Sounds like a smear campaign just before release of AMD 2000 series of CPUs. also giving 24hr notice when 6 month period is mandatory in Israel is real fishy.
On their own website: "The report and all statements contained herein are opinions of CTS and are not statements of fact. To the best of our ability and belief, all information contained herein is accurate and reliable, and has been obtained from public sources we believe to be accurate and reliable. Although we have a good faith belief in our analysis and believe it to be objective and unbiased, you are advised that we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports." and even more fishy: "...CTS reserves the right to refrain from updating this website even as it becomes outdated or inaccurate."
And to top that off paper not peer-reviewed, like all scientific publications should have been.
Domain registered as AMDFlaws.
Like Carmen00 said it sounds like a gun for hire running smear campaign for competition and media sites like Techpowerup and others running clickbait titles to generate traffic through spreading bullshit.
Just don't click ok when you get a: "program bql257839rly requires administrator privileges" and you'll be fine. Also if i have to tell you that you probably should not be using a computer. Another fun fact; with administrator privileges you can already access the whole computer so they might as well just copy your files and be done with it.
Yes, they seem to be implying that anyone with this level of access can then gain uncontrolled access to the network and systems on it... to which the answer is "duh, you're an admin".
The supposed exploits are pretty stupid.. all of them require the person to access the machine and have administrator privileges.
At that point ANY machine would become vulnerable.
In the research papers they mention modifying the BIOS, which also requires direct access. And others of installing a "modified" and injected with the exploit drivers to be installed.
Requiring admin rights makes it a second-stage attack, but you guys are all missing the main point of concern: the attack is such that, after it is carried out, the malware runs on a "secure processor", in a "protected domain" - and is therefore undetectable by most (if not all) antimalware scanner software.
Lots of attacks might require root or admin privileges, and result in exfiltration of data or installation of malware - but in most of those cases, the "infection" can at least be detected and fixed by antimalware tools. But that is not in the case for the bugs being alleged on AMD's systems here.
Even without this protected black box the average time an attacker stays on system is 288 days. While this is concerning, a few things.
The report is dubious. Ignoring all other things like timing, the disclaimer, the fake video, the lack of peer review, the viceroy connection, etc. Actually reading the report and it reads more like a political hit piece than any whitepaper Ive ever read. There's an awful lot.of conjecture and assumption as well in regards to the asmedia chip, and all without showing any proof.
You wouldnt believe your buddy if he said he banged 3 hookers and one was your sister at face value, why when reading something just as outlandish are people taking it as gospel?
You're right about that facet being potentially concerning, boeush, although I'd still rank it lower than having a permanently active malware installation allowing my systems to be compromised externally (also known as Intel Management Engine). Try detecting that in your antimalware application, let alone the custom exploits written to take advantage of it.
Dude. What time is it in Israel? Shouldn't you and the rest of the CTS-Labs "team" be sleeping? Or did you guys end up botching your totally crap thought out plan end so bad you guys are having to pull all night damage control sessions on blogs/forums?
The lack of sleep seems to be affecting your job skills, as well as a number of basic cognitive abilities.
The disclaimers, the 24h notice, the inflammatory rhetorics, the news reports, all pointing toward AMD short sellers trying to do share bashing. The disclaimers are there to make sure they will not get into legal troubles.
The thing is, if their statements are opinions and not facts, they are not legally liable. Sad but that's the law. And yep, AMD stock price is dropping as I'm writing this.
Depending upon a jurisdiction's libel laws, an opinion can be defamatory. You don't have to claim something as a fact for a statement to damage a reputation or commercial interest.
They are trying to set up a public interest defence, but that only holds if there is an absence of malice (in most post-industrial countries). CTS-Labs would have to show the manner and content of their statement was not intended to have AMD. Refusing to update the website if their claims are disproven, similar to refusing to publish a correction, would for most courts be a smoking gun in a defamation lawsuit.
Funny thing is that for some jurisdictions truth is not a defence to defamation. It'll be interesting to see if they get sued, and under what court system...
They never made a statement of fact though. The disclaimer says we have a financial interest if harming amd and our statements are not facts just opinions. Which kind of begs the question why articles other than this one ran with the story so hard.
Statements of opinion aren't subject to defamation law, that's true. So the inflammatory rhetoric about "a complete disregard for security basics" or whatever is (in the US at least, the rest of the English speaking world has incredibly stupid defamation laws) protected speech. Making claims about a product that appear to be based on fact and then saying afterwards, "That's just, like my opinion, man," may not, though.
And I think the lesson we can all take away from this is don't give randos physical access to your server and let them flash the UEFI.
Sounds like they shorted AMD, before they released these exploits. ;-)
That doesn't change the fact that these exploits are real. But, I think they have some alternative motive here other then just letting the public know. It may be they just want to try to make a name for themselves. But, given the seriousness of these attacks, no one should claim that they were doing this disclosure for the public interest. Having the fact these vulnerabilities exist public is a security risk all of its own. It gives crackers information on where to try to undermine this platform. I would call this reckless.
The flaws are real. But a firm specializing in short selling, Viceroy Research, appears to have known ahead of time and exploited their knowledge. And if someone has root access to your system, you have a whole lot worse problems than this. And the actual flaw is in an ARM Cortex 5 chip. AMD's only mistake was choosing to trust ARM for secure computing instead of doing it themselves.
From what I can tell, Unlike Meltdown/Spectre these problems are in the support chips and likely will mean motherboards will need to be replace - not actual firm ware - this came from technical information provide on AMDFlaws
Their webpage is a bunch of links to google docs of random PDFs they pulled from the internet. Congratulations, anyone can do the same thing. You're a moron. I have a task for you, go read their disclaimer about how they are funded by a 3rd party and have a direct economic interests in the "findings" they published. Hopefully it wont be too hard for someone with such attention to detail.
I sense something; a presence I have not felt since.... oh wait, its an Intel fanboi, taking absolutely anything that is even slightly negative to AMD and grabbing it with both hands and running with it. Something tells me you subscribe to the theory "It's on the internet! It MUST be true!"
In case of Spectre and Meltdown all the involved parties Intel, AMD and ARM knew of the flaws in advance and it was only on 2nd Jan 2018 that those vulnerabilities were made known to public. Infact Intel had so much time in hand that it notified of the security vulnerabilities to Chinese authorities before US agencies. Here is statement for how Google operates Project zero: "Bugs found by the Project Zero team are reported to the manufacturer and only made publicly visible once a patch has been released or if 90 days have passed without a patch being released. The 90-day-deadline is Google's way of implementing responsible disclosure, giving software companies 90 days to fix a problem before informing the public so that users themselves can take necessary steps to avoid attacks." Unlike what this CTS-Labs did giving just 24hrs notice and then notifying press and AMD about the "flaws".
Did you read their whitepaper? obviously not and I am sure that even if you did you wouldn't understand it. Their tests were on intel and Arm platforms but NOT on amd, they speculated that AMD is _potentially_ vulnerable to Spectre... how can you present such claims in a research report is beyond me. We haven't seen yet any attack on AMD regarding the so called Spectre vulnerability and we will never see the Meltdown because it does not compute on AMD. You are a great marketing victim. Get educated.
There was no smear campaign. Intel and a lot of other tech companies were informed MONTHS before public release about spectre and meltdown. Intel just handled it very very badly, empowering the press to hammer them, correctly and justifiably, for their fumble.
Spectre affects most modern CPUs, was found by an independent researcher and Google and they had half a year to fix the issue. This here is completely different. It's from a new unknown company founded in 2017, only giving a 24h embargo and the full webpage and issue names are form a PR-Playbook to give AMD negative Publicity. meltdown wasn't releases on a page called intelflaws and isn't named Core-Melt or i7-fall or something similar stupid.
This clearly is either Intel behind or a large investor in intel wanting to protect his investment. Just ridiculously. For sure not buying intel anytime soon.
If you think that this is anything like Meltdown/Spectre, then you really need to start paying attention. With Meltdown/Spectre, there were respected academic security researchers who paid attention to responsible disclosure and very carefully built up their cases over a period of months. Here, you have a bunch of hired guns who come out of nowhere and 0-day a company with no regard whatsoever for the security impact on the public. Guess which one is going for maximum share price impact in the minimum possible time?
Meltdown and Spectre had a huge amount of time from notification to public release, and even then it was due to someone at Linux being stupid and committing code before he should have. This was 24 hours notification. Other security firms knew weeks prior, even reporters were contacted before AMD was, as the article states. Whatever is at the root of the issue here. Make no mistake CTS Labs behavior is reprehensible to say the list, one might argue it's borderline criminal.
Thanks to their: "This is all just our opinion" disclaimer (you must red the quote with a silly voice to understand the full idiotic impact of it), everything they write is legal. If they were to get sued it might be for defamation of character or something like that.
While i agree with all the responses to this comment that came before, i would use less insults. Luckily stating facts is still enough to deter HStewart from continuing the thread.
Horseshit. Elevated prompt and digitally signed driver cannot bypass virtual machine sandbox. And Flashing bios? Really? Hmm. You can just publish shit like this and short sale AMD shares to make a quick profit. Is it legal?
Who knows if even Intel, cut throat as it is, would allow itself to be behind such a low blow. As much as they must be feeling the heat of finally having some competition, it is hard to believe they would purposefully disclose a competitor serious flaws like this with a 24h notice. Or al least I hope. The hypothesis of stock marches manipulation is interesting and totally plausible. This "security" company is total bullshit and just a smear factory as obviously safety and security of the involved computer system is not their prime interest. It is going to be interesting to find out who is behind this
Oh boy, I really hope you go and purchase some new foil for your new hat. I highly doubt AMD would pay for this campaign against themselves JUST so that people assume its Intel, because Intel would sue the pants off of them if that became public. The other side of the coin is Intel would NOT chance having to pay AMD another billion dollars by being utterly stupid and paying for this campaign against AMD from this less than credible "security" company. However you are most definitely giving the conspiracy theory nutjobs something to drool about.
Yes, AMD would clearly out security flaws in their own products in a grand reverse-pyshcology ploy to make people"hate" Intel. That's how companies and indeed the world work, just like primary school.
In a side note my dad could take your dad in a fight so give me your lunch money.
"This is a PR stunt from AMD to get people to further hate Intel." I like your illustrating absurdity with absurdity, unfortunately it will pass way over all the haters heads. So, an AMD chipset has an errata, big whoop.<that's sarcasm> I agree this "security" company doesn't actually give a rip about security. A compromised computer hurts everyone because it will most likely be used to attack others(or at least spam). I don't see anyone really defending them releasing this w/o giving AMD a chance to patch first. On the other hand w/Meltdown/Spectre many claimed Intel was in the wrong for not mentioning it publically earlier and openly gloated and still do that Meltdown didn't effect AMD. So ya, this looks to me like a smear campaign/publicity stunt, however, smearing other companies not involved doesn't change that. It just puts you the same league as this "security lab" "<in quotes to show disdain>.
So by uncovering all these security flaws, it should hopefully push them into the limelight, allowing them to gain some relevancy and hopefully the money will flow later.
I've been in the security industry for a long time and this is NEVER the approach taken by any reputable security company. CTS-Labs looks like a bunch of guns for hire, and there are few prizes for guessing who's paying them for these particular 0-day vulns. This is a disturbing and sordid event, through and through.
Bullshit "security company" is bullshit. I wouldn't go so far as to say "underhanded Intel PR operation" (at least not yet), but this is not how real and responsible security companies with no agenda or axe to grind operate. That's not to say there are no flaws here (fun bonus question: what big chip company has lots of resources and partners in Israel to conduct competitive research?), but the way the release was handled screams Intel-adjacent (if not directly Intel sponsored) shenanigans.
True, Intel has been heavily invested in Israel for years. They built a VERY controversial plant on UN recognized Palestinian land, which must have been a political decision, not just a business decision. It is/was their second largest plant, and very important for the Israeli economy.
AMD was recently hit with two frivolous lawsuits related to the Meltdown/Spectre vulnerabilities. Both were brought by NY Jewish law firms, Rosen and Pomerantz.
I don't think Intel is behind the attacks on AMD but, considering AMD's astounding success over the last year with Ryzen and Intel's 'misfortune' with Spectre and Meltdown, it's quite feasible that some Intel Good Old Boys decided to take take AMD down a notch. Hey, that's the way things work.
That's nice and blunt (not sarcasm, i like the truth). If you held out for a few more day though this comment section would have enough lines for a movie script. It could be set in the not so distant future and have zombie Gordon Moore as the puppet-master.
Totally irresponsible disclosure. Also the exploits are overhyped given the level of access required already. The language is over the top as well. It seems to me that this is a hit job - maximum damage via the media, and I think it would be interesting to see just who has been funding this so-called security outfit.
Something is terribly wrong here.. and sounds like pure BS. - first link on google is a pain relief manufacturer site. - 24 Hour notice. - let me get this straight.. you need to flash the BIOS... so you basically need Admin access to the hardware... - Google Project Zero didn't find it
I echo what others say below my post/above it...sounds like a smear campaign AGAINST AMD, possibly from Nv or Intel to dissuade sales against AMD in favor of their other competitors when history has proven time and again I would not trust them either in comparison seeing as IMO AMD does whatever they possibly can to get as much performance and stability possible considering they do not have the sheer manpower/revenue others have and tend to have a far larger portfolio of products they attend to (not to mention a vast swath of "free" product provided to the industry at large they do not make a dime off of, whereas their immediate competitors are all about making $$$$$$$$$$ and proprietary everything even when not needed to do so)
Anyways, I personally think this just reeks of making mountain out of molehills possibly even making false claims against AMD for no other purpose but to shaft their stock valuation ahead of the next product launches they are about to have.
Frankly this kind of shady crap only makes me want to buy AMD more. I already suspect Intel shenanigans, and after what HardOCP published last week I also suspect Nvidia. May have to go all AMD on my next build, if only to support an honest company
PC Gamer's will make you feel nauseous. I left a freaking blistering response to the writer & editor that let that crap get out to publish the way it was written.
If I'm reading this brief correctly, the majority of these attacks seem to imply having physical access to the hardware as the initial "crack" into the security. Then it's through a malicious signed device driver (Windows) that... you can do to every other x86 arch.
If this is something that you could exploit on a hardened linux server remotely then that's an actual issue, otherwise this reads like it all builds on the usual windows script kiddy drive-bys.
This was a paid smear job. From their disclaimer on amdflaws.com:
"Although we have a good faith belief in our analysis and believe it to be objective and unbiased, you are advised that we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports"
They are getting paid. This is a hit job, nothing more.
This seems awfully suspicious, especially with that comment of ‘vulnerabilities amount to complete disregard of fundamental security principles’, which is a bunch of hogwash. There are some dirty tricks going on at CTS-Labs, and I have a feeling who is behind them.
that's hillarious.... yes, if i can sit in front of the hardware with admin access I would go ahead and first replace the BIOS and went all the way to exploit the processor from the backdoor through all the obscure memory channels when instead I could just tap the hard drive.
yeah this is very very credible threat....LOL, and this is only applicable to AMD somehow? If I can replace the BIOS to any system I can take over the world already.
If anything this sounds like a BIOS security issue, not a CPU flaw. what a shady hit job
On the other hand, if Intel is really behind all this and with all their mighty research power the only exploitable flaw they could find about AMD processors involves flashing the bios and then using a window signed driver, I would say AMD is in a pretty good shape, particularly if you compare to Intel completely fucked up Management Engine which is just a piece of malware allowing any Intel acquaintance to spy on what you do on your PC.
Meh. I've got a Ryzen system but I'm not really worried. If someone has already achieved admin level permissions on my system and has a malicious signed windows driver to install I'm already pretty much screwed. Stacking hardware based attacks on top of that are pretty much pointless.
