The AMD bear raid from Viceroy + CTS-Labs + NineWells, volume II

“It looks like the IT security world has hit a new low.”
-Linus Torvalds, creator of Linux (via Google+)

Linus Torvalds has basically summarized the whole situation: clickbait media sites (e.g. CNET, Tom’s Hardware, Gizmodo, Vice, The Hacker News) breathlessly report on security vulnerabilities without critical thinking or fact checking.  The security industry takes advantage of that by making exaggerated claims and being attention whores.  On CTS’ report, Linus states: “I refuse to link to that garbage. But yes, it looks more like stock manipulation than a security advisory to me.”

Thankfully there are some journalists trying to do real journalism.  (I know the industry is dying but I’d like to thank the journalists out there who are upholding their journalistic integrity.)  In comments to these journalists, charlatans like Fraser John Perring and Yaron Luk-Zilberman have been quite disingenuous.  The short and distort campaign has been getting more bizarre.

EDIT (3/16/2018):  CNET and Vice have since added updated information.  On Thursday March 15, AMDFlaws.com removed its link to the CNET article (see archive.org here and here).

Social media explains why the CTS report is misleading

• Mich (@0x6d696368) explains how “CHIMERA” sounds like the BadUSB vulnerability disclosed a long time ago.  EDIT (3/20/2018): The “CHIMERA” vulnerability has nothing to do with BadUSB.
• Arrigo Triulzi (@cynicalsecurity) explains why the 4 “vulnerabilities” in the CTS report are over-hyped beyond belief.
• Linus Torvalds, the creator of Linux, rips into the IT security world.

Fraser ‘I work really fast’ John Perring of Viceroy Research

A Reuters article that did some fact checking has this to say about Mr. Perring:

Viceroy founder Fraser Perring told Reuters that somebody anonymously emailed him a draft of the report at about 4 p.m. on Monday. The firm spent much of the evening analyzing the situation and ended up taking a “sizeable” short position in AMD, he said.

So basically Mr. Perring would like us to believe the following:

• In less than a day, he (and his 2 associates) prepare a 25-page research report for Viceroy.  He received the report “anonymously” on Monday at 4PM (EST?  GMT?).  Viceroy tweeted out its research report the next day at 11:28AM EST.
• Time zones aren’t a problem even though he lives in the UK, his 2 associates live in Australia, and the “experts” they talked to live god knows where.
• In less than a day, they were able to find and talk to their own computer security experts.  These experts were also able to quickly verify CTS Labs claims… despite CTS not providing any technical detail in their report.  Not only does Perring work really fast, so do the security experts that he talked to.
• Somebody sends him a report on an esoteric subject (IT security) and he is able to quickly get up to speed on it, despite his background as an ex-social worker.
• It’s normal for him to put on a “sizeable” short position after less than a day of research on a report sent to him anonymously on a subject that he probably doesn’t understand.  And then he’s able to have a CNBC interview lined up.  Investing really is that easy… people anonymously send you great ideas and you get a CNBC interview the next day.
• Perring also somehow knew that Vice Motherboard would interview Dan Guido (Twitter).  After working so hard on his report, Perring still has time and energy to magically stumble across random press articles favorable to the bear raid he’s working on.  Viceroy also stumbles across another random security firm which wrote about CTS’ findings (Twitter, archive.org).

EDIT (3/15/2018):  A Vice Motherboard article states:

Perring also said that Viceroy has never had any financial relationship with CTS Labs. An anonymous tipster shared CTS Labs’ report with Viceroy last week, Perring said.

It seems that Perring is telling different facts to different reporters.  Last week refers to March 4 to 10 while the Reuters article refers to Monday March 12.

EDIT (3/20/2018):  I previously said that Dan Guido was a shill (“Perring also somehow knew that Vice Motherboard would interview an IT security shill named Dan Guido” and “As for Dan Guido, apparently there’s a lot that he’s willing to say and do for $16,000”).  This was an unfair and inaccurate characterization on my part.  Similarly, I also wrote: Perring also stumbles across another random security firm which had time to “verify” CTS’ findings.  I have changed that sentence to be more accurate.

Yaron ‘my brother is useless’ Luk-Zilberman

The CTS Labs website lists both Yaron Luk-Zilberman and Ilia Luk-Zilberman as 2 of the 3 co-founders of CTS.  While I’m not 100% certain that they are brothers (their last name is the same), they might as well be brothers.  On their Twitter accounts, they follow less than 25 people each but they follow each other (here and here).  They are friends on Facebook.  When Yaron got engaged in 2015, Ilia commented on the post and his comment received likes from the future bride and groom.

