
Linus Torvalds slams CTS Labs

So this happened:

Linux's creator said he thinks CTS Labs' AMD chip security report "looks more like stock manipulation than a security advisory" and questions an industry.

 

Quote

The startup has jazzed up its discoveries with a research paper, a video describing the vulnerabilities, and, of course, fancy names for them: Ryzenfall, Master Key, Fallout, and Chimera.

 

CTS Labs claimed in an interview they gave AMD less than a day because they didn't think AMD could fix the problem for "many, many months, or even a year" anyway.

Why would they possibly do this? For Torvalds: "It looks more like stock manipulation than a security advisory to me."

These are real bugs though. Dan Guido, CEO of Trail of Bits, a security company with a proven track-record, tweeted: "Regardless of the hype around the release, the bugs are real, accurately described in their technical report (which is not public afaik), and their exploit code works." But, Guido also admitted, "Yes, all the flaws require admin [privileges] but all are flaws, not expected functionality."

I don't really think CTS has done an impartial job. I really believe that INTEL is behind this "Research paper", if one can call it that.

 

Quote

What Torvalds really wants from security programmers and researchers, as he spelled out recently, is:

  • the first step should *ALWAYS* be "just report it." Not killing things, not even stopping the access. Report it. Nothing else.
  • "Do no harm" should be your mantra for any new hardening work.

This is something that the industry has long forgotten. There has to be a spirit of collaboration between all of us.

 

 

Source: http://www.zdnet.com/article/linus-torvalds-slams-cts-labs-over-amd-vulnerability-report/


The 24h notice and the explanation behind it is just BS though. Makes no sense.

| Ryzen 7 7800X3D | AM5 B650 Aorus Elite AX | G.Skill Trident Z5 Neo RGB DDR5 32GB 6000MHz C30 | Sapphire PULSE Radeon RX 7900 XTX | Samsung 990 PRO 1TB with heatsink | Arctic Liquid Freezer II 360 | Seasonic Focus GX-850 | Lian Li Lanccool III | Mousepad: Skypad 3.0 XL / Zowie GTF-X | Mouse: Zowie S1-C | Keyboard: Ducky One 3 TKL (Cherry MX-Speed-Silver)Beyerdynamic MMX 300 (2nd Gen) | Acer XV272U | OS: Windows 11 |


8 minutes ago, Wolther said:

Gamers Nexus also did a video on this. Near the end he shows a statement from Intel to Gamers Nexus stating that they had no part in it.

 

 

20:14 is the statement 

Of course if you are Intel you will deny it whether it's true or not.

I don't read the reply to my posts anymore so don't bother.


Yeah, this whole thing was just CTS trying to snipe AMD.

CPU: Core i9 12900K || CPU COOLER : Corsair H100i Pro XT || MOBO : ASUS Prime Z690 PLUS D4 || GPU: PowerColor RX 6800XT Red Dragon || RAM: 4x8GB Corsair Vengeance (3200) || SSDs: Samsung 970 Evo 250GB (Boot), Crucial P2 1TB, Crucial MX500 1TB (x2), Samsung 850 EVO 1TB || PSU: Corsair RM850 || CASE: Fractal Design Meshify C Mini || MONITOR: Acer Predator X34A (1440p 100hz), HP 27yh (1080p 60hz) || KEYBOARD: GameSir GK300 || MOUSE: Logitech G502 Hero || AUDIO: Bose QC35 II || CASE FANS : 2x Corsair ML140, 1x BeQuiet SilentWings 3 120 ||

 

LAPTOP: Dell XPS 15 7590

TABLET: iPad Pro

PHONE: Galaxy S9

She/they 


Linus AMD shill confirmed

 


/s

 

One day I will be able to play Monster Hunter Frontier in French/Italian/English on my PC, it's just a matter of time... 4 5 6 7 8 9 years later: It's finally coming!!!

Phones: iPhone 4S/SE | LG V10 | Lumia 920 | Samsung S24 Ultra

Laptops: Macbook Pro 15" (mid-2012) | Compaq Presario V6000

Other: Steam Deck

<>EVs are bad, they kill the planet and remove freedoms too some/<>


They said they had "16 years of experience" while the company was founded in 2017 according to their own website, and the YouTube channel and domain were registered 3 days ago.

