Can AMD Vulnerabilities Be Used To Game the Stock Market?

Earlier this week, a little-known security firm called CTS Labs reported, what it claimed to be, severe vulnerabilities and backdoors in some AMD processors. While AMD looks into the matter, the story behind the researchers' discovery and the way they made it public has become a talking point in security circles. The researchers, who work for CTS Labs, only reported the flaws to AMD shortly before publishing their report online. Typically, researchers give companies a few weeks or even months to fix the issues before going public with their findings. To make things even stranger, a little bit over 30 minutes after CTS Labs published its report, a controversial financial firm called Viceroy Research published what they called an "obituary" for AMD. Motherboard reports: "We believe AMD is worth $0.00 and will have no choice but to file for Chapter 11 (Bankruptcy) in order to effectively deal with the repercussions of recent discoveries," Viceroy wrote in its report. CTS Labs seemed to hint that it too had a financial interest in the performance of AMD stock. "We may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports," CTS Labs wrote in the legal disclaimer section of its report.

On Twitter, rumors started to swirl. Are the researchers trying to make money by betting that AMD's share price will go down due to the news of the vulnerabilities? Or, in Wall Street jargon, were CTS Labs and Viceroy trying to short sell AMD stock? Security researcher Arrigo Triulzi speculated that Viceroy and CTS Lab were profit sharing for shorting, while Facebook's chief security officer Alex Stamos warned against a future where security research is driven by short selling.

[...] There's no evidence that CTS Labs worked with Viceroy to short AMD. But something like that has happened before. In 2016, security research firm MedSec found vulnerabilities in pacemakers made by St. Jude Medical. In what was likely a first, MedSec partnered with hedge fund Muddy Waters to bet against St. Jude Medical's stock. For Adrian Sanabria, director of research at security firm Threatcare and a former analyst at 451 Research, where he covered the cybersecurity industry, trying to short based on vulnerabilities just doesn't make much sense. While it could work in theory and could become more common in the future, he said in a phone call, "I don't think we've seen enough evidence of security vulnerabilities really moving the stock for it to really become an issue." Further reading: Linus Torvalds slams CTS Labs over AMD vulnerability report (ZDNet).

Seriously? Peddling the fake propaganda a second t

[Anonymous Coward]

The last time this shit was posted, we established that the prerequisites for those "vulnerabilities" were ridiculous, requiring *at least* admin access, or even installing a hacked bios first! We also established that CTS labs were in bed with Intel had created the domain for this only right before publishing it. Apart from the fact that everyone agreed that giving AMD only such a short time to react befor publishing it, was completely unprofessional and a "hit job". (To which I agree.)

So, do you plan on posting it until people believe it because we have given up on remindig everyone, or have you now brought your sock puppet troll army to silence everyone?

Seriously, in my world, you need to go to prison over this!

Re: Seriously? Peddling the fake propaganda a sec

[theshowmecanuck]

Manipulating markets with lies. Actually I thought that *was* grounds for prison.

Re: Seriously? Peddling the fake propaganda a sec

[ShanghaiBill]

Manipulating markets with lies. Actually I thought that *was* grounds for prison.

They are not lying. They are stating facts and opinions, and mixing them to confuse naive investors. They preface many sentences with "We believe" and "We may". This "obituary" was almost certainly reviewed by lawyers, to ensure that it got as close to "the line" as possible, without crossing it.

You can fool some of the people some of the time, and for securities manipulation, that is enough.

Re:

[theshowmecanuck]

I don't think regulators will let people hide behind 'opinions' anymore. Especially when they say it is such an extremely dire vulnerability, when in fact it is not so dire. Moderate at best. It seems pretty evident when (their lawyers obviously did tell them to include that) they have financial interest in AMD and are partnering with a financial brokerage. If they bought stocks hoping them to rise they wouldn't make such extreme (likely bullshit) proclamations and then give AMD only a day to look at them.

Re:

[lsatenstein]

Manipulating markets with lies. Actually I thought that *was* grounds for prison.

They are not lying. They are stating facts and opinions, and mixing them to confuse naive investors. They preface many sentences with "We believe" and "We may". This "obituary" was almost certainly reviewed by lawyers, to ensure that it got as close to "the line" as possible, without crossing it.

You can fool some of the people some of the time, and for securities manipulation, that is enough.

