• Welcome to TechPowerUp Forums, Guest! Please check out our forum guidelines for info related to our community.

Intel Tried to Bribe Dutch University to Suppress Knowledge of MDS Vulnerability

Status
Not open for further replies.
Joined
May 11, 2016
Messages
261 (0.08/day)
Kind of struggling to find the issue that caused the finders of the flaw to turn down the $. An NDA for something like that in return for the reward is standard in any type of business for confidential things like this.

To me it seems to be a misconception on the part of the finders as to how IT works in large corporations. Every IT shop has approvals and thorough testing that every change has to go through, to make sure that a change doesn't have an unintended consequence or introduces a big bug. Intel became the market leader because their chips are reliable. I don't want them throwing out untested patches that are rushed out asap either, and the public would uproar if Intel operated that way. It's not feasible to expect hotfixes for things like this in hours, and although Intel deservedly doesn't have a great rep I don't think this is the hill to die on for railing against big corporate evil. I also personally wouldn't view the payment as a "bribe". To me the flaw finders shot themselves in the foot turning down the money.

So a fix is going to take a little time, and that should be expected.
 
Joined
Mar 10, 2015
Messages
3,984 (1.11/day)
System Name Wut?
Processor 3900X
Motherboard ASRock Taichi X570
Cooling Water
Memory 32GB GSkill CL16 3600mhz
Video Card(s) Vega 56
Storage 2 x AData XPG 8200 Pro 1TB
Display(s) 3440 x 1440
Case Thermaltake Tower 900
Power Supply Seasonic Prime Ultra Platinum
Kind of struggling to find the issue that caused the finders of the flaw to turn down the $. An NDA for something like that in return for the reward is standard in any type of business for confidential things like this.

To me it seems to be a misconception on the part of the finders as to how IT works in large corporations. Every IT shop has approvals and thorough testing that every change has to go through, to make sure that a change doesn't have an unintended consequence or introduces a big bug. Intel became the market leader because their chips are reliable. I don't want them throwing out untested patches that are rushed out asap either, and the public would uproar if Intel operated that way. It's not feasible to expect hotfixes for things like this in hours, and although Intel deservedly doesn't have a great rep I don't think this is the hill to die on for railing against big corporate evil. I also personally wouldn't view the payment as a "bribe". To me the flaw finders shot themselves in the foot turning down the money.

So a fix is going to take a little time, and that should be expected.

They took the bounty. The money they rejected was to downplay the problem.
 
Joined
Jan 8, 2017
Messages
9,509 (3.27/day)
System Name Good enough
Processor AMD Ryzen R9 7900 - Alphacool Eisblock XPX Aurora Edge
Motherboard ASRock B650 Pro RS
Cooling 2x 360mm NexXxoS ST30 X-Flow, 1x 360mm NexXxoS ST30, 1x 240mm NexXxoS ST30
Memory 32GB - FURY Beast RGB 5600 Mhz
Video Card(s) Sapphire RX 7900 XT - Alphacool Eisblock Aurora
Storage 1x Kingston KC3000 1TB 1x Kingston A2000 1TB, 1x Samsung 850 EVO 250GB , 1x Samsung 860 EVO 500GB
Display(s) LG UltraGear 32GN650-B + 4K Samsung TV
Case Phanteks NV7
Power Supply GPS-750C
Intel needs an entire new re-structuring

At the end of the day they are going to draw the line and all they'll see are record revenues. As far as they're concerned they don't need to change anything, that's the sad reality. They do seem to be rather ruthless, they're piling up problems like there's no tomorrow. I am not sure for how long those record numbers will be able to cushion every mistake they make.
 
