Catch up on stories from the past week (and beyond) at the Slashdot story archive


Forgot your password?
Security AMD Businesses The Almighty Buck

Can AMD Vulnerabilities Be Used To Game the Stock Market? ( 106

Earlier this week, a little-known security firm called CTS Labs reported, what it claimed to be, severe vulnerabilities and backdoors in some AMD processors. While AMD looks into the matter, the story behind the researchers' discovery and the way they made it public has become a talking point in security circles. The researchers, who work for CTS Labs, only reported the flaws to AMD shortly before publishing their report online. Typically, researchers give companies a few weeks or even months to fix the issues before going public with their findings. To make things even stranger, a little bit over 30 minutes after CTS Labs published its report, a controversial financial firm called Viceroy Research published what they called an "obituary" for AMD. Motherboard reports: "We believe AMD is worth $0.00 and will have no choice but to file for Chapter 11 (Bankruptcy) in order to effectively deal with the repercussions of recent discoveries," Viceroy wrote in its report. CTS Labs seemed to hint that it too had a financial interest in the performance of AMD stock. "We may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports," CTS Labs wrote in the legal disclaimer section of its report.

On Twitter, rumors started to swirl. Are the researchers trying to make money by betting that AMD's share price will go down due to the news of the vulnerabilities? Or, in Wall Street jargon, were CTS Labs and Viceroy trying to short sell AMD stock? Security researcher Arrigo Triulzi speculated that Viceroy and CTS Lab were profit sharing for shorting, while Facebook's chief security officer Alex Stamos warned against a future where security research is driven by short selling.

[...] There's no evidence that CTS Labs worked with Viceroy to short AMD. But something like that has happened before. In 2016, security research firm MedSec found vulnerabilities in pacemakers made by St. Jude Medical. In what was likely a first, MedSec partnered with hedge fund Muddy Waters to bet against St. Jude Medical's stock. For Adrian Sanabria, director of research at security firm Threatcare and a former analyst at 451 Research, where he covered the cybersecurity industry, trying to short based on vulnerabilities just doesn't make much sense. While it could work in theory and could become more common in the future, he said in a phone call, "I don't think we've seen enough evidence of security vulnerabilities really moving the stock for it to really become an issue."
Further reading: Linus Torvalds slams CTS Labs over AMD vulnerability report (ZDNet).
This discussion has been archived. No new comments can be posted.

Can AMD Vulnerabilities Be Used To Game the Stock Market?

Comments Filter:
  • by Anonymous Coward on Thursday March 15, 2018 @10:55AM (#56264437)

    The last time this shit was posted, we established that the prerequisites for those "vulnerabilities" were ridiculous, requiring *at least* admin access, or even installing a hacked bios first! We also established that CTS labs were in bed with Intel had created the domain for this only right before publishing it. Apart from the fact that everyone agreed that giving AMD only such a short time to react befor publishing it, was completely unprofessional and a "hit job". (To which I agree.)

    So, do you plan on posting it until people believe it because we have given up on remindig everyone, or have you now brought your sock puppet troll army to silence everyone?

    Seriously, in my world, you need to go to prison over this!

    • The last time this shit was posted, we established that the prerequisites for those "vulnerabilities" were ridiculous, requiring *at least* admin access

      All of which has nothing to do with TFA or TFS which is all about how perception can affect stock market changes. Take a breath, read the summary, participate in intellectual conversations and wipe the froth from your mouth.

  • by borcharc ( 56372 ) * on Thursday March 15, 2018 @12:01PM (#56264619)

    Markets have shown little care in the face of computer security issues. You may get a few day drop but nothing lasting. Look at Intel, Target, or anyone else. It's just not that big of a deal to investors or consumers.

    • I don't think the duration of the drop is really that relevant to the accusation being leveled against CTS Labs. More important is the volume of the drop, the knowledge that it is likely to occur and when it is most likely to occur. If there was indeed collusion and CTS Labs benefited financially from the timing of their announcement, that's illegal.

      • by borcharc ( 56372 ) *

        I am not in agreement that its illegal. I can research a company and find something I think is negative about them and sell that information to a 3rd party who intends to short the stock. No one is accusing CTS labs of having material inside information about AMD. The information CTS has was independently discovered by them. If this was illegal every short equity operation (Muddy Waters, etc) would be shut down. The most troubling thing about this is the text of the Viceroy Research report. Saying a company

        • by HiThere ( 15173 )

          Your assertion that those actions aren't illegal is, at best, questionable. IIUC they would be guilty of stock market manipulation and you would be and accessory before the fact.

          OTOH, it is true that such crimes are rarely prosecuted, and are difficult to detect. This doesn't keep them from being crimes.

        • Sure. So did you find information in your research that's publicly available? No harm, no foul from what I understand.

