Quad Cortex security breach

Just thought it was worth mentioning for anyone who missed it that just because you received an email from Neural regarding the security breach does not necessarily mean you had your WiFi passwords exposed. That exposure required that you sent them a crash log at some point. Look for the text in the email that says “Crash log found?:” to check your status on this.

While I was not happy to see a notice of a security vulnerability on the QC, I do appreciate Neural being forthcoming about it as well as proactive with a fix that can’t come soon enough. This is just one of the risks and tradeoffs of having devices that can connect to the internet remotely. Hopefully they will lock things down better in the future, but I still love having Wi-Fi and Bluetooth (Boss modelers for example) access to my devices. Would not want to give that up.

The option to have all operations that might require Wi-Fi connectivity, e.g., firmware updating and editor/librarian available directly via USB for those who would prefer better security (you are still connecting to the internet at some point) to flexibility might be a good option to offer. Perhaps worthy of Neural’s consideration IMO if security is going to be an issue via the Wi-Fi adaptor on the QC. Some people may prefer the level of security they are able to achieve by locking down their own router with firewalls and various other security options.

Update: After reading the post in the link below I had to reframe my opinion of this particular breach as one that was self-inflicted by some less than stellar security practices on Neural’s part rather than as the inevitable risk of hacking that comes with the territory when you have Internet connectivity on a device, or for that matter customer data on corporate servers. Amazing how many Fortune 500 companies have been hacked with considerably more financial resources to devote to protecting their data than Neural. This is one of the reasons I hate being asked to send logs. I have seen other companies make similar mistakes with them in the past. Add to that certain email service providers who intentionally “scrape” emails for demographic data for targeted advertising. Logs need to be anonymous first and foremost and encrypted is always a good thing. Could have happened to anyone though and not everyone would have owned up to it.

Good piece both of you.

Whatever the cause, we as a community need to help each other where we can in moments like this. Those who are most affected by this, and maybe need help or assistance to get it in perspective, express yourselves etc., reach out. That’s what we are all here for in the first place. :hugs: :mending_heart:

[Edit:] In case you understandably don’t feel like going public right now, maybe you could reach out in a PM to someone you trust in here?

Bless

As much as I appreciate their response time, and being, frankly, insanely up-front about this, I am a bit frustrated to find something of this nature coming from a company who, until this singular piece of hardware, did business exclusively in the software realm.

There’s no doubt in my mind that it can be very easy to miss some basic things right off the bat, especially with software, but no one saw this later and thought to fix it before something happened? It could’ve been fixed WITH a firmware update, that way, there was no down-time with bug reports.

I’m glad it wasn’t something insanely personal, but it does make me wonder what else may not be encrypted.