
Intel Tried to Bribe Dutch University to Suppress Knowledge of MDS Vulnerability

Joined
May 11, 2016
Messages
261 (0.09/day)
Kind of struggling to find the issue that caused the finders of the flaw to turn down the $. An NDA for something like that in return for the reward is standard in any type of business for confidential things like this.

To me it seems to be a misconception on the part of the finders as to how IT works in large corporations. Every IT shop has approvals and thorough testing that every change has to go through, to make sure that a change doesn't have an unintended consequence or introduce a big bug. Intel became the market leader because their chips are reliable. I don't want them throwing out untested patches that are rushed out ASAP either, and the public would be in an uproar if Intel operated that way. It's not feasible to expect hotfixes for things like this in hours, and although Intel deservedly doesn't have a great rep I don't think this is the hill to die on for railing against big corporate evil. I also personally wouldn't view the payment as a "bribe". To me the flaw finders shot themselves in the foot turning down the money.

So a fix is going to take a little time, and that should be expected.
 
Joined
Mar 10, 2015
Messages
3,984 (1.20/day)
Kind of struggling to find the issue that caused the finders of the flaw to turn down the $. An NDA for something like that in return for the reward is standard in any type of business for confidential things like this.

To me it seems to be a misconception on the part of the finders as to how IT works in large corporations. Every IT shop has approvals and thorough testing that every change has to go through, to make sure that a change doesn't have an unintended consequence or introduce a big bug. Intel became the market leader because their chips are reliable. I don't want them throwing out untested patches that are rushed out ASAP either, and the public would be in an uproar if Intel operated that way. It's not feasible to expect hotfixes for things like this in hours, and although Intel deservedly doesn't have a great rep I don't think this is the hill to die on for railing against big corporate evil. I also personally wouldn't view the payment as a "bribe". To me the flaw finders shot themselves in the foot turning down the money.

So a fix is going to take a little time, and that should be expected.

They took the bounty. The money they rejected was to downplay the problem.
 
Joined
Jan 8, 2017
Messages
8,940 (3.36/day)
Intel needs an entire new re-structuring

At the end of the day they are going to draw the line and all they'll see are record revenues. As far as they're concerned they don't need to change anything, that's the sad reality. They do seem to be rather ruthless, they're piling up problems like there's no tomorrow. I am not sure for how long those record numbers will be able to cushion every mistake they make.
 

Space Lynx

Astronaut
Joined
Oct 17, 2014
Messages
16,000 (4.60/day)
Location
Kepler-186f
At the end of the day they are going to draw the line and all they'll see are record revenues. As far as they're concerned they don't need to change anything, that's the sad reality. They do seem to be rather ruthless, they're piling up problems like there's no tomorrow. I am not sure for how long those record numbers will be able to cushion every mistake they make.

Those numbers will change in the coming quarters I am afraid, EPYC Rome and 3700x are going to dominate like we have never seen, I suspect. Well EPYC is already dominating data centers and supercomputer deals.
 
Joined
Mar 10, 2015
Messages
3,984 (1.20/day)
At the end of the day they are going to draw the line and all they'll see are record revenues. As far as they're concerned they don't need to change anything, that's the sad reality. They do seem to be rather ruthless, they're piling up problems like there's no tomorrow. I am not sure for how long those record numbers will be able to cushion every mistake they make.

It is a sad truth and I'd honestly like to say people cared but they don't. You just have to remember that these problems don't affect anyone because you have to rub your tummy and your head at the same time, in opposite directions, in order to exploit it. To top that off, no one actually has any data that people want. Can you believe some people care?

But don't worry, they are going to save us with GPUs. They will be dirt cheap and better than AMD's.
 
Joined
Nov 4, 2005
Messages
11,688 (1.73/day)
Kind of struggling to find the issue that caused the finders of the flaw to turn down the $. An NDA for something like that in return for the reward is standard in any type of business for confidential things like this.

To me it seems to be a misconception on the part of the finders as to how IT works in large corporations. Every IT shop has approvals and thorough testing that every change has to go through, to make sure that a change doesn't have an unintended consequence or introduce a big bug. Intel became the market leader because their chips are reliable. I don't want them throwing out untested patches that are rushed out ASAP either, and the public would be in an uproar if Intel operated that way. It's not feasible to expect hotfixes for things like this in hours, and although Intel deservedly doesn't have a great rep I don't think this is the hill to die on for railing against big corporate evil. I also personally wouldn't view the payment as a "bribe". To me the flaw finders shot themselves in the foot turning down the money.

