The AMD vulnerabilities disclosure is about the "Why", not the "What"
My short take on the AMD disclosure: whether or not these bugs are real, weaponizable, or allow a persistent footprint on the hardware that survives reboot and evades OS-level detection isn't the story here (especially since they all require admin-level access to the target machine in the first place, but that's another article for later).
The story is about *why* researchers would ever want to cause harm to AMD's employees, their families, and its shareholders by effectively not giving AMD sufficient notice to patch, work with its downstream customers, and prepare the landscape prior to public disclosure.
The only possible motives I can extract from this are either a) harm to AMD or b) a financial gain associated with short positions in AMD stock. The CTS research website on these vulnerabilities took considerable prep time in both the art/layout and the legalese and contextual content, while being sparse on any technical content. Within it you can find a phrase saying:
[...] we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports.
It's there, staring us all in the face in the white paper.
Prediction: This disclosure event may lead to industry or government/SEC talk about the regulation of the disclosure process itself.
There may even be insider-trading rules that could someday apply, for example these two rules that are mentioned here:
The SEC adopted new Rules 10b5-1 and 10b5-2 to resolve two insider trading issues where the courts have disagreed. Rule 10b5-1 provides that a person trades on the basis of material nonpublic information if a trader is "aware" of the material nonpublic information when making the purchase or sale. [...]
Rule 10b5-2 clarifies how the misappropriation theory applies to certain non-business relationships. This rule provides that a person receiving confidential information under circumstances specified in the rule would owe a duty of trust or confidence and thus could be liable under the misappropriation theory.
While I am not a lawyer and have not studied law, I think it would boil down to what the definition of 'material non-public information' is and, if applicable as well, the second rule, which would force us to define what 'duty of trust or confidence' means in the context of research that is not yet public. Can an outsider be liable for insider trading if research like this can be construed as 'material non-public information'? Might there be a future burden of (proper) disclosure by the research community that is written into SEC law at some point (e.g. SEC regulation of disclosure due process)? Either would be a double-edged sword for the entire research community... and the pointiest edge would likely harm overall research much more than it could ever help it. Again, I am not a lawyer and these are just the thoughts that run through my mind, not knowing what I don't know in this area.
There may also be market manipulation rules that apply:
Sec. 9(a)(2) To effect, alone or with one or more other persons, a series of transactions in any security registered on a national securities exchange creating actual or apparent active trading in such security or raising or depressing the price of such security, for the purpose of inducing the purchase or sale of such security by others.
Again, I'm not a lawyer...
What I do know is that something isn't right with the way this is being done, and I think the discussion in the near term will shift to the 'why' of how this was done instead of the 'what', as it should. It's probably all legal the way it's been done and may boil down to whether it is ethical, and there the conversation ends. The St. Jude vs. MedSec debacle in 2016 forced us to visit these same questions... but did anyone learn, or did anything change?
Stay tuned for thoughts on the risk/impact of these vulnerabilities in the context of the kill chain and what additional business risk these vulnerabilities might bring to the table if/when they are weaponized and used in the wild (if they haven't been already by an APT).
P.S. Eager and grateful for any lawyers reading this to chime in, provide corrections or insights, etc. in the comments. I can edit this as needed based on your inputs.
P.P.S. These are just my personal thoughts and questions, not those representing my employer.
#AMDflaws #AMDbugs #RYZENFALL #MASTERKEY #FALLOUT #CHIMERA #AMDRYZENFALL #AMDMASTERKEY #AMDFALLOUT #AMDCHIMERA #AMDdisclosure
Senior Security Engineer
7 years ago: Did you read the white paper? I'm no AMD fan, but the read feels like a stab at AMD market progression. The white paper describes flashing the BIOS and utilization of the local admin accounts.
Cyber Warfare * Information Operations * Artificial Intelligence * Computer Network Operations * Information Warfare
7 years ago: Good read and def something worth thinking about, Scott...