          How about information that is not publicly available? Now we're in a little different spot. Now let's add that you intentional disseminate that information publicly after having sold the privileged information to a third party who acted on that information to purchase a security with an expectation that your public release of the information will affect price of the security? From what I

    • They do care about opinions/reports, that's where Viceroy thrives. They were up to similar antics in South Africa, that time in banking. []
  • by fazig ( 2909523 ) on Thursday March 15, 2018 @12:08PM (#56264659)
    Invulnerabilities of the Security Processor had been reported to AMD last year by researchers from Google. Apparently AMD found a workaround by letting people disable the entire PSP. Considering that both the "Masterkey" and "Ryzenfall" vulnerability groups allegedly depend on exploiting the PSP, these problems already appear to be fixed by AMD, somewhat.
    So if someone with a Ryzen is concerned there's something they can do about it. Source: https://www.bleepingcomputer.c... []
    • by fazig ( 2909523 )
      Well, I meant vulnerabilities there, not invulnerabilities.
  • Securities fraud (Score:5, Insightful)

    by Bruce Perens ( 3872 ) <> on Thursday March 15, 2018 @12:08PM (#56264663) Homepage Journal
    Just in case it isn't clear enough to you, buying a security with insider knowledge of an unannounced problem with the company, then announcing the problem in the expectation that the announcement will manipulate the price of the stock, and attempting to profit from that, is securities fraud. It is the kind of thing that should be investigated by the Securities and Exchange Commission, and charges should be filed if appropriate.
    • Re:Securities fraud (Score:4, Informative)

      by Bruce Perens ( 3872 ) <> on Thursday March 15, 2018 @12:12PM (#56264689) Homepage Journal
      And yes, this also applies to purchasing short positions in the same stock before that sort of announcement.
    • Re: (Score:2, Redundant)

      by macklin01 ( 760841 )
      Thanks, Bruce. That was my first question at this story, and I appreciate hearing it from your expertise!!!!
    • by ebcdic ( 39948 )

      But is information you have found out yourself, or from someone unrelated to the company, "insider knowledge"? In what sense are these people insiders?

      • Look at Mark Cuban's investor newspaper. Its business model was to research and publish news about companies, but between research and publication Mark would invest in them (long or short positions). The SEC sued him. His blog has a lot of details.

        • Cuban won (Score:5, Informative)

          by raymorris ( 2726007 ) on Thursday March 15, 2018 @01:14PM (#56265189) Journal

          The SEC went after Mark Cuban and Cuban won. The Cuban case is an example of what is NOT insider trading.

          Also if you look at the SEC web site it says illegal insider trading is:
            buying or selling a security, in breach of a fiduciary duty or other relationship of trust and confidence,

          The fiduciary duty is the duty that corporate officers, the company's lawyer, etc, have to look out for the interests of the company (stockholders) rather than their own personal gain. I have no "relationship of trust and confidence", no fiduciary duty, with Intel or AMD. Therefore, according to the SEC I can buy and sell AMD or Intel stock based on WHATEVER information I have, as long as I didn't get that information secretly from someone who has a "relationship of trust and confidence" with the company, such as a corporate officer.

    • Re:Securities fraud (Score:4, Informative)

      by Luthair ( 847766 ) on Thursday March 15, 2018 @12:25PM (#56264805)

      Its not clear that this would be considered insider knowledge to me. The normal modus operandi for short sellers is to do a significant amount of research on companies looking for flaws, wrong doing, etc. purchase a position then try to build uncertainty by hyping a press release.

      Previously unknown security vulnerabilities don't seem much different than accounting fraud assuming neither has a source inside the company.

    • First, the SEC only has civil jurisdiction, meaning they can ONLY fine people and companies. The SEC brings civil suits, most of which are settled for pennies while the targets never have to admit any wrongdoing. Only the most egregious fraud gets the attention of the FBI who can pursue criminal charges.

      Oh, and everything being claimed in the article is completely legal if the author of the hit pieces disclosed their position. And yes, saying "we may or may not have a financial interest in publishing thi

      • Indeed. But now we have to contend with mismanaged funds (always a problem), and idiot savants using AI algorithms to scour newsfeeds for good / bad information (and automatically engage in buying / selling).

        And they really went SEO over this one. The Asus forums I frequent all had interesting "posts" about this problem, typically followed by a single post stating that one must acquire admin rights before anything can be exploited (and if they already have admin rights, they don't exactly need an exploit at

    • by borcharc ( 56372 ) *

      Wrong. If a 3rd party independently discovers information that is non-public but adverse to a public company they can do whatever they wish with it. If AMD employees in possession of non-public information made trades based on it, they would be in trouble. But in that situation, AMD would have had to know prior to any public release. As it stands now, the information is public and anyone can trade based on it.

    • The statute, and the SEC, disagree with you.

      If you look at the SEC web site it says illegal insider trading is:
      buying or selling a security, in breach of a fiduciary duty or other relationship of trust and confidence,

      The fiduciary duty is the duty that corporate officers, the company's lawyer, etc, have to look out for the interests of the company (stockholders) rather than their own personal gain. I have no "relationship of trust and confidence", no fiduciary duty, with Intel or AMD. The

      • hmm... you might want to ask Martha Stewart about that definition. She received a tip that the CEO of the company had sold all his shares - and she acted accordingly. But I don't believe she was an officer of the company.