I have a Intel q9650 system. It has no EFI bios, it relies on Linux and Selinux security features. The TPM for my Asus P5Q is a plug in chip.
So, the TPM is replaceable by someone when a technician comes over and pretends he is installing new hardware, as opposed to replacing a Security chip with one allowing dual access.
Yes, anyone who has physical access to the computer can install new bios's, replace TPMs and even replace CPU Microcode fixes.
This problem is no different from my taking my car to a local g

Re:

[Alain Williams]

I for one stopped buying AMD processors since they introduced PSP

So: who did you warn about the PSP (introduced about 2013 [wikipedia.org]) ? If you did not use AMD or Intel processors, what were you using ?

Re:

[Anonymous Coward]

PrePSP processors..

Re: Seriously? Peddling the fake propaganda a se

[Anonymous Coward]

AMD could open source the code for review to prove there are no backdoors.

Re:

[jimtheowl]

So could Intel, Microsoft and everybody else for that matter. It is not going to happen.

Re:

[RhettLivingston]

AMD investors are down a few 100 million dollars right now. The lab is an "insider" in this case. If any portion of that ended up in pockets of people who were given information ahead of time that enabled them to make money on shorts, they committed insider trading. There is no reason why this form of stealing should get different time than any other. It would certainly have involved enough money to qualify as grand larceny.

Re: Seriously? Peddling the fake propaganda a sec

[theshowmecanuck]

So someone is going to hire a crew of thousands in some mythical shipping department to individually inject malware into chips individually so that it actually becomes much of a threat. You don't happen to with for the mythological Intel associated CTS labs so you? What a fucking moron.

Re:

[HiThere]

IIRC someone did something similar for some Cisco routers. It was a targeted attack, not a global attack, but it wasn't narrowly targeted.

So the scenario isn't unreasonable. A state actor would be the most likely perpetrator, and the attacks would be mildly targeted (systems shipped from location X to foreign location Y between dates D1 and D2). Saying this can't be done is denying that things that have been detected once can happen again.

Re:

[theshowmecanuck]

Not denying it, but this is a (pretty much extreme) edge case. The only place where it would cause widespread issues is, per your example, at router manufacturers. Those are the only items where few instances can affect many. I don't see people doing this on every chip going into workstations or servers. It just isn't practical.

Re:

[thegarbz]

The last time this shit was posted, we established that the prerequisites for those "vulnerabilities" were ridiculous, requiring *at least* admin access

All of which has nothing to do with TFA or TFS which is all about how perception can affect stock market changes. Take a breath, read the summary, participate in intellectual conversations and wipe the froth from your mouth.

Markets dont care

[borcharc]

Markets have shown little care in the face of computer security issues. You may get a few day drop but nothing lasting. Look at Intel, Target, or anyone else. It's just not that big of a deal to investors or consumers.

Re:

[gregfortune]

I don't think the duration of the drop is really that relevant to the accusation being leveled against CTS Labs. More important is the volume of the drop, the knowledge that it is likely to occur and when it is most likely to occur. If there was indeed collusion and CTS Labs benefited financially from the timing of their announcement, that's illegal.

Re:

[borcharc]

I am not in agreement that its illegal. I can research a company and find something I think is negative about them and sell that information to a 3rd party who intends to short the stock. No one is accusing CTS labs of having material inside information about AMD. The information CTS has was independently discovered by them. If this was illegal every short equity operation (Muddy Waters, etc) would be shut down. The most troubling thing about this is the text of the Viceroy Research report. Saying a company

Re:

[HiThere]

Your assertion that those actions aren't illegal is, at best, questionable. IIUC they would be guilty of stock market manipulation and you would be and accessory before the fact.

OTOH, it is true that such crimes are rarely prosecuted, and are difficult to detect. This doesn't keep them from being crimes.

Re:

[gregfortune]

Sure. So did you find information in your research that's publicly available? No harm, no foul from what I understand.

How about information that is not publicly available? Now we're in a little different spot. Now let's add that you intentional disseminate that information publicly after having sold the privileged information to a third party who acted on that information to purchase a security with an expectation that your public release of the information will affect price of the security? From what I

Re:

[KruiserX]

They do care about opinions/reports, that's where Viceroy thrives. They were up to similar antics in South Africa, that time in banking. https://www.fin24.com/Companie... [fin24.com]

Even if true...