 


35 minutes ago, Shreyas1 said:

They said they had "16 years of experience" while the company was founded in 2017 according to their own website, and the YouTube channel and domain were registered 3 days ago.

They can have experience from before the company, but I'm dazzled by how they went about this after they discovered it. 24 hours isn't enough for AMD to check their mail.


So 3 guys here are vouching?

Either way, we didn't need another topic when we already have one:

 

https://www.anandtech.com/show/12525/security-researchers-publish-ryzen-flaws-gave-amd-24-hours-to-respond

 

Update 3/13 5:40pm ET

Reported over at Motherboard are a few new elements to the story.

Dan Guido, founder of security firm Trail of Bits, was contacted by CTS Labs last week to confirm the exploits and the code. "Each of them works as described," stated Guido. Guido has confirmed to AnandTech that Trail of Bits has had no prior contact with CTS-Labs, stating that "they found us through a mutual friend". Guido goes on to say that CTS-Labs "sought us out because they were concerned about the validity of their findings".

In a tweet, Guido goes on to say that Trail of Bits was paid for their research time, clarifying further that "It was driven by curiosity first and a favor. However, once we received the technical report and fielded their first set of questions, we realized it went beyond a favor. We anticipated 1 bug, not 13, so we asked to get paid."

Reuters has published that Trail of Bits were paid $16000 for the time spent reviewing the code.

Motherboard also stated that due to the escalated privileges required for these attacks, these are 'second stage' vulnerabilities, requiring the attacker to gain administrative access first before installing relevant (potentially undetectable) spying software on a network.

Also reported at Motherboard, CTS-Labs CEO, Ido Li On, has stated that the issues are "very, very bad. This is probably as bad as it gets in the world of security."

CTS-Labs decided to state to Motherboard when they notified AMD of the issue, but CTO Yaron Luk-Zilberman defended their timing decisions, calling it a "public interest disclosure". Luk-Zilberman is also quoted as saying "We are letting the public know of these flaws but we are not putting out technical details and have no intention of putting out technical details, ever".

CTS-Labs has reached out to discuss the issue, but have not responded to my email.

Update 3/14 4:45am ET

We have arranged a call with CTS-Labs today.

Update 3/14 5:00am ET

Reported by Ars Technica, a second security firm has now spoken publicly about being contacted by CTS-Labs for verification of the vulnerabilities. Gadi Evron, CEO of Cymmetria, stated in a series of tweets that:

  1. He knows CTS-Labs and vouches for their technical capabilities, but has no knowledge of their business model
  2. All the vulnerabilities do not require physical access (a simple exe is all that is needed)
  3. Fallout does not require a reflash of the BIOS
  4. CTS-Labs believes that the public has a right to know if a vendor they are using makes them vulnerable, which is why no substantial lead time was given.

Quoted by Ars is David Kanter, founder of Real World Technologies and industry consultant, who verifies that even though these are secondary stage attacks, they can still be highly important. David states that while "All the exploits require root access - if someone already has root access to your system, you're already compromised. This is like if someone broke into your home and they got to install video cameras to spy on you".

Ars also quotes Dan Guido, who states that all that is needed to enable these exploits is the credentials of a single administrator: "Once you have administrative rights, exploiting the bugs is unfortunately not that complicated."


There are clearly two issues here:

 

1. AMD vulnerabilities - 13 of them. While they are second stage vulnerabilities, they are still potentially pretty bad. Let's not dismiss the severity of these vulnerabilities. AMD needs to inspect these vulnerabilities, and announce a road map to patch them ASAP.

 

2. The complete and utter ethical violations of CTS-Labs in disclosing the vulnerabilities (even with the technical document or code), after 24h of notifying AMD.

 

Claiming that they didn't think AMD could ever fix them, or that it would take months or years is a 100% bullshit response. Only AMD (or someone with access to the source code and hardware design specs) can know how long it'll take. It very well might take 6 months to fix... you know, just like Meltdown and Spectre.

