Hacker News new | comments | show | ask | jobs | submit login
Questioning the motive behind the security allegations against AMD (gamersnexus.net)
345 points by lathiat 5 months ago | hide | past | web | favorite | 65 comments



There is a bit of a back story from a South African perspective on what is happening here.

Viceroy research group were the ones to break the Steinhoff scandal[1], exposing gross financial misreporting on Steinhoffs financials and resulting in Steinhof's share price dropping from R46 to R6 per share[2].

I suspect Viceroy had short positions on Steinhoff and made quite a bundle. After tasting this legitimate success, they attempted a similar tactic with Capitec bank, a very successful and fast growing South African bank.

They released a research report stating that Capitec has unsustainable and bad debt levels and will soon suffer huge losses due to this bad debt[3]. This opinion was largely unfounded and fears were dissipated with the South African reserve bank making a statement that Capitec's business is sound, but not before capitec suffered a short term drop in their share price.[4]

And so Viceroy have hit upon a very lucrative business strategy, and AMD is next in line...

[1] - https://www.dailymaverick.co.za/opinionista/2017-12-13-the-s...

[2] - https://www.fin24.com/Companies/Retail/steinhoff-drops-to-un...

[3] - https://www.dailymaverick.co.za/article/2018-02-02-viceroy-u...

[4] - https://www.iol.co.za/business-report/companies/capitec-shar...


It's interesting to point out that the market is continuing to basically not respond to this at all: https://finance.yahoo.com/quote/AMD?p=AMD (click it to the 5 day view, news was released yesterday), despite the fact this has been reasonably widely reported. Bear in mind this was reported yesterday before the transient rise in AMD's value, which has since fallen back. I'm not an expert but AMD's chart looks pretty typical of a normal week to me, not like a chart of a newly-reported disaster. Looking at the one month view, volume doesn't seem all that abnormal either. If they took a short position, they're not making any money, and if they took this out on options they're currently on track to lose it all.


Well there's a lot to unpack there. But it's worth noting that there's an enormous difference between doing something like this in South Africa, and doing this in America.

Of course the SECs view that any trading on US stocks is under it's jurisdiction, and Section 9(a)(4) of the SEC Act. It's known as stock bashing, it's a fairly usual form of market manipulation and attacking big American corporations like this is a great way of getting SEC attention.

So whilst it's potentially lucrative, it's also probably illegal and more a game of when they get big enough to be picked up by the SEC rather than anything else.

It's worth noting AMD's stock has not moved significantly right now, and these anonymous, rather weak accusations are unlikely to be effective, which would leave this strategy quite unprofitable.

-edit: somehow transposed India and South Africa


Sorry if it was implied in my post that their actions has my approval or admiration or any other feeling. The purpose of the post was purely sharing some background information I am aware of.

For the record I view their actions in the case of Capitec and AMD as attempts at blatant (unlawful??) market manipulation.

-edit Oh and there is also a difference between India and South Africa :P


I have no idea where I got India from :)


> Of course the SECs view that any trading on US stocks is under it's jurisdiction, and Section 9(a)(4) of the SEC Act. It's known as stock bashing, it's a fairly usual form of market manipulation and attacking big American corporations like this is a great way of getting SEC attention.

Minor nit: while section 9 does deal in market manipulation overall, “stock bashing” usually refers to the activity prohibited by section 9(a)(2), concerning price manipulation through actual trading of securities (e.g. trading collusion to pump prices up). Section 9(a)(4) does concern public statements about securities; to quote it:[1]

...make any statement, which was at the time and in the light of the circumstances under which it was made, false or mis- leading with respect to any material fact, and which that person knew or had reasonable ground to believe was so false or mis- leading.

In practice, this is not cut and dry. As a security researcher I’m not personally thrilled about vulnerability disclosures being overhyped, but we have ample precedent for people with a financial interest making polarizing statements about companies. This is the modus operandi of activist investors, and the SEC doesn’t usually go after someone unless their claims are flagrantly untrue. That brings me to my next point:

> So whilst it's potentially lucrative, it's also probably illegal and more a game of when they get big enough to be picked up by the SEC rather than anything else.

