AMD Reports Theft of Graphics IP, Stolen

[erek]

Stolen stuff, unfortunately

"According to a Torrent Freak report, AMD used the Digital Millennium Copyright Act (DMCA) to take down the leaked information. The person behind the data breach posted the it (mostly source code related to drivers or firmware), onto a GitHub repository by the handle "xxXsoullessXxx," and titled "AMD-navi-GPU-HARDWARE-SOURCE." The repo contains code that points to "Navi 10," "Navi 21," and "Arden," possibly an internal codename for the GPU of Xbox Series X. Following the DMCA complaint, GitHub's admins promptly scrubbed the repo.

The Torrent Freak report also includes a conversation with the person. "In November 2019, I found AMD Navi GPU hardware source codes in a hacked computer. The user didn't take any effective action against the leak of the codes," she states. "The source code was unexpectedly achieved from an unprotected computer//server through some exploits. I later found out about the files inside it. They weren't even protected properly or even encrypted with anything which is just sad." The leaker values the information at around $100 million, and is willing to sell it to the highest bidder. "If I get no buyer I will just leak everything," she told Torrent Freak."

https://www.techpowerup.com/265076/...tolen-information-not-core-to-competitiveness

 

[Sycraft]

What I want to know is who this idiot leaker thinks this is worth any money to? It isn't like there are tons of GPU companies out there. None of the established ones would touch this since not only do they have their own tech that is as good/better, but it would open them up to civil and criminal liability. What's more, starting a GPU company is expensive as fuck. The amount of R&D it takes to make this stuff is huge. So ti isn't like you could just grab this and then suddenly pop up as a new competitor. You'd need billions in investment and years to get spun up.

This is basically worthless. Just like when some idiot stole the Coke formula and tried to sell it to Pepsi. Pepsi didn't want it, they don't want to replicate Coke's taste, they have their own, nor would they want to be in legal trouble.

 

[Zarathustra[H]]

What I want to know is who this idiot leaker thinks this is worth any money to? It isn't like there are tons of GPU companies out there. None of the established ones would touch this since not only do they have their own tech that is as good/better, but it would open them up to civil and criminal liability. What's more, starting a GPU company is expensive as fuck. The amount of R&D it takes to make this stuff is huge. So ti isn't like you could just grab this and then suddenly pop up as a new competitor. You'd need billions in investment and years to get spun up.

This is basically worthless. Just like when some idiot stole the Coke formula and tried to sell it to Pepsi. Pepsi didn't want it, they don't want to replicate Coke's taste, they have their own, nor would they want to be in legal trouble.

Mostly agree.

The only operators I think might find value here are state actors who want to start domestic businesses for local consumption, and don't care about global markets and thus the legal IP implications are not concerning to them.

China for instance.

Wouldn't be surprised if they would nab something like this and use it to create their own GPU industry. It wouldn't pop up immediately, but the thieving Chinese jerks are playing the long game and have the cash to burn.

That said, China would just steal the information themselves, not pay some nobody for it.

 

[Sycraft]

Yes and no. I'm not saying they might not be interested... but still it would be of questionable value. Even supposing you have the company right now, all the simulation and design equipment, all the staff, etc starting work on implementing something takes years. By the time you are done, this is old tech.

I just don't see this being worth much to anyone.

 

[Krazy925]

Mostly agree.

The only operators I think might find value here are state actors who want to start domestic businesses for local consumption, and don't care about global markets and thus the legal IP implications are not concerning to them.

China for instance.

Wouldn't be surprised if they would nab something like this and use it to create their own GPU industry. It wouldn't pop up immediately, but the thieving Chinese jerks are playing the long game and have the cash to burn.

That said, China would just steal the information themselves, not pay some nobody for it.

Basically this.

They might also pay if it made sense from a cost/performance ratio, and like all AMD buyers, not worried about the extra heat.

 

[Thunderdolt]

What I want to know is who this idiot leaker thinks this is worth any money to? It isn't like there are tons of GPU companies out there. None of the established ones would touch this since not only do they have their own tech that is as good/better, but it would open them up to civil and criminal liability. What's more, starting a GPU company is expensive as fuck. The amount of R&D it takes to make this stuff is huge. So ti isn't like you could just grab this and then suddenly pop up as a new competitor. You'd need billions in investment and years to get spun up.