[fazig]

Invulnerabilities of the Security Processor had been reported to AMD last year by researchers from Google. Apparently AMD found a workaround by letting people disable the entire PSP. Considering that both the "Masterkey" and "Ryzenfall" vulnerability groups allegedly depend on exploiting the PSP, these problems already appear to be fixed by AMD, somewhat.
So if someone with a Ryzen is concerned there's something they can do about it. Source: https://www.bleepingcomputer.c... [bleepingcomputer.com]

Re:

[fazig]

Well, I meant vulnerabilities there, not invulnerabilities.

Re:

[ravenshrike]

Clearly you should find out by sneaking into CTS Labs, stealing the technical data on the vulnerabilities they purportedly found, hack the PSP itself without removing the code to disable it, and test the hacked PSP while it's disabled to see if it can execute code. Until you do that however, you're just pissing upwind and splattering everyone with it.

Securities fraud

[Bruce Perens]

Just in case it isn't clear enough to you, buying a security with insider knowledge of an unannounced problem with the company, then announcing the problem in the expectation that the announcement will manipulate the price of the stock, and attempting to profit from that, is securities fraud. It is the kind of thing that should be investigated by the Securities and Exchange Commission, and charges should be filed if appropriate.

Re:Securities fraud

[Bruce Perens]

And yes, this also applies to purchasing short positions in the same stock before that sort of announcement.

Re:

[macklin01]

Thanks, Bruce. That was my first question at this story, and I appreciate hearing it from your expertise!!!!

Re:

[ebcdic]

But is information you have found out yourself, or from someone unrelated to the company, "insider knowledge"? In what sense are these people insiders?

Re:

[Actually, I do RTFA]

Look at Mark Cuban's investor newspaper. Its business model was to research and publish news about companies, but between research and publication Mark would invest in them (long or short positions). The SEC sued him. His blog has a lot of details.

Cuban won

[raymorris]

The SEC went after Mark Cuban and Cuban won. The Cuban case is an example of what is NOT insider trading.

Also if you look at the SEC web site it says illegal insider trading is:
--
  buying or selling a security, in breach of a fiduciary duty or other relationship of trust and confidence,
--

The fiduciary duty is the duty that corporate officers, the company's lawyer, etc, have to look out for the interests of the company (stockholders) rather than their own personal gain. I have no "relationship of trust and confidence", no fiduciary duty, with Intel or AMD. Therefore, according to the SEC I can buy and sell AMD or Intel stock based on WHATEVER information I have, as long as I didn't get that information secretly from someone who has a "relationship of trust and confidence" with the company, such as a corporate officer.

Re:

[Train0987]

Manipulating the markets even without insider knowledge is also technically illegal but virtually impossible to prove or prosecute. People are allowed to have opinions and publish them even if they are wrong. People are also allowed to speculate financially based on their opinions.

Re:

[Khyber]

"People are allowed to have opinions and publish them even if they are wrong."

Not if it involves being done to intentionally damage a company and is wholly misleading and defamatory, it sure as fuck is not.

Re:

[ravenshrike]

I wonder how they got the digitally signed drivers to test with. Depending on any contracts signed that very well could put them in the wheelhouse of insider trading. Either that or that portion of the 'security flaws' is entirely a theoretical attack with no actual proof of concept done on it at all.

Re:Securities fraud

[Luthair]

Its not clear that this would be considered insider knowledge to me. The normal modus operandi for short sellers is to do a significant amount of research on companies looking for flaws, wrong doing, etc. purchase a position then try to build uncertainty by hyping a press release.

Previously unknown security vulnerabilities don't seem much different than accounting fraud assuming neither has a source inside the company.

Re:

[Train0987]

First, the SEC only has civil jurisdiction, meaning they can ONLY fine people and companies. The SEC brings civil suits, most of which are settled for pennies while the targets never have to admit any wrongdoing. Only the most egregious fraud gets the attention of the FBI who can pursue criminal charges.

Oh, and everything being claimed in the article is completely legal if the author of the hit pieces disclosed their position. And yes, saying "we may or may not have a financial interest in publishing thi

Re:

[DivineKnight]

Indeed. But now we have to contend with mismanaged funds (always a problem), and idiot savants using AI algorithms to scour newsfeeds for good / bad information (and automatically engage in buying / selling).