Last edited:

Space Lynx

Astronaut
Joined
Oct 17, 2014
Messages
17,427 (4.68/day)
Location
Kepler-186f
Processor 7800X3D -25 all core
Motherboard B650 Steel Legend
Cooling Frost Commander 140
Video Card(s) Merc 310 7900 XT @3100 core -.75v
Display(s) Agon 27" QD-OLED Glossy 240hz 1440p
Case NZXT H710 (Red/Black)
Audio Device(s) Asgard 2, Modi 3, HD58X
Power Supply Corsair RM850x Gold
At the end of the day they are going to draw the line and all they'll see are record revenues. As far as they're concerned they don't need to change anything, that's the sad reality. They do seem to be rather ruthless, they're piling up problems like there's no tomorrow. I am not sure for how long those record numbers will be able to cushion every mistake they make.

those numbers will change in the coming quarters I am afraid, EPYC Rome and 3700x are going to dominate like we have never seen, I suspect. Well EPYC is already dominating data centers and supercomputer deals.
 
Joined
Mar 10, 2015
Messages
3,984 (1.11/day)
System Name Wut?
Processor 3900X
Motherboard ASRock Taichi X570
Cooling Water
Memory 32GB GSkill CL16 3600mhz
Video Card(s) Vega 56
Storage 2 x AData XPG 8200 Pro 1TB
Display(s) 3440 x 1440
Case Thermaltake Tower 900
Power Supply Seasonic Prime Ultra Platinum
At the end of the day they are going to draw the line and all they'll see are record revenues. As far as they're concerned they don't need to change anything, that's the sad reality. They do seem to be rather ruthless, they're piling up problems like there's no tomorrow. I am not sure for how long those record numbers will be able to cushion every mistake they make.

It is a sad truth and I'd honestly like to say people cared but they don't. You just have to remember that these problems don't affect anyone because you have to rub your tummy and your head at the same time, in opposite directions, in order to exploit it. To top that off, no one actually has any data that people want. Can you believe some people care?

But don't worry, they are going to save us with GPUs. They will be dirt cheap and better than AMDs.
 
Joined
Nov 4, 2005
Messages
12,015 (1.72/day)
System Name Compy 386
Processor 7800X3D
Motherboard Asus
Cooling Air for now.....
Memory 64 GB DDR5 6400Mhz
Video Card(s) 7900XTX 310 Merc
Storage Samsung 990 2TB, 2 SP 2TB SSDs, 24TB Enterprise drives
Display(s) 55" Samsung 4K HDR
Audio Device(s) ATI HDMI
Mouse Logitech MX518
Keyboard Razer
Software A lot.
Benchmark Scores Its fast. Enough.
Kind of struggling to find the issue that caused the finders of the flaw to turn down the $. An NDA for something like that in return for the reward is standard in any type of business for confidential things like this.

To me it seems to be a misconception on the part of the finders as to how IT works in large corporations. Every IT shop has approvals and thorough testing that every change has to go through, to make sure that a change doesn't have an unintended consequence or introduces a big bug. Intel became the market leader because their chips are reliable. I don't want them throwing out untested patches that are rushed out asap either, and the public would uproar if Intel operated that way. It's not feasible to expect hotfixes for things like this in hours, and although Intel deservedly doesn't have a great rep I don't think this is the hill to die on for railing against big corporate evil. I also personally wouldn't view the payment as a "bribe". To me the flaw finders shot themselves in the foot turning down the money.

So a fix is going to take a little time, and that should be expected.

Their fix is going to cripple performance, Intel's lead in IPC is based on lack of security and checks that cost IPC in real world application switching.

There is no fix that won't cost IPC degredation.
 
Joined
Apr 16, 2010
Messages
2,070 (0.39/day)
System Name iJayo
Processor i7 14700k
Motherboard Asus ROG STRIX z790-E wifi
Cooling Pearless Assasi
Memory 32 gigs Corsair Vengence
Video Card(s) Nvidia RTX 2070 Super
Storage 1tb 840 evo, Itb samsung M.2 ssd 1 & 3 tb seagate hdd, 120 gig Hyper X ssd
Display(s) 42" Nec retail display monitor/ 34" Dell curved 165hz monitor
Case O11 mini
Audio Device(s) M-Audio monitors
Power Supply LIan li 750 mini
Mouse corsair Dark Saber
Keyboard Roccat Vulcan 121
Software Window 11 pro
Benchmark Scores meh... feel me on the battle field!
.....this is just sad........its like intel in a hiring furry hired this guy too...
123143

.....and he began building gpu-a-nators and installing self destruct buttons on everything........
 
