Slashdot Mirror


Can AMD Vulnerabilities Be Used To Game the Stock Market? (vice.com)

Earlier this week, a little-known security firm called CTS Labs reported what it claimed to be severe vulnerabilities and backdoors in some AMD processors. While AMD looks into the matter, the story behind the researchers' discovery and the way they made it public has become a talking point in security circles. The researchers, who work for CTS Labs, only reported the flaws to AMD shortly before publishing their report online. Typically, researchers give companies a few weeks or even months to fix the issues before going public with their findings. To make things even stranger, a little bit over 30 minutes after CTS Labs published its report, a controversial financial firm called Viceroy Research published what they called an "obituary" for AMD. Motherboard reports: "We believe AMD is worth $0.00 and will have no choice but to file for Chapter 11 (Bankruptcy) in order to effectively deal with the repercussions of recent discoveries," Viceroy wrote in its report. CTS Labs seemed to hint that it too had a financial interest in the performance of AMD stock. "We may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports," CTS Labs wrote in the legal disclaimer section of its report.

On Twitter, rumors started to swirl. Are the researchers trying to make money by betting that AMD's share price will go down due to the news of the vulnerabilities? Or, in Wall Street jargon, were CTS Labs and Viceroy trying to short sell AMD stock? Security researcher Arrigo Triulzi speculated that Viceroy and CTS Labs were profit sharing for shorting, while Facebook's chief security officer Alex Stamos warned against a future where security research is driven by short selling.

[...] There's no evidence that CTS Labs worked with Viceroy to short AMD. But something like that has happened before. In 2016, security research firm MedSec found vulnerabilities in pacemakers made by St. Jude Medical. In what was likely a first, MedSec partnered with hedge fund Muddy Waters to bet against St. Jude Medical's stock. For Adrian Sanabria, director of research at security firm Threatcare and a former analyst at 451 Research, where he covered the cybersecurity industry, trying to short based on vulnerabilities just doesn't make much sense. While it could work in theory and could become more common in the future, he said in a phone call, "I don't think we've seen enough evidence of security vulnerabilities really moving the stock for it to really become an issue."
Further reading: Linus Torvalds slams CTS Labs over AMD vulnerability report (ZDNet).

106 comments

  1. Seriously? Peddling the fake propaganda a second t by Anonymous Coward · · Score: 5, Interesting

    The last time this shit was posted, we established that the prerequisites for those "vulnerabilities" were ridiculous, requiring *at least* admin access, or even installing a hacked BIOS first! We also established that CTS Labs were in bed with Intel and had created the domain for this only right before publishing it. Apart from the fact that everyone agreed that giving AMD only such a short time to react before publishing it was completely unprofessional and a "hit job". (To which I agree.)

    So, do you plan on posting it until people believe it because we have given up on reminding everyone, or have you now brought your sock puppet troll army to silence everyone?

    Seriously, in my world, you need to go to prison over this!

  2. Re: Seriously? Peddling the fake propaganda a seco by Anonymous Coward · · Score: 0

    THIS is what people need to go to prison over?

    Nice fucking priorities.

  3. Re: Seriously? Peddling the fake propaganda a seco by Anonymous Coward · · Score: 0

    So a guy in shipping or receiving needs to have 'root access' to the CPU chip. Or a guy in the parts crib has a ZIF socket 'burner' to inject the malware into a tray of processors before they are ever plugged into a board to go in the server.

    Non-volatile embedded malware can be injected into the processor in many ways.

    You guys need to update your concept of 'root access'.

  4. Markets dont care by borcharc · · Score: 2

    Markets have shown little care in the face of computer security issues. You may get a few day drop but nothing lasting. Look at Intel, Target, or anyone else. It's just not that big of a deal to investors or consumers.

    1. Re:Markets dont care by gregfortune · · Score: 1

      I don't think the duration of the drop is really that relevant to the accusation being leveled against CTS Labs. More important is the volume of the drop, the knowledge that it is likely to occur and when it is most likely to occur. If there was indeed collusion and CTS Labs benefited financially from the timing of their announcement, that's illegal.

    2. Re:Markets dont care by Anonymous Coward · · Score: 0

      Which is the perfect type of stock to do this with. If you can guarantee a short-term drop (or gain) that will return to the baseline on a stock worth between 10 and 100 dollars, that is the dream of these people. Assuming you are sitting on news like this that will cause a drop, first you short when they reach a plateau, drop the news, the stock price drops, you stop the short when the short-term panic stops, and buy the stock, then it recovers and you sell back at the plateau. If the start and stop are at the same point, your profit is twice the difference between the high and low points. On a $10 stock that dips to $9, you make $2, so your profit is 20% minus any commission. So that means if this group did the short/buy cycle on this, depending on what commission they negotiated and the exact timing of the resell and buy, they would have around a 9% profit over the course of a week for news they were going to release anyway.

    3. Re:Markets dont care by borcharc · · Score: 1

      I am not in agreement that it's illegal. I can research a company and find something I think is negative about them and sell that information to a 3rd party who intends to short the stock. No one is accusing CTS Labs of having material inside information about AMD. The information CTS has was independently discovered by them. If this was illegal every short equity operation (Muddy Waters, etc) would be shut down. The most troubling thing about this is the text of the Viceroy Research report. Saying a company is going to zero and is headed to bankruptcy, if they don't really believe that, could prove problematic, but no one gets in trouble for stuff like that anyway.

      That being said, I think that shorting companies based on security concerns is a good way to lose money. There have been several people that have attempted this and it never ends well. On top of that Intel has had just as bad or worse issues with their management engine and no one outside of the nerds care.

