Slashdot Mirror


Can AMD Vulnerabilities Be Used To Game the Stock Market? (vice.com)

Earlier this week, a little-known security firm called CTS Labs reported what it claimed to be severe vulnerabilities and backdoors in some AMD processors. While AMD looks into the matter, the story behind the researchers' discovery and the way they made it public has become a talking point in security circles. The researchers, who work for CTS Labs, only reported the flaws to AMD shortly before publishing their report online. Typically, researchers give companies a few weeks or even months to fix the issues before going public with their findings. To make things even stranger, a little bit over 30 minutes after CTS Labs published its report, a controversial financial firm called Viceroy Research published what they called an "obituary" for AMD. Motherboard reports: "We believe AMD is worth $0.00 and will have no choice but to file for Chapter 11 (Bankruptcy) in order to effectively deal with the repercussions of recent discoveries," Viceroy wrote in its report. CTS Labs seemed to hint that it too had a financial interest in the performance of AMD stock. "We may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports," CTS Labs wrote in the legal disclaimer section of its report.

On Twitter, rumors started to swirl. Are the researchers trying to make money by betting that AMD's share price will go down due to the news of the vulnerabilities? Or, in Wall Street jargon, were CTS Labs and Viceroy trying to short sell AMD stock? Security researcher Arrigo Triulzi speculated that Viceroy and CTS Labs were profit sharing for shorting, while Facebook's chief security officer Alex Stamos warned against a future where security research is driven by short selling.

[...] There's no evidence that CTS Labs worked with Viceroy to short AMD. But something like that has happened before. In 2016, security research firm MedSec found vulnerabilities in pacemakers made by St. Jude Medical. In what was likely a first, MedSec partnered with hedge fund Muddy Waters to bet against St. Jude Medical's stock. For Adrian Sanabria, director of research at security firm Threatcare and a former analyst at 451 Research, where he covered the cybersecurity industry, trying to short based on vulnerabilities just doesn't make much sense. While it could work in theory and could become more common in the future, he said in a phone call, "I don't think we've seen enough evidence of security vulnerabilities really moving the stock for it to really become an issue."
Further reading: Linus Torvalds slams CTS Labs over AMD vulnerability report (ZDNet).

23 of 106 comments

  1. Seriously? Peddling the fake propaganda a second t by Anonymous Coward · · Score: 5, Interesting

    The last time this shit was posted, we established that the prerequisites for those "vulnerabilities" were ridiculous, requiring *at least* admin access, or even installing a hacked BIOS first! We also established that CTS Labs were in bed with Intel and had created the domain for this only right before publishing it. Apart from the fact that everyone agreed that giving AMD only such a short time to react before publishing it was completely unprofessional and a "hit job". (To which I agree.)

    So, do you plan on posting it until people believe it because we have given up on reminding everyone, or have you now brought your sock puppet troll army to silence everyone?

    Seriously, in my world, you need to go to prison over this!

  2. Markets don't care by borcharc · · Score: 2

    Markets have shown little care in the face of computer security issues. You may get a few day drop but nothing lasting. Look at Intel, Target, or anyone else. It's just not that big of a deal to investors or consumers.

    1. Re:Markets don't care by gregfortune · · Score: 2

      Sure. So did you find information in your research that's publicly available? No harm, no foul from what I understand.

      How about information that is not publicly available? Now we're in a little different spot. Now let's add that you intentionally disseminate that information publicly after having sold the privileged information to a third party who acted on that information to purchase a security with an expectation that your public release of the information will affect the price of the security? From what I understand, now you're dealing with securities fraud. I am in no way an expert on the associated laws, but section 9.a.5 of the Securities Exchange Act of 1934 (page 87) seems to apply directly to this situation. You would have to prove intent with that section, but it seems pretty obvious in this case.

      We'd be talking about the same thing if a member of Google Project Zero shorted Intel stock just before the public release of the Meltdown/Spectre fiasco. The purpose behind the regulation is to prevent an unfair advantage in cases where only a select group can be "in the know" and use that information to manipulate the stock price or act on expected changes to the price based on that privileged information.

