Friday, May 17th 2019

Intel Tried to Bribe Dutch University to Suppress Knowledge of MDS Vulnerability

Updated by
btarunr
 Updated: Discuss (87 Comments)
Cybersecurity researchers at the Vrije Universiteit Amsterdam, also known as VU Amsterdam, allege that Intel tried to bribe them to suppress knowledge of the latest processor security vulnerability RIDL (rogue in-flight data load), which the company made public on May 14. Dutch publication Nieuwe Rotterdamsche Courant reports that Intel offered to pay the researchers a USD $40,000 "reward" to allegedly get them to downplay the severity of the vulnerability, and backed their offer with an additional $80,000. The team politely refused both offers.

Intel's security vulnerability bounty program is shrouded in CYA agreements designed to minimize Intel's losses from the discovery of a new vulnerability. Under its terms, once a discoverer accepts the bounty reward, they enter into a NDA (non-disclosure agreement) with Intel, to not disclose their findings or communicate in the regard with any other person or entity than with certain authorized people at Intel. With public knowledge withheld, Intel can work on mitigation and patches against the vulnerability. Intel argues that information of vulnerabilities becoming public before it's had a chance to address them would give the bad guys time to design and spread malware that exploits the vulnerability. This is an argument the people at VU weren't willing to buy, and thus Intel is forced to disclose RIDL even as microcode updates, software updates, and patched hardware are only beginning to come out.

Update: (17/05): An Intel spokesperson commented on this story.

Intel contacted us with a statement on this story pertaining to the terms of its bug bounty program:
"We [Intel] believe that working with skilled security researchers across the globe is a crucial part of identifying and mitigating security vulnerabilities. One of the ways we engage with researchers is through our bug bounty program. We provide a clear overview of our bug bounty program requirements, eligibility and award schedule on our website."
Sources: NRC.nl, EverythingIsNorminal (Reddit)

Related News

Add your own comment

87 Comments on Intel Tried to Bribe Dutch University to Suppress Knowledge of MDS Vulnerability

#26
FreedomEclipse
~Technological Technocrat~
oxidizedI don't believe it for a second.
Yeah I mean its not as if Intel were paying or offering OEMs and system builders deep discounts to build more Intel based units or cut out AMD units completely a few years back.

This has been widely documented and even landed Intel in a certain court for anti-trust/anti-competitive practises and fined a few million or billion for their behavior.
Posted on Reply
#27
moproblems99
Feel bad for all the people that couldn't wait for Zen 2 and rushed out and bought one. The feeling it must be to support such people...
Posted on Reply
#28
rtwjunkie
PC Gaming Enthusiast
MetroidIntel is a crooked company, only few websites dont go along with their evil tactics, here at techpowerup we see a neutral take on both, amd or intel, websites for example like anantech there is only intel and their products, I mean amd name and products or news are rarely published there, just for the sake of an unbiased view, I challenge you right now to go to anantech and check their main page, is 100% filled with intel marketing things. It's sad. We need more neutral tech websites like techpowerup. Intel buys everything in order to keep its name and products high priority.
You talk about biased as a bad thing, and yet there you are, completely biased.

Did you read the whole thread, beyond the headline? I point you to Post#17
Posted on Reply
#29
moproblems99
ssdproWouldn't we want Intel and AMD paying rewards for these discoveries and suppressing the discovery until a patch is issued? Why do these groups want to discover vulnerabilities and immediately expose everyone? I would think these groups would be on the side of consumers but it seems they are on the side of attackers if they intend to release info and expose everyone before fixes are available.

I am a not a fanboy of anyone, currently running AMD in my desktop and Intel in a notebook. Common sense isn't a fanboy.
Generally 90 days is sufficient to patch most problems. If it isn't, as long as the discoverer feels the company is doing its part by engineering a fix, things don't get disclosed. Considering we are well beyond that, I am pretty sure that appropriate decisions were made.

