"you are advised that we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports"
People here seem to be mentioning short sellers being connected to this research as if there's some sinister collusion going on.
This is the entire point of short selling, and the SEC encourages this type of activism. It allows people who can provide expert knowledge to profit off a trade if it can reveal damaging and legitimate information about a company.
For example, a short seller last year revealed (through extensive research) that Valeant Pharmaceuticals was stuffing its channels and faking its finances. He placed a huge short sell and went public with the damaging info - tanking the stock from $270 to $12 and made a ton of profit off of it: https://www.nytimes.com/2017/06/08/magazine/the-bounty-hunte...
Without this incentive, why would anyone bother to reveal damaging info? You're placing yourself as a target with no reward. The payment is the natural balance of the market.
So yes, this research firm is connected with a hedge fund, and they have a very vested interest. But that doesn't make their claim untrue.
It's also a huge incentive to overstate the severity. Their goal is to profit off the panic they can produce, so every statement they make is likely heavily biased in that direction.
That said, I don't mind that these "research" organizations exist. Only bothers me when they put the general public at risk (or attempt to) for their own gain.
The point is to counterbalance the other side - companies have an incentive to overstate their upside and understate their risk.
Short sellers want the opposite. So they both present their best cases and let the public decide, much like how lawyers will defend their own clients to the last breath regardless of the amount of evidence against them.
I disagree. AMD needs to maintain its reputation over time. Short sellers make their profit over a few hours/days and don't care if they are proven wrong.
So, AMD has vastly more incentive to be accurate than short sellers.
Pity that vast incentive didn't seem to work out when they promoted all these chips as having "Firmware Trusted Platform Module", "Secure Encrypted Virtualization", "AMD Secure Processor", and "AMD Secure OS" as features.
AMD's incentive, like any corporation, is to maximise shareholder value. Same as any tiny little security research firm. If a research firm can maximise their profit by discovering vulnerabilities and shorting stock before disclosing them, is that any ethically worse than a chip company rushing out flawed hardware with big flashy marketing bullet points claiming how secure they are?
(I'm not saying short-selling chip vendor stocks on the back of vulnerabilities is a way I'd choose to make a living, but surveillance capitalism doesn't seem an "ethically better" industry to work in either...)
As to ethics, that's mostly irrelevant to this discussion. Both sides could have ethical behavior; I am simply pointing out which side has the larger incentives to exaggerate. After all, the stock could drop and a short seller could still lose money. They need the stock to drop a lot even over a minor issue.
While the dollar value of AMD's incentive is without doubt larger - the existential value of the smaller amount incentivising the researcher is likely more motivating...
On an individual level, it's much less I'd think. Inciting a panic could be life changing amounts of money for the researchers, paid out by the hedge fund returns.
AMD isn't going to crash and burn over these flaws any more than Intel (at 5 year high) did.
More and more lately I'm leaning towards the "responsible disclosure is a bunch of crap" camp. You have to be "in" to get the news. Even if you're "in", security people love to play info war power games and withhold things because it tickles their jimmies, etc. And don't forget, you're deliberately keeping a vulnerability secret from consumers during a long period where you have no idea who else knows about it. If I'm a "user" or 3rd party and there's a critical vuln in some system I depend on, I want to know that I shouldn't use it or that I should take extra caution or whatever rather than being clueless, all in the name of the vendor's image.
This is how the whole industry ran in the mid-1990s. There were secret vendor lists that the cool kids got to be on. If you didn't have the right friends, you were shut out. Vendors took their sweet time getting patches out, because their preferred customers were all read in and had workarounds in place. It was a shitty way to organize an industry, and it fell apart with Bugtraq and full-disclosure security.
It's sad to see people arguing for a return to those norms, especially since the rejection of them correlates with a renaissance in our understanding of how to secure software.
It looks like the short notice in this case is not intended to force a timely fix, but to prevent it. They are hoping to cause as much damage to the company as possible, both directly and indirectly through its customers, so they can profiteer from it.
I'd say that the intent makes this qualitatively different to what I'd consider legitimate disclosure.
The flip side to that is to ask whether AMD have been "profiteering" from their customers by deceiving them about the security of their products?
It's not like their marketing copy makes accurate claims like:
"We're reasonably sure our Firmware Trusted Platform Module is trustworthy, but we ran out of time to pentest it properly before we shipped it."
or
"Ryzen features Probably-Secure Encrypted Virtualization! Our interns couldn't break it in an afternoon of trying! The data looks random enough to us..."
