That's not quite accurate. Microsoft removed the update and bitch-slapped them.
That's what you said numerous times and probably like to believe, but there is 0 evidence to back it up, so it is pure speculation from your side?
arstechnica (iirc) posted that MS did, in fact, remove 2 versions of the driver from its update site. We can guess it's 2.11 and 2.12, since 2.10 was the last known good working version, malware-free.
why do you doubt that MS has removed the updates? I'm not MS fan (not even close) but I have no reason to believe this was false reporting from A.T.
why do you doubt that MS has removed the updates? I'm not MS fan (not even close) but I have no reason to believe this was false reporting from A.T.
It also makes business sense for MS to intervene. They have enough problems with Windows Updates killing systems, the last thing they want is to get inundated with complaints about how their update bricked users' peripherals. Everyone would look at MS first, as that would have been the most recent system change. This is a near "free" act of preventative maintenance on their part.
why do you doubt that MS has removed the updates? I'm not MS fan (not even close) but I have no reason to believe this was false reporting from A.T.
Let me rephrase so it is more clear and unambiguous:
I do believe MS removed the updates.
BUT I rather do believe a CEO from a multi million$ company stating in an official press release that their company asked MS to remove them than the words of a youngster that says that MS has removed the updates and "bitch slapped" that company.
Well, this has raised the awareness of counterfeit components and caused problems for those supply lines using the fakes. The problem is that a lot of people have been upset.
Yes, like raising the awareness of people not cleaning windows by smashing every dirty window in sight. Clever move.
It is not removed yet! it will be next week...
read this: http://www.ftdichipblog.com/?p=1053
I can't believe Mr. Dart got zero comments on that blog posting. Some minion at FTDI might be busy ruining the Delete button on his keyboard.
What the posting also shows is that FTDI didn't learn its lesson.
The simplest solution would be to have the driver pop up a message that says:
" This device attempted to load the wrong driver. Please contact the device manufacturer to get an updated driver."
The device doesn't load anything. It's the OS and driver that decide what to 'load'.
It is not removed yet! it will be next week...
read this: http://www.ftdichipblog.com/?p=1053
I can't believe Mr. Dart got zero comments on that blog posting. Some minion at FTDI might be busy ruining the Delete button on his keyboard.
What is there to comment on? It is a vague press release. Not an invitation for debate.
What the posting also shows is that FTDI didn't learn its lesson.
I agree. I'm not going to change my decision not to put FTDI chips in my design. One way or another FTDI has decided to kill their competition. I don't want to become collateral damage.
That's not quite accurate. Microsoft removed the update and bitch-slapped them.
That's what you said numerous times and probably like to believe, but there is 0 evidence to back it up, so it is pure speculation from your side?
arstechnica (iirc) posted that MS did, in fact, remove 2 versions of the driver from its update site. We can guess it's 2.11 and 2.12, since 2.10 was the last known good working version, malware-free.
why do you doubt that MS has removed the updates? I'm not MS fan (not even close) but I have no reason to believe this was false reporting from A.T.
Update: Microsoft has given us a statement:
Yesterday FTDI removed two driver versions from Windows Update. Our engineering team is engaging with FTDI to prevent these problems with their future driver updates via Windows Update.
That would seem to say FTDI removed them, not Microsoft.
why do you doubt that MS has removed the updates? I'm not MS fan (not even close) but I have no reason to believe this was false reporting from A.T.
Let me rephrase so it is more clear and unambiguous:
I do believe MS removed the updates.
BUT I rather do believe a CEO from a multi million$ company stating in an official press release that their company asked MS to remove them than the words of a youngster that says that MS has removed the updates and "bitch slapped" that company.
I'm 46, thank you very much. And I would trust just about anyone more than I would trust someone in an obvious position to need to spin a situation.
Update: Microsoft has given us a statement:
Yesterday FTDI removed two driver versions from Windows Update. Our engineering team is engaging with FTDI to prevent these problems with their future driver updates via Windows Update.
That would seem to say FTDI removed them, not Microsoft.
Yeah, you really need to un-spin that.
What sort of engineering assistance could FTDI possibly need from Microsoft to prevent them from knowingly and deliberately supplying a weaponized driver to Windows Update?
No, what likely really happened was that Microsoft's legal team had a "chat" with someone over there and they had an "Oh shit!" moment. And everything after that has been spin control.
I appreciate the statement FTDI put out on their forum site.
It is the only action to take: Remove the destructive code but refuse to work with counterfeit devices.
However the damage is done.
At our today's engineering meeting we got a good analogy of what FTDI did:
It is like the shopkeeper who knows you for 10+ years suddenly points his gun at you saying "if you don't steal you have nothing to fear".
Sure you would think "WTF?"
Well at least the shopkeeper has put the gun away now, saying "If you steal I won't talk to you anymore"
Sure I am fine with that.
All the FTDI chips we purchased the past year (around 17K units in total) went through their official sales network,
so the risk is almost 0. Phew...
I am still not happy.... but....whatever
One way or another FTDI has decided to kill their competition.
Yeah, competition. What will you think when will get such a competition. People will think that your product is a crap which sells everywhere while actually you can barely sell anything at all.
Update: Microsoft has given us a statement:
Yesterday FTDI removed two driver versions from Windows Update. Our engineering team is engaging with FTDI to prevent these problems with their future driver updates via Windows Update.
That would seem to say FTDI removed them, not Microsoft.
Yeah, you really need to un-spin that.
What sort of engineering assistance could FTDI possibly need from Microsoft to prevent them from knowingly and deliberately supplying a weaponized driver to Windows Update?
No, what likely really happened was that Microsoft's legal team had a "chat" with someone over there and they had an "Oh shit!" moment. And everything after that has been spin control.