This is basically worthless. Just like when some idiot stole the Coke formula and tried to sell it to Pepsi. Pepsi didn't want it, they don't want to replicate Coke's taste, they have their own, nor would they want to be in legal trouble.

The value might lie in a competitor gaining insight into launch and architecture timelines. For example, if AMD had known 5 years ago that Nvidia was going to launch with hardware RT, they might have been more serious about adding it to the last round of cards that launched.

 

[5150Joker]

What I want to know is who this idiot leaker thinks this is worth any money to? It isn't like there are tons of GPU companies out there. None of the established ones would touch this since not only do they have their own tech that is as good/better, but it would open them up to civil and criminal liability. What's more, starting a GPU company is expensive as fuck. The amount of R&D it takes to make this stuff is huge. So ti isn't like you could just grab this and then suddenly pop up as a new competitor. You'd need billions in investment and years to get spun up.

This is basically worthless. Just like when some idiot stole the Coke formula and tried to sell it to Pepsi. Pepsi didn't want it, they don't want to replicate Coke's taste, they have their own, nor would they want to be in legal trouble.

One word: China

 

[cjcox]

Makes you wonder if Intel Xe source code was posted if Intel or the consumers would make them take it down.

 

[ChadD]

There just software drivers. Zero value unless they include die schematics or something. lol

Frankly its a bit silly any of the GPU companies bother locking their drivers down. In this case its doubly pointless as AMD provides all the required hardware information to open source driver teams. Open source Navi drivers are already a thing. The few bits unique to the closed source windows drivers are hardly unique... and they aren't detailing anything that can be reproduced in a hardware design.

I guess the only real reason to keep windows drivers closed... is to keep the average moron PC user from downloading BS malware drivers, that are recompiled for super super hold onto your seat gaming.

 

[cybereality]

Wow. Hacker dude must be smoking something if he thinks he'll get paid $100M for this.

Especially since, as you say ChadD, AMD releases drivers open source on Linux.

 

[Sycraft]

There just software drivers. Zero value unless they include die schematics or something. lol

Frankly its a bit silly any of the GPU companies bother locking their drivers down. In this case its doubly pointless as AMD provides all the required hardware information to open source driver teams. Open source Navi drivers are already a thing. The few bits unique to the closed source windows drivers are hardly unique... and they aren't detailing anything that can be reproduced in a hardware design.

I guess the only real reason to keep windows drivers closed... is to keep the average moron PC user from downloading BS malware drivers, that are recompiled for super super hold onto your seat gaming.

They don't have a choice actually. You'll notice that when AMD released their OSS drivers they were very incomplete and needed a lot of community work (and still aren't feature parity with the closed Linux drivers). Reason is licensed code. A lot of code out there is licensed, and they can't just put it out for free. Even simple things like OpenGL. Yes there are free implementations, but the companies license it for their drivers and can't just hand out the licensed version. They may have other reasons to try and bee all secretive too, good or bad, but there are legit licensing reasons they can't just hand out their code as-is.

 

[cybereality]

HDMI is one of them. Maybe it's fixed now, but about 1 or 2 years ago when I was setting up an AMD rig on Ubuntu, you couldn't even get audio over HDMI without the proprietary drivers.

 

[DukenukemX]

Wow. Hacker dude must be smoking something if he thinks he'll get paid $100M for this.

Especially since, as you say ChadD, AMD releases drivers open source on Linux.

The open source drivers on Linux are not the same drivers used in Windows. Even still, I don't think the firmware used for the drivers is open source on Linux. Honestly, I never understood the reason for AMD or Nvidia for not having open source drivers. I personally would like to see someone take this code and use it for older legacy AMD graphic cards, if that's possible.

 

[Nobu]

HDMI is one of them. Maybe it's fixed now, but about 1 or 2 years ago when I was setting up an AMD rig on Ubuntu, you couldn't even get audio over HDMI without the proprietary drivers.

More or less fixed in the open drivers now. Still some buggyness last I used it, but it works at least.

 

[thebufenator]

Source code for hardware drivers?

Who wants a privesc? Anyone?