 

They should have approached AMD, given them 90 days, then release the info. By doing so now, they've put people at a greater risk. Yes, we don't know if any hackers have figured out the code to exploit these, but it's only a matter of time. And you can be damn sure that hackers are now carefully analyzing every bit of information released on these vulnerabilities, to attempt to reverse engineer an exploit.

 

Also, if the potential for Stock Manipulation turns out to be true? Then that would be very illegal in the US, and - if true - they should face the full consequences of the law (And AMD should still patch the vulnerabilities too).

 

So let's be clear, we can be outraged at both issues. We should be outraged at both issues. Yes, get mad at CTS-Labs, if you want. But also, these are significant vulnerabilities that must be fixed immediately.

For Sale: Meraki Bundle

 

iPhone Xr 128 GB Product Red - HP Spectre x360 13" (i5 - 8 GB RAM - 256 GB SSD) - HP ZBook 15v G5 15" (i7-8850H - 16 GB RAM - 512 GB SSD - NVIDIA Quadro P600)

 


5 hours ago, Darkmaster29 said:

I don't really think CTS has done an impartial job. I really believe that INTEL is behind this "Research paper" if one can call it that way.

Could be a hedge fund manager that has massive short positions in AMD that look REALLY bad right now. I seriously doubt Intel would directly fund or encourage this action, since the info was purposely supposed to be released to the public for maximum impact in the first place. That's a very openly shady tactic. Intel does shady practices behind closed doors.

CPU: i7 4790k @ 4.7 GHz

GPU: XFX GTS RX580 4GB

Cooling: Corsair h100i

Mobo: Asus z97-A 

RAM: 4x8 GB 1600 MHz Corsair Vengence

PSU: Corsair HX850

Case: NZXT S340 Elite Tempered glass edition

Display: LG 29UM68-P

Keyboard: Roccat Ryos MK FX RGB

Mouse: Logitech g900 Chaos Spectrum

Headphones: Sennheiser HD6XX

OS: Windows 10 Home


11 minutes ago, ATFink said:

Could be a hedge fund manager that has massive short positions in AMD that look REALLY bad right now. I seriously doubt Intel would directly fund or encourage this action, since the info was purposely supposed to be released to the public for maximum impact in the first place. That's a very openly shady tactic. Intel does shady practices behind closed doors.

IF Intel is involved (and I'm not convinced that they are), they did it very much behind the scenes. There's next to no chance of direct involvement.

 

Why do I think that? They're smart enough to avoid obvious, easily detectable anti-competitive actions.

 

As far as I'm aware, there is zero evidence of Intel involvement - from what I can tell, someone just straight up made up that accusation, and people are foolishly running with it.


2 minutes ago, dalekphalm said:

IF Intel is involved (and I'm not convinced that they are), they did it very much behind the scenes. There's next to no chance of direct involvement.

 

Why do I think that? They're smart enough to avoid obvious, easily detectable anti-competitive actions.

 

As far as I'm aware, there is zero evidence of Intel involvement - from what I can tell, someone just straight up made up that accusation, and people are foolishly running with it.

Also, having AMD around means no splitting the company due to monopolization laws.

Come Bloody Angel

Break off your chains

And look what I've found in the dirt.

 

Pale battered body

Seems she was struggling

Something is wrong with this world.

 

Fierce Bloody Angel

The blood is on your hands

Why did you come to this world?

 

Everybody turns to dust.

 

Everybody turns to dust.

 

The blood is on your hands.

 

The blood is on your hands!

 

Pyo.


15 minutes ago, anthonyjc2010 said:

Conspiracy theorist much? Intel is a company that has done a lot of controversial things in recent memory, but they are not stupid enough to do this. Well... that's not exactly true. If they were desperate enough they could do this, but they really aren't in an overly bad position. Ryzen is basically unknown to the average consumer and is only being purchased by a small number of enthusiasts. So, while their market share is decreasing, we still don't know what Zen 2 - Ryzen 3 - is going to look like - which, in my opinion, will determine the future of AMD in the CPU market - so Intel really isn't in a position where the reward of bashing AMD's name outweighs the risk of making CTS labs and releasing this paper the way they did.

