Intel still struggling with security

Mega6

Still many security issues to be fixed

"researchers have kept quiet about the issues for eight months, providing Intel vital time to develop fixes. Intel even asked the security researchers to alter a paper they were planning to present, after it was clear the chip maker needed more time and it didn’t want the flaws to become public knowledge."
 
Ah. The haunting bug that has plagued Intel for a decade or more. To be fair most of these gaping security flaws would not be easy to fix unless you entirely designed a new architecture. But still, they’ve known about the vulnerability.

But the intriguing part, if true, is Intel trying to get the researchers to alter the paper....
 
If you believe you've found a security vulnerability in an Intel product or technology, we encourage you to notify us through our program and work with us to mitigate and to coordinate the disclosure of the vulnerability to minimize the risk that exploitable information becomes publicly known before mitigations are available.
https://www.intel.com/content/www/us/en/security-center/bug-bounty-program.html

Like a bull in a china shop, Intel is taking a wrecking ball to business ethics
 
Pff, only 100k for a critical bug? Unless those researchers are like Mother Teresa, they would be better off just selling the exploits on the dark web

I would imagine researchers who take Intel's Bounty Program money and disregard any obligation to disclose directly to the public could easily obtain alternate income streams from the dark web surreptitiously. After all, the exploit is there, the world knows many white and black hats would be looking for it. What is to say it wasn't someone else who realized the same bug existed and sold the exploit on the Dark Web?

I would wager Intel doesn't care if the exploit is on the Dark Web or not. Their biggest and only concern is that the Public at large is not made aware of the exploit via public disclosure. Public Disclosure actually hurts Intel's bottom line. Dark Web exploits which are not publicly disclosed or understood to link back to an Intel hardware security flaw do not actually hurt Intel. Therefore Intel only cares to prevent public disclosure from any angle where it might originate as that protects them from fallout over their security flaws and ultimately protects the shareholder's stock price valuations.
 
I would have given them 30 days then full disclosure with poc. If it harms them, tough marbles. Design less shitty products then.
 
Ah. The haunting bug that has plagued Intel for a decade or more. To be fair most of these gaping security flaws would not be easy to fix unless you entirely designed a new architecture. But still, they’ve known about the vulnerability.

But the intriguing part, if true, is Intel trying to get the researchers to alter the paper....

Between this and the misleading advertising, as a consumer, I am SHOCKED that a pillar of ethics such as Intel would engage in these sorts of practices.

Just kidding Intel is shit and we all know it. Time to stop pretending
 
From the article:
Intel isn’t fixing the core problem in existing processors, which would mean a redesign, instead it’s an endless game of whack-a-mole to patch each variant that pops up.
This is basically the bottom line, and it is obvious that Intel does not care about security, its customers, its transparency, or actually solving the problem.

Intel sat for nearly a decade on top, and had every opportunity to fix these design flaws, and really, they did this entirely to themselves.
If things continue for the next decade the way they have throughout this year, I give Intel until 2030 before complete bankruptcy, or at a minimum, irrelevance.
 
"we encourage you to notify us through our program and work with us"

yea, right. So what's in it for us Intel? How about you refund anyone who wants a refund for buying a "K" version of CPU but had to delid it to make it operate as a K version and voided their warranty in the process plus had to buy a delidding tool? I didn't think so :barefoot:
 
"we encourage you to notify us through our program and work with us"

yea, right. So what's in it for us Intel? How about you refund anyone who wants a refund for buying a "K" version of CPU but had to delid it to make it operate as a K version and voided their warranty in the process plus had to buy a delidding tool? I didn't think so :barefoot:

Ummm vote with your wallet. Intel didn’t make anyone do anything.

Not defending Intel. But I went with team red this round for a reason. I’m done supporting the BS.
 
Security Speed cheats, another reason why the 10980 is slower than the 980 in some tasks.. Mitigations.
 
I would have given them 30 days then full disclosure with poc. If it harms them, tough marbles. Design less shitty products then.

It's not about them. It's about us.

Intel will lose money, we may lose security. NBD on my home gaming machine. The thousands of Intel processors in every cloud, though, have implications for everyone.

And since there are no financial mitigations for companies that have purchased high volumes of Intel processors, migration to AMD to mitigate issues might cost an absolute fortune.
 
It's not about them. It's about us.

Intel will lose money, we may lose security. NBD on my home gaming machine. The thousands of Intel processors in every cloud, though, have implications for everyone.

And since there are no financial mitigations for companies that have purchased high volumes of Intel processors, migration to AMD to mitigate issues might cost an absolute fortune.

So what? Sounds like a good reason to sue Intel, not hide from the problem or try to sweep it under the rug. If I had a piece of medical equipment that gave faulty diagnoses/readings every so often and I was aware of it, the proper response is to replace or repair it, not ignore it because it would cost a lot of money.

In a sense you're right that it is about us. If you are handling my data you owe it to me to be using secure equipment. Burying your head in the sand regarding a security problem is negligent.
 