The bios flash is even more pointless. These types of attacks are interesting and theoretically devastating but they are also by their nature hardware specific. If I'm the target of a three letter agency or some nation state I might be worried about this but not as an average Joe.
On top of that the disclosure was completely irresponsible and the whole process seems designed for max PR/FUD and not for serious security research. Hell the indications are they were working on making the website for this before they even told AMD about it.
CTS lab is apparently a security company established after Meltdown/Spectre vulnerabilities became known to involved partners but before it became known to the security industry. The senior people and researchers at the company appear to be mostly security consultants working for mainly Intel in the past. I smell a criminal defamation lawsuit.
In all prosessors Are bug. In intel, amd, qualcom... Name it. It all depends on how hard or easy it is to exploit these wulnerabilities. We don`t know at this moment. But getting to machine and flashing new bios, does not sound a easy way of doing it. But that is what amd is now investigating. If there Are something that They need to do. Maybe next week there will be 24 hour of intel. As I said all Computer chips include bugs. It is just a matter of work to find them.
"The full whitepaper can be seen here, at safefirmware.com, a website registered on 6/9 with no home page and seemingly no link to CTS-Labs. Something doesn't quite add up here."
But the following website has link to this document at top and also has references to CTS-Labs at bottom of website. My thought is savefirmware.com is site where documents are stored.
I am interested to find out how long HSteward has had an account at anandtech. For no apparent reason, he seems to be very interested in reinforcing these very bizarre and questionable claims
As above - I am not Intel Fanboy only thing directly related to Intel - I have about 30 years in computer experience including almost 7 years of protected mode 386 Assembly language programming - unlike most people I do have understand of programming that make these problems happen.
One thing I am curious about this issue and Meltdown/Spectre is there an actual document virus based on these problems. Which could mean it all been to smear others. Including Meltdown/Spectre - was attempt to spear Intel - but was later to found out also effect AMD and ARM.
Well I be honest here - why would I care about non-Intel cpu's if I only used Intel CPU's but I do have QualComm 820 in my Samsung Tab S3
One thing I believe about Internet - is that with technical information unless it coming from source of the information - I do believe I was doing messages here - before this - my primary reason is to look up technical information - but lately there has been disturbing attacks against Intel and I think it is unjustified. I know I updating here before Ryzen came out.
That argument is perfectly fine regarding your post history, however, if you don't have a deep level of experience with their competitors it doesn't help your case to bash those coming to their defense of something carried out in a questionable manner.
Now full disclosure I work at a chip manufacturer (let's call them Team Blue) and the attacks are frankly justified. The level of Kool-Aid drinking inside their walls is astounding. Think Leslie Nielsen waving his hands telling everyone there's nothing to see while fire and explosions are happening behind him.
As said the bashing of Intel for their handling of Meltdown and Spectre was fully justified. When Piednoël (who was involved in the development of some of Intel's biggest CPU architecture development, including Katmai, Conroe, Penryn, and Nehalem as well as SoCs in Sandy Bridge, Ivy Bridge, Haswell, Broadwell, Skylake, and Kaby Lake) abruptly quit in July of 2017 - https://www.techpowerup.com/img/TtiIY53h3pYaUtyu.j... - just before Ryzen and ThreadRipped launched it was odd but then we learned thats not long after Intel was informed of the vulnerabilities. Then there was the stock purge BK initiated months after the company learned of the vulnerabilities.
I know you think this is all new but this company has many times over done things that open them up for attack. They very frequently like to taught themselves as the most ethical entity in the tech industry yet have had many of their offices worldwide raided by countries and substantial fines leveled on them for far from ethical behavior.
Things such as their providing software developers with a compiler that optimized code to perform better on Intel microprocessors (which hilariously made programs run slower on some of their newer CPU's) - https://techreport.com/news/8547/does-intel-compil...
As a developer for 30 years - I would say one would used a developer that best for situation. Using Intel compiler - it is expected to run the best on their cpu. I once purchase an Intel compiler - primary because it had performance optimization before Microsoft compiler. I primary use Microsoft compilers - actually because of application I been working is quite old - it actually the Older Visual Studio 2008.
AMD Got 1.25Million from Intel on the legal stuff - which I personally don't believe they should. I was around when originally IBM came out with PC. IBM wanted second source of CPU - thus AMD came into picture - Intel created the CPU that was in the IBM which every x86 based CPU is created from. Here is a link on original IBM PC - kind of funny - back then they thought the 8086 was too powerful - so they went with 8088
I am old school person - been computing since 8 bit days - but technically have knowledge of detail internals of chips - I did OS work and I had personal access of all Intel CPU manuals and YES - all of AMD CPU manuals. My IBM PC came though a joint venture with neighbor on code I was developing on the side - my first actual computer that I had actually had a AMD 386 clone chip in it.
You're missing points again and cementing your Intel Fanboy perception by saying things like:
"Using Intel compiler - it is expected to run the best on their cpu."
If you even bothered to research you'd have easily read that their compiler was found to flat out look for Intel ONLY and if it didn't see what it expected it disabled extensions therefore the software it helped create crippled the performance of their competitors such as VIA/Cyrix and AMD. Worse it not only checked the vendor ID string and the instruction sets supported. It also checked for specific Intel processor models thus code generated by it failed to recognize future Intel processors with a family number different from 6.
You say you are old school and bring up the IBM deal which I am old enough to remember vividly as well. You obviously then remember that Intel was required, by IBM, to find a second source and THEY chose AMD. Then in 1984, in order to shore up their advantage in the industry, Intel internally decided to no longer cooperate with AMD in supplying product information, delayed and eventually refused to convey the technical details of the 80386 to AMD despite having signed the papers and having shaked all the hands along the way.
Something is wrong about this this query - I just included an actually question on recent Xbox One Freesync with questions about my monitors and up and coming update from Microsoft and this query did not find it - conclusion this is some how only searching for Intel related comments in last couple of months.
Anyhow my point in general having run several or nearly all offerings for Desktop/Mobile/Server CPU's from the likes of Intel, VIA, Cyrix, SPARC, DEC, AMD, Qualcomm, Samsung, Apple, MediaTek, Transmeta and so on is that not all of them are their 100% competitors equal. You got to play with them to fully see where they benefit you and where they have room for improvement.
BUT only one of those companies has a HUGE track record of shady business tactics to gain an advantage in their space AND has been legally convicted of doing so:
As a result many of their competitors have vanished in the meantime because, as Andre Agassi once said, "image is everything" and Intel has done a VERY good job of damaging the images of many of their competitors.
Meltdown and Spectre were not attempts to smear Intel and it is perplexing that you even think this.
Both were VERY well documented and because of the gravity of them Intel and others involved (including AMD!) were given the 180 day + period to sort out a solution unlike the news today.
For you information I have had an account Amandtech for a year or so. Yes I prefer Intel products but I don't work for Intel - I actually interview with them about 25 years ago - but at that time I was primary Intel Assembly language and they want C++ developers. Also at that time, I have my name on Erratum for IBM 486SLC.
Most of my desire for Intel has been my long history of personal computers on there cpu - I also had bad luck with AMD/Ati products and trust Intel CPU / NVidia. I have no stock in Intel and also unlike the possible reason why this could be fake - I have not been hurt or even have AMD stock.
What is really interesting is that people on internet jump to Meltdown/Spectre claims but when Intel release fixes - they ignore it - but attack others if AMD system has flaws.
One thing, I change my mind about Dell XPS 15 2in1 - initial I was thinking that I would not give it chance because of AMD Vega chip - but I been likely the specs and I might give it chance - but my only reservation is how AMD Fanboy's are so bias and against Intel.
intel was given something like a 6 month lead time on dealing with Spectre/Meltdown. AMD was given a 24 hour lead time on this and the bugs themselves appear to require physical access to the hardware. if you don't see the differences here, you're the one who is being willfully blind. period.
I not complaining about that - that was by there choice on the time given - wrong of right. The bigger issue is that is some people - believe that AMD is perfect and that Intel has a monopoly. In a CPU that Intel originally created with the original IBM PC. If you want to see a real monopoly - look at Windows 10 for ARM only running on Qualcomm CPU's and also Apple where you can purchase only from Apple.
No one is saying AMD is perfect. What people are doing is defending them from a rather shady announcement that most of the industry is questioning the validity of. Read up on Viceroy FFS.
Also since you are desperate to defend Intel in every which shape and form please do the world a favor and READ the facts:
Just FYI, the IBM486 bug was related to cache line been inverted when jumping between 286 and 386 protected mode - it was found in PC-MOS/386 OS which source is actually in public domain - it was in _386.ASM file - but I try to look for it - but could not remember where the work around was place - I just remember IBM sending us a hand mod CPU.
You're blindly ignoring the facts in this that have given strength to scepticism in every corner of the tech community and pushing logic that Intel is the real victim while declaring that all of those here and elsewhere questioning the validity of these findings are anti-Intel AMD Fanboys with statements like:
"It just funny when it against Intel - everything true and must be handle, but AMD it is a spear campaign."
No one has ignored Intel releasing fixes for Meltdown and Spectre. I dare you to prove that. In fact they have gotten a lot of coverage out of such because many of their fixes have had negative outcomes enough for said fixes to be pulled while their Engineers have gone back to their drawing boards.
Also when it comes to Meltdown and Spectre many bashed AMD for basically leaking key details for both when their doing so was prompted by Intel's Brian Krzanich going on air and declaring that both Meltdown and Spectre affected every single CPU out there 100% the same which was completely inaccurate.
If this whole Ryzen problem is fake - than I been reading about possible some investor upset with money lost from AMD and trying to take revenge. I serious doubt a large company like Intel or NVidia is behind this - who knows with all the political miss-information going around.
"For no apparent reason, he seems to be very interested in reinforcing these very bizarre and questionable claims"
All I am indicating here is that where document on safefirmware.com is link from has a link to CTS-Labs yes the document does not have a direct link but I could not find any other links to safefirmware.com but what I notice on cts-labs is that all documents are either in web site or to external sites.
Using a simple Google search on anandtech.com, it seems that he is active since August 2017, posting a lot on Intel related articles (but not only). Just about right, isn't it?
If I was true Intel Fanboy, I would mention on AMD articles putting Intel before AMD. Now if some one complains about Intel - it fair game to rebut that claim.
This article is quite different - AMD Fanboy's attack Intel so much about Meltdown/Spectre and at same time stating AMD did not have the issue. But they completely ignore that Intel fix the issue and that AMD also has documented issues with Spectre.
For the record, I believe I was doing posts here before August 2017 - I used to not care - but the last couple of years I started seeing a pattern where AMD fans attacking if any body says anything about Intel. To be honest it means nothing - minority of folks really read these things just desiring to information about future purchases. For example I like the Dell 15 XPS 2in1 - but I was concern about compatibility with Vega chip - because I had past bad history with ATI/AMD Graphics cards - but that been a long while.
If you want to read about scandals and smear campaigns, try the Blackberry Scandal
It's all over the news today
Apparently Blackberry wasn't as secure as they claim
Everything you do on a Blackberry is obviously monitored or there would be no need to remove the Gov't monitoring capability, like Vincent Ramos did
So the Company can LIE about the security of the phones but if you fix it YOU are the bad guy ?
My point is not about whether or not Vincent was fixing the phones for crime My point is that the Companies making the Phones are committing crimes while posing as the good guys!
Meanwhile, Anandtech appears to be covering FAKE NEWS!
Vincent Ramos was stripping out the GPS,Wifi etc you know things that make it a smartphone to make it a dump phone for the criminals to use. Those are the items which all phones have that make it easier for the cops to track you.
When the government comes knocking on your door you have to weigh the pro and cons.
Most of these companies are not going to allow themselves to be shut down and lose 100s of millions of dollars because of you and your $1000 phone and your sense of privacy.
Frankly, if it is fake - and the timing smells very fishy - I would suspect securities fraud before suspecting Intel. Who will have made money on the AMD price fluctuation? Why now when AMD stock is poised to rise?
The double standard from these toxic AMD fanboys are hilarious. If it was fake they wouldn’t have submitted their findings to AMD. But but but da conspiracy!
It costs them nothing to "submit their findings to AMD", and it lends free "credibility" to their claims. The fact that they submitted their findings to AMD is no evidence at all in their favor. It's really not that hard to reach rational conclusions about this issue if you spend more than 3 seconds thinking about it. But sticking your fingers in your ears and shouting "fanboy" is easier than thinking I suppose.
Toss in a PR firm to handle responses and how prepared this message was it just stinks all aorund. The fact they spent so much time preparing for this and gave AMD so little notice just screams shenanigans.
check the video on yt. They edited the server room to seem as if the server LEDs are blinking. If you are doing something wrong, at least do it the right way.
There was speculation at CES about when, not if, exactly this would happen. But the level of shadiness here is astounding, from the impossibly short notice (and irresponsibility to vendors world-wide in revealing these flaws before acknowledgement by AMD let alone producing patches) to the fact this "security company" opened shop around the time AMD launched the Zen micro-architecture.
I'm no AMD (or Intel, or Nvidia) fanboy, but this whole thing stinks. Sounds like CTS-Labs put self-promotion over professional ethics and the security of end-users.
Perhaps AMD didn't want to put them on retainer? Or perhaps kneecapping AMD seemed like a good way to encourage other companies to put them on retainer? Or both!
1. You have a release of information not following industry standard in terms of security. 2. You have confusing reports with no concrete evidence. 3. You have google project zero who didn't find anything similar in quantity or in impact, with basically 1000 times the R&D of CTS-labs. 4. You have a company with third party affiliation. 5. You have a place of work located in a country with a strong Intel presence. 6. The timing is just at the moment of Zen+ launch. 7. You have a company using videos with no real information of the threats, only specifying their intent to protect the public by presenting these threats without giving AMD time for mitigation and analysis. 8. You have a company not able to answer calls or presenting themselves in interviews after such an important news. 9. You have a company who made propaganda videos using green screen and fake offices for building a false sense of credibility. 10. You have a company named Viceroy, degraded AMD to 0.00$ of value after analyzing the report from CTS shortly after the release of information. Not taking into account that AMD is by far not a CPU only company with many other businesses outside the CPU market. 11. You have a news with too much marketing with threatening naming conventions and logos to frighten the public... and the investors...
and
12. You have a company named AMD with a huge future ahead of them. one of the few company who can provide CPU and GPU ofr IoT and AI applications with companies like Tesla. A company having almost the monopoly in console graphics and processing. A company push to new summit due to their GPU being suited better for mining capability for a fraction of the price of the competition. 13. You have the stock of the most speculative company having the highest amount of shorters at wallstreet... 14. You have one of the biggest scam of the last decade evolving in front of your eyes.
Everything about this story is wrong. And everything about this story is obviously aimed at manipulating the stock value and the reputation of AMD.
and you have (1) ONE corroborating security expert saying he had access a week beforehand in a paid engagement with CTS Labs. All of these things COULD be done but as has been stated ad naseum by others, it requires a significant amount of effort and access in order to accomplish, no mean feat.
Yeah, my favorite part is the acknowledgement that ALL of these flaws require root/admin (system level privileges) in which case you are already fucked if someone is logged in as root that has the intention of taking advantage of these exploits.
Basically the real admin would have to be clueless enough to execute exploiting code.
The 2nd corroborating security expert is a "friend" of some member of the company. This automatically removes him from being an authentic source even IF, as he claims, the data is correct. Ian is very well aware of the requirements for authenticity: peer review, peer research, and the ability to conduct the exact same exploits with the same results. so far, we have none of that. a paid for contractor who says "yep, it works," a friend of a friend who says "yep, it works" and nothing substantive to go on. regardless of whether it's true or not (and I know that some of these things can be done, regardless of platform) this is incredibly, incredibly dubious in presentation and character.
