Attn: Statement regarding a Quad Cortex security vulnerability

So if some unknown person on the internet not only jailbroke your software, but also posted a suite of tools and a guide on how to do it online, your company would just be fine with it and not do anything?

If that happened at my company, every single affected team would drop all work immediately until it was not only fixed, but we had ramped up security far beyond what it was to make sure it was not possible again in future.

If this is how Neural work (and I would be worried if it isn’t), you have just caused a whole load of delays to any future features and releases.

3 Likes

Exactly this.

Like some of you, I’ve been writing code for decades and we know how real life works. Any potential security issue is a “drop everything” event. Further: the suggestion that a proprietary product should suddenly turn into a hippie commune just because some randoms on the internet say “but I wanna!” is batshit crazy.

3 Likes
  1. They made the choice to use a Linux based OS that supports logging into a shell, nothing really you can do about that.
  2. They set a password on the thing, but have no control over me changing it by pulling out the SD card and changing it.
  3. People value their data being protected. This to the point it is required by law.

So enlighten me on how one would be able to patch physical access to the SD card with a software update.

Finally, I stand by the fact that this issue was so obvious it shouldn’t have been in there in the first place, so I’m glad it’s actually being looked at. I’m not going to apologize for finding an obvious mistake and reporting it to them.

3 Likes

I think there are a couple of topics being bounced around here, maybe they’re being muddled together. I don’t think anyone would criticize you for reporting a security flaw.

1 Like

“The car was just sat there with the keys in, it was so easy to steal, anyone could have done it”

That’s not how life works I’m afraid.

Also, as @SkeletronPrime said, no one is arguing about you reporting an issue to Neural, or that they should be fixing it. I’m arguing that you jailbreaking the device and posting a guide and scripts for anyone else to do it online was a stupid thing to do that will potentially push back their development schedule while they try to fix THAT issue as well as the logging one.

Not only that… probably a lot of returned units from non-experts who try the scripts guide…
This Is a Life 2

Life doesn’t allow me to remove a removable storage device and change a password? What are you talking about?

“The car was just sat there with the keys in, it was so easy to steal, anyone could have done it”?
I literally paid close to 2k for this device, just like I drive the car I paid for. Nothing is being stolen here, that’s just a stupid comparison.

The fact of the matter is, anyone who has any idea of how computers work will find this very easy to do with or without me bundling that knowledge. And I’m pretty sure NDSP is well aware of that. So even hypothetically, if I were not to do this, the same problem would still persist. I’ll be pretty surprised if it gets patched, and if it is even possible to do so.

You are entitled to feel whatever you want about it, I will not agree.

As for the people who fail to do this, there is a very clear disclaimer, the first thing you see, about the implications of this project and that it is for enthusiasts. Also, no script needs to be installed; it’s just changing the password.

The only scripts available are either to generate an XML to rename the models to their real counterparts or in pursuit of understanding how the QC stores data and how it works. Finally, there is a PoC remote viewer.

1 Like

I think now that this has been made public, Neural DSP should go ahead and pay for a full-on independent security audit with a reputable security company (such as Securitum, considered a leading European auditing company, or another company of that caliber). I think just releasing a patch won’t dispel the feeling that there are other security holes waiting to be revealed by many. It needs a full investigation to restore its reputation.

2 Likes

I believe @tomfs’ point is that there’s a difference between subverting a technology and publishing methods for doing so.

It’s a choice you’re making, and I’m not suggesting anyone can control your actions, but the difference between one and the other is noted. The cliché about freedom having consequences applies.

I’m old enough to have followed guides published by Phrack and other electronic magazines. Would I have participated in ethically questionable behaviour without Phrack existing? Maybe not.

1 Like

You are excusing doing something wrong/illegal by saying “it’s easy, anyone could have done it”.

Anyone could steal a car with the keys in it too, but they don’t (or at least shouldn’t).

If Neural now have to spend time on preventing you or others doing the same again in future, YOU have personally pushed back the development schedule by giving them extra work to do right now.

1 Like

What is so “wrong/illegal” about it? I’m pretty sure nothing I’m doing is illegal at all. As already stated: we are really careful and thoughtful about not distributing any of NDSP’s IP.
As for wrong, that’s something subjective. Guess you also think it’s “wrong” to share mods for a Marshall amp? Time to drop all those Friedman amplifiers, those dirty bastards daring to mod and share their guitar gear with the world!

As for the car argument, I think you have to read what you said again because it makes no sense. I repeat once more: I literally paid close to 2k for this device, just like I drive the car I paid for. Nothing is being stolen here.

As for pushing back the schedule, I will provide you with a message from NeuralDSP directly, claiming the supposed security issues were on the agenda regardless. It seems you’ve completely read over this in the above post:
[image]
[image]

And even if that weren’t the case, I’ll happily wait a week extra for promised feature X if I know my data is safe!

1 Like

@ThomasVanIseghem you did the right thing reporting an illegal GDPR risk. Otherwise it would have been illegal. At least here in Scandinavia. You could have gone to the authorities, yet you chose to go to the source. Well done.

Don’t kill the messenger.

Bless

3 Likes

I think a lot of people don’t really understand that I am super supportive of NDSP and I really want to see them and the Quad Cortex succeed. I really love that piece of gear! Hope this situation highlights how things can change for the better.

8 Likes

Sorry tomfs, but it seems that you are blaming the wrong person.
Thomas did the right thing; security should be the #1 priority (from the beginning).
NDSP did take it lightly, and must assume the consequences in terms of bad buzz (and should even reward the good guys who warned them without asking anything in return…)

Do you really believe that nobody in the world is trying to hack the QC in an ‘evil’ way? An internet-connected device is a prey of choice for many hackers.
The ‘chance’ we have is that QC owners are relatively few people, but think about it: if you can afford a 1800+ € device, do you think that nobody is interested in your personal data?

4 Likes

NeuralDSP is the only one to blame here. Their device has been on the market for several years yet they haven’t put in effort to achieve even base level security on it.

The logging leaking data is just the tip of the iceberg when, based on forum posts, there are plenty of other security problems like not using HTTPS and apparently more.

Then when security issues were raised, NeuralDSP chose to do nothing about them until shit hit the fan. That’s just negligent and a big failure from management.

2 Likes

I don’t know how many times I need to repeat this, but I guess one more…

I’m not blaming him for finding a security flaw, or for reporting it to Neural. That was good :+1:

I am blaming him for posting a repo of scripts and guides on how to root the device online, thereby exposing Neural’s IP for anyone else. That was bad :-1:

3 Likes

Except even without following his guide, it would not be difficult for anyone who knows their Linux systems to get access once they are at the point of being able to mount the SD card. There is really nothing particularly unique to the QC being done there.

It’s better for this stuff to be in the open rather than silently done by a malicious person to exploit the gaping security holes in the QC to e.g. turn your QC into part of a botnet or something. Being in the open puts more incentive on NeuralDSP to plug its holes regarding network connectivity.

Being able to access the SD card on the physical device is really not much of a deal. A bigger deal would be e.g. compromising the firmware updater by pointing the update server URL on a compromised Wi-Fi network to something that can download a malware package to any QC, considering the QC updater doesn’t seem to verify the identity of the update server nor use a secure connection for it.

3 Likes
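The three weaknesses the posts above keep circling back to (a root password that only lives in a file on removable, unencrypted storage; an updater that fetches firmware over plain HTTP with no signature check; and log files that capture personal data) are exactly what a practitioner would look for after mounting an extracted image. The script below is an added illustration of that audit and is not code from the thread, from Neural DSP or from the OpenCortex project. The file paths, config keys and sample file contents are all constructed assumptions for the demo; real firmware lays things out differently.

```python
"""Offline audit of an extracted embedded-Linux root filesystem.

Added example, not code from the original thread or from Neural DSP.
The rootfs is modelled as a dict of path -> file text so the audit runs
with no device attached.  Every path, config key and sample value below
is a constructed assumption, not something taken from the real device.
"""
import re
from urllib.parse import urlparse

# Constructed sample of what an auditor might find after mounting the card.
SAMPLE_ROOTFS = {
    "etc/shadow": (
        "root:$6$salt$placeholderhash:19000:0:99999:7:::\n"   # hash present
        "daemon:*:19000:0:99999:7:::\n"                        # locked
        "app:!:19000:0:99999:7:::\n"                           # locked
    ),
    "etc/ssh/sshd_config": "PermitRootLogin yes\nPasswordAuthentication yes\n",
    "etc/updater.conf": (                                      # assumed file
        "update_url=http://updates.example.invalid/firmware.bin\n"
        "verify_signature=false\n"
    ),
    "var/log/app.log": (                                       # constructed
        "2024-01-01 12:00:00 login user=alice@example.invalid\n"
        "2024-01-01 12:00:01 token=eyJhbGciOiJIUzI1NiJ9.payload.sig\n"
        "2024-01-01 12:00:02 preset loaded\n"
    ),
}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
SECRET_RE = re.compile(r"\b(token|password|passwd|secret)=\S+", re.IGNORECASE)


def audit_shadow(text):
    """Flag accounts that rely on a password hash rather than being locked.

    On unencrypted removable storage the hash is not a security boundary:
    whoever holds the card can rewrite the line.  Locked accounts ('!' or
    '*'), verified boot or an encrypted rootfs are the actual fixes.
    """
    findings = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 2:
            continue
        user, pw = fields[0], fields[1]
        if pw == "":
            findings.append(f"shadow: {user} has an empty password")
        elif not pw.startswith(("!", "*")):
            findings.append(f"shadow: {user} has a password hash; on "
                            "unencrypted removable storage it can be replaced")
    return findings


def audit_sshd(text):
    """Flag interactive root login over the network."""
    findings = []
    for line in text.splitlines():
        key, _, value = line.strip().partition(" ")
        if key.lower() == "permitrootlogin" and value.strip().lower() == "yes":
            findings.append("sshd: PermitRootLogin yes")
    return findings


def audit_updater(text):
    """Flag an update channel with neither TLS nor a firmware signature check."""
    findings = []
    conf = dict(l.split("=", 1) for l in text.splitlines() if "=" in l)
    url = conf.get("update_url", "")
    if urlparse(url).scheme != "https":
        findings.append(f"updater: fetches {url!r} without TLS; "
                        "server identity is not verified")
    if conf.get("verify_signature", "false").strip().lower() != "true":
        findings.append("updater: no signature check on downloaded firmware")
    return findings


def audit_log(path, text):
    """Flag log lines that record personal data or credential-like values."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if EMAIL_RE.search(line):
            findings.append(f"{path}:{n}: email address logged")
        if SECRET_RE.search(line):
            findings.append(f"{path}:{n}: credential-like value logged")
    return findings


def audit_rootfs(rootfs):
    """Run every check over the mounted tree and return all findings."""
    findings = []
    for path, text in rootfs.items():
        if path == "etc/shadow":
            findings += audit_shadow(text)
        elif path.endswith("sshd_config"):
            findings += audit_sshd(text)
        elif path.endswith("updater.conf"):
            findings += audit_updater(text)
        elif path.startswith("var/log/"):
            findings += audit_log(path, text)
    return findings


if __name__ == "__main__":
    for finding in audit_rootfs(SAMPLE_ROOTFS):
        print(finding)
```

Run against the constructed sample it reports six findings: the root hash, root SSH login, the plain-HTTP update URL, the missing signature check, and the two log lines that carry an e-mail address and a bearer token. The point of the shadow check matches the argument in the thread: once storage is removable and unencrypted, "set a stronger password" is not a patch, and the updater and logging findings are the ones a software update can actually address.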

@ThomasVanIseghem IP doesn’t just limit itself to the actual code. It involves ideas and concepts that have to be protected if threatened. Remember Apple’s rounded corner icons?

I agree with what others have said. OpenCortex is ultimately going to force Neural to waste time and resources that would have been spent on Dev deliverables and extensions to the QC. The end result is we all lose. Suffice it to say, I’m not a fan.

And for those concerned that Neural didn’t immediately announce they had a vulnerability before they had a fix in place, imagine accidentally leaving your keys in your car in a public parking lot. Knowing it will take time to hire a locksmith to come out to make a new key, would you make a public announcement and put signs on the car telling everyone the keys are in the ignition while you waited for the locksmith? You notice we got the announcement of the vulnerability paired with communication of the imminent release of the fix.

1 Like

“And for those concerned that Neural didn’t immediately announce they had a vulnerability before they had a fix in place”

There’s screenshots pointing towards NeuralDSP being aware of their security issues for close to a year. To do nothing in that time is negligence.

6 Likes

Fractal has entered the chat