I doubt it’s illegal. More precisely speaking, I doubt a successful legal action will be brought against the researchers. They took a few liberties with the severity of the vulnerability, but there is a vulnerability. The level of dishonesty they’re demonstrating doesn’t categorically make their statements untrue, nor does it quite rise to actual fraud. Hyperbole, sure. But outright dishonesty, no.

Reasonable people can disagree about the severity of the vulnerability, but there exists a vulnerability. Similarly, activist investors are historically controversial, and to some extent routinely engage in hyperbole. The truth or falsity of their claims are not typically straightforward. They are not typically challenged by the SEC despite this, even when their actions get widespread media coverage.

__________________________

1. http://legcounsel.house.gov/Comps/Securities%20Exchange%20Ac...


Vicearoy, a firm that specializes in shorting stocks, had a 25 page writeup [1] ready to print on why AMD was go bankrupt because of this before AMD itself even fully analyzed the issues.

I suspect there will be an SEC investigation.

1. https://viceroyresearch.files.wordpress.com/2018/03/amd-the-...


At which point does it become illegal though? Is it considered insider trading if you know about a security issue but have no internal knowledge about deals etc.?

I would hope that intentionally spreading false information to manipulate stock prices would be illegal, but it may be hard to draw the line between subjective interpretation, intentionally misleading interpretation, and outright lies.


> At which point does it become illegal though? Is it considered insider trading if you know about a security issue but have no internal knowledge about deals etc.?

Trading on a security vulnerability that has not been made public is, on a basic level, not insider trading. Contrary to popular belief, there is nothing illegal about trading on material, nonpublic data. Insider trading requires the trader to have a confidentiality agreement governing the data with the company, or to have a fiduciary duty to shareholders of the company.

There are basically two situations in which trading on the vulnerability would be illegal insider trading:

1. You work for the company, or are a consultant engaged by the company, and you have knowledge of the vulnerability, or

2. You report the vulnerability to the company as an outsider and, in the process, enter into a confidentiality agreement.

Regarding scenario 2, merely reporting a vulnerability wouldn’t cut it. If you report the vulnerability through a channel that requires you to accept a confidentiality agreement as part of the terms and conditions of reporting (such as a bug bounty platform, like Hackerone or BugCrowd), then you can’t trade on it. On the other hand, if you report the vulnerability through a channel with no constraints, such as to a security@ email address, you have no confidentiality agreement.


3. The vulnerability is not real, or you intentionally overstate the impact publicly.

Not insider trading, but definitely worthy of SEC inquiry. It's like a short position pump-and-dump.


> Is it considered insider trading...

No, it's not. Short selling is not a populist activity, but it's essential for disciplined price discovery. This type of behavior is EXACTLY what the SEC and other regulators want to encourage: self regulation. This is a market solution to a market problem. These vulns may or may not be significant, and the people behind the release may be shady...but this is what society should want to see from market participants. It's no different than performing forensic accounting and discovering massive fraud. There have to be incentives for investors to perform due diligence, and if people only get compensated by rising prices, there will be no incentive to uncover the frauds.


Up to a point: it's what a market "wants" to see insofar as it promotes accurate valuation; but not insofar as it's deceptive or promotes volatility. This press release is clearly quite heavy on those negative factors.

Furthermore: using market-based incentives risks undermining other approaches - even when that's to the detriment of society. Here too there are indications of that: for maximum gain, a speculator needs to cause a scare - and thus needs to cause maximum damage and impact (on the AMD stock - if indeed that's what they're doing). It's no coincidence that responsible disclosure was not followed here! Whether in the long run that's actually a bad thing isn't something I'm sure of - but it's a factor that does need considering.

Finally: self regulation is intellectually neat: and that's a risk, because people are biased towards simple and clever sounding solutions. There's nothing wrong with trying that approach; but assuming that SEC and other regulators themselves are rational actors in this matter strikes me as being overly optimistic. They aren't immune to partisan politics; and may suffer from regulatory capture. We should at least be open to the risk that some self-regulating processes may simply be inefficient. (The alternative need not be no self-regulation whatsoever).