I bet AMD is behind this PR stunt. Just look at the comments? Everyone is blaming Intel. Looks like AMD got what it wanted from this little PR stunt....
You're either trolling or delusional, but either way it's grade A fun.
Reality check: Comments sections on tech articles are not useful ways to gauge the motivation of a company attempting a hit-job on the stock of a multinational organisation.
Isn't the reason for the 90 days to prevent security breaches? It's not a grace period for the company. Why should a company get a grace period? What matters is the security. If there isn't an increased security risk from the near-simultaneous notification about the security flaws to the company and to the public, then I think notifying the public as soon as possible is the ethical thing to do. Of course, if there is an increased security risk from the simultaneous notification then that's a different story.
The 90 days is to prevent exploitation of the disclosed vulnerabilities and prevent damages. By divulging vulnerabilities in 24 hours, this company is a laughing stock. They are supposed to be bounty hunters and getting paid for bugs by reporting them to the companies so they can fix them. However here, this is just for manipulating AMD stock to buy at low price until the story is debugged as false and selling at higher price.... but it didn't worked.
Everything about this story is just too big... and the flaws, just too small.
"The 90 days is to prevent exploitation of the disclosed vulnerabilities and prevent damages."
Again, what if, for whatever reason that wasn't applicable in some cases. Is it not then reasonable, and ethically superior, to disclose the flaw as soon as possible to those who may be affected by the vulnerability, either because they already own the affected equipment or because they are considering a purchase? From my point of view, as a consumer, the 90 day waiting period is a necessary evil.
"By divulging vulnerabilities in 24 hours, this company is a laughing stock."
Well maybe they shouldn't be, if there is no technical reason to withhold the information.
"They are supposed to be bounty hunters and getting paid for bugs by reporting them to the companies so they can fix them."
They aren't "supposed" to be anything. They are researchers and the only thing they can be supposed to have is ethical consideration for others affected by their actions.
"However here, this is just for manipulating AMD stock to buy at low price until the story is debugged as false and selling at higher price"
That's just conjecture that you are stating as fact. I agree that there are peculiarities here. My point, however, had nothing to do with the motives or specific instances of this case. It was specifically talking about this idea that companies have the right to 90 days notice. There's an attitude in media and forums that somehow AMD was wronged because they weren't given 90 days. I don't see it that way. I don't see why a company should be protected for 90 days. The only reason I can think of for the 90 days is to prevent security breaches.
Unless you happen to know every single use that a particular item of hardware/software is possibly used for, how can you be sure that nobody will be affected? We've gotten this disastrously wrong before and people have been affected. That 90 days is standard for a reason, not because we as a security community "just feel like it".
But all that aside, there's no possible way that you can claim that in this particular case, the 90 days was irrelevant. It's very clearly irresponsible disclosure in this specific case. The facts are very clear!
"But all that aside, there's no possible way that you can claim that in this particular case, the 90 days was irrelevant. It's very clearly irresponsible disclosure in this specific case. The facts are very clear!"
I don't think the facts are so clear. There is a possible way we can claim the time is irrelevant if we were actual security experts who understood the situation. Are you in the security community?
I wonder how much security research is done with a mind towards telling companies about vulnerabilities compared to the amount that is done with a mind towards not telling companies about them.
" I don't see it that way. I don't see why a company should be protected for 90 days. The only reason I can think of for the 90 days is to prevent security breaches."
I honestly don't understand why you're arguing. The 90 days is not to protect the company. It's as you just said, to prevent security breaches. It gives the company a chance to patch before it becomes known in the wild. THIS protects consumers as well as the companies bottom line. It's beneficial to both parties. Granted, no technical how to was released. What they did and what has people upset is they said If you want to breach AMD's procs, this is the path you need to go. If this is in fact legitimate, people that are working to breach these procs and do not have the best intentions either now know to change their attack vector or it confirms they're on the right path. It is very careless and dangerous to release this to the media FIRST and then to AMD after the fact. This endangers anyone with that hardware.
TBS, at face value the prerequisites to even exploit this is dubious at best. It is very questionable in how they went about announcing it. The website and everything else about the company seems odd.
Who did it and why? For what reason? Something is up. I don't believe Intel or NVidia is stupid enough to try something like this. Somebody is up to something. This story will unravel and get more interesting.
I'll neither defend Intel blindly like H Stewart, or attack them and accuse them like a lot of people here are. This is not the Luminati with Intel Inside planning an evil take down. Something is up though.
"The 90 days is not to protect the company. It's as you just said, to prevent security breaches. It gives the company a chance to patch before it becomes known in the wild."
I am asking when that is appropriate and when that isn't. I don't understand why you think its strange I should ask such a question. I think I made the reason I brought it up clear. It's because there is a strong attitude that AMD "deserves" the x days, and that CTS labs did something "dirty" by not giving AMD 90 days. Now you can insist that the reason for the x days is to protect the customers, but if the attitude becomes occified that companies deserve this time that could be a dangerous thing. So I am asking: rather than giving 90 days, did CTS labs actually increase the risk to the public by letting them know of these vulnerabilities immediately, without publishing the technical information, or have they reduced the risk to the public? I don't believe anyone has a clear answer to that because they haven't really considered it. If one considers it and decides that the x days system is the most secure, there still is the issue that the attitude is that a company "deserves" this treatment.
Again, the "who did it and why" conspiracy theories of this particular case are not relevant to the issue I am raising. There may or may not be some sort of manipulation going on here. But that is not the issue I am concerned with. Now, one could argue that immediate release of information makes it easier to try to manipulate the stock price. That is something to consider, but I'm not convinced that that in itself is enough of a reason to choose the other route. Any specific instance of potential securities fraud would be a case for the SEC, or whatever equivalent entity in any other country, to investigate.
I think its strange bc you answered your own question. I don't think AMD deserves protection anymore than Intel. The customers on the are the ones that need protecting. ALL processors have flaws. If you don't give them the chance to know about it, they cant fix it. If you don't give them a time frame, they'll never get it done. So you got to find a balance between giving them a chance to fix it and protecting the consumers by not providing a roadmap for hackers or god forbid, laying out exactly how to do it.
As far as CTS goes, they are in cahoots with Viceroy research which is trying to manipulate AMD stock. yes, I think that by releasing this to the press before notifying AMD and then bashing AMD for not having a fix to an unkown prob reaks to high heaven. It puts users at considerable risk even without giving technical details because you have given the vector to which AMD procs should be attack. AMD will now be scrambling to test/validate/patch trying to beat the hackers. This will result in a rushed patch/solution that could be just as bad or ineffective. It serves no one but CTS to release this the way they did. Add in their collusion with Viceroy and it becomes even more egregious. But, like you I wont speculate into the motives or accuse AMD's competitors but it's fair to acknowledge that it stinks.
CTS Labs in conjunction with viceroy research DID do something dirty. They def didn't do it for the good of the people.
Also, I find strange that they claim they were researching ASMEDIA for a year and never said anything to anybody. ASMEDIA is not exclusively AMD and its strange other security researchers haven't found ANYTHING.
"Also, I find strange that they claim they were researching ASMEDIA for a year and never said anything to anybody. ASMEDIA is not exclusively AMD and its strange other security researchers haven't found ANYTHING."
Yeah, you definitely don't. You have a one track mind...
They pre-briefed media and hired an outside firm to verify it, before they told AMD. This is a red flag.
If they were concerned about consumers, they would have made sure AMD knew before letting anyone outside their group knew. That way AMD could try to address the issues before crackers figured out how to exploit these vulnerabilities. Now the crackers know where to look for these vulnerabilities and AMD has had very little time to even investigate if they are valid.
"If they were concerned about consumers, they would have made sure AMD knew before letting anyone outside their group knew. That way AMD could try to address the issues before crackers figured out how to exploit these vulnerabilities. Now the crackers know where to look for these vulnerabilities and AMD has had very little time to even investigate if they are valid."
Is it reasonable to expect that people can find, implement, and distribute the vulnerabilities before AMD can fix them?
Correct me if I am wrong, but if I remember there was a case some time ago (was it the zero days exploits?) where companies knew about vulnerabilities and did nothing about them. The public was not alerted. Then the vulnerabilities, along with the technical details, were leaked. In such a case the public really are hung out to dry. Or suppose someone finds vulnerabilities, informs the company, and the company doesn't do anything. What then? The finder releases all information to the public? Is that fair to the customers?
I don't know the answers to these questions, but I feel that people are having a knee jerk reaction here without really considering the situation. Frankly, if someone were to be incentivized to find security vulnerabilities it might be better if they sell the information to financial investors, for which the existence of the vulnerabilities need to be revealed, rather than those who wish to use the vulnerabilities. I dunno. I'm guessing no one has a good idea of how much that goes on, except possibly for the entities that buy the most vulnerabilities.
I does'nt take a detective to figure that this was intentional. But seeing how they willingly pay other companies 16000$ to prove "their findings" and I reiterate, "their findings" - of a company which was founded in 2017, nobody knows them and they got this other website amdflaws.com created merely 3 weeks ago with rushed youtube channel, all of this few weeks before next gen Ryzen launch and having 3 employees in total, then I am very inclined to some form of connection with Intel because I fail to see how they found 13 exploits (well you can say 4 and all of them 2nd stage but still). If I am wrong about Intel than I am for sure right that this is all about playing with AMD stock prices so they can buy in, but then question is who these exploits came from.
How is MAD supposed to respond to this stupid shit that, if you have root access, you are the system Admin, you can run any code you want? This is true for every computer ever built
How is AMD supposed to respond to this stupid shit that, if you have root access, you are the system Admin, you can run any code you want? This is true for every computer ever made
"How is AMD supposed to respond to this stupid shit that, if you have root access, you are the system Admin, you can run any code you want? This is true for every computer ever made"
It's not true. Firstly the vulnerabilities make systems on the chip meant to increase security useless. In order to flash the firmware one needs root access. So then your question is akin to asking "why verify a firmware at all, since you need root access to flash it?" Furthermore, some of these vulnerabilities are pervasive. They allow malware to be placed into the firmware such that it can never be removed.That isn't the case without the vulnerabilities, if he security features workt he way they are supposed to.
But if there is no way for AMD to respond, then that is an argument that waiting x days before informing the public is just a waste of time, and that informing the public immediately, without giving the technical details, was the correct choice for action.
Linus Torvalds's profile photo Linus Torvalds +108 +Mark Anderson no, it's not even the 24 hours. I dislike the "give vendors all the time in the world" model of security disclosure enough that I very much understand why some people then give them no time at all.
You can be corrupt by being too chummy with vendors too.
It's the advisory itself that is garbage, and the attention whoring about it. And how it's lapped up.
When was the last time you saw a security advisory that was basically "if you replace the BIOS or the CPU microcode with an evil version, you might have a security problem"? Yeah.
No, the real problem is the mindless parroting of the security advisory (it's "Top Story" on at least one tech news site right now), because security is so much more important than anything else, and you can never question it.
Security people need to understand that they look like clowns because of it. The whole security industry needs to just admit that they have a lot of shit going on, and they should use - and encourage - some critical thinking.
"You can be corrupt by being too chummy with vendors too."
Yes, exactly.
as for the rest, security vendors are going to look for their publicity. Many people will try to monetize their work one way or another. I find it hard to believe that a smooth, well-behaved system of selfless security experts who, even though they have such potential power, gleefully accept a servile role in which they are both friendly with the product owners and entirely ethical with the public is realistic or stable.
What's servile about not fucking with the security of the people you're expecting to pay your bills? Seriously. There's a self-interest element to doing this well, too, but honestly I hate the conflation of doing what is objectively the best thing for everyone involved and being someone's bitch.
"What's servile about not fucking with the security of the people you're expecting to pay your bills?"
What security do you mean?
"There's a self-interest element to doing this well, too, but honestly I hate the conflation of doing what is objectively the best thing for everyone involved and being someone's bitch."
It is obviously the best thing for everything exactly why? And doing the best thing for other people is servile. I think you're getting caught up on connotation here and therefore you're missing the point. The issue I am raising is that people are going to try to monetize their work one way or another. I am questioning the stability of a system in which people who have power are expected to act as if they have none. If you think that doing what is best for the others involved is "being somebody's bitch" then you are just demonstrating my concerns.
It just seems way to timely that this crap came out just before a major CPU release. I smell something rotten here for sure. I am 100% sure that with todays tech and peoples programing skills there are a ton of security flaws out there like this with all hardware that has chips on it and if people were to look very closely they would find that even your talking fridge or thermostat is at risk in some form or another.
Heck I am willing to say that most likely if any of these flaws they claim AMD has are also present in Intel's CPU's as well. Most people would be very surprised just how unsecure their computers are or phones or even those fancy appliances that connect you to the world are.If they did know this they would be running around yelling the sky is falling the sky is falling oh wait that is just what this security company did which to me is a pure trash company for sure with questionable business practices and intent. I am going to say it again NO ONE IS SAFE in todays techy world if we were then things like viruses and malware or simple hacks would be stopped at the hardware level and that simply does not happen so this crap companies claims are pretty much false or just invalid.
A lot of people are comparing this to Spectre and Meltdown. Those were exploitable via just accessing a website. These require running an executable on the system itself and acquiring admin/root privilege. At least some of them require that the software be signed by a trusted key.
This isn't as severe as Spectre and Meltdown, but still very troubling. Not the best thing for AMD to have to deal with 1 month before their launch of the Ryzen 2000 processors. The way this was disclosed is clearly outside of industry standards. I would be surprised if CTS-Labs is around in 6-months. They seem to have no purpose other than take a hit on AMD.
Also didn't someone on here say the CTS-Labs company was formed in 2017 that alone makes this sudden announcement seem a bit dodgy right there. Also it targets Ryzen CPU's in AMD's lineup and not any of the others that right there puts up a lot of red flags for me personally. Whether this is true or not it does not matter any more because the damage has already been done and people will have already made up their minds most likely to just be sheep and believe it. Well the stupid ones that is. I also find it odd that they chose to release this information 1 month before AMD releases the Ryzen+. This makes me think there are other powers here in play and someone spent a lot of money to get this type of trash out in the wild because whether it is true or not like I said the damage is already done. Intel must be in their glory right now they are going phew we might have dodge a big bullet here because of the market share those Ryzens were taking from us will now slow down a lot and we can go back to releasing the same old products again & again like we used to do.
I hope all the "journalists" that helped and are continuing to help prop up this story are sued into submission. Morons are literally doing CTS's/Viceroy's work for them.
Breaking news! Bad things happen when admin access is compromised! More at 11...
Laughable about anyone that says try to look at this objectively in these comments. Unbelieveable the lack of morals and promoting of this farce. The release was completely unprofessional and flies in the face of other established security researchers throughout the years. If CTS had done this to Intel with only a 24hour notice, the wailing would be off the charts.
I've never been more confident in AMD. Meltdown/Spectre were much more serious and Intel walked away unscathed so I don't see any real issue with AMD products.
I haven't used windows in ages, but I thought regular users essentially have administrative privileges. It's not like there's an area of the file system that can't be modified by a regular user, at least, that's how it was when I used windows back in the day. Has that finally changed?
affected ASMEDIA chips/technology.. does that mean asmedia chips on intel mainboards are affected too? or is it only asmedia technology in the AMD CPU´s??
Remember when you would expect other "tech" sites to publish this tripe and Anandtech would see through it? Back before Anand sold the place and retired, I guess.
Somebody with root access to a machine can do anything with it? That's news to the Anandtech staff apparently. Stay tuned for other things you might not know...
If someone had administrator rights I don't think it will be difficult to hack it whether it is Intel or amd. It's not much vurnarable if the main requirement is root acess.
Regarding update from Gadi Evron, CEO of Cymmetria..
