industry consultant, who verifies that even though these are secondary stage attacks, they can still be highly important. David states that while

"All the exploits require root access - if someone already has root access to your system, you're already compromised. This is like if someone broke into your home and they got to install video cameras to spy on you".

Ars also quotes Dan Guido, who states that all that is needed to enable these exploits is the credentials of a single administrator: 

"Once you have administrative rights, exploiting the bugs is unforunately not that complicated."

Link to post
Share on other sites

There are clearly two issues here:

 

1. AMD vulnerabilities - 13 of them. While they are second stage vulnerabilities, they are still potentially pretty bad. Let's not dismiss the severity of these vulnerabilities. AMD needs to inspect these vulnerabilities, and announce a road map to patch them ASAP.

 

2. The complete and utter ethical violations of CTS-Labs in disclosing the vulnerabilities (even with the technical document or code), after 24h of notifying AMD.

 

Claiming that they didn't think AMD could ever fix them, or that it would take months or years is a 100% bullshit response. Only AMD (or someone with access to the source code and hardware design specs) can know how long it'll take. It very well might take 6 months to fix... you know, just like Meltdown and Spectre.

 

They should have approached AMD, given them 90 days, then release the info. By doing so now, they've put people at a greater risk. Yes, we don't know if any hackers have figured out the code to exploit these, but it's only a matter of time. And you can be damn sure that hackers are now carefully analyzing every bit of information released on these vulnerabilities, to attempt to reverse engineer an exploit.

 

Also, if the potential for Stock Manipulation turns out to be true? Then that would be very illegal in the US, and - if true - they should face the full consequences of the law (And AMD should still patch the vulnerabilities too).

 

So let's be clear, we can be outraged at both issues. We should be outraged at both issues. Yes, get mad at CTS-Labs, if you want. But also, these are significant vulnerabilities that must be fixed immediately.


For Sale (lots of stuff):

Spoiler

[FS] [CAD] Various things

 

 

* Intel i7-4770K * ASRock Z97 Anniversary * 16GB RAM * 750w Seasonic Modular PSU *

* Crucial M4 128GB SSD (Primary) * Hitachi 500GB HDD (Secondary) *

* Gigabyte HD 7950 WF3 * SATA Blu-Ray Writer * Logitech g710+ * Windows 10 Pro x64 *

 

Link to post
Share on other sites
5 hours ago, Darkmaster29 said:

I don't really think CTS has done an impartial job. I really believe that INTEL is behind this "Research paper" if one can call it that way.

Could be a hedge fund manager that has massive short positions in AMD that look REALLY bad right now. I seriously doubt Intel would directly fund or encourage this action since the info was purposely supposed to released to the public for maximum impact in the first place. That's a very openly shady tactic. Intel does shady practices behind closed doors.


CPU: i7 4790k @ 4.7 GHz

GPU: GTX 780 3GB

Cooling: Corsair h100i

Mobo: Asus z97-A 

RAM: 4x8 GB 1600 MHz Corsair Vengence (originally had 16 GB, got the other 16 GB of the exact same type of RAM for free)

PSU: Corsair HX850 (Also free, thanks little brother!)

Case: NZXT S340 Elite Tempered glass edition ($50 on craigslist... couldn't say no)

Display: LG 29UM68-P

Keyboard: Roccat Ryos MK FX RGB

Mouse: Logitech g900 Chaos Spectrum

Headphones: Sennheiser HD6XX

OS: Windows 10 Home

Link to post
Share on other sites
11 minutes ago, ATFink said:

Could be a hedge fund manager that has massive short positions in AMD that look REALLY bad right now. I seriously doubt Intel would directly fund or encourage this action since the info was purposely supposed to released to the public for maximum impact in the first place. That's a very openly shady tactic. Intel does shady practices behind closed doors.

IF Intel is involved (and I'm not convinced that they are), they did it very much behind the scenes. There's next to no chance of direct involvement.

 

Why do I think that? They're smart enough to avoid obvious, easily detectable anti-competitive actions.

 

As far as I'm aware, there is zero evidence of Intel involvement - from what I can tell, someone just straight up made up that accusation, and people are foolishly running with it.