How much does "the intent" of their marketing copy and claims come into play?
> It's sad to see people arguing for a return to those norms
Where do you see anyone arguing for that? Or is it just a strawman? What I see is not people arguing against disclosure but people arguing for disclosure with an embargo longer than a day. You're going to have a hard time proving that one day is a norm, or that it correlates with a renaissance in securing software. Your response looks much more like circling the wagons when a member of your tribe is criticized.
If some security researchers are currently choosing immediate highly publicised disclosure and short selling because it's the most profitable path for them - perhaps companies should reconsider their default/expected response to vendor-privileged-disclosure?
It's not like AMD set their chip prices based on "ethics" or "duty to the public". As "the public" I'd prefer a Ryzen 1900X to sell for $150 rather than $500 - It's just a bunch of sand after all (plus some intellectual effort). I don't think AMD get to choose their pricing model but then complain about how security companies price/sell their intellectual work...
Don't sue people if they publish vulnerabilities without any notification to the vendor, as long as they never overstepped and exploited it themselves.
> Having a financial incentive to mess up AMD might explain why they only gave 24 hours' warning, though.
A good way for companies to prevent this is to have a generous bug bounty program. Money is still transferred from the shareholders to the researchers, but then the company can impose conditions like delaying public disclosure for a reasonable time to prepare a fix.
If it's actually someone attempting to make money on a short or to benefit from a working relationship with a competitor, then a bug bounty program does nothing. No one can run a bounty program that pays out anywhere near as much as the information is actually worth to an adversary. Bug bounties work to engender a bit of good will among researchers and to provide some incentive to an otherwise neutral party to play ball. They don't mean shit to a hedge fund or a competitor in a multi-billion dollar industry.
> Not unless the bounties are large enough to attract the attention of a hedge fund.
Which they should be if the alternative is a much larger loss to the company's share value. The shareholders come out ahead to pay five million on a bug bounty if the alternative is to lose a billion dollars in market cap.
I'm not a finance expert, but my very lay person understanding of how financial markets work tells me that those would have to be some rather huge bounties. See e.g., the effect on Intel from earlier this year:
It's not their problem. There's no obligation for them to give any warning at all. They can just go public, short the stock, and watch it fall. The warning is just a polite thing to do
That's fine, but it doesn't change the fact that the possibility (likelihood?) of financial gain affects the author's credibility. Especially since it is already strained by other issues with this disclosure.
It seems to me that disclosing vulnerabilities is in a different category from disclosing fraud. In the latter case, the only entities that suffer materially are the fraudulent organization and its investors; in the former you have the additional potential to expose all users of the vulnerable software to risk.
>We believe AMD is worth $0.00 and will have no choice but to file for Chapter 11 (Bankruptcy) in order to effectively deal with the repercussions of recent discoveries.
At what point does it go from being legal (utilizing information that anyone could have discovered with enough time and effort, whether through short sale or investment) to illegal (stock manipulation through rumor or innuendo)? This qualifies in my eyes, but it's probably hard to prove when one is attached to the other. I agree, it does feel slimy.
A new twist on an old game. I hear people ask why short-selling exists, but it's a good check against corruption, though prone to its own abuses. Citron Research (a short-sell shop) is a good example of this— they savaged companies like NQ Mobile, Lumber Liquidators, etc. and made a bundle doing it.
The security angle is a fascinating and concerning new development, however. That said it may encourage more secure practices (as opposed to theater) through the hardware/software lifecycle in response to serious fundamental design problems.
It will also serve to increase the premium on 0days...
> It will also serve to increase the premium on 0days...
I strongly doubt that. I've seen incredibly serious vulnerabilities I've reported firsthand have little to no impact on a company's valuation when publicized.
But did you create an entire website about the vulnerability, including graphics and headline-friendly names, as well as sending out briefings to major media outlets ahead of the disclosure? Because that's what this group did.
Just look at what Citron Research did to Shopify last year. They tanked the stock from $120 to $93 just based on false accusations that they put out in a "report".
Now Shopify is closer to $150...so their plan worked.
> just based on false accusations that they put out in a "report".
If it's false information, isn't that classic stock manipulation? I thought for it to be legal to make money on the stock it had to be both accurate and publicly available (if potentially hard to put together)?
They make claims that are demonstrably...stupid. I don't know if there's a better, more nuanced word to use here. It's trolling in broad daylight from what I can tell.