  3. Even if true... by fazig · · Score: 3, Funny

    Invulnerabilities of the Security Processor had been reported to AMD last year by researchers from Google. Apparently AMD found a workaround by letting people disable the entire PSP. Considering that both the "Masterkey" and "Ryzenfall" vulnerability groups allegedly depend on exploiting the PSP, these problems already appear to be fixed by AMD, somewhat.
    So if someone with a Ryzen is concerned there's something they can do about it. Source: https://www.bleepingcomputer.c...

    1. Re:Even if true... by fazig · · Score: 2

      Well, I meant vulnerabilities there, not invulnerabilities.

  4. Securities fraud by Bruce+Perens · · Score: 4, Insightful

    Just in case it isn't clear enough to you, buying a security with insider knowledge of an unannounced problem with the company, then announcing the problem in the expectation that the announcement will manipulate the price of the stock, and attempting to profit from that, is securities fraud. It is the kind of thing that should be investigated by the Securities and Exchange Commission, and charges should be filed if appropriate.

    1. Re:Securities fraud by Bruce+Perens · · Score: 3, Informative

      And yes, this also applies to purchasing short positions in the same stock before that sort of announcement.

    2. Re:Securities fraud by ebcdic · · Score: 2

      But is information you have found out yourself, or from someone unrelated to the company, "insider knowledge"? In what sense are these people insiders?

    3. Re:Securities fraud by Actually,+I+do+RTFA · · Score: 2

      Look at Mark Cuban's investor newspaper. Its business model was to research and publish news about companies, but between research and publication Mark would invest in them (long or short positions). The SEC sued him. His blog has a lot of details.

      --
      Your ad here. Ask me how!
    4. Re:Securities fraud by Luthair · · Score: 3, Informative

      It's not clear that this would be considered insider knowledge to me. The normal modus operandi for short sellers is to do a significant amount of research on companies looking for flaws, wrongdoing, etc., purchase a position, then try to build uncertainty by hyping a press release.

      Previously unknown security vulnerabilities don't seem much different than accounting fraud assuming neither has a source inside the company.

    5. Re:Securities fraud by Train0987 · · Score: 3, Insightful

      Manipulating the markets even without insider knowledge is also technically illegal but virtually impossible to prove or prosecute. People are allowed to have opinions and publish them even if they are wrong. People are also allowed to speculate financially based on their opinions.

    6. Re:Securities fraud by borcharc · · Score: 2

      Wrong. If a 3rd party independently discovers information that is non-public but adverse to a public company they can do whatever they wish with it. If AMD employees in possession of non-public information made trades based on it, they would be in trouble. But in that situation, AMD would have had to know prior to any public release. As it stands now, the information is public and anyone can trade based on it.

    7. Re:Securities fraud by imrahilj · · Score: 2

      "Someone looks in the trashcan, picks up the folder, reads the results, and decides to trade on the stock based on the financial results. This person is NOT guilty of insider trading."

      Tell that to Martha Stewart. She went to prison for selling her position in ImClone based on a tip from a broker who noticed ImClone's CEO was dumping his stock. That's all it took for her to be guilty of insider trading.

      Trading based on information not known to the public at large is all it takes to be in violation of insider-trading laws regardless of how you came into that information.

      Didn't she go to prison for lying about what she did, rather than directly for what she did?

  5. Re:Obvious stock market manipulation by Khyber · · Score: 2

    Slashdot is helper number two given they're spreading this bullshit without any good reason. I wonder if slashdot has some skin in this game?

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
  6. Nothing suspicious here by TimothyHollins · · Score: 2

    Hey guys, I'm one of you, a neutral third party financially uninvolved in any of this.
    Let's all go and buy Intel processors because they don't have any of these critical security flaws that are just so much more noteworthy than boring and harmless Spectre and Meltdown. And who even remembers those? They are so 2017, am I right?

    Also did you know that when you support Intel you support small independent security researchers of the highest ethical and moral standards? Wow, if that isn't standing up for the little guy (just like you and me!) I don't know what is.

    1. Re: Nothing suspicious here by nedlohs · · Score: 2

      Ford's market cap is $43.61B, General Motors' market cap is $52.80B. One is 83% of the size of the other.

      AMD's market cap is $10.94B. Intel's market cap is $239.19B. One is 5% of the size of the other.

      Those are nothing like similar.