And they really went SEO over this one. The Asus forums I frequent all had interesting "posts" about this problem, typically followed by a single post stating that one must acquire admin rights before anything can be exploited (and if they already have admin rights, they don't exactly need an exploit at

Re:

[borcharc]

Wrong. If a 3rd party independently discovers information that is non-public but adverse to a public company they can do whatever they wish with it. If AMD employees in possession of non-public information made trades based on it, they would be in trouble. But in that situation, AMD would have had to know prior to any public release. As it stands now, the information is public and anyone can trade based on it.

Re:

[DRJlaw]

Here's the problem with your post, the second they disclosed it to AMD, legally they became insiders.

Not even close. An "insider" is a person with a fiduaciary or similar duty to the company, and "insider trading" requires trading on information obtained from such a person, whether one is an insider or not.

An outsider disclosing information to AMD does not become a fiduciary to AMD or come under some similar duty unless they've gone and done something like signed a non-disclosure agreement. Giving outside

Re:

[Train0987]

"Someone looks in the trashcan, picks up the folder, reads the results, and decides to trade on the stock based on the financial results. This person is NOT guilty of insider trading."

Tell that to Martha Stewart. She went to prison for selling her position in ImClone based on a tip from a broker who noticed ImClone's CEO was dumping his stock. That's all it took for her to be guilty of insider trading.

Trading based on information not known to the public at large is all it takes to be in violation of insid

Re:

[imrahilj]

"Someone looks in the trashcan, picks up the folder, reads the results, and decides to trade on the stock based on the financial results. This person is NOT guilty of insider trading."

Tell that to Martha Stewart. She went to prison for selling her position in ImClone based on a tip from a broker who noticed ImClone's CEO was dumping his stock. That's all it took for her to be guilty of insider trading.

Trading based on information not known to the public at large is all it takes to be in violation of insider-trading laws regardless of how you came into that information.

Didn't she go to prison for lying about what she did, rather than directly for what she did?

Re:

[Agripa]

Tell that to Martha Stewart. She went to prison for selling her position in ImClone based on a tip from a broker who noticed ImClone's CEO was dumping his stock.

"Stewart was found guilty in March 2004 of felony charges of conspiracy, obstruction of an agency proceeding, and making false statements to federal investigators."

Which is another way of saying she talked her way into jail and should have taken legal advice to shut up.

The Securities Exchange Commission disagrees with

[raymorris]

The statute, and the SEC, disagree with you.

If you look at the SEC web site it says illegal insider trading is:
--
buying or selling a security, in breach of a fiduciary duty or other relationship of trust and confidence,
--

The fiduciary duty is the duty that corporate officers, the company's lawyer, etc, have to look out for the interests of the company (stockholders) rather than their own personal gain. I have no "relationship of trust and confidence", no fiduciary duty, with Intel or AMD. The

Re:

[ripvlan]

hmm... you might want to ask Martha Stewart about that definition. She received a tip that the CEO of the company had sold all his shares - and she acted accordingly. But I don't believe she was an officer of the company.

Pump and Dump schemes are illegal too. https://en.wikipedia.org/wiki/... [wikipedia.org]

Actually this CTS instance might be considered "Short and Distort"

She wasn't convicted of Securities Fraud

[rsilvergun]

Martha Stewart was convicted of lying to an officer. She tried to cover up what she did. Also, she was on the board of directors of the Stock Exchange, which probably gave her a fiduciary duty (tangentially). But even that wouldn't have stuck if she'd just come clean.

Rule 10b-5

[raymorris]

Stewart wasn't held liable for most of the things in the SEC complaint because she was neither an officer of the company nor did she get the information from one. She basically went to prison for lying about the whole thing (obstruction of justice, etc.)

Pump and dump is covered under rule 10b-5: Employment of Manipulative and Deceptive Practices. What's illegal is to LIE about a company in order to fraudulently manipulate the stock price. Telling the truth about a company is not only okay, but encouraged.

Re:Securities fraud- Market manipulation?

[ripvlan]

That's what I came here to ask. It seems like market manipulation - similar to the penny stock pump and dump schemes.

So is it? It's hard to believe that the folks at CTS et al aren't aware of SEC rules, esp brazenly including a comment in the disclosure. It's kind of like those YouTube disclaimers "I don't own this content - any Copyrighted material is owned by other entities" -- yeah that makes it all better.