 

[Sycraft]

The open source drivers on Linux are not the same drivers used in Windows. Even still, I don't think the firmware used for the drivers is open source on Linux. Honestly, I never understood the reason for AMD or Nvidia for not having open source drivers. I personally would like to see someone take this code and use it for older legacy AMD graphic cards, if that's possible.

Like I said in another post: Licensed code. That's why they don't just open everything up. They can't, legally.

 

[Jim Kim]

There just software drivers. Zero value unless they include die schematics or something. lol

Frankly its a bit silly any of the GPU companies bother locking their drivers down. In this case its doubly pointless as AMD provides all the required hardware information to open source driver teams. Open source Navi drivers are already a thing. The few bits unique to the closed source windows drivers are hardly unique... and they aren't detailing anything that can be reproduced in a hardware design.

I guess the only real reason to keep windows drivers closed... is to keep the average moron PC user from downloading BS malware drivers, that are recompiled for super super hold onto your seat gaming.

Unlock you laptops hidden potential. Make your integrated APU perform as fast or faster than a discrete RX 5700XT.
EXTREME GAMING DRIVERS!!1!
guaranteed free of root kits, ransomeware and zombie ddos code

 

[cybereality]

Download more shader cores.

 

[1_rick]

Honestly, I never understood the reason for AMD or Nvidia for not having open source drivers.

Like I said in another post: Licensed code.

It's that, and at least in the past, they've said they consider what's in there to be proprietary business secrets (as in, if it were open sourced, they could lose a competitive advantage.) Obviously they won't say what specifically they consider such an advantage.

 

[Darth Ender]

It's not about using the driver or parts of it. It's about seeing the code so you can make brand new exploits. That's worth money.

 

[DukenukemX]

It's that, and at least in the past, they've said they consider what's in there to be proprietary business secrets (as in, if it were open sourced, they could lose a competitive advantage.) Obviously they won't say what specifically they consider such an advantage.

I get things like video decoding and etc, but that stuff works on Linux's open source drivers without issue. As an AMD user, the Linux drivers are far better. If you have a GCN or newer AMD graphics card, the Linux drivers will perform better, especially with DXVK.

 

[M76]

Mostly agree.

The only operators I think might find value here are state actors who want to start domestic businesses for local consumption, and don't care about global markets and thus the legal IP implications are not concerning to them.

China for instance.

Wouldn't be surprised if they would nab something like this and use it to create their own GPU industry. It wouldn't pop up immediately, but the thieving Chinese jerks are playing the long game and have the cash to burn.

That said, China would just steal the information themselves, not pay some nobody for it.

I think that's naivety. Nvidia wouldn't pass up the opportunity to look under the hood of AMD firmware and drivers, of course they wouldn't use any of it directly, but even looking at it can be extremely beneficial. Industrial espionage is widespread.

 

[illli]

looks like the xbox source code was stolen too
https://www.engadget.com/2020-03-25-hacker-steals-source-code-for-xbox-series-x-graphics.html

 

[/dev/null]

What I want to know is who this idiot leaker thinks this is worth any money to? It isn't like there are tons of GPU companies out there. None of the established ones would touch this since not only do they have their own tech that is as good/better, but it would open them up to civil and criminal liability. What's more, starting a GPU company is expensive as fuck. The amount of R&D it takes to make this stuff is huge. So ti isn't like you could just grab this and then suddenly pop up as a new competitor. You'd need billions in investment and years to get spun up.

This is basically worthless. Just like when some idiot stole the Coke formula and tried to sell it to Pepsi. Pepsi didn't want it, they don't want to replicate Coke's taste, they have their own, nor would they want to be in legal trouble.

Probably worth a lot to state-actor type agencies to find vulnerabilities for future exploits.

 

[/dev/null]

It's not about using the driver or parts of it. It's about seeing the code so you can make brand new exploits. That's worth money.

EXACTLY this.

 

[Sycraft]

Probably worth a lot to state-actor type agencies to find vulnerabilities for future exploits.

Any state actor could get it for much cheaper. Just have someone inserted at AMD that gets you the code. For that matter, they probably already have the code. Generally governments want to do code audits for security and they are big customers, so they'll get access to source code. It isn't the giant secret people assume it is. A good example is the Microsoft Shared Source program. Lots of entities have Windows source code.