 

It's far more likely - in my opinion - that CTS labs and Viceroy are financially invested in AMD and would benefit from their stock price dropping in the short-term. If my hypothesis is true and they are caught, the US government is going to have a field day with them - in the worst way possible, of course.

So 3 other companies would vouch for them, risking their rep?


I'm on board with the idea that this could be stock manipulation by a hedge fund of some sort that doesn't like its current standing in its investment with AMD.

a Moo Floof connoisseur and curator.

:x@handymanshandle x @pinksnowbirdie || Jake x Brendan :x
Youtube Audio Normalization
 

 

 


1 hour ago, dalekphalm said:

IF Intel is involved (and I'm not convinced that they are), they did it very much behind the scenes. There's next to no chance of direct involvement.

 

Why do I think that? They're smart enough to avoid obvious, easily detectable anti-competitive actions.

 

As far as I'm aware, there is zero evidence of Intel involvement - from what I can tell, someone just straight up made up that accusation, and people are foolishly running with it.

I agree. Precisely why I said I highly doubt Intel would directly fund or encourage this behavior. I honestly believe someone with a horrible stock position funded the research for this in an attempt to cover some of their losses with an agendized white paper.

 

Gamers Nexus has a great video about the matter:

This doesn't negate the fact that Ryzen security flaws exist, but I believe they were highly exaggerated to sound more compromising than they really are.

 

There probably should be a lawsuit about this with regards to attempted sabotage since there was only a 24 hour notice.

 

EDIT:

...whoops, I didn't realize the first response to this thread was the very video in my post. Sorry for the duplicate info.

Edited by ATFink


So this is attempted stock manipulation?

These guys must be quite bemused that it hasn't worked LOL.


6 hours ago, pas008 said:

so 3 other companies would vouch for them risking their rep?

How did they vouch for them though? From what you posted, it seems like the companies more said that the exploits are real, not that the company itself isn't shady. I mean, just because the exploits are real doesn't mean that the way the information was handled and conveyed wasn't incredibly biased and seemed to target AMD's reputation. I mean, that's like saying that someone isn't blackmailing someone because 3 other people have said that the person blackmailing has real dirt on the person instead of fake. All I know is that if they did short AMD, they are incredibly stupid. They will get in a lot of trouble if something like that comes to light.


Irrelevant, angry man continues to yell at things.

 

More, at eleven.


2 minutes ago, huilun02 said:

I know, right? Some suspicious company is trying to kill off the manufacturer that is keeping CPUs affordable, but our bigger concern is the guy who put up the red flag.

Baseless accusations don't help anyone though.  And let's not pretend like AMD is some white knight making sacrifices to help the consumer.

Make sure to quote or tag me (@JoostinOnline) or I won't see your response!

PSU Tier List  |  The Real Reason Delidding Improves Temperatures  |  "2K" does not mean 2560×1440


14 hours ago, mynameisjuan said:

We really didn't need another thread on this. Especially about Linus Torvalds and his stupid rants.

Funny enough, his famous "Fuck you Nvidia" comment is the reason why their support for Linux improved.

[Out-of-date] Want to learn how to make your own custom Windows 10 image?

 

Desktop: AMD R9 3900X | ASUS ROG Strix X570-F | Radeon RX 5700 XT | EVGA GTX 1080 SC | 32GB Trident Z Neo 3600MHz | 1TB 970 EVO | 256GB 840 EVO | 960GB Corsair Force LE | EVGA G2 850W | Phanteks P400S

Laptop: Intel M-5Y10c | Intel HD Graphics | 8GB RAM | 250GB Micron SSD | Asus UX305FA

Server 01: Intel Xeon D 1541 | ASRock Rack D1541D4I-2L2T | 32GB Hynix ECC DDR4 | 4x8TB Western Digital HDDs | 32TB Raw 16TB Usable

Server 02: Intel i7 7700K | Gigabye Z170N Gaming5 | 16GB Trident Z 3200MHz


As all the replies here seem to be talking about the wider issue rather than Linus Torvalds's response specifically, I'm going to lock this topic and direct you to the main topic on this story, so that all of the discussion is contained in one place and the inevitable flame wars can be noticed and extinguished as soon as possible.

 

HTTP/2 203