So a fix is going to take a little time, and that should be expected.

Their fix is going to cripple performance. Intel's lead in IPC is based on lack of security and checks that cost IPC in real world application switching.

There is no fix that won't cost IPC degradation.
 
Joined
Apr 16, 2010
Messages
2,067 (0.40/day)
.....this is just sad........it's like Intel in a hiring furry hired this guy too...

.....and he began building gpu-a-nators and installing self destruct buttons on everything........
 
Joined
Mar 10, 2015
Messages
3,984 (1.20/day)
Their fix is going to cripple performance. Intel's lead in IPC is based on lack of security and checks that cost IPC in real world application switching.

There is no fix that won't cost IPC degradation.

Let's be clear. Zen may not be vulnerable to these, but rest assured, Zen will have its issues as well. I can assure you that Intel is hard at work on it.
 
Joined
Nov 21, 2010
Messages
2,231 (0.46/day)
Location
Right where I want to be
I'm not part of Intel's bandwagon, but this article seems really confusing and kind of misleading... the title says Intel wanted to pay them to "suppress knowledge of MDS vulnerability", but then the article itself says instead they wanted them "to downplay the severity of the vulnerability". The first part implies the Dutch were not to say a thing (possibly until they fix the problem), the second part implies the information would be public but the severity and details would be "softened".
So after reading this, one may ask... "well, which one was it?" and why is the "bribe" word being used when there's a public bounty program in place by Intel to reward people that discover these kinds of issues with their products?

Suppress: keep info from going public until fix
Downplay: get fix out then release now blunted info due to issue being remedied, PR spins it to not look as bad.
 
Joined
Oct 22, 2014
Messages
13,210 (3.80/day)
Location
Sunshine Coast
Let's be clear. Zen may not be vulnerable to these, but rest assured, Zen will have its issues as well. I can assure you that Intel is hard at work on it.
Bribing Microsoft to cripple AMD performance? :p
 
Joined
Feb 23, 2019
Messages
5,637 (2.99/day)
Location
Poland
Suppress: keep info from going public until fix
Downplay: get fix out then release now blunted info due to issue being remedied, PR spins it to not look as bad.
I think they were more worried about what their investors would think about another vulnerability than the general public.
 
Joined
Oct 1, 2006
Messages
4,884 (0.76/day)
Location
Hong Kong
I think they were more worried about what their investors would think about another vulnerability than the general public.
Even more important than that, how their Data Center customers think.
After all that is where Intel's profit margins are.
 
Joined
Feb 17, 2017
Messages
852 (0.32/day)
Location
Italy
Did you even read your own post?

Besides, I don't believe it even for a second. Do you trust anything you read on the internet only because it might come from a "reputable" source?
 

FreedomEclipse

~Technological Technocrat~
Joined
Apr 20, 2007
Messages
23,377 (3.76/day)
Location
London,UK
So their response was pretty much an everyday boilerplate response that ignores the original accusation and of course Intel being caught with their hand in the cookie jar trying to initiate some antitrust behavior.
 
Joined
Jul 28, 2007
Messages
94 (0.02/day)
Location
Portugal
Did you even read your own post?

Did you even try to understand it? The said post had the objective to underline the lack of clear info and details from a reader's point of view, possibly creating more questions and doubts than answers. Was it a case of "suppress" information or was it a case of "downplay" of the information? Was it actually both?
Which therefore made me (and the replies here prove I wasn't the only one) go to the original Reddit post to try to decipher the sequence of events and understand if the "bribe" term was something that made sense in this case, since Intel has a public reward program in place. So, without reading that Reddit post, and just considering this short TPU news, it's fair that a reader could have some questions on what actually was happening... "was the 40k+80k the first initial offer from Intel just to make them downplay the problem?", "was it part of a more complex sequence of events where Intel tried to suppress information?", "was the usual reward program even considered in this case and the group just completely refused?"