Though I would have contacted a member of the FTC or something to accept the money on my behalf from Intel. In secret.
Posted on Reply
#30
john_
It's so easy to believe that Intel tried to bribe someone, it's not even news. It's routine.
Posted on Reply
#31
moproblems99
MAXLDSo, basically, seems things went normal according to the usual Intel bounty/reward program, until Intel wanted another 6 months of time to work on the issue. The group didn't want to wait any longer than the initial program deal they made, and in response Intel wanted to at least make things look publicly less "worrying", by asking them to publicly say the vulnerability it wasn't really that of a big deal, offering them another $40k + $80k. They refused the offer and released the research untouched.
Everything else you say is quite truthful and I applaud your extra research and fact finding. However, it is not common practice to downplay the severity (from my understanding). The security industry is founded upon giving people the truth about the risk in their products. If they don't then they have failed the community and people who depend on CVEs when buying their infrastructure (think clouds) etc or risk assessments of their assets. Especially when Intel has the fix ready. It seems more logical they wanted the extra 6 months so they could launch a product without this cloud hanging over. These vulnerabilities are relatively low risk for you and I but not so for enterprise and data centers.

Again, we don't really know for sure so it is hard to say and everyone will make of it what they will. Considering Intel got busted paying off OEMs previously, the former is accusation is plausible. But since we also accused MSI (with no evidence whatsoever) of trying to pull the wool over everyone's eyes with the AM4 socket, I am not surprised by the wording either.
Posted on Reply
#32
RealNeil
SIGSEGVIntel seriously need medics here..
can you say, "Sucking Chest Wound?"
Posted on Reply
#33
Redwoodz
The bribe part came in when Intel wanted to delay 6 months. Of course Zen2 being launched next month had nothing to do with it. ;)
Posted on Reply
#34
Ahhzz
MAXLDI'm not part of Intel's bandwagon, but this article seems really confusing and kind of misleading... the title says Intel wanted to pay them to "suppress knowledge of MDS vulnerability", but then the article itself says instead they wanted them "to downplay the severity of the vulnerability". The first part implies the Dutch to don't say a thing (possibly until they fix the problem), the second part implies the information would be public but the severity and details to be "softened".
So after reading this, one may ask... "well, which one was it?" and why is the "bribe" word being used when there's a public bounty program in place by Intel to reward people that discover these kind of issues with their products?

Going to the source/reddit article to find some extra details doesn't exactly make things 100% clear, but it seems to me that it went like this:
- among several researcher groups taking a look at said vulnerabilities, the Dutch Uni was the one that found the major part of it
- Intel paid the Dutch Uni research group around $100,000 (89,000 euros) as part of their public bounty program (explained on their own press release also linked in this TPU article). They would reveal Intel the details and not publicly, so that Intel could investigate and work a security fix. (so nothing really shady here (as in bribe), seems normal procedure in these cases)
- the group said they would give Intel until May, then they would release the infos/leaks themselves
- apparently Intel wanted to wait another six months so they could get more time to fix it
- the group refused
- Intel then made them an additional offer of 40k , then another 80k on top, to convince them to downplay the severity /level of vulnerability of the problem, since sh/t would hit the fan anyway (probably to make things a bit less interesting for hackers and to avoid another public PR snowball)
- the group refused this additional offer to soften the exploit severity, and then released the vulnerability infos in May as planned.

So, basically, seems things went normal according to the usual Intel bounty/reward program, until Intel wanted another 6 months of time to work on the issue. The group didn't want to wait any longer than the initial program deal they made, and in response Intel wanted to at least make things look publicly less "worrying", by asking them to publicly say the vulnerability it wasn't really that of a big deal, offering them another $40k + $80k. They refused the offer and released the research untouched.

