Author Topic: FTDIgate 2.0?  (Read 243515 times)

0 Members and 2 Guests are viewing this topic.

Offline Russ.Dill@gmail.com

  • Contributor
  • Posts: 17
Re: FTDIgate 2.0?
« Reply #275 on: February 02, 2016, 04:20:03 pm »
Of course, now I can't do cool things like make my Arduino act like an FTDI directly via v-usb to make integration for windows users easier.

Why would you need to?

And why would you think it reasonable to make your Arduino behave like a piece of hardware with very specific capabilities when it is nothing of the sort?

It's actually quite straightforward to emulate all of the functions of the FT232RL. I'm not sure if you think that FTDI chips are some kind of black magic, especially the low end ones.
 

Offline c4757p

  • Super Contributor
  • ***
  • Posts: 7805
  • Country: us
  • adieu
Re: FTDIgate 2.0?
« Reply #276 on: February 02, 2016, 04:34:52 pm »
Sure you'd be better off not trying to trigger a problem

My favorite part is where you admit you're wrong and still keep going :-+
No longer active here - try the IRC channel if you just can't be without me :)
 

Offline suicidaleggroll

  • Super Contributor
  • ***
  • Posts: 1455
  • Country: us
Re: FTDIgate 2.0?
« Reply #277 on: February 02, 2016, 04:40:38 pm »
Sure you'd be better off not trying to trigger a problem

My favorite part is where you admit you're wrong and still keep going :-+

Wrong about what?  About how hypotheticals involving non-existent devices with non-existent counterfeit FTDI chips in legitimate supply chains, killing non-existent people in fantastical ways, are a waste of time and a distraction from the issue at hand?  That's what the entire post was about.

If there was a device out there that could kill somebody because it received an 'N' instead of a '2' over a UART line plugged into a Windows machine (a Windows machine that's connected to the internet, receiving untested updates, with nobody's knowledge), it would have ALREADY KILLED plenty of people before FTDI ever started screwing with counterfeits.  It simply doesn't exist, and fantasizing about "what if a device like that DID exist, how bad would that be???" is pointless.
« Last Edit: February 02, 2016, 04:44:51 pm by suicidaleggroll »
 

Offline LoyalServant

  • Regular Contributor
  • *
  • Posts: 65
  • Country: us
Re: FTDIgate 2.0?
« Reply #278 on: February 02, 2016, 04:41:37 pm »
My example was just a purely hypothetical one extrapolated from my experience with how bad some firmware is written. I just can't divulge too much about those experiences for obvious reasons.

Would we all please stop with these nonsense hypotheticals and discuss the actual facts?  So far there is zero proof that there are any counterfeit devices in legitimate supply chains anymore. 

Agree on the hypothetical situations.

While we have not heard of any major blunders in the supply chain like the Newegg and Intel issue a few years back that comes to mind I am sure we can all agree that bad players are constantly trying to infiltrate the supply chain.
I think everyone in the industry shares some responsibility in maintaining the integrity of the supply chain.

 

Online nctnico

  • Super Contributor
  • ***
  • Posts: 17615
  • Country: nl
    • NCT Developments
Re: FTDIgate 2.0?
« Reply #279 on: February 02, 2016, 04:46:58 pm »
Sure you'd be better off not trying to trigger a problem

My favorite part is where you admit you're wrong and still keep going :-+

Wrong about what?  About how hypotheticals involving non-existent devices with non-existent counterfeit FTDI chips in legitimate supply chains, killing non-existent people in fantastical ways, are a waste of time and a distraction from the issue at hand?  That's what the entire post was about.

If there was a device out there that could kill somebody because it received an 'N' instead of a '2' over a UART line plugged into a Windows machine (a Windows machine that's connected to the internet, receiving untested updates, with nobody's knowledge), it would have ALREADY KILLED plenty of people.  It simply doesn't exist, and fantasizing about "what if a device like that DID exist, how bad would that be???" is pointless.
As I wrote before: I have come across firmware doing safety critical tasks and it got upset from receiving data it didn't expect. There is nothing hypothetical about that! Also the assumption FTDI present and future detection algorithms will never be wrong is a false one. So even with a real chip there is a probability things can go wrong (Murphy's law).
« Last Edit: February 02, 2016, 04:48:52 pm by nctnico »
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 

Offline c4757p

  • Super Contributor
  • ***
  • Posts: 7805
  • Country: us
  • adieu
Re: FTDIgate 2.0?
« Reply #280 on: February 02, 2016, 04:47:41 pm »
Sure you'd be better off not trying to trigger a problem

My favorite part is where you admit you're wrong and still keep going :-+

Wrong about what?  About how hypotheticals involving non-existent devices with non-existent counterfeit FTDI chips in legitimate supply chains, killing non-existent people in fantastical ways, are a waste of time and a distraction from the issue at hand?  That's what the entire post was about.

