Intel Tried to Bribe Dutch University to Suppress Knowledge of MDS Vulnerability

[Metroid]

Intel is a crooked company, only few websites dont go along with their evil tactics, here at techpowerup we see a neutral take on both, amd or intel, websites for example like anantech there is only intel and their products, I mean amd name and products or news are rarely published there, just for the sake of an unbiased view, I challenge you right now to go to anantech and check their main page, is 100% filled with intel marketing things. It's sad. We need more neutral tech websites like techpowerup. Intel buys everything in order to keep its name and products high priority.

 

[FreedomEclipse]

I don't believe it for a second.

Yeah I mean its not as if Intel were paying or offering OEMs and system builders deep discounts to build more Intel based units or cut out AMD units completely a few years back.

This has been widely documented and even landed Intel in a certain court for anti-trust/anti-competitive practises and fined a few million or billion for their behavior.

 

[moproblems99]

Feel bad for all the people that couldn't wait for Zen 2 and rushed out and bought one. The feeling it must be to support such people...

 

[rtwjunkie]

Intel is a crooked company, only few websites dont go along with their evil tactics, here at techpowerup we see a neutral take on both, amd or intel, websites for example like anantech there is only intel and their products, I mean amd name and products or news are rarely published there, just for the sake of an unbiased view, I challenge you right now to go to anantech and check their main page, is 100% filled with intel marketing things. It's sad. We need more neutral tech websites like techpowerup. Intel buys everything in order to keep its name and products high priority.

You talk about biased as a bad thing, and yet there you are, completely biased.

Did you read the whole thread, beyond the headline? I point you to Post#17

 

[moproblems99]

Wouldn't we want Intel and AMD paying rewards for these discoveries and suppressing the discovery until a patch is issued? Why do these groups want to discover vulnerabilities and immediately expose everyone? I would think these groups would be on the side of consumers but it seems they are on the side of attackers if they intend to release info and expose everyone before fixes are available.

I am a not a fanboy of anyone, currently running AMD in my desktop and Intel in a notebook. Common sense isn't a fanboy.

Generally 90 days is sufficient to patch most problems. If it isn't, as long as the discoverer feels the company is doing its part by engineering a fix, things don't get disclosed. Considering we are well beyond that, I am pretty sure that appropriate decisions were made.

Though I would have contacted a member of the FTC or something to accept the money on my behalf from Intel. In secret.

 

[john_]

It's so easy to believe that Intel tried to bribe someone, it's not even news. It's routine.

 

[moproblems99]

So, basically, seems things went normal according to the usual Intel bounty/reward program, until Intel wanted another 6 months of time to work on the issue. The group didn't want to wait any longer than the initial program deal they made, and in response Intel wanted to at least make things look publicly less "worrying", by asking them to publicly say the vulnerability it wasn't really that of a big deal, offering them another $40k + $80k. They refused the offer and released the research untouched.

Everything else you say is quite truthful and I applaud your extra research and fact finding. However, it is not common practice to downplay the severity (from my understanding). The security industry is founded upon giving people the truth about the risk in their products. If they don't then they have failed the community and people who depend on CVEs when buying their infrastructure (think clouds) etc or risk assessments of their assets. Especially when Intel has the fix ready. It seems more logical they wanted the extra 6 months so they could launch a product without this cloud hanging over. These vulnerabilities are relatively low risk for you and I but not so for enterprise and data centers.

Again, we don't really know for sure so it is hard to say and everyone will make of it what they will. Considering Intel got busted paying off OEMs previously, the former is accusation is plausible. But since we also accused MSI (with no evidence whatsoever) of trying to pull the wool over everyone's eyes with the AM4 socket, I am not surprised by the wording either.

 

[RealNeil]

Intel seriously need medics here..

can you say, "Sucking Chest Wound?"

 

[Redwoodz]

The bribe part came in when Intel wanted to delay 6 months. Of course Zen2 being launched next month had nothing to do with it.