From what I can tell, it is highly likely that CTS originated from these two proverbial brothers.  Yaron emigrated to the United States, graduated from Yale, and became a hedge fund manager.  His first form D filing for his NineWells Capital appears in 2011.  Ilia’s work history is more lacklustre.  His LinkedIn shows that he was the co-founder of various startups.  His domain registrations paint the rest of the picture.  Flexagrid was his startup prior to CTS.  Flexagrid.com was registered to his email (source: RiskIq) and now redirects visitors to cts-labs.com, suggesting that Flexagrid didn’t work out.  When he started his post-Flexagrid venture, it seems like he didn’t settle on a name yet.  He registered CatenoidSecurity.com and SafeFirmware.com before settling on the CTS name in June 2017 (the website has a discussion about the name origin of Catenoid –> CTS).

CTS looks like it was intended to be his next startup/venture.  His brother Yaron likely came up with the idea of teaming up, using Ilia’s security focus to come up with market-moving information that would benefit hedge funds like Yaron’s (similar to Muddy Waters’ or MedSec’s work on St. Jude medical).  The Reuters article describes the business model (emphasis mine):

CTS executives told Reuters that they had shared their findings with some clients who pay the firm for proprietary research on vulnerabilities in computer hardware. They declined to identify their clients or say when they had provided them with data on the vulnerability.

“I can’t really talk about my clients,” said Yaron Luk-Zilberman, chief financial officer at the firm that was founded in January 2017.

The business model is a little clearer if you look at the CTS Labs website (archive.org).  Their own website does not talk about any of the 13 security vulnerabilities that they discovered, despite hiring somebody to do their PR.  They are oddly disinterested in gaining clients for the IT security consulting business that they are supposedly running.  They seem far more interested in moving stock prices, making slick videos to support their claims against AMD.

I think it’s clear that the brothers are in it together.  Both of their fingerprints are clearly all over CTS.  Amusingly, in their promo video, Ilia is the only member of CTS that doesn’t appear on camera.  It’s a weird situation where Yaron the hedge fund manager (supposedly the chief financial officer of CTS Labs) is explaining IT security concepts instead of his brother, who has been working on tech startups for years.

And to be clear, Yaron was a hedge fund manager as of March of this year (he signed his name on a D/A form filed with the SEC) so he should realize that what he’s doing may not be kosher.  He should familiarize himself with Section 17(b) of the Securities Act of 1933, which the SEC uses to go after stock promoters that don’t disclose the compensation that they receive.  Here’s the actual legalese (feel free to skip it; emphasis mine):

(b)Use of interstate commerce for purpose of offering for sale

It shall be unlawful for any person, by the use of any means or instruments of transportation or communication in interstate commerce or by the use of the mails, to publish, give publicity to, or circulate any notice, circular, advertisement, newspaper, article, letter, investment service, or communication which, though not purporting to offer a security for sale, describes such security for a consideration received or to be received, directly or indirectly, from an issuer, underwriter, or dealer, without fully disclosing the receipt, whether past or prospective, of such consideration and the amount thereof.

CTS faces risk of SEC enforcement since it is trying to manipulate stock prices and has clients paying it for so-called “research”.  CTS should disclose how much they’re getting paid and they should disclose who is paying them.  Some people would call this ‘not breaking the law’.  The CTS comments in reply to a CNET email shows the wrong way of disclosing (emphasis mine):

“Although we have a good faith belief in our analysis and believe it to be objective and unbiased,” the disclaimer says, “you are advised that we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports.”

In response to an email about the disclaimer, CTS-Labs said it doesn’t have “any investment (long or short) in Intel or AMD.”

 

*To the lawyers out there: Obviously Perring didn’t say that he works really fast and Yaron didn’t say that Ilia (who may not be his biological brother) is useless.  My statements were rhetorical.

**Disclosure: I actually have a short position in AMD (see my posts tagged AMD).  Despite that, I disagree with the ethics of what these charlatans are doing.

Links

The bear raid from Viceroy Research + CTS-Labs, and the NineWells Capital Management connection

The AMD bear raid from Viceroy + CTS-Labs + NineWells, volume III