    4. Re:Markets dont care by Anonymous Coward · · Score: 0

      The max range of the stock since the news came out is about $1.50 or about 11%. But that's really a theoretical number. In reality, you would be able to capture maybe half of that and that's being generous with any size. Then you need to exit a large short position with buying so maybe you may make 4% on a trade. It's not that good of a risk/reward considering that you are only making $40k per million at risk. If the market goes against you and you get stuck in a short squeeze it turns into a loss faster than you can exit.

    5. Re:Markets dont care by KruiserX · · Score: 1

      They do care about opinions/reports, that's where Viceroy thrives. They were up to similar antics in South Africa, that time in banking. https://www.fin24.com/Companie...

    6. Re:Markets dont care by HiThere · · Score: 1

      Your assertion that those actions aren't illegal is, at best, questionable. IIUC they would be guilty of stock market manipulation and you would be an accessory before the fact.

      OTOH, it is true that such crimes are rarely prosecuted, and are difficult to detect. This doesn't keep them from being crimes.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    7. Re:Markets dont care by Anonymous Coward · · Score: 0

      One note, you make double the profit because you make money on the initial change and then the return back.

    8. Re:Markets dont care by gregfortune · · Score: 2

      Sure. So did you find information in your research that's publicly available? No harm, no foul from what I understand.

      How about information that is not publicly available? Now we're in a little different spot. Now let's add that you intentionally disseminate that information publicly after having sold the privileged information to a third party who acted on that information to purchase a security with an expectation that your public release of the information will affect the price of the security? From what I understand, now you're dealing with securities fraud. I am in no way an expert on the associated laws, but section 9.a.5 of the Securities Exchange Act of 1934 (page 87) seems to apply directly to this situation. You would have to prove intent with that section, but it seems pretty obvious in this case.

      We'd be talking about the same thing if a member of Google Project Zero shorted Intel stock just before the public release of the Meltdown/Spectre fiasco. The purpose behind the regulation is to prevent an unfair advantage in cases where only a select group can be "in the know" and use that information to manipulate the stock price or act on expected changes to the price based on that privileged information.

  5. Re: Seriously? Peddling the fake propaganda a seco by Anonymous Coward · · Score: 0

    Why is parent modded down? It's the truth.

  6. Even if true... by fazig · · Score: 3, Funny

    Invulnerabilities of the Security Processor had been reported to AMD last year by researchers from Google. Apparently AMD found a workaround by letting people disable the entire PSP. Considering that both the "Masterkey" and "Ryzenfall" vulnerability groups allegedly depend on exploiting the PSP, these problems already appear to be fixed by AMD, somewhat.
    So if someone with a Ryzen is concerned there's something they can do about it. Source: https://www.bleepingcomputer.c...

    1. Re:Even if true... by fazig · · Score: 2

      Well, I meant vulnerabilities there, not invulnerabilities.

    2. Re:Even if true... by Anonymous Coward · · Score: 0

      Yes, but is the (entire) PSP REALLY disabled?
      Or in other words : is the PSP binary blob inside the BIOS image (containing the PSP firmware) REALLY ignored by the PSP boot code? Does the PSP enter a "disabled" mode in which it executes no operation?

      Or by "disabling", AMD means only disabling the (software) interface btw operating system (or UEFI BIOS) and PSP? (This would mean that the PSP code is still active and could interact with the peripherals like USB or the network interfaces, for example..)

    3. Re:Even if true... by ravenshrike · · Score: 1

      Clearly you should find out by sneaking into CTS Labs, stealing the technical data on the vulnerabilities they purportedly found, hack the PSP itself without removing the code to disable it, and test the hacked PSP while it's disabled to see if it can execute code. Until you do that however, you're just pissing upwind and splattering everyone with it.

    4. Re:Even if true... by Anonymous Coward · · Score: 0

      And apart from being arrogant and ironical (and even ill-mannered..), have you some constructive remarks Mr ravenshrike?..
      (BTW: my question was addressed primarily to fazig who seems to have real information, so please mind your business..)

    5. Re:Even if true... by Anonymous Coward · · Score: 0

      I've found myself:
      https://www.phoronix.com/scan.php?page=news_item&px=AMD-PSP-Disable-Option

  7. Securities fraud by Bruce+Perens · · Score: 4, Insightful

    Just in case it isn't clear enough to you, buying a security with insider knowledge of an unannounced problem with the company, then announcing the problem in the expectation that the announcement will manipulate the price of the stock, and attempting to profit from that, is securities fraud. It is the kind of thing that should be investigated by the Securities and Exchange Commission, and charges should be filed if appropriate.

    1. Re:Securities fraud by Bruce+Perens · · Score: 3, Informative

      And yes, this also applies to purchasing short positions in the same stock before that sort of announcement.

    2. Re:Securities fraud by macklin01 · · Score: 1, Redundant

      Thanks, Bruce. That was my first question at this story, and I appreciate hearing it from your expertise!!!!

      --
      OpenSource.MathCancer.org: open source comp bio
    3. Re:Securities fraud by ebcdic · · Score: 2

      But is information you have found out yourself, or from someone unrelated to the company, "insider knowledge"? In what sense are these people insiders?

    4. Re:Securities fraud by CajunArson · · Score: 0

      Yeah, except that you glossed over the "insider" part there that has a special meaning under the law unless you are accusing the people at CTS of actually being "insiders" of AMD or having been granted specific confidential information from AMD with a relationship that would make them be considered "insiders".

      Merely digging up information on your own without being an AMD insider or having gained privileged confidential information from AMD isn't enough for them to be prosecuted.

      Once again, CTS is full of sleazy people who won't have long careers in this industry though.

      --
      AntiFA: An abbreviation for Anti First Amendment.
    5. Re:Securities fraud by Actually,+I+do+RTFA · · Score: 2

      Look at Mark Cuban's investor newspaper. Its business model was to research and publish news about companies, but between research and publication Mark would invest in them (long or short positions). The SEC sued him. His blog has a lot of details.