 

[Ahhzz]

I'm not part of Intel's bandwagon, but this article seems really confusing and kind of misleading... the title says Intel wanted to pay them to "suppress knowledge of MDS vulnerability", but then the article itself says instead they wanted them "to downplay the severity of the vulnerability". The first part implies the Dutch to don't say a thing (possibly until they fix the problem), the second part implies the information would be public but the severity and details to be "softened".
So after reading this, one may ask... "well, which one was it?" and why is the "bribe" word being used when there's a public bounty program in place by Intel to reward people that discover these kind of issues with their products?

Going to the source/reddit article to find some extra details doesn't exactly make things 100% clear, but it seems to me that it went like this:
- among several researcher groups taking a look at said vulnerabilities, the Dutch Uni was the one that found the major part of it
- Intel paid the Dutch Uni research group around $100,000 (89,000 euros) as part of their public bounty program (explained on their own press release also linked in this TPU article). They would reveal Intel the details and not publicly, so that Intel could investigate and work a security fix. (so nothing really shady here (as in bribe), seems normal procedure in these cases)
- the group said they would give Intel until May, then they would release the infos/leaks themselves
- apparently Intel wanted to wait another six months so they could get more time to fix it
- the group refused
- Intel then made them an additional offer of 40k , then another 80k on top, to convince them to downplay the severity /level of vulnerability of the problem, since sh/t would hit the fan anyway (probably to make things a bit less interesting for hackers and to avoid another public PR snowball)
- the group refused this additional offer to soften the exploit severity, and then released the vulnerability infos in May as planned.

So, basically, seems things went normal according to the usual Intel bounty/reward program, until Intel wanted another 6 months of time to work on the issue. The group didn't want to wait any longer than the initial program deal they made, and in response Intel wanted to at least make things look publicly less "worrying", by asking them to publicly say the vulnerability it wasn't really that of a big deal, offering them another $40k + $80k. They refused the offer and released the research untouched.

Considering it's a security problem, one can see why Intel wanted to at least try some "damage control". Even if the group accepted the "downplay" offer, eventually with time, the real severity would come out and that would make the group and Intel look bad. Difference is, Intel can afford to look bad in that situation, specially if the reasons were based on "customer's security".

Good explanation.

 

[Slizzo]

Nice background work! What we have here is one of the only responders who bothered to do some source work, instead of just responding to the sensationalist headline.

What's sad is, that it shouldn't be up to this random internet person to give the full details on the issue and original article; it should be on the "news" team to research this and provide all the information.

But, alas, this isn't a "news" site, it's an editorial site.

 

[Metroid]

You talk about biased as a bad thing, and yet there you are, completely biased.

Did you read the whole thread, beyond the headline? I point you to Post#17

uh? check, if there is even any talk or post about this problem on anantech and this is a very important news and yet there is nothing there at least acknowledging the problem and here you are saying I'm the problem, there must be something wrong inside your head.

 

[rtwjunkie]

uh? check, if there is even any talk or post about this problem on anantech and this is a very important news and yet there is nothing there at least acknowledging the problem and here you are saying I'm the problem, there must be something wrong inside your head.

So that would be a “no” to my question, check.

 

[oxidized]

I'm not sure you people understand we're talking about a couple hundred thousand of dollars, do you really believe intel would risk to expose such a dirty move for that amount of money? We're talking about a +70 billion company here...

 

[Casecutter]

No, they need a new security head. Clearly this guy isn't "working" so well
They should also hire a new lawyer

Love that those guys seem so much more ethical!

I'm fence sitting on this... One side is such findings should at least come to light/public (low level details) after a IDK a 4 week "grace period" where the company has a time to either fix or minimize vulnerability affect. But this... hey we'll pay you for a 6mo extension to not make public...? How many nefarious groups are exploiting it while Intel keep's it hush-hush... Or, that's just enough time to release their next offerings and minimize damage to a launch of products that vulnerability is still there. Perhaps the people who are exploiting it use the extra 6 mo's to release Drumps tax returns, make an attack on your country, or just ruin your credit. In-action is not a option.

 

[ShurikN]

So after reading this, one may ask... "well, which one was it?" and why is the "bribe" word being used when there's a public bounty program in place by Intel to reward people that discover these kind of issues with their products?


- Intel then made them an additional offer of 40k , then another 80k on top, to convince them to downplay the severity /level of vulnerability of the problem

Did you even read your own post.

