Cybercriminals Who Breached Nvidia Issue One of the Most Unusual Demands Ever

shanen shares a report: Data extortionists who stole up to 1 terabyte of data from Nvidia have delivered one of the most unusual ultimatums ever in the annals of cybercrime: allow Nvidia's graphics cards to mine cryptocurrencies faster or face the imminent release of the company's crown-jewel source code. A ransomware group calling itself Lapsus$ first claimed last week that it had hacked into Nvidia's corporate network and stolen more than 1TB of data. Included in the theft, the group claims, are schematics and source code for drivers and firmware. A relative newcomer to the ransomware scene, Lapsus$ has already published one tranche of leaked files, which among other things included the usernames and cryptographic hashes for 71,335 of the chipmaker's employees.

Re:

[The Real Dr John]

Yup, just shows how crypto creates these types of motivations for criminals. It's obviously why they hacked in in the first place. And I still can't find an RTX 3080 or 3070 for anywhere near the MSRP. Like so many others, I will just wait until the price comes back to Earth.

Re:

[Moryath]

It's amazing - say anything that doesn't help the pump-and-dump bitcoin pushers, and you get modded "troll." Their criminal pyramid scam gets more desperate by the day.

Sigh

[Revek]

I was hoping when I read the headline they were going to demand they only allow one card sold per credit card number. But as it turns out they are shitheads. Learned my lesson. You should always count on ransomware monkeys to be shitheads.

Re:

[Joce640k]

NVIDIA can also count on the shitheads not deleting the data and coming up with more demands next month if they give in to anything.

Basically they're screwed. Their only option is to keep stringing them along while they trace them and arrest them.

Re:

[olsmeister]

If their interest is in mining crypto, demanding only one card per credit card number would probably be the stupidest demand in the history of ransomware.

Re:

[IWantMoreSpamPlease]

Well the title of the article contains the word "unusual"...so yeah, it would be "unusual" for them to be that stupid, so it falls within the realm of possibility (although of course highly unlikely...) /h

Re:

[Tailhook]

If NVidia were to somehow try to impose such a policy on retailers the robo-buyers would either find a way to get more CC numbers or pay through some other mechanism, and the retailers will accommodate whatever they come up with because they like sales. So playing CC number games is futile.

At the root, the problem is that certain people are willing to pay far more than you for the output of a finite amount of fab capacity. The robo-buyers scraping NewEgg et al. are just a symptom of this. The solution

Re:

[Revek]

We can't think of anything that will work 100 percent of the time so lets do nothing. Got it.

Re:

[Tailhook]

We can certainly think of stupid things to do and avoid them.

time to crack down hard on crypto!

[Joe_Dragon]

time to crack down hard on crypto!

Because Crypto

[rogoshen1]

So a company sells a product and artificially imposes stipulations on how you can use it, and the hivemind opinion is that it's a good thing?
Uh huh.

Re:

[Moryath]

A company sells a product, and sets the drivers and firmware so that the product works for what it's supposed to work for, not for feeding the fever dreams of criminal enterprises that steal electricity and engage in other criminal activities to feed a pyramid scam.

That is, in fact, a fucking GOOD thing.

Re:Because Crypto

[rogoshen1]

"supposed to work for"
no, fuck off. If you buy something, it is yours -- the relationship between you and the seller is concluded at that point. They do not get a say in how you use it. If you want to mine your magic internet money, that should be entirely your decision, and not influenced by corporate virtue signaling around some vague FUD about the environment. Or is the electricity used to play elden ring or whatever, greener than using it for ethereum .. somehow? If you bought the card, and pay for the electricity, how is that anyone else's goddamn business? You might not realize it, but your reasoning is only a step or two away from dictating what kind of car people should be allowed to drive due to fuel consumption. (it's slashdot, automotive hypotheticals are a thing, right?)

Further nothing occurs in a vacuum. Tolerating something because it temporarily aligns with your views is such a dangerous mindset -- it just allows for further abuse down the line; only instead of a questionable cause built on stupid reasoning, it could be something like an auto maker gimping engine output unless you use an approved partners gasoline. Or all manner of anti-consumer behavior.

