Friday, May 17th 2019

Intel Tried to Bribe Dutch University to Suppress Knowledge of MDS Vulnerability

Cybersecurity researchers at the Vrije Universiteit Amsterdam, also known as VU Amsterdam, allege that Intel tried to bribe them to suppress knowledge of the latest processor security vulnerability, RIDL (rogue in-flight data load), which the company made public on May 14. Dutch publication Nieuwe Rotterdamsche Courant reports that Intel offered to pay the researchers a USD $40,000 "reward", allegedly to get them to downplay the severity of the vulnerability, and then followed that offer with an additional $80,000. The team politely refused both offers.

Intel's security vulnerability bounty program is shrouded in CYA agreements designed to minimize Intel's losses from the discovery of a new vulnerability. Under its terms, once a discoverer accepts the bounty reward, they enter into an NDA (non-disclosure agreement) with Intel, agreeing not to disclose their findings or communicate in this regard with any person or entity other than certain authorized people at Intel. With public knowledge withheld, Intel can work on mitigation and patches against the vulnerability. Intel argues that information about vulnerabilities becoming public before it has had a chance to address them would give the bad guys time to design and spread malware that exploits the vulnerability. This is an argument the people at VU weren't willing to buy, and thus Intel is forced to disclose RIDL even as microcode updates, software updates, and patched hardware are only beginning to come out.

Update: (17/05): An Intel spokesperson commented on this story.

Intel contacted us with a statement on this story pertaining to the terms of its bug bounty program:
"We [Intel] believe that working with skilled security researchers across the globe is a crucial part of identifying and mitigating security vulnerabilities. One of the ways we engage with researchers is through our bug bounty program. We provide a clear overview of our bug bounty program requirements, eligibility and award schedule on our website."
Sources: NRC.nl, EverythingIsNorminal (Reddit)

85 Comments on Intel Tried to Bribe Dutch University to Suppress Knowledge of MDS Vulnerability

#1
oxidized
I don't believe it for a second.
#2
Jism
Owned. Intel is owned. Owned!
#3
ZoneDymo
oxidized said:

I don't believe it for a second.
I believe it, it kinda sorta happens all the time sooo yeah.
Hackers inform a company of a weak spot, they get paid for their find and they give the company a deadline to fix it or else they reveal the information.

This is really no different so what's your problem?
#4
s3thra
Oh that's not good PR. Ouch Intel.
#5
Xzibit
It was discovered in September and they notified Intel. Intel even paid the bounty. There usually is a 90 day period before the info goes public. We are well past double the time and Intel wanted another 6 months.
#6
GoldenX
Man, Intel needs a new PR department.
#7
R0H1T
GoldenX said:

Man, Intel needs a new PR department.
No, they need a new security head. Clearly this guy isn't "working" so well :ohwell:
[IMG alt="See the source image"]http://dl9fvu4r30qs1.cloudfront.net/46/41/561a4230477f9a18d5126f47cd07/better-call-saul-202.jpg[/IMG]

They should also hire a new lawyer :mad:

[IMG alt="See the source image"]http://assets2.ignimgs.com/2014/11/05/o-better-call-saul-facebookjpg-444599_1280w.jpg[/IMG]
#8
ShurikN
ZoneDymo said:

I believe it, it kinda sorta happens all the time sooo yeah.
Hackers inform a company of a weak spot, they get paid for their find and they give the company a deadline to fix it or else they reveal the information.