If there was a device out there that could kill somebody because it received an 'N' instead of a '2' over a UART line plugged into a Windows machine (a Windows machine that's connected to the internet, receiving untested updates, with nobody's knowledge), it would have ALREADY KILLED plenty of people before FTDI ever started screwing with counterfeits.  It simply doesn't exist, and fantasizing about "what if a device like that DID exist, how bad would that be???" is pointless.

You don't get to cause damage just because it would've happened anyway...

You said it yourself, read my quote from you!
No longer active here - try the IRC channel if you just can't be without me :)
 

Offline suicidaleggroll

  • Super Contributor
  • ***
  • Posts: 1455
  • Country: us
Re: FTDIgate 2.0?
« Reply #281 on: February 02, 2016, 04:49:09 pm »
While we have not heard of any major blunders in the supply chain like the Newegg and Intel issue a few years back that comes to mind I am sure we can all agree that bad players are constantly trying to infiltrate the supply chain.
I think everyone in the industry shares some responsibility in maintaining the integrity of the supply chain.

Absolutely, and I do believe FTDI should be doing as much as they can to help with this.  I am not a distributor, so I don't have any information about what FTDI is or is not doing to ensure either 1) counterfeits don't enter the supply chain, and/or 2) counterfeits are identified before they're sold to customers.  Does anybody else here have any information on this topic?
 

Offline suicidaleggroll

  • Super Contributor
  • ***
  • Posts: 1455
  • Country: us
Re: FTDIgate 2.0?
« Reply #282 on: February 02, 2016, 04:51:51 pm »
As I wrote before: I have come across firmware doing safety critical tasks and it got upset from receiving data it didn't expect. There is nothing hypothetical about that!

And how many people have those devices killed?  Or were there other checks in place to ensure that even if the processor did get upset, it still didn't go on a murdering rampage?

So even with a real chip there is a probability things can go wrong (Murphy's law).
So it's a probability now?  With zero evidence that FTDI's counterfeit detection algorithm has ever given a false positive, it's now a probability that it's going to happen.  More hypotheticals...
« Last Edit: February 02, 2016, 04:57:23 pm by suicidaleggroll »
 

Offline suicidaleggroll

  • Super Contributor
  • ***
  • Posts: 1455
  • Country: us
Re: FTDIgate 2.0?
« Reply #283 on: February 02, 2016, 04:55:07 pm »
You don't get to cause damage just because it would've happened anyway...

You said it yourself, read my quote from you!

It wouldn't have happened anyway, because those devices don't exist.
 

Offline c4757p

  • Super Contributor
  • ***
  • Posts: 7805
  • Country: us
  • adieu
Re: FTDIgate 2.0?
« Reply #284 on: February 02, 2016, 04:58:30 pm »
You said it yourself.

Sure you'd be better off not trying to trigger a problem
No longer active here - try the IRC channel if you just can't be without me :)
 

Online Monkeh

  • Super Contributor
  • ***
  • Posts: 5921
  • Country: gb
Re: FTDIgate 2.0?
« Reply #285 on: February 02, 2016, 05:12:12 pm »
Of course, now I can't do cool things like make my Arduino act like an FTDI directly via v-usb to make integration for windows users easier.

Why would you need to?

And why would you think it reasonable to make your Arduino behave like a piece of hardware with very specific capabilities when it is nothing of the sort?

It's actually quite straightforward to emulate all of the functions of the FT232RL.

So how are you implementing the variable drive current? Do you support both VCP and D2XX drivers? Do you actually emulate the device properly, and if so, why is this even an issue, as surely you'd appear to be a normal FTDI device and they'd be unable to tell the difference?