Considering it's a security problem, one can see why Intel wanted to at least try some "damage control". Even if the group accepted the "downplay" offer, eventually with time, the real severity would come out and that would make the group and Intel look bad. Difference is, Intel can afford to look bad in that situation, specially if the reasons were based on "customer's security".
Good explanation. :toast:
Posted on Reply
#35
Slizzo
rtwjunkieNice background work! What we have here is one of the only responders who bothered to do some source work, instead of just responding to the sensationalist headline.
What's sad is, that it shouldn't be up to this random internet person to give the full details on the issue and original article; it should be on the "news" team to research this and provide all the information.

But, alas, this isn't a "news" site, it's an editorial site.
Posted on Reply
#36
Metroid
rtwjunkieYou talk about biased as a bad thing, and yet there you are, completely biased.

Did you read the whole thread, beyond the headline? I point you to Post#17
uh? check, if there is even any talk or post about this problem on anantech and this is a very important news and yet there is nothing there at least acknowledging the problem and here you are saying I'm the problem, there must be something wrong inside your head.
Posted on Reply
#37
rtwjunkie
PC Gaming Enthusiast
Metroiduh? check, if there is even any talk or post about this problem on anantech and this is a very important news and yet there is nothing there at least acknowledging the problem and here you are saying I'm the problem, there must be something wrong inside your head.
So that would be a “no” to my question, check.
Posted on Reply
#38
oxidized
I'm not sure you people understand we're talking about a couple hundred thousand of dollars, do you really believe intel would risk to expose such a dirty move for that amount of money? We're talking about a +70 billion company here...
Posted on Reply
#39
Casecutter
R0H1TNo, they need a new security head. Clearly this guy isn't "working" so well :ohwell:
They should also hire a new lawyer :mad:
Love that those guys seem so much more ethical!

I'm fence sitting on this... One side is such findings should at least come to light/public (low level details) after a IDK a 4 week "grace period" where the company has a time to either fix or minimize vulnerability affect. But this... hey we'll pay you for a 6mo extension to not make public...? How many nefarious groups are exploiting it while Intel keep's it hush-hush... Or, that's just enough time to release their next offerings and minimize damage to a launch of products that vulnerability is still there. Perhaps the people who are exploiting it use the extra 6 mo's to release Drumps tax returns, make an attack on your country, or just ruin your credit. In-action is not a option.
Posted on Reply
#40
ShurikN
MAXLDSo after reading this, one may ask... "well, which one was it?" and why is the "bribe" word being used when there's a public bounty program in place by Intel to reward people that discover these kind of issues with their products?


- Intel then made them an additional offer of 40k , then another 80k on top, to convince them to downplay the severity /level of vulnerability of the problem
Did you even read your own post.
Posted on Reply
#41
Steevo
So they discovered the issue, reported it to Intel. Intel paid them.100K and had 6 months to disclose the security issues, didn't, then tried to bribe them with another 40 to not say anything. Then when they didn't take that Intel upped their bribe to 80K to down play it's security issues.

Sounds about right.
Posted on Reply
#42
moproblems99
Casecutterafter a IDK a 4 week "grace period" where the company has a time to either fix or minimize vulnerability affect
The typical grace period is 90 days. Then the researcher and company hash out the details. If it is going to take longer to fix then they will agree to hold off until the fix is ready. If the researcher doesn't believe what the company says then the research will release it after the 90 days or however long they think it will take to fix it.
Posted on Reply
#43
Unregistered
Per Intel's track record, this really shouldn't be a surprise... the opposite would've been a surprise if anything.
Posted on Edit | Reply
#44
Patriot
MAXLDI'm not part of Intel's bandwagon, but this article seems really confusing and kind of misleading... the title says Intel wanted to pay them to "suppress knowledge of MDS vulnerability", but then the article itself says instead they wanted them "to downplay the severity of the vulnerability". The first part implies the Dutch to don't say a thing (possibly until they fix the problem), the second part implies the information would be public but the severity and details to be "softened".
So after reading this, one may ask... "well, which one was it?" and why is the "bribe" word being used when there's a public bounty program in place by Intel to reward people that discover these kind of issues with their products?