 

[Steevo]

So they discovered the issue, reported it to Intel. Intel paid them.100K and had 6 months to disclose the security issues, didn't, then tried to bribe them with another 40 to not say anything. Then when they didn't take that Intel upped their bribe to 80K to down play it's security issues.

Sounds about right.

 

[moproblems99]

after a IDK a 4 week "grace period" where the company has a time to either fix or minimize vulnerability affect

The typical grace period is 90 days. Then the researcher and company hash out the details. If it is going to take longer to fix then they will agree to hold off until the fix is ready. If the researcher doesn't believe what the company says then the research will release it after the 90 days or however long they think it will take to fix it.

 

[Deleted member 158293]

Per Intel's track record, this really shouldn't be a surprise... the opposite would've been a surprise if anything.

 

[Patriot]

I'm not part of Intel's bandwagon, but this article seems really confusing and kind of misleading... the title says Intel wanted to pay them to "suppress knowledge of MDS vulnerability", but then the article itself says instead they wanted them "to downplay the severity of the vulnerability". The first part implies the Dutch to don't say a thing (possibly until they fix the problem), the second part implies the information would be public but the severity and details to be "softened".
So after reading this, one may ask... "well, which one was it?" and why is the "bribe" word being used when there's a public bounty program in place by Intel to reward people that discover these kind of issues with their products?

Going to the source/reddit article to find some extra details doesn't exactly make things 100% clear, but it seems to me that it went like this:
- among several researcher groups taking a look at said vulnerabilities, the Dutch Uni was the one that found the major part of it
- Intel paid the Dutch Uni research group around $100,000 (89,000 euros) as part of their public bounty program (explained on their own press release also linked in this TPU article). They would reveal Intel the details and not publicly, so that Intel could investigate and work a security fix. (so nothing really shady here (as in bribe), seems normal procedure in these cases)
- the group said they would give Intel until May, then they would release the infos/leaks themselves
- apparently Intel wanted to wait another six months so they could get more time to fix it
- the group refused
- Intel then made them an additional offer of 40k , then another 80k on top, to convince them to downplay the severity /level of vulnerability of the problem, since sh/t would hit the fan anyway (probably to make things a bit less interesting for hackers and to avoid another public PR snowball)
- the group refused this additional offer to soften the exploit severity, and then released the vulnerability infos in May as planned.

So, basically, seems things went normal according to the usual Intel bounty/reward program, until Intel wanted another 6 months of time to work on the issue. The group didn't want to wait any longer than the initial program deal they made, and in response Intel wanted to at least make things look publicly less "worrying", by asking them to publicly say the vulnerability it wasn't really that of a big deal, offering them another $40k + $80k. They refused the offer and released the research untouched.

Considering it's a security problem, one can see why Intel wanted to at least try some "damage control". Even if the group accepted the "downplay" offer, eventually with time, the real severity would come out and that would make the group and Intel look bad. Difference is, Intel can afford to look bad in that situation, specially if the reasons were based on "customer's security".

We need you writing the stories here...

 

[Casecutter]

The typical grace period is 90 days

Depending on what it is, the unscrupulous could keep wreaking havoc for 3 mo's. IDK that feels generous especially depending on what it is and how it could be used.

 

[Diverge]

Intel needs to class action lawsuit... I can't wait to cash in on all the flawed CPUs I've bought over the years....

 

[moproblems99]

Depending on what it is, the unscrupulous could keep wreaking havoc for 3 mo's. IDK that feels generous especially depending on what it is and how it could be used.

That's true but it has to be found by others in order to be used. Could other people have found it? Sure. Can everything be fixed in 4 weeks? No. 12 weeks? Maybe.

The key is that the longer it is not public then generally speaking the longer it doesn't get exploited. If the company is dragging their feet then they usually get called out and the vulnerability goes public. The problem with that is that it leaves people with the vulnerable system at the mercy of companies and bad actors.

The researchers have to use their judgement about which path to take: Hopefully protect users by not releasing the vulnerability while the patch happens or release the vulnerability to force the company to fix it (hope they do) and put users at greater risk.

 

[drade]

Fake news intel a transparent company

 

[moproblems99]

Fake news intel a transparent company

Clear as mud!