For Sale (lots of stuff):

Spoiler

[FS] [CAD] Various things

 

 

* Intel i7-4770K * ASRock Z97 Anniversary * 16GB RAM * 750w Seasonic Modular PSU *

* Crucial M4 128GB SSD (Primary) * Hitachi 500GB HDD (Secondary) *

* Gigabyte HD 7950 WF3 * SATA Blu-Ray Writer * Logitech g710+ * Windows 10 Pro x64 *

 

Link to post
Share on other sites
2 minutes ago, dalekphalm said:

IF Intel is involved (and I'm not convinced that they are), they did it very much behind the scenes. There's next to no chance of direct involvement.

 

Why do I think that? They're smart enough to avoid obvious, easily detectable anti-competitive actions.

 

As far as I'm aware, there is zero evidence of Intel involvement - from what I can tell, someone just straight up made up that accusation, and people are foolishly running with it.

Also, having AMD around means no splitting the company due to monopolization laws.


On the endless quest
So far into the west
Where history and destiny collide


Your luck will last forever and
The truth will never die
The fates shall be eternal on your side
Prepare to roll the dice just one more time


With the stars in the sky our guide
Voyage ever onwards
Set a course to the other side
Of the endless oceans blue

Treasure Island
Oh, the legends told of a land of rum and plunder
Treasure Island
On a quest for gold we'll sail the seven seas
 

Pyo.

Link to post
Share on other sites
6 hours ago, Darkmaster29 said:

I don't really think CTS has done an impartial job. I really believe that INTEL is behind this "Research paper" if one can call it that way.

Conspiracy theorist much? Intel is a company that has done a lot of controversial things in recent memory, but they are not stupid enough to do this. Well... that's not exactly true. If they were desperate enough they could do this, but they really aren't in an overly bad position. Ryzen is basically unknown to the average consumer and is only being purchased by a small number of enthusiasts. So, while their market share is decreasing, we still don't know what Zen 2 - Ryzen 3 - is going to look like - which, in my opinion, will determine the future of AMD in the CPU market - so Intel really isn't in a position where the reward of bashing AMD's name outweighs the risk of making CTS labs and releasing this paper the way they did.

 

It's far more likely - in my opinion - that CTS labs and Viceroy are finically invested in AMD and would benefit from their stock price dropping in the short-term. If my hypothesis is true and they are caught, the US government is going to have a field day with them - in the worst way possible, of course.

Link to post
Share on other sites
15 minutes ago, anthonyjc2010 said:

Conspiracy theorist much? Intel is a company that has done a lot of controversial things in recent memory, but they are not stupid enough to do this. Well... that's not exactly true. If they were desperate enough they could do this, but they really aren't in an overly bad position. Ryzen is basically unknown to the average consumer and is only being purchased by a small number of enthusiasts. So, while their market share is decreasing, we still don't know what Zen 2 - Ryzen 3 - is going to look like - which, in my opinion, will determine the future of AMD in the CPU market - so Intel really isn't in a position where the reward of bashing AMD's name outweighs the risk of making CTS labs and releasing this paper the way they did.

 

It's far more likely - in my opinion - that CTS labs and Viceroy are finically invested in AMD and would benefit from their stock price dropping in the short-term. If my hypothesis is true and they are caught, the US government is going to have a field day with them - in the worst way possible, of course.

so 3 other companies would vouch for them risking their rep?

Link to post
Share on other sites

I'm on board with the idea that this could be stock manipulation by a hedge fund of some sort that doesn't like it's current standings in its investment with AMD.


| Whoosh - The Airplane and Airline Thread |

:x@Dan Castellaneta x @pinksnowbirdie || Jake x Tyler :x 52ever :x
Current Rig:
Spoiler

}} Titania  *December 22, 2017* {{

~Ryzen 7 1700 - Asus TUF B350 - Cryorig H7 - Crucial Ballistix Sport LT 8GB @ 2400MHz - XFX Double Dissipation RX 470 4GB - SanDisk SSDPlus 120GB - Toshiba 1TB HDD (2.5" 5400rpm) - Cooler Master Silencio 352 - LG DVD/CD Drive - EVGA SuperNova G2 550W - Windows 10 Education - Logitech G610 (MX Browns) - Corsair m65 Pro RGB~

Planned Upgrades:

Spoiler

}} Titania II  *Late 2018/Early 2019* {{

~Ryzen 7 1700 - Asus TUF B350 - Cryorig H7 - Corsair Vengeance LPX 16GB @ 3000MHz - XFX Double Dissipation RX 470 4GB- Samsung 860 Evo 500GB - Hitachi Ultrastar 7K3000 2TB HDD - Cooler Master Silencio 352 - LG DVD/CD Drive - AverMedia GC570 Capture Card - EVGA SuperNova G2 550W - Windows 10 Education - Logitech G610 (MX Browns) - Corsair m65 Pro RGB~

 

Link to post
Share on other sites
Posted (edited)
1 hour ago, dalekphalm said:

IF Intel is involved (and I'm not convinced that they are), they did it very much behind the scenes. There's next to no chance of direct involvement.

