In the worst case, there would be a 500 mW and 2.4 GHz signal radiated at a few millimeters of a various GHz low voltage signals (some signals are differential paired, but others aren’t).You are not allowed to go above 100mW for 2.4 GHz band in most regions. And generally wifi devices don't go above that. Also unless there is something horribly wrong with device, most of power will go into antenna outside the PC.
Do I understand this correctly that the PC manager is an internet connected gizmo that will allow remote control of the computer - over the internet, using a proprietary service ran by your company? And you want to sell this to companies as a somehow good idea? Did you consider what will happen if someone hacks your service (which is pretty certain to happen, especially given your security by obscurity approach)? Not only could someone instantly disable/crash a load of computers somewhere but if the devices have insecure firmware (very likely), they will act as a wonderful vector into the company's network, bypassing the usual access controls (otherwise they wouldn't be able to do their job).
Not only is this a solution looking for a problem (home users won't care and pros will frogmarch anyone plugging a gizmo like this into their office computer out of the door), it is also asking to get hacked for anyone foolish enough to install this.
Engineering isn't only whether something can be done but also whether it should be.
Aha, you're going for the old 'security through obscurity' route, are you?
How are you providing security controls and authentication both of the device and the users? What is your privacy and security policy? What physical access controls and key management controls do you have in place? Are you willing to have the code audited by an independent contractor (NCC will do this starting at about £20k)? Which cloud provider do you use? What is their security policy? What libraries do you import? What are the security controls on those? What is your GDPR situation and who is the data controller?
Welcome to my world which is very complicated bringing a product into in 2019.
Also worth a watch as to how even higher investment can produce a “fuck up” (excuse the pun): hacking buttplugs. https://youtu.be/RnxcPeemHSc
(The service will not be provided by a server in my house, but by a proper hosting with redundancy and proper security measures)
(The service will not be provided by a server in my house, but by a proper hosting with redundancy and proper security measures)
If - for whatever reason - the servers are shut down, do all PC manager devices become e-junk?
(The service will not be provided by a server in my house, but by a proper hosting with redundancy and proper security measures)
If - for whatever reason - the servers are shut down, do all PC manager devices become e-junk?
Who is going to provide customer support. Yourself sitting beside the server in your house? Is it just a single server by the way? Are you familiar with the concepts of Business Continuity and Disaster Recovery?
"Simply unplugging the power cable" is a Major inconvenience to the customer by the way. You sure every grandma will know how and when to do it? You will be instructing people via your facebook?
I am on the verge of backing this. My partner uses WoL to get her PC running when she is on the road, but sometimes it doesn't work (ISTR Microsoft furkled with the network stack a while back which borked it until I found the fix), so this might save me having to pretend interest in support.
But... I am lost as to the point of the power and reset buttons. I mean, if you are in a position to stab those, surely you could just press the real ones. Or is the intent (for some uses) to completely disconnect the front panel to prevent passers-by from dicking with it?
QuoteAha, you're going for the old 'security through obscurity' route, are you?
Imagine a door with a handle. 100 people try to open it, most pushing the handle down to start with. Not all open it and a proportion give up. Now imagine a notice above the door: "Lift handle to open". Of 100 people, more open it now (but some still fail and give up - such is life as a human!).
Are you saying that not obscuring stuff is exactly as secure as going out of your way to tell anyone who wants to know the detail?
Are you also saying that making source available lets security bloopers be seen and fixed? It should but in practice there are loads of exploits, many in security-centric applications. In fact, the wonder is that more bad guys haven't exploited the bloopers no-one else has been arsed to find in open source code.
Surely the better way would be to use code that is apparently secure (properly audited, open source or not) but still obscure it anyway, just in case. Just like one might always use a voltage tester on a mains cable, even after turning off the mains and pulling the circuit breaker, before touching it.
In the worst case, there would be a 500 mW and 2.4 GHz signal radiated at a few millimeters of a various GHz low voltage signals (some signals are differential paired, but others aren’t).You are not allowed to go above 100mW for 2.4 GHz band in most regions. And generally wifi devices don't go above that. Also unless there is something horribly wrong with device, most of power will go into antenna outside the PC.
Yes, I meant 100 mW (160 mW max., in this case), I mixed things up. Still enough power to use shielding, as in the case of the vast majority of Wi-Fi devices.
And why do we *know* it is secure? Because both the algorithms and the implementations are open.
But a properly set up system is secure even when the source is open.
And the security against chinese clones... If PC manager is deemed "worth it" it will be cloned the minute your device is released. At best, your obscurity is buying you some time while at the same time alienating any security aware user.
In the worst case, there would be a 500 mW and 2.4 GHz signal radiated at a few millimeters of a various GHz low voltage signals (some signals are differential paired, but others aren’t).You are not allowed to go above 100mW for 2.4 GHz band in most regions. And generally wifi devices don't go above that. Also unless there is something horribly wrong with device, most of power will go into antenna outside the PC.
