PC Manager | Take control of your computers

[Snatek]

Hi to all EEVBlog members,

We’ve launched a Kickstarter campaign that may be of interest to you. The project, named “PC Manager”, consists of a device that, once installed on a desktop computer, brings interesting remote bulk managing, energy saving and security features. The following are some of them:

• Allows organizing computers by floor, department, section, or as desired, and controlling them all simultaneously from anywhere (via the internet).
• It can help save on average $/€/£ 70 a year on energy costs per computer by scheduling their turn on/off, compared to keeping them on 24 h.
• It notifies in case of power outage (or intentional power cord unplugging, which may prevent theft of the PC), or if the internet goes out.
• Wi-Fi connection, without complicated network settings or security risks (e.g. opening ports on the router).
• Automatic PC boot error detection and notification.
• Computer freeze/crash detection and notification.
• It has multiple built-in electronic safety features to prevent any damage to the PC even if incorrectly assembled.
• It is built in the EU using electronic components from top global brands (e.g., Texas Instruments, Samsung, etc.).
• It allows granting partial or total control of PC Manager’s functions to other specified users.
• There are two models available for convenience: one with internal antenna and one with external antenna.
• It can be easily installed and withstand assembly errors. It feeds directly from the PC’s power supply.
• It can be controlled by the majority of internet browsing capable devices.

You can find more detailed info by clicking on the following links:

Kickstarter campaign: https://www.kickstarter.com/projects/snatek/pc-manager
PC Manager’s website: https://www.pc-manager.net/en/

The campaign ends on 11 January.

If you would like further information or have any questions, you can post on this thread (or on Kickstarter project’s web page) and we’ll gladly answer you.

We gratefully thank you in advance for any action you can undertake to promote the PC Manager project.

[Ranayna]

Hmm, interesting idea, but might I ask what your target audience is for this device?

My background: I work in a medium sized company in IT. I am not directly involved with PC support anymore, but once was. We have more than a thousand workstations, but most of them are not classical desktops anymore.

With that in mind, thoughts about this:

1: Power savings could easily be achieved by using wake on LAN. But even without it, disciplined users will already shut down their workstation anyway. And even if not, though I have not measured it, power consumption should already be reduced massively by employing sensible power plans in Windows. Assuming 100 Watts for an unused computer is not reasonable.
2: Reading through the description, I have to assume that your device is "always-on"? Does it work at all without internet?
3: How is the WiFi connection realized? Which bands and channels are supported? How does your supposed simple connection work? How much bandwidth is used? Think hundreds of devices here
4: Error detection according to the beep codes sounds like a neat idea. But I have not seen (or rather heard  ) a beeper on any modern corporate desktop for many years. DELL for example uses diagnostic LEDs since at least 15 years.
5: How does the Freeze/Crash detection and storage monitoring work? For that to work reliably I would think you need a driver of some kind. What operating systems will you support?
6: The device seems not applicable to laptops. And many desktops are being replaced by laptops.

Don't get me wrong. I applaud you for getting this far  Getting a viable product to this stage is an achievement.
But I wonder if you are not a couple of years to late, considering the state of the desktop market.

[bd139]

Sell me on it versus other OOBM systems like IME / AMT. I can do all of that already via host ethernet interface.

[Snatek]

Hi Ranayna,
Thanks for your comment I will try to answer all of your questions:

1. I just measured the active idle power consumption of three PCs from different generations (All with “Balanced” power plan). These are the results (measured 30 minutes after power-on, with no HDD activity):

CPU: Intel Core2 Quad Q9550
Chipset: Intel G41
Accessories: Nvidia GT 520 (passive refrigeration) graphics card.
Idle power consumption: 84.3 W

CPU:CPU: Intel Core i5-650
Chipset: Intel H55 Express
Accessories: Nvidia GTX 760 graphics card.
Idle power consumption: 112.3 W

CPU: Intel Core i9-9900K
Chipset: Intel Z390
Accessories: Nvidia RTX 2060 SUPER graphics card. 5x 3.5’’ HDD.
Idle power consumption: 115.8 W

In addition, Wake on LAN/WIFI implies disabling the motherboard energy saving features (at least on all motherboards I have seen), in comparison, PC Manager have a power consumption of less than 0.5 W. The device also adds some functions that WOL are not capable of, such: crash detection, errors detection, etc.

Fortunately, this also works for non-disciplined users .

2. Yes, the device is meant to keep it on continuously. It feeds from the computer’s standby power rail of the PSU. The remote functions are not available without Wi-Fi connection, but it can still act as a standard Front Panel’s LEDs and buttons (with log), and as all the inputs and outputs are reversible, it could be used on test assemblies, etc.

3. The Wi-Fi connection can be made using the Android app (The phone first connects to a network created by the device, and sends the Wi-Fi details via the app, so the device can connect to your Wi-Fi), or using a MicroSD card. It supports 2.4 GHz band (5 GHz band is not supported) in all standard Wi-Fi channels (limited by specific countries legislation).

4. You can check this function compatibility In the Kickstarter campaign or in PC Manager’s website (https://www.pc-manager.net/en/compatibility/). I cannot speak for HP, DELL and other branded PCs, as they barely follow any standard in this respect. But there is still a lot of motherboards (including new ones, like the Asus ROG Z390-F I have) that still support beep error codes.

5. This function works by installing a very simple program that performs an HDD read/write every “n” seconds, then the PC Manager device detects this signal (HDD LED). If the PC Manager does not detect this signal, then notifies you (or it can be programmed to restart the PC automatically). Only for Windows, at the moment, although it wouldn’t be hard to implement it for other operating systems.