Joined
Mar 10, 2015
Messages
3,984 (1.11/day)
System Name Wut?
Processor 3900X
Motherboard ASRock Taichi X570
Cooling Water
Memory 32GB GSkill CL16 3600mhz
Video Card(s) Vega 56
Storage 2 x AData XPG 8200 Pro 1TB
Display(s) 3440 x 1440
Case Thermaltake Tower 900
Power Supply Seasonic Prime Ultra Platinum
Their fix is going to cripple performance, Intel's lead in IPC is based on lack of security and checks that cost IPC in real world application switching.

There is no fix that won't cost IPC degredation.

Let's be clear. Zen may not be vulnerable to these, but rest assured, Zen will have its issues as well. I can assure you that Intel is hard at work on it.
 
Joined
Nov 21, 2010
Messages
2,355 (0.46/day)
Location
Right where I want to be
System Name Miami
Processor Ryzen 3800X
Motherboard Asus Crosshair VII Formula
Cooling Ek Velocity/ 2x 280mm Radiators/ Alphacool fullcover
Memory F4-3600C16Q-32GTZNC
Video Card(s) XFX 6900 XT Speedster 0
Storage 1TB WD M.2 SSD/ 2TB WD SN750/ 4TB WD Black HDD
Display(s) DELL AW3420DW / HP ZR24w
Case Lian Li O11 Dynamic XL
Audio Device(s) EVGA Nu Audio
Power Supply Seasonic Prime Gold 1000W+750W
Mouse Corsair Scimitar/Glorious Model O-
Keyboard Corsair K95 Platinum
Software Windows 10 Pro
I'm not part of Intel's bandwagon, but this article seems really confusing and kind of misleading... the title says Intel wanted to pay them to "suppress knowledge of MDS vulnerability", but then the article itself says instead they wanted them "to downplay the severity of the vulnerability". The first part implies the Dutch to don't say a thing (possibly until they fix the problem), the second part implies the information would be public but the severity and details to be "softened".
So after reading this, one may ask... "well, which one was it?" and why is the "bribe" word being used when there's a public bounty program in place by Intel to reward people that discover these kind of issues with their products?

Suppress: keep info from going public until fix
Downplay: get fix out then release now blunted info due to issue being remedied, PR spins it to not look as bad.
 
Joined
Oct 22, 2014
Messages
14,170 (3.81/day)
Location
Sunshine Coast
System Name H7 Flow 2024
Processor AMD 5800X3D
Motherboard Asus X570 Tough Gaming
Cooling Custom liquid
Memory 32 GB DDR4
Video Card(s) Intel ARC A750
Storage Crucial P5 Plus 2TB.
Display(s) AOC 24" Freesync 1m.s. 75Hz
Mouse Lenovo
Keyboard Eweadn Mechanical
Software W11 Pro 64 bit
Let's be clear. Zen may not be vulnerable to these, but rest assured, Zen will have its issues as well. I can assure you that Intel is hard at work on it.
Bribing Microsoft to cripple AMD performance? :p
 
