AMD has filed at least two DMCA notices against Github repos that carried “stolen” source code relating to AMD’s Navi and Arden GPUs, the latter being the processor for the upcoming Xbox Series X. The person claiming responsibility for the leak informs TorrentFreak that if they doesn’t get a buyer for the remainder of the code, they will dump the whole lot online.
I’d love to hear the backstory behind this hack. For a company like AMD, such a hack must’ve been an inside job, right? While I know I shouldn’t be surprised anymore by just how lacking security can be at even the most prominent technology companies, I just can’t imagine it being very easy to get your hands on this documentation and code without some form of inside help.
Some possible candidates:
– There could be a shared repo for collaboration with partners (here with Microsoft, since their Xbox code also seems to be leaked). Those kind of repos usually have less security compared to fully locked down ones
– A contractor or a similar “extended” employee might have received access by mistake
– A lost laptop with code without encryption (this should no longer happen in this day and age)
– A employee laptop running unauthorized code (for example an ssh -Y tunnel to internal cloud), there is more chance of this happening during WFH
Or rather simple public AWS bucket misconfiguration.
I am sad that this is happening. While I do support open source for end user software, this should happen voluntarily..
Thom Holwerda,
Who knows what happened in this case, but I’ll say this, so long as someone has access to confidential data as part of their job, it’s virtually impossible to stop a smart & dedicated insider who wants to leak the data. Stopping outsiders should be possible in principal for those who’ve been proactive about defenses, but it can still be difficult to stop trojan horse scenarios where “trustworthy” employees act as unknowing conduits even when security is in place. Portable laptops and mobiles are inherently risky. Also, for better or worse, many companies are inviting and allowing “cloud services” through their perimeter, which explicitly opens the circle of trust to include new outsiders and clearly increases the risks versus in-house solutions.
Ultimately though I don’t think the damage from this breach will be all that significant. it’s not the sort of information that’s coveted by identity thieves (which opens companies up to massive lawsuits). Think about when the code for windows was leaked. sure it raised eyebrows, but it didn’t actually change much in practice.
Highly doubt there was any mistake involved. Here’s the thing, as the guy above me has said, as long as your work involves having access to confidential data, there’s a leakage risk. That’s the reason why most people signs a confidentiality agreement when they get hired for a position in a technology company. Highly doubt an “outsider” has access to GPU technology for a device that hasn’t even been released into the market. Something similar happens within the music and cinema industries, there’s a huge degree of secrecy in the recording process just because that’s how it goes: confidential information is expensive. It reminds me of an article I saw online