...assuming that SEC and other regulators themselves are rational actors in this matter strikes me as being overly optimistic. They aren't immune to partisan politics; and may suffer from regulatory capture. We should at least be open to the risk that some self-regulating processes may simply be inefficient.

Perhaps I misunderstood this, but it seems to say that since stock regulators are human with inherent human failings, they should take a larger role in stock trading? That seems confused; what is meant here?


I'm simply saying that you should not assume that because the SEC encourages certain self-regulating features that that approach is necessarily optimal.


You can claim there are problems with regulators and then argue for better or stricter regulations. Assuming infallible regulators are necessary for any regulation at all is naive and self-defeating.


It is a fallacy to think that because X can be beneficial, then any X is a good thing. Rain is essential, but hurricanes bring floods.

This is different than "performing forensic accounting and discovering massive fraud". It's more like performing forensic accounting, finding only a few errors, but nevertheless claiming massive fraud.

The real reason this is not insider trading is that there is no information provided from the inside here - simply deducing facts from outside information is both legal and ethical (though if you do have material inside information, claiming that it could have been deduced from outside is not a defense.)


> The real reason this is not insider trading is that there is no information provided from the inside here - simply deducing facts from outside information is both legal and ethical (though if you do have material inside information, claiming that it could have been deduced from outside is not a defense.)

Nit: “material inside information” isn’t illegal, and would not have to be defended at all ordinarily. Material, nonpublic information can be deduced from the outside, in which case it’s not illegal, because you are not an insider by confidentiality or fiduciary requirements. In fact, you can even trade on information provided to you by an insider with such constraints, so long as you were not entered into agreement with the same constraints, and so long as there is no quid pro quo between the parties.[1]

___________________________

1. Though lately, the SEC has been getting more aggressive and trying to lower the bar for a quid pro quo to “friendship”...


It seems a little more nefarious than that. From what I am reading it seems that the group that is releasing the vulnerabilities has created a fake research firm and released an analysis attacking AMD. That parts reeks of market manipulation.


Another angle is not the money. It would be that the Intel backdoor business is so profitable to the secret services, that they don't want to loose it at all costs. So they attack the one with the most effort to develop backdoors for. AMD could really harm the Intel server business. So Isreal and the US will try to push all buttons. Croudstrike could be next. That's my theory.


If it's a little fake, maybe AMD can sue them. If it's a major issue, the Govt will jump in.


Wouldn't it just be straight up libel?


They're trying to cover their a.. with a long disclaimer. I hope that that's not enough to provide legal protection; but it may provide some protection against some laws. And then there's the issue of jurisdiction - which defamation laws apply? If they reasonably believed to be true statements that a reader might reasonably infer, is that enough to shield them - even if another reader might (incorrectly) infer something else?


When it's hard to draw the line from outside, prosecutors mostly try to prove their cases from the inside communications. If you email your coworker: "Guess what I found ... AMD can go bankrupt over this ..." and then short the stock it should be fine. But if you write "Let's put together an action plan to drive the AMD price down" then you would be in trouble. The FX scandal is an perfect example of this. It's true you can explain your action in perfectly legitimate reasons but you can't also call your self "The Cartel" in group chats.

I'm not a lawyer.


It becomes illegal when you misrepresent facts in order to manipulate an equity, though that's not insider trading.


Could AMD potentially go after them with civil suits for slander, despite their well worded disclaimer?



See also https://news.ycombinator.com/item?id=16579314 on the Viceroy paper with some details confirming that that writeup was indeed ready to print.


It's not against the law to trade on a zero day you discover and either fail to report, or report rapidly with no warning to the target.


That can be illegal - it's market manipulation (specifically, stock bashing). It'll almost certainly depend on the details. (IANAL, and I'm not sure this is ever prosecuted).


Another article on the same issue highlights some other problems as well:

https://wccftech.com/low-down-amd-security-exploit-saga-cts-...

> The offices shown in the CTS-Labs interview don’t exist, its CGI.