This is really no different so what's your problem?
He's a known hardcore Intel fanboy, of course he's gonna defend them tooth and nail. You're preaching to the wrong choir.
GoldenX said:

Man, Intel needs a new PR department.
Intel needs some serious restructuring from the ground up. IMO PR is least of their concern at the moment.
#9
enxo218
GoldenX said:

Man, Intel needs a new PR department.
better engineers would be more beneficial imo
#10
SIGSEGV
oxidized said:

I don't believe it for a second.
lol.
i believe it 1000%

Intel seriously needs medics here..
#11
lynx29
Intel needs an entire new re-structuring, and I think they are getting that now with the new CEO, sadly the new CEO doesn't care about consumer, he only cares about big data centers moving forward because that is where the money is. Luckily, AMD EPYC Rome 7nm is going to smoke Intel in that area too, so Intel will be forced to diversify and improve very fast to appease the stock holders. Free markets work as long as there is competition, AMD is bae.
#12
Abaidor
Dang cheap ass amateurs! $40,000 or $80,000? This is what you get for your cheapness......FAIL!

These things require "brute force"......Next time Intel throw a million on their face in one go and wipe the floor. But $40k? Come on, I would also tell you to shove it off!
#13
XiGMAKiD
btarunr said:

With public knowledge withheld...
you don't need to worry about wasting money on security :laugh:
#14
spnidel
classic intel
and to think they've been doing this for almost two decades now and people still buy their CPUs... jesus christ
#15
MAXLD
I'm not part of Intel's bandwagon, but this article seems really confusing and kind of misleading... the title says Intel wanted to pay them to "suppress knowledge of MDS vulnerability", but then the article itself says instead they wanted them "to downplay the severity of the vulnerability". The first part implies the Dutch don't say a thing (possibly until they fix the problem), the second part implies the information would be public but the severity and details would be "softened".
So after reading this, one may ask... "well, which one was it?" and why is the "bribe" word being used when there's a public bounty program in place by Intel to reward people that discover these kind of issues with their products?

Going to the source/reddit article to find some extra details doesn't exactly make things 100% clear, but it seems to me that it went like this:
- among several researcher groups taking a look at said vulnerabilities, the Dutch Uni was the one that found the major part of it
- Intel paid the Dutch Uni research group around $100,000 (89,000 euros) as part of their public bounty program (explained on their own press release also linked in this TPU article). They would reveal Intel the details and not publicly, so that Intel could investigate and work a security fix. (so nothing really shady here (as in bribe), seems normal procedure in these cases)
- the group said they would give Intel until May, then they would release the infos/leaks themselves
- apparently Intel wanted to wait another six months so they could get more time to fix it
- the group refused
- Intel then made them an additional offer of 40k, then another 80k on top, to convince them to downplay the severity/level of vulnerability of the problem, since sh/t would hit the fan anyway (probably to make things a bit less interesting for hackers and to avoid another public PR snowball)
- the group refused this additional offer to soften the exploit severity, and then released the vulnerability infos in May as planned.

So, basically, seems things went normal according to the usual Intel bounty/reward program, until Intel wanted another 6 months of time to work on the issue. The group didn't want to wait any longer than the initial program deal they made, and in response Intel wanted to at least make things look publicly less "worrying", by asking them to publicly say that the vulnerability wasn't really that big of a deal, offering them another $40k + $80k. They refused the offer and released the research untouched.

Considering it's a security problem, one can see why Intel wanted to at least try some "damage control". Even if the group accepted the "downplay" offer, eventually with time, the real severity would come out and that would make the group and Intel look bad. Difference is, Intel can afford to look bad in that situation, especially if the reasons were based on "customer's security".
#16
erixx
I'd have absolutely loved to have a room like this (at his age, not now, hahahah) (Taken from the news source NRC)

[attached image 123083]
#17
rtwjunkie
PC Gaming Enthusiast
MAXLD said:

I'm not part of Intel's bandwagon, but this article seems really confusing and kind of misleading... the title says Intel wanted to pay them to "suppress knowledge of MDS vulnerability", but then the article itself says instead they wanted them "to downplay the severity of the vulnerability". The first part implies the Dutch don't say a thing (possibly until they fix the problem), the second part implies the information would be public but the severity and details would be "softened".
So after reading this, one may ask... "well, which one was it?" and why is the "bribe" word being used when there's a public bounty program in place by Intel to reward people that discover these kind of issues with their products?