"CTS-Labs believes that the public has a right to know if a vendor they are using makes them vulnerable, which is why no substantial lead time was given."
Is the comment from Gadi Evron poorly worded or is he more closely associated with ct-labs than implied?
Er..Doesn't Gadi person the current chairman of CERT in Israel..he seems to have some personal connection with these guys at CTS....his wording of the issue is not clear..or is it him trying to cover them up. P.S there is alot of corruption in ISRAEL...
on the other hand Trail of Bits...made it clear..need admin privs to exploit any of these..
I feel this entire issue is a HYPERBOLE..
Ian GREAT JOB for laying it all out....Why hasn't CTS contacted other well known Security peeps...
If I had paid for a damaging covert throat-punch against AMD, and this report is what I actually got, I would be wanting my money back. What kind of low IQ moron thought this would fool anyone?
I fail to see how CTS-labs can claim this is in the public's interest. It certainly isn't in the interest of an of the public who own's the effected hardware. Not giving AMD time to analyze and respond to this flaw is extremely unprofessional. It is hard not to read this and immediately assume this lab has an ulterior motive in the way they announced their findings.
Note to CTS-Labs: There is a reason most security firms give manufacturer's 90 days to analyze security issues prior to telling every Tom, Dick and Harry about it.
AT, you've just wasted space by posting all this stuff. It's just FUD. If an agent with malcontent already has hands-on access with a root password in person, then you're pretty much screwed anyway, and any issues would apply to Intel or any other tech aswell. I'm disappointed that the nonsense by CTS is being given so much attention when it's pretty obvious it's essentially just a market exploit, no different to telling people, your front door is incredibly dangerous and you could die because if a serial killer has your door keys they can get in and stab you! Therefore companies who design front doors are garbage and their stock price should be zero! Come on AT, this is so obviously fake news, and a bit of digging of the kind GN did would have quickly made that clear.
Intel should join with AMD and file a combined suit against these people, if it can happen to AMD then it can happen to Intel. Heck, all chip makers should help the effort, it's in all their interests to make it clear these companies won't tolerate such actions against them.
Guido has publicly acknowledged that all scenarios require administrator/root access. Further more, they also required digitally signed drivers. This means that these 'flaws' cannot be used in any way to compromise a protected system. Root access mean the system is already compromised. Meltdown and Spectre are orders of magnitude more destructive than this. Please read more on security to be able to think critically,
AMD should bite the bullet, and take the plunge and whatever else too and vehemently declare and accept publicly that it has knowingly and intentionally planted a bug with potentially unimaginable catastrophic consequences to the public and security of the know universe in their chips lest it be accused of antisemitism.
Four Persons "SOMEWHERE in Isral” Publish Ryzen Flaws, Gave AMD 24 hours Prior Notice
From CTS (Cheap Technical Scammers):
"The report and all statements contained herein are opinions of CTS and are NOT STATEMENTS OF FACT."
"you are advised that we may have, either directly or indirectly, AN ECONOMIC INTEREST in the performance of THE SECURITIES OF THE COMPANIES whose products are the subject of our reports."
No address, no land line, 4 persons "SOMEWHERE in Isral" set up after June 2017 (after Intel's "Meltdown inside"), ..., but just a website ($4.95/month) and a mobile number +1-585-233-0321!
The so called “RESEARCHERS” paid $16K to review their findings!
From the quite cheap guy who reviewed their findings for $16K: "For the attacks to work, an attacker must first obtain administrator access to a targeted network, Guido said."
For the car thief to steal the car, the car thief must first obtain the car key and access to the car, CommonSense said. What a car thief!
The 4 nobodies got the publicity and economic interest.
Yeah, no. Not buying into this utter tripe driven by a clearly financial motivation. Here's to hoping the SEC guts these clowns and leaves them bloody in the street for all to see.
Re: people that say that since this requires admin access, it is irrelevant There are certain things even administrators are not supposed to be able to do - like access the memory with keys or decoded data for certain DRM content and such. Things that mostly publishers of content and software care about, not the users themselves. In so far as actual users/owners of the system are concerned, I'd say it's actually a good thing to be able to break such "security". But don't tell anyone I said that ;) There is the risk that publishers would refuse to publish their content for us without their "rights" being protected by this "security"...
I hope these new phones are secure. I was suspicious of my wife for infidelity and i hired an experienced and trusted hacker S O L I D A R I T Y H A C K E R at G M A I L . C O M to help me hack into her phone and get info. In less than 24 hours after i gave him certain information to work with, he gave me the access link and i saw everything i had been suspicious about. S O L I D A R I T Y H A C K E R at G M A I L . C O M was also able to give me access to deleted messages and phone conversations both on the phone mobile service provider and all the phone calling Apps located on her iphone including whatsApp, FaceBook, Instagram , he said it worked with all apps located on phone memory, so far the App is located in the phone, the information would be revealed through S O L I D A R I T Y H A C K E R at G m a i l . c o m when he has the required information and of course not free. I would advice anyone with similar issues or even more complex issues to contact SOLIDARITY HACKER at G mail .COM for positive results in relatively short period of time.
We’ve updated our terms. By continuing to use the site and/or by logging into your account, you agree to the Site’s updated Terms of Use and Privacy Policy.
211 Comments
Back to Article
Chaitanya - Tuesday, March 13, 2018 - link
Sounds like a smear campaign just before release of AMD 2000 series of CPUs. also giving 24hr notice when 6 month period is mandatory in Israel is real fishy.quadrivial - Tuesday, March 13, 2018 - link
The company has only been around since 2017.http://www.cts-labs.com/management-team
Chaitanya - Tuesday, March 13, 2018 - link
On their own website:"The report and all statements contained herein are opinions of CTS and are not statements of fact. To the best of our ability and belief, all information contained herein is accurate and reliable, and has been obtained from public sources we believe to be accurate and reliable. Although we have a good faith belief in our analysis and believe it to be objective and unbiased, you are advised that we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports."
and even more fishy:
"...CTS reserves the right to refrain from updating this website even as it becomes outdated or inaccurate."
And to top that off paper not peer-reviewed, like all scientific publications should have been.
Domain registered as AMDFlaws.
Like Carmen00 said it sounds like a gun for hire running smear campaign for competition and media sites like Techpowerup and others running clickbait titles to generate traffic through spreading bullshit.
goatfajitas - Tuesday, March 13, 2018 - link
smells... wrong. Fake newsnevcairiel - Tuesday, March 13, 2018 - link
It was confirmed by other security researches now that the exploits are real. No matter how shady the release of it was.SleepyFE - Wednesday, March 14, 2018 - link
Just don't click ok when you get a: "program bql257839rly requires administrator privileges" and you'll be fine. Also if i have to tell you that you probably should not be using a computer. Another fun fact; with administrator privileges you can already access the whole computer so they might as well just copy your files and be done with it.Spunjji - Wednesday, March 14, 2018 - link
Yes, they seem to be implying that anyone with this level of access can then gain uncontrolled access to the network and systems on it... to which the answer is "duh, you're an admin".getreallol - Wednesday, March 14, 2018 - link
if you have root access you can do anything you want on the system. I can confirm that. DUHtamalero - Wednesday, March 14, 2018 - link
The supposed exploits are pretty stupid.. all of them require the person to access the machine and have administrator privileges.At that point ANY machine would become vulnerable.
In the research papers they mention modifying the BIOS, which also requires direct access. And others of installing a "modified" and injected with the exploit drivers to be installed.
Which also is gameover for any machine.
boeush - Wednesday, March 14, 2018 - link
Requiring admin rights makes it a second-stage attack, but you guys are all missing the main point of concern: the attack is such that, after it is carried out, the malware runs on a "secure processor", in a "protected domain" - and is therefore undetectable by most (if not all) antimalware scanner software.Lots of attacks might require root or admin privileges, and result in exfiltration of data or installation of malware - but in most of those cases, the "infection" can at least be detected and fixed by antimalware tools. But that is not in the case for the bugs being alleged on AMD's systems here.
hansmuff - Wednesday, March 14, 2018 - link
That's going to be very much the same on an Intel chip.Manch - Thursday, March 15, 2018 - link
Even without this protected black box the average time an attacker stays on system is 288 days. While this is concerning, a few things.The report is dubious. Ignoring all other things like timing, the disclaimer, the fake video, the lack of peer review, the viceroy connection, etc. Actually reading the report and it reads more like a political hit piece than any whitepaper Ive ever read. There's an awful lot.of conjecture and assumption as well in regards to the asmedia chip, and all without showing any proof.
You wouldnt believe your buddy if he said he banged 3 hookers and one was your sister at face value, why when reading something just as outlandish are people taking it as gospel?
Spunjji - Thursday, March 15, 2018 - link
You're right about that facet being potentially concerning, boeush, although I'd still rank it lower than having a permanently active malware installation allowing my systems to be compromised externally (also known as Intel Management Engine). Try detecting that in your antimalware application, let alone the custom exploits written to take advantage of it.HStewart - Tuesday, March 13, 2018 - link
AMDFlaws domain is part of cts-labs not the opposite - cts-labs does more than just AMD related issues.garbagedisposal - Tuesday, March 13, 2018 - link
No they don't, HStewart. "CTS labs" is not a real entity in any meaningful sense. Stop spreading bullshit.Cooe - Wednesday, March 14, 2018 - link
Dude. What time is it in Israel? Shouldn't you and the rest of the CTS-Labs "team" be sleeping? Or did you guys end up botching your totally crap thought out plan end so bad you guys are having to pull all night damage control sessions on blogs/forums?The lack of sleep seems to be affecting your job skills, as well as a number of basic cognitive abilities.
Hereiam2005 - Tuesday, March 13, 2018 - link
The disclaimers, the 24h notice, the inflammatory rhetorics, the news reports, all pointing toward AMD short sellers trying to do share bashing.The disclaimers are there to make sure they will not get into legal troubles.
Gothmoth - Tuesday, March 13, 2018 - link
if this is market manipulation they will get in trouble. and if intel is behind or connected to this it will come out too.Hereiam2005 - Tuesday, March 13, 2018 - link
The thing is, if their statements are opinions and not facts, they are not legally liable. Sad but that's the law.And yep, AMD stock price is dropping as I'm writing this.
Galcobar - Tuesday, March 13, 2018 - link
Depending upon a jurisdiction's libel laws, an opinion can be defamatory. You don't have to claim something as a fact for a statement to damage a reputation or commercial interest.They are trying to set up a public interest defence, but that only holds if there is an absence of malice (in most post-industrial countries). CTS-Labs would have to show the manner and content of their statement was not intended to have AMD. Refusing to update the website if their claims are disproven, similar to refusing to publish a correction, would for most courts be a smoking gun in a defamation lawsuit.
Funny thing is that for some jurisdictions truth is not a defence to defamation. It'll be interesting to see if they get sued, and under what court system...
PixyMisa - Tuesday, March 13, 2018 - link
Making a statement of fact and then claiming it as opinion is not a magic shield against libel suits.Natepaulr - Tuesday, March 13, 2018 - link
They never made a statement of fact though. The disclaimer says we have a financial interest if harming amd and our statements are not facts just opinions. Which kind of begs the question why articles other than this one ran with the story so hard.evilpaul666 - Tuesday, March 13, 2018 - link
Statements of opinion aren't subject to defamation law, that's true. So the inflammatory rhetoric about "a complete disregard for security basics" or whatever is (in the US at least, the rest of the English speaking world has incredibly stupid defamation laws) protected speech. Making claims about a product that appear to be based on fact and then saying afterwards, "That's just, like my opinion, man," may not, though.And I think the lesson we can all take away from this is don't give randos physical access to your server and let them flash the UEFI.
0ldman79 - Wednesday, March 14, 2018 - link
Buy! Buy! Buy!tamalero - Wednesday, March 14, 2018 - link
If they are related to that Viceroy company, they already did that shit a few times (stock manipulation for personal gain)..poohbear - Tuesday, March 13, 2018 - link
Yes forgot about the shortsellers! They've probably been very frustrated the past few months!jabber - Wednesday, March 14, 2018 - link
I'd say you hit the nail on the head there.I bet a lot of folks got calls to "Watch AMD stock!" a few days ago.
danjw - Wednesday, March 14, 2018 - link
Sounds like they shorted AMD, before they released these exploits. ;-)That doesn't change the fact that these exploits are real. But, I think they have some alternative motive here other then just letting the public know. It may be they just want to try to make a name for themselves. But, given the seriousness of these attacks, no one should claim that they were doing this disclosure for the public interest. Having the fact these vulnerabilities exist public is a security risk all of its own. It gives crackers information on where to try to undermine this platform. I would call this reckless.
pjcamp - Wednesday, March 14, 2018 - link
The flaws are real. But a firm specializing in short selling, Viceroy Research, appears to have known ahead of time and exploited their knowledge. And if someone has root access to your system, you have a whole lot worse problems than this. And the actual flaw is in an ARM Cortex 5 chip. AMD's only mistake was choosing to trust ARM for secure computing instead of doing it themselves.boeush - Wednesday, March 14, 2018 - link
If any firm (like Viceroy Research) exploited non-public knowledge to short the stock, they are liable for prosecution under insider trading laws.HStewart - Tuesday, March 13, 2018 - link
But if you look on the their page - it looks like their finding are based on actual standardshttp://www.cts-labs.com/compliance-standards-guide...
From what I can tell, Unlike Meltdown/Spectre these problems are in the support chips and likely will mean motherboards will need to be replace - not actual firm ware - this came from technical information provide on AMDFlaws
https://amdflaws.com/
garbagedisposal - Tuesday, March 13, 2018 - link
Their webpage is a bunch of links to google docs of random PDFs they pulled from the internet. Congratulations, anyone can do the same thing. You're a moron. I have a task for you, go read their disclaimer about how they are funded by a 3rd party and have a direct economic interests in the "findings" they published. Hopefully it wont be too hard for someone with such attention to detail.Gothmoth - Tuesday, March 13, 2018 - link
unfortunately you can´t tell anything because you are clueless and the paper is without any substance.WickedMONK3Y - Wednesday, March 14, 2018 - link
I sense something; a presence I have not felt since.... oh wait, its an Intel fanboi, taking absolutely anything that is even slightly negative to AMD and grabbing it with both hands and running with it. Something tells me you subscribe to the theory "It's on the internet! It MUST be true!"HStewart - Tuesday, March 13, 2018 - link
"Sounds like a smear campaign just before release of AMD 2000 series of CPUs"Just like Meltdown/Spectre was smear campaign against Intel - and then to find out that AMD and ARM ( in lesser ways ) were both effected.
It just funny when it against Intel - everything true and must be handle, but AMD it is a spear campaign.
scholarly_salamander - Tuesday, March 13, 2018 - link
AMD is only affected by Spectre, not MeltdownChaitanya - Tuesday, March 13, 2018 - link
In case of Spectre and Meltdown all the involved parties Intel, AMD and ARM knew of the flawsin advance and it was only on 2nd Jan 2018 that those vulnerabilities were made known to public.
Infact Intel had so much time in hand that it notified of the security vulnerabilities to Chinese authorities before US agencies.
Here is statement for how Google operates Project zero:
"Bugs found by the Project Zero team are reported to the manufacturer and only made publicly visible once a patch has been released or if 90 days have passed without a patch being released. The 90-day-deadline is Google's way of implementing responsible disclosure, giving software companies 90 days to fix a problem before informing the public so that users themselves can take necessary steps to avoid attacks."