The rest of my own post was the result of my own findings after reading the Reddit page a few times (something I encourage everyone else to do and check if they reach the same scenario and conclusion). Which culminates in a better understanding of what happened and if the "bribe" wording can be applied after all. And the answer is: it can, depending on your point of view of it all and your own judgement of Intel's intentions along the entire process.

TLDR:
1 - information was unclear and insufficient after reading the short TPU article
2 - questions were presented
3 - further basic research reading was done to try to understand more
4 - results were presented to answer those questions.

Can't be more clear than this.
 

Dexiefy

New Member
Joined
Jul 30, 2018
Messages
26 (0.01/day)
So, basically, seems things went normal according to the usual Intel bounty/reward program, until Intel wanted another 6 months of time to work on the issue. The group didn't want to wait any longer than the initial program deal they made, and in response Intel wanted to at least make things look publicly less "worrying", by asking them to publicly say the vulnerability wasn't really that big of a deal, offering them another $40k + $80k. They refused the offer and released the research untouched.

Considering it's a security problem, one can see why Intel wanted to at least try some "damage control". Even if the group accepted the "downplay" offer, eventually with time, the real severity would come out and that would make the group and Intel look bad. Difference is, Intel can afford to look bad in that situation, especially if the reasons were based on "customer's security".
Bribe - dishonestly persuade (someone) to act in one's favour by a gift of money or other inducement.

Intel: "Hey guys, please lie to the public [underplay severity of exploit] in our favor [so we won't be so screwed with yet another vulnerability in our CPUs] in exchange for money [40k$+80k$]"

Imo it fits the definition of a bribe perfectly. Intel seems to have asked them to lie in exchange for money.
That is of course while assuming that the entire story is true as it's described.
 
Joined
May 8, 2018
Messages
1,497 (0.69/day)
Location
London, UK
For Intel, doing anything that makes them have a huge advantage over the competition is routine, no matter how ugly or evil it is; at the end of the day it is just business practices.
 
Joined
Jul 28, 2007
Messages
94 (0.02/day)
Location
Portugal
Bribe - dishonestly persuade (someone) to act in one's favour by a gift of money or other inducement.

Intel: "Hey guys, please lie to the public [underplay severity of exploit] in our favor [so we won't be so screwed with yet another vulnerability in our CPUs] in exchange for money [40k$+80k$]"

Imo it fits the definition of a bribe perfectly. Intel seems to have asked them to lie in exchange for money.
That is of course while assuming that the entire story is true as it's described.

It's fair to view things that way.
But then again, considering the security context part of it, in which the said information could eventually publicly persuade hackers into an even more intensive attack towards those vulnerabilities, possibly putting companies who pack Intel hardware into an even more fragile situation, then it's also kind of logical that another 6 months could be for the better good overall. That is, giving more time to spread possible fixes so when things got out to the public most of the affected clients would be already protected. When the group refused, the only thing Intel could do was to try to make things not so dangerous for their products and their customers/clients, avoiding a possible attack escalation. But for that to happen, the research group would have to agree to something. Question is, what would it take for them to accept?
- accepting just "for the better good" if Intel asked?
- accepting any type of non-monetary favor/benefit for the Uni?
- accepting more money?
Considering they already accepted $100k for the initial Intel reward program, but refused to wait any longer, then it's fair to assume Intel could at least try to offer some more to try to get a different type of secondary deal.
Obviously this gets much more complicated and shady when we consider all the possible background intentions for Intel to try to downplay the problem and protect itself as a big company (apart from the obvious security one).
 
Joined
Jun 19, 2010
Messages
401 (0.08/day)
Location
Germany
So the university spoke about getting under NDA if they participate in the "Intel Bug Bounty Program"?

If that's true, the program is like a muzzle.
 
Joined
Apr 12, 2013
Messages
6,750 (1.67/day)
You get paid only after you sign the NDA under the Bug Bounty program. The University could've chosen to not sign the NDA & release the exploit like that shady as hell CTS lab ~ but then they'd be panned even worse I guess.
 
Joined
Feb 19, 2019
Messages
324 (0.17/day)
What's stopping AWS customers, for example, from asking to be moved to EPYC servers? Is it a big problem?
 
Joined
Mar 10, 2015
Messages
3,984 (1.20/day)
What's stopping AWS customers, for example, from asking to be moved to EPYC servers? Is it a big problem?

It is if AWS doesn't have any.
 