Author Topic: Siglent Technical Support join in EEVblog  (Read 528364 times)


Offline Docholiday

  • Regular Contributor
  • *
  • Posts: 217
  • Country: us
Re: Siglent Technical Support join in EEVblog
« Reply #375 on: March 14, 2015, 04:56:09 am »
A file embedded with a digital code is no longer a viable method to ensure a file's integrity. Those days are long gone...
 

Offline Rene

  • Regular Contributor
  • *
  • Posts: 67
Re: Siglent Technical Support join in EEVblog
« Reply #376 on: March 14, 2015, 05:48:43 am »
A file embedded with a digital code is no longer a viable method to ensure a file's integrity. Those days are long gone...

Why do you say that? Digital signatures on files are how all reputable companies distribute software. Can you point me to some reference that states that digital code is no longer a viable method to ensure a file's integrity?
 

Offline pickle9000

  • Super Contributor
  • ***
  • Posts: 2439
  • Country: ca
Re: Siglent Technical Support join in EEVblog
« Reply #377 on: March 14, 2015, 07:25:57 am »
One thing Siglent really beats Rigol at, firmware updates.

Too bad they continue to behave in such an irresponsible manner as to continue the practice of distributing software that has not been digitally signed. Such lack of consideration towards their customers' security concerns.... oh well.

Security is minor compared to the functionality, usability. All Chinese scope manufacturers fail big time on that count.
 

Offline tautech

  • Super Contributor
  • ***
  • Posts: 28371
  • Country: nz
  • Taupaki Technologies Ltd. Siglent Distributor NZ.
    • Taupaki Technologies Ltd.
Re: Siglent Technical Support join in EEVblog
« Reply #378 on: March 14, 2015, 07:54:50 am »
One thing Siglent really beats Rigol at, firmware updates.

Too bad they continue to behave in such an irresponsible manner as to continue the practice of distributing software that has not been digitally signed. Such lack of consideration towards their customers' security concerns.... oh well.

Security is minor compared to the functionality, usability. All Chinese scope manufacturers fail big time on that count.
Just what OS's warn of a file not signed? I only use Windows and wonder if other OS's wave the red flag like it does.  :-//

IMO it's the file source that's most important and that file's supplier's efforts to ensure their repository is secure in order to protect their customers.
Is this view naive?
« Last Edit: March 14, 2015, 07:57:50 am by tautech »
Avid Rabid Hobbyist
Siglent Youtube channel: https://www.youtube.com/@SiglentVideo/videos
 

Offline Docholiday

  • Regular Contributor
  • *
  • Posts: 217
  • Country: us
Re: Siglent Technical Support join in EEVblog
« Reply #379 on: March 14, 2015, 10:21:56 am »
It is exactly as tautech stated: what is most important is the manufacturer's server where these files reside. This is the critical path for file security. Reliance on an embedded code is only a deterrent. To safely secure a file one would have to provide a form of encryption. The encryption process would have to be a two part encryption similar to what PGP encryption provides - public and private keys. This would be expensive for any manufacturer to maintain, provide for their customers, and make available globally. So it comes down to cost and the only viable solution is to embed a code into the file. Look at it as a unique sticker that says "Made in America". When installing this software it will look into a database, more than likely on your computer, to see if this software matches a code that is in that database. If not, it will then display that the file is not digitally signed. Some manufacturers require you to have internet access not just to download the file but to check the digital signed process on their servers (two part process); that is a better form of file security. The database is part of your frequent security updates. It is a simple method to determine what is used by downloading the file, then turn off your Wi-Fi and start installing the file. If it installs successfully, that digital code is being read from a database installed on your PC. If not, it will tell you that it could not access or install because of no internet access.

This method of digitally signing a file has been around since the stone age! We used to call it checksum. So take all this with a grain of salt. Keep up with your OS security updates and OS and application updates too. Most importantly, virus and adware applications are updated too. Following these simple processes will minimize your exposure to viruses, adware, and malware. Only download/install files from sources you know and trust. Google them if you are not sure.

For those curious I am a retired computer forensics expert with 25 years of experience and an expert witness in a court of law for ten years. Now working on career number two as an EE engineer.

Nicholas
« Last Edit: March 14, 2015, 10:29:24 am by Docholiday »
 

Offline Rene

  • Regular Contributor
  • *
  • Posts: 67
Re: Siglent Technical Support join in EEVblog
« Reply #380 on: March 15, 2015, 07:07:55 pm »
Perhaps we are talking about two different types of digital signature. The digital signature that I am talking about (the one that is used by the Windows operating system to guarantee that the downloaded file has not been tampered with) is nowhere near a simple checksum value (not even close).

To digitally sign a file, you must first get a code signing certificate from a trusted certificate authority and use that certificate to sign the file (this certificate consists of private and public keys). In order for someone to digitally sign a file on your behalf they must have the private key, which they will not have. This type of digital file signature is not a mom and pops solution, it uses strong encryption and it is the de facto standard (as far as I am aware of) to guarantee that nobody has tampered with the file.

A quick internet search yielded the following links describing the process:

http://en.wikipedia.org/wiki/Digital_signature
https://www.comodo.com/resources/small-business/digital-certificates3.php

It is true that downloading files directly from the owner’s site is always better than downloading the file from some bogus site but it is still not a convincing way to guarantee that the file has not been tampered with.

Regarding the comment about the cost of obtaining and maintaining a digital signature certificate. This is not an issue at all. Obtaining a signing certificate is dirt cheap and signing a file is extremely simple, I know this for a fact. But no one has to believe me, just look it up and you will see.

The bottom line is that it is irresponsible for a company to take chances on customer security matters by not digitally signing their files (in Siglent's case, they need to digitally sign their zip files). Sorry, don’t mean to sound rude but that is just a fact.

In any event, as someone else mentioned, I doubt that these guys could care less, this will become evident by the fact that Siglent will ignore these posts and pretend this is not an issue. Too bad because I do like Siglent stuff and I really wish they cared.
 

Offline tautech

  • Super Contributor
  • ***
  • Posts: 28371
  • Country: nz
  • Taupaki Technologies Ltd. Siglent Distributor NZ.
    • Taupaki Technologies Ltd.
Re: Siglent Technical Support join in EEVblog
« Reply #381 on: March 15, 2015, 07:47:59 pm »

The bottom line is that it is irresponsible for a company to take chances on customer security matters by not digitally signing their files (in Siglent's case, they need to digitally sign their zip files). Sorry, don’t mean to sound rude but that is just a fact.

Siglent is not the only supplier of code that is not digitally signed, you must be well aware of this.

Quote
In any event, as someone else mentioned, I doubt that these guys could care less, this will become evident by the fact that Siglent will ignore these posts and pretend this is not an issue. Too bad because I do like Siglent stuff and I really wish they cared.

Really.....that's strong language.

The facts are SIGLENT are on this forum searching for any problems their customers are having ON A DAILY BASIS.

As the Siglent network (CN, EU & USA) is very engaged with this community along with others like myself, they offer almost 24/7 support for their products on EEVblog.

I understand your concerns and others no doubt do too, but point us to problems that have arisen as a result of unsigned files from Siglent.


If this was a REAL issue I'm sure it would have been addressed by now.
Siglent USA will be very aware of these general concerns and quite likely are working in the background to address this. I imagine unsigned files are not a concern in eastern markets like they are here, probably a hanging offence to tamper with files there.  :-DD


In relation to ignored posts, Siglent sees all posts but even for me some are difficult to understand.
Some are reported to Siglent and they come back here for more information from customers.
The language issue is sometimes a problem, but name me a Chinese company that doesn't have this problem.

All requests for help must be as clear and meaningful as possible to be fully understood.
 

« Last Edit: March 15, 2015, 07:58:44 pm by tautech »
 

Offline Docholiday

  • Regular Contributor
  • *
  • Posts: 217
  • Country: us
Re: Siglent Technical Support join in EEVblog
« Reply #382 on: March 15, 2015, 08:00:53 pm »
 :palm: tautech don't even bother any further with this issue. There are always going to be people that lack the ability for adaptive reasoning. If his belief is that digitally signing a file is the right thing to do then so be it. If that gives the level of comfort he/she is looking for then that is his opinion and we as individuals have the option of not agreeing.

Don't fuel their 15 minutes of fame any more....

Nicholas
 

Offline tautech

  • Super Contributor
  • ***
  • Posts: 28371
  • Country: nz
  • Taupaki Technologies Ltd. Siglent Distributor NZ.
    • Taupaki Technologies Ltd.
Re: Siglent Technical Support join in EEVblog
« Reply #383 on: March 15, 2015, 08:12:39 pm »
:palm: tautech don't even bother any further with this issue. There are always going to be people that lack the ability for adaptive reasoning. If his belief is that digitally signing a file is the right thing to do then so be it. If that gives the level of comfort he/she is looking for then that is his opinion and we as individuals have the option of not agreeing.

Don't fuel their 15 minutes of fame any more....

Nicholas
@Docholiday
Thanks for your support but Rene is a valued customer and has every right for their concerns to be heard and discussed.

I may have risen to Rene's bait, but this topic might do well to be explored for all our interests.  :-//

 

Offline nctnico

  • Super Contributor
  • ***
  • Posts: 26906
  • Country: nl
    • NCT Developments
Re: Siglent Technical Support join in EEVblog
« Reply #384 on: March 15, 2015, 08:24:58 pm »
IMHO Rene is just kicking up dust.
I agree with Docholiday: Keep the anti malware & virus software on your PC up to date and look where you download files from.

There is no way to ensure that even a signed file is really from the author if you don't check where you download it from. If you have malware on your PC which redirects a web request to a different server (this is really easy to do even with secure connections!) then you'll happily download a signed file from a malicious source.
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 

Offline Rene

  • Regular Contributor
  • *
  • Posts: 67
Re: Siglent Technical Support join in EEVblog
« Reply #385 on: March 15, 2015, 09:05:58 pm »
Thanks for your support but Rene is a valued customer and has every right for their concerns to be heard and discussed.

I may have risen to Rene's bait, but this topic might do well to be explored for all our interests.  :-//

Thanks Tautech,

I am not going to deny that I probably went a little too far with my comments (probably uncalled for). I was aiming to get a reaction from Siglent since this is not the first time I have brought up the digital signature issue to their attention and they have ignored the issue before.

So lets play by the rules here and be fair. That said, here is my question for the Siglent folks:

Dear Siglent, could you guys please be so kind as to let your customers know the reason for why you don’t digitally sign your files?

Thanks.


:palm: tautech don't even bother any further with this issue. There are always going to be people that lack the ability for adaptive reasoning. If his belief is that digitally signing a file is the right thing to do then so be it. If that gives the level of comfort he/she is looking for then that is his opinion and we as individuals have the option of not agreeing.

Don't fuel their 15 minutes of fame any more....

Nicholas

I am sorry you feel that way. I provided you with links that explain how digital signatures work; if you take a minute to read up on the technology you will find that a digital signature is currently the most secure way for authors to protect the integrity of their files (this is no checksum). This is not my "belief", this is a fact.

For fun, you may also want to check out the requirements for developing apps for the iPhone, iPad, Android, Windows phone etc. You will soon find out that all require you to digitally sign your files. Care to find out the reason why?

That said, if you think I am an ignorant troll that knows nothing about digital signatures then fine, you can color me ignorant, no problem. In the meantime, why don’t you give Apple, Google, Microsoft etc. a call and let them know that digitally signing files is an absolute waste of time and they need to stop the nonsense, see what they tell you.
 

Offline Docholiday

  • Regular Contributor
  • *
  • Posts: 217
  • Country: us
Re: Siglent Technical Support join in EEVblog
« Reply #386 on: March 15, 2015, 09:31:20 pm »
I am going to end this now...

This is not the platform to school you or anyone else about Information Security concepts and best practices. Do more research and you will find there is more than one method of digital signature processes. The biggest problem with digital signature technology (public & private method) is who holds and manages the private key. That is where the vulnerability is - lost keys, mis-managed keys, stolen keys and, as someone pointed out, redirects. That is why (of many reasons) in the USA the government does not allow the use of legal documents to be signed digitally. Except Connecticut, but only between corporations. Again, this solution is only a deterrent.

In closing this issue I realize, after reading my previous responses, I may have been a little harsh in my response, as this was not my intention. I have an issue with very short patience when statements are made in a haphazard fashion. I guess it's my 35 years total as a computer forensics expert.

Have a nice day! :-+
 

Offline pickle9000

  • Super Contributor
  • ***
  • Posts: 2439
  • Country: ca
Re: Siglent Technical Support join in EEVblog
« Reply #387 on: March 15, 2015, 09:36:08 pm »
It would be interesting if Siglent or Rigol, Hantek did more "field work". For example I don't see any Siglent scopes on Sigrok http://sigrok.org/wiki/Supported_hardware.

Helping these guys out would be good P.R. and cost little. From a business standpoint it's like Apple, get them young (early school program) and keep them when they are older.   
 

Offline nctnico

  • Super Contributor
  • ***
  • Posts: 26906
  • Country: nl
    • NCT Developments
Re: Siglent Technical Support join in EEVblog
« Reply #388 on: March 15, 2015, 10:01:02 pm »
How popular is Sigrok? It shouldn't be hard to create support for a particular instrument and yet only few instruments are supported.
 

Offline pickle9000

  • Super Contributor
  • ***
  • Posts: 2439
  • Country: ca
Re: Siglent Technical Support join in EEVblog
« Reply #389 on: March 15, 2015, 10:58:45 pm »
How popular is Sigrok? It shouldn't be hard to create support for a particular instrument and yet only few instruments are supported.

I haven't seen any numbers on the user count. To be honest I don't use it much but have done some CAN decoding and it works just fine for that. For me the interesting bits are the protocol decoders but it has real potential overall.

http://sigrok.org/wiki/Protocol_decoders

I'm certain it's used much more than people think. If you consider only the protocol decoding. These are things you pay real money for. If you are bidding / evaluating a job being able to use a free version of a particular protocol (like CAN) is a great benefit.



 

Offline SiglentTopic starter

  • Regular Contributor
  • *
  • Posts: 176
  • Country: cn
  • SIGLENT
    • SIGLENT TECHNOLOGIES
Re: Siglent Technical Support join in EEVblog
« Reply #390 on: March 16, 2015, 09:54:51 am »
How popular is Sigrok? It shouldn't be hard to create support for a particular instrument and yet only few instruments are supported.

I haven't seen any numbers on the user count. To be honest I don't use it much but have done some CAN decoding and it works just fine for that. For me the interesting bits are the protocol decoders but it has real potential overall.

http://sigrok.org/wiki/Protocol_decoders

I'm certain it's used much more than people think. If you consider only the protocol decoding. These are things you pay real money for. If you are bidding / evaluating a job being able to use a free version of a particular protocol (like CAN) is a great benefit.

How can our products be supported by sigrok? We are not familiar with this organization.
The Best Value in Electronic Test & Measurement
 

Offline nctnico

  • Super Contributor
  • ***
  • Posts: 26906
  • Country: nl
    • NCT Developments
Re: Siglent Technical Support join in EEVblog
« Reply #391 on: March 17, 2015, 02:01:00 am »
Sigrok is an open source project so pull in the sources, add support for your products, push the changes back and wait for the changes to be included in the next release.
 

Offline nctnico

  • Super Contributor
  • ***
  • Posts: 26906
  • Country: nl
    • NCT Developments
Re: Siglent Technical Support join in EEVblog
« Reply #392 on: March 17, 2015, 02:16:44 am »
Hello!
new SDG1000 Firmware (1.01.01.37R2) has new menu !! - >> Bandwidth Update - >> Please input license to update bandwidth !
very interesting..... ;) ;)
There is also a DC output option and there is also a frequency counter menu. Suddenly the utility menu has 3 pages!
It is kinda nice new features get added to existing products.
 

Offline pickle9000

  • Super Contributor
  • ***
  • Posts: 2439
  • Country: ca
Re: Siglent Technical Support join in EEVblog
« Reply #393 on: March 17, 2015, 02:49:12 am »
How popular is Sigrok? It shouldn't be hard to create support for a particular instrument and yet only few instruments are supported.

I haven't seen any numbers on the user count. To be honest I don't use it much but have done some CAN decoding and it works just fine for that. For me the interesting bits are the protocol decoders but it has real potential overall.

http://sigrok.org/wiki/Protocol_decoders

I'm certain it's used much more than people think. If you consider only the protocol decoding. These are things you pay real money for. If you are bidding / evaluating a job being able to use a free version of a particular protocol (like CAN) is a great benefit.

How can our products be supported by sigrok? We are not familiar with this organization.

Sigrok is a signal analysis software package. It's open source and free. The program works with around 140 devices at this point. This includes logic analyzers, DSOs, multimeters, power supplies and so on. The package operates on Linux, Windows, Apples, Androids and some others. It has an excellent (and ever expanding) set of protocol decoders. It's a project that has been moving forward and is growing.

Reasons for helping out sigrok?

- Hantek and Rigol have supported hardware, so should you.
- Siglent has some older and low cost scopes that could benefit from the software features. Use on an Apple or Android platform for one. That is a platform you don't support.

   
 

Offline vueltinguer

  • Newbie
  • Posts: 9
Re: Siglent Technical Support join in EEVblog
« Reply #394 on: March 17, 2015, 12:06:05 pm »
Hi, Siglent. Do you think future firmware updates of SDG5000 family will enable channel coupling function, if hardware supports it? Thanks  :-+
« Last Edit: March 17, 2015, 12:09:01 pm by vueltinguer »
 

Offline rf-loop

  • Super Contributor
  • ***
  • Posts: 4105
  • Country: fi
  • Born in Finland with DLL21 in hand
Re: Siglent Technical Support join in EEVblog
« Reply #395 on: March 17, 2015, 01:52:44 pm »
Hi, Siglent. Do you think future firmware updates of SDG5000 family will enable channel coupling function, if hardware supports it? Thanks  :-+

HW supports it. Also I hope Siglent add this function in some future FW.
Channel lock so that user can select what channel is master and then user can set offset frequency (including 0Hz offset of course) between channels and then slave channel follow master when user change master channel frequency.  Also so that user can set phase angle offset between channels and when channels are in this lock mode  it keeps phase offset when user change master channel frequency.

It is nice to see that after 4 years Siglent still add new features to SDG1000 series. But, it is also important in SDG5000 series. (And I believe they do not have stopped developing it)

Language select after startup.  Personally I do not like it and I know many other who do not. (I can not understand who need this feature) Perhaps some school users?  Perhaps it is better to add some kind of "teachers" power up when teacher can power up machine to some initial state after kids have played with it. Example push one button startup what delete all users settings and give also language select menu visible after this special "deep reset" startup.   (keep one key pressed during power up and it do this deep reset to state where it is as new unit or something like it)

« Last Edit: March 17, 2015, 01:54:31 pm by rf-loop »
I drive a LEC (low el. consumption) BEV car. Smoke exhaust pipes - go to museum. In Finland quite all electric power is made using nuclear, wind, solar and water.

Wises must compel the mad barbarians to stop their crimes against humanity. Where have the wises gone?
 

Offline tautech

  • Super Contributor
  • ***
  • Posts: 28371
  • Country: nz
  • Taupaki Technologies Ltd. Siglent Distributor NZ.
    • Taupaki Technologies Ltd.
Re: Siglent Technical Support join in EEVblog
« Reply #396 on: March 17, 2015, 07:49:12 pm »
It is nice to see that after 4 years Siglent still add new features to SDG1000 series. But, it is also important in SDG5000 series. (And I believe they do not have stopped developing it)

Language select after startup.
 Personally I do not like it and I know many other who do not. (I can not understand who need this feature) Perhaps some school users?
 Perhaps it is better to add some kind of "teachers" power up when teacher can power up machine to some initial state after kids have played with it.
Example push one button startup what delete all users settings and give also language select menu visible after this special "deep reset" startup.
(keep one key pressed during power up and it do this deep reset to state where it is as new unit or something like it)
+1
For all Siglent products that start with the Language option.
 

Offline nctnico

  • Super Contributor
  • ***
  • Posts: 26906
  • Country: nl
    • NCT Developments
Re: Siglent Technical Support join in EEVblog
« Reply #397 on: March 17, 2015, 07:55:52 pm »
Language select after startup.  Personally I do not like it and I know many other who do not. (I can not understand who need this feature)
It makes lots of sense to me. There are lots of people on this world who cannot understand any other language than they have learned from their parents. Even Europe is problematic! Try to see how far you get with English in France, Germany, Italy or Spain for example.
« Last Edit: March 17, 2015, 07:57:40 pm by nctnico »
 

Offline vueltinguer

  • Newbie
  • Posts: 9
Re: Siglent Technical Support join in EEVblog
« Reply #398 on: March 17, 2015, 08:04:29 pm »
In Spain maybe a hundred meters...  :-[
 

Offline Rene

  • Regular Contributor
  • *
  • Posts: 67
Re: Siglent Technical Support join in EEVblog
« Reply #399 on: March 18, 2015, 02:07:01 am »
IMHO Rene is just kicking up dust.
I agree with Docholiday: Keep the anti malware & virus software on your PC up to date and look where you download files from.

There is no way to ensure that even a signed file is really from the author if you don't check where you download it from. If you have malware on your PC which redirects a web request to a different server (this is really easy to do even with secure connections!) then you'll happily download a signed file from a malicious source.

I meant to post this earlier but I got lazy. Nevertheless, I wanted to address your post to help clarify some of your misconceptions.

Two of the main benefits that a modern digital signature provides are:

  • It allows you to verify that the file you downloaded originated from a certain publisher.
  • It allows you to verify that the file you downloaded has not been tampered with.

If you are using Windows OS, you can view the properties of a file (by right-clicking the file and selecting properties from the context menu). If the file has been digitally signed you will see a tab from where you can get more information about the digital signature (see Picture 1).
 
If you click on the Digital Signature tab, you will have access to all kinds of information regarding the digital signature, but one piece of information that you will find relevant to your post is the digital signature certificate (see Picture 2).
 
Looking at the digital signature certificate (Picture 2), you can be sure of two things:

  • The file comes from a publisher named Seagull Scientific, Inc. If this is not the publisher you are expecting then you should not trust the file. In the case of Siglent, you will see Siglent, Inc (or something close to that) instead of Seagull Scientific, Inc
  • The file content is exactly the same as what the publisher intended it to be. In other words, the file has not been tampered with. If a malicious person had tampered with the file, the digital signature would have been voided so the file would not appear to be signed.

So to address your comments: You are indeed able to verify that the file is from a certain author by looking at the certificate (with or without redirects). The reason why redirects are not an issue is because it does not matter if you download the file from a malicious website, as long as the file is digitally signed and the digital signature shows that it has been published by the expected author, it means that the file is good (this is the whole point of modern file digital signatures). Your comment about keeping your computer virus protection up to date is obviously valid, but having a digital signature that can prove the file comes from a trusted source is far more valuable and effective (IMHO).

Finally, all the concerns about private keys vulnerability (lost keys, mismanaged keys, stolen keys, etc) are valid but not realistic in most scenarios that matter. For a careless small time teenager digitally signing files from his or her garage computer this may be an issue, but reputable corporations don’t take security lightly, you will have a very, very hard time getting anywhere near those certificates, and even if for some reason you were able to steal the digital signature certificates you would still not be able to use them because they are typically locked down with a strong password and they can be revoked at any time. I should also mention that if this was a big issue you should be shaking in your boots as we speak because all your banking transactions and online purchases (at one point or another) involve using the same technology used in digital signatures (asymmetric cryptography).

But do you know what the best part of a digital signature is? That if someone does not give a crap about them they can completely ignore them and move on with their lives. But for those of us who care, it is a very valuable feature.

Cheers.
« Last Edit: March 18, 2015, 02:08:58 am by Rene »
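
An added example, not part of the original thread, of the checksum-versus-signature distinction described in Rene's posts: when whoever serves the file can also rewrite the published checksum, only a signature checked against the expected publisher's key detects the swap. It uses textbook RSA over SHA-256 with constructed demo keys so that it runs on the Python standard library alone; this is not Authenticode and not a secure scheme, and every name and sample byte string here is an assumption.

```python
import hashlib

E = 65537  # public exponent shared by both demo keys


def make_keypair(p, q):
    """Return (public, private) textbook-RSA keys built from two primes."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+
    return (n, E), (n, d)


# Constructed demo keys from Mersenne primes. NOT secure (special-form primes,
# no padding); real code signing uses a vetted library and a CA-issued cert.
PUBLISHER_PUB, PUBLISHER_PRIV = make_keypair(2**521 - 1, 2**607 - 1)
ATTACKER_PUB, ATTACKER_PRIV = make_keypair(2**1279 - 1, 2**2203 - 1)


def digest_int(data):
    """SHA-256 of the file contents as an integer."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(data, private_key):
    """Only the holder of the private exponent can compute this value."""
    n, d = private_key
    return pow(digest_int(data), d, n)


def verify(data, signature, public_key):
    """Anyone holding the public key can check file and signature together."""
    n, e = public_key
    return pow(signature, e, n) == digest_int(data)


def publish(data, private_key):
    """What a download server hosts: the file, its checksum, its signature."""
    return {
        "file": data,
        "sha256": hashlib.sha256(data).hexdigest(),
        "signature": sign(data, private_key),
    }


def client_check(package, trusted_public_key):
    """Checks a downloader can run; the trusted key is obtained out of band."""
    return {
        "checksum_ok": hashlib.sha256(package["file"]).hexdigest() == package["sha256"],
        "signature_ok": verify(package["file"], package["signature"], trusted_public_key),
    }


# Constructed sample contents standing in for a firmware archive.
GENUINE = b"firmware image v1 (constructed sample bytes)"
TAMPERED = GENUINE + b" + modified bytes"


def scenarios():
    genuine = publish(GENUINE, PUBLISHER_PRIV)
    # Compromised server or redirect: file swapped, checksum recomputed to
    # match, original signature left in place.
    swapped = dict(genuine, file=TAMPERED,
                   sha256=hashlib.sha256(TAMPERED).hexdigest())
    # Same swap, but re-signed with a key that is not the publisher's.
    resigned = publish(TAMPERED, ATTACKER_PRIV)
    return {
        "genuine": client_check(genuine, PUBLISHER_PUB),
        "swapped": client_check(swapped, PUBLISHER_PUB),
        "resigned": client_check(resigned, PUBLISHER_PUB),
        # A valid signature from an unexpected signer proves nothing: the
        # check must be made against the publisher the user expects.
        "resigned_wrong_trust": client_check(resigned, ATTACKER_PUB),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:22s} {result}")
```

The checksum comparison passes in every scenario because the checksum travels with the file; the signature passes for the modified file only when the verifier trusts the wrong key, which is the publisher-name check described in the post above.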
 