Re:

[Moryath]

They do not get a say in how you use it.

They say how they designed it. They get to say what features they put in the firmware THEY make and the drivers THEY provide.

So "no fuck off" right back to you, pyramid scammer. If you want them to change what's in the firmware and drivers they provide to the public? Try a letter writing campaign. Try making a business case to them.

Or, YOU write your own fucking driver and firmware for what you want to repurpose the product to do.

But you don't get to be a cr

Re:

[serafean]

> Or, YOU write your own fucking driver and firmware for what you want to repurpose the product to do.

Where this argument falls on its face is that Nvidia requires cryptographically signed firmware. Meaning you really can't roll your own.
Even open source drivers are still waiting for the benevolency of nvidia to release the firmware so they can boot up the 3D rendering part of new revisions of GPUs (https://www.phoronix.com/scan.php?page=news_item&px=Nouveau-NVIDIA-GA106)

> They say how they design

Cuts both Ways

[Roger W Moore]

If you buy something, it is yours -- the relationship between you and the seller is concluded at that point.

Exactly, but that cuts both ways. If you buy something which may be capable of doing X and Y but the seller only provides you with the software to allow it to do X and makes that clear that's what they are selling you then what's the problem? You are free to figure out a way to write your own software to make it do Y, nobody is stopping you but if you cannot then that's not the seller's problem. It is certainly not reasonable that you try to blackmail the seller into making them give you the code to make i

Re:

[serafean]

> You are free to figure out a way to write your own software to make it do Y, nobody is stopping you but if you cannot then that's not the seller's problem.

Wrong, nvidia is actively stopping you: its firmware (loaded at runtime) is cryptographically signed, and the hw will refuse to load anything else.

Re:

[Roger W Moore]

Wrong, nvidia is actively stopping you

No, it's making it hard for you. If you can't beat the signature or don't like it then buy AMD and if enough do they'll soon get the message.

Re:

[Tyr07]

Ah it sucks. You're completely right, although I wish the prices of video cards would come down.

It's like if you bought a car but they said you can only use it to travel in the local city, we don't allow it to leave. (I'm not talking about leased, rented or otherwise, I mean gave them full cash and it's 100% yours)

Re:

[tlhIngan]

It's like if you bought a car but they said you can only use it to travel in the local city, we don't allow it to leave. (I'm not talking about leased, rented or otherwise, I mean gave them full cash and it's 100% yours)

No, it's like if you bought a car that can only go 80mph and demand the manufacturer unlock it so you can 100.

They built it to do 80, they may have limited the engine to only going 80 and not going any faster. The same car might be available in other markets and do 100, but for your market,

Re:

[Pentium100]

How is this different from printers having DRM in their ink cartridges?
After all, manufacturer designed the printer to use its cartridges, display an "out of ink" message after printing a certain number of pages (even if there is still ink in the cartridge)...

Or various anti-repair practices - Apple designed the phone to only use genuine parts and require special software (that they are under no obligation to release to the public) if you want to replace the part, even if the new one is genuine. Apple certa

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Tyr07]

No, it's like if you bought a car that can only go 80mph and demand the manufacturer unlock it so you can 100.

Actually that's worse than my example. They're not limiting the speed for processing graphics or gaming which is its intention.

Just like if they marketed it as a inner city car, but disabled going out of town, as that is not the way they're being marketed.
Your speed limit one is incorrect as it's not limited speed, it's crippling a feature it wasn't intended for.

Like going out of town if they crippled that. Can you pay extra money and they unlock the crypto mining features? That would be the only way to br

Re:

[WipeLeftShakeRight]

That reasoning would be consistent with longstanding US automotive policy, no hypotheticals necessary. The Jeep I drive has a shutoff switch for the engine that can't be turned off without a $300 Tazer. It makes sense for city driving where the average stopping time is more than 7-8 seconds if you ignore the extra wear on the starter, but not for me. Speaking of wear, they recommend a lighter weight oil than sensible mechanics recommend, again because it helps conform to fuel economy standards. The stereo v

Re: Because Crypto

[xavdeman]

Found the libertarian / miner. If the seller is clearly indicating this is a card with LHR limitation, no miner can complain. Caveat emptor, libertarian.

Re:

[wisnoskij]

I don't really agree.
For example, car companies have/might design features into cars to make them less deadly for people you crash into. But what if I wanted to use my car as a deadly weapon?
Companies put a emergency stop in a table saws that deploy a break if the saw cuts into conductive material, but what if I want to cut meat with it?
What if I gun company could add a part to a gun that made it impossible for it it kill anyone under the age of 5?
Companies put rounded corners on everything, but what if I w

Re:

[thegarbz]

no, fuck off. If you buy something, it is yours

Absolutely. Do with it what you want. But don't expect the device to do something the vendor explicitly designed it not to. Hack away to eek out extra performance, but demanding that a device do something other than what was advertised is just mind-numbingly stupid.

You sound like an incredibly entitled twat.

Re:Because Crypto [has no there there]

[shanen]

Best of the comments I've seen so far and closest to the joke I would have tried to write if I'd had more time. (When I was rushing to submit the story before I had other stuff to do...)

Anyway, I extended your Subject along the lines of the first low-hanging joke that came to my mind. There's nothing there in the cryptocurrencies. No there there to get there from NVIDIA.

Related reading? Well, it's really about math in general and prime numbers in particular, so... Currently enjoying Stalking the Riemann Hyp

Re:

[King_TJ]

I was going to say the same thing.... Funny how the entitled gamer crowd thinks products should be artificially crippled, if necessary, to help ensure availability for THEIR purposes over others.

I was disgusted when nVidia pulled that tactic, instead of just trying to invest more money into manufacturing so they could produce more product in the long-term.

We've got so many people complaining right now that countries like the USA don't have enough chip fab plants in them, and yet this is a clear and obvious

Re:

[NotEmmanuelGoldstein]

... artificially imposes stipulations ...

Like the 10-bullet limit in civilian semi-automatic rifles, or the 6-cartridge limit for shotguns: Please remind us that's a bad thing.

I too, think many stipulations are more trouble than they're worth. But throttling of GPUs or over-the-counter medicines is a bearable impediment to the many people doing the right thing.

Re:

[Luckyo]

I would like to remind you that both of those things are both bad and stupid, as you requested.

Screw ponzi cryptocurrency scammers

[f00zbll]

the world would be better if all those people rode a rocket to the sun

No cash...

[RogueWarrior65]

We want the printing press, the plates, the ink and the paper.

If they have the source code

[93 Escort Wagon]

Why can't they unlock the artificial constraints themselves?

Unless they're just script-kiddie parasites with no skill of their own, of course. In which case nvidia should be even more ashamed of their shoddy "security".

They already did, or claim to have anyway,

[waspleg]

and they were selling the modified drivers for $10 and then realized they were worth more and started trying to sell them for $1,000,000 - at least that's what I read yesterday or the day before, I can't remember where.

They have also demanded that NVIDIA FOSS all their drivers now and forever. [bleepingcomputer.com]

They also said they have all the Verilog circuit design files and threatened to release those as well. They claim to not be a state actor but who knows. They also had NVIDIA try to hack/encrypt their data back which

Re:

[cloud.pt]

because it's a firmware-level limitation, and they stole the source, not the keys to flash it. If it is even multi-flash device, which I think not given Nvidia gave OEMs the choice to apply LHR or not. Since Nvidia themselves do NOT use LHR on their founder edition 3080 (8GB), 3070, 3060 Ti and 3090 (actually nobody uses it on 3090 because it is effectively a workstation card which may need crypto-processing...) I am of the opinion this is a flash-once, reflash never again shenanigan. Kind of like the new A

A whole terrabyte?

[PPH]

Wow! That's like a third of the average porn collection.

Re:

[Ostracus]

Of course. Some people have a pimple fetish.

Backfired.

[Gravis Zero]

This is hilarious. What's happened here was that Nvidia decided to cash in by adding hardware level hashing to their cards but then it became too much. It was killing their own original videocard business, so they artificially kneecapped cards. Now the cryptomonster they fed is on the verge of destroying their business entirely if they don't feed it.

This is a great example of why they tell you "don't feed the bears".

The wise (business) move for Nvidia would be to cave to the demands and then remove hardw

Make use of

[kyoko21]

If NVidia doesn't pay out and all that data gets released, who has the balls to pirate those trade secret and actually turn them into anything of value? AMD? Intel? The Chinese? The Russians? Even if you somehow incorporated their designs into your chip, who has the technology to even fabricate the chip? As of right now, only two groups in the world that have the capabilities: SAMSUNG and TSMC. I mean sure, you could print a 3090 chip using some old tech, but you would be making a big chonky GPU that's at l

put the code into the linux kernel and get rid of

[Joe_Dragon]

put the code into the linux kernel and get rid of nv 3rd party drivers

Re:

[Petersko]

The fact that it becomes generally available doesn't protect anybody who makes unauthorized use of it.

You would still have to write drivers that conform, but don't infringe.

Re:

[wisnoskij]

Nvidia already provides Linux drivers, and since they already had this source code and are by far in the best position to make use of it for building a Linux driver, I doubt anyone else can do much better.

Half the stories you hear online is the AMD linux drivers are even worse.

Re:

[IWantMoreSpamPlease]

My guess (and as like you, I know nothing about fabs etc) is some 3rd party Chinese company will open up using the stolen info, and make a card that is their "own" but awfully close in performance and drivers to a 1050 ti or something.

From there they will build on what they've nicked, and eventually start creating cards that could compete head to head.
This is just a guess, and almost certain to be incorrect.

Re:

[kyoko21]

There are limited fabs in the world that produce at that small of a scale. However, both TSMC and Samsung get their printing equipment from ASML and those things aren't cheap to begin with and buying the equipment is only the start. You still need to get the tech support and the right engineers to even know how to run the machine. That's on top of the physical facility that you can do all of this in.

I highly recommend the YouTube channel Asianometry as he has several videos that digs deep into the various a

Re:

[Gravis Zero]

who has the balls to pirate those trade secret and actually turn them into anything of value? AMD? Intel? The Chinese? The Russians?

The first would be the Chinese, hands down. China doesn't give two shits about IP or legalities... unless it's to their advantage. You would have clones on the shelves in China in a few weeks.

Re: Make use of

[SleepingEye]

You forget, trade secrets are a thing. They are not legally protected in any way shape or form. You can copy them straight up legally anywhere. The recipe for making cocacola is a trade secret. If you find the recipe, you can make it under a different name without paying or lawsuit

Re:

[N.73SL4]

As a 3D vision user, I'm hoping the hackers DO dump what they have so the community can integrate 3D Vision back into the latest drivers and fully support 3000 series cards. Yes a lot of people couldn't care less about 3D Vision, but this post isn't for them.

Open source the drivers

[bubblyceiling]

Open-source drivers would be pretty cool. Not like the crypto community is actually deterred by software limits

post the signing key

[cciechad]

My understanding is modern NVidia cards only allow signed drivers or BIOS(not sure which or if both) to access the full HW capabilities. Since they are asking them to do this or they will release I think this means they didn't get the signing key :(

Re:

[salahx]

Depends on where the anti-cryptomining is implemented. If its implemented in the driver, then all that's needed is the source code and it can simply be removed. No keys needed (except on Windows). If its in the firmware, the driver or firmware source will not help, as the card will only load it if its signed by Nvidia.

While open source drivers would be nice, this isn't the way to go about it.

Sounds like desperation to me

[devslash0]

So firstly they demanded that the drivers were released as open source. Now, that they want the drivers without any bitcoin mining countermeasures. Surely, if you have the source code and you're a L33t hacker you can bypass all those protections yourself? I'm beginning to think that there could be a bit of truth in that story about NVIDIA hacking the hackers back and encrypting their data dump, and that now the hackers are trying to gain anything at all from their action by a bluffed blackmail.

They have the tools to do it

[oldnuskeet]

If they canâ(TM)t, releasing the source code would lead to their demands being fulfilled since people can edit the firmware if they release the code.