  7. Re: Seriously? Peddling the fake propaganda a sec by theshowmecanuck · · Score: 2

    Manipulating markets with lies. Actually I thought that *was* grounds for prison.

    --
    -- I ignore anonymous replies to my comments and postings.
  8. Not without your help, duche! by xxxLCxxx · · Score: 2

    Not without your help, duche!
    I can't believe this is still being spread...

  9. Re: Seriously? Peddling the fake propaganda a sec by theshowmecanuck · · Score: 2

    So someone is going to hire a crew of thousands in some mythical shipping department to individually inject malware into chips individually so that it actually becomes much of a threat. You don't happen to work for the mythological Intel associated CTS Labs, do you? What a fucking moron.

    --
    -- I ignore anonymous replies to my comments and postings.
  10. Cuban won by raymorris · · Score: 4, Informative

    The SEC went after Mark Cuban and Cuban won. The Cuban case is an example of what is NOT insider trading.

    Also if you look at the SEC web site it says illegal insider trading is:
    --
      buying or selling a security, in breach of a fiduciary duty or other relationship of trust and confidence,
    --

    The fiduciary duty is the duty that corporate officers, the company's lawyer, etc, have to look out for the interests of the company (stockholders) rather than their own personal gain. I have no "relationship of trust and confidence", no fiduciary duty, with Intel or AMD. Therefore, according to the SEC I can buy and sell AMD or Intel stock based on WHATEVER information I have, as long as I didn't get that information secretly from someone who has a "relationship of trust and confidence" with the company, such as a corporate officer.

  11. Re: Seriously? Peddling the fake propaganda a sec by ShanghaiBill · · Score: 4, Insightful

    Manipulating markets with lies. Actually I thought that *was* grounds for prison.

    They are not lying. They are stating facts and opinions, and mixing them to confuse naive investors. They preface many sentences with "We believe" and "We may". This "obituary" was almost certainly reviewed by lawyers, to ensure that it got as close to "the line" as possible, without crossing it.

    You can fool some of the people some of the time, and for securities manipulation, that is enough.

  12. Re: Seriously? Peddling the fake propaganda a sec by theshowmecanuck · · Score: 2

    I don't think regulators will let people hide behind 'opinions' anymore. Especially when they say it is such an extremely dire vulnerability, when in fact it is not so dire. Moderate at best. It seems pretty evident when (their lawyers obviously did tell them to include that) they have financial interest in AMD and are partnering with a financial brokerage. If they bought stocks hoping for them to rise they wouldn't make such extreme (likely bullshit) proclamations and then give AMD only a day to look at them. They wouldn't do something that would make them lose money. So the only way they could make money doing something like this is to short the stock. So this is plainly manipulation and should be investigated by the regulators. Even more so if some comments are to be believed that the security researchers' website is quite new.

    --
    -- I ignore anonymous replies to my comments and postings.
  13. Rule 10b-5 by raymorris · · Score: 2

    Stewart wasn't held liable for most of the things in the SEC complaint because she was neither an officer of the company nor did she get the information from one. She basically went to prison for lying about the whole thing (obstruction of justice, etc.)

    Pump and dump is covered under Rule 10b-5: Employment of Manipulative and Deceptive Practices. What's illegal is to LIE about a company in order to fraudulently manipulate the stock price. Telling the truth about a company is not only okay, but encouraged. Several offenses related to investing are only offenses if you fail to reveal the truth about the issues. If a company has security risks, or any other risks, certain people are REQUIRED to publish that information. Publishing true statements not only isn't a crime, it's how you avoid being charged with other crimes. Here's the full text of Rule 10b-5, the pump and dump rule.

    "It shall be unlawful for any person, directly or indirectly, by the use of any means or instrumentality of interstate commerce, or of the mails or of any facility of any national securities exchange,
    (a) To employ any device, scheme, or artifice to defraud,
    (b) To make any untrue statement of a material fact or to omit to state a material fact necessary in order to make the statements made, in the light of the circumstances under which they were made, not misleading, or
    (c) To engage in any act, practice, or course of business which operates or would operate as a fraud or deceit upon any person,
    in connection with the purchase or sale of any security."

    Another thing that's been done regarding pump and dump is restrictions on who can trade penny stocks and how, since fraudsters often use penny stocks.