Do you know where the line is between what e.g. Citron Research is doing and what is considered slander? (I assume they walk a very thin line in order to not get sued)
Their Shopify video [1] for example is not the typical "research report" with lots of specifics but more of a personal opinion with rather broad accusations.
Citron Research? Total hack and the premise that they provide the market a value is a stretch at best. Sometimes right and lots of times incredibly wrong but makes money on investors panicking immediately.
I agree on the premise of moving the market but they don't necessarily need to be only short sellers, they could have hedged both ways and still made money.
They could have exercised puts if it went down (which it did in the morning) or bought stock/calls both before the site release and in the case of it going down because they knew it wouldn't be a concern or dispelled by AMD.
Unless this is truly a flaw, and in that case, they can still buy more puts and just wait for AMD's official response.
Agreed on the losing money part, in general, but in a stock as volatile as AMD, I feel like there is an opportunity for this type of action, may not be the case for others.
Also, as nothing has been verified about the report (from AMD), there is still the potential for this to move either way.
AMD's stock was negative multiple times today ($11.38 on March 13, 2018 at 10 AM, and at 12 noon on NASDAQ). Shorting the stock would be an obvious play. I have heard of people thinking about trading on security flaws in products but never seen it done in real life.
I've done it once or twice when I reported a vulnerability directly to a company and I knew they'd have to report it to downstream customers pretty quickly. I've also been in discussions for larger vulnerabilities with security-focused hedge funds such as Muddy Waters. Generally I'm weakly skeptical about profiting from it consistently. In particular, funds like Muddy Waters have a pretty high bar for the sort of vulnerability they're willing to work with. You need not only a severe vulnerability, but the right kind of vulnerability, so you know that it can't be swept under the rug.
That said, it's pretty striking to me how aggressive this disclosure is. It may be an attempt to narrow the window and increase the profitability of a short sell.
It's not uncommon for short sellers to take a position first before releasing a report like this to drive the stock lower. Of course, there are legitimate groups that, in the past, have unearthed real issues and corporate misconduct, but there are also questionable groups that will release reports with little to no substance. This case certainly does look dubious, but I'd like to see an assessment by a reputable security expert.
This is not in the same league, but I recall AMD/INTC also traded up on the Spectre/Meltdown debate. A lot of insecure chips ironically leads to a lot of demand for new, more secure chips.
That’s... sort of ok? It’s not perfect, but it opens up another avenue to finance security audits besides selling exploits to intelligence services, attacking end-users (both worse), and collecting rewards from the companies (better).
I always find the importance of these disclaimers blown way out of proportion to their probable economic impact. AMD shares are -up- 2% right now, for a presumably negative piece of news. The stock market is a big and sometimes inscrutable place. But ethics likes to treat things as morally black and white.
Almost always these types of security incidents and breaches NEVER move stock prices negatively because frankly they don't impact business. $AMD is currently trading up 3.5% as of writing this. :-)
Doesn't seem to have a noticeable impact though, and based on the (lack of) impact of most previous security issues, I wouldn't have expected it either.
No they aren't. Aside from the inherent and obvious lack of nuance in that terminology, black hats do not report their vulnerabilities. They weaponize them and use them, or they sell them to criminal organizations.
No, it's actually not. It's distinguished precisely by using a vulnerability with the intention to compromise others. You can't just redefine "black hat" to be whatever normative disagreement you have with how people choose to disclose vulnerabilities. That's entirely subjective.
Excellent, great citation! Now, precisely what did the security researchers hack for their own gain, and precisely which computer's security was violated?
If we can call them "hackers" just because they ostensibly compromised their own hardware or software as a proof of concept for the vulnerability research, does that mean that all of Google's Project Zero consists of hackers and black hats because they get paid (personal gain) by Google to find security vulnerabilities?
Project Zero practices responsible disclosure. They do not make money from the exploitation of the companies whose software/hardware they find flaws in. The difference is very stark and you are being deliberately obtuse.
> They do not make money from the exploitation of the companies whose software/hardware they find flaws in.
Right, and neither did these researchers.
In point of fact, no, the difference really isn't all that stark. It's a difference of degree, not category. You apparently have a problem with disclosing vulnerabilities without providing advance notice to the vendor, and you consider it especially distasteful to do so if you're financially benefitting from that. But all of that still comprises vulnerability disclosure, which is categorically different from actively using a vulnerability to compromise users as part of a criminal enterprise.