      --
      Your ad here. Ask me how!
    6. Re:Securities fraud by Luthair · · Score: 3, Informative

      It's not clear that this would be considered insider knowledge to me. The normal modus operandi for short sellers is to do a significant amount of research on companies looking for flaws, wrongdoing, etc., purchase a position, then try to build uncertainty by hyping a press release.

      Previously unknown security vulnerabilities don't seem much different than accounting fraud assuming neither has a source inside the company.

    7. Re:Securities fraud by Train0987 · · Score: 1

      First, the SEC only has civil jurisdiction, meaning they can ONLY fine people and companies. The SEC brings civil suits, most of which are settled for pennies while the targets never have to admit any wrongdoing. Only the most egregious fraud gets the attention of the FBI who can pursue criminal charges.

      Oh, and everything being claimed in the article is completely legal if the author of the hit pieces disclosed their position. And yes, saying "we may or may not have a financial interest in publishing this" is a valid disclosure according to the law.

      These rules exist because of the caveat emptor principle: buyer beware. There used to be a time when people didn't automatically believe whatever they read, and average spectators weren't gambling in financial markets like it's a nickel slot.

    8. Re:Securities fraud by Train0987 · · Score: 3, Insightful

      Manipulating the markets even without insider knowledge is also technically illegal but virtually impossible to prove or prosecute. People are allowed to have opinions and publish them even if they are wrong. People are also allowed to speculate financially based on their opinions.

    9. Re:Securities fraud by borcharc · · Score: 2

      Wrong. If a 3rd party independently discovers information that is non-public but adverse to a public company they can do whatever they wish with it. If AMD employees in possession of non-public information made trades based on it, they would be in trouble. But in that situation, AMD would have had to know prior to any public release. As it stands now, the information is public and anyone can trade based on it.

    10. Re:Securities fraud by DivineKnight · · Score: 1

      Indeed. But now we have to contend with mismanaged funds (always a problem), and idiot savants using AI algorithms to scour newsfeeds for good / bad information (and automatically engage in buying / selling).

      And they really went SEO over this one. The Asus forums I frequent all had interesting "posts" about this problem, typically followed by a single post stating that one must acquire admin rights before anything can be exploited (and if they already have admin rights, they don't exactly need an exploit at that point...).

    11. Re:Securities fraud by Anonymous Coward · · Score: 0

      Just in case it isn't clear enough to you, buying a security with insider knowledge of an unannounced problem with the company, then announcing the problem in the expectation that the announcement will manipulate the price of the stock, and attempting to profit from that, is securities fraud.

      You don't understand insider trading.

      Example: the CEO is walking down the street, looks in his folder with the latest financial results (which aren't public yet), and throws the folder in a sidewalk trashcan.

      Someone looks in the trashcan, picks up the folder, reads the results, and decides to trade on the stock based on the financial results. This person is NOT guilty of insider trading.

      Or I'm in the same elevator as two engineers talking about their company's great new product and how they are selling millions of them and making lots of money.

      I'm not guilty of insider trading.

      etc, etc.

    12. Re:Securities fraud by Anonymous Coward · · Score: 0

      Yeah, except that you glossed over the "insider" part there that has a special meaning under the law unless you are accusing the people at CTS of actually being "insiders" of AMD or having been granted specific confidential information from AMD with a relationship that would make them be considered "insiders".

      Merely digging up information on your own without being an AMD insider or having gained privileged confidential information from AMD isn't enough for them to be prosecuted.

      Once again, CTS is full of sleazy people who won't have long careers in this industry though.

      I'm baffled as to your -1 mod for an entirely reasonable response. The only thing I can think of as to why you were negatively modded is that there are a lot of Slashdotters here that want to slurp Peren's penis.

      C'mon Bruce, fight your own battles and call off your sycophant mod brigade.

    13. Re:Securities fraud by Anonymous Coward · · Score: 0

      You forgot to note that Mark Cuban prevailed in court against the SEC and was cleared of the insider trader charge.

    14. Re:Securities fraud by Anonymous Coward · · Score: 0

      Here's the problem with your post: the second they disclosed it to AMD, legally they became insiders. Partners of companies have inside information about how that company operates and have inside knowledge of issues they're experiencing, and informing the company makes you a partner. Yes, if you discovered the flaw, made your stock trades and then released it to the wild, you wouldn't be an insider, but then there's the computer fraud stuff that you might run afoul of.

    15. Re:Securities fraud by Train0987 · · Score: 1

      "Someone looks in the trashcan, picks up the folder, reads the results, and decides to trade on the stock based on the financial results. This person is NOT guilty of insider trading."

      Tell that to Martha Stewart. She went to prison for selling her position in ImClone based on a tip from a broker who noticed ImClone's CEO was dumping his stock. That's all it took for her to be guilty of insider trading.

      Trading based on information not known to the public at large is all it takes to be in violation of insider-trading laws regardless of how you came into that information.

    16. Re:Securities fraud by ripvlan · · Score: 1

      ah ha - answered my own question

      https://en.wikipedia.org/wiki/...

      This might be considered "Short and Distort"

    17. Re:Securities fraud by Khyber · · Score: 1

      "People are allowed to have opinions and publish them even if they are wrong."

      Not if it involves being done to intentionally damage a company and is wholly misleading and defamatory, it sure as fuck is not.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    18. Re:Securities fraud by imrahilj · · Score: 2

      "Someone looks in the trashcan, picks up the folder, reads the results, and decides to trade on the stock based on the financial results. This person is NOT guilty of insider trading."

      Tell that to Martha Stewart. She went to prison for selling her position in ImClone based on a tip from a broker who noticed ImClone's CEO was dumping his stock. That's all it took for her to be guilty of insider trading.