6. The signals are probably compatible, but it wouldn’t be reasonable to mount it on a laptop. Probably you’ll have to invest thousands of € on a laptop to compare it with a € 600 desktop computer (even more with a proper desktop workstation), for that reason there are still a lot of users that prefers to work with desktop computers.

Yes, maybe the ideal would have been 5 years ago, but apparently there are still a lot of desktop computer sales (https://www.techspot.com/news/83094-pc-have-dead-now-but-somehow-alive-kicking.html ).

I hope to have answered all your questions. Thank you again for your comment.

[Snatek]

Sell me on it versus other OOBM systems like IME / AMT. I can do all of that already via host ethernet interface.

Hi bd139,

I wasn’t aware of this technology (probably the vast majority of desktop PC users also aren’t). Although for the information I could gather from the internet, seems quite complicated to implement (again, for the average user). I couldn’t find the software price (some comments say it is expensive). Also found several articles about vulnerabilities.

Thanks for your comment.

[Ranayna]

Thank you for the fast reply.

Regarding point 1: One aspect I missed, especially regarding user that do not shutdown: Those users will also keep files open. So, what will happen then? The shutdown will be interrupted by the windows "Please close your files" dialog. I do not know if that has a timeout and will shutdown anyway after some time, but if the users sees that in the morning and cancels the shutdown, the system will likely be in an inconsistent state due to background programs that have already been stopped. And if you force the shutdown by "holding down" the button, users will lose files.
Regarding a sensible power plan: I rather meant something like sending the machine to sleep on idle after maybe an hour.

Regarding point 2: So I understand that the device will need a constant internet connection, even if the App runs on a mobile phone in the same network? What provisions do you have for the case of you shutting down the servers?

I could maybe imagine using something like this, but only one the conditions that it works fully internally, and has management available as a windows program that can run on a server.
And that only if for whatever reasons I have machines that have no AMT / IME available.

Do you have any plans of going open source? That would, In my opinion greatly increase appeal.

[bd139]

Sell me on it versus other OOBM systems like IME / AMT. I can do all of that already via host ethernet interface.

Hi bd139,

I wasn’t aware of this technology (probably the vast majority of desktop PC users also aren’t). Although for the information I could gather from the internet, seems quite complicated to implement (again, for the average user). I couldn’t find the software price (some comments say it is expensive). Also found several articles about vulnerabilities.

Thanks for your comment.

We mostly are in the IT sector. You turn the flag on in the BIOS then run IPMIview which is dead simple. The software is free.

https://www.supermicro.com/en/solutions/management-software/ipmi-utilities

The average desktop user probably doesn't need or care for it.

[Snatek]

Thank you for the fast reply.

Regarding point 1: One aspect I missed, especially regarding user that do not shutdown: Those users will also keep files open. So, what will happen then? The shutdown will be interrupted by the windows "Please close your files" dialog. I do not know if that has a timeout and will shutdown anyway after some time, but if the users sees that in the morning and cancels the shutdown, the system will likely be in an inconsistent state due to background programs that have already been stopped. And if you force the shutdown by "holding down" the button, users will lose files.
Regarding a sensible power plan: I rather meant something like sending the machine to sleep on idle after maybe an hour.

Regarding point 2: So I understand that the device will need a constant internet connection, even if the App runs on a mobile phone in the same network? What provisions do you have for the case of you shutting down the servers?

I could maybe imagine using something like this, but only one the conditions that it works fully internally, and has management available as a windows program that can run on a server.
And that only if for whatever reasons I have machines that have no AMT / IME available.

Do you have any plans of going open source? That would, In my opinion greatly increase appeal.

1. Habitually (for what I have seen) the users who don’t turn off their computers don’t do it because they don’t want to wait for the computer to turn on, and ignore the energy costs of doing this. Others because their PC is slow and don’t want to be bothered by the maintenance task that the computer automatically performs (Updates, virus scanning, HDD defragmentation, backups, etc.), hopping they will be made when they are not using the PC.
I would probably reprimand a worker that doesn’t save his work before leaving, but for that type of user you describe I suppose the best option could be to configure the power button as sleep button on windows, so the unsaved work remains but with much less power consumption.

2. Yes, the device (and the App) needs to be connected to the internet to use all it’s functions. If the project gets funded, keeping the PC Manager host service working over the years will not be a problem, as the hosting maintenance is not very expensive. The problem with working on LAN is that the configuration of each device will probably be more complicated (must input every device’s IP address, and it must to be fixed, etc.). If this is a general concern, I suppose we can add a feature that allows it to work on LAN in the future, for the advanced users.

I’ve heard various cases of Chinese products releasing even before the Kickstarter campaign fulfillment, and after putting lots of work in this project I don’t want to take the risk. Also, going open source will probably imply security risks for the users.

Thanks.

[Snatek]

Sell me on it versus other OOBM systems like IME / AMT. I can do all of that already via host ethernet interface.

Hi bd139,

I wasn’t aware of this technology (probably the vast majority of desktop PC users also aren’t). Although for the information I could gather from the internet, seems quite complicated to implement (again, for the average user). I couldn’t find the software price (some comments say it is expensive). Also found several articles about vulnerabilities.

Thanks for your comment.

We mostly are in the IT sector. You turn the flag on in the BIOS then run IPMIview which is dead simple. The software is free.

https://www.supermicro.com/en/solutions/management-software/ipmi-utilities

The average desktop user probably doesn't need or care for it.