We can go back and forth like this all day, because every time someone bends the definition of black hat to fit something they disagree with, I can form a counterpoint which is technically true but which no one is willing to call black hat behavior, like Google Project Zero. On the other hand, if we use the definition of black hats as criminals engaging in online fraud, augmented by security vulnerabilities, then of course Google Project Zero doesn't qualify. You're going to have a very difficult time broadening the scope of this terminology to suit your definition without accidentally including groups you don't want to be in the same bucket.
And that's precisely my point. If you broaden terms too much, like "black hat" to "stuff with computers in bad faith", we can just weasel in whatever satisfies the definition or agrees with our personal viewpoint. Black hat criminals do not engage in debatable behavior, because it's strictly illegal and directly profits at the expense of other people. At best, all you can do is formulate an abstract argument about people being harmed by rapid disclosure, but that actually comes down to a debate of disclosure guidelines, not a debate of activist investing.
Actually dsacco convinced me with his arguments (that those guys are not black hats). Don't assume bad faith in opponents when you are losing the argument ...
On the other hand I agree with responsible disclosure. And I think that should be made mandatory by law.
And finally, I also agree with some fines for companies allowing these holes to exist for so long. Especially those discoverable by 4 (more or less) random guys.
This is not a black and white situation, so don't look for easy conclusions.
There is a reasonably accepted definition for what a "black hat" is. I don't particularly agree with conceptually bucketing people into black hats or white hats, but the paradigm has an existing meaning.
In any case, if we go by what you're saying, then anyone can define "black hat" to mean whatever they want, which means it's a meaningless and unproductive concept to throw around in conversation.
Your assertion is in a catch-22 here. Words have meaning without requiring an independent body to rigorously define them. The established definition of a black hat is someone who compromises other people using security failures for their own gain. If instead we choose to say that the term has no established definition, then the entire point is moot, because calling someone a "black hat" no longer means anything.
> There is a "reasonably accepted" definition of black hat, by your reasoning, and it is: someone who uses computers in bad faith.
Speaking as someone who 1) works in the security industry, 2) has managed corporate disclosure programs as an internal security engineer, 3) has run a security consulting firm working with many companies, and 4) has reported security vulnerabilities in disclosure programs; no, that's not the reasonably accepted definition. I can't think of any colleague I've ever worked with off the top of my head, nor any widely read security-focused periodical (like Krebs), who would use the term "black hat" for such a generalized disagreement of ethics.
I think the "security industry" has a delusional image of themselves and I regard most of them as grey hats at best. An insider's opinion on what constitutes black hat is not particularly impressive to me. And this is not a generalized disagreement of ethics. Bad faith has a specific meaning and you are unreasonably stretching it.
> I think the "security industry" has a delusional image of themselves and regard most of them as grey hats at best.
This criticism of the industry might hold more weight if you actually evidenced a willingness to use terminology according to its accepted usage, not as a tool to advance your ethical opinions.
> And this is not a generalized disagreement of ethics.
It actually is, because I strictly disagree that either of 1) trading on bad news, like security vulnerabilities, or 2) disclosing vulnerabilities without notifying the vendor are unethical. You're free to disagree! Your opinion is just as valid as mine; the thing is, we don't define words based on opinions, because then we'd never get anywhere, and we could label people we don't like whatever term we know other people don't like, even if we don't share the same definition of the term. By calling people who do either of #1 or #2 black hats, you're exercising rhetoric that puts them in with actual criminals, doing actual illegal things just because they are doing something you disagree with.
> Bad faith has a specific meaning and you are unreasonably stretching it.
Okay. I guess I'm free to also call scientists working on whatever thing I disagree with pseudoscientists then, just because I find their work ethically unsettling. Better yet, I could call them criminals.
Words aren't defined by any authority. Their historical and present common uses however are documented by dictionaries et al. The most authoritative source on the term "black hat" is probably esr's jargon file: http://www.catb.org/jargon/html/B/black-hat.html
To save the click: "1. [common among security specialists] A cracker, someone bent on breaking into the system you are protecting."
Your (and hdyr's) looser version is not in common usage and in that sense is wrong.
This is exactly my point. The Jargon file is pretty dated and imo the definition given there isn't really adequate.
My looser version is indeed in common usage. If nothing else 5 HN users seem to agree with my definition enough to upvote my initial comment on the matter.
black hats use them for bad, white hats use them for good.
ideological discussions about disclosure policy aside,
if they are doing this to manipulate stock prices and in doing so create a situation where more actual exploits occur, I'd say that is 'black hat' behavior.. the 'weaponization' is in the 'social engineering' of the market reaction, rather than a direct exploit in this case..