> shorting the AMD stock to make a quick buck. In fact, both CTS-Labs and Viceroy Research, very ‘ethically’, disclose that they could be doing just that.


Both those points were covered already covered by this item's article.


This comment was meant for another submission which didn't cover these points explicitly. Comments were merged hence the issue.


If an action is brought against the researchers, I predict it will be a (likely unsuccessful) insider trading case, not a market manipulation case. I don’t see any market manipulation here[1], considering activist investors have set a precedent for make hyperbolic statements which are mostly unchallenged, so long as there is a nontrivial kernel of truth.

Material, nonpublic information is of course not illegal to trade on, on its own. It’s not generally illegal to trade on unpublished vulnerabilities. But it’s routine to be forcibly entered into a confidentiality agreement as part of the process of reporting a vulnerability. For example, reporting a vulnerability through Bugcrowd or Hackerone would immediately make it illegal for you to trade on the knowledge of the vulnerability.

I assume the researchers were savvy enough to report the vulnerability in such a way that did not enter them into a confidentiality agreement. That said, AMD may lean on the widespread commonalities of how many responsible disclosure processes do work with respect to confidentiality in order to try and establish a precedent. They’ll make arguments about reasonable disclosure windows before publication, etc. This is, to my eyes, the best case for someone trying to bring a case forward. If the researchers implicitly agreed to a confidentiality agreement (for example, if the page with security contact information has “browsewrap” terms and conditions, or if buying an AMD product at all has such terms), it will be messy, but they’ll be probably fine, I think.

However, if they actually reported the vulnerability through a medium that explicitly forces confidentiality, I think they’re actually screwed.

__________________________

1. Legally speaking. I decline to comment on ethics.


Going strictly by the letter of the law what you say makes sense. But there are other factors at play here. These are "computer nerds" taking aim at an American company from outside the US. I do not think they will find many willing to practice the restraint we would see if we were dealing with a typical wealthy American white collar criminal. Such behavior is normalized in some circles, but it is still seen as aberrant for any 'outsiders' to engage in the same behavior.


> These are "computer nerds" taking aim at an American company from outside the US. I do not think they will find many willing to practice the restraint we would see if we were dealing with a typical wealthy American white collar criminal. Such behavior is normalized in some circles, but it is still seen as aberrant for any 'outsiders' to engage in the same behavior.

1. That they are "computer nerds", in your words, is inconsequential. Their in-group will not be a deciding factor, for better or worse. This isn't high school, and the SEC has a minimum level of professionalism it does adhere to.

2. Your characterization is, more broadly speaking, not well-founded. Activist investors are not, as a rule, white collar criminals. in fact they're not typically any sort of criminal. The SEC doesn't need to practice restraint or extend arbitrary leniency (something the SEC is not known for, for any group), because the activity tends to only rarely overstep legal boundaries.

3. This behavior is not seen as aberrant for any outsiders, and it's not normalized to only some group in "Big Wall Street." For example, I'm an outsider to activist investing, and I find nothing aberrant about it at all. In fact I think of it somewhat positively.


I think you misinterpreted what I was talking about. Either that or you define 'activist investors' very differently from how I define it. What these people are doing is not 'activist investing.' They are providing disinformation, engaging in active and intentional deception towards the goal of destroying a company in order to profit. They are not uncovering wrongdoing or fraud. They are not doing due diligence and profiting from material information. That is not criminal, obviously, and is to be lauded!

If you engage in willful intentional deception, you are not an activist investor. You would be engaging in fraud and illicit market manipulation. I find it very bizarre that you would claim these malicious actors as activist investors. Most of the rest of your complaints with my statements seem to stem from your notion that I would do the same. I do not.


The most likely explanation to me is that the authors are connected to people shorting AMD, and they wished to get the maximum impact out of their release. It didn’t seem to hurt the stock any though.


CTS' site apparently says as much.

> There’s a notification on CTS-Labs site that it may have a financial interest in the companies it investigates (shorting AMD stock is practically a pastime in financial circles).


Yeah, ironically, the price went up significantly.


Short squeezes are rough, especially if people are expecting one and want to get in on the action.


Probably people bailing out of their short positions.