Last edited:
Joined
Mar 10, 2015
Messages
3,984 (1.11/day)
System Name Wut?
Processor 3900X
Motherboard ASRock Taichi X570
Cooling Water
Memory 32GB GSkill CL16 3600mhz
Video Card(s) Vega 56
Storage 2 x AData XPG 8200 Pro 1TB
Display(s) 3440 x 1440
Case Thermaltake Tower 900
Power Supply Seasonic Prime Ultra Platinum
Joined
Feb 23, 2019
Messages
6,106 (2.87/day)
Location
Poland
Processor Ryzen 7 5800X3D
Motherboard Gigabyte X570 Aorus Elite
Cooling Thermalright Phantom Spirit 120 SE
Memory 2x16 GB Crucial Ballistix 3600 CL16 Rev E @ 3600 CL14
Video Card(s) RTX3080 Ti FE
Storage SX8200 Pro 1 TB, Plextor M6Pro 256 GB, WD Blue 2TB
Display(s) LG 34GN850P-B
Case SilverStone Primera PM01 RGB
Audio Device(s) SoundBlaster G6 | Fidelio X2 | Sennheiser 6XX
Power Supply SeaSonic Focus Plus Gold 750W
Mouse Endgame Gear XM1R
Keyboard Wooting Two HE
Suppress: keep info from going public until fix
Downplay: get fix out then release now blunted info due to issue being remedied, PR spins it to not look as bad.
I think they were more worried about what their investors would think about another vulnerability than the general public.
 
Joined
Oct 1, 2006
Messages
4,934 (0.74/day)
Location
Hong Kong
Processor Core i7-12700k
Motherboard Z690 Aero G D4
Cooling Custom loop water, 3x 420 Rad
Video Card(s) RX 7900 XTX Phantom Gaming
Storage Plextor M10P 2TB
Display(s) InnoCN 27M2V
Case Thermaltake Level 20 XT
Audio Device(s) Soundblaster AE-5 Plus
Power Supply FSP Aurum PT 1200W
Software Windows 11 Pro 64-bit
I think they were more worried about what their investors would think about another vulnerability than the general public.
Even more important than that, how their Data Center customers think.
After all that is where Intel's profit margins are.
 
Joined
Feb 17, 2017
Messages
854 (0.30/day)
Location
Italy
Processor i7 2600K
Motherboard Asus P8Z68-V PRO/Gen 3
Cooling ZeroTherm FZ120
Memory G.Skill Ripjaws 4x4GB DDR3
Video Card(s) MSI GTX 1060 6G Gaming X
Storage Samsung 830 Pro 256GB + WD Caviar Blue 1TB
Display(s) Samsung PX2370 + Acer AL1717
Case Antec 1200 v1
Audio Device(s) aune x1s
Power Supply Enermax Modu87+ 800W
Mouse Logitech G403
Keyboard Qpad MK80
Did you even read your own post.

Beside i don't believe it even for a second, do you trust anything you read on the internet only because it might come from a "reputable" source?
 

FreedomEclipse

~Technological Technocrat~
Joined
Apr 20, 2007
Messages
24,179 (3.74/day)
Location
London,UK
System Name WorkInProgress
Processor AMD 7800X3D
Motherboard MSI X670E GAMING PLUS
Cooling Thermalright AM5 Contact Frame + Phantom Spirit 120SE
Memory 2x32GB G.Skill Trident Z5 NEO DDR5 6000 CL32-38-38-96
Video Card(s) Asus Dual Radeon™ RX 6700 XT OC Edition
Storage WD SN770 1TB (Boot)|1x WD SN850X 8TB (Gaming) | 2x2TB WD SN770| 2x2TB+2x4TB Crucial BX500
Display(s) LG GP850-B
Case Corsair 760T (White) {1xCorsair ML120 Pro|5xML140 Pro}
Audio Device(s) Yamaha RX-V573|Speakers: JBL Control One|Auna 300-CN|Wharfedale Diamond SW150
Power Supply Seasonic Focus GX-850 80+ GOLD
Mouse Logitech G502 X
Keyboard Duckyshine Dead LED(s) III
Software Windows 11 Home
Benchmark Scores ლ(ಠ益ಠ)ლ
So their response was pretty much an everyday boilerplate response that ignores the original accusation and of course Intel being caught with their hand in the cookie jar trying to initiate some antitrust behavior.
 