Going to the source/reddit article to find some extra details doesn't exactly make things 100% clear, but it seems to me that it went like this:
- among several researcher groups taking a look at said vulnerabilities, the Dutch Uni was the one that found the major part of it
- Intel paid the Dutch Uni research group around $100,000 (89,000 euros) as part of their public bounty program (explained on their own press release also linked in this TPU article). They would reveal Intel the details and not publicly, so that Intel could investigate and work a security fix. (so nothing really shady here (as in bribe), seems normal procedure in these cases)
- the group said they would give Intel until May, then they would release the infos/leaks themselves
- apparently Intel wanted to wait another six months so they could get more time to fix it
- the group refused
- Intel then made them an additional offer of 40k , then another 80k on top, to convince them to downplay the severity /level of vulnerability of the problem, since sh/t would hit the fan anyway (probably to make things a bit less interesting for hackers and to avoid another public PR snowball)
- the group refused this additional offer to soften the exploit severity, and then released the vulnerability infos in May as planned.

So, basically, seems things went normal according to the usual Intel bounty/reward program, until Intel wanted another 6 months of time to work on the issue. The group didn't want to wait any longer than the initial program deal they made, and in response Intel wanted to at least make things look publicly less "worrying", by asking them to publicly say the vulnerability it wasn't really that of a big deal, offering them another $40k + $80k. They refused the offer and released the research untouched.

Considering it's a security problem, one can see why Intel wanted to at least try some "damage control". Even if the group accepted the "downplay" offer, eventually with time, the real severity would come out and that would make the group and Intel look bad. Difference is, Intel can afford to look bad in that situation, specially if the reasons were based on "customer's security".
We need you writing the stories here...
Posted on Reply
#45
Casecutter
moproblems99The typical grace period is 90 days
Depending on what it is, the unscrupulous could keep wreaking havoc for 3 mo's. IDK that feels generous especially depending on what it is and how it could be used.
Posted on Reply
#46
Diverge
Intel needs to class action lawsuit... I can't wait to cash in on all the flawed CPUs I've bought over the years....
Posted on Reply
#47
moproblems99
CasecutterDepending on what it is, the unscrupulous could keep wreaking havoc for 3 mo's. IDK that feels generous especially depending on what it is and how it could be used.
That's true but it has to be found by others in order to be used. Could other people have found it? Sure. Can everything be fixed in 4 weeks? No. 12 weeks? Maybe.

The key is that the longer it is not public then generally speaking the longer it doesn't get exploited. If the company is dragging their feet then they usually get called out and the vulnerability goes public. The problem with that is that it leaves people with the vulnerable system at the mercy of companies and bad actors.

The researchers have to use their judgement about which path to take: Hopefully protect users by not releasing the vulnerability while the patch happens or release the vulnerability to force the company to fix it (hope they do) and put users at greater risk.
Posted on Reply
#48
drade
Fake news intel a transparent company
Posted on Reply
#49
moproblems99
dradeFake news intel a transparent company
Clear as mud!
Posted on Reply
#50
dozenfury
Kind of struggling to find the issue that caused the finders of the flaw to turn down the $. An NDA for something like that in return for the reward is standard in any type of business for confidential things like this.

To me it seems to be a misconception on the part of the finders as to how IT works in large corporations. Every IT shop has approvals and thorough testing that every change has to go through, to make sure that a change doesn't have an unintended consequence or introduces a big bug. Intel became the market leader because their chips are reliable. I don't want them throwing out untested patches that are rushed out asap either, and the public would uproar if Intel operated that way. It's not feasible to expect hotfixes for things like this in hours, and although Intel deservedly doesn't have a great rep I don't think this is the hill to die on for railing against big corporate evil. I also personally wouldn't view the payment as a "bribe". To me the flaw finders shot themselves in the foot turning down the money.

So a fix is going to take a little time, and that should be expected.
Posted on Reply
Add your own comment
May 4th, 2024 08:59 EDT change timezone

Latest GPU Drivers

New Forum Posts

Popular Reviews

Controversial News Posts