"Intel ghosts researcher"
Well, yes.
Poor little Intel. Already bleeding from a thousand cuts to its billions in the bank.
You wouldn't want it to waste another piddling thousands on an idiot who actually helped it, now would you?
Security boffin Eaton Zveare has highlighted some serious holes in the online infrastructure of chip giant Intel – walking through services with coding flaws to gain access to supposedly internal documentation, from non-disclosure agreements (NDAs) to the personal details of more than 270,000 Intel staffers.
More likely, the people whose job it was to keep the sites, including ark.intel.com and its internal-only version (which has a very similar name) secure... have been laid off by LBT. Along with anyone else whose job it was to give two shits about quality.
Anon 'cos I am ex-Intel and still somewhat bitter about the cumulative effect of a series of CEOs who bled the company dry to keep Wall Street happy. Gelsinger was the noble exception but of course, "investors need to take short-term financial pain to ensure long-term prosperity" wasn't a message that the Board of Advisors were willing to support.
“Zveare's investigations began last year, with a gentle poking at an Intel India Operations-run website, which allowed authorized employees to order a set of business cards. Naturally, such a site needs access to an employee database – but, unnaturally, Intel appeared to have done a poor job at the "authorized" side of things.”
That this and a number of the other sites mentioned are even public facing at all beggars belief. What fuckwit put this together?
I'm convinced that a lot of tech companies, even ones that have security departments, don't take their bug bounty programs seriously anymore. Maybe it's just a factor of the industry being flooded? At the same time you'd think QA would be on top of stuff like this. I guess it's a good thing for these companies to be exposed like this so we know that they won't give credit where credit is due. The fact that the security researcher didn't even get an email back saying "thank you we are looking into this" is bad PR for Intel.
It's simply an extortion attempt at the end of the day. You hacked me, great, just be thankful I didn't call the cops or find out where you live. I never promised to pay you for the privilege, so don't expect to get anything, including a response from me.
If I asked you to do this work that is different, I will pay you, which is really what a bug bounty program is - a gig work offer. But if you just showed up and committed some vandalism, nope never. Sure _anybody_ could do this, but if you want to get paid, you are going to have to monetize it yourself... and maybe have some repercussions for doing so.
It's really no different than showing up at your neighbor's and opening all of the windows that were not locked... and then somehow expecting to be treated like a hero instead of getting shot... when the window locks really are not the home defense system in play anyways. (hint: do NOT go on somebody's private property without being invited here in amurerica, use the front door _with respect_ if you must).
> The storied chipmaker is a mainstay in modern computing and an Intel chip has been inside basically every computer I have ever owned.
Yeah, well... not so much anymore. They've really lost their edge. Last few years I have favoured AMD, who have been eating Intel's lunch for x86. The CEO of Intel has admitted that the company is no longer even in the top 10 of semiconductor businesses worldwide. This has nothing to do with the article, but it's interesting how much deference the security researcher still gives them.
Wrong way round. The company *should* work for its investors, that’s the whole point of a company. If there weren’t investors, there wouldn’t be companies and public companies exist because private investors and founders want to cash out and others (e.g. pension funds) want a piece of the upside.
Public companies should be maximising long term value for investors (which should be reflected in the share price) through a mix of R&D to maintain an edge over the competition/expand into new markets, and returning profits. If they have limited growth potential it should be more the latter, so that cash can be reinvested more productively in an R&D team at a different company.
The problem comes when management teams and boards *stop* working for the investors. Either by failing to communicate effectively why investment will add value, spunking away money on useless R&D, or by hacking away at costs in the hope short term financial improvements benefit them personally before harder to identify long term damage becomes obvious to external investors. All of which can tank the share price over various timescales, and most aren’t good long term for employees and customers.