CTS Labs is a lie (The AMD bear raid from Viceroy + CTS-Labs + NineWells, volume IV)

While CTS’ predecessor Flexagrid is registered with the Israeli government, I could not find a business registration for CTS Labs.  This is because CTS Labs and Flexagrid are the ‘same’ company.  According to the archive.org history of the CTS Labs website, Flexagrid “became” Catenoid Security which implicitly became CTS-Labs.  Flexagrid was founded in 2013.  The charlatans have been claiming that CTS Labs was founded in January 2017, which is a lie.

Less importantly:

  1. The Business Wire press release has a 302 temporary redirect on it that makes the press release impossible to read (live link, archive.org link).  Effectively, Business Wire has retracted the press release.  (EDIT 2:48PM: Well I was wrong.  The redirect is no longer in place.)
  2. In 2016, Uri Farkas registered a number of domains that seem like SEO spam.  The websites are filled with Amazon affiliate links.  The domain registrations suggest that Uri and Ilia Luk-Zilberman (of CTS Labs) were involved in a 2016 venture involving low-quality cookie cutter websites.  This is the kind of startup business an unemployed person might try if they can’t get a job in the IT security field.  The affiliate marketing game requires a completely different skillset compared to IT security and is easier to get into (even teenagers can do it).  Uri and/or Ilia are a little sleazy because two or more of the websites are written under fake names.

Archive.org history of cts-labs.com

The January 17, 2018 version of the CTS website differs in very important ways from the March 13, 2018 version.  Go to the archive.org January version of cts-labs.com, use Firefox instead of Chrome (the old CTS-labs.com site won’t work in Chrome), and then click on Company –> About Us after scrolling to the very bottom of the page.

The key line is this:

Catenoid Security (formerly Flexagrid Systems Inc.)

Flexagrid was a company registered with the Israeli government on July 1, 2013 (source).  If it ‘became’ Catenoid Security, then Catenoid Security became CTS Labs.  The Name Origin section on the current website explains how Catenoid Security shortens to CTS according to some weird Israeli English-as-a-second-language logic:

The word CTS in CTS-Labs stands for Catenoid (en.wikipedia.org/wiki/Catenoid) which is a minimal surface discovered by Leonhard Euler in 1744.

But there is a problem for the people behind the AMD stock manipulation scheme.  They’ve been saying that CTS Labs was started in 2017 rather than 2013 (or early 2018, when the About Us page was changed).  CTS Labs is largely a sham.  While Ilia has continued to keep the Flexagrid government registration active, there doesn’t seem to be a registration for CTS Labs.  Furthermore, the archive.org history shows that phone numbers and the company’s address were REMOVED from the cts-labs.com website:

Here’s how the website looks now:

The old telephone number was replaced with the contact info of Jessica Schaefer, who is a public relations consultant based in New York City.  If these guys were interested in attracting IT security clients, they should list their own telephone number.

CTS Labs is a sham created to manipulate AMD stock.

Government Registration

A user on Reddit pointed out:

I don’t know if this story is true, if it is, they didn’t do service to the community by releasing it publicly without working with AMD prior to. I may have an explanation why they rushed to go public.

“CTS Labs” isn’t registered in Israel (couldn’t find them in ICA [1]), but Flexagrid Systems LTD (company ID 514948298) I did find. It was founded by Ilia Luk-Zilberman (CTO @CTS Labs) and Ido Li On (CEO @CTS Labs) in 2013 and is still marked as an active company.

The interesting information from their company registry is that they placed a lien [2] against the company on March 5th, about a week before they came out with this “advisory”. It may explain why they rushed with making this story public.

If someone wants to take a look at the documents (in Hebrew) and wants to avoid paying the 33 NIS to ICA, contact me privately.

Links:

  1. https://ica.justice.gov.il
  2. https://en.wikipedia.org/wiki/Lien

Because I haven’t looked into the Reddit user’s lien theory, I don’t/can’t endorse it.  However, he/she seems to have a point about CTS Labs not having a business registration that is easy to find.  Using the ica.justice.gov.il link, I easily found Flexagrid.  But I couldn’t find anything for:

cts labs
ctslabs
catenoid
safe firmware
safefirmware

I suppose that it’s possible that they (A) use a Hebrew name that’s not listed on their website and (B) didn’t put an English name in their business registration.  But this is unlikely because the Flexagrid business lists both a Hebrew name (פלקסגריד מערכות בע”מ) and English name (FLEXAGRID SYSTEMS LTD), which means that Ilia knows how to register a business.

I also tried another method of finding CTS Labs’ business registration.  Some websites scrape the Israeli government information.  I tried searching one of these websites (corporation.co.il) and could not find a CTS Labs registered at 32 Ben Yehuda street (בן יהודה 32) via http://www.corporation.co.il/search?q=%22%D7%91%D7%9F+%D7%99%D7%94%D7%95%D7%93%D7%94+32%22&p=6.

This leads me to believe that CTS Labs is not a registered business, especially considering how the CTS website talks about Catenoid Security being the successor to Flexagrid.

Ido Li On’s LinkedIn

I did not figure out why Ido’s LinkedIn does not state that he co-founded Flexagrid in (July) 2013.

Timeline

The CTS Labs website links to LinkedIn profiles that put January 2017 as the date when CTS Labs was founded.

They have also told Reuters that the company was founded in January 2017.  Obviously, I have my doubts about that version of events.  The domain registrations from Ilia (h/t Yonathan Klijnsma) show that Ilia was kicking around different business ideas in June of 2017:

It seems more likely that CTS Labs, as a stock manipulation vehicle, really began operating sometime in the beginning of 2018 (starting sometime in the January to March timeframe).  Here is a full timeline:

  • The Flexagrid.com domain was registered on July 1, 2013 (source).  Flexagrid was registered with the Israeli government on July 18, 2013.
  • CrowdCores.com and CrowdCored.com are likely the sister sites to Flexagrid, which was a distributed computing startup.  Both the CrowdCores/CrowdCored domains were registered months later on March 22, 2014.
  • Around September 2016, Uri Farkas registered domains for the Amazon affiliate link venture.  Some of Uri Farkas’ domains list Ilia in the domain registration.
  • January 2017 is supposedly when CTS Labs was founded.
  • SafeFirmware.com was registered on June 8, 2017.
  • CatenoidSecurity was also registered on June 8, 2017.  The CTS Labs website explains how CTS is the shortened form of Catenoid.  As of February 14, 2018, the CatenoidSecurity.com domain was simply a GoDaddy parking page (archive.org).  It remains a parking page today.
  • CTS-Labs.com was registered on June 24, 2017.
  • A January 10, 2018 archive.org snapshot suggests that flexagrid.com wasn’t redirecting to CTS Labs until later in 2018.

CTS Labs is a six-person company… without a registration with the Israeli government

The Luk-Zilberman bros (proverbial brothers) have been claiming that CTS is a 6-person company:

  • The Reuters article states that CTS has six employees.  This is presumably information provided by CTS.
  • The CTO letter (archive.org) from Ilia Luk-Zilberman states in his English-as-a-second-language-style prose: “us being a small group of 6 researchers”.

It seems highly unlikely that somebody wouldn’t register a company that had six employees.

Ilia and/or Uri make their first fake website

RiskIQ community edition is one of the various online services that let you piece together connections between domain registrations.  (RiskIQ is pretty slick and the community edition is free.)  Here is the domain registration for flyfishingacademy.online:

The email shows Uri [at] Farkas [dot] io, which is Uri Farkas’ email.  The name (for the registrant, admin, billing, and tech contacts) is Ilia Luk Zilberman.  This tells me that the pair were working together on this venture.  The street is Levi Eshkol 88… both Uri and Ilia have used this address for their domain registrations.
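The pivot described above, linking domains through shared registrant fields, can be done mechanically once WHOIS records are exported. This is an added example, not the author's or RiskIQ's code; the domains, registrant values and field names are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed WHOIS records (hypothetical domains and registrant data).
RECORDS = [
    {"domain": "site-a.example", "name": "Alice Example",
     "email": "bob [at] mail [dot] example", "street": "Example St. 88"},
    {"domain": "site-b.example", "name": "Bob Example",
     "email": "bob@mail.example", "street": "12 Other Road"},
    {"domain": "site-c.example", "name": "alice  example",
     "email": "alice@corp.example", "street": "example st 88"},
    {"domain": "site-d.example", "name": "Carol Sample",
     "email": "carol@solo.example", "street": "5 Lone Lane"},
]
FIELDS = ("name", "email", "street")

def normalize(field, value):
    """Fold case, spacing, punctuation and [at]/[dot] obfuscation."""
    v = value.strip().lower()
    if field == "email":
        v = re.sub(r"\s*\[at\]\s*", "@", v)
        return re.sub(r"\s*\[dot\]\s*", ".", v)
    v = re.sub(r"[^\w\s]", "", v)          # drop punctuation such as "St."
    return re.sub(r"\s+", " ", v)

def cluster(records):
    """Group domains that share any normalized registrant value (union-find)."""
    parent = {r["domain"]: r["domain"] for r in records}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    shared = defaultdict(set)              # (field, value) -> domains using it
    for r in records:
        for f in FIELDS:
            key = (f, normalize(f, r[f]))
            if shared[key]:                # value seen before: merge clusters
                parent[find(r["domain"])] = find(next(iter(shared[key])))
            shared[key].add(r["domain"])
    groups = defaultdict(set)
    for d in parent:
        groups[find(d)].add(d)
    return [(sorted(m), sorted(k for k, ds in shared.items()
                               if len(ds) > 1 and ds <= m))
            for m in groups.values() if len(m) > 1]
```

In the sample data, site-b and site-c share no field directly and are joined only through site-a; a transitive link like that is a lead to verify, since registrant data is self-reported.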

Affiliate marketing, a form of marketing where advertisers get commissions for each sale that they generate, seems to be the business model.  The aforementioned flyfishingacademy.online domain has affiliate links such as:

https://www.amazon.com/Supertrip-Portable-Telescopic-Spinning-Saltwater/dp/B017P7AU5A?psc=1&SubscriptionId=AKIAIEZSLJDAQX7R4G2Q&tag=flyfishingacademysite-20&linkCode=xm2&camp=2025&creative=165953&creativeASIN=B017P7AU5A

The tag=flyfishingacademysite-20 part of the Amazon link is what allows Amazon to credit the sale to the affiliate.  You can find out more information about Amazon’s affiliate marketing program at affiliate-program.amazon.com.

One sleazy aspect of this venture is that at least two of the sites use fake names for the ‘author’ of the blog posts.  The authors on the WordPress powered sites have names like Eric Whitehill, Suzy Krohn, Andrew Klein, Amber Minton, etc.  The Handyman Gear site bills itself as recommendations from “real men”, yet it lists a woman’s name (Suzy Krohn) for the author of the site’s blog posts.  BathTime.us contains recommendations from a mom named Matt Fleming.  These guys clearly aren’t that good at making fake websites.

A list of domains registered to the address Levi Eshkol 88 can be found on my Google Sheet (make a copy of it to play around with it).

Does CTS Labs have the skills needed to find security holes?

All four of the known participants in the CTS Labs scheme seem to have questionable skills.  Both Uri and Ilia can do a better job when it comes to making fake websites.

Ian Cutress at Anandtech has done some good work interviewing the other two.  His excellent interview writeup – Our Interesting Call with CTS-Labs – contains some gems.  In one instance, Yaron Luk-Zilberman almost immediately contradicts his own answer:

IC: On the website, CTS-Labs states that the 0-day/1-day way of public disclosure is better than the 90-day responsible disclosure period commonly practiced in the security industry. Do you have any evidence to say that the paradigm you are pursuing with this disclosure is any better?

YLZ: I think there are pros and cons to both methods. […long rambling discussion…]

In this case we decided that the second option is the more responsible one, but I would say that in every case that this is the better method. But that is my opinion. Maybe Ilia (CTO) has a slightly different take on that. But these are my concerns.

IC: Would it be fair to say that you felt that AMD would not be able to mitigate these issues within a reasonable time frame, therefore you went ahead and made them public?

YLZ: I think that is a very fair statement. I would add that we saw that it was big enough of an issue for the consumer had the right to know about them.

IC: Say, for example, CTS-Labs were in charge of finding Meltdown and Spectre, you would have also followed the same path of logic?

YLZ: I think that it would have depended on the circumstances of how we found it, how exploitable it was, how reproducible it was. I am not sure it would be the case. Every situation I think is specific.

It’s bizarre.  Unfortunately his Yale education did not help him in this interview.  EDIT (3/20/2018): The original Anandtech article has since been revised to add the word “not” in “I would [not] say that in every case that this is the better method”.  So there is no immediate contradiction.

As for Ido Li On, he makes some bizarre technical comments in the interview.  At one point, he randomly rambles about FPGAs for no reason:

In any case, the first thing I can say about this is that ASMedia produces ASICs. So I am fairly certain, based on everything we have read and the research we have done, that this is not an FPGA chip so they can’t just patch it with FPGA updates. I do not know if they have hidden features that would enable them to disable those features and I guess it is up to them to tell us.

David Kanter, one of the interviewers and somebody very knowledgeable about designing ASICs (like AMD’s CPUs), would later remark on the Real World Technologies forum:

So I actually interviewed these guys along with Ian Cutress of AnandTech: https://www.anandtech.com/show/12536/our-interesting-call-with-cts-labs

It’s telling how quickly they bailed on the call once I started asking about their company. Also, they seemed to not understand “chicken bits” at all or the basic HW design principles. The ramblings about FPGAs were fascinating.

David

It is Kanter’s opinion that the two CTS Labs representatives he interviewed have some bizarre technical beliefs.

In the interview writeup, Ian Cutress raises some other relevant points:

  • The CTS Labs campaign seemed to be skewed against AMD.  The ASMedia flaws alleged by CTS would mean that both Intel-based and AMD-based systems would be affected (ASMedia chips are found in many but not all Intel-based computers).  Yet CTS Labs focused solely on AMD and claimed that they care about protecting consumers, without putting up an IntelFlaws.com or ASMediaFlaws.com website.
  • The legal argument of not being able to share the details of the security flaws outside of Israel seems to be BS.

Business Wire press release pulled

The Business Wire press release has a 302 temporary redirect on it that makes the press release impossible to read (live link).  Use the archive.org link to read it.  It is possible (but in my opinion highly unlikely) that Business Wire is having technical issues.  I do not know why the press release was pulled, but it’s not hard to imagine why it was pulled.  (EDIT 2:48PM: Well I was wrong.  The redirect is no longer in place.)

 

*Disclosure: I have a short position in AMD (see my posts tagged AMD).  Despite that, I disagree with the ethics of what these charlatans are doing.

Links

The AMD bear raid from Viceroy + CTS-Labs + NineWells, volume III

The AMD bear raid from Viceroy + CTS-Labs + YLZ, volume V
