So far, the Brucejack mine has yet to generate free cash flow. Without needing to get too fancy, simply looking at Pretium’s cash flow is enough to see that Pretium’s shareholders will likely be wiped out or diluted close to zero eventually. Pretium may have extreme difficulty in coming up with the $423M+ needed to refinance its credit facility on or before December 2019.
In this post, I’ll describe my opinion as to the correct geological model for Pretium’s flagship Brucejack mine. A lot of it is based on a paper that Dr. Simon Dominy published (with Isobel Clark) about something called conditional modelling (draft version with working images, final version). The paper uses the Brucejack project as an example and deviates from the Pretium party line in many ways. One important deviation is that Dominy seems to (unintentionally) analyze sample tower data that wasn’t disclosed to the public, suggesting that the unreleased data is material to understanding Brucejack’s geology.
One key implication of (what I think is) the correct geological model is that the amount of economic gold in the Brucejack deposit is significantly below what the Ivor Jones resource model estimated. In the diagram above:
- It was originally thought that the blue/teal areas would be worth mining. This is what the resource model and feasibility study predicted before the first bulk sampling program.
- However, all of the economic gold at Brucejack is concentrated in ultra-high grade veins like the Cleopatra and 615 Lateral (E-W) veins. If you simply compare the area of the red regions versus the blue regions, you can see that the tonnage involved is much, much lower. While the veins are very high grade (e.g. the second bulk sample mill results found grades of over 80g/t for Cleopatra material), the higher grade does not fully offset the massive reduction in tonnage.
Unfortunately, Pretium does not disclose the lithological information (rock type) associated with drill results. So, there is no way to independently estimate Brucejack resources.
It turns out that I missed other parts of CTS’ old website from January 2018. The Management Team section from January has a different story than the one from March.
Secondly, I should own up to some of my mistakes in covering CTS Labs.
- AMD has confirmed the vulnerabilities. I originally thought that perhaps (A) CTS Labs was rehashing known issues or (B) they didn’t have the technical chops to find security vulnerabilities. I was wrong. AMD’s story differs from CTS Labs in other respects though. CTS Labs has suggested that the vulnerabilities may take months to fix. AMD states: “AMD is working on PSP firmware updates that we plan to release in the coming weeks.” *AMD’s blog post is not entirely clear about when fixes for the Promontory chipset will be available.
- Apparently CTS Labs (via its PR consultant) is claiming that Yaron Luk-Zilberman (YLZ) no longer actively manages NineWells Capital. It’s unclear to me as to when that occurred since YLZ’s name appears on a March 8, 2018 SEC filing for NineWells. Regardless, it wouldn’t be accurate for me to equate YLZ with NineWells.
While CTS’ predecessor Flexagrid is registered with the Israeli government, I could not find a business registration for CTS Labs. This is because CTS Labs and Flexagrid are the ‘same’ company. According to the archive.org history of the CTS Labs website, Flexagrid “became” Catenoid Security which implicitly became CTS-Labs. Flexagrid was founded in 2013. The charlatans have been claiming that CTS Labs was founded in January 2017, which is a lie.
The Business Wire press release has a 302 temporary redirect on it that makes the press release impossible to read (live link, archive.org link). Effectively, Business Wire has retracted the press release.(EDIT 2:48PM: Well I was wrong. The redirect is no longer in place.)
- In 2016, Uri Farkas registered a number of domains that seem like SEO spam. The websites are filled with Amazon affiliate links. The domain registrations suggest that Uri and Ilia Luk-Zilberman (of CTS Labs) were involved in a 2016 venture involving low-quality cookie cutter websites. This is the kind of startup business an unemployed person might try if they can’t get a job in the IT security field. The affiliate marketing game requires a completely different skillset compared to IT security and is easier to get into (even teenagers can do it). Uri and/or Ilia are a little sleazy because two or more of the websites are written under fake names.
- It looks like Fraser John Perring has told different facts to Reuters and Vice Motherboard. Reuters says that Perring received the report on Monday March 12. Vice Motherboard says that Perring received the report last week, which would be March 4 to 10.
- CTS Labs has released a “Clarification About the Recent Vulnerabilities“. It turns out that all 4 named vulnerabilities are only relevant AFTER an attacker has gained control of the system (“An attacker would only need to be able to run an EXE with local admin privileges on the machine”). I don’t see how the severity of these vulnerabilities would differ much from BIOS rootkit attacks that have existed for years. For example, the Vault 7 documents released by Wikileaks revealed that the CIA developed malware (‘evil software’) to spy on computers. In 2017, Intel Security released a patch to detect such software embedded into the BIOS. Viceroy Research did not write an obituary on Intel.
