This is the original source (from my knowledge) but it's in German: https://www.nrc.nl/nieuws/2019/05/14/hackers-mikken-op-het-intel-hart-a3960208

Dutch not German, I think. And IIRC we actually have a few Dutch speakers on Tildes too... so hopefully one of them chimes in and can let us know what the source says, how reliable a publication it is and maybe even if they can find anything about the topic from VU Amsterdam.

Woops, I mean, they're similar languages so I won't blame myself too much for the mistake. Hopefully someone else can chime in to see, yeah.

Hoi, I am Dutch.
This article is indeed in Dutch; you can tell from the lack of German characters like ü and ö and the inclusion of the Dutch digraph ij.
The source you linked (which I'd say is quite trusted) doesn't mention much about bribes.
The Amsterdam university is also the only party to receive a reward: 100,000 dollars (89,000 euros), Intel's maximum reward for discoverers of critical leaks.
The bounty does leave a slightly bad aftertaste, though. According to the VU, Intel tried to play down the seriousness of the leak by officially paying out a 40,000 dollar reward and another 80,000 dollars 'separately'.
This says that Intel wanted to give the VU 40k dollars officially as a reward for finding the bug and another 80k separately. This offer was refused and they ended up getting 100k on the books, the max amount available in the program.

Also Dutch. @wanda-seldon is correct. The NRC is one of the 3 or 4 most established/trusted papers in the Netherlands.
Full translation of the quote:
The Amsterdam university is the only party to get a reward: 100.000 dollars (89.000 Euro), Intel's maximum reward for people who discover critical leaks.
There is something a little bit off about the bounty, however. According to the VU [the aforementioned university in Amsterdam] Intel tried to play down the seriousness of the leak by paying out a 40.000 dollar reward officially and another 80.000 dollars 'apart' [could also be translated as 'on the side'].

I'm not really sure that 'bribe' is the correct term here - bug bounties are an established practice, and timed releases in order to patch before announcements are an overwhelmingly common response. Maybe a bit heavy-handed in that they wholly control that release date, but this is a bit hyperbolic.

The Dutch article that's been linked in this thread says they initially tried to give them $40k on the books, and then $80k 'on the side'.
I imagine that's where the talk of bribes is coming in. That's above the $100k cap for the program, and not only that, the "on the books" payment of $40k wouldn't scream "MAJOR ISSUE" like a $100k bounty being handed in.
There's clearly something off about that.

Personally, the biggest problem I have with it is the NDA. And while I understand this is common practice,
Intel says that this gives them the chance to address the issues before hackers have time to design and spread malware that exploit the vulnerability.
This seems simply impossible considering it's a hardware issue, you can't fix it.

You can significantly reduce the risk or even completely bypass the issue by turning off certain features, which of course cost performance.

If you mean disabling hyperthreading, Intel would never be able to retroactively disable it themselves for all CPUs and if they did, it would be a catastrophic event for them.

Even without a true fix there are mitigations to be applied. Looking into critical infrastructure and doing risk assessments that might mean adding extra layers of security or swapping out for alternative hardware, testing for plausible applications of the exploit and designing out of channel protection from those specific applications, etc.