Finally, most vulnerabilities are found by beating on the compiled product, not by staring at the source. There's this idea that there must be huge flaws, just sitting around in source code waiting to be seen and as soon as someone looks at it they can find them. Well that would assume that the people doing the programming suck, and can't see said problems. That's not the case for most big projects. Not only are the devs pretty clever, but they usually have internal review and audit teams. A lot of smart, motivated, trained people review the code. So the bugs that remain are ones that are not obvious, not something you see by looking at the source and going "Ahh look, they screwed up." Rather they are complex interactions that you only find by beating on the operational device.

An example of that kind of thing would be the SMM Sinkhole developed by Chris Domas. There was no flaw in the code he exploited, as he himself says, it is properly written down to the assembly level. Nor did he break the many protection features, etc. Instead he found an interaction between the APIC and MCH that was unexpected and allowed him to cause the EFI code to do something unintended, which he could exploit. This wasn't reading source code and going "Look how stupid these programmers are, there is an obvious exploit here!" It was carefully examining things in operation, and beating on them until getting them to work in an unexpected way that could cause a vulnerability.

 

[DukenukemX]

looks like the xbox source code was stolen too
https://www.engadget.com/2020-03-25-hacker-steals-source-code-for-xbox-series-x-graphics.html

That could become useful for anyone looking to make a Xbox Series X emulator.

 

[cybereality]

That could become useful for anyone looking to make a Xbox Series X emulator.

That happened to have, you know, $100M just laying around.

 

[DukenukemX]

That happened to have, you know, $100M just laying around.

Assuming the person just releases the source code for free.

 

[Darth Ender]

Any state actor could get it for much cheaper. Just have someone inserted at AMD that gets you the code. For that matter, they probably already have the code. Generally governments want to do code audits for security and they are big customers, so they'll get access to source code. It isn't the giant secret people assume it is. A good example is the Microsoft Shared Source program. Lots of entities have Windows source code.

Finally, most vulnerabilities are found by beating on the compiled product, not by staring at the source. There's this idea that there must be huge flaws, just sitting around in source code waiting to be seen and as soon as someone looks at it they can find them. Well that would assume that the people doing the programming suck, and can't see said problems. That's not the case for most big projects. Not only are the devs pretty clever, but they usually have internal review and audit teams. A lot of smart, motivated, trained people review the code. So the bugs that remain are ones that are not obvious, not something you see by looking at the source and going "Ahh look, they screwed up." Rather they are complex interactions that you only find by beating on the operational device.

An example of that kind of thing would be the SMM Sinkhole developed by Chris Domas. There was no flaw in the code he exploited, as he himself says, it is properly written down to the assembly level. Nor did he break the many protection features, etc. Instead he found an interaction between the APIC and MCH that was unexpected and allowed him to cause the EFI code to do something unintended, which he could exploit. This wasn't reading source code and going "Look how stupid these programmers are, there is an obvious exploit here!" It was carefully examining things in operation, and beating on them until getting them to work in an unexpected way that could cause a vulnerability.

How firmware is signed and checked can best be determined by looking at the source. Loading hacked firmware is very much the in-thing to do these days. But otherwise, sure, you tend to have work around the idiosyncrasies of how a compiled object executes and the source code is not very helpful in doing that, it is still helpful in showing you where to hunt instead of blindly guessing and checking. You could easily identify functions / variables that look to overrun buffers or not be securely checking bounds and focus your attention there. The compiler may have protected them, maybe not...but you at least know the best places to look so you're not wasting a bunch of time on hopes and dreams. Most exploits aren't created by demigods of assembly.

Also if somehow the source could be buildable and signed to look like it came from amd, then you could have a lot of fun with people.

Personally though, it would be interesting to see if there are any cheats to benchmarks or shortcuts for specific games hardcoded in to make framerates faster at the expense of something they're not saying. Similar to what nvidia has been found guilty of in the past. This would be huge news if it was nvidia's source code leaked. I'm sure they still have sneaky stuff going on in their drivers. Why else would they be so hesitant to release firmware blobs and use standard api's in open source land unless they're doing some hoopty stuff in their drivers.