      Trading based on information not known to the public at large is all it takes to be in violation of insider-trading laws regardless of how you came into that information.

      Didn't she go to prison for lying about what she did, rather than directly for what she did?

    19. Re:Securities fraud by ravenshrike · · Score: 1

      I wonder how they got the digitally signed drivers to test with. Depending on any contracts signed that very well could put them in the wheelhouse of insider trading. Either that or that portion of the 'security flaws' is entirely a theoretical attack with no actual proof of concept done on it at all.

    20. Re:Securities fraud by Anonymous Coward · · Score: 0

      There is no reason to say "technically". It is illegal and is often theft on a grand scale. If we tied criminal penalties directly to cost to law-abiding society for all crimes as many scholars have suggested, these crimes would be among the highest.

      I believe there may be enough information out there today to detect and prosecute this on a large scale - not reliably but even a few percent of the cases could be game changing. Search and other internet histories are often now used as evidence in crimes. They are also available in large-scale databases from tracking firms. Most perform their trades through the internet and follow patterns like visiting a page from the stock in question before performing the trade. It would take some effort and investment, but it should be possible to detect and prove patterns of planning, posting hit pieces, and trading that are different when manipulation is in the mind as opposed to honest trading. People forget that beyond reasonable doubt is judged by people, not machines and is not a requirement of absolute proof.

      On the other hand, I think a well-funded automatic trading operation could use similar tech to detect manipulation and piggy-back on it. It would help to buy a tracking company or at least buy real-time access to one or more major tracking databases. I do not believe that would be insider trading so much as trading on projected swings in public sentiment that are recognized as opposed to controlled. I know they already feed trading blogs into these automatic trading algorithms, but don't think they've yet approached the scale of plugging into full tracking histories of all the users of those sites.

      Another way to make money off of this would be to provide the evidence to the companies being hit for a fee. The companies could then start pursuing civil cases where the evidence standard is more like "yeh, they probably did it". They would be unlikely to make real money unless they caught a trader for something like Goldman Sachs doing it, but they could get a handle on the problem.

    21. Re:Securities fraud by Anonymous Coward · · Score: 0

      Assuming they do not work for AMD they are not insiders. They found some problems with a product and want to play the stock market based on that. This can be frowned upon but I do not see something obviously illegal here. Have a look at insider trading definitions and common laws surrounding that: https://en.wikipedia.org/wiki/Insider_trading

    22. Re:Securities fraud by Anonymous Coward · · Score: 0

      Thanks, Bruce. That was my first question at this story, and I appreciate hearing it from your expertise!!!!

      Auto-fellatio is strong today.

    23. Re:Securities fraud by DRJlaw · · Score: 1

      Here's the problem with your post, the second they disclosed it to AMD, legally they became insiders.

      Not even close. An "insider" is a person with a fiduciary or similar duty to the company, and "insider trading" requires trading on information obtained from such a person, whether one is an insider or not.

      An outsider disclosing information to AMD does not become a fiduciary to AMD or come under some similar duty unless they've gone and done something like signed a non-disclosure agreement. Giving outsider information to AMD does not magically transform that outsider information into "insider information" for the outsider.

    24. Re:Securities fraud by Agripa · · Score: 1

      Tell that to Martha Stewart. She went to prison for selling her position in ImClone based on a tip from a broker who noticed ImClone's CEO was dumping his stock.

      "Stewart was found guilty in March 2004 of felony charges of conspiracy, obstruction of an agency proceeding, and making false statements to federal investigators."

      Which is another way of saying she talked her way into jail and should have taken legal advice to shut up.

  8. Its criminally minded people trying this out by gweihir · · Score: 1

    So far, it does not seem to work against AMD, good. And the attempt was on low amateur level in addition, like a lot of crime. Of course, a lot of the press response was also on low amateur level (whatever happened to verifying stories before publishing?), so some small-time investors may have gotten spooked. I hope the SEC and others look into this ruthlessly.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  9. AMD is down! by Anonymous Coward · · Score: 1

    As of this posting, AMD is down by a whopping -0.06. I do not think this does what you wanted it to do.

  10. Obvious stock market manipulation by Khyber · · Score: 1

    And Dan Guido is prime helper number one in this crime.

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    1. Re:Obvious stock market manipulation by Khyber · · Score: 2

      Slashdot is helper number two given they're spreading this bullshit without any good reason. I wonder if slashdot has some skin in this game?

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    2. Re:Obvious stock market manipulation by Anonymous Coward · · Score: 0

      Slashdot is helper number two given they're spreading this bullshit without any good reason. I wonder if slashdot has some skin in this game?

      Bots have no skin.

    3. Re: Obvious stock market manipulation by Anonymous Coward · · Score: 0

      Slashdot knows there are fanboys to whip up into a frenzy.

  11. Re: Seriously? Peddling the fake propaganda a seco by Anonymous Coward · · Score: 0

    What about that suggests he has his priorities mixed up? I agree that, perhaps, he's showing a lack of perspective, but at no point did he suggest that we should pursue these bullshit pushers over, say, serial murderers. It's not clear how you arrived at this conclusion; please explain.

  12. Nothing suspicious here by TimothyHollins · · Score: 2

    Hey guys, I'm one of you, a neutral third party financially uninvolved in any of this.
    Let's all go and buy Intel processors because they don't have any of these critical security flaws that are just so much more noteworthy than boring and harmless Spectre and Meltdown. And who even remembers those? They are so 2017, am I right?

    Also did you know that when you support Intel you support small independent security researchers of the highest ethical and moral standards? Wow, if that isn't standing up for the little guy (just like you and me!) I don't know what is.