Joined
Jul 28, 2007
Messages
94 (0.01/day)
Location
Portugal
Processor AMD Ryzen 5 3600
Motherboard MSi MPG X570 Gaming Plus
Cooling Noctua NH-D14
Memory G.Skill DDR4-3600 Trident Z CL 16
Video Card(s) MSi GTX 1080 Gaming X 8GB
Storage Crucial P1 500GB M.2 NVMe
Display(s) Acer Predator XB1 IPS 165Hz G-Sync
Case Lian-Li PC-A10B
Audio Device(s) Creative X-Fi Titanium Fatal1ty Pro Series
Power Supply Seasonic Focus+ Gold 750W
Mouse Zowie EC1-A
Keyboard G.Skill KM780 MX (MX brown)
Did you even read your own post.

Did you even try to understand it? The said post had the objective to underline the lack of clear info and details from a reader's point of view, possibly creating more questions and doubts than answers. Was it a case of "suppress" information or was it a case of "downplay" of the information? Was actually both?
Which therefore made me (and the replies here prove wasn't the only one) go to the original reddit post to try decipher the sequence of events and understand if the "bribe" term was something that made sense in this case, since Intel has a public reward program in place. So, without reading that reddit post, and just considering this short TPU news, it's fair that a reader could have some questions on what actually was happening... "was the 40k+80k the first initial offer from Intel just to make them downplay the problem?", "was it part of a more complex sequence of events where Intel tried to suppress information?", "was the usual reward program even considered in this case and the group just completely refused?"

The rest of my own post was the result of my own findings after reading the reddit page a few times (something I encourage everyone else to do and check if they reach the same scenario and conclusion). Which culminates on a better understanding of what happened and if the "bribe" wording can be applied after all. And the answer is: it can, depending on your point of view of it all and your own judgement of Intel's intentions along the entire process.

TLDR:
1 - information was unclear and insufficient after reading the short TPU article
2 - questions were presented
3 - further basic research reading was done to try understand more
4 - results were presented to answer those questions.

Can't be more clear than this.
 

Dexiefy

New Member
Joined
Jul 30, 2018
Messages
26 (0.01/day)
So, basically, seems things went normal according to the usual Intel bounty/reward program, until Intel wanted another 6 months of time to work on the issue. The group didn't want to wait any longer than the initial program deal they made, and in response Intel wanted to at least make things look publicly less "worrying", by asking them to publicly say the vulnerability it wasn't really that of a big deal, offering them another $40k + $80k. They refused the offer and released the research untouched.

Considering it's a security problem, one can see why Intel wanted to at least try some "damage control". Even if the group accepted the "downplay" offer, eventually with time, the real severity would come out and that would make the group and Intel look bad. Difference is, Intel can afford to look bad in that situation, specially if the reasons were based on "customer's security".
Bribe - dishonestly persuade (someone) to act in one's favour by a gift of money or other inducement.

Intel: "Hey guys, please lie to the public [underplay severity of exploit] in our favor[so we won't be so screwed with yet another vulnerability in our cpu's] in exchange for money [40k$+80k$]"

Imo it fits the definition of a bribe perfectly. Intel seems to have asked them to lie in exchange for money.
That is of course while assuming that the entire story is true as it's described.
 
Joined
Mar 10, 2015
Messages
3,984 (1.11/day)
System Name Wut?
Processor 3900X
Motherboard ASRock Taichi X570
Cooling Water
Memory 32GB GSkill CL16 3600mhz
Video Card(s) Vega 56
Storage 2 x AData XPG 8200 Pro 1TB
Display(s) 3440 x 1440
Case Thermaltake Tower 900
Power Supply Seasonic Prime Ultra Platinum
Joined
May 8, 2018
Messages
1,571 (0.65/day)
Location
London, UK
For Intel, doing anything that makes them having a huge advantage over the competition is routine, no matter how ugly or evil it is, in the end of the day is just business practices.
 
