Attn: Statement regarding a Quad Cortex security vulnerability

This is posted on the OpenCortex discord server. Not the official NDSP server.

2 Likes

Thanks! I’ll have a look at it.

Please also see a very lively discussion of this issue at TGP: No thread on the QC data breach? | The Gear Page

i know keeping info uncrypted is inexcusable but are wifi passwords important whatsoever? like unless a hacker is coming near my home and draining my wifi i don’t see it affecting me

If you have 3300 email addresses + 430 Wi-Fi passwords, you’re likely to get at least a few matches where the Wi-Fi password is the same as the email password. From there, you’ve won the game.

i spent the last 2 hours reading this whole thread… most of it is annoying bickering but from what i gather ndsp might be in a whole lotta trouble :s and it does push me away from the company… i was already mad with the unfulfilled stuff but knew about it and was hoping for this next few months to be redeeming but now fractal seems more beautiful by the minute

yeah that’s true this is sad

I don’t know. I hear your concern but I remain a lot more optimistic than this. As I pointed out in a previous post there are a large number of major companies that have had huge lists of everything from extensive account and personal information to actual credit card data hacked with much more serious consequences. Those businesses persist and generally things subside back to normal with a greater emphasis placed on security. Granted these incidents can cause serious ongoing problems for the hackers’ victims but hopefully this incident won’t rise to that level. If any of the users who had their data grabbed are damaged by this incident, I hope Neural finds a way to compensate them.

If those large corporations experiencing substantially more impactful breaches can weather the damaging PR and the resultant sh$tstorms, I think Neural can as well. Not to be ignored or minimized, but Neural’s breach appears minor by comparison to the data that has been lifted from other entities. If they needed a wakeup call, at least this one was relatively mild compared to what might have transpired.

They appear to be slowly knocking out delivery on their initial promises. The editor appears to be on its way and I could care less about Marketplace and the Neural plugins although I would wager that at least the plugins are not too far from delivery (could be wrong, basing it on gut and nothing else). I am still curious to see what comes out of the next couple of updates and definitely not considering selling my QC at this time. Pretty sure there are plenty of other owners who feel the same way.

2 Likes

Yeah, i mentioned previously i don’t personally care and it doesn’t seem like a threat for most if any users BUT their response where they flat out lied about knowing about this previously and not acting up at that time is what really worries me, and now they are shutting down open cortex.
I do care about the plugins and it’s good that they are fulfilling promises even if slowly but the constant misses and lack of follow up on small issues is what is disheartening (things like this security breach which would be indicator for bigger breaches or ignored stuff and even smaller things like lack of significant updates compared to competition - the qc doesn’t even have a metronome even tho it’s the highest voted request for 2 years now in the forum and a very simple and basic addition)

Not sure what you are referring to by “open cortex”. What is this?

I’m not too knowledgeable with the technical details but it’s a project to help with error fixes and hopefully innovation with the QC. More relevant it’s the people that in doing so figured the security weaknesses in the QC and notified neural to let them know and offered to help for solutions and were politely dismissed but now it seems they are banned from the QC discords and neural is taking legal action to shut down the project. (as seen in the image)


More info on the project here: GitHub - VanIseghemThomas/OpenCortex: A project that opens your Quad Cortex for homebrew software

Disclaimer: I’m not looking to start a sh1tstorm with this just want to address these topics with the community so if i’m wrong with any info or there’s anything to add let’s talk about this calmly and concisely please

1 Like

The QC isn’t an open source project. It’s legally owned intellectual property. That Neural is going to protect vigorously. If they don’t then it’s worthless in the eyes of the law. Open cortex, if I’m reading correctly, looks like they are trying to root (jailbreak if you’re more familiar with that term) the device so they can extend the code. Code they don’t own.

They are lucky they didn’t get a whole building of lawyers thrown at them.

2 Likes

well yeah but from what I understand they don’t want the code, they just want the ability to implement personalization and improvements and to help the dev team. They obviously can object to it but the project has always been open and transparent to neural and they even figured out the security issues before neural.
They’ve known about it since day 1 and them acting against it after this security breach and how negligent they were to attend to it until public reaction doesn’t speak well.

And regardless if you are familiar with modding communities like in videogames companies can support the community which usually benefits both parties (counter strike, half life, minecraft) or go the opposite route (now defunct warcraft 3 and project M for example)

They can go whatever route they please but i personally prefer if they support the community working for them for free instead of getting them in jail

The problem is, now Neural know about it [OpenCortex], they will be having to implement security fixes to block it

So someone “trying to speed things up” has actually given the Devs a load more work to do, and will actually end up slowing things down.

Nice one.

1 Like

Nobody is stopping them doing exactly that.

3 Likes

@Cheems from what I see, NeuralDSP currently has no intention of bringing down the OpenCortex project :slight_smile:. They even offered to collaborate on things in the future.

@Morphire at this point we have no intention of modifying any of the source code present on the QC. We are really careful and thoughtful with not distributing any of NDSP IP. The goal is only to open access to your device, and add cool stuff. There are however plans to build things from the ground up, but that’s still just in the idea phase.

@tomfs The intention was never to speed anything up. More a matter of enhancing my experience with the device on my own. I also think that customers will be more than happy having these security fixes.

@SkeletronPrime I’m currently a fulltime dev in a startup where I love working. I’m also not based in Finland so applying for a job with NDSP is not something I am considering at this point in my life.

3 Likes

Their job page suggests that global remote work is available, but I understand and I’m glad you’re happy with your current workplace.

I’m also very glad to hear that NDSP is considering collaborating! I mostly wanted to point out that there are legal and reasonable options for people who want to be a part of the development.

I’d take what you read on TGP with a pinch of salt :smile:

Especially in threads that devolve into ‘sh*t on ndsp circle jerks’ (there’s one every month or so).

In fact fatal amounts of salt are required in those cases so be careful out there

:v:

I am glad Neural has become aware of the security vulnerability. Fixing it immediately is the right thing to do, even if it temporarily diverts some resources. Better that, than a security hole that can come back to bite them more than it already has. I am relieved the person/team who discovered the vulnerability appears to have no malicious intent towards fellow QC users.

1 Like

Oh I don’t mean that security issue. That one absolutely needs to be fixed asap.

I mean that they will need to fix the issues that allow OpenCortex to get into the system. So those guys have now caused additional work and delays to everything else.

Made my original response clearer.

1 Like