Unlike what this CTS-Labs did giving just 24hrs notice and then notifying press and AMD about the "flaws".
https://techcrunch.com/2018/01/28/intel-reportedly...
https://en.wikipedia.org/wiki/Meltdown_(security_v...
garbagedisposal - Tuesday, March 13, 2018 - link
Your comment just proves how much of an idiot you are.Gothmoth - Tuesday, March 13, 2018 - link
look how they have handelt this you ignorant clown. at least learn to read and than use your brain.. if you have one.Yorgos - Tuesday, March 13, 2018 - link
Did you read their whitepaper? obviously not and I am sure that even if you did you wouldn't understand it.Their tests were on intel and Arm platforms but NOT on amd, they speculated that AMD is _potentially_ vulnerable to Spectre...
how can you present such claims in a research report is beyond me.
We haven't seen yet any attack on AMD regarding the so called Spectre vulnerability and we will never see the Meltdown because it does not compute on AMD.
You are a great marketing victim. Get educated.
Ket_MANIAC - Tuesday, March 13, 2018 - link
Do you actually know how to comprehend anything? From your words it is pretty easy to see that you believe anything and everything.WickedMONK3Y - Wednesday, March 14, 2018 - link
There was no smear campaign. Intel and a lot of other tech companies were informed MONTHS before public release about spectre and meltdown. Intel just handled it very very badly, empowering the press to hammer them, correctly and justifiably, for their fumble.beginner99 - Wednesday, March 14, 2018 - link
Spectre affects most modern CPUs, was found by an independent researcher and Google and they had half a year to fix the issue.This here is completely different. It's from a new unknown company founded in 2017, only giving a 24h embargo and the full webpage and issue names are form a PR-Playbook to give AMD negative Publicity. meltdown wasn't releases on a page called intelflaws and isn't named Core-Melt or i7-fall or something similar stupid.
This clearly is either Intel behind or a large investor in intel wanting to protect his investment. Just ridiculously. For sure not buying intel anytime soon.
Carmen00 - Wednesday, March 14, 2018 - link
If you think that this is anything like Meltdown/Spectre, then you really need to start paying attention. With Meltdown/Spectre, there were respected academic security researchers who paid attention to responsible disclosure and very carefully built up their cases over a period of months. Here, you have a bunch of hired guns who come out of nowhere and 0-day a company with no regard whatsoever for the security impact on the public. Guess which one is going for maximum share price impact in the minimum possible time?StevenD - Wednesday, March 14, 2018 - link
Meltdown and Spectre had a huge amount of time from notification to public release, and even then it was due to someone at Linux being stupid and committing code before he should have.This was 24 hours notification. Other security firms knew weeks prior, even reporters were contacted before AMD was, as the article states.
Whatever is at the root of the issue here. Make no mistake CTS Labs behavior is reprehensible to say the list, one might argue it's borderline criminal.
SleepyFE - Wednesday, March 14, 2018 - link
Thanks to their: "This is all just our opinion" disclaimer (you must red the quote with a silly voice to understand the full idiotic impact of it), everything they write is legal. If they were to get sued it might be for defamation of character or something like that.SleepyFE - Wednesday, March 14, 2018 - link
While i agree with all the responses to this comment that came before, i would use less insults. Luckily stating facts is still enough to deter HStewart from continuing the thread.tamalero - Wednesday, March 14, 2018 - link
Except Meltdown never affected AMD? common..Hereiam2005 - Tuesday, March 13, 2018 - link
Horseshit.Elevated prompt and digitally signed driver cannot bypass virtual machine sandbox.
And Flashing bios? Really?
Hmm. You can just publish shit like this and short sale AMD shares to make a quick profit. Is it legal?
Yorgos - Tuesday, March 13, 2018 - link
some so called "analysts" have done this numerous times with various companies.jjstecchino - Tuesday, March 13, 2018 - link
Who knows if even Intel, cut throat as it is, would allow itself to be behind such a low blow. As much as they must be feeling the heat of finally having some competition, it is hard to believe they would purposefully disclose a competitor serious flaws like this with a 24h notice. Or al least I hope.The hypothesis of stock marches manipulation is interesting and totally plausible.
This "security" company is total bullshit and just a smear factory as obviously safety and security of the involved computer system is not their prime interest. It is going to be interesting to find out who is behind this
CeltusIber - Tuesday, March 13, 2018 - link
Against Intel.You guys cannot stop blaming Intel for every ill AMD has.
This is a PR stunt from AMD to get people to further hate Intel.
Alexvrb - Tuesday, March 13, 2018 - link
Now THAT'S a conspiracy theory a nutcase can really get behind!WickedMONK3Y - Wednesday, March 14, 2018 - link
Oh boy, I really hope you go and purchase some new foil for your new hat. I highly doubt AMD would pay for this campaign against themselves JUST so that people assume its Intel, because Intel would sue the pants off of them if that became public. The other side of the coin is Intel would NOT chance having to pay AMD another billion dollars by being utterly stupid and paying for this campaign against AMD from this less than credible "security" company. However you are most definitely giving the conspiracy theory nutjobs something to drool about.Spunjji - Wednesday, March 14, 2018 - link
Yes, AMD would clearly out security flaws in their own products in a grand reverse-pyshcology ploy to make people"hate" Intel. That's how companies and indeed the world work, just like primary school.In a side note my dad could take your dad in a fight so give me your lunch money.
SleepyFE - Wednesday, March 14, 2018 - link
That one gave me a nice chuckle and reminded me of Dexter's Lab, when the dads fought to a stalemate.SleepyFE - Wednesday, March 14, 2018 - link
Just, WOW!ironargonaut - Wednesday, March 14, 2018 - link
"This is a PR stunt from AMD to get people to further hate Intel."I like your illustrating absurdity with absurdity, unfortunately it will pass way over all the haters heads.
So, an AMD chipset has an errata, big whoop.<that's sarcasm> I agree this "security" company doesn't actually give a rip about security. A compromised computer hurts everyone because it will most likely be used to attack others(or at least spam). I don't see anyone really defending them releasing this w/o giving AMD a chance to patch first. On the other hand w/Meltdown/Spectre many claimed Intel was in the wrong for not mentioning it publically earlier and openly gloated and still do that Meltdown didn't effect AMD. So ya, this looks to me like a smear campaign/publicity stunt, however, smearing other companies not involved doesn't change that. It just puts you the same league as this "security lab" "<in quotes to show disdain>.
StevoLincolnite - Wednesday, March 14, 2018 - link
They are an unknown name.So by uncovering all these security flaws, it should hopefully push them into the limelight, allowing them to gain some relevancy and hopefully the money will flow later.
0ldman79 - Wednesday, March 14, 2018 - link
I was thinking the exact same.If security was their primary concern then they'd have spent a week or two solid back and forth with AMD getting to the bottom of this.
It is a smear campaign, nothing more.
As the last few lines of the article say, this requires the bug to be run under admin/root access.
OMG!!!!
You mean to tell me that the computer admin can hose a computer with full admin rights!!!??!?!?!
Oh noes!!!!!!!
Non news.
Did you know that with a serial cable and interrupting boot I can flash whatever firmware I want on 99.99% of the hardware in existence?
FlanK3r - Thursday, March 15, 2018 - link
I agree, its shit campaing to AMD. But Im in relax, this can not me dissuade to buy new Ryzen 7 :)Carmen00 - Tuesday, March 13, 2018 - link
I've been in the security industry for a long time and this is NEVER the approach taken by any reputable security company. CTS-Labs looks like a bunch of guns for hire, and there are few prizes for guessing who's paying them for these particular 0-day vulns. This is a disturbing and sordid event, through and through.Kracer - Tuesday, March 13, 2018 - link
You need so much access prior to the vulnerabilities shown here.It's just normal security research milked for PR effect.
Pmaciel - Tuesday, March 13, 2018 - link
😴😴😴GeorgeH - Tuesday, March 13, 2018 - link
Since you can't say it for legal reasons:Bullshit "security company" is bullshit. I wouldn't go so far as to say "underhanded Intel PR operation" (at least not yet), but this is not how real and responsible security companies with no agenda or axe to grind operate. That's not to say there are no flaws here (fun bonus question: what big chip company has lots of resources and partners in Israel to conduct competitive research?), but the way the release was handled screams Intel-adjacent (if not directly Intel sponsored) shenanigans.
quadrivial - Tuesday, March 13, 2018 - link
https://www.intel.com/content/www/us/en/jobs/locat...Intel has a lot of stuff in Israel.
eSyr - Tuesday, March 13, 2018 - link
As well as AMD. Or IBM. Or many other companies.fallaha56 - Tuesday, March 13, 2018 - link
Er eSyr no other companies don’t have a presence in Israel the way Intel does...tamalero - Wednesday, March 14, 2018 - link
Agree, Intel has FABS and interest, including research.AMD has no kind of presence in Israel.
vext - Tuesday, March 13, 2018 - link
True, Intel has been heavily invested in Israel for years. They built a VERY controversial plant on UN recognized Palestinian land, which must have been a political decision, not just a business decision. It is/was their second largest plant, and very important for the Israeli economy.https://www.sfgate.com/business/article/Intel-chip...
AMD was recently hit with two frivolous lawsuits related to the Meltdown/Spectre vulnerabilities. Both were brought by NY Jewish law firms, Rosen and Pomerantz.
https://semiaccurate.com/2018/02/06/amd-hit-two-ba...
I don't think Intel is behind the attacks on AMD but, considering AMD's astounding success over the last year with Ryzen and Intel's 'misfortune' with Spectre and Meltdown, it's quite feasible that some Intel Good Old Boys decided to take take AMD down a notch. Hey, that's the way things work.
ABR - Wednesday, March 14, 2018 - link
I also have to say that the first thing that came to my mind when I saw the location of the group releasing the report was "Smells like Intel".SleepyFE - Wednesday, March 14, 2018 - link
That's nice and blunt (not sarcasm, i like the truth). If you held out for a few more day though this comment section would have enough lines for a movie script. It could be set in the not so distant future and have zombie Gordon Moore as the puppet-master.psychobriggsy - Tuesday, March 13, 2018 - link
Totally irresponsible disclosure. Also the exploits are overhyped given the level of access required already. The language is over the top as well. It seems to me that this is a hit job - maximum damage via the media, and I think it would be interesting to see just who has been funding this so-called security outfit.shazam786 - Tuesday, March 13, 2018 - link
Something is terribly wrong here.. and sounds like pure BS.- first link on google is a pain relief manufacturer site.
- 24 Hour notice.
- let me get this straight.. you need to flash the BIOS... so you basically need Admin access to the hardware...
- Google Project Zero didn't find it
Dragonstongue - Tuesday, March 13, 2018 - link
I echo what others say below my post/above it...sounds like a smear campaign AGAINST AMD, possibly from Nv or Intel to dissuade sales against AMD in favor of their other competitors when history has proven time and again I would not trust them either in comparison seeing as IMO AMD does whatever they possibly can to get as much performance and stability possible considering they do not have the sheer manpower/revenue others have and tend to have a far larger portfolio of products they attend to (not to mention a vast swath of "free" product provided to the industry at large they do not make a dime off of, whereas their immediate competitors are all about making $$$$$$$$$$ and proprietary everything even when not needed to do so)Anyways, I personally think this just reeks of making mountain out of molehills possibly even making false claims against AMD for no other purpose but to shaft their stock valuation ahead of the next product launches they are about to have.
posted by [H] as well
https://www.hardocp.com/news/2018/03/13/amd_cpu_at...
euskalzabe - Wednesday, March 14, 2018 - link
Frankly this kind of shady crap only makes me want to buy AMD more. I already suspect Intel shenanigans, and after what HardOCP published last week I also suspect Nvidia. May have to go all AMD on my next build, if only to support an honest companyplopke - Tuesday, March 13, 2018 - link
I will try to stay openminded , I AM TRYING SO HARD but come on 24 hours notice?Holliday75 - Tuesday, March 13, 2018 - link
Yeah I am as well, but the more I read the more I was like *sniff sniff* I smell dead fish.jjj - Tuesday, March 13, 2018 - link
The way they did this, you can't even be sure the claims are legit and going to print now, gives them what they want.lefty2 - Tuesday, March 13, 2018 - link
I am impressed by Anandtech for presenting this story with the right amount of scepticism, (unlike other news outlets)Alexvrb - Tuesday, March 13, 2018 - link
Yeah a lot of "tech" sites jumped right on the bandwagon and didn't bother vetting this outfit or their BS, I mean story... at all.euskalzabe - Wednesday, March 14, 2018 - link
Examples? I'd like to unfollow them, in case I do. Crap like this receives the end of my support as a response.Cooe - Wednesday, March 14, 2018 - link
PC Gamer's will make you feel nauseous. I left a freaking blistering response to the writer & editor that let that crap get out to publish the way it was written.xrror - Tuesday, March 13, 2018 - link
If I'm reading this brief correctly, the majority of these attacks seem to imply having physical access to the hardware as the initial "crack" into the security. Then it's through a malicious signed device driver (Windows) that... you can do to every other x86 arch.If this is something that you could exploit on a hardened linux server remotely then that's an actual issue, otherwise this reads like it all builds on the usual windows script kiddy drive-bys.
TaylordTech - Tuesday, March 13, 2018 - link
This was a paid smear job. From their disclaimer on amdflaws.com:"Although we have a good faith belief in our analysis and believe it to be objective and unbiased, you are advised that we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports"
They are getting paid. This is a hit job, nothing more.
YazX_ - Tuesday, March 13, 2018 - link
bla bla bla, im getting Ryzen 2000 when its released, what a stupid research and company.jjj - Tuesday, March 13, 2018 - link
The 2700X showed up in Geekbench a few hours agohttps://browser.geekbench.com/v4/cpu/7440381
vext - Tuesday, March 13, 2018 - link
Holy Cow, I may have upgrade my wifes computer with my old 1800X and get a new 2700x for me...dgingeri - Tuesday, March 13, 2018 - link
This seems awfully suspicious, especially with that comment of ‘vulnerabilities amount to complete disregard of fundamental security principles’, which is a bunch of hogwash. There are some dirty tricks going on at CTS-Labs, and I have a feeling who is behind them.LiviuTM - Tuesday, March 13, 2018 - link
Also look at the names and logos they found for each of the vulnerabilities. Looks like professional branding to me.SteelRing - Tuesday, March 13, 2018 - link
that's hillarious.... yes, if i can sit in front of the hardware with admin access I would go ahead and first replace the BIOS and went all the way to exploit the processor from the backdoor through all the obscure memory channels when instead I could just tap the hard drive.yeah this is very very credible threat....LOL, and this is only applicable to AMD somehow? If I can replace the BIOS to any system I can take over the world already.
If anything this sounds like a BIOS security issue, not a CPU flaw. what a shady hit job
jjstecchino - Tuesday, March 13, 2018 - link
On the other hand, if Intel is really behind all this and with all their mighty research power the only exploitable flaw they could find about AMD processors involves flashing the bios and then using a window signed driver, I would say AMD is in a pretty good shape, particularly if you compare to Intel completely fucked up Management Engine which is just a piece of malware allowing any Intel acquaintance to spy on what you do on your PC.kpb321 - Tuesday, March 13, 2018 - link
Meh. I've got a Ryzen system but I'm not really worried. If someone has already achieved admin level permissions on my system and has a malicious signed windows driver to install I'm already pretty much screwed. Stacking hardware based attacks on top of that are pretty much pointless.The bios flash is even more pointless. These types of attacks are interesting and theoretically devastating but they are also by their nature hardware specific. If I'm the target of a three letter agency or some nation state I might be worried about this but not as an average Joe.
On top of that the disclosure was completely irresponsible and the whole process seems designed for max PR/FUD and not for serious security research. Hell the indications are they were working on making the website for this before they even told AMD about it.