- Earlier speculation from myself and others on CTS’ research seems to be misguided. CTS Labs is not rehashing vulnerabilities that work without having control of the system (e.g. BadUSB). CTS Labs is presumably alleging novel flaws (although they don’t seem to be actually claiming that their discoveries are novel).
“It looks like the IT security world has hit a new low.”
-Linus Torvalds, creator of Linux (via Google+)
Linus Torvalds has basically summarized the whole situation: clickbait media sites (e.g.
CNET, Tom’s Hardware, Gizmodo, Vice, The Hacker News) breathlessly report on security vulnerabilities without critical thinking or fact checking. The security industry takes advantage of that by making exaggerated claims and being attention whores. On CTS’ report, Linus states: “I refuse to link to that garbage. But yes, it looks more like stock manipulation than a security advisory to me.”
Thankfully there are some journalists trying to do real journalism. (I know the industry is dying but I’d like to thank the journalists out there who are upholding their journalistic integrity.) In comments to these journalists, charlatans like Fraser John Perring and Yaron Luk-Zilberman have been quite disingenuous. The short and distort campaign has been getting more bizarre.
CTS-Labs has come out with a “research” piece on AMD processors. The reader might be misled into thinking that the “white paper” reveals previously undisclosed security vulnerabilities. However, the CTS-Labs disclaimer (archive.org) states that the CTS report “summarizes security vulnerabilities, but purposefully does not provide a complete description of such vulnerabilities […]”. So from my reading of the so-called “white paper”, CTS isn’t actually revealing previously unknown security flaws.
This isn’t like Muddy Waters’ work on St. Jude, where Muddy Waters alleged security flaws with St. Jude’s pacemakers; St. Jude has since recalled pacemakers to fix security vulnerabilities (Zdnet, FDA). The difference between Muddy Waters and CTS is that Muddy Waters did actual research to find previously unknown problems with the company’s products. Now if CTS actually did find a novel security vulnerability, then I would apologize. However, the CTS report does not clearly articulate what’s a rehash of previously known security issues and what isn’t.
EDIT (3/21/2018): Correction: the bugs are real. Their severity has been overstated as they only work on systems that have already been compromised. AMD says that fixes will be available within weeks while CTS Labs is still claiming that it will take months. Status of fixes for the Promontory chipset are less clear at the moment.
Viceroy has come out with a “research” report on AMD based on the work of CTS Labs. Just read CTS Lab’s disclaimer in its white paper PDF or on its website (archive.org).
- CTS Labs doesn’t provide a complete description of security vulnerabilities. So… I don’t see any original research here.
- CTS Labs advises visitors that they have “an economic interest in the performance of the securities of the companies whose products are the subject of our reports”. This is unusual for a IT security company.
Despite being short AMD (see my posts tagged AMD), I disagree with the ethics of what Viceroy is doing.
According to Pretium’s filings, an average of 63.28% of the gold produced was recovered in the doré (with the rest being recovered in the flotation concentrate). However, the company’s metallurgical testing indicated that only around 45% (rather than 63.28%) of the gold produced should be found in the doré. There is a big difference between the feasibility study expectations and reported results (in red):
Something is very wrong here. Here are two possibilities:
- The metallurgical testwork is wrong. Pretium’s CEO is blissfully unaware that the mill’s economics are better than he thinks. The Brucejack deposit is more suitable for gravity concentration at lower grades, completely opposite to what the feasibility study and bulk sampling results found.
- The metallurgical testwork is correct. Somebody may be introducing non-Brucejack doré to the Brucejack output to boost Brucejack numbers. Ounces produced and ore grades may have been fraudulently overstated.
Additionally, the CEO’s comment about the composition of Brucejack doré bars (60-65% gold, 30% silver) implies that Pretium’s silver sales in Q3 were impossibly low (or that gold sales were impossibly high).
Whoever did Pretium’s accounting did something subtle: they decided to re-classify the current portion of the offtake obligation from “accounts payable and accrued liabilities” (the Q3 classification) to “Current portion of long-term debt” (the Q4 classification).
Why this matters: In Q3, Pretium included the offtake in its working capital calculation (“working capital surplus of $7.2 million“). For Q4, Pretium is suggesting to investors that they should omit it from their working capital calculation.