    1. Re: Nothing suspicious here by Anonymous Coward · · Score: 0

      AMD isn't the little guy.

      This is Ford vs. Chevy stuff.

    2. Re: Nothing suspicious here by drinkypoo · · Score: 1

      AMD isn't the little guy.
      This is Ford vs. Chevy stuff.

      No, not even close. Ford and GM are on roughly equal footing. Sometimes one leads the other. But the courts have decided more than once now that Intel not only has a dominant position in the market, but that they have abused it — specifically against AMD.

      You, cowardly sir, are an Intel shill.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    3. Re: Nothing suspicious here by nedlohs · · Score: 2

      Ford's market cap is $43.61B, General Motors' market cap is $52.80B. One is 83% of the size of the other.

      AMD's market cap is $10.94B. Intel's market cap is $239.19B. One is 5% of the size of the other.

      Those are nothing like similar.

    4. Re:Nothing suspicious here by TooManyNames · · Score: 1

      Can't recall off the top of my head, but I think Spectre is an Intel-specific variant of the generic Meltdown vulnerability, which basically impacts all speculative processors (so everything currently in use). In other words, the vulnerability isn't just Intel's problem.

      Also, I very much doubt that Intel had anything to do with this security firm's announcement, or the investment journal's "obituary." I'd suspect that that's more just run-of-the-mill profiteering from basically worthless outlets looking to make a quick buck at someone else's (AMD's) expense. This isn't to suggest that Intel doesn't engage in shady practices, but I highly doubt that they're behind this particular issue.

      --
      "Is not a sentence" is not a sentence. Well damn.
    5. Re:Nothing suspicious here by Xtifr · · Score: 1

      The other way around, actually. Meltdown is the Intel-specific* (and far more severe) of the three related vulnerabilities. (The other two are collectively called Spectre.) Meltdown requires drastic changes to the OS kernels, which have a big impact on performance. Linux, at least, put an "if (cpu_vendor != AMD)" around their performance-inhibiting Meltdown fixes. The Spectre vulnerabilities, on the other hand, don't require the same sort of low-level OS patches. They need changes to apps, and we'll be dealing with them for years. They're a nightmare no matter which vendors we use. But on the bright side, the fixes don't have the same negative impact on performance.

      The key takeaway here is that while these vulnerabilities weren't just Intel's problem, the bulk of the performance impact was!

      All of which makes Intel a reasonable target for suspicion here. They may or may not be involved, but it's pretty easy to see their motives if they are. "You don't have to give up performance if you use our chips" is a great selling point for AMD, and Intel is almost certainly going to want to counter that somehow.

      * Meltdown actually affects a few recent ARM64 chips as well, but that's a side issue. In the x86 world, it's Intel-specific.

    6. Re:Nothing suspicious here by HiThere · · Score: 1

      IIUC Spectre requires hardware level changes to all processors that engage in speculative execution. Also it requires a level of access not required by the Meltdown flaw (i.e. Intel) and is also not as privilege breaking.

      That said, Spectre still needs to be addressed, it's just that no remote exploits are yet known. But Meltdown (Intel) is remotely exploitable by, e.g., web browser javascript.

      The current articles attacking AMD are almost certainly either psychowar or attempted market manipulation (or some of each, possibly by independent parties). That said, the announced flaws could actually be real, and they could actually be serious. The info I've run across doesn't allow me to decide whether or not it's propaganda fraud as well as psychowar and possibly stock market fraud.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
  13. Re: Seriously? Peddling the fake propaganda a sec by theshowmecanuck · · Score: 2

    Manipulating markets with lies. Actually I thought that *was* grounds for prison.

    --
    -- I ignore anonymous replies to my comments and postings.
  14. Someone wants a Wintel monopoly by Anonymous Coward · · Score: 0

    Someone wants the world to use Intel-only processors on PCs. We must make them responsible for this vandalism. A couple of security vulnerabilities shouldn't bankrupt a company. Intel never went under when they got FOOFed. It looks like all the dirty work in the cryptocurrency markets is spreading into stocks as well.

  15. Not without your help, duche! by xxxLCxxx · · Score: 2

    Not without your help, duche!
    I can't believe this is still being spread...

  16. Gaming the Stock Market by Anonymous Coward · · Score: 0

    Only if Goldman Sachs is using AMD based computers.. ;-)

  17. Re:Securities fraud? or not. by Anonymous Coward · · Score: 0

    Just in case it isn't clear enough to you, buying a security with insider knowledge of an unannounced problem with the company, then announcing the problem in the expectation that the announcement will manipulate the price of the stock, and attempting to profit from that, is securities fraud. It is the kind of thing that should be investigated by the Securities and Exchange Commission, and charges should be filed if appropriate.

    Who says that when an outside organization finds security flaws it constitutes insider trading? I strongly dispute that opinion.

    If the flaws are real, anyone in the marketplace with sufficient smarts and motivation could buy a stack of Ryzen and EPYC chips and find the flaws. I see nothing "insider" about that.

    While I don't approve of CTS giving AMD less than 24 hrs notice, and I am not yet convinced CTS has found real flaws, I don't see it as criminal when your business model is based on finding real flaws, investing to capitalize on them, and announcing them.

    Suppose Goldman Sachs had a big division that investigated consumer products for dangerous flaws and both announced and invested accordingly. As long as the flaws are real, wouldn't that be a service to society? Wouldn't we all be better off if the VW diesel cheating had been found sooner, even if it were found by a competitor who then profited?

  18. Re: Seriously? Peddling the fake propaganda a sec by theshowmecanuck · · Score: 2

    So someone is going to hire a crew of thousands in some mythical shipping department to individually inject malware into chips individually so that it actually becomes much of a threat. You don't happen to work for the mythological Intel associated CTS labs do you? What a fucking moron.

    --
    -- I ignore anonymous replies to my comments and postings.
  19. What kind of Intel shill paid for this? by Anonymous Coward · · Score: 0

    Seriously? AMD has to go bankrupt? They're going to pull that out of their ass and report it as news? Fuck out of here....

  20. Viceroy? CT(O)S Labs? by Anonymous Coward · · Score: 0

    So where is Aiden Pearce?

  21. maybe CTS Labs can find out what happen drop soap by Joe_Dragon · · Score: 1

    maybe CTS Labs can find out what happens when you drop the soap!

  22. Re: Seriously? Peddling the fake propaganda a seco by Anonymous Coward · · Score: 0

    Yes, cool down little anonymous (greatparent).. cool down..

    Anyway, what is clear is that the way the PSP was designed by AMD IS a serious security concern for users. I for one stopped buying AMD processors since they introduced PSP, before that I was an AMD fanboy, but nevermind... (BTW, the same could be said about Intel with their ME..)

    My point is that features like PSP and ME should be thoroughly investigated by the security research community, because of their immense (devastating!) potential of destruction if exploited by malicious entities!

    The key problem is that the owner of the system (with features like PSP or ME) has ABSOLUTELY no means (zero, nil, nada!!..) to mitigate the threat, other than to trust AMD or Intel to do their job well... (explanation for the non-experts: nobody outside Intel or AMD is authorised to touch the code of ME or PSP....)

    Now the fact that some people used the pretext of legitimate security research for leveraging stock market manipulations is another story which should concern primarily the judicial authorities..

  23. Re: Seriously? Peddling the fake propaganda a se by Anonymous Coward · · Score: 0

    Why the hyperbolic attack? The guy in the parts crib knows exactly which boxes those processors are going into. Other guys on his team are ready and waiting. Why would the team care about thousands of processors? They have specific targets.

  24. Cuban won by raymorris · · Score: 4, Informative

    The SEC went after Mark Cuban and Cuban won. The Cuban case is an example of what is NOT insider trading.

    Also if you look at the SEC web site it says illegal insider trading is:
    --
      buying or selling a security, in breach of a fiduciary duty or other relationship of trust and confidence,
    --

    The fiduciary duty is the duty that corporate officers, the company's lawyer, etc, have to look out for the interests of the company (stockholders) rather than their own personal gain. I have no "relationship of trust and confidence", no fiduciary duty, with Intel or AMD. Therefore, according to the SEC I can buy and sell AMD or Intel stock based on WHATEVER information I have, as long as I didn't get that information secretly from someone who has a "relationship of trust and confidence" with the company, such as a corporate officer.

  25. Re: Seriously? Peddling the fake propaganda a seco by Alain+Williams · · Score: 1

    I for one stopped buying AMD processors since they introduced PSP

    So: who did you warn about the PSP (introduced about 2013) ? If you did not use AMD or Intel processors, what were you using ?

  26. There are three main guys behind this... by Anonymous Coward · · Score: 0

    and they should all be in jail. This is not the first time they have done this type of thing. I hope the SEC nails them to the wall and hands the case over to the justice department for criminal charges and extradition (they are foreign nationals - two Aussies and one Brit).

    Probably they will get a slap on the wrist and be free to try again with another stock on another exchange. If they do it in China, maybe we as a species will be lucky and see them put up against a wall and shot as they well deserve.

  27. The Securities Exchange Commission disagrees with by raymorris · · Score: 1

    The statute, and the SEC, disagree with you.

    If you look at the SEC web site it says illegal insider trading is:
    --
        buying or selling a security, in breach of a fiduciary duty or other relationship of trust and confidence,
    --

    The fiduciary duty is the duty that corporate officers, the company's lawyer, etc, have to look out for the interests of the company (stockholders) rather than their own personal gain. I have no "relationship of trust and confidence", no fiduciary duty, with Intel or AMD. Therefore, according to the SEC I can buy and sell AMD or Intel stock based on WHATEVER information I have, as long as I didn't get that information secretly from someone who has a "relationship of trust and confidence" with the company, such as a corporate officer.

    I can decide to sell my Intel stock today because I haven't pooped yet, or because a groundhog saw his shadow. What's prohibited is people employed to take care of the company (corporate officers, etc) must not abrogate that responsibility for their own personal gain.

  28. Re: Seriously? Peddling the fake propaganda a seco by Anonymous Coward · · Score: 1

    PrePSP processors..

  29. Re: Seriously? Peddling the fake propaganda a seco by RhettLivingston · · Score: 1

    AMD investors are down a few 100 million dollars right now. The lab is an "insider" in this case. If any portion of that ended up in pockets of people who were given information ahead of time that enabled them to make money on shorts, they committed insider trading. There is no reason why this form of stealing should get different time than any other. It would certainly have involved enough money to qualify as grand larceny.

  30. Re: Seriously? Peddling the fake propaganda a seco by Anonymous Coward · · Score: 0

    " IS a serious security concern for users"
    No it really isn't. It only becomes a concern if there has been widespread exploitation that directly harms the users. The flaw reported requires a long list of prerequisites before you can even attempt to exploit it. The research firm and the hedge fund firm have opened themselves up to SEC scrutiny and contrary to popular belief the SEC has a history of not only prosecuting but leveling serious punishments to those it deems guilty. The SEC evaluates and enforces its regulations and associated federal laws using both the letter and spirit of the law.

  31. Re:Securities fraud- Market manipulation? by ripvlan · · Score: 1

    That's what I came here to ask. It seems like market manipulation - similar to the penny stock pump and dump schemes.

    So is it? It's hard to believe that the folks at CTS et al aren't aware of SEC rules, esp brazenly including a comment in the disclosure. It's kind of like those YouTube disclaimers "I don't own this content - any Copyrighted material is owned by other entities" -- yeah that makes it all better.