And as somebody else above noted - the security holes aren't really all that concerning requi

Re:

[ripvlan]

ah ha - answered my own question

https://en.wikipedia.org/wiki/... [wikipedia.org]

This might be considered "Short and Distort"

Its criminally minded people trying this out

[gweihir]

So far, it does not seem to work against AMD, good. And the attempt was on low amateur level in addition, like a lot of crime. Of course, a lot of the press response was also on low amateur level (whatever happened to verifying stories before publishing?), so some small-time investors may have gotten spooked. I hope the SEC and others looks into this ruthlessly.

AMD is down!

[Anonymous Coward]

As of this posting, AMD is down by a whopping -0.06. I do not think this does what you wanted it to do.

Obvious stock market manipulation

[Khyber]

And Dan Guido is prime helper number one in this crime.

Re:

[Khyber]

Slashdot is helper number two given they're spreading this bullshit without any good reason. I wonder if slashdot has some skin in this game?

Nothing suspicious here

[TimothyHollins]

Hey guys, I'm one of you, a neutral third party financially uninvolved in any of this.
Let's all go and buy Intel processors because they don't have any of these critical security flaws that are just so much more noteworthy than boring and harmless Spectre and Meltdown. And who even remembers those? They are so 2017, am I right?

Also did you know that when you support Intel you support small independent security researchers of the highest ethical and moral standards? Wow, if that isn't standing up for the lit

Re:

[drinkypoo]

AMD isn't the little guy.
This is Ford vs. Chevy stuff.

No, not even close. Ford and GM are on roughly equal footing. Sometimes one leads the other. But the courts have decided more than once now that Intel not only has a dominant position in the market, but that they have abused it — specifically against AMD.

You, cowardly sir, are an Intel shill.

Re:

[nedlohs]

Ford's market cap is $43.61B, General Motor's market cap is $52.80B. One is 83% of the size of the other.

AMD's market cap is $10.94B. Intel's' market cap is $239.19B. On is 5% of the size of the other.

Those are nothing like similar.

Re:

[TooManyNames]

Can't recall off the top of my head, but I think Spectre is an Intel-specific variant of the generic Meltdown vulnerability, which basically impacts all speculative processors (so everything currently in use). In other words, the vulnerability isn't just Intel's problem.

Also, I very much doubt that Intel had anything to do with this security firm's announcement, or the investment journal's "obituary." I'd suspect that that's more just run-of-the-mill profiteering from basically worthless outlets looking to

Re:

[Xtifr]

The other way around, actually. Meldown is the Intel-specific* (and far more severe) of the three related vulnerabilities. (The other two are collectively called Spectre.) Meltdown requires drastic changes to the OS kernels, which have a big impact on performance. Linux, at least, put an "if (cpu_vendor != AMD)" around their performance-inhibiting Meltdown fixes. The Spectre vulnerabilities, on the other hand, don't require the same sort of low-level OS patches. They need changes to apps, and we'll be deali

Re:

[HiThere]

IIUC Spectre requires hardware level changes to all processors that engage in speculative execution. Also it requires a level of access not required by the Meltdown flaw (i.e. Intel) and is also not as privilege breaking.

That said, Spectre still needs to be addressed, it's just that no remote exploits are yet known. But Meltdown (Intel) is remotely exploitable by, e.g., web browser javascript.

The current articles attaching AMD are almost certainly either psychowar or attempted market manipulation (or some

Not without your help, duche!

[xxxLCxxx]

Not without your help, duche!
I can't believe this is still being spread...

maybe CTS Labs can find out what happen drop soap

[Joe_Dragon]

maybe CTS Labs can find out what happens when you drop the soap!

Questions.

[Norman Haga]

1. What is Intel's stake in putting AMD out of business.
2. How much is Intel paying for this hit piece?

Re:

[Anonymous Coward]

I don't think Intel had anything to do with this. This was a group of people trying to profit on a short term drop in AMD stock at a time of their choosing. Very sleezy and illegal manipulation. Long term it would help AMD and make Intel look bad if it were to come out Intel had anything to do with it.

If AMD ever does go under, Intel will be facing ant-trust issues... it needs to keep a competitor for that alone.

Re:

[HiThere]

Valid questions, but you put too much certainty behind them. Certainly I suspect that Intel somehow sponsored this, but I don't see any reason to feel certain. MS also has derived some benefit from this, as it's distracted people from complaining about MSWindows10 misdeeds. And it could be a pure attempt at financial gain by manipulating the stock market. There are probably a few other possibilities.