 

Why do I think that? They're smart enough to avoid obvious, easily detectable anti-competitive actions.

 

As far as I'm aware, there is zero evidence of Intel involvement - from what I can tell, someone just straight up made up that accusation, and people are foolishly running with it.

I agree. Precisely why I said I highly doubt Intel would directly fund or encourage this behavior. I honestly believe someone with a horrible stock position funded the research for this in an attempt to cover some of their losses with an agendized white paper.

 

Gamers Nexus has a great video about the matter:

This doesn't negate the fact that Ryzen security flaws exist, but I believe they were highly exaggerated to sound more compromising than they really are.

 

There probably should be a lawsuit about this with regards to attempted sabotage since there was only a 24 hour notice.

 

EDIT:

...whoops, I didn't realize the first response to this thread was the very video in my post. Sorry for the duplicate info.

Edited by ATFink

CPU: i7 4790k @ 4.7 GHz

GPU: GTX 780 3GB

Cooling: Corsair h100i

Mobo: Asus z97-A 

RAM: 4x8 GB 1600 MHz Corsair Vengence (originally had 16 GB, got the other 16 GB of the exact same type of RAM for free)

PSU: Corsair HX850 (Also free, thanks little brother!)

Case: NZXT S340 Elite Tempered glass edition ($50 on craigslist... couldn't say no)

Display: LG 29UM68-P

Keyboard: Roccat Ryos MK FX RGB

Mouse: Logitech g900 Chaos Spectrum

Headphones: Sennheiser HD6XX

OS: Windows 10 Home

Link to post
Share on other sites
6 hours ago, pas008 said:

so 3 other companies would vouch for them risking their rep?

How Did they vouch for them though? From what you posted it seems like the companies more said that the exploits are real not that the company itself isn't shady. I mean just because the exploits are real doesn't mean that the way the information was handled and conveyed wasn't incredibly biased and seemed to target AMDs reputation. I mean that's like saying that someone isn't black mailing someone because 3 other people have said that the person black mailing has real dirt on the person instead of fake. All I know is that if they did short AMD they are incredibly stupid. They will get in alot of trouble if something like that comes to light.

Link to post
Share on other sites

Irrelevant, angry man continues to yell at things.

 

More, at eleven.


On the endless quest
So far into the west
Where history and destiny collide


Your luck will last forever and
The truth will never die
The fates shall be eternal on your side
Prepare to roll the dice just one more time


With the stars in the sky our guide
Voyage ever onwards
Set a course to the other side
Of the endless oceans blue

Treasure Island
Oh, the legends told of a land of rum and plunder
Treasure Island
On a quest for gold we'll sail the seven seas
 

Pyo.

Link to post
Share on other sites
1 hour ago, JoostinOnline said:

Linus Torvald is so annoying.  He can't go 5 minutes without ranting about something.

I know right some suspicious company trying to kill of the manufacturer that is keeping CPUs affordable, but our bigger concern is the guy who put up the red flag


Please quote my post in your reply, so that I will be notified and can respond to it. Thanks.

I do not offer free or paid insurance coverage to anyone let alone bungee jumpers and skydivers.

I do not work in a profession or for a business that has anything to do with the tech/gaming industry.

Link to post
Share on other sites
2 minutes ago, huilun02 said:

I know right some suspicious company trying to kill of the manufacturer that is keeping CPUs affordable, but our bigger concern is the guy who put up the red flag

Baseless accusations don't help anyone though.  And let's not pretend like AMD is some white knight making sacrifices to help the consumer.


Make sure to quote or tag me (@JoostinOnline) or I won't see your response!

PSU Tier List  |  How to build a gaming PC for $400US or less   |  The Real Reason Delidding Improves Temperatures

Link to post
Share on other sites
Guest
This topic is now closed to further replies.

Buy VPN

×