
20GB leak of Intel data: whole Git repositories, dev tools, backdoor mentions - phoe-krk
https://twitter.com/deletescape/status/1291405688204402689
======
ccurrens
> If you find password protected zips in the release the password is probably
> either "Intel123" or "intel123". This was not set by me or my source, this
> is how it was acquired from Intel.

Can't say I'm surprised, people are lazy.

Another large tech company I used to work for commonly used an only-slightly
more complex password. But it was never changed, so people who had left the
team still could have access to things if they knew the password. It was an
entry point into the system more than the company's Red team.

~~~
schmichael
Password protection may have been used to bypass antivirus and other filters.
While you should treat dumps like this with a lot of suspicion, treat password
protected zips with a heaping dose of care as they may have been used to evade
automated defenses.
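A defender-side illustration of this point, added here and not code from any commenter: a mail or file gateway cannot inspect the contents of a password-protected entry, but it can tell that the entry is encrypted without knowing the password, because every record in the ZIP central directory carries an encryption flag. The archive builder, file names and payload bytes below are constructed for the example.

```python
import io
import struct
import zipfile
import zlib

SIG_LOCAL = b"PK\x03\x04"
SIG_CENTRAL = b"PK\x01\x02"
SIG_EOCD = b"PK\x05\x06"
FLAG_ENCRYPTED = 0x0001          # general-purpose bit 0: traditional PKWARE encryption
FLAG_STRONG_ENCRYPTION = 0x0040  # general-purpose bit 6: "strong encryption" extension
METHOD_AES = 99                  # WinZip AES is signalled by compression method 99

def build_zip(entries):
    """Build a minimal stored (uncompressed) ZIP from (name, data, flags) tuples.
    Constructed for this example: the flag bits are written directly so we can
    simulate an archive whose entries were password-protected without needing an
    encrypting zip tool (the payload bytes themselves stay in the clear)."""
    body, central = bytearray(), bytearray()
    for name, data, flags in entries:
        name_b = name.encode("utf-8")
        crc = zlib.crc32(data) & 0xFFFFFFFF
        offset = len(body)
        # local file header: version, flags, method, time, date, crc, sizes, name/extra lengths
        body += SIG_LOCAL + struct.pack("<HHHHHIIIHH", 20, flags, 0, 0, 0, crc,
                                        len(data), len(data), len(name_b), 0)
        body += name_b + data
        # central directory header: same fields plus comment/disk/attribute fields and offset
        central += SIG_CENTRAL + struct.pack("<HHHHHHIIIHHHHHII", 20, 20, flags, 0, 0, 0, crc,
                                             len(data), len(data), len(name_b), 0, 0, 0, 0, 0, offset)
        central += name_b
    eocd = SIG_EOCD + struct.pack("<HHHHIIH", 0, 0, len(entries), len(entries),
                                  len(central), len(body), 0)
    return bytes(body + central + eocd)

def encrypted_entries(blob):
    """Names of entries whose central-directory record marks them as encrypted.
    Only headers are read, so this works on archives the gateway cannot open."""
    eocd = blob.rfind(SIG_EOCD)
    if eocd < 0 or eocd + 22 > len(blob):
        raise ValueError("not a ZIP archive: no end-of-central-directory record")
    fields = struct.unpack("<HHHHIIH", blob[eocd + 4:eocd + 22])
    total, pos = fields[3], fields[5]          # entry count, central directory offset
    flagged = []
    for _ in range(total):
        if blob[pos:pos + 4] != SIG_CENTRAL:
            raise ValueError("corrupt central directory")
        hdr = struct.unpack("<HHHHHHIIIHHHHHII", blob[pos + 4:pos + 46])
        flags, method = hdr[2], hdr[3]
        name_len, extra_len, comment_len = hdr[9], hdr[10], hdr[11]
        name = blob[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        if flags & (FLAG_ENCRYPTED | FLAG_STRONG_ENCRYPTION) or method == METHOD_AES:
            flagged.append(name)
        pos += 46 + name_len + extra_len + comment_len
    return flagged

def stdlib_flagged(blob):
    """Cross-check against the standard library's own header parser."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return [zi.filename for zi in zf.infolist() if zi.flag_bits & FLAG_ENCRYPTED]

# Constructed sample: a plain readme next to an entry marked as password-protected.
SAMPLE = build_zip([
    ("README.txt", b"internal tooling, do not redistribute\n", 0),
    ("tools/flash.exe", b"MZ\x90\x00 constructed placeholder, not a real binary", FLAG_ENCRYPTED),
])
```

A gateway policy can then quarantine or flag any archive for which `encrypted_entries` is non-empty, regardless of whether the password is a shared convention or a real secret.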

~~~
pjc50
Yes - not for hostile purposes, but because your own company's antivirus won't
let you mail an executable to a colleague.

~~~
marcosdumay
Usually this. Or in my workplace, an image.

Antivirus is some crazy shit that may trigger on any random action and will
teach people to follow the most unsafe procedures without questioning, so they
can get anything done.

~~~
myself248
I've heard it put this way: If you force users to trade convenience for
security, they will find a way to obtain convenience at the expense of
security.

~~~
akira2501
> If you force users to trade convenience for security

I _wish_ it was better security they were making the trade for. It often isn't
though. These programs are large, expensive, and don't do much most of the
time. I feel there's a perverse incentive for developers to make their AV
products as noisy as is possible to justify their own existence.

And yet... even with full AV rollouts locked down at the highest level, bad
actors still get into networks and exploit them. So, to me it feels like our
users are trading away their convenience for our misguided CYA policies.

~~~
majewsky
My guess/fear is that most AV software gets deployed because some insurance
policy requires you to tick that box.

~~~
fakecigar
A lot of this stuff (AV software) is getting deployed at all different layers
of the environment. Firewalls are getting better at dynamic file analysis and
file blocking, the endpoints are loaded with user behavior/analytics, av and
dlp tools. AV is so omnipresent because it's in a decent amount of netsec
appliances these companies stand up.

------
orisho
At a previous workplace we had a few places in the code which used the word
backdoor. It was not an actual backdoor though, but merely a debugging server
that could be enabled and allowed you to inspect internal state during
runtime. At some point I removed the word backdoor, fearing it would get to a
customer or during an audit someone would misunderstand. :|

~~~
skissane
Once I got a complaint from a security auditor that some code was using MD5.
It wasn’t being used for any security purpose, just to check whether an
autogenerated file had been manually edited. We decided it was easier to do
what they wanted than argue with them, so we replaced it with CRC32C. That
would have been faster than MD5, but nobody cares about saving a few
milliseconds off reading a configuration file at startup. It would have made
the manual edit check somewhat less reliable, but probably not by much in
practice. But the security auditor was happy we’d stopped using MD5.

~~~
heavenlyblue
You don’t actually need to listen to auditors. People like you (who can’t be
bothered to argue because it’s apparently too hard) are the reason that
smartass is still selling their services.

~~~
restingrobot
So much this. My company just got done shelling out a ton of money for some
asshat to tell me that we can't use http on a dev server. <head smashes
through desk>

~~~
greedo
It's worse when the asshat convinces your manager that every internal site,
whether dev or not needs https. Certs everywhere. Our team spends a decent %
of our time generating and managing certs...

~~~
searchableguy
I am confused. Isn't that easily automated?

~~~
souprock
It's not easily automated. Somehow, you have to safely get a certificate
across the air gap to the internal network.

So I guess an internet-connected system grabs the certificates, then they get
burned to DVD-R, then... a robot moves the DVD-R to the internal network? It's
not easy. It's all much worse if the networks aren't physically adjacent. One
could be behind a bunch of armed guards and interlocking doors.

~~~
skissane
An airgapped network can include its own internal CA, and all the airgapped
clients can have that internal CA's certificate injected into their trust
stores, and all the services on the airgapped network can automatically
request certificates from the internal CA – which can even be done using the
same protocol which Let's Encrypt uses, ACME, just running it over a private
airgapped network instead of over the public Internet.

------
svnpenn
Someone have a mirror? Seems the actual files are here:

[https://t.me/exconfidential/590](https://t.me/exconfidential/590)

Edit: files are here

[https://mega.nz/folder/CV91XLBZ#CPSDW-8EWetV7hGhgGd8GQ](https://mega.nz/folder/CV91XLBZ#CPSDW-8EWetV7hGhgGd8GQ)

or

magnet:?xt=urn:btih:38f947ceadf06e6d3ffc2b37b807d7ef80b57f21

~~~
johnklos
You can't download from mega.nz unless you have their "downloader" app or an
account, or if you have Firefox or Safari. It's useless.

The torrent works.

~~~
crazypython
A web app that only works in non-Chromium browsers isn't useless.

~~~
bscphil
I've downloaded stuff from MEGA in the last week on a Chromium based browser,
so I'm not sure what the problem is supposed to be here.

------
Traster
This is more embarrassing than harmful. Having worked at companies like intel,
it's not really that damaging leaking some of this IP - the worst that happens
is some open source project gets slightly better or you have a few more bugs
(not that Intel are lacking in that area). The second we see internal
marketing, pricing & road map slides- that's when you know they're in real
trouble.

~~~
kps
> _Having worked at companies like intel_

I've worked at a company very much like Intel¹ and the _really_ closely
guarded secret — the one where two vetted people turn the launch key at the
same time — was the microcode patching keys.

¹ I'm not saying it was Intel, but it was Intel

------
beervirus
Fingers crossed that this will enable some smart person to completely disable
the management engine.

~~~
wmf
AFAIK the ME is required to initialize the processor so it can never be
completely disabled. The best you could do is remove any code beyond necessary
initialization which has mostly already been done by me_cleaner.

~~~
noja
How easy is it to use me_cleaner? Last time I looked it required some wiring
and a Raspberry Pi.

~~~
amiga-workbench
Quite straightforward, I used a ch341A SPI programmer. Just make sure you take
multiple copies of your original ROM image and compare the hashes of them to
make sure there was no screwup.

It took me about 10 minutes to do my ThinkPad. All I lost was some enhanced
integrated GPU power management and integrated thermal management, but I use a
userland fan control program anyhow.

~~~
WanderPanda
How much did it cost? Everything

------
pdevr
Intel denies it was hacked:
[https://twitter.com/TheRegister/status/1291461942624677889](https://twitter.com/TheRegister/status/1291461942624677889)

~~~
dleslie
... They're claiming it came from an NDA'd source of IP that's shared with
customers.

Given that it _appears_ like there are backdoors in this Firmware code, we can
conclude that if there are such backdoors then they were shared with numerous
customers.

That really doesn't improve the optics of the breach.

~~~
moonchild
Alternately, as others have noted, it could be overloaded nomenclature and
doesn't actually indicate a backdoor. Which would be an excellent reason for
them to feel comfortable sharing said 'backdoors' with their customers.

~~~
dathinab
It is actually a backdoor but only gets put on prototypes/engineering
samples or similar.

Or maybe some well documented Intel management features need to backdoor their
own security mechanisms to work.

Or ...

Well the point is it's a starting point for someone dissecting the data but
not much more.

------
gabcoh
Is releasing this legal? It seems like this person isn't really disguising
their identity or concerned about breaking the law. In their profile they even
seem to brag about leaking company's code.

~~~
dleslie
Of course it's not legal. This is exfiltrated intellectual property being
shared without license.

~~~
dcow
I don't believe this is accurate or in any way obvious even if this is the
stance the courts would ultimately take. These files were downloaded from a
publicly available CDN server discovered while browsing the internet. No
authorization mechanisms were bypassed, no computer systems were hacked. These
files are the result of a GET request to an Akamai server that happened to be
hosting the files. Despite how this will be spun in pop culture, Intel did not
secure access to these files. I'm not sure how you would prosecute someone for
re-sharing a file they were given, under no legal contract, when they asked
for it.

~~~
MauranKilom
You have a lot of faith in how technically versed the law and courts are on
these topics - because they sure haven't kept up with the times. And even if
they were willing to split hairs over these technical details:

No civilian will agree with you that just because _technically_ you could slip
through several doors that happened to be not locked and got helpful advice
from a neighbor, it doesn't mean that whatever you found behind those doors
was "public" just because you didn't have to pick locks. Or that the photos
you took of private company documents by social engineering your way inside
must clearly be unsecured and publicly distributable because "they were given
to me when I asked for them".

~~~
dcow
This isn't slipping through various open doors. There _were no doors_. This is
literally a public server on the public internet serving files publicly. Intel
is grossly negligent in securing their assets if they're hosting what they
consider to be confidential trade secrets on public CDN servers.

The analog would be if I posted a flyer on a telephone pole with what I
considered confidential information and someone else took a picture of it.
There's no way you could argue that I had a reasonable expectation that only
people for whom the flyer was intended would be able to view the flyer.

If someone deliberately bypassed computer security measures to acquire this
information I'd agree. But you don't get a free pass to be negligent just
because you're a big company. I suspect the EFF would support my viewpoint as
they supported Weev's appeal of a much more contentious and ethically gray
scenario (the acquisition of personal information from a server that was
negligently "secured" and required someone to imitate the calls an iPad would
make).

~~~
dleslie
> This is literally a public server on the public internet serving files
> publicly.

The flyer analogy does not work because the services were not broadcasting or
otherwise advertising their presence.

Following the house analogy, the thief tested all the front doors on the
street and opened those which were not locked.

~~~
dcow
Then search engines must not be legal. They crawl the public internet and
index what they find.

What you’re effectively saying is that the flyer is unknowable unless a
Street-view car drove past and snapped a picture of it and its owner engaged
in SEO to make sure it landed near the top of search results.

There is no “house” in this analogy (which you might call a corporate/private
network secured or otherwise). No private network was accessed. This stuff was
on the street, in the free pamphlet section of the newspaper stand.

------
bubblethink
May be a good time for Intel to open-source FSP anyway. They've been
dilly-dallying around it for a while now. There were some phoronix articles
about it a year ago.

------
saagarjha
[https://twitter.com/deletescape/status/1291422841834016770](https://twitter.com/deletescape/status/1291422841834016770)

Hmm…

~~~
wonderlg
I’m completely ignorant about this but is it possible that they’re referring
to a “debugging backdoor”?

~~~
bonzini
It's most likely a callback from OS to firmware, or at least this is what I
can guess based on the single comment present in the screenshot and what I saw
in the past in the APEI tables of Intel-based servers.

APEI tables are a part of ACPI that tell the OS how to write an error record
persistently in the machine log, inject a memory error for debugging purposes,
and stuff like that that's tied to the RAS
(Reliability/Availability/Serviceability) features of a server. The tables
contain a list of instructions like "write a value to memory" or "write a
value to an I/O port"; the way they work in practice is that, by following
these instructions, the OS causes the processor to enter system management
mode (that's the "backdoor" into the firmware) where the firmware services the
APEI request.

Since the tweet mentions SMM and RAS in the two lines it shows, my guess is
that it's related to that functionality.

------
Jonnax
Who should we follow on twitter / blogs to read analysis of whether this is
impactful or interesting?

------
unix_fan
The bad news just doesn’t end for this company, does it?

~~~
Alupis
Or karma finally doing its thing?

------
james412
This kid has been posting these for fame (it's the same guy that posted the
Daimler leak). I guess it's all fun and games until he finds himself in prison

~~~
elmo2you
That is indeed often the case with young narcissists (I don't know if it
applies to this person, don't know him/her).

That said, I remember the shocking arrogance and total disregard (for anything
but their own ego) of a few young privileged "hackers", who were involved in
DDOS services for hire, and also for some very nasty IoT bot net (if I recall
correctly).

Krebs wrote about them quite a bit. I think they even got caught because of
that, but not sure. They did loads of real damage, that much is certain. But
instead of going to jail, they got community service. Apparently with
intervention of the US government, for which they now work. Go figure.

~~~
antihero
IDK if wanting a bit of fame and validation makes you a narcissist per se.

~~~
elmo2you
Not per se, indeed. But if that urge for validation is for something that's
fundamentally wrong and/or only supports a person's failure to critically
assess their own actions, then it usually is narcissism.

------
jarym
With stuff like this being exfiltrated (let’s admit if hackers got this they
prob could have a whole ton of fab secrets) it won’t be long until America’s
IP is all in the hands of China/Russia/Europe.

We will have confirmation when China launch a ‘Xi Lake’ x86 compatible cpu...

~~~
Anarch157a
They already have it, thanks to AMD, before Trump blocked further cooperation.

------
greyface-
Any IP lawyers in the house willing to speculate on how this is going to go
down? Intel surely isn't going to let this stand, and the (Swiss) leaker is
being completely open about their identity. What's the legal action going to
look like?

------
kr99x
The three "biggest deals" here are all... a lot less important than they look.
Clarifying info on all three:

"Did Intel get hacked?" I can't confirm the exact mechanism by which these
files got out, but I _do_ know that these files are things which get shared
externally already with Intel's customers under NDA. If security _in general_
is lax, that's one thing and future hacks of more sensitive stuff could be
expected. If security in general is fine, but for _some NDA customer sharing
channel_ is lax, don't expect to see anything juicier.

"Intel123 is an awful password." Yes it is, but... it's not _for_ security.
Intel123 is the password used to bypass executable/script filtering systems
that overzealous IT put in place to "protect" employees. Employee A wants to
share a zip with employee B. There are _many_ channels they can use to do
this, because the contents of the zip are not encrypted or restricted. None of
these channels require encryption, but either A or B doesn't like/understand
them, so they agree on email. Whoops, the filter says that executable could be
harmful and out it goes. Zip-via-email doesn't work. Unless... well, if they
put a password on it, the filter doesn't catch it. Good. Problem solved. This
is _so common_ that the convention Intel123 arose and solidified for exactly
this purpose.

"I see the word 'backdoor' in there!" Sure. Bad name choice. That's not the
kind of backdoor you're thinking. There are a lot of things in the firmware
that take this exact same form and don't use the word backdoor. It's a
_signal_ the low level firmware is keeping an eye out for, and if received, it
will trigger some other piece of firmware to do some task in SMM. If that
other piece of code takes input parameters and fails to verify them, _then_
you may have a vulnerability on your hands - in fact, this was a very common
kind of vulnerability before. Intel has fixed a lot of these over the years.
Odds are they're mostly gone by now. If input parameters are verified (or none
taken), the worst you could do is maybe a DoS by spamming that signal to keep
the CPU clogged/stuck in SMM.
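What "verifying the input parameters" means for such an SMM task, as an added illustration that is not code from the leak or from any commenter: the request the OS hands over is a pointer and a length, and the handler must refuse anything that wraps the address space or touches SMRAM before it dereferences a byte. The memory layout, the request cap and the echo handler are a constructed simulation.

```python
from dataclasses import dataclass

ADDR_SPACE = 1 << 64          # simulated 64-bit physical address space
MAX_REQUEST_LEN = 4096        # constructed cap on a single request buffer

@dataclass(frozen=True)
class Region:
    base: int
    size: int

    @property
    def end(self):
        return self.base + self.size   # half-open interval [base, end)

def validate_request(addr, length, smram, top_of_memory):
    """Return None if the OS-supplied (addr, length) buffer is safe for the
    handler to read or write, otherwise the reason it was refused. Every value
    checked here is attacker-controlled, so no check can be skipped."""
    if length <= 0 or length > MAX_REQUEST_LEN:
        return "length out of range"
    if addr < 0 or addr >= ADDR_SPACE:
        return "address not representable"
    end = addr + length
    if end > ADDR_SPACE:
        return "address range wraps around"   # the classic integer-overflow slip
    if end > top_of_memory:
        return "buffer beyond top of memory"  # bound of the simulated machine
    if addr < smram.end and end > smram.base:
        return "buffer overlaps SMRAM"        # OS memory must never alias firmware memory
    return None

def handle_request(mem, addr, length, smram):
    """Simulated SMM task: echo the request buffer back as the 'response'.
    Validation runs before the buffer is touched, never after."""
    reason = validate_request(addr, length, smram, len(mem))
    if reason is not None:
        return "rejected", reason
    return "ok", bytes(mem[addr:addr + length])

# Constructed layout: 64 KiB of memory with SMRAM occupying 0x8000-0xBFFF.
MEM = bytearray(0x10000)
SMRAM = Region(base=0x8000, size=0x4000)
MEM[0x1000:0x1004] = b"RAS!"   # a legitimate request the OS placed at 0x1000
```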

------
Keyframe
At this rate, I fully expect Nvidia to make a merger bid for intel.

~~~
mhh__
Bigger market cap but something like 10 times less revenue, strange world (As
intel get hammered in the media their revenue remains in a different league to
AMD - which I suspect is partly because AMD can walk the walk after dropping
their trousers but there is no foreplay [i.e. sales and software])

------
phendrenad2
This is more of an advertisement for all the cool stuff you can work on if you
go work for Intel than anything.

------
intelleak
In what ways can an end user of intel processor expect to benefit from this?
I'm guessing none, since every consumer interface is already a standard ... Can
anybody chime in?

~~~
dleslie
Optimistically, the exposure of backdoors in the firmware may cause Intel to
patch and close them.

Realistically, Intel will patch the firmware and replace the backdoors with
new ones.

~~~
intelleak
Besides the backdoors I mean, I was thinking about performance or usability
improvements...

~~~
eitland
Might finally get certain big PC vendors to consider using AMD which will
increase competition and make sure we get better hardware in the future..?

------
privacyonsec
Intel leaked sources contain "backdoor" keyword

[https://twitter.com/deletescape/status/1291419918685147149?s...](https://twitter.com/deletescape/status/1291419918685147149?s=09)

~~~
wingerlang
I’ve only seen people writing “backdoor!” without actually saying what kind
of, for who, to what and so on. Seem pretty disingenuous to me. Could easily
be something trivial.

------
als0
The FSP source code is supposedly leaked as part of this, which is used to
initialise the memory controller. Are we closer to (modern) blob-free Intel
platforms?

~~~
kr99x
Close _r_, yes. Close? No. For one, memory init code differs from product gen
to product gen and pulls in platform/board specific libraries and inputs to
set up some parameters. The bigger problem though is just how _big and messy_
the memory init code is. It would take a substantial number of people a
substantial amount of time to unwind and understand what's going on, let alone
do a sane and/or clean-room implementation of it all.

------
xyst
I’m not touching the binaries or executables, but I’m interested in the source
code. Has anybody found anything interesting?

Will download from the mega link and explore in a VM later.

------
pepemon
Intel went open source today.

------
RSO
Anybody else wondering at the rate of bad news around Intel at this moment?
Like, is someone after them or is this just bad luck?

~~~
Nasrudith
Personally it seems more like complacency and cultural rot has caught up to
them than any bad actor - excluding their own management chasing ego
gratification or short term profits. Falling behind AMD in so many metrics
when they were previously often a second-best rival screams that they need to
get their shit together.

~~~
ddingus
This. Inertia, tech debt, a less nimble culture all add up.

Intel needs to kick off a skunk works that basically gets funded well enough
to find a new way.

If they do it now, some space could get really interesting again.

------
danw1979
The advice to try a password of “Intel123” on any protected files says it all.

This organisation genuinely deserves whatever is coming for them.

~~~
Chyzwar
These types of passwords are used in almost all big corporations. People are
being asked to encrypt things but without password managers or key management
tools.

~~~
jychang
Yeah, I know of plenty of other companies with similar multi-time-use
passwords. The data in that zip file probably isn't that confidential.

------
ggm
I'd love an IPR lawyer to explain legal paths to clean room spec of the bits
of this which could be useful like ME or coreboot depending parts.

I see comments which say "stay clear, they will" but I would like to know
how, if at all, this could be done and be legal on the receiving side of the
functional spec from a clean room.

------
WhyNotHugo
I'm very curious about this. What's the legality on just reading on this for
mere curiosity (e.g.: I don't work for AMD nor write drivers, etc.).

------
inthewings
That's just another internal Meltdown from a Spectre employee!

For once they don't leak our data.

------
chasd00
If you're at a company that can be considered an Intel competitor I would
avoid this like the plague. Weren't there problems for people working on Linux
after only viewing source code from other operating systems?

------
dmix
Binaries unique to SpaceX, maybe related to a server or contract with SpaceX?

~~~
theon144
I've _heard_ that it's apparently SpaceX camera drivers?

~~~
dmix
That's what it says in the docs

------
spicyramen
Cisco123

------
akayoshi1
The next Edward Snowden.

~~~
mhh__
Unless they've actually found a real smoking gun, probably not even close.
Besides, even if there isn't a backdoor in intel CPUs they've definitely
tried.

------
alsdkfjkqjwer
Why would they include stuff from proprietary releases?

I understand exposing backdoors and all, but who cares about a camera firmware
for an airgapped system?

Wonder if some of the clients for those devices are involved and the goal of
this is that those clients got fed up with the NDAs and wanted all this in
"public domain"?