The problem with your first line is that it leaves the definition of black hat open to interpretation, when that is not how the word is actually used in the security industry or in popular reporting. Black hat activity specifically refers to criminal activity, which we can demonstrably perceive and attribute. By your reasoning, I am free to call security researchers black hats if they don't give vendors advance notice. You might disagree with that, but you can't say I'm wrong without making a normative argument about whether or not something is ultimately unethical. There is no categorical difference between me choosing to call people black hats if I disagree with their behavior and you calling these researchers black hats because they're doubling as activist investors.
On the other hand, this entire sideshow is bypassed if we use the well-established definition for "black hat", which refers exclusively to illegal behavior involving security vulnerabilities and online fraud. More to the point, reporting facts is not "market manipulation" (which is also a well established term) even if you want it to be, and "social engineering" is not the same as publicizing information with the intent to move the markets. Using these words in the way you are is the same as flippantly redefining them as you go along, with the result that the conclusion is quite brittle. There could be a strong argument that the behavior is unethical, but using these terms as you are doesn't help that point along, it hampers it.
> Black hat activity specifically refers to criminal activity, which we can demonstrably perceive and attribute
stock manipulation is clearly criminal, if you want to take the 'letter of the law' approach..
beyond this, this gets into the same debate as letter of the law vs spirit of the law, which has both nothing and everything to do with this topic.. black hat is not 'defined exclusively' anywhere, and of course one leaning to a 'letter of the law' argument would then also look for 'exclusive definitions'
as to your point:
> free to call security researchers black hats if they don't give vendors advance notice.
if they are doing this for malicious purposes, yes
if it is for an ideological stance, then, well, it depends on how you view their ideology.
what happens if the law is incorrect?
again, letter of the law vs spirit of the law.
"normative argument about whether or not something is ultimately unethical"
laws are normative arguments about whether or not something is ultimately unethical.. not neutral 'things' that exist in a vacuum. and they can be correct or incorrect, and also incompletely defined..
how does acting completely unethically yet entirely within the law for malicious purposes fit into your framework?
Say for example, actively portscanning (legality nebulous) for already infected computers and then overcharging 2000% for cleanup? Then spamming virii from a jurisdiction where it is not illegal in order to grow this 'business'? All legal.. so it's "white hat?" or is it 'grey hat' because it is in a legal 'gray area'? I don't think that's what grey hat means either..
> laws are normative arguments about whether or not something is ultimately unethical
That wasn't the distinction I was making. A law is a positive statement. An argument of what should be lawful, or an interpretation of a law, is of course normative. But I already said that in this thread.
By the "letter of the law" (section 9(4)(a) of the SEC act and existing case law), stock manipulation involves promulgating outright falsehoods. Case law shows us that exemplary falsehoods have to be categorically untrue; a biased presentation of something that is true does not pass the bar. Being that there is a vulnerability here, the material we have to go on does not paint a favorable outlook on the researchers being indicted. Activist investors routinely present facts to the media with a clear agenda, but the SEC virtually never prosecutes them if there is an inarguable, material kernel of truth to their allegations. There's a vulnerability here. Reasonable people can disagree on the severity of the vulnerability and how it should have been disclosed. But it's not fraud.
> how does acting completely unethically yet entirely within the law for malicious purposes fit into your framework?
Your question has a presupposition; if the security researchers traded on their knowledge of this vulnerability, I find that to be neither unethical nor illegal stock manipulation.
I'm sure they believe that, but to be blunt, that changes the definition of "black hat" from "compromising people with security vulnerabilities" to "doing things I personally find unsavory when publicly disclosing security vulnerabilities."
If people want to bend over backwards to make an argument about the abstract way in which people are harmed by small disclosure windows, activist investing or information asymmetry in the market, they're free to do so. But none of those things qualifies as black hat behavior. Definitions require precision to be useful, and you throw all precision out the window if you decide to lump people with disclosure habits you dislike in with organized criminals stealing identities en masse.
> If the term is flexible, why the hard reaction to my flexing of it?
The terminology is not flexible, it has a well established meaning. If your bar for a black hat includes legitimate security researchers disclosing vulnerabilities in a way you don't like, you've just expanded the group of people we can call "black hats" almost arbitrarily. You're putting security researchers you have a normative disagreement with into the same group of people who commit actual fraud, steal identities and sell your credit card data.