Don't pretend to be what you're not - use a generic driver or write your own.

Quote
I'm not sure if you think that FTDI chips are some kind of black magic, especially the low end ones.

 ::)
 

Offline all_repair

  • Frequent Contributor
  • **
  • Posts: 554
Re: FTDIgate 2.0?
« Reply #286 on: February 02, 2016, 05:17:08 pm »
My example was just a purely hypothetical one extrapolated from my experience with how bad some firmware is written. I just can't divulge too much about those experiences for obvious reasons.

Would we all please stop with these nonsense hypotheticals and discuss the actual facts?  So far there is zero proof that there are any counterfeit devices in legitimate supply chains anymore. 

Agree on the hypothetical situations.

While we have not heard of any major blunders in the supply chain like the Newegg and Intel issue a few years back that comes to mind I am sure we can all agree that bad players are constantly trying to infiltrate the supply chain.
I think everyone in the industry shares some responsibility in maintaining the integrity of the supply chain.
There are some kids shouting and keep shouting and defining the supply chain as they wish and imagine.  Any supply chain is as clean as the dirtiest point in the chain.  There were cases and people I knew that were the authorised "CLEAN" channel selling big time to factories, injecting their compatible into the chain.  It took many years for the OEM to find out, because these guys got too greedy and prompted the OEM to investigate.  But the factories were kept in the dark even until now.  It happened, I am sure it is still happening and will never stop happening as long as there are some quick money to be made somewhere.  It is a  forever cat and mouse game.  FTDI is spraying bullets as they like. 
BTW those guys walked off almost trouble-free.  They lost the distributorship but kept the millions (today value should be billions) they had made, because the OEM dared not sue them and had the most to hide, the most to loose.
« Last Edit: February 02, 2016, 05:27:25 pm by all_repair »
 

Offline suicidaleggroll

  • Super Contributor
  • ***
  • Posts: 1455
  • Country: us
Re: FTDIgate 2.0?
« Reply #287 on: February 02, 2016, 05:25:39 pm »
You said it yourself.

Sure you'd be better off not trying to trigger a problem

For fuck's sake, I'm trying to stop the hypotheticals, that's all the post was about.  Quit trying to dig an argument for or against FTDI's actions out of my words, there was none.  I can see both sides of the issue, and both sides have valid points.  The moral/ethical/legal legitimacy of FTDI's actions was not what I was discussing, I was talking about how ridiculous these hypothetical scenarios are, and suggesting that people put an end to them because they're pointlessly dragging down the entire discussion.
 

Offline Sal Ammoniac

  • Frequent Contributor
  • **
  • Posts: 879
  • Country: us
    • Embedded Tales Blog
Re: FTDIgate 2.0?
« Reply #288 on: February 02, 2016, 05:32:41 pm »
As I wrote before: I have come across firmware doing safety critical tasks and it got upset from receiving data it didn't expect. There is nothing hypothetical about that! Also the assumption FTDI present and future detection algorithms will never be wrong is a false one. So even with a real chip there is a probability things can go wrong (Murphy's law).

This thread is getting absurd in the claims some people are making regarding safety critical products. Any competent designer of a product with a critical safety factor involved is going to take special care that the device cannot malfunction if it gets bad data from an FTDI chip or any other source. He will use error detecting algorithms to insure the integrity of the data stream and have safety interlocks to prevent any damage if something is not right. To not do so would be professional incompetence. For some reason, sloppy design seems to be tolerated more in the electronics/software industries than it is in other engineering professions.

Some have even argued that CRC algorithms are not perfect and errors can slip through. Sure, that's correct if you're talking about a few corrupted bits here and there, but if FTDI were truly sending random characters, then even the most basic checksum will detect that.
 

Online nctnico

  • Super Contributor
  • ***
  • Posts: 17615
  • Country: nl
    • NCT Developments
Re: FTDIgate 2.0?
« Reply #289 on: February 02, 2016, 05:37:56 pm »
As I wrote before: I have come across firmware doing safety critical tasks and it got upset from receiving data it didn't expect. There is nothing hypothetical about that! Also the assumption FTDI present and future detection algorithms will never be wrong is a false one. So even with a real chip there is a probability things can go wrong (Murphy's law).
This thread is getting absurd in the claims some people are making regarding safety critical products. Any competent designer of a product with a critical safety factor involved is going to take special care that the device cannot malfunction if it gets bad data from an FTDI chip or any other source. He will use error detecting algorithms to insure the integrity
You are being super naive here!!! You really don't want to know the shitty firmware I have come across and which still can pass safety regulation tests without problems.