Although PC Manager may be compatible with some servers, the product is mainly designed for standard desktop computers. This seems to be a Supermicro’s specific thing, if you have various brands of servers, do you have to use one specific software for each brand? Or is there a software that supports all brands of servers? (Just curious, never worked with servers).

You are probably right, but I want to give a chance to users and small companies, for which this you are describing is very advanced, to use a more user-friendly software.

Thanks.

[bd139]

It works with desktop chipsets as well. Supermicro just provide a nice client for it.

[PlainName]

This device looks very nice, but how does it compare to the $13 (inc shipping) one on Aliexpress?

eWeLink Mini PCI-e Desktop PC Remote Control Switch

Which raises a question: inside a metal PC case, how does yours get a WiFi signal?

[Snatek]

This device looks very nice, but how does it compare to the $13 (inc shipping) one on Aliexpress?

eWeLink Mini PCI-e Desktop PC Remote Control Switch

Which raises a question: inside a metal PC case, how does yours get a WiFi signal?

Hi dunkemhigh,

Thanks for your comment.

The major problem I see with that device is the lack of shielding of the Wi-Fi controller section of the PCB (PC Manager is properly shielded), which may negatively interfere with the computer’s high-speed signals.

Of course, it’s much cheaper, but that will almost certainly imply lower quality on design, production and components, lack of testing, etc. (as in the case of the shielding), which may put in risk your computer and its data.

Obviating these problems, PC Manager has some additional features over that device:

• It doesn’t occupy a PCIe slot.
• You don’t have to choose between “power” or “reset” signals, as it does support both connections.
• As PC Manager uses its own specifically designed software, it will probably support more features than that device’s app, which apparently, it’s universal to a wide range of IoT devices.
• Automatic PC boot error detection and notification.
• Computer freeze/crash detection and notification.
• It has multiple built-in electronic safety features to prevent any damage to the PC even if incorrectly assembled.
• It is built in the EU using electronic components from top global brands (e.g., Texas Instruments, Samsung, etc.).
• It allows granting partial or total control of PC Manager’s functions to other specified users.

In reference with the Wi-Fi signal inside the PC case, there are two PC Manager versions:

• With internal antenna: for off the case testing and open-frame assemblies, like rigs, etc., without messing with additional cables or the antenna position.
• With external antenna: for most PC types, as the metallic case of the computer blocks the Wi-Fi signal. The antenna is so small that it can be easily hidden inside the PC’s front trim.

[wraper]

The major problem I see with that device is the lack of shielding of the Wi-Fi controller section of the PCB (PC Manager is properly shielded), which may negatively interfere with the computer’s high-speed signals.

It's not a problem and it's not real that it will affect anything within a PC.

It doesn’t occupy a PCIe slot.

As of your device, it's a dangling box which is impossible to properly fix/attach within PC.

The antenna is so small that it can be easily hidden inside the PC’s front trim.

Another dangling thing.

[wraper]

Even if not occupying any slots, I would simply make standard bracket with pcb attached and antenna coming straight out of PCB into back of the case. No case needed, no coax routing through PC and dangling antenna somewhere in front, no 2 versions of the device needed. No strapping with zip ties, everything held by that bracket.

[rs20]

Also, going open source will probably imply security risks for the users.

Aha, you're going for the old 'security through obscurity' route, are you? That's a red flag if ever I saw one.

[Monkeh]

Also, going open source will probably imply security risks for the users.

No, writing bad code will.

[PlainName]

Obviating these problems, PC Manager has some additional features over that device:

Thanks for the detailed reply.

As a personal issue, I would prefer the ability not to have some custom code required for something to work since it invariably stops working when the OS changes (or even just gets updated). If yours doesn't already allow for that perhaps a mode where it Just Works in a limited way would be useful.

[bd139]

Also, going open source will probably imply security risks for the users.

Aha, you're going for the old 'security through obscurity' route, are you? That's a red flag if ever I saw one.

LMAO. Yep that’s end of the pitch for me. Not the fact that’s it’s closed source but the misunderstanding of fundamental security idioms.

[madires]

https://en.wikipedia.org/wiki/Intel_Active_Management_Technology

[bd139]

Already pointed that out above.

I don’t understand the demand or market for the product. Home users and small businesses don’t care and corporate users already have solutions.

[janoc]

Do I understand this correctly that the PC manager is an internet connected gizmo that will allow remote control of the computer - over the internet, using a proprietary service ran by your company? And you want to sell this to companies as a somehow good idea? Did you consider what will happen if someone hacks your service (which is pretty certain to happen, especially given your security by obscurity approach)? Not only could someone instantly disable/crash a load of computers somewhere but if the devices have insecure firmware (very likely), they will act as a wonderful vector into the company's network, bypassing the usual access controls (otherwise they wouldn't be able to do their job).

Not only is this a solution looking for a problem (home users won't care and pros will frogmarch anyone plugging a gizmo like this into their office computer out of the door), it is also asking to get hacked for anyone foolish enough to install this.

Engineering isn't only whether something can be done but also whether it should be.

[Snatek]

The major problem I see with that device is the lack of shielding of the Wi-Fi controller section of the PCB (PC Manager is properly shielded), which may negatively interfere with the computer’s high-speed signals.

It's not a problem and it's not real that it will affect anything within a PC.

It doesn’t occupy a PCIe slot.

As of your device, it's a dangling box which is impossible to properly fix/attach within PC.

The antenna is so small that it can be easily hidden inside the PC’s front trim.

Another dangling thing.

