
Earlier today, we covered news that a previously unknown security research firm, CTS-Labs, has accused AMD of 13 serious security flaws inside its products. If these security flaws exist, it's critically important that AMD deal with them immediately. Nothing about their provenance or the process by which they were communicated to the press changes that. But we'd be remiss if we didn't note the perplexing nature of how they were communicated. Security researchers are also raising the alarm regarding some highly suspicious disclosures and framing of the underlying issues.

With Spectre and Meltdown, an early disclosure spilled the beans about a week earlier than Intel, AMD, ARM, and Google had collectively planned. All of the companies in question had been aware of Spectre and Meltdown since June (meaning, for months) and had been working on fixes throughout that time. Google, in fact, had given the various hardware companies an extended deadline to get fixes ready before disclosing the existence of the bugs. That's standard operating procedure in security disclosures; vendors are typically given at least a 90-day window to implement solutions. But in this case, AMD was notified a day ahead of the disclosure by an Israeli firm, CTS-Labs.

CTS-Labs has hired a PR firm to handle press inquiries, and its website, AMDFlaws.com, doesn't exactly follow typical disclosure methodology. In fact, the text of the site absolutely drips with scaremongering, with quotes like:

[Screenshot from AMDFlaws.com: AMD-Security-Lives]

Spectre affects every Intel CPU manufactured for over two decades, yet Google managed to avoid this kind of hyperbolic claptrap when it disclosed both it and Meltdown.

Under the section for "How long until a fix is available?" the site states:

[Screenshot from AMDFlaws.com: HowLongBeforeFix]

It's hard to estimate a time to resolution when you haven't even spoken to the company yet.

If you want to know how long it's going to take to fix a security flaw, you typically ask the company in question after telling them you've found one. This just isn't how security researchers disclose product flaws. Compare the language above with Google's own work on Meltdown and Spectre, where it details how the attacks work, links to actual, formal white papers that detail how these attacks work, then goes into an in-depth breakdown of the attacks with code samples and examples.

CTS-Labs' website and white paper completely lack this in-depth technical discussion, but the site is stuffed with pretty infographics and visual designs depicting which AMD products are affected by these bugs. It's exactly the kind of thing you might create if you were more interested in launching a PR blitz than in issuing a security notification.

AMD was given so little notice that it can't even state whether the attacks are valid or not. The company's statement reads: "At AMD, security is a top priority and we are continually working to ensure the safety of our users as new risks arise. We are investigating this report, which we just received, to understand the methodology and merit of the findings."

Good security firms don't put users at risk by launching zero-day broadsides against companies when the security flaws in question could take months to resolve. Good security firms don't engage in rampant scaremongering. Good security firms don't use websites like "AMDFlaws" to communicate technical information, any more than they'd use "IntelSecuritySucks" to communicate security flaws related to Spectre, Meltdown, or the Intel Management Engine. Good security firms do not draw conclusions; they convey information and necessary context.

The reason good security firms don't do these things is that good security firms are more concerned with finding and fixing problems than they are with publicity. When Embedi found recent flaws in the Intel Management Engine and F-Secure discovered problems within Intel's Active Management Technology, they emphasized communicating the situation clearly and concisely (F-Secure's blog post does have a touch of hyperbole, but doesn't approach what CTS-Labs is doing here).

We aren't the only site to notice. There's a notification on CTS-Labs' site that it may have a financial interest in the companies it investigates (shorting AMD stock is practically a pastime in financial circles). Other security researchers have absolutely trashed the manner in which the findings were communicated, the likely financial entanglements, and the way the brief has been communicated.

If these security flaws are real, AMD has a lot of work to do to fix them. It absolutely deserves criticism for failing to catch them in the first place, and there is at least one security researcher who has seen the code and believes the matter to be serious. But even if CTS-Labs' findings are genuine, it has communicated them in a manner completely at odds with best practices in the security community. Its manner and method of communicating its findings have much more in common with a PR firm hired to do a hit job on a competitor, or a company looking to make a financial killing by shorting stock, than with a reputable security firm interested in establishing a name for itself. Finding 13 major security flaws in a major microprocessor was guaranteed to make the news all on its own.

It's entirely possible that CTS-Labs is a relatively new company made up of researchers who decided to debut with a splash and sacrificed the best practices of security disclosure to do it. It's also possible it isn't. The company has done itself no favors with these shenanigans.

Update:

CTS-Labs has acknowledged to Reuters that it shares its research with companies that pay for the data, and that it's a firm with just six employees. Meanwhile, Viceroy Research, a short-seller firm, has published a 25-page "obituary" for AMD based on this data, in which it declares AMD is worth $0.00 and believes no one should purchase AMD products on any basis, for any reason whatsoever. It also predicts AMD will be forced to file for bankruptcy on the basis of this "report."

We stand by what we said regarding the flaws themselves — we'll wait to hear from AMD on how that shakes out and what the risks are — but the actual reporting of the flaws appears to have been done in profound bad faith and with an eye towards enriching a very particular set of clients. ExtremeTech denounces, in the strongest possible terms, this scheme's apparent perversion of the security flaw disclosure process.