It's always the naive people who say 'that shouldn't happen' which cause the problems. I put a reverse power protection diode or even a bridge rectifier in every DC powered design because even though people shouldn't swap the + and - they still do.
« Last Edit: February 02, 2016, 05:41:33 pm by nctnico »
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 

Offline Sal Ammoniac

  • Frequent Contributor
  • **
  • Posts: 879
  • Country: us
    • Embedded Tales Blog
Re: FTDIgate 2.0?
« Reply #290 on: February 02, 2016, 05:50:34 pm »
You are being super naive here!!! You really don't want to know the shitty firmware I have come across and which still can pass safety regulation tests without problems.

Perhaps we live in different worlds then. In the world I live in engineers take pride in their work and engineer it properly. If there are any safety aspects to a design, they take care that even uncommon failure modes are taken into account and handled properly in a combination of hardware and firmware interlocks.

Just because some people and companies create shitty, dangerous products doesn't mean that everyone does. Tell me--before all this FTDI stuff started, did engineers designing safety critical products that relied on a serial data stream in a safety critical part of the product assume that this data stream was 100% reliable 100% of the time?
 

Offline AlxDroidDev

  • Frequent Contributor
  • **
  • Posts: 471
  • Country: br
    • Arduino Web Brasil
Re: FTDIgate 2.0?
« Reply #291 on: February 02, 2016, 06:04:40 pm »
Who the hell still needs FTDI?

They are a shitty company, with zero respect for the end-users (who may or most likely may not [which was my case] be aware that their chip is fake).

It's not like we don't have alternatives and we really need them. There are plenty of options out there, from complete software solutions (like V-USB) to other dedicated alternatives, like the CH340G chip, and other solutions from Prolific, Texas, Cypress, Silicon Labs, Microchip, and a few others.

The sooner people stop caring about FTDI and stop using their products, the sooner we'll be rid of the problem.

Regarding the driver, I NEVER let Windows Update automatically update my drivers, since I've had bad experience with that in a distant past. Most of my drivers are probably out-of-date, but they've been working, so I just let them be. Don't fix it unless it's broken. Neverthless, I was a victim of FTDI with my very first Arduino Nano 3.0, because I didn't know any better, and it was a fresh install.

On a side note, some PL-2303HX drivers will simply not work with fake PL2303 chips, but it won't even touch the chip in any way. Prolific even has a utility to detect fake chips.
"The nice thing about standards is that you have so many to choose from." (Andrew S. Tanenbaum)
 

Online Monkeh

  • Super Contributor
  • ***
  • Posts: 5921
  • Country: gb
Re: FTDIgate 2.0?
« Reply #292 on: February 02, 2016, 06:06:07 pm »
On a side note, some PL-2303HX drivers will simply not work with fake PL2303 chips, but it won't even touch the chip in any way. Prolific even has a utility to detect fake chips.

They have a utility to detect old, legitimate, and perfectly functional chips, too; their driver. Which won't work with old chips.
 

Online nctnico

  • Super Contributor
  • ***
  • Posts: 17615
  • Country: nl
    • NCT Developments
Re: FTDIgate 2.0?
« Reply #293 on: February 02, 2016, 06:11:01 pm »
You are being super naive here!!! You really don't want to know the shitty firmware I have come across and which still can pass safety regulation tests without problems.
Perhaps we live in different worlds then. In the world I live in engineers take pride in their work and engineer it properly. If there are any safety aspects to a design, they take care that even uncommon failure modes are taken into account and handled properly in a combination of hardware and firmware interlocks.