I am not an expert on RF/EMI, but if you do a quick search on Google or Amazon for a Wi-Fi PCIe card (or any other kind of Wi-Fi module), you will find that the vast majority of cards (even the cheap ones) have a metal shield over the Wi-Fi section. If the EMI isn’t a concern in this case, why do the majority of manufacturers include it? Also, there is a reason why the computer cases are usually made of steel, instead of plastic, wood or other cheap materials.

In the worst case, there would be a 500 mW and 2.4 GHz signal radiated at a few millimeters of a various GHz low voltage signals (some signals are differential paired, but others aren’t).

Even if not occupying any slots, I would simply make standard bracket with pcb attached and antenna coming straight out of PCB into back of the case. No case needed, no coax routing through PC and dangling antenna somewhere in front, no 2 versions of the device needed. No strapping with zip ties, everything held by that bracket.

We include Zip ties to fix the PC Manager unit and its antenna (with its small footprint, less than a standard credit card, it is easily fixable even in very small HTPC cases. I had one PC Manager running on one of those for the last 5 months and nothing is dangling nor obstructing anything).

If I go with PCI bracket, then the product wouldn’t support open-air cases or testing rigs. Also, instead of two antenna models, I will have to include two different size PCI brackets (for different case sizes).

Also, going open source will probably imply security risks for the users.

Aha, you're going for the old 'security through obscurity' route, are you? That's a red flag if ever I saw one.

I never said that was the main reason. The main reason is that I don want to put my work, effort and money on hands of a low-quality clone factory in China (in my opinion, that would be a shot in the foot). But is undeniable that making public every single detail of the hardware and software of any product with internet access would make that product more hacker-friendly, independently of the programing quality.
However, if for a strange reason I stop supporting PC Manager service (Which I probably won’t, because once developed, is very simple and cheap o maintain it), I would have no problem to make Open Source every data I ever had of it.

Obviating these problems, PC Manager has some additional features over that device:

Thanks for the detailed reply.

As a personal issue, I would prefer the ability not to have some custom code required for something to work since it invariably stops working when the OS changes (or even just gets updated). If yours doesn't already allow for that perhaps a mode where it Just Works in a limited way would be useful.

As other users were concerned on this, I will add support to PC Manager to work only on LAN for advanced users, knowing that it would be necessary to individually configure every PC Manager’s IP addresses as fixed (or bind its MAC to an IP address on the router’s configuration).
I will add it to the Kickstarter campaign in the following days.

Already pointed that out above.

I don’t understand the demand or market for the product. Home users and small businesses don’t care and corporate users already have solutions.

That is your opinion, not necessarily a fact. Do you think a small company with 10 computers will take the time/effort to implement AMT/IPMI, etc.? but at the same time, that company may be interested in using something simple to use with similar capabilities.


Thanks to all.

[bd139]

I worked with hundreds of small businesses. I’ve run small businesses. This isn’t even on the roadmap until you get to 200 seats+

[wraper]

In the worst case, there would be a 500 mW and 2.4 GHz signal radiated at a few millimeters of a various GHz low voltage signals (some signals are differential paired, but others aren’t).

You are not allowed to go above 100mW for 2.4 GHz band in most regions. And generally wifi devices don't go above that. Also unless there is something horribly wrong with device, most of power will go into antenna outside the PC.

[bd139]

Good point. Most of the antennas provide some gain so the ERP is slightly higher which is what you see in the marketing but it is 100mW at the antenna feed.

[Snatek]

In the worst case, there would be a 500 mW and 2.4 GHz signal radiated at a few millimeters of a various GHz low voltage signals (some signals are differential paired, but others aren’t).

You are not allowed to go above 100mW for 2.4 GHz band in most regions. And generally wifi devices don't go above that. Also unless there is something horribly wrong with device, most of power will go into antenna outside the PC.

Yes, I meant 100 mW (160 mW max., in this case), I mixed things up. Still enough power to use shielding, as in the case of the vast majority of Wi-Fi devices.

[Snatek]

Do I understand this correctly that the PC manager is an internet connected gizmo that will allow remote control of the computer - over the internet, using a proprietary service ran by your company? And you want to sell this to companies as a somehow good idea? Did you consider what will happen if someone hacks your service (which is pretty certain to happen, especially given your security by obscurity approach)? Not only could someone instantly disable/crash a load of computers somewhere but if the devices have insecure firmware (very likely), they will act as a wonderful vector into the company's network, bypassing the usual access controls (otherwise they wouldn't be able to do their job).

Not only is this a solution looking for a problem (home users won't care and pros will frogmarch anyone plugging a gizmo like this into their office computer out of the door), it is also asking to get hacked for anyone foolish enough to install this.

Engineering isn't only whether something can be done but also whether it should be.

I think you had made a lot of assumptions. The reason the product is not Open Source is not because of a low quality or insecure code (The service will not be provided by a server in my house, but by a proper hosting with redundancy and proper security measures), but to avoid to low quality clone factories to take advantage of my work and money.

If you have an IoT device, it probably works in the same way.

[bd139]

How are you providing security controls and authentication both of the device and the users? What is your privacy and security policy? What physical access controls and key management controls do you have in place? Are you willing to have the code audited by an independent contractor (NCC will do this starting at about £20k)? Which cloud provider do you use? What is their security policy? What libraries do you import? What are the security controls on those? What is your GDPR situation and who is the data controller?

Welcome to my world which is very complicated bringing a product into in 2019.

Also worth a watch as to how even higher investment can produce a “fuck up” (excuse the pun): hacking buttplugs. https://youtu.be/RnxcPeemHSc

[PlainName]

Aha, you're going for the old 'security through obscurity' route, are you?

Imagine a door with a handle. 100 people try to open it, most pushing the handle down to start with. Not all open it and a proportion give up. Now imagine a notice above the door: "Lift handle to open". Of 100 people, more open it now (but some still fail and give up - such is life as a human!).

Are you saying that not obscuring stuff is exactly as secure as going out of your way to tell anyone who wants to know the detail?

Are you also saying that making source available lets security bloopers be seen and fixed? It should but in practice there are loads of exploits, many in security-centric applications. In fact, the wonder is that more bad guys haven't exploited the bloopers no-one else has been arsed to find in open source code.

Surely the better way would be to use code that is apparently secure (properly audited, open source or not) but still obscure it anyway, just in case. Just like one might always use a voltage tester on a mains cable, even after turning off the mains and pulling the circuit breaker, before touching it.

[Snatek]

How are you providing security controls and authentication both of the device and the users? What is your privacy and security policy? What physical access controls and key management controls do you have in place? Are you willing to have the code audited by an independent contractor (NCC will do this starting at about £20k)? Which cloud provider do you use? What is their security policy? What libraries do you import? What are the security controls on those? What is your GDPR situation and who is the data controller?

Welcome to my world which is very complicated bringing a product into in 2019.

Also worth a watch as to how even higher investment can produce a “fuck up” (excuse the pun): hacking buttplugs. https://youtu.be/RnxcPeemHSc

The cloud service is not ready yet, but it will work in a similar way as a website (with SSL encryption): with login/password (maybe 2FA, etc.). The cloud provider is not chosen yet. If the project gets funded, I will discuss the rest of your concerns with a proper software engineer (I am not). If the project is massively backed I will probably run a security audit, but if not, I don’t see any hacker goddess bypassing lots of security measures only to bother to users of a low implemented product (the worst that hacker could do is to force the PC's shutdown), which the affected one can fix by simply unplugging the PC Manager's power cable (computer’s front panel controls would still work) until we solve the problem.

We do actually have a website (https://www.pc-manager.net/) that is in compliance with GDPR. But as we value the users’ privacy, we will probably make the PC Manager “cloud” to run without the need of any personal data.

Yes indeed, it is not easy to bring a product at this time, but at least it helps to keep updated the acquired knowledge.

[madires]

(The service will not be provided by a server in my house, but by a proper hosting with redundancy and proper security measures)

If - for whatever reason - the servers are shut down, do all PC manager devices become e-junk?

[BravoV]

(The service will not be provided by a server in my house, but by a proper hosting with redundancy and proper security measures)

If - for whatever reason - the servers are shut down, do all PC manager devices become e-junk?

Looks like it, as its all proprietary.

I think your question is also answered too, indirectly though from previous multiple answers, as what the Op keeps pointing out is, just trust them, ask no more, because he/she said so.

This is what gathered so far from this discussion.

[Bud]

Who is going to provide customer support. Yourself sitting beside the server in your house? Is it just a single server by the way? Are you familiar with the concepts of Business Continuity and Disaster Recovery?

"Simply unplugging the power cable" is a Major inconvenience to the customer by the way. You sure every grandma will know how and when to do it? You will be instructing people via your facebook?

[Snatek]

(The service will not be provided by a server in my house, but by a proper hosting with redundancy and proper security measures)

If - for whatever reason - the servers are shut down, do all PC manager devices become e-junk?

As stated in previous messages, In the coming days I will add the support of LAN controlling (without the need of any external server) to the Kickstarter campaign, for advanced users. In addition, I will have no reason to “shutdown” the cloud service provider, as its maintenance costs would be low. Why would I put my reputation in risk only to save a tiny amount of money?

I also stated previously that if for whatever strange reason I stop supporting PC Manager in the future, I'll have no problem to make everything Open Source.

Who is going to provide customer support. Yourself sitting beside the server in your house? Is it just a single server by the way? Are you familiar with the concepts of Business Continuity and Disaster Recovery?

"Simply unplugging the power cable" is a Major inconvenience to the customer by the way. You sure every grandma will know how and when to do it? You will be instructing people via your facebook?

That would depend on the specific problem and/or the project popularity. I will not have a server in my house, as previously (ironically) stated, but a cloud service provider with redundancy and proper security measures.

I just stated what would happen in the worst (and unlikely) case. Probably there are other more important and active vulnerabilities your computer can have at this moment (Windows’s, Intel’s, etc.). The security is our second concern, only behind the product safety/reliability, and it’s included on the product price (that is one of the reasons why it costs more than the Chinese product stated in previous messages).

[PlainName]

I am on the verge of backing this. My partner uses WoL to get her PC running when she is on the road, but sometimes it doesn't work (ISTR Microsoft furkled with the network stack a while back which borked it until I found the fix), so this might save me having to pretend interest in support.

But... I am lost as to the point of the power and reset buttons. I mean, if you are in a position to stab those, surely you could just press the real ones. Or is the intent (for some uses) to completely disconnect the front panel to prevent passers-by from dicking with it?

[Snatek]

I am on the verge of backing this. My partner uses WoL to get her PC running when she is on the road, but sometimes it doesn't work (ISTR Microsoft furkled with the network stack a while back which borked it until I found the fix), so this might save me having to pretend interest in support.

But... I am lost as to the point of the power and reset buttons. I mean, if you are in a position to stab those, surely you could just press the real ones. Or is the intent (for some uses) to completely disconnect the front panel to prevent passers-by from dicking with it?

The device has a (labeled) connector for the front panel signals (power/reset buttons and Power/HDD LEDs), and works independently of the PC Manager (the PC signals are internally connected with the front panel ones and in parallel with the PC Manager’s isolated ones), so you have the option to remain the front panel in use or not, as you wish.

[Ranayna]

I would not trust that chinese card *at all*. That thing has access to the PCIe bus and can transmit your data to who-knows-where.
In that regard, the PC Manager is indeed better.

Regarding security, I think enough has been said.

Aha, you're going for the old 'security through obscurity' route, are you?

Imagine a door with a handle. 100 people try to open it, most pushing the handle down to start with. Not all open it and a proportion give up. Now imagine a notice above the door: "Lift handle to open". Of 100 people, more open it now (but some still fail and give up - such is life as a human!).

Are you saying that not obscuring stuff is exactly as secure as going out of your way to tell anyone who wants to know the detail?

Are you also saying that making source available lets security bloopers be seen and fixed? It should but in practice there are loads of exploits, many in security-centric applications. In fact, the wonder is that more bad guys haven't exploited the bloopers no-one else has been arsed to find in open source code.

Surely the better way would be to use code that is apparently secure (properly audited, open source or not) but still obscure it anyway, just in case. Just like one might always use a voltage tester on a mains cable, even after turning off the mains and pulling the circuit breaker, before touching it.

Your analogy might be true for inherently unsecure systems, i.e. an unlocked door. Stuff like that is often done to "secure" stuff like Windows Remote Desktop. People change the default port and think they are secure now  True, that keeps the script kiddies out, but not a determined attacker.
But a properly set up system is secure even when the source is open.
With a closed source system you can be secure, but you do not have any way of checking for security. The old security saying "Do not roll your own crypto" is important here. And most well known, established, and secure crypto is fully open. And why do we *know* it is secure? Because both the algorithms and the implementations are open.

And the security against chinese clones... If PC manager is deemed "worth it" it will be cloned the minute your device is released. At best, your obscurity is buying you some time while at the same time alienating any security aware user.

In the worst case, there would be a 500 mW and 2.4 GHz signal radiated at a few millimeters of a various GHz low voltage signals (some signals are differential paired, but others aren’t).

You are not allowed to go above 100mW for 2.4 GHz band in most regions. And generally wifi devices don't go above that. Also unless there is something horribly wrong with device, most of power will go into antenna outside the PC.

Yes, I meant 100 mW (160 mW max., in this case), I mixed things up. Still enough power to use shielding, as in the case of the vast majority of Wi-Fi devices.

Where are you getting that 160 mW figure from? Since you do not use 5GHz (you could use 200 mW there) you are limited to 100mW. What wifi chipset do you use?

[PlainName]

And why do we *know* it is secure? Because both the algorithms and the implementations are open.

As I pointed out, being open doesn't mean anyone actually checks it over. There have been security application which are open that had serious bugs that no-one ever saw because no-one ever looked.

But a properly set up system is secure even when the source is open.

You assume. Until an issue is discovered because even security people can make mistakes, you know. Hardly anything is infallible.

Surely an extra layer would be to just hide what you're using, whether it's allegedly infallible or not, and then the good old exploit search engines wouldn't highlight the system 5 mins after an issue is discovered. The way you go on, it seems like you're saying that not telling anyone you're using open source means it's automatically less secure than if you broadcast the fact!

[wraper]

BTW about shields. For example Raspberry pi 3 does not use any shield above wifi chip and got FCC approval just fine. My TPlink Archer C7 router does not have shields too.

[Snatek]

And the security against chinese clones... If PC manager is deemed "worth it" it will be cloned the minute your device is released. At best, your obscurity is buying you some time while at the same time alienating any security aware user.

In that case, they can copy the hardware (probably eliminating some safety components to save on production costs) but they will not be able use the PC Manager software, so they will have to develop its own (probably in Chinenglish, as the majority of its software).

In the worst case, there would be a 500 mW and 2.4 GHz signal radiated at a few millimeters of a various GHz low voltage signals (some signals are differential paired, but others aren’t).

You are not allowed to go above 100mW for 2.4 GHz band in most regions. And generally wifi devices don't go above that. Also unless there is something horribly wrong with device, most of power will go into antenna outside the PC.

Yes, I meant 100 mW (160 mW max., in this case), I mixed things up. Still enough power to use shielding, as in the case of the vast majority of Wi-Fi devices.

Where are you getting that 160 mW figure from? Since you do not use 5GHz (you could use 200 mW there) you are limited to 100mW. What wifi chipset do you use?

100 mW is the maximum in some countries, but others have a higher maximum power (4,000 mW on India, for example). That is why most Wi-Fi routers and other Wi-Fi stuff will ask you the country: to limit the maximum power radiated by the device. It's a Wi-Fi module (with FCC and CE compliance).

BTW about shields. For example Raspberry pi 3 does not use any shield above wifi chip and got FCC approval just fine. My TPlink Archer C7 router does not have shields too.

You aren’t probably going to put your Router or your Raspberry Pi enclosed in a metal case next to various several GHz signals. No Wi-Fi system is perfect. There would be losses before reaching the antenna, if you want that EMI near to your PC signals, is up to you but I prefer not taking the risk and shield it. The fact is that every quality PCIe and M.2 PCIe has a shield over the Wi-Fi section, and the ones it doesn’t have, it’s because has been carefully measured and designed so the manufacturer can save on the shield (I doubt any random factory on china supplying unbranded products is concerned by this, but I could be wrong).


Thanks to all.

[Monkeh]

I would not trust that chinese card *at all*. That thing has access to the PCIe bus and can transmit your data to who-knows-where.

Uh, five seconds of looking at it shows that is not the case.

[janoc]

I think you had made a lot of assumptions. The reason the product is not Open Source is not because of a low quality or insecure code (The service will not be provided by a server in my house, but by a proper hosting with redundancy and proper security measures), ...

Your answers only show that you don't have much of an idea about computer security.

You are asking everyone to take you for your word on the device being secure. A company with no reputation, no references and product starting on Kickstarter. Don't take it personally but that's just a no.

Open sourcing the product is only one way of fixing that, I understand that you may not want to do that for business reasons. However, other options could be e.g. an independent firmware/software (including backend and the mobile app!) audit by a reputable company/researchers, published update policy (how often, how long does it take to fix security critical issues, both in the app and the firmware), dedicated security contact on your web site for reporting problems, and, for example, references of the hosting company, so that customer could have at least some idea of what security is in place. How much of that do you have in place before unleashing this on your paying clients? Starting to think about it only once your clients get hacked and there is a CVE assigned to it already would be too late.

Using a hosting company alone means exactly nothing when it comes to security. You wouldn't believe how many hosters keep e.g. customer passwords and credit card data in unecrypted databases, with the argument being that they require it to provide support when the client has problems logging in. Not kidding, I have this in writing from a customer rep of one such rather big name hoster after my personal site was hacked thanks to them and used to host a phishing website for stealing money from clients of some US investment bank. They consider it a normal practice, apparently!

but to avoid to low quality clone factories to take advantage of my work and money.

That's a pretty poor argument for putting your clients at risk. Is their work and money worth less than your work and money?

If you have an IoT device, it probably works in the same way.

Are you really trying to make an argument that because the security dumpster fire of IoT is a standard fare, it is OK to release another such product and sell it to businesses? You are really not helping your case here, IMO.

Also, there is a heck of a difference between a smart light bulb or a doorbell and something meant for an actual business use. I can guarantee you that you won't find the former in the latter, as long as there is a semi-competent IT manager around.

[PlainName]

However, other options could be e.g. an independent firmware/software (including backend and the mobile app!) audit by a reputable company/researchers, published update policy (how often, how long does it take to fix security critical issues, both in the app and the firmware), dedicated security contact on your web site for reporting problems, and, for example, references of the hosting company, so that customer could have at least some idea of what security is in place.

If even a fraction of the IoT stuff on Amazon managed a quarter of that! Yet they sell by the boatload. Wouldn't surprise me if most people here have kit that fails on pretty much all of your points, despite them arguing that this will kill the product on Kickstarter.

[Snatek]

I think you had made a lot of assumptions. The reason the product is not Open Source is not because of a low quality or insecure code (The service will not be provided by a server in my house, but by a proper hosting with redundancy and proper security measures), ...

Your answers only show that you don't have much of an idea about computer security.

You are asking everyone to take you for your word on the device being secure. A company with no reputation, no references and product starting on Kickstarter. Don't take it personally but that's just a no.

Open sourcing the product is only one way of fixing that, I understand that you may not want to do that for business reasons. However, other options could be e.g. an independent firmware/software (including backend and the mobile app!) audit by a reputable company/researchers, published update policy (how often, how long does it take to fix security critical issues, both in the app and the firmware), dedicated security contact on your web site for reporting problems, and, for example, references of the hosting company, so that customer could have at least some idea of what security is in place. How much of that do you have in place before unleashing this on your paying clients? Starting to think about it only once your clients get hacked and there is a CVE assigned to it already would be too late.

Using a hosting company alone means exactly nothing when it comes to security. You wouldn't believe how many hosters keep e.g. customer passwords and credit card data in unecrypted databases, with the argument being that they require it to provide support when the client has problems logging in. Not kidding, I have this in writing from a customer rep of one such rather big name hoster after my personal site was hacked thanks to them and used to host a phishing website for stealing money from clients of some US investment bank. They consider it a normal practice, apparently!

but to avoid to low quality clone factories to take advantage of my work and money.

That's a pretty poor argument for putting your clients at risk. Is their work and money worth less than your work and money?

If you have an IoT device, it probably works in the same way.

Are you really trying to make an argument that because the security dumpster fire of IoT is a standard fare, it is OK to release another such product and sell it to businesses? You are really not helping your case here, IMO.

Also, there is a heck of a difference between a smart light bulb or a doorbell and something meant for an actual business use. I can guarantee you that you won't find the former in the latter, as long as there is a semi-competent IT manager around.

Probably, the device you’ve used to write your post, in addition to being Closed Source, has dozens of known vulnerabilities and hundreds of other unknown ones, both in its hardware and its software. It’s also quite probable that any of those vulnerabilities would have much more devastating effects than the ones you are trying to attribute to this project based on no evidence.

If, as you say, is important to make the project Open Source to make it more secure (which I see it as an oxymoron), then how would I pay to any software engineer to fix those vulnerabilities once the clone factories make my business unsustainable? Are you relying on some random expert working for free to amend a problem that affect to small number of people/businesses?

“PC Manager” and “Snatek” are registered trademarks under my name, ID, address, etc. That data figures on the Global Brand Database and they store that data even after the trademark expiration (10 years). In base of this, yes, my personal reputation would be in risk if that devices have any kind of problem in the future.

... for anyone foolish enough to install this.