SaturnusDK - Tuesday, March 13, 2018 - link
CTS lab is apparently a security company established after Meltdown/Spectre vulnerabilities became known to involved partners but before it became known to the security industry. The senior people and researchers at the company appear to be mostly security consultants working for mainly Intel in the past. I smell a criminal defamation lawsuit.haukionkannel - Tuesday, March 13, 2018 - link
In all prosessors Are bug. In intel, amd, qualcom... Name it.It all depends on how hard or easy it is to exploit these wulnerabilities. We don`t know at this moment. But getting to machine and flashing new bios, does not sound a easy way of doing it. But that is what amd is now investigating. If there Are something that They need to do. Maybe next week there will be 24 hour of intel. As I said all Computer chips include bugs. It is just a matter of work to find them.
HStewart - Tuesday, March 13, 2018 - link
"The full whitepaper can be seen here, at safefirmware.com, a website registered on 6/9 with no home page and seemingly no link to CTS-Labs. Something doesn't quite add up here."But the following website has link to this document at top and also has references to CTS-Labs at bottom of website. My thought is savefirmware.com is site where documents are stored.
https://amdflaws.com/
GruenSein - Tuesday, March 13, 2018 - link
I am interested to find out how long HSteward has had an account at anandtech. For no apparent reason, he seems to be very interested in reinforcing these very bizarre and questionable claimsGothmoth - Tuesday, March 13, 2018 - link
HStewart is either an intel fanboy or someone who is thick as bread.....HStewart - Tuesday, March 13, 2018 - link
As above - I am not Intel Fanboy only thing directly related to Intel - I have about 30 years in computer experience including almost 7 years of protected mode 386 Assembly language programming - unlike most people I do have understand of programming that make these problems happen.One thing I am curious about this issue and Meltdown/Spectre is there an actual document virus based on these problems. Which could mean it all been to smear others. Including Meltdown/Spectre - was attempt to spear Intel - but was later to found out also effect AMD and ARM.
dilacerated - Tuesday, March 13, 2018 - link
Not an Intel Fanboy? Registered late 2017 and have posted exclusively in Intel articles:https://www.google.com/search?q=inurl:anandtech.co...
HStewart - Tuesday, March 13, 2018 - link
Well I be honest here - why would I care about non-Intel cpu's if I only used Intel CPU's but I do have QualComm 820 in my Samsung Tab S3One thing I believe about Internet - is that with technical information unless it coming from source of the information - I do believe I was doing messages here - before this - my primary reason is to look up technical information - but lately there has been disturbing attacks against Intel and I think it is unjustified. I know I updating here before Ryzen came out.
dilacerated - Tuesday, March 13, 2018 - link
That argument is perfectly fine regarding your post history, however, if you don't have a deep level of experience with their competitors it doesn't help your case to bash those coming to their defense of something carried out in a questionable manner.Now full disclosure I work at a chip manufacturer (let's call them Team Blue) and the attacks are frankly justified. The level of Kool-Aid drinking inside their walls is astounding. Think Leslie Nielsen waving his hands telling everyone there's nothing to see while fire and explosions are happening behind him.
As said the bashing of Intel for their handling of Meltdown and Spectre was fully justified. When Piednoël (who was involved in the development of some of Intel's biggest CPU architecture development, including Katmai, Conroe, Penryn, and Nehalem as well as SoCs in Sandy Bridge, Ivy Bridge, Haswell, Broadwell, Skylake, and Kaby Lake) abruptly quit in July of 2017 - https://www.techpowerup.com/img/TtiIY53h3pYaUtyu.j... - just before Ryzen and ThreadRipped launched it was odd but then we learned thats not long after Intel was informed of the vulnerabilities. Then there was the stock purge BK initiated months after the company learned of the vulnerabilities.
That all combined with the cheap TIM fiasco that continues to this day with Intel - https://www.google.com/search?q=intel+tim+problem&...
I know you think this is all new but this company has many times over done things that open them up for attack. They very frequently like to taught themselves as the most ethical entity in the tech industry yet have had many of their offices worldwide raided by countries and substantial fines leveled on them for far from ethical behavior.
Things such as their providing software developers with a compiler that optimized code to perform better on Intel microprocessors (which hilariously made programs run slower on some of their newer CPU's) - https://techreport.com/news/8547/does-intel-compil...
Seriously read up:
https://www.ftc.gov/sites/default/files/documents/...
http://jolt.law.harvard.edu/digest/intel-and-the-x...
HStewart - Tuesday, March 13, 2018 - link
As a developer for 30 years - I would say one would used a developer that best for situation. Using Intel compiler - it is expected to run the best on their cpu. I once purchase an Intel compiler - primary because it had performance optimization before Microsoft compiler. I primary use Microsoft compilers - actually because of application I been working is quite old - it actually the Older Visual Studio 2008.AMD Got 1.25Million from Intel on the legal stuff - which I personally don't believe they should. I was around when originally IBM came out with PC. IBM wanted second source of CPU - thus AMD came into picture - Intel created the CPU that was in the IBM which every x86 based CPU is created from. Here is a link on original IBM PC - kind of funny - back then they thought the 8086 was too powerful - so they went with 8088
https://www.edn.com/electronics-news/4386034/Whenc...
I am old school person - been computing since 8 bit days - but technically have knowledge of detail internals of chips - I did OS work and I had personal access of all Intel CPU manuals and YES - all of AMD CPU manuals. My IBM PC came though a joint venture with neighbor on code I was developing on the side - my first actual computer that I had actually had a AMD 386 clone chip in it.
dilacerated - Tuesday, March 13, 2018 - link
You're missing points again and cementing your Intel Fanboy perception by saying things like:"Using Intel compiler - it is expected to run the best on their cpu."
If you even bothered to research you'd have easily read that their compiler was found to flat out look for Intel ONLY and if it didn't see what it expected it disabled extensions therefore the software it helped create crippled the performance of their competitors such as VIA/Cyrix and AMD. Worse it not only checked the vendor ID string and the instruction sets supported. It also checked for specific Intel processor models thus code generated by it failed to recognize future Intel processors with a family number different from 6.
https://www.theinquirer.net/inquirer/news/1567108/...
http://www.agner.org/optimize/blog/read.php?i=49#4...
https://news.ycombinator.com/item?id=7091064
There's a reason tools like this exist: http://www.softpedia.com/get/Programming/Patchers/...
You say you are old school and bring up the IBM deal which I am old enough to remember vividly as well. You obviously then remember that Intel was required, by IBM, to find a second source and THEY chose AMD. Then in 1984, in order to shore up their advantage in the industry, Intel internally decided to no longer cooperate with AMD in supplying product information, delayed and eventually refused to convey the technical details of the 80386 to AMD despite having signed the papers and having shaked all the hands along the way.
HStewart - Tuesday, March 13, 2018 - link
"Not an Intel Fanboy? Registered late 2017 and have posted exclusively in Intel articles:https://www.google.com/search?q=inurl:anandtech.co...
Something is wrong about this this query - I just included an actually question on recent Xbox One Freesync with questions about my monitors and up and coming update from Microsoft and this query did not find it - conclusion this is some how only searching for Intel related comments in last couple of months.
dilacerated - Tuesday, March 13, 2018 - link
Uh, what?That's looking for results with anandtech.co...
Google may not have cached the results for that article that was published just yesterday...
dilacerated - Tuesday, March 13, 2018 - link
Anyhow my point in general having run several or nearly all offerings for Desktop/Mobile/Server CPU's from the likes of Intel, VIA, Cyrix, SPARC, DEC, AMD, Qualcomm, Samsung, Apple, MediaTek, Transmeta and so on is that not all of them are their 100% competitors equal. You got to play with them to fully see where they benefit you and where they have room for improvement.BUT only one of those companies has a HUGE track record of shady business tactics to gain an advantage in their space AND has been legally convicted of doing so:
https://www.google.com/search?q=intel+convicted+of...
As a result many of their competitors have vanished in the meantime because, as Andre Agassi once said, "image is everything" and Intel has done a VERY good job of damaging the images of many of their competitors.
Even recently they tried to smear AMD for "glueing" ThreadRipper and EPYC CPU's together while omitting that they ever did so - https://www.techpowerup.com/235092/intel-says-amd-...
mode_13h - Tuesday, March 13, 2018 - link
It doesn't take a genius to write asm. I've worked with enough to say that from experience.Also, doesn't mean you're not a troll or a shill. Everything about this reveal is shady. If you can't see that, there's no hope for you.
dilacerated - Tuesday, March 13, 2018 - link
Meltdown and Spectre were not attempts to smear Intel and it is perplexing that you even think this.Both were VERY well documented and because of the gravity of them Intel and others involved (including AMD!) were given the 180 day + period to sort out a solution unlike the news today.
Manch - Wednesday, March 14, 2018 - link
liarManch - Wednesday, March 14, 2018 - link
H Stewart is an idiot and an Intel fanboy/shill. It's endless with him.HStewart - Tuesday, March 13, 2018 - link
For you information I have had an account Amandtech for a year or so. Yes I prefer Intel products but I don't work for Intel - I actually interview with them about 25 years ago - but at that time I was primary Intel Assembly language and they want C++ developers. Also at that time, I have my name on Erratum for IBM 486SLC.Most of my desire for Intel has been my long history of personal computers on there cpu - I also had bad luck with AMD/Ati products and trust Intel CPU / NVidia. I have no stock in Intel and also unlike the possible reason why this could be fake - I have not been hurt or even have AMD stock.
What is really interesting is that people on internet jump to Meltdown/Spectre claims but when Intel release fixes - they ignore it - but attack others if AMD system has flaws.
One thing, I change my mind about Dell XPS 15 2in1 - initial I was thinking that I would not give it chance because of AMD Vega chip - but I been likely the specs and I might give it chance - but my only reservation is how AMD Fanboy's are so bias and against Intel.
echoe - Tuesday, March 13, 2018 - link
intel was given something like a 6 month lead time on dealing with Spectre/Meltdown. AMD was given a 24 hour lead time on this and the bugs themselves appear to require physical access to the hardware.if you don't see the differences here, you're the one who is being willfully blind. period.
HStewart - Tuesday, March 13, 2018 - link
I not complaining about that - that was by there choice on the time given - wrong of right. The bigger issue is that is some people - believe that AMD is perfect and that Intel has a monopoly. In a CPU that Intel originally created with the original IBM PC. If you want to see a real monopoly - look at Windows 10 for ARM only running on Qualcomm CPU's and also Apple where you can purchase only from Apple.dilacerated - Tuesday, March 13, 2018 - link
No one is saying AMD is perfect. What people are doing is defending them from a rather shady announcement that most of the industry is questioning the validity of. Read up on Viceroy FFS.Also since you are desperate to defend Intel in every which shape and form please do the world a favor and READ the facts:
https://www.cnet.com/news/intel-and-amd-a-long-his...
https://www.networkworld.com/article/2239461/data-...
HStewart - Tuesday, March 13, 2018 - link
Just FYI, the IBM486 bug was related to cache line been inverted when jumping between 286 and 386 protected mode - it was found in PC-MOS/386 OS which source is actually in public domain - it was in _386.ASM file - but I try to look for it - but could not remember where the work around was place - I just remember IBM sending us a hand mod CPU.dilacerated - Tuesday, March 13, 2018 - link
You're blindly ignoring the facts in this that have given strength to scepticism in every corner of the tech community and pushing logic that Intel is the real victim while declaring that all of those here and elsewhere questioning the validity of these findings are anti-Intel AMD Fanboys with statements like:"It just funny when it against Intel - everything true and must be handle, but AMD it is a spear campaign."
No one has ignored Intel releasing fixes for Meltdown and Spectre. I dare you to prove that. In fact they have gotten a lot of coverage out of such because many of their fixes have had negative outcomes enough for said fixes to be pulled while their Engineers have gone back to their drawing boards.
Also when it comes to Meltdown and Spectre many bashed AMD for basically leaking key details for both when their doing so was prompted by Intel's Brian Krzanich going on air and declaring that both Meltdown and Spectre affected every single CPU out there 100% the same which was completely inaccurate.
HStewart - Tuesday, March 13, 2018 - link
That is old news about going back to drawing boards - that was back in Jan and was updated and corrected in Febhttps://security-center.intel.com/advisory.aspx?in...
If this whole Ryzen problem is fake - than I been reading about possible some investor upset with money lost from AMD and trying to take revenge.
I serious doubt a large company like Intel or NVidia is behind this - who knows with all the political miss-information going around.
Time will tell
HStewart - Tuesday, March 13, 2018 - link
"For no apparent reason, he seems to be very interested in reinforcing these very bizarre and questionable claims"All I am indicating here is that where document on safefirmware.com is link from has a link to CTS-Labs yes the document does not have a direct link but I could not find any other links to safefirmware.com but what I notice on cts-labs is that all documents are either in web site or to external sites.
nirolf - Tuesday, March 13, 2018 - link
Using a simple Google search on anandtech.com, it seems that he is active since August 2017, posting a lot on Intel related articles (but not only). Just about right, isn't it?HStewart - Tuesday, March 13, 2018 - link
If I was true Intel Fanboy, I would mention on AMD articles putting Intel before AMD. Now if some one complains about Intel - it fair game to rebut that claim.This article is quite different - AMD Fanboy's attack Intel so much about Meltdown/Spectre and at same time stating AMD did not have the issue. But they completely ignore that Intel fix the issue and that AMD also has documented issues with Spectre.
For the record, I believe I was doing posts here before August 2017 - I used to not care - but the last couple of years I started seeing a pattern where AMD fans attacking if any body says anything about Intel. To be honest it means nothing - minority of folks really read these things just desiring to information about future purchases. For example I like the Dell 15 XPS 2in1 - but I was concern about compatibility with Vega chip - because I had past bad history with ATI/AMD Graphics cards - but that been a long while.
ಬುಲ್ವಿಂಕಲ್ ಜೆ ಮೂಸ್ - Tuesday, March 13, 2018 - link
If you want to read about scandals and smear campaigns, try the Blackberry ScandalIt's all over the news today
Apparently Blackberry wasn't as secure as they claim
Everything you do on a Blackberry is obviously monitored or there would be no need to remove the Gov't monitoring capability, like Vincent Ramos did
So the Company can LIE about the security of the phones but if you fix it YOU are the bad guy ?
My point is not about whether or not Vincent was fixing the phones for crime
My point is that the Companies making the Phones are committing crimes while posing as the good guys!
Meanwhile, Anandtech appears to be covering FAKE NEWS!
Makaveli - Tuesday, March 13, 2018 - link
Are you a Moron?Vincent Ramos was stripping out the GPS,Wifi etc you know things that make it a smartphone to make it a dump phone for the criminals to use. Those are the items which all phones have that make it easier for the cops to track you.
When the government comes knocking on your door you have to weigh the pro and cons.
Most of these companies are not going to allow themselves to be shut down and lose 100s of millions of dollars because of you and your $1000 phone and your sense of privacy.
HStewart - Tuesday, March 13, 2018 - link
It is not just AnandTech but all the internet - including C/Net and others.Gothmoth - Tuesday, March 13, 2018 - link
that is either intel again or stock market manipulation. but this CTS company is sure as hell a disgrace.jakemonO - Tuesday, March 13, 2018 - link
Frankly, if it is fake - and the timing smells very fishy - I would suspect securities fraud before suspecting Intel. Who will have made money on the AMD price fluctuation? Why now when AMD stock is poised to rise?realistz - Tuesday, March 13, 2018 - link
The double standard from these toxic AMD fanboys are hilarious. If it was fake they wouldn’t have submitted their findings to AMD. But but but da conspiracy!bji - Tuesday, March 13, 2018 - link
It costs them nothing to "submit their findings to AMD", and it lends free "credibility" to their claims. The fact that they submitted their findings to AMD is no evidence at all in their favor. It's really not that hard to reach rational conclusions about this issue if you spend more than 3 seconds thinking about it. But sticking your fingers in your ears and shouting "fanboy" is easier than thinking I suppose.SaturnusDK - Tuesday, March 13, 2018 - link
You gotta try harder troll. If it was real the industry standard 90 day notice would have been given. Not 24 hours.Holliday75 - Tuesday, March 13, 2018 - link
Toss in a PR firm to handle responses and how prepared this message was it just stinks all aorund. The fact they spent so much time preparing for this and gave AMD so little notice just screams shenanigans.Singuy8888 - Tuesday, March 13, 2018 - link
Fake news is Fake. This company uses stock footages and green screen to create their company out of thin air on youtube.https://i.imgur.com/OkWlIxA.jpg
FreckledTrout - Tuesday, March 13, 2018 - link
LOL nice find Singuy8888.Yorgos - Tuesday, March 13, 2018 - link
check the video on yt.They edited the server room to seem as if the server LEDs are blinking.