It could also have been used to motivate people to buy shorts by leaking it to friends before its official public release. Is there any way to profit from getting people to buy shorts that won't make money in the end of AMD's stock didn't move?

I guess you could try to ruin some people by leaking fake inside information like this and getting them to load up on AMD puts.

If that was possible, I can see this move being profitable, but if it was to move the actual AMD price it was a failure.


If you're the one selling the shorts you profit when the buyers miss their target.


As a side-side note, I noticed this in the article (near the end):

> The CTS-labs.com domain name was registered on June 25, 2017, around when the Meltdown exploits were privately revealed to Intel.

which somehow sounds "queer" to me, particularly in an article attempting to debunk a possible "conspiracy", I mean June 25, 2017 is also surprisingly around the time the UK parliament was cyber-attacked and the time the large Brian Head fire started in Utah, what gives?


Yeah that jumped out to me as irrelevant and baseless theorizing. If it had been intelflaws.com or some bandwagon like domain then the claim might have merit. But the article is just making speculation similar to what they're criticizing CTS Labs for.


https://news.ycombinator.com/item?id=16577433 was the big thread on the front page all day, but since a second wave of analyses with more information is coming out, this submission is rising and it seems like discussion can move here.


Do you think it could be organised and paid by the same company that bribed Dell and other OEMs so they don't sell AMD CPUs in their laptops?


To give you a straight answer: no, it isn't. Intel isn't afraid to get its hands dirty and will take a close look at every opportunity to sabotage AMD, but this was amateur hour. At the very very least, Intel would've exposed an actually serious flaw in Ryzen. There's already a strong suspicion that CTS isn't a real lab but just something set up to make it look more credible, while the actual exploits have been bought through a 0day broker. This is amateur hour by some people who've never done actual security research and are only in for a quick buck. Odds are high this will lead to an investigation for stock manipulation.


Mmmhhh, I wonder which company would do such thing...

/s


This is also a business model: short the stock, issue "research" that put the company in a bad light, cash out--if lucky.

Shorting on the other hand is quite legitimate and so is pointing out you opinions.


Shorting is legitimate—under certain conditions. In many markets throughout history, shorting has been explicitly forbidden. This is because it encourages destroying value. It's much much easier to destroy a company's value than to raise it. So anyone holding a short on a company has every incentive to disrupt its operation. This is in contrast with the traditional position, where you hold stock in a competing company. Then you have only a very minor incentive to disrupt your competitors, because it translates in small gains for your own stock. Only when companies are neck-to-neck does it become profitable, but then any sabotage is scrutinised much more closely.


It looks like both cts-labs.com and amdflaws.com are completely black-holed by Google search. Does anyone know why?


For the first one, it's probably that they don't allow search engines to crawl their site:

http://cts-labs.com/robots.txt

The other domain does appear on Google for me.


https://duckduckgo.com/?q=cts-labs.com&t=canonical&ia=answer

>cts-labs.com is a parked domain (last time we checked).

>Domain parking refers to the registration of an internet domain name without that domain being associated with any services such as e-mail or a website


Feels shady to me.


Is link dead?


Still working fine for me

They released a video version of the article here if that helps you: https://www.youtube.com/watch?v=ZZ7H1WTqaeo&t=628s


Why was this flagged? While the title is clickbaity, this seems to be a well-researched piece on the alleged AMD vulnerabilities.

By the way: There were also some very interesting pieces by Matt Levine on Bloomberg about the legal implications of independent short-selling "research groups" like Viceroy. If you can't show that they are acting in bad faith, it is apparently not illegal to publish biased "research" to move the stock down.

Edit: Ok, just saw that there were already other threads about this topic. However this article adds some additional research and statements from industry insiders, probably it would make sense to just change the title.


We've changed the title.


Poor title choice.


I thought someone had tried to kill the CEO.


We've changed the title to more neutral language from the text.


Good title choice.



We merged those comments into this thread. It's true that one was posted earlier, but https://news.ycombinator.com/item?id=16577433 was earlier still, and the current post seems at first glance to have the more substantial analysis.




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: