Attn: Statement regarding a Quad Cortex security vulnerability

This is posted on the OpenCortex discord server. Not the official NDSP server.

Thanks ! I’ll have a look at it.

Please also see a very lively discussion of this issue at TGP: No thread on the QC data breach? | The Gear Page

i know keeping info uncrypted is inexcusable but are wifi passwords important whatsoever? like unless a hacker is coming near my home and draining my wifi i don´t see it affecting me

If you have 3300 email addresses + 430 Wi-Fi passwords, you’re likely to get at least a few matches where the Wi-Fi password is the same as the email password. From there, you’ve won the game.

i spent the last 2 hours reading this whole thread… most of it is annoying bickering but from what i gather ndsp might be in a whole lotta trouble :s and it does push me away from the company… i was already mad with the unfulfilled stuff but knew about it and was hoping for this next few months to be redeeming but now fractal seems more beautiful by the minute

yeah thats true this is sad

I don’t know. I hear your concern but I remain a lot more optimistic than this. As I pointed out in a previous post there are a large number of major companies that have had huge lists of everything from extensive account and personal information to actual credit card data hacked with much more serious consequences. Those businesses persist and generally things subside back to normal with a greater emphasis placed on security. Granted these incidents can cause serious ongoing problems for the hackers’ victims but hopefully this incident won’t rise to that level. If any of the users who had their data grabbed are damaged by this incident, I hope Neural finds a way to compensate them.

If those large corporations experiencing substantially more impactful breaches can weather the damaging PR and the resultant sh$tstorms, I think Neural can as well. Not to be ignored or minimized, but Neural’s breach appears minor by comparison to the data that has been lifted from other entities. If they needed a wakeup call, at least this one was relatively mild compared to what might have transpired.

They appear to be slowly knocking out delivery on their initial promises. The editor appears to be on its way and I could care less about Marketplace and the Neural plugins although I would wager that at least the plugins are not too far from delivery (could be wrong, basing it on gut and nothing else). I am still curious to see what comes out of the next couple of updates and definitely not considering selling my QC at this time. Pretty sure there are plenty of other owners who feel the same way.

Yeah, i mentioned previously i don´t personally care and it doesn´t seem like a threat for most if any users BUT their response where they flat out lied about knowing about this previously and not acting up at that time is what really worries me, and now they are shutting down open cortex.
I do care about the plugins and it´s good that they are fulfilling promises even if slowly but the constant misses and lack of follow up on small issues is what is disheartening (things like this security breach which would be indicator for bigger breaches or ignored stuff and even smaller things like lack of significant updates compared to competition - the qc doesn´t even have a metronome even tho it´s the highest voted request for 2 years now in the forum and a very simple and basic addition)

Not sure what you are referring to by “open cortex”. What is this?

I´m not too knowledgeable with the technical details but it´s a project to help with error fixes and hopefully innovation with the QC. More relevant it´s the people that in doing so figured the security weaknesses in the QC and notified neural to let them know and offered to help for solutions and were politely dismissed but now it seems they are banned from the QC discords and neural is taking legal action to shut down the project. (as seen in the image)

image1300×453 87.1 KB

Disclaimer: I´m not looking to start a sh1tstorm with this just want to address this topics with the community so if i´m wrong with any info or there´s anything to add let´s talk about this calmly and concisely please

The QC isn’t an open source project. It’s legally owned intellectual property. That Neural is going to protect vigorously. If they don’t then it’s worthless in the eyes of the law. Open cortex, if I’m reading correctly, looks like they are trying to root (jailbreak if you’re more familiar with that term) the device so they can extend the code. Code they don’t own.

They are lucky they didn’t get a whole building of lawyers thrown at them.

well yeah but from what I understand they don´t want the code, they just want the ability to implement personalization and improvements and to help the dev team. They obviously can object to it but the project has always been open and transparent to neural and they even figured out the security issues before neural.
They´ve known about it since day 1 and them acting against it after this security breach and how negligent they were to attend to it until public reaction doesn´t speak well.

And regardless if you are familiar with modding communities like in videogames companies can support the community which usually benefits both parties (counter strike, half life, minecraft) or go the opposite route (now defunct warcraft 3 and project M for example)

They can go whatever route they please but i personally prefer if they support the community working for them for free instead of getting them in jail

The problem is, now Neural know about it [OpenCortex], they will be having to implement security fixes to block it

So someone “trying to speed things up” has actually given the Devs a load more work to do, and will actually end up slowing things down.

Nice one.

Nobody is stopping them doing exactly that.

@Cheems from what I see, NeuralDSP currently has no intention of bringing down the OpenCortex project . They even offered to collaborate on things in the future.

@Morphire at this point we have no intention of modifying any of the source code present on the QC. We are really carefull and toughtfull with not distributing any of NDSP IP. The goal is only to open access to your device, and add cool stuff. There are however plans to build things from the ground up, but that’s still just in the idea phase.

@tomfs The intention was never to speed anything up. More a matter of enhancing my experience with the device on my own. I also think that customers will be more than happy having these security fixes.

@SkeletronPrime I’m currently a fulltime dev in a startup where I love working. I’m also not based in Finland so applying for a job with NDSP is not something I am considering at this point in my life.

Their job page suggests that global remote work is available, but I understand and I’m glad you’re happy with your current workplace.

I’m also very glad to hear that NDSP is considering collaborating! I mostly wanted to point out that there are legal and reasonable options for people who want to be a part of the development.

I’d take what you read on TGP with a pinch of salt

Especially in threads that devolve into ‘sh*t on ndsp circle jerks’ (there’s one every month or so).

In fact fatal amounts of salt are required in those cases so be careful out there

I am glad Neural has become aware of the security vulnerability. Fixing it immediately is the right thing to do, even if it temporarily diverts some resources. Better that, than a security hole that can come back to bite them more than it already has. I am relieved the person/team who discovered the vulnerability appears to have no malicious intent towards fellow QC users.

Oh I don’t mean that security issue. That one absolutely needs to be fixed asap.

I mean that they will need to fix the issues that allow OpenCortex to get into the system. So those guys have now caused additional work and delays to everything else.

Made my original response clearer.