Going to the source/reddit article to find some extra details doesn't exactly make things 100% clear, but it seems to me that it went like this:
- among several researcher groups taking a look at said vulnerabilities, the Dutch Uni was the one that found the major part of it
- Intel paid the Dutch Uni research group around $100,000 (89,000 euros) as part of their public bounty program (explained on their own press release also linked in this TPU article). They would reveal Intel the details and not publicly so that Intel could investigate and work a security fix. (so nothing really shady here (as in bribe), seems normal procedure in these cases)
- the group said they would give Intel until May, then they would release the infos/leaks themselves
- apparently Intel wanted to wait another six months so they could get more time to fix it
- the group refused
- Intel then made them an additional offer of 40k, then another 80k on top, to convince them to downplay the severity/level of vulnerability of the problem, since sh/t would hit the fan anyway (probably to make things a bit less interesting for hackers and to avoid another public PR snowball)
- the group refused this additional offer to soften the exploit severity, and then released the vulnerability infos in May as planned.

So, basically, seems things went normal according to the usual Intel bounty/reward program, until Intel wanted another 6 months of time to work on the issue. The group didn't want to wait any longer than the initial program deal they made, and in response Intel wanted to at least make things look publicly less "worrying", by asking them to publicly say that the vulnerability wasn't really that big of a deal, offering them another $40k + $80k. They refused the offer and released the research untouched.

Considering it's a security problem, one can see why Intel wanted to at least try some "damage control". Even if the group accepted the "downplay" offer, eventually with time, the real severity would come out and that would make the group and Intel look bad. Difference is, Intel can afford to look bad in that situation, especially if the reasons were based on "customer's security".
Nice background work! What we have here is one of the only responders who bothered to do some source work, instead of just responding to the sensationalist headline.
#18
Chomiq
erixx said:

I'd have absolutely loved to have a room like this (at his age, not now, hahahah) (Taken from the news source NRC)
Best part about it, his Uni probably paid for most of it :D Dream deal.
#19
_Flare
Vrije Universiteit Amsterdam (Free University Amsterdam) wouldn't be free if under NDA.

So Intel would have to buy the whole thing and not make a joke of itself.
#20
Konceptz
cue Intel fanboy damage control
#21
tigger
I'm the only one
I'd have took the $40k no lie
#22
ssdpro
Wouldn't we want Intel and AMD paying rewards for these discoveries and suppressing the discovery until a patch is issued? Why do these groups want to discover vulnerabilities and immediately expose everyone? I would think these groups would be on the side of consumers but it seems they are on the side of attackers if they intend to release info and expose everyone before fixes are available.

I am not a fanboy of anyone, currently running AMD in my desktop and Intel in a notebook. Common sense isn't a fanboy.
#23
Metroid
40k or 80k is nothing to them, now if it was around 5 million then it might have achieved success.
#24
iO
ssdpro said:

Wouldn't we want Intel and AMD paying rewards for these discoveries and suppressing the discovery until a patch is issued? Why do these groups want to discover vulnerabilities and immediately expose everyone? I would think these groups would be on the side of consumers but it seems they are on the side of attackers if they intend to release info and expose everyone before fixes are available.

I am not a fanboy of anyone, currently running AMD in my desktop and Intel in a notebook. Common sense isn't a fanboy.
The standard 90 days deadline forces them to react and work on fixes instead of dragging their feet and hoping people will just buy their (probably also vulnerable) 10k series in a few months.
#25
Metroid
Intel is a crooked company, only a few websites don't go along with their evil tactics. Here at techpowerup we see a neutral take on both, amd or intel; on websites like AnandTech, for example, there is only intel and their products, I mean amd name and products or news are rarely published there. Just for the sake of an unbiased view, I challenge you right now to go to AnandTech and check their main page, it's 100% filled with intel marketing things. It's sad. We need more neutral tech websites like techpowerup. Intel buys everything in order to keep its name and products high priority.