    And as somebody else above noted - the security holes aren't really all that concerning requiring too many pre-reqs to the point that "you've been pwned" already.

    This is kind of an interesting story within a story. Nothing to see here - except fake news and propaganda carried by news orgs that aren't capable of providing analysis, and wrapped in a possible fraud made possible by the Blogger fake news pipeline.

  32. Re: Seriously? Peddling the fake propaganda a seco by Anonymous Coward · · Score: 0

    I was not speaking about the "flaws" CTS claims having discovered, but about the PSP feature per se.
    And more to the point: the user has absolutely no control over this .. feature!..
    I know some people say that recently(?) AMD permitted the disabling of the PSP, but I don't believe that...
    The day when someone proves to me that the PSP firmware has no backdoors (or more generally is NOT remotely exploitable), THEN I will trust AMD again..

  33. Re:The Securities Exchange Commission disagrees wi by ripvlan · · Score: 1

    hmm... you might want to ask Martha Stewart about that definition. She received a tip that the CEO of the company had sold all his shares - and she acted accordingly. But I don't believe she was an officer of the company.

    Pump and Dump schemes are illegal too. https://en.wikipedia.org/wiki/...

    Actually this CTS instance might be considered "Short and Distort"

  34. Security 'Researchers' by Anonymous Coward · · Score: 0

    What did everyone expect with all the rent seeking security 'researchers'. You pay them a bug bounty or they sell to someone else.

    This is just the next step.

  35. Questions. by NormanHaga2580 · · Score: 1

    1. What is Intel's stake in putting AMD out of business.
    2. How much is Intel paying for this hit piece?

    1. Re:Questions. by Anonymous Coward · · Score: 1

      I don't think Intel had anything to do with this. This was a group of people trying to profit on a short term drop in AMD stock at a time of their choosing. Very sleazy and illegal manipulation. Long term it would help AMD and make Intel look bad if it were to come out Intel had anything to do with it.

      If AMD ever does go under, Intel will be facing antitrust issues... it needs to keep a competitor for that alone.

    2. Re:Questions. by Anonymous Coward · · Score: 0

      Extremely unlikely. If Intel wanted AMD out of business, they certainly would not be licensing video technology from AMD or putting AMD video processors in their CPUs.

    3. Re:Questions. by HiThere · · Score: 1

      Valid questions, but you put too much certainty behind them. Certainly I suspect that Intel somehow sponsored this, but I don't see any reason to feel certain. MS also has derived some benefit from this, as it's distracted people from complaining about MSWindows10 misdeeds. And it could be a pure attempt at financial gain by manipulating the stock market. There are probably a few other possibilities.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
  36. Re: Seriously? Peddling the fake propaganda a sec by HiThere · · Score: 1

    IIRC someone did something similar for some Cisco routers. It was a targeted attack, not a global attack, but it wasn't narrowly targeted.

    So the scenario isn't unreasonable. A state actor would be the most likely perpetrator, and the attacks would be mildly targeted (systems shipped from location X to foreign location Y between dates D1 and D2). Saying this can't be done is denying that things that have been detected once can happen again.

    --

    I think we've pushed this "anyone can grow up to be president" thing too far.
  37. She wasn't convicted of Securities Fraud by rsilvergun · · Score: 1

    Martha Stewart was convicted of lying to an officer. She tried to cover up what she did. Also, she was on the board of directors of the Stock Exchange, which probably gave her a fiduciary duty (tangentially). But even that wouldn't have stuck if she'd just come clean.

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
  38. Re: Seriously? Peddling the fake propaganda a sec by theshowmecanuck · · Score: 1

    Not denying it, but this is a (pretty much extreme) edge case. The only place where it would cause widespread issues is, per your example, at router manufacturers. Those are the only items where few instances can affect many. I don't see people doing this on every chip going into workstations or servers. It just isn't practical.

    --
    -- I ignore anonymous replies to my comments and postings.
  39. Re: Seriously? Peddling the fake propaganda a seco by Anonymous Coward · · Score: 0

    The day when someone proves to me that the PSP firmware has no backdoors (or more generally is NOT remotely exploitable), THEN I will trust AMD again..

    Do you even science bro?

  40. Re:The Securities Exchange Commission disagrees wi by Anonymous Coward · · Score: 0

    It also applies to anyone who receives the information from someone with a fiduciary duty.

    Otherwise you'd be able to get away with it by simply getting your spouse, cat or buddy from the bar to do it.

    Dumb fuck.

  41. Re: Seriously? Peddling the fake propaganda a sec by ShanghaiBill · · Score: 4, Insightful

    Manipulating markets with lies. Actually I thought that *was* grounds for prison.

    They are not lying. They are stating facts and opinions, and mixing them to confuse naive investors. They preface many sentences with "We believe" and "We may". This "obituary" was almost certainly reviewed by lawyers, to ensure that it got as close to "the line" as possible, without crossing it.

    You can fool some of the people some of the time, and for securities manipulation, that is enough.

  42. Re:Seriously? Peddling the fake propaganda a secon by thegarbz · · Score: 1

    The last time this shit was posted, we established that the prerequisites for those "vulnerabilities" were ridiculous, requiring *at least* admin access

    All of which has nothing to do with TFA or TFS which is all about how perception can affect stock market changes. Take a breath, read the summary, participate in intellectual conversations and wipe the froth from your mouth.