Yes, I meant 100 mW (160 mW max., in this case), I mixed things up. Still enough power to use shielding, as in the case of the vast majority of Wi-Fi devices.Where are you getting that 160 mW figure from? Since you do not use 5GHz (you could use 200 mW there) you are limited to 100mW. What wifi chipset do you use?
BTW about shields. For example Raspberry pi 3 does not use any shield above wifi chip and got FCC approval just fine. My TPlink Archer C7 router does not have shields too.
I would not trust that chinese card *at all*. That thing has access to the PCIe bus and can transmit your data to who-knows-where.
I think you had made a lot of assumptions. The reason the product is not Open Source is not because of a low quality or insecure code (The service will not be provided by a server in my house, but by a proper hosting with redundancy and proper security measures), ...
but to avoid to low quality clone factories to take advantage of my work and money.
If you have an IoT device, it probably works in the same way.
However, other options could be e.g. an independent firmware/software (including backend and the mobile app!) audit by a reputable company/researchers, published update policy (how often, how long does it take to fix security critical issues, both in the app and the firmware), dedicated security contact on your web site for reporting problems, and, for example, references of the hosting company, so that customer could have at least some idea of what security is in place.
I think you had made a lot of assumptions. The reason the product is not Open Source is not because of a low quality or insecure code (The service will not be provided by a server in my house, but by a proper hosting with redundancy and proper security measures), ...
Your answers only show that you don't have much of an idea about computer security.
You are asking everyone to take you for your word on the device being secure. A company with no reputation, no references and product starting on Kickstarter. Don't take it personally but that's just a no.
Open sourcing the product is only one way of fixing that, I understand that you may not want to do that for business reasons. However, other options could be e.g. an independent firmware/software (including backend and the mobile app!) audit by a reputable company/researchers, published update policy (how often, how long does it take to fix security critical issues, both in the app and the firmware), dedicated security contact on your web site for reporting problems, and, for example, references of the hosting company, so that customer could have at least some idea of what security is in place. How much of that do you have in place before unleashing this on your paying clients? Starting to think about it only once your clients get hacked and there is a CVE assigned to it already would be too late.
Using a hosting company alone means exactly nothing when it comes to security. You wouldn't believe how many hosters keep e.g. customer passwords and credit card data in unecrypted databases, with the argument being that they require it to provide support when the client has problems logging in. Not kidding, I have this in writing from a customer rep of one such rather big name hoster after my personal site was hacked thanks to them and used to host a phishing website for stealing money from clients of some US investment bank. They consider it a normal practice, apparently!but to avoid to low quality clone factories to take advantage of my work and money.
That's a pretty poor argument for putting your clients at risk. Is their work and money worth less than your work and money?If you have an IoT device, it probably works in the same way.
Are you really trying to make an argument that because the security dumpster fire of IoT is a standard fare, it is OK to release another such product and sell it to businesses? You are really not helping your case here, IMO.
Also, there is a heck of a difference between a smart light bulb or a doorbell and something meant for an actual business use. I can guarantee you that you won't find the former in the latter, as long as there is a semi-competent IT manager around.
... for anyone foolish enough to install this.
QuoteHowever, other options could be e.g. an independent firmware/software (including backend and the mobile app!) audit by a reputable company/researchers, published update policy (how often, how long does it take to fix security critical issues, both in the app and the firmware), dedicated security contact on your web site for reporting problems, and, for example, references of the hosting company, so that customer could have at least some idea of what security is in place.
If even a fraction of the IoT stuff on Amazon managed a quarter of that! Yet they sell by the boatload. Wouldn't surprise me if most people here have kit that fails on pretty much all of your points, despite them arguing that this will kill the product on Kickstarter.
Probably, the device you’ve used to write your post, in addition to being Closed Source, has dozens of known vulnerabilities and hundreds of other unknown ones, both in its hardware and its software. It’s also quite probable that any of those vulnerabilities would have much more devastating effects than the ones you are trying to attribute to this project based on no evidence.
If, as you say, is important to make the project Open Source to make it more secure (which I see it as an oxymoron), then how would I pay to any software engineer to fix those vulnerabilities once the clone factories make my business unsustainable? Are you relying on some random expert working for free to amend a problem that affect to small number of people/businesses?
“PC Manager” and “Snatek” are registered trademarks under my name, ID, address, etc. That data figures on the Global Brand Database and they store that data even after the trademark expiration (10 years). In base of this, yes, my personal reputation would be in risk if that devices have any kind of problem in the future.
I don’t take anything personally but it is not an easy task when someone calls “fool” to any potential buyer, based in incorrect assumptions.
Regards.
We just added a feature to PC Manager that allows (advanced) users to completely disable internet access and to work only on LAN. This function will result in a little more time to configure each device (more than the 2 minutes it takes with the default configuration) for users who opt for this function.
As this function allows the PC Manager to work completely offline, I hope this will mitigate the concernssome usersby nice EEVBlog forum fellows had about security and/or about a hypothetical product end of life.
Adding this feature doesn’t mean we will relax our security policy; it is only an additional layer of protection for those who wants it.
This feature has been included in the campaign already.