https://www.anandtech.com/show/12536/our-interesting-call-with-cts-labs
In addition to that, In this case we also sent our code to AMD, and then Microsoft, HP, and Dell, the integrators and also domestic and some other security partners.
‘Domestic’ means Israel’s cyber sleuths are likely developing an exploit & implant kit for this.
Wonderful.
I get the feeling that CTS, being formed of members of Unit 8200, were allowed to use some of the 0-days that they already had, and that had been spotted in the wild, to kick start their company
I would be happy to be proved wrong
So why the fuck did CTS Labs and Viceroy target JUST AMD?
well… Intel had already been shown up with Meltdown… and CTS seem to want to make a name for themselves… and AMD a much softer target? #conspiracyIntensifies
Only name they are making for themselves is a bad one.
the gamble may not have paid off… for CTS nor Viceroy
Well it certainly didn’t work for Viceroy who had I’m sure had a massive short position.
and then AMD gets slightly elevated… probably because of Viceroy’s publicity of CTS… it’s like a great cosmic F you!
https://www.anandtech.com/show/12536/our-interesting-call-with-cts-labs (@catsay linked it allready, I am linking it again to avoid confusion)
The first reply does not make sense in the context of how the story unfolded.
Take some customer requesting an audit and them only publishing to the company selling the audited parts, how come AMD knew after the press about it?
ASMedia was probably contacted by AMD and the press after the publication.
AMD published the same text… This means nothing.
That leads to the question we all want answers for: Why the 24h deadline if the expected patch is so complicated to implement?
Not talking about money is one thing, not talking about it under these circumstances gives serious reason to believe there were strong financial interests in deformation.
Also the “It is our first rodeo” and “we did not contact ARM” strike me as strange. Shouldn´t all remotly affected parties be informed?
CTS is avoiding any answer towards the 24h vs 90 day period. When it comes close to the topic, the interview reads like children taking guesses. And then they return to say “90 days is not enough” (after having said it is a complex issue) so publish now to take even more time away from getting the situation resolved. CTS swivels back and forth between “we are inexperienced” and then making bold claims without even considering other solutions. It is maddening to see this degree of negligence from a security company.
I am not sure what to make of this.
Someone needs to weigh in here. The deeper Anandtech drills, the more CTS seems to be stumbling over their own feet.
Edit:
Anandtech comment at the end has an interesting note:
I wish people would let them fade into obscurity already
Already heard the ‘no smoke without fire’ mantra from a couple of friends…
admittedly less tech savvy, gullible friends… BUT they are still good examples of the common man.
Well they might be able to force mobo manufacturers to not use asmedia usb controllers anymore.
But yeas asmedia are the cheapest controllers out there.
So thats the reason why they are used allot on AMD boards.
How to get owned.
What computer is not owned at that point ?
Now if I email a cat fell out of a window pic and you execute it then yes, yes, through the UAC etc. How can I fix this without killing all humans.
This is a successful 24hour derail spectre / meltdown problem through make news with a nothing burger.
asmedia are on orders of magnitude greatier on inell . Also phones.
I just finished reading the interview and I must say its shady af, I saw a lot of contradicting statements and their excuse for not waiting “It’s our first time around” is just plain irresponsible for a “security firm”. Seriously…
It was kinda entertaining, they keep contradicting themselves. Funniest part was at the end:
– Soo where do you get your money?
– Have to go now, thanks bye!
Looks like the issues are not too hard to fix. If CTS had given AMD a couple of weeks to look into it, the bugs would probably already be fixed. Bigger problem is probably the validation process for the new AGESA etc, that can take months. This validation process seems to be their whole argument that it will take sooo very long for AMD to fix the problem. Looks pretty dishonest to me, had they given AMD a 90 day notice, it would have been a non-issue.
Trail of Bits Technical Summary also say that the bugs are not anything special at all, ergo not hard to fix. Kanter seems to be on the same path, asking about it and not getting any real answer.
The AsMedia USB controller chips being in millions of computers are probably a bigger issue. My old Intel computer has one of the supposedly vulnerable chips for example, and I seriously doubt anyone wants to support it now with firmware updates.
Interesting read…
CTS hiring Trail Of Bits also seemed kinda funny to me. CTS goes to Trail Of Bits like:
–Do me a favor and look at this little, tiiiny thing ok?
–Buddy, this is 13 issues, it will take couple of days to verify. You better pay up!
–Okay, okay the money is on the way.
Then later Trail Of Bits get a lot of crap about it for some reason. Like they are some kind of villans for not wanting to do work for CTS for free? Come on, Trail of Bits are the first real source besides the CTS jokers on this thing. Doing technical work instead of some silly media campaign.
The only scumbags here are CTS. And they seem terrified that anyone would find out who they work for, funny that.
Shit, the CTS update was some excellent work by Steve.
Yup, everybody knows precisely what he is saying by not saying precisely that. 
Looks like everything can be fixed with BIOS updates. Just like the Trail Of Bits analysis seemed to imply. No big deal.