Joined
Jul 28, 2007
Messages
94 (0.01/day)
Location
Portugal
Processor AMD Ryzen 5 3600
Motherboard MSi MPG X570 Gaming Plus
Cooling Noctua NH-D14
Memory G.Skill DDR4-3600 Trident Z CL 16
Video Card(s) MSi GTX 1080 Gaming X 8GB
Storage Crucial P1 500GB M.2 NVMe
Display(s) Acer Predator XB1 IPS 165Hz G-Sync
Case Lian-Li PC-A10B
Audio Device(s) Creative X-Fi Titanium Fatal1ty Pro Series
Power Supply Seasonic Focus+ Gold 750W
Mouse Zowie EC1-A
Keyboard G.Skill KM780 MX (MX brown)
Bribe - dishonestly persuade (someone) to act in one's favour by a gift of money or other inducement.

Intel: "Hey guys, please lie to the public [underplay severity of exploit] in our favor[so we won't be so screwed with yet another vulnerability in our cpu's] in exchange for money [40k$+80k$]"

Imo it fits the definition of a bribe perfectly. Intel seems to have asked them to lie in exchange for money.
That is of course while assuming that the entire story is true as it's described.

It's fair to view things that way.
But hen again, considering the security context part of it, in which the said information could eventually publicly persuade hackers into an even more intensive attack towards those vulnerabilities, possibly putting companies who pack Intel hardware into a even more fragile situation, then it's also kind of logical that another 6 months could be for the better good overall. That is, giving more time to spread possible fixes so when things got out to the public most of the affected clients would be already protected. When the group refused, only thing Intel could do was to try make things not so dangerous for their products and their customers/clients, avoiding a possible attack escalation. But for that to happen, the research group would have to agree to something. Question is, what would it take for them to accept?
- accepting just "for the better good" if Intel asked?
- accepting any type of non-monetary favor/benefit for the Uni?
- accepting more money?
Considering they already accepted money $100k for the initial Intel reward program, but refused to wait any longer, then it's fair to assume Intel could at least try offer some more to try get a different type of secondary deal.
Obviously this gets much more complicated and shady when we consider all the possible background intentions for Intel to try downplay the problem and protect itself as a big company (apart from the obvious security one).
 
Joined
Jun 19, 2010
Messages
409 (0.08/day)
Location
Germany
Processor Ryzen 5600X
Motherboard MSI A520
Cooling Thermalright ARO-M14 orange
Memory 2x 8GB 3200
Video Card(s) RTX 3050 (ROG Strix Bios)
Storage SATA SSD
Display(s) UltraHD TV
Case Sharkoon AM5 Window red
Audio Device(s) Headset
Power Supply beQuiet 400W
Mouse Mountain Makalu 67
Keyboard MS Sidewinder X4
Software Windows, Vivaldi, Thunderbird, LibreOffice, Games, etc.
So the university spoke about getting under NDA if they participate in the "Intel Bug Bounty Program" ?

If thats true, the program is like a muzzle.
 
Joined
Apr 12, 2013
Messages
7,563 (1.77/day)
You get paid only after you sign the NDA under the bug Bounty program, the University could've chosen to not sign the NDA & release the exploit like that shady as hell CTS lab ~ but then they'd be panned even worse I guess.
 
Joined
Feb 19, 2019
Messages
324 (0.15/day)
What stopping AWS customers for example to ask to be moved to EPYC servers? is it a big problem?
 
Joined
Mar 10, 2015
Messages
3,984 (1.11/day)
System Name Wut?
Processor 3900X
Motherboard ASRock Taichi X570
Cooling Water
Memory 32GB GSkill CL16 3600mhz
Video Card(s) Vega 56
Storage 2 x AData XPG 8200 Pro 1TB
Display(s) 3440 x 1440
Case Thermaltake Tower 900
Power Supply Seasonic Prime Ultra Platinum
What stopping AWS customers for example to ask to be moved to EPYC servers? is it a big problem?

It is if AWS doesn't have any.
 
Status
Not open for further replies.
Top