If you are doing something wrong, at least do it the right way.
Yorgos - Tuesday, March 13, 2018 - link
So, this was being hyped for a couple of hours and now it's backfiring back to jntel.Nice try.
dilacerated - Tuesday, March 13, 2018 - link
I thought their office looked like it was fake:https://www.reddit.com/r/Amd/comments/846gpm/how_c...
Samus - Tuesday, March 13, 2018 - link
There was speculation at CES about when, not if, exactly this would happen. But the level of shadiness here is astounding, from the impossibly short notice (and irresponsibility to vendors world-wide in revealing these flaws before acknowledgement by AMD let alone producing patches) to the fact this "security company" opened shop around the time AMD launched the Zen micro-architecture.If I were AMD, I'd sue.
dilacerated - Tuesday, March 13, 2018 - link
Ian asked for an ELI5 on Viceroy: https://www.moneyweb.co.za/in-depth/investigations...easp - Tuesday, March 13, 2018 - link
I'm no AMD (or Intel, or Nvidia) fanboy, but this whole thing stinks. Sounds like CTS-Labs put self-promotion over professional ethics and the security of end-users.Perhaps AMD didn't want to put them on retainer? Or perhaps kneecapping AMD seemed like a good way to encourage other companies to put them on retainer? Or both!
guidryp - Tuesday, March 13, 2018 - link
Unlikely this has anything to do with Intel. It won't have any legs.More likely it's a stock short play.
Short Stock.
Create some alarmist bad news, to drop price.
Cash in and run.
eva02langley - Tuesday, March 13, 2018 - link
1. You have a release of information not following industry standard in terms of security.2. You have confusing reports with no concrete evidence.
3. You have google project zero who didn't find anything similar in quantity or in impact, with basically 1000 times the R&D of CTS-labs.
4. You have a company with third party affiliation.
5. You have a place of work located in a country with a strong Intel presence.
6. The timing is just at the moment of Zen+ launch.
7. You have a company using videos with no real information of the threats, only specifying their intent to protect the public by presenting these threats without giving AMD time for mitigation and analysis.
8. You have a company not able to answer calls or presenting themselves in interviews after such an important news.
9. You have a company who made propaganda videos using green screen and fake offices for building a false sense of credibility.
10. You have a company named Viceroy, degraded AMD to 0.00$ of value after analyzing the report from CTS shortly after the release of information. Not taking into account that AMD is by far not a CPU only company with many other businesses outside the CPU market.
11. You have a news with too much marketing with threatening naming conventions and logos to frighten the public... and the investors...
and
12. You have a company named AMD with a huge future ahead of them. one of the few company who can provide CPU and GPU ofr IoT and AI applications with companies like Tesla. A company having almost the monopoly in console graphics and processing. A company push to new summit due to their GPU being suited better for mining capability for a fraction of the price of the competition.
13. You have the stock of the most speculative company having the highest amount of shorters at wallstreet...
14. You have one of the biggest scam of the last decade evolving in front of your eyes.
Everything about this story is wrong. And everything about this story is obviously aimed at manipulating the stock value and the reputation of AMD.
davegraham - Tuesday, March 13, 2018 - link
and you have (1) ONE corroborating security expert saying he had access a week beforehand in a paid engagement with CTS Labs. All of these things COULD be done but as has been stated ad naseum by others, it requires a significant amount of effort and access in order to accomplish, no mean feat.Samus - Wednesday, March 14, 2018 - link
Yeah, my favorite part is the acknowledgement that ALL of these flaws require root/admin (system level privileges) in which case you are already fucked if someone is logged in as root that has the intention of taking advantage of these exploits.Basically the real admin would have to be clueless enough to execute exploiting code.
davegraham - Wednesday, March 14, 2018 - link
The 2nd corroborating security expert is a "friend" of some member of the company. This automatically removes him from being an authentic source even IF, as he claims, the data is correct. Ian is very well aware of the requirements for authenticity: peer review, peer research, and the ability to conduct the exact same exploits with the same results. so far, we have none of that. a paid for contractor who says "yep, it works," a friend of a friend who says "yep, it works" and nothing substantive to go on. regardless of whether it's true or not (and I know that some of these things can be done, regardless of platform) this is incredibly, incredibly dubious in presentation and character.poohbear - Tuesday, March 13, 2018 - link
Would it shock anyone if this company is owned or funded by Intel or Nvidia? Wouldn't be the 1st time competition does this in the business world.lilmoe - Tuesday, March 13, 2018 - link
-> Grabs popcorn MJ style.-> Reads more articles about ryzen+ and waiting patiently to drop Intel once and for all in all future build and purchases.
Keep it coming, "security firms".
euskalzabe - Wednesday, March 14, 2018 - link
Right there with ya.Xeeros - Tuesday, March 13, 2018 - link
*cringes*Please fix the grammar and spelling issues.
To many to count but coal instead of goal is a stand out.
Kthnx
lilmoe - Tuesday, March 13, 2018 - link
*Too* many to count.Please fix your spelling mistakes.
/cringe
mkozakewich - Sunday, March 18, 2018 - link
"Muphry's Law"ianmills - Tuesday, March 13, 2018 - link
The CEO of the company is named Ido Li"I do lie"
lilmoe - Tuesday, March 13, 2018 - link
I died, lolSamus - Wednesday, March 14, 2018 - link
Lmfao, nice.CeltusIber - Tuesday, March 13, 2018 - link
I bet AMD is behind this PR stunt.Just look at the comments?
Everyone is blaming Intel.
Looks like AMD got what it wanted from this little PR stunt....
Spunjji - Wednesday, March 14, 2018 - link
You're either trolling or delusional, but either way it's grade A fun.Reality check: Comments sections on tech articles are not useful ways to gauge the motivation of a company attempting a hit-job on the stock of a multinational organisation.
lilmoe - Tuesday, March 13, 2018 - link
Too many to count***Please fix your spelling issues.
lilmoe - Tuesday, March 13, 2018 - link
That was meant for Xeeros.Yojimbo - Tuesday, March 13, 2018 - link
Isn't the reason for the 90 days to prevent security breaches? It's not a grace period for the company. Why should a company get a grace period? What matters is the security. If there isn't an increased security risk from the near-simultaneous notification about the security flaws to the company and to the public, then I think notifying the public as soon as possible is the ethical thing to do. Of course, if there is an increased security risk from the simultaneous notification then that's a different story.eva02langley - Tuesday, March 13, 2018 - link
The 90 days is to prevent exploitation of the disclosed vulnerabilities and prevent damages. By divulging vulnerabilities in 24 hours, this company is a laughing stock. They are supposed to be bounty hunters and getting paid for bugs by reporting them to the companies so they can fix them. However here, this is just for manipulating AMD stock to buy at low price until the story is debugged as false and selling at higher price.... but it didn't worked.Everything about this story is just too big... and the flaws, just too small.
Yojimbo - Tuesday, March 13, 2018 - link
"The 90 days is to prevent exploitation of the disclosed vulnerabilities and prevent damages."Again, what if, for whatever reason that wasn't applicable in some cases. Is it not then reasonable, and ethically superior, to disclose the flaw as soon as possible to those who may be affected by the vulnerability, either because they already own the affected equipment or because they are considering a purchase? From my point of view, as a consumer, the 90 day waiting period is a necessary evil.
"By divulging vulnerabilities in 24 hours, this company is a laughing stock."
Well maybe they shouldn't be, if there is no technical reason to withhold the information.
"They are supposed to be bounty hunters and getting paid for bugs by reporting them to the companies so they can fix them."
They aren't "supposed" to be anything. They are researchers and the only thing they can be supposed to have is ethical consideration for others affected by their actions.
"However here, this is just for manipulating AMD stock to buy at low price until the story is debugged as false and selling at higher price"
That's just conjecture that you are stating as fact. I agree that there are peculiarities here. My point, however, had nothing to do with the motives or specific instances of this case. It was specifically talking about this idea that companies have the right to 90 days notice. There's an attitude in media and forums that somehow AMD was wronged because they weren't given 90 days. I don't see it that way. I don't see why a company should be protected for 90 days. The only reason I can think of for the 90 days is to prevent security breaches.
Carmen00 - Wednesday, March 14, 2018 - link
Unless you happen to know every single use that a particular item of hardware/software is possibly used for, how can you be sure that nobody will be affected? We've gotten this disastrously wrong before and people have been affected. That 90 days is standard for a reason, not because we as a security community "just feel like it".But all that aside, there's no possible way that you can claim that in this particular case, the 90 days was irrelevant. It's very clearly irresponsible disclosure in this specific case. The facts are very clear!
Yojimbo - Thursday, March 15, 2018 - link
"But all that aside, there's no possible way that you can claim that in this particular case, the 90 days was irrelevant. It's very clearly irresponsible disclosure in this specific case. The facts are very clear!"I don't think the facts are so clear. There is a possible way we can claim the time is irrelevant if we were actual security experts who understood the situation. Are you in the security community?
I wonder how much security research is done with a mind towards telling companies about vulnerabilities compared to the amount that is done with a mind towards not telling companies about them.
Manch - Wednesday, March 14, 2018 - link
" I don't see it that way. I don't see why a company should be protected for 90 days. The only reason I can think of for the 90 days is to prevent security breaches."I honestly don't understand why you're arguing. The 90 days is not to protect the company. It's as you just said, to prevent security breaches. It gives the company a chance to patch before it becomes known in the wild. THIS protects consumers as well as the companies bottom line. It's beneficial to both parties. Granted, no technical how to was released. What they did and what has people upset is they said If you want to breach AMD's procs, this is the path you need to go. If this is in fact legitimate, people that are working to breach these procs and do not have the best intentions either now know to change their attack vector or it confirms they're on the right path. It is very careless and dangerous to release this to the media FIRST and then to AMD after the fact. This endangers anyone with that hardware.
TBS, at face value the prerequisites to even exploit this is dubious at best. It is very questionable in how they went about announcing it. The website and everything else about the company seems odd.
Who did it and why? For what reason? Something is up. I don't believe Intel or NVidia is stupid enough to try something like this. Somebody is up to something. This story will unravel and get more interesting.
I'll neither defend Intel blindly like H Stewart, or attack them and accuse them like a lot of people here are. This is not the Luminati with Intel Inside planning an evil take down. Something is up though.
Yojimbo - Wednesday, March 14, 2018 - link
"The 90 days is not to protect the company. It's as you just said, to prevent security breaches. It gives the company a chance to patch before it becomes known in the wild."I am asking when that is appropriate and when that isn't. I don't understand why you think its strange I should ask such a question. I think I made the reason I brought it up clear. It's because there is a strong attitude that AMD "deserves" the x days, and that CTS labs did something "dirty" by not giving AMD 90 days. Now you can insist that the reason for the x days is to protect the customers, but if the attitude becomes occified that companies deserve this time that could be a dangerous thing. So I am asking: rather than giving 90 days, did CTS labs actually increase the risk to the public by letting them know of these vulnerabilities immediately, without publishing the technical information, or have they reduced the risk to the public? I don't believe anyone has a clear answer to that because they haven't really considered it. If one considers it and decides that the x days system is the most secure, there still is the issue that the attitude is that a company "deserves" this treatment.
Again, the "who did it and why" conspiracy theories of this particular case are not relevant to the issue I am raising. There may or may not be some sort of manipulation going on here. But that is not the issue I am concerned with. Now, one could argue that immediate release of information makes it easier to try to manipulate the stock price. That is something to consider, but I'm not convinced that that in itself is enough of a reason to choose the other route. Any specific instance of potential securities fraud would be a case for the SEC, or whatever equivalent entity in any other country, to investigate.
Manch - Thursday, March 15, 2018 - link
I think its strange bc you answered your own question. I don't think AMD deserves protection anymore than Intel. The customers on the are the ones that need protecting. ALL processors have flaws. If you don't give them the chance to know about it, they cant fix it. If you don't give them a time frame, they'll never get it done. So you got to find a balance between giving them a chance to fix it and protecting the consumers by not providing a roadmap for hackers or god forbid, laying out exactly how to do it.As far as CTS goes, they are in cahoots with Viceroy research which is trying to manipulate AMD stock. yes, I think that by releasing this to the press before notifying AMD and then bashing AMD for not having a fix to an unkown prob reaks to high heaven. It puts users at considerable risk even without giving technical details because you have given the vector to which AMD procs should be attack. AMD will now be scrambling to test/validate/patch trying to beat the hackers. This will result in a rushed patch/solution that could be just as bad or ineffective. It serves no one but CTS to release this the way they did. Add in their collusion with Viceroy and it becomes even more egregious. But, like you I wont speculate into the motives or accuse AMD's competitors but it's fair to acknowledge that it stinks.
CTS Labs in conjunction with viceroy research DID do something dirty. They def didn't do it for the good of the people.
Manch - Thursday, March 15, 2018 - link
Also, I find strange that they claim they were researching ASMEDIA for a year and never said anything to anybody. ASMEDIA is not exclusively AMD and its strange other security researchers haven't found ANYTHING.Yojimbo - Friday, March 16, 2018 - link
"Also, I find strange that they claim they were researching ASMEDIA for a year and never said anything to anybody. ASMEDIA is not exclusively AMD and its strange other security researchers haven't found ANYTHING."Yeah, you definitely don't. You have a one track mind...
Yojimbo - Friday, March 16, 2018 - link
"I think its strange bc you answered your own question."I don't think you understand the issue I am raising.
danjw - Wednesday, March 14, 2018 - link
They pre-briefed media and hired an outside firm to verify it, before they told AMD. This is a red flag.If they were concerned about consumers, they would have made sure AMD knew before letting anyone outside their group knew. That way AMD could try to address the issues before crackers figured out how to exploit these vulnerabilities. Now the crackers know where to look for these vulnerabilities and AMD has had very little time to even investigate if they are valid.
Yojimbo - Thursday, March 15, 2018 - link
"If they were concerned about consumers, they would have made sure AMD knew before letting anyone outside their group knew. That way AMD could try to address the issues before crackers figured out how to exploit these vulnerabilities. Now the crackers know where to look for these vulnerabilities and AMD has had very little time to even investigate if they are valid."Is it reasonable to expect that people can find, implement, and distribute the vulnerabilities before AMD can fix them?
Correct me if I am wrong, but if I remember there was a case some time ago (was it the zero days exploits?) where companies knew about vulnerabilities and did nothing about them. The public was not alerted. Then the vulnerabilities, along with the technical details, were leaked. In such a case the public really are hung out to dry. Or suppose someone finds vulnerabilities, informs the company, and the company doesn't do anything. What then? The finder releases all information to the public? Is that fair to the customers?
I don't know the answers to these questions, but I feel that people are having a knee jerk reaction here without really considering the situation. Frankly, if someone were to be incentivized to find security vulnerabilities it might be better if they sell the information to financial investors, for which the existence of the vulnerabilities need to be revealed, rather than those who wish to use the vulnerabilities. I dunno. I'm guessing no one has a good idea of how much that goes on, except possibly for the entities that buy the most vulnerabilities.
ಬುಲ್ವಿಂಕಲ್ ಜೆ ಮೂಸ್ - Wednesday, March 14, 2018 - link
Check out Dan Goodins article on this over at Ars Technicabeginner99 - Wednesday, March 14, 2018 - link
Intel back to their scummy tactics. I see.xidex2 - Wednesday, March 14, 2018 - link
Isreali jews collaborating with Intel on smear campaign before next gen Ryzen CPUs release.Spunjji - Wednesday, March 14, 2018 - link
Sources or go home.xidex2 - Wednesday, March 14, 2018 - link
I does'nt take a detective to figure that this was intentional. But seeing how they willingly pay other companies 16000$ to prove "their findings" and I reiterate, "their findings" - of a company which was founded in 2017, nobody knows them and they got this other website amdflaws.com created merely 3 weeks ago with rushed youtube channel, all of this few weeks before next gen Ryzen launch and having 3 employees in total, then I am very inclined to some form of connection with Intel because I fail to see how they found 13 exploits (well you can say 4 and all of them 2nd stage but still).If I am wrong about Intel than I am for sure right that this is all about playing with AMD stock prices so they can buy in, but then question is who these exploits came from.
getreallol - Wednesday, March 14, 2018 - link
How is MAD supposed to respond to this stupid shit that, if you have root access, you are the system Admin, you can run any code you want? This is true for every computer ever builtgetreallol - Wednesday, March 14, 2018 - link
How is AMD supposed to respond to this stupid shit that, if you have root access, you are the system Admin, you can run any code you want? This is true for every computer ever madeYojimbo - Thursday, March 15, 2018 - link
"How is AMD supposed to respond to this stupid shit that, if you have root access, you are the system Admin, you can run any code you want? This is true for every computer ever made"It's not true. Firstly the vulnerabilities make systems on the chip meant to increase security useless. In order to flash the firmware one needs root access. So then your question is akin to asking "why verify a firmware at all, since you need root access to flash it?" Furthermore, some of these vulnerabilities are pervasive. They allow malware to be placed into the firmware such that it can never be removed.That isn't the case without the vulnerabilities, if he security features workt he way they are supposed to.
But if there is no way for AMD to respond, then that is an argument that waiting x days before informing the public is just a waste of time, and that informing the public immediately, without giving the technical details, was the correct choice for action.
getreallol - Wednesday, March 14, 2018 - link
Linus Torvalds's profile photoLinus Torvalds
+108
+Mark Anderson no, it's not even the 24 hours. I dislike the "give vendors all the time in the world" model of security disclosure enough that I very much understand why some people then give them no time at all.
You can be corrupt by being too chummy with vendors too.
It's the advisory itself that is garbage, and the attention whoring about it. And how it's lapped up.
When was the last time you saw a security advisory that was basically "if you replace the BIOS or the CPU microcode with an evil version, you might have a security problem"? Yeah.
No, the real problem is the mindless parroting of the security advisory (it's "Top Story" on at least one tech news site right now), because security is so much more important than anything else, and you can never question it.
Security people need to understand that they look like clowns because of it. The whole security industry needs to just admit that they have a lot of shit going on, and they should use - and encourage - some critical thinking.
Yojimbo - Thursday, March 15, 2018 - link
"You can be corrupt by being too chummy with vendors too."Yes, exactly.
as for the rest, security vendors are going to look for their publicity. Many people will try to monetize their work one way or another. I find it hard to believe that a smooth, well-behaved system of selfless security experts who, even though they have such potential power, gleefully accept a servile role in which they are both friendly with the product owners and entirely ethical with the public is realistic or stable.
Spunjji - Thursday, March 15, 2018 - link
What's servile about not fucking with the security of the people you're expecting to pay your bills? Seriously. There's a self-interest element to doing this well, too, but honestly I hate the conflation of doing what is objectively the best thing for everyone involved and being someone's bitch.Yojimbo - Friday, March 16, 2018 - link
"What's servile about not fucking with the security of the people you're expecting to pay your bills?"What security do you mean?
"There's a self-interest element to doing this well, too, but honestly I hate the conflation of doing what is objectively the best thing for everyone involved and being someone's bitch."
It is obviously the best thing for everything exactly why? And doing the best thing for other people is servile. I think you're getting caught up on connotation here and therefore you're missing the point. The issue I am raising is that people are going to try to monetize their work one way or another. I am questioning the stability of a system in which people who have power are expected to act as if they have none. If you think that doing what is best for the others involved is "being somebody's bitch" then you are just demonstrating my concerns.
rocky12345 - Wednesday, March 14, 2018 - link
It just seems way to timely that this crap came out just before a major CPU release. I smell something rotten here for sure. I am 100% sure that with todays tech and peoples programing skills there are a ton of security flaws out there like this with all hardware that has chips on it and if people were to look very closely they would find that even your talking fridge or thermostat is at risk in some form or another.Heck I am willing to say that most likely if any of these flaws they claim AMD has are also present in Intel's CPU's as well. Most people would be very surprised just how unsecure their computers are or phones or even those fancy appliances that connect you to the world are.If they did know this they would be running around yelling the sky is falling the sky is falling oh wait that is just what this security company did which to me is a pure trash company for sure with questionable business practices and intent. I am going to say it again NO ONE IS SAFE in todays techy world if we were then things like viruses and malware or simple hacks would be stopped at the hardware level and that simply does not happen so this crap companies claims are pretty much false or just invalid.
danjw - Wednesday, March 14, 2018 - link
A lot of people are comparing this to Spectre and Meltdown. Those were exploitable via just accessing a website. These require running an executable on the system itself and acquiring admin/root privilege. At least some of them require that the software be signed by a trusted key.This isn't as severe as Spectre and Meltdown, but still very troubling. Not the best thing for AMD to have to deal with 1 month before their launch of the Ryzen 2000 processors. The way this was disclosed is clearly outside of industry standards. I would be surprised if CTS-Labs is around in 6-months. They seem to have no purpose other than take a hit on AMD.
rocky12345 - Wednesday, March 14, 2018 - link
Also didn't someone on here say the CTS-Labs company was formed in 2017 that alone makes this sudden announcement seem a bit dodgy right there. Also it targets Ryzen CPU's in AMD's lineup and not any of the others that right there puts up a lot of red flags for me personally. Whether this is true or not it does not matter any more because the damage has already been done and people will have already made up their minds most likely to just be sheep and believe it. Well the stupid ones that is. I also find it odd that they chose to release this information 1 month before AMD releases the Ryzen+. This makes me think there are other powers here in play and someone spent a lot of money to get this type of trash out in the wild because whether it is true or not like I said the damage is already done. Intel must be in their glory right now they are going phew we might have dodge a big bullet here because of the market share those Ryzens were taking from us will now slow down a lot and we can go back to releasing the same old products again & again like we used to do.palindrome - Wednesday, March 14, 2018 - link
I hope all the "journalists" that helped and are continuing to help prop up this story are sued into submission. Morons are literally doing CTS's/Viceroy's work for them.Breaking news! Bad things happen when admin access is compromised! More at 11...
Tewt - Wednesday, March 14, 2018 - link
Laughable about anyone that says try to look at this objectively in these comments. Unbelieveable the lack of morals and promoting of this farce. The release was completely unprofessional and flies in the face of other established security researchers throughout the years. If CTS had done this to Intel with only a 24hour notice, the wailing would be off the charts.I've never been more confident in AMD. Meltdown/Spectre were much more serious and Intel walked away unscathed so I don't see any real issue with AMD products.
johnny_boy - Wednesday, March 14, 2018 - link
I haven't used windows in ages, but I thought regular users essentially have administrative privileges. It's not like there's an area of the file system that can't be modified by a regular user, at least, that's how it was when I used windows back in the day. Has that finally changed?Lord of the Bored - Wednesday, March 14, 2018 - link
It changed a while back. I think with XP, though everyone ran as admin there. I think Vista started discouraging that practice.I get told by Win10 that I don't have access rights to some system files even though I run as admin.
Gothmoth - Wednesday, March 14, 2018 - link
ok asking someoe ewith a clue here.....affected ASMEDIA chips/technology.. does that mean asmedia chips on intel mainboards are affected too? or is it only asmedia technology in the AMD CPU´s??
beggerking@yahoo.com - Wednesday, March 14, 2018 - link
No, this is bs fake news, nothing is affected by it.chobao - Wednesday, March 14, 2018 - link
It seems this plot is directed solely at AMD...it Foretells DOOM & and END OF THE WORLD...well they are Israeli's, I don't blame them >.<
wumpus - Wednesday, March 14, 2018 - link
Remember when you would expect other "tech" sites to publish this tripe and Anandtech would see through it? Back before Anand sold the place and retired, I guess.Somebody with root access to a machine can do anything with it? That's news to the Anandtech staff apparently. Stay tuned for other things you might not know...
Li_pun - Wednesday, March 14, 2018 - link
If someone had administrator rights I don't think it will be difficult to hack it whether it is Intel or amd.It's not much vurnarable if the main requirement is root acess.
macel - Wednesday, March 14, 2018 - link
Regarding update from Gadi Evron, CEO of Cymmetria.."CTS-Labs believes that the public has a right to know if a vendor they are using makes them vulnerable, which is why no substantial lead time was given."
Is the comment from Gadi Evron poorly worded or is he more closely associated with ct-labs than implied?
chobao - Wednesday, March 14, 2018 - link
Er..Doesn't Gadi person the current chairman of CERT in Israel..he seems to have some personal connection with these guys at CTS....his wording of the issue is not clear..or is it him trying to cover them up. P.S there is alot of corruption in ISRAEL...on the other hand Trail of Bits...made it clear..need admin privs to exploit any of these..
I feel this entire issue is a HYPERBOLE..
Ian GREAT JOB for laying it all out....Why hasn't CTS contacted other well known Security peeps...
Ian did CTS send you the POC's
Cheers
chobao - Wednesday, March 14, 2018 - link
*Isn'tpogostick - Wednesday, March 14, 2018 - link
If I had paid for a damaging covert throat-punch against AMD, and this report is what I actually got, I would be wanting my money back. What kind of low IQ moron thought this would fool anyone?CalebDume - Wednesday, March 14, 2018 - link
I fail to see how CTS-labs can claim this is in the public's interest. It certainly isn't in the interest of an of the public who own's the effected hardware. Not giving AMD time to analyze and respond to this flaw is extremely unprofessional. It is hard not to read this and immediately assume this lab has an ulterior motive in the way they announced their findings.Note to CTS-Labs: There is a reason most security firms give manufacturer's 90 days to analyze security issues prior to telling every Tom, Dick and Harry about it.
mapesdhs - Wednesday, March 14, 2018 - link
This was a blatant financial attack piece, most likely on the back of short selling to exploit the negative PR. GamersNexus did a good piece about it:https://www.youtube.com/watch?v=ZZ7H1WTqaeo
AT, you've just wasted space by posting all this stuff. It's just FUD. If an agent with malcontent already has hands-on access with a root password in person, then you're pretty much screwed anyway, and any issues would apply to Intel or any other tech aswell. I'm disappointed that the nonsense by CTS is being given so much attention when it's pretty obvious it's essentially just a market exploit, no different to telling people, your front door is incredibly dangerous and you could die because if a serial killer has your door keys they can get in and stab you! Therefore companies who design front doors are garbage and their stock price should be zero! Come on AT, this is so obviously fake news, and a bit of digging of the kind GN did would have quickly made that clear.
Intel should join with AMD and file a combined suit against these people, if it can happen to AMD then it can happen to Intel. Heck, all chip makers should help the effort, it's in all their interests to make it clear these companies won't tolerate such actions against them.
mapesdhs - Wednesday, March 14, 2018 - link
(oops, sorry Caleb, that was meant to be a general post, not a reply to you)dwade123 - Thursday, March 15, 2018 - link
https://twitter.com/dguido/status/9736289330349916...The security flaws are indeed real. RIP AMD.
sgeocla - Thursday, March 15, 2018 - link
Guido has publicly acknowledged that all scenarios require administrator/root access. Further more, they also required digitally signed drivers. This means that these 'flaws' cannot be used in any way to compromise a protected system. Root access mean the system is already compromised. Meltdown and Spectre are orders of magnitude more destructive than this. Please read more on security to be able to think critically,versesuvius - Thursday, March 15, 2018 - link
AMD should bite the bullet, and take the plunge and whatever else too and vehemently declare and accept publicly that it has knowingly and intentionally planted a bug with potentially unimaginable catastrophic consequences to the public and security of the know universe in their chips lest it be accused of antisemitism.jakemonO - Thursday, March 15, 2018 - link
@versesuvius as a Jew I find your post offensive - no, wait, I meant hilarious! :-)wow&wow - Thursday, March 15, 2018 - link
“Security Researchers Publish Ryzen Flaws, Gave AMD 24 hours Prior Notice”Four Persons "SOMEWHERE in Isral” Publish Ryzen Flaws, Gave AMD 24 hours Prior Notice
From CTS (Cheap Technical Scammers):
"The report and all statements contained herein are opinions of CTS and are NOT STATEMENTS OF FACT."
"you are advised that we may have, either directly or indirectly, AN ECONOMIC INTEREST in the performance of THE SECURITIES OF THE COMPANIES whose products are the subject of our reports."
No address, no land line, 4 persons "SOMEWHERE in Isral" set up after June 2017 (after Intel's "Meltdown inside"), ..., but just a website ($4.95/month) and a mobile number +1-585-233-0321!
The so called “RESEARCHERS” paid $16K to review their findings!
From the quite cheap guy who reviewed their findings for $16K:
"For the attacks to work, an attacker must first obtain administrator access to a targeted network, Guido said."
For the car thief to steal the car, the car thief must first obtain the car key and access to the car, CommonSense said. What a car thief!
The 4 nobodies got the publicity and economic interest.
SkyBill40 - Friday, March 16, 2018 - link
Yeah, no. Not buying into this utter tripe driven by a clearly financial motivation. Here's to hoping the SEC guts these clowns and leaves them bloody in the street for all to see.Visual - Friday, March 16, 2018 - link
Re: people that say that since this requires admin access, it is irrelevantThere are certain things even administrators are not supposed to be able to do - like access the memory with keys or decoded data for certain DRM content and such. Things that mostly publishers of content and software care about, not the users themselves.
In so far as actual users/owners of the system are concerned, I'd say it's actually a good thing to be able to break such "security". But don't tell anyone I said that ;) There is the risk that publishers would refuse to publish their content for us without their "rights" being protected by this "security"...
stimudent - Sunday, March 18, 2018 - link
Intel sponsored report?MMurcek - Sunday, March 18, 2018 - link
You believe you are gatekeepers. The subject of your article thinks they are too.dereck101 - Thursday, March 29, 2018 - link
I hope these new phones are secure. I was suspicious of my wife for infidelity and i hired an experienced and trusted hacker S O L I D A R I T Y H A C K E R at G M A I L . C O M to help me hack into her phone and get info. In less than 24 hours after i gave him certain information to work with, he gave me the access link and i saw everything i had been suspicious about.S O L I D A R I T Y H A C K E R at G M A I L . C O M was also able to give me access to deleted messages and phone conversations both on the phone mobile service provider and all the phone calling Apps located on her iphone including whatsApp, FaceBook, Instagram , he said it worked with all apps located on phone memory, so far the App is located in the phone, the information would be revealed through S O L I D A R I T Y H A C K E R at G m a i l . c o m when he has the required information and of course not free. I would advice anyone with similar issues or even more complex issues to contact SOLIDARITY HACKER at G mail .COM for positive results in relatively short period of time.
stimudent - Saturday, March 31, 2018 - link
CTS looking rather foolish and incompetent right about now to a lot of insiders.