  43. Re: Seriously? Peddling the fake propaganda a sec by theshowmecanuck · · Score: 2

    I don't think regulators will let people hide behind 'opinions' anymore. Especially when they say it is such an extremely dire vulnerability, when in fact it is not so dire. Moderate at best. It seems pretty evident when (their lawyers obviously did tell them to include that) they have financial interest in AMD and are partnering with a financial brokerage. If they bought stocks hoping them to rise they wouldn't make such extreme (likely bullshit) proclamations and then give AMD only a day to look at them. They wouldn't do something that would make them lose money. So the only way they could make money doing something like this is to short the stock. So this is plainly manipulation and should be investigated by the regulators. Even more so if some comments are to be believed that the security researchers' website is quite new.

    --
    -- I ignore anonymous replies to my comments and postings.
  44. Re: Seriously? Peddling the fake propaganda a seco by Anonymous Coward · · Score: 0

    Why this question?
    Have you understood what was my point little guy?

  45. Re: Seriously? Peddling the fake propaganda a sec by Anonymous Coward · · Score: 0

    I have a box of Pentium Pro processors, too, but no motherboards any longer. I was just saving them as collectables and for their significant scrap gold value.

    I think I still have an AMD K5 motherboard, too.

  46. Re: Seriously? Peddling the fake propaganda a sec by Anonymous Coward · · Score: 0

    You do it on the chips going into the Work Order for the workstations being shipped to the power plant.

  47. Re: Seriously? Peddling the fake propaganda a sec by Anonymous Coward · · Score: 0

    Because you can't prove a negative. That applies to literally everything and everyone.

    So I guess you won't be buying any electronics ever again because you could never prove that backdoors don't exist.

  48. Re:Seriously? Peddling the fake propaganda a secon by Anonymous Coward · · Score: 0

    If root access allows you to hack the PSP that is bad, Intel Management Engine can't be hacked in that way. It means your hardware can never truly be clean, because once somebody hacks your PSP there is no way to fix it, whether that's from somebody intercepting your physical processor or what.

  49. Re:The Securities Exchange Commission disagrees wi by Anonymous Coward · · Score: 0

    It depends on how the tip is conveyed. Recent rule changes at the SEC have been made after several court cases where the defense raised the trader's lack of knowledge that the trade used insider information. A trade done by an outsider can only be classified as insider trading if the person who trades on the basis of material nonpublic information is aware that it was material nonpublic information when making the purchase or sale.

  50. Rule 10b-5 by raymorris · · Score: 2

    Stewart wasn't held liable for most of the things in the SEC complaint because she was neither an officer of the company nor did she get the information from one. She basically went to prison for lying about the whole thing (obstruction of justice, etc.)

    Pump and dump is covered under rule 10b-5: Employment of Manipulative and Deceptive Practices. What's illegal is to LIE about a company in order to fraudulently manipulate the stock price. Telling the truth about a company is not only okay, but encouraged. Several offenses related to investing are only offenses if you fail to reveal the truth about the issues. If a company has security risks, or any other risks, certain people are REQUIRED to publish that information. Publishing true statements not only isn't a crime, it's how you avoid being charged with other crimes. Here's the full text of Rule 10b-5, the pump and dump rule.

    "It shall be unlawful for any person, directly or indirectly, by the use of any means or instrumentality of interstate commerce, or of the mails or of any facility of any national securities exchange,
    (a) To employ any device, scheme, or artifice to defraud,
    (b) To make any untrue statement of a material fact or to omit to state a material fact necessary in order to make the statements made, in the light of the circumstances under which they were made, not misleading, or
    (c) To engage in any act, practice, or course of business which operates or would operate as a fraud or deceit upon any person,
    in connection with the purchase or sale of any security."

    Another thing that's been done regarding pump and dump is restrictions on who can trade penny stocks and how, since fraudsters often use penny stocks.

  51. Re: Seriously? Peddling the fake propaganda a se by Anonymous Coward · · Score: 1

    AMD could open source the code for review to prove there are no backdoors.

  52. Re: Seriously? Peddling the fake propaganda a se by jimtheowl · · Score: 0

    So could Intel, Microsoft and everybody else for that matter. It is not going to happen.

  53. Re:Securities fraud- Market manipulation? by Anonymous Coward · · Score: 0

    CTS could be aware of the rules, but CTS isn't based in the USA.

  54. WTF is up with the ads on this site???!!! by Anonymous Coward · · Score: 0

    For crying out loud, the unscrollable ad with its annoying automation is making it freaking impossible to read this site.

    It's almost like content providers are trying to make the reading experience as annoying as possible for their customers.

    Remember the good old days (90s) when tech companies actually liked their customers and tried to do right by them?

  55. Re: Seriously? Peddling the fake propaganda a sec by lsatenstein · · Score: 1

    Manipulating markets with lies. Actually I thought that *was* grounds for prison.

    They are not lying. They are stating facts and opinions, and mixing them to confuse naive investors. They preface many sentences with "We believe" and "We may". This "obituary" was almost certainly reviewed by lawyers, to ensure that it got as close to "the line" as possible, without crossing it.

    You can fool some of the people some of the time, and for securities manipulation, that is enough.

    I have an Intel q9650 system. It has no EFI bios, it relies on Linux and Selinux security features. The TPM for my Asus P5Q is a plug in chip.
    So, the TPM is replaceable by someone when a technician comes over and pretends he is installing new hardware, as opposed to replacing a Security chip with one allowing dual access.
    Yes, anyone who has physical access to the computer can install new bios's, replace TPMs and even replace CPU Microcode fixes.
    This problem is no different from my taking my car to a local garage which has a workaround diagnostic and programming machine usually provided to dealers. If I brought my system to Geek Squad, want to bet that they have put in software that indicates who in their organization handled the system last, and what is the bypass (insecure) password.

    CTS had a financial interest in dropping the AMD stock prices. And when they hit bottom, to buy them back. AMD is ok, the problem or issue, if any, may rest with the motherboard manufacturer.

    --
    Leslie Satenstein Montreal Quebec Canada