Just because some people and companies create shitty, dangerous products doesn't mean that everyone does. Tell me--before all this FTDI stuff started, did engineers designing safety critical products that relied on a serial data stream in a safety critical part of the product assume that this data stream was 100% reliable 100% of the time?
Again: I have seen released-for-production safety critical firmware do weird stuff when/after receiving unexpected data. And I've seen much worse than that as well. So yes, competent engineers are very rare. Even with safety interlocks and so on poorly designed firmware can still cause lots of trouble.
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 

Offline Sal Ammoniac

  • Frequent Contributor
  • **
  • Posts: 879
  • Country: us
    • Embedded Tales Blog
Re: FTDIgate 2.0?
« Reply #294 on: February 02, 2016, 06:26:46 pm »
Again: I have seen released-for-production safety critical firmware do weird stuff when/after receiving unexpected data. And I've seen much worse than that as well. So yes, competent engineers are very rare. Even with safety interlocks and so on poorly designed firmware can still cause lots of trouble.

These companies should be run out of business. I'm not a big fan of government regulation, but this is a case where it's needed. Poor engineering of products with safety critical aspects should not be tolerated.
 

Offline f4eru

  • Frequent Contributor
  • **
  • Posts: 549
Re: FTDIgate 2.0?
« Reply #295 on: February 02, 2016, 06:31:41 pm »
If you search for 'woman falls in elevator shaft' you'll notice it -shockingly- happens very often! The case I was referring to happened in Germany.

"man falls in elevator shaft" >> 389 000  google results
"woman falls in elevator shaft" >> 116 000 google results
"FTDI accident" >> 71 000  google results
"man falls in elevator shaft due to FTDI malware" >> 7  google results

So men fall 3,5x more often into elevator shafts it seems, amd FTDI is responsible for 1/6 of elevator shaft accidents.
 

Offline f4eru

  • Frequent Contributor
  • **
  • Posts: 549
Re: FTDIgate 2.0?
« Reply #296 on: February 02, 2016, 06:41:02 pm »
My favorite part is where you admit you're wrong and still keep going :-+
it's not wrong. typically, a properly done failure analysis for that specific looks like :
- problem : corrupt data on UART due to access conflict with other program/other Hardware
- probability : low
- severity : mid (after implementing CRC)
- risk level : low


Problem : FTDI just increased the probability, and therefore the risk to dangerous levels !
 

Offline f4eru

  • Frequent Contributor
  • **
  • Posts: 549
Re: FTDIgate 2.0?
« Reply #297 on: February 02, 2016, 06:45:33 pm »
Quote
Any competent designer of a product with a critical safety factor involved is going to take special care that the device cannot malfunction if it gets bad data from an FTDI chip or any other source.

Wrong.
Any competent designer of a product with a critical safety factor involved is going to take special care to reduce the likelihood of  device malfunction down to an acceptable level.
There is no zero risk.
Lesson one in functionnal safety : You cannot eliminate risk. You only reduce it's likelihood or it's severity.

FTDI just raised that risk to an inacceptable level.
 

Offline mtdoc

  • Super Contributor
  • ***
  • Posts: 3579
  • Country: us
Re: FTDIgate 2.0?
« Reply #298 on: February 02, 2016, 07:08:38 pm »
The hypotheticals re: FTDI's shenanigans causing deaths may be overblown but the general principle and precident it sets- that is - companies reeking havoc on end user systems to combat clones - could easily eventually result in loss of life IMHO.

My end user experience with technology in the medical world has shown me that despite the best intentions of engineers - critical, unexpected faults can and do occur.

As things become more and more connected - there's been a rapid push to incorporate more technology into medical equipment and informatics - with efforts underway to allow more and more automatic connection and control - for example between implanted medical devices or bedside hospital medical equipment - and computerized medical systems accessible 24/7 to doctors and staff caring for patients.

The nature of the economics of the current system of hospital adoption of medical technology prevents the usual feedback mechanisms that force companies to compete based on the quality and reliability of their systems - so that salesmen and marketers are the focus - since once a hospital adopts a specific vendors technology they are pretty much stuck with it no matter how shitty it is.
 

Offline Karel

  • Super Contributor
  • ***
  • Posts: 1374
  • Country: 00
Re: FTDIgate 2.0?
« Reply #299 on: February 02, 2016, 07:14:26 pm »
Also the assumption FTDI present and future detection algorithms will never be wrong is a false one.

Can you provide a link to a documented event that shows that FDTI wrongly detected a non-genuine chip
while in reality it was genuine?
The difference between theory and practice is less in theory than
the difference between theory and practice in practice.
Expensive tools cannot compensate for lack of experience.
 


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf