Security Market Segment LS
Friday, 16 March 2018 07:48

Israeli firm was advised to use CERT to disclose AMD flaws Featured


A company that was asked to review a series of flaws claimed to be in some AMD processors says it recommended to the firm that found the flaws — the previously unknown Israel-based CTS Labs — that it disclose the vulnerabilities through a CERT advisory as is standard practice.

Trail of Bits, whose chief Dan Guido was paid US$16,000 to review the claimed vulnerabilities that were disclosed by CTS Labs after just 24 hours of notifying AMD, said in a blog post on Thursday that his company had not taken part either in the CTS Labs' research or disclosure process.

Standard industry practice is to give a company 90 days notice to patch any flaws before details are released. In most cases, disclosure after the 90-day period is done in a co-ordinated manner.

CTS Labs defended its method of disclosure, with its chief technology officer Ilia Luk-Zilberman saying in a public post: "The main problem in my eyes with this model is that during these 30/45/90 days, it’s up to the vendor if it wants to alert the customers that there is a problem.

"And as far as I’ve seen, it is extremely rare that the vendor will come out ahead of time notifying the customers – 'We have problems that put you at risk, we’re working on it'. Almost always it’s post-factum — 'We had problems, here’s the patch — no need to worry'."

The Trail of Bits post, which had no byline, appeared to be an effort to play down the firm's role in the incident which has attracted far more criticism than praise.

Reaction to CTS Labs' slick disclosure — on a website with its own domain and including a video using glitzy stock background office footage — was not helped by the fact that a noted short-seller, Viceroy Research, released a report soon after the story broke, betting that AMD shares would fall.

The Viceroy report, headlined "AMD – The Obituary", was claimed by its head, John Fraser Perring, to have been written after the firm received a copy of the CTS Labs report from an anonymous source on Monday evening.

Adding to the controversy was a Reuters report that found there had been a surge of short-selling of AMD shares in the run-up to the disclosure on Tuesday.

Additionally, CTS Labs' cause was not helped by a curious clause in the disclaimer in its advisory which read: "Although we have a good faith belief in our analysis and believe it to be objective and unbiased, you are advised that we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports."

Apart from this, an accompanying white paper issued by CTS Labs contained language that is rarely found in such publications: "In our opinion, the basic nature of some of these vulnerabilities amounts to complete disregard offundamental security principles. This raises concerning questions regarding security practices, auditing, andquality controls at AMD."

iTWire sought clarification about the disclaimer and some other aspects of the CTS Labs report on Wednesday when the news first broke in Australia. No response has yet been received.

In its post, Trail of Bits wrote: "Our review of the vulnerabilities was based on documentation and proof-of-concept code provided by CTS. We confirmed that the proof-of-concept code worked as described on the hardware we tested, but we will defer to AMD for a final determination of their full impact, patches, and remediation recommendations."

After providing technical details of the flaws and their potential impact, Trail of Bits appeared to play down the significance of the flaws, saying: "There is no immediate risk of exploitation of these vulnerabilities for most users.

"Even if the full details were published today, attackers would need to invest significant development efforts to build attack tools that utilise these vulnerabilities. This level of effort is beyond the reach of most attackers."

Reacting to the CTS Labs' post, British security researcher Kevin Beaumont, who had issued a series of preliminary findings about the flaws on Wednesday, said in an addendum to his analysis: "CTS-Labs believes in what they dub a type of disclosure called 'Public Interest Disclosure' where once a vulnerability is found, its impact is disclosed to the public, and the technical details are only sent to the vendor and/or security companies that can help with mitigation.

"I profoundly disagree with the concept of 'Public Interest Disclosure' as it will lead to claims without evidence being run in the mainstream press, without any mitigation advice. That is not in the public interest. That is in the interest of media whoring."

The most caustic criticism of CTS Labs' act came from Linux creator Linus Torvalds. In a post on Google Plus, Torvalds wrote: "It looks like the IT security world has hit a new low. If you work in security, and think you have some morals, I think you might want to add the tag-line 'No, really, I'm not a whore. Pinky promise', to your business card.

"Because I thought the whole industry was corrupt before, but it's getting ridiculous. At what point will security people admit they have an attention-whoring problem?"

Referring to the current disclosure process, Luk-Zilberman added in his post: "I think that a better way, would be to notify the public on day 0 that there are vulnerabilities and what is the impact. To notify the public and the vendor together.

"And not to disclose the actual technical details ever unless it’s already fixed. To put the full public pressure on the vendor from the get go, but to never put customers at risk."


As part of our Lead Machine Methodology we will help you get more leads, more customers and more business. Let us help you develop your digital marketing campaign

Digital Marketing is ideal in these tough times and it can replace face to face marketing with person to person marketing via the phone conference calls and webinars

Significant opportunity pipelines can be developed and continually topped up with the help of Digital Marketing so that deals can be made and deals can be closed

- Newsletter adverts in dynamic GIF slideshow formats

- News site adverts from small to large sizes also as dynamic GIF slideshow formats

- Guest Editorial - get your message out there and put your CEO in the spotlight

- Promotional News and Content - displayed on the homepage and all pages

- Leverage our proven event promotion methodology - The Lead Machine gets you leads

Contact Andrew our digital campaign designer on 0412 390 000 or via email



Security requirements such as confidentiality, integrity and authentication have become mandatory in most industries.

Data encryption methods previously used only by military and intelligence services have become common practice in all data transfer networks across all platforms, in all industries where information is sensitive and vital (financial and government institutions, critical infrastructure, data centres, and service providers).

Get the full details on Layer-1 encryption solutions straight from PacketLight’s optical networks experts.

This white paper titled, “When 1% of the Light Equals 100% of the Information” is a must read for anyone within the fiber optics, cybersecurity or related industry sectors.

To access click Download here.


Sam Varghese

website statistics

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.



Recent Comments