        Pump and Dump schemes are illegal too. []

        Actually this CTS instance might be considered "Short and Distort"

        • Martha Stewart was convicted of lying to an officer. She tried to cover up what she did. Also, she was on the board of directors of the Stock Exchange, which probably gave her a fiduciary duty (tangentially). But even that wouldn't have stuck if she'd just come clean.
        • Stewart wasn't held liable for most of the things in the SEC complaint because she was neither an officer of the company nor did she get the information from one. She basically went to prison for lying about the whole thing (obstruction of justice, etc.)

          Pump and dump is covered under rule 10b-5: Employment of Manipulative and Deceptive Practices. What's illegal is to LIE about a company in order to fraudulently manipulate the stock price. Telling the truth about a company is not only okay, but encouraged.

    • That's what I came here to ask. It seems like market manipulation - similar to the penny stock pump and dump schemes.

      So is it? It's hard to believe that the folks at CTS et al aren't aware of SEC rules, esp brazenly including a comment in the disclosure. It's kind of like those YouTube disclaimers "I don't own this content - any Copyrighted material is owned by other entities" -- yeah that makes it all better.

      And as somebody else above noted - the security holes aren't really all that concerning requi

    • ah ha - answered my own question []

      This might be considered "Short and Distort"

  • So far, it does not seem to work against AMD, good. And the attempt was on low amateur level in addition, like a lot of crime. Of course, a lot of the press response was also on low amateur level (whatever happened to verifying stories before publishing?), so some small-time investors may have gotten spooked. I hope the SEC and others looks into this ruthlessly.

  • by Anonymous Coward

    As of this posting, AMD is down by a whopping -0.06. I do not think this does what you wanted it to do.

  • And Dan Guido is prime helper number one in this crime.

    • by Khyber ( 864651 )

      Slashdot is helper number two given they're spreading this bullshit without any good reason. I wonder if slashdot has some skin in this game?

  • Hey guys, I'm one of you, a neutral third party financially uninvolved in any of this.
    Let's all go and buy Intel processors because they don't have any of these critical security flaws that are just so much more noteworthy than boring and harmless Spectre and Meltdown. And who even remembers those? They are so 2017, am I right?

    Also did you know that when you support Intel you support small independent security researchers of the highest ethical and moral standards? Wow, if that isn't standing up for the lit

    • Can't recall off the top of my head, but I think Spectre is an Intel-specific variant of the generic Meltdown vulnerability, which basically impacts all speculative processors (so everything currently in use). In other words, the vulnerability isn't just Intel's problem.

      Also, I very much doubt that Intel had anything to do with this security firm's announcement, or the investment journal's "obituary." I'd suspect that that's more just run-of-the-mill profiteering from basically worthless outlets looking to

      • by Xtifr ( 1323 )

        The other way around, actually. Meldown is the Intel-specific* (and far more severe) of the three related vulnerabilities. (The other two are collectively called Spectre.) Meltdown requires drastic changes to the OS kernels, which have a big impact on performance. Linux, at least, put an "if (cpu_vendor != AMD)" around their performance-inhibiting Meltdown fixes. The Spectre vulnerabilities, on the other hand, don't require the same sort of low-level OS patches. They need changes to apps, and we'll be deali

        • by HiThere ( 15173 )

          IIUC Spectre requires hardware level changes to all processors that engage in speculative execution. Also it requires a level of access not required by the Meltdown flaw (i.e. Intel) and is also not as privilege breaking.

          That said, Spectre still needs to be addressed, it's just that no remote exploits are yet known. But Meltdown (Intel) is remotely exploitable by, e.g., web browser javascript.

          The current articles attaching AMD are almost certainly either psychowar or attempted market manipulation (or some

  • Not without your help, duche!
    I can't believe this is still being spread...
  • maybe CTS Labs can find out what happens when you drop the soap!

  • 1. What is Intel's stake in putting AMD out of business.
    2. How much is Intel paying for this hit piece?

    • by Anonymous Coward

      I don't think Intel had anything to do with this. This was a group of people trying to profit on a short term drop in AMD stock at a time of their choosing. Very sleezy and illegal manipulation. Long term it would help AMD and make Intel look bad if it were to come out Intel had anything to do with it.

      If AMD ever does go under, Intel will be facing ant-trust issues... it needs to keep a competitor for that alone.

    • by HiThere ( 15173 )

      Valid questions, but you put too much certainty behind them. Certainly I suspect that Intel somehow sponsored this, but I don't see any reason to feel certain. MS also has derived some benefit from this, as it's distracted people from complaining about MSWindows10 misdeeds. And it could be a pure attempt at financial gain by manipulating the stock market. There are probably a few other possibilities.

Variables don't; constants aren't.