I don’t take anything personally but it is not an easy task when someone calls “fool” to any potential buyer, based in incorrect assumptions.

Regards.

[Ranayna]

That sounds like whataboutism at it's finest 

You are going on about physical safety quite a bit on the project page and you try to sell that as an advantage (compared to what?).
Sure, that is an important aspect, but essentially it is an aspect covered by product liability laws. So you need to cover those issues no matter what, otherwise you could be liable for damages.
That reminds me a bit of a common labeling for some foodstuffs here in Germany. In big letters on the front it then says "Without preservatives*" as if this is something noteworthy. Somewhere, in tiny font on the back you then see "*as prescribed by law". So they are not allowed to use preservatives anyway, but still use that fact to advertise.

The liability laws, sadly, generally have holes as large as barndoors in regards to IT security. Therefore it is only natural, as someone who wants to release a project, to put security as a secondary concern. But consider the possibility of raising *above* the level of all that abundant always connected IoT crap that is out there.
Currently you are just a small step above the crap, by the sole reason that you are European, and are therefore (easier) subjected to European liablity law. Not that chinese junk (or rather it's importers) is not subject to those, but enforcement seems to be to difficult there...

Then the question comes up: What do you *really* want to sell?
You are selling some hardware, where the software is included. The software alone has no value for you, except as an incentive to sell your hardware. Since you do not plan a subscription service, the software will *never* have more value than that.
The hardware alone could have a value, if someone else can write software, under the assumption that there even it is a significant market for your device.
Given the ease of access regarding wifi-connected microcontroller projects nowadays (hello ESP-32 and co) I can even relate to your fears regarding easy cloning.

I do not know where else you are advertising your campaign, I have it only seen here so far. And I am even a bit surprised that your are advertising here. The EEBVlog is not a computing forum. True, it has a computing related sub-section, but that is not the main focus, not by a long shot. And you are not showing much about the actual electronics of your device. Not even a board shot

At least the current status shows that the niche for your device seems to be surprisingly small, or you are not going to the right spots to advertise.

[janoc]

However, other options could be e.g. an independent firmware/software (including backend and the mobile app!) audit by a reputable company/researchers, published update policy (how often, how long does it take to fix security critical issues, both in the app and the firmware), dedicated security contact on your web site for reporting problems, and, for example, references of the hosting company, so that customer could have at least some idea of what security is in place.

If even a fraction of the IoT stuff on Amazon managed a quarter of that! Yet they sell by the boatload. Wouldn't surprise me if most people here have kit that fails on pretty much all of your points, despite them arguing that this will kill the product on Kickstarter.

And how much of that kit is meant to be used as an enterprise solution? Are we really comparing wifi LED bulbs from Amazon with something one is supposed to install into a company's computer and use on company network? Really??? 

[bd139]

Indeed. You won't find any rock bottom IoT shit in the average enterprise.

[janoc]

Probably, the device you’ve used to write your post, in addition to being Closed Source, has dozens of known vulnerabilities and hundreds of other unknown ones, both in its hardware and its software. It’s also quite probable that any of those vulnerabilities would have much more devastating effects than the ones you are trying to attribute to this project based on no evidence.

That's only your unfounded assumption about my PC that  you know nothing about and hand waving distracting from the point being debated.

If, as you say, is important to make the project Open Source to make it more secure (which I see it as an oxymoron), then how would I pay to any software engineer to fix those vulnerabilities once the clone factories make my business unsustainable? Are you relying on some random expert working for free to amend a problem that affect to small number of people/businesses?

Again a strawman argument - I have said explicitly that I understand you may not want to do it for business reason (not bothering to refute the "oxymoron" claim, that can be  easily debunked with a 5 minutes google search) and offered you alternatives - which you have all promptly ignored.

“PC Manager” and “Snatek” are registered trademarks under my name, ID, address, etc. That data figures on the Global Brand Database and they store that data even after the trademark expiration (10 years). In base of this, yes, my personal reputation would be in risk if that devices have any kind of problem in the future.

Which is of great help to anyone who gets hacked because of your device that you didn't fix problems in or don't even accept vulnerability reports for.

I don’t take anything personally but it is not an easy task when someone calls “fool” to any potential buyer, based in incorrect assumptions.

Regards.

It is difficult to call it anything else when you are intentionally avoiding answers to questions and trying to obfuscate the issue by throwing up irrelevant arguments, such as your trademark registration or supposed vulnerabilities in other devices. You have also not provided any arguments why my assumptions are incorrect. 

[Snatek]

We just added a feature to PC Manager that allows (advanced) users to completely disable internet access and to work only on LAN. This function will result in a little more time to configure each device (more than the 2 minutes it takes with the default configuration) for users who opt for this function.

As this function allows the PC Manager to work completely offline, I hope this will mitigate the concerns some users had about security and/or about a hypothetical product end of life.

Adding this feature doesn’t mean we will relax our security policy; it is only an additional layer of protection for those who wants it.

This feature has been included in the campaign already.

[BravoV]

We just added a feature to PC Manager that allows (advanced) users to completely disable internet access and to work only on LAN. This function will result in a little more time to configure each device (more than the 2 minutes it takes with the default configuration) for users who opt for this function.

As this function allows the PC Manager to work completely offline, I hope this will mitigate the concerns some users by nice EEVBlog forum fellows had about security and/or about a hypothetical product end of life.

Adding this feature doesn’t mean we will relax our security policy; it is only an additional layer of protection for those who wants it.

This feature has been included in the campaign already.

You're welcome.

PS : correction added