And you need to stop posting opinion and assumption as fact.
One way or another FTDI has decided to kill their competition.
Yeah, competition. What will you think when will get such a competition. People will think that your product is a crap which sells everywhere while actually you can barely sell anything at all.
I would rather think that they have pretty much killed their own customer base with this stunt. Who is going to trust them now?
J.
Update: Microsoft has given us a statement:
Yesterday FTDI removed two driver versions from Windows Update. Our engineering team is engaging with FTDI to prevent these problems with their future driver updates via Windows Update.
That would seem to say FTDI removed them, not Microsoft.
Yeah, you really need to un-spin that.
What sort of engineering assistance could FTDI possibly need from Microsoft to prevent them from knowingly and deliberately supplying a weaponized driver to Windows Update?
No, what likely really happened was that Microsoft's legal team had a "chat" with someone over there and they had an "Oh shit!" moment. And everything after that has been spin control.
And you need to stop posting opinion and assumption as fact.
I am not doing anything of the sort. Do you think the scenario I described is unlikely? What did I say other than that?
And you need to stop posting opinion and assumption as fact.
I am not doing anything of the sort. Do you think the scenario I described is unlikely? What did I say other than that?
FTDI just tweeted, that they removed the update from WinUpdate and are working on a less invasive option:
http://www.ftdichipblog.com/?p=1053
That's not quite accurate. Microsoft removed the update and bitch-slapped them.
You are absolutely right. I retract that, and replace it with
That's likely not quite accurate. Microsoft probably removed the update and bitch-slapped them.
I apologize for not being more clear earlier.
And in that case, yes, it's entirely possible Microsoft told them where to stick it.
On the other hand, they may have realised they just shot themselves in the foot with a 12-gauge and done something about it for themselves.
I would rather think that they have pretty much killed their own customer base with this stunt. Who is going to trust them now?
You're kidding, yeah?
Anyone with an interest in the supply chain being less full of fakes might see this as an opening shot, however misplaced, in that battle.
They were never going to sell their smallest devices to the sub-dollar serial widget manufacturer or the Chinese knockoff Arduino market, so have lost nothing there.
No longer having their drivers blamed for problems with the VID/PID rippers' budget and variously crappy widgets sounds like a good thing.
Having designers explicitly call for real FTDI chips from the CEMs - that might deliver real volumes of sales.
I, for one, will continue to design in and specify FTDI parts where they're the best fit.
And you need to stop posting opinion and assumption as fact.
Just as you need to stop posting content-free snark
I think the real take-away here is that devices that rely on proprietary drivers always leave you at the mercy of the suppliers of those drivers, in sharp contrast to devices that implement open standards. Here I am specifically contrasting FTDI devices with CDC devices.
Where an open standard exists, this incident shows the value proposition of adopting it.
Current FTDI driver offered in FTDI Drivers Download page (v2.12.00) does it. I'm attaching an image with the attack with the relevant USB Transactions using a USB sniffing software, confirming the driver disassembly behaviour posted a few days ago.
As a bit of an oddity, I'll ask the folks here for a similar thing I asked of FTDI support:
Can someone create a tool to reproduce the "kill" operation of the 2.12 driver? If this is a "thing" that can happen, I'd prefer to add a few seconds of production test time to screen parts that might cause the end-user grief down the road. This is, in essence, a vulnerability without a clear way to patch it - so the easiest route I can do is attempt to brick any devices that might get a non genuine part in the lot. (I buy all my parts from Mouser and Digikey, but they're not omnipotent or flawless).
you can build such tool yourself using this joke linux patch - it's replicating what the windows driver did
https://lkml.org/lkml/2014/10/23/129
A quick check of FTDI's website doesn't appear to offer any resources for manufacturers to test their parts to see whether they are genuine.
such tool would be used by chinese designer to perfect his copy, chicken and egg problem
Incidentally, the current difference that they are exploiting is quite easy to fix and in a few months we will see clones that are invulnerable to the current destructive clone counterfeit test.
Few months? More like a few weeks... look how long it took for the Chinese to clone Apple's Lightning cable - and that was RE from scratch, not in this case where all they have to do is update a mask ROM and start producing new chips.
In fact I think the moment that driver update was released, they saw the problem and were working on fixing it. I'm almost willing to bet they've already fixed it and are just waiting for the wafer fab.
except for the fact your fake chips just lost a ton of value and desirability, people in big companies might do meetings discussing FTDI policy, but most chinese sellers/designers will simply STOP using fakes outright - fake sold over ebay equals to bad feedback at best, paypal chargeback and black mark (few of those and paypal freezes your account) at worst. There might still be few scammers/wise guys trying to sell old stock bundled with CD including older driver, but all of a sudden it's a very dangerous proposition if they want to remain on ebay platform
Also agree with the others that this would be a great time to move to a non-proprietary standard protocol like CDC - for which source code is available for both AVRs, PICs, and several other common MCU families.
it was never about lack of drivers, it was about convenience, FTDI driver is just there, by default, everywhere, so why bother reinventing the wheel.
you think ebay is going to even LISTEN to you after 30 or perhaps 90 days?
are they going to reimburse you for the high cost of shipping back to china?
45 days minimum + YOU DO NOT pay for any shipping in case of a fake
I think the real take-away here is that devices that rely on proprietary drivers always leave you at the mercy of the suppliers of those drivers, in sharp contrast to devices that implement open standards. Here I am specifically contrasting FTDI devices with CDC devices.
Where an open standard exists, this incident shows the value proposition of adopting it.
I agree in principle, problem is windows now enforces driver signing so you either pay M$ tax or use something that is already signed