Author Topic: FTDIgate 2.0?  (Read 247727 times)

Offline amyk

  • Super Contributor
  • ***
  • Posts: 6541
Re: FTDIgate 2.0?
« Reply #725 on: February 19, 2016, 11:37:06 am »
Not everyone wants security over freedom... especially when it's their own computer they're being "secured" against.
 

Offline gmb42

  • Regular Contributor
  • *
  • Posts: 174
  • Country: gb
Re: FTDIgate 2.0?
« Reply #726 on: February 19, 2016, 12:16:33 pm »
You can control the CA certs that are downloaded to a Windows machine, you can even run the process manually if you wish, so that you're totally in control of what is "trusted" via certs. See here for more info.

Of course I fully expect those that have "trust issues" to manually inspect every byte of code (including the BIOS and the CPU firmware) that runs on their precious machines.
 

Offline janoc

  • Super Contributor
  • ***
  • Posts: 2954
  • Country: fr
Re: FTDIgate 2.0?
« Reply #727 on: February 19, 2016, 01:56:51 pm »
You can control the CA certs that are downloaded to a Windows machine, you can even run the process manually if you wish, so that you're totally in control of what is "trusted" via certs. See here for more info.

Of course I fully expect those that have "trust issues" to manually inspect every byte of code (including the BIOS and the CPU firmware) that runs on their precious machines.

That isn't what I meant when I spoke about trust. I meant that if a cert is issued by someone like Verizon, Symantec or Comodo, you can have some confidence that at least some checks on the identity of the person applying were done and that it is likely that whoever is showing you that certificate is who they claim they are.

If you get a cert issued by a random CA from Eastern Bananistan that nobody has heard about before, it doesn't exactly inspire confidence that the rules were followed, even if their cryptographic chain of trust traces back to one of the major CAs.

 

Offline janoc

  • Super Contributor
  • ***
  • Posts: 2954
  • Country: fr
Re: FTDIgate 2.0?
« Reply #728 on: February 19, 2016, 02:27:18 pm »
Not everyone wants security over freedom... especially when it's their own computer they're being "secured" against.

I think that for Microsoft their major target is locked-down corporate markets, where the "security over freedom" is a valid thing to strive for.

The home PCs laden with DRM so that Hollywood doesn't get their precious Blu-rays stolen was something relevant 10 years ago, but not with the pervasive streaming and mobile devices anymore.



 

Offline rch

  • Regular Contributor
  • *
  • Posts: 167
  • Country: wales
Re: FTDIgate 2.0?
« Reply #729 on: February 19, 2016, 03:13:06 pm »
You can control the CA certs that are downloaded to a Windows machine, you can even run the process manually if you wish, so that you're totally in control of what is "trusted" via certs. See here for more info.

Of course I fully expect those that have "trust issues" to manually inspect every byte of code (including the BIOS and the CPU firmware) that runs on their precious machines.

That isn't what I meant when I spoke about trust. I meant that if a cert is issued by someone like Verizon, Symantec or Comodo, you can have some confidence that at least some checks on the identity of the person applying were done and that it is likely that whoever is showing you that certificate is who they claim they are.

If you get a cert issued by a random CA from Eastern Bananistan that nobody has heard about before, it doesn't exactly inspire confidence that the rules were followed, even if their cryptographic chain of trust traces back to one of the major CAs.


Even with said dubious sources, they have probably checked the ownership of the domain the cert is granted for, so it does provide some reassurance against man-in-the-middle attacks. Granted, it doesn't say much about the virtues of the website you are communicating with, just that it probably is the site you think it is.
 

Offline ve7xen

  • Frequent Contributor
  • **
  • Posts: 671
  • Country: ca
    • VE7XEN Blog
Re: FTDIgate 2.0?
« Reply #730 on: February 19, 2016, 05:47:54 pm »
You can control the CA certs that are downloaded to a Windows machine, you can even run the process manually if you wish, so that you're totally in control of what is "trusted" via certs. See here for more info.

Of course I fully expect those that have "trust issues" to manually inspect every byte of code (including the BIOS and the CPU firmware) that runs on their precious machines.
Correct me if I'm wrong, but I don't think this applies to driver signing keys.
73 de VE7XEN
 

Offline timb

  • Super Contributor
  • ***
  • Posts: 2528
  • Country: us
  • Pretentiously Posting Polysyllabic Prose
    • timb.us
FTDIgate 2.0?
« Reply #731 on: February 19, 2016, 08:25:47 pm »
You can control the CA certs that are downloaded to a Windows machine, you can even run the process manually if you wish, so that you're totally in control of what is "trusted" via certs. See here for more info.

Of course I fully expect those that have "trust issues" to manually inspect every byte of code (including the BIOS and the CPU firmware) that runs on their precious machines.

That isn't what I meant when I spoke about trust. I meant that if a cert is issued by someone like Verizon, Symantec or Comodo, you can have some confidence that at least some checks on the identity of the person applying were done and that it is likely that whoever is showing you that certificate is who they claim they are.

If you get a cert issued by a random CA from Eastern Bananistan that nobody has heard about before, it doesn't exactly inspire confidence that the rules were followed, even if their cryptographic chain of trust traces back to one of the major CAs.

Let's Encrypt is propagating its own root, but in the meantime their Authority cert is cross-signed by IdenTrust, which is a major root known by all browsers.

As for "trust" well, in the old days when you paid hundreds of dollars for an SSL cert, they "verified" you by phone. It was automated, too. You'd get a call asking to state your full name and company (if applicable) which was recorded and (I assume) stored for the duration of the cert's validity. This was how VeriSign did it 10 years ago. That was literally all there was to it.

Now, Let's Encrypt uses the ACME protocol to actually verify you have control of the domain in question. You run the Let's Encrypt client *on your server* which uses Apache or DNS to perform a challenge response with *their server* for verification. Then the cert is issued.

That seems like much more verification than a 5 second automated phone call from VeriSign, to me. (Seriously, the $$$ SSL certs of old were mostly smoke and mirrors. I ran a big web hosting company from 2002 to 2008, so I know alllll about it.)
Any sufficiently advanced technology is indistinguishable from magic; e.g., Cheez Whiz, Hot Dogs and RF.
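
The domain-control check described in the post above, as an added example that is not part of the original post and not Let's Encrypt's own code: a minimal in-memory sketch of the ACME (RFC 8555) http-01 and dns-01 challenge values, with both the client and the CA side simulated. The account keys, the token and the `webroot` dict are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample values (not real keys or tokens).
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "c2FtcGxlLW1vZHVsdXMtb25l"}
OTHER_JWK = {"kty": "RSA", "e": "AQAB", "n": "c2FtcGxlLW1vZHVsdXMtdHdv"}
TOKEN = "constructed-token-0123456789abcdef"


def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding ACME and JOSE use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required RSA members only, sorted, no spaces."""
    required = {k: jwk[k] for k in ("e", "kty", "n")}
    canonical = json.dumps(required, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """Binds the CA's random token to the requesting account's public key."""
    return token + "." + jwk_thumbprint(account_jwk)


def http01_path(token: str) -> str:
    """Path the CA fetches over HTTP from the domain being validated."""
    return "/.well-known/acme-challenge/" + token


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """TXT value for _acme-challenge.<domain>: digest of the key authorization."""
    ka = key_authorization(token, account_jwk).encode("ascii")
    return b64url(hashlib.sha256(ka).digest())


def ca_validate_http01(fetch, token: str, account_jwk: dict) -> bool:
    """CA side: fetch the challenge file and compare with the expected value."""
    body = fetch(http01_path(token))
    if body is None:  # nothing served: requester does not control the site
        return False
    expected = key_authorization(token, account_jwk).encode("ascii")
    return hmac.compare_digest(body.strip().encode("utf-8"), expected)


def demo() -> dict:
    # Client side: the web server for the domain serves this file.
    webroot = {http01_path(TOKEN): key_authorization(TOKEN, ACCOUNT_JWK)}
    return {
        "owner": ca_validate_http01(webroot.get, TOKEN, ACCOUNT_JWK),
        # A different account cannot reuse the file someone else published.
        "other_account": ca_validate_http01(webroot.get, TOKEN, OTHER_JWK),
        # No file at the challenge path means validation fails.
        "no_file": ca_validate_http01({}.get, TOKEN, ACCOUNT_JWK),
    }


if __name__ == "__main__":
    print(demo())
```

The check proves control of the domain's web server or DNS zone at issuance time and nothing about the identity of the organisation behind it.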
 

Offline gmb42

  • Regular Contributor
  • *
  • Posts: 174
  • Country: gb
Re: FTDIgate 2.0?
« Reply #732 on: February 20, 2016, 01:27:02 pm »
You can control the CA certs that are downloaded to a Windows machine, you can even run the process manually if you wish, so that you're totally in control of what is "trusted" via certs. See here for more info.

Of course I fully expect those that have "trust issues" to manually inspect every byte of code (including the BIOS and the CPU firmware) that runs on their precious machines.
Correct me if I'm wrong, but I don't think this applies to driver signing keys.

I believe it does.  If you disable auto downloads and manually control CA trust certs, then you can control (all but MS) driver certs as well.  They still go through the same trust process as say website TLS certs.  For boot drivers I believe the situation is slightly different as the kernel boot process doesn't have access to the trusted cert store so relies on the MS CVR cross cert and the integrity checks of the digital signature.  In my mind this is slightly weaker hence the move to EV certs and attestation signing for boot drivers for Win 10.
 

Offline justanothercanuck

  • Frequent Contributor
  • **
  • Posts: 390
  • Country: ca
  • Doing retro repairs...
Re: FTDIgate 2.0?
« Reply #733 on: February 21, 2016, 08:55:18 pm »
methinks ftdi isn't the only company with this problem...

http://webcache.googleusercontent.com/search?q=cache:TYC9IThct9YJ:store.steampowered.com/hwsurvey/processormfg/%3Fsort%3Dname+&cd=1&hl=en&ct=clnk&gl=ca
http://valid.x86.fr/top-cpu/47656e75696e65496f74656c2050726f636573736f72

i've seen cpu-z shots of the "authentid" amd chips as well, but sadly my google-fu is failing.  i also had to use google cache for the steam listings because the amd chips seem to be slipping out of circulation.
Maintain your old electronics!  If you don't preserve it, it could be lost forever!
 

Offline f4eru

  • Frequent Contributor
  • **
  • Posts: 557
Re: FTDIgate 2.0?
« Reply #734 on: February 27, 2016, 08:45:58 am »
Yep, true. Other companies also alienate their (future ex) customers
 

Offline MSO

  • Contributor
  • Posts: 42
  • Country: us
Re: FTDIgate 2.0?
« Reply #735 on: February 27, 2016, 08:21:11 pm »
So FTDI, who has lost millions of dollars in lost sales, is supposed to keep losing more millions of dollars in lost sales so the guys who stole from them can continue to have eager customers?

Yeah, a lot of us were screwed over by the scammers too, just as FTDI was.  FTDI will never get their lost sales back, but they can prevent future lost sales.  They are more than right to do so, they have an obligation to do so in my opinion.  Their shareholders and employees deserve an honest shot at making a future for themselves.

Those of us who bought products containing counterfeit chips ought to return those products to have the chips replaced or demand a working driver instead.  There's going to be plenty of cases where sending the device back is uneconomical or the vendor is unresponsive. In such situations, we'll need to buy and replace the counterfeit chips ourselves or replace the offending product.

Insisting that FTDI make us whole by continuing to lose additional sales just doesn't make sense. It's as if you've been stolen from once so you should continue to be stolen from so nobody else has to be victimized.

 

Offline c4757p

  • Super Contributor
  • ***
  • Posts: 7805
  • Country: us
  • adieu
Re: FTDIgate 2.0?
« Reply #736 on: February 27, 2016, 08:31:51 pm »
You seem to be under the impression that because someone did something bad to you, you automatically get to do whatever you like in retaliation - that you no longer have an obligation to remain ethical. Shit I hope you don't vote.

You also didn't read the thread, as that point has been made and addressed multiple times by now.
No longer active here - try the IRC channel if you just can't be without me :)
 

Online nctnico

  • Super Contributor
  • ***
  • Posts: 18001
  • Country: nl
    • NCT Developments
Re: FTDIgate 2.0?
« Reply #737 on: February 27, 2016, 08:46:07 pm »
Very recently I visited a company which has proprietary USB-UART cables made so their customers can connect to their products with the right connector, protection, etc. They used FTDI in the past but since they got a batch which didn't work due to fake chips they are now moving to a different brand USB-UART chip. They simply don't want to deal with / waste their energy on the fall-out of a mud fight between FTDI and creators of functional equivalents. Since Windows 10 has drivers for most USB-UART chips built in (finally after almost 2 decades) there is no advantage of using FTDI compared to most other popular chips anyway.
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 

Offline Koen

  • Frequent Contributor
  • **
  • Posts: 453
Re: FTDIgate 2.0?
« Reply #738 on: February 27, 2016, 09:51:15 pm »
nctnico > What is the name of this company ?
 

Online nctnico

  • Super Contributor
  • ***
  • Posts: 18001
  • Country: nl
    • NCT Developments
Re: FTDIgate 2.0?
« Reply #739 on: February 27, 2016, 10:00:13 pm »
nctnico > What is the name of this company ?
I can't divulge that information but I didn't start the conversation about the FTDI chip; they were just asking me what to use instead.
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 

Offline Koen

  • Frequent Contributor
  • **
  • Posts: 453
Re: FTDIgate 2.0?
« Reply #740 on: February 27, 2016, 10:02:03 pm »
Of course you can't.
 

Offline timb

  • Super Contributor
  • ***
  • Posts: 2528
  • Country: us
  • Pretentiously Posting Polysyllabic Prose
    • timb.us
Re: FTDIgate 2.0?
« Reply #741 on: February 28, 2016, 12:56:26 am »

Of course you can't.

I wouldn't give out my customer's names on a public forum, either.
Any sufficiently advanced technology is indistinguishable from magic; e.g., Cheez Whiz, Hot Dogs and RF.
 

Offline c4757p

  • Super Contributor
  • ***
  • Posts: 7805
  • Country: us
  • adieu
Re: FTDIgate 2.0?
« Reply #742 on: February 28, 2016, 12:58:28 am »
Indeed, you can hardly judge someone for not naming someone in public with whom he has/had a business relation. That could end very poorly.
No longer active here - try the IRC channel if you just can't be without me :)
 

Offline MSO

  • Contributor
  • Posts: 42
  • Country: us
Re: FTDIgate 2.0?
« Reply #743 on: February 28, 2016, 04:17:49 am »
You seem to be under the impression that because someone did something bad to you, you automatically get to do whatever you like in retaliation - that you no longer have an obligation to remain ethical. Shit I hope you don't vote.

You also didn't read the thread, as that point has been made and addressed multiple times by now.

I've read the majority of this thread (most of which is sickening) and repeatedly found people who did not buy FTDI products complaining that FTDI owes them something for nothing. FTDI has no ethical or moral responsibility to support those who have not purchased their products or services. If you want FTDI to do something for you, pay for it.

The vendors from whom the defective products were purchased are responsible for the products that no longer work, not FTDI.  It is those vendors who have harmed us and FTDI. It is those vendors who have been paid to provide the products and services that we all seek and it is they who have failed to deliver said products and services and it is they who have the ethical and moral responsibility to correct their failures.
 

Offline c4757p

  • Super Contributor
  • ***
  • Posts: 7805
  • Country: us
  • adieu
Re: FTDIgate 2.0?
« Reply #744 on: February 28, 2016, 04:27:32 am »
What does any of that drivel have to do with whether FTDI's response was ethical? Yes, counterfeiters are doing a bad thing. That doesn't make any response to it inherently acceptable. FTDI isn't just 'not supporting' counterfeit chips, they're actively trying to prevent them from working.

I'm not even saying that what they did was unethical. I'm just saying that your argument doesn't do anything to prove it's ethical. It adds absolutely nothing to the conversation.
No longer active here - try the IRC channel if you just can't be without me :)
 

Offline technix

  • Super Contributor
  • ***
  • Posts: 3223
  • Country: cn
  • From Shanghai With Love
    • My Untitled Blog
Re: FTDIgate 2.0?
« Reply #745 on: February 28, 2016, 06:03:57 am »
Well long have I switched over to CH340G - even selling my CH340-based adapter here: https://www.tindie.com/products/maxtch/fused-usb-to-uart-adapter-33v-and-5v-m1801v4/
 

Offline MSO

  • Contributor
  • Posts: 42
  • Country: us
Re: FTDIgate 2.0?
« Reply #746 on: February 28, 2016, 06:52:49 am »
What does any of that drivel have to do with whether FTDI's response was ethical? Yes, counterfeiters are doing a bad thing. That doesn't make any response to it inherently acceptable. FTDI isn't just 'not supporting' counterfeit chips, they're actively trying to prevent them from working.

I'm not even saying that what they did was unethical. I'm just saying that your argument doesn't do anything to prove it's ethical. It adds absolutely nothing to the conversation.

So if I were to list my old beater on Craigslist and then meet the guy at Walmart's parking lot where he pays me cash for the car. I take the cash to the bank and the bank tells me the cash is counterfeit, that they won't credit my account and then calls the BATF who takes the counterfeit cash to hold as evidence. I'm out my old beater and there isn't too much I can do about it unless the counterfeiter can be apprehended and somehow get my beater back from him.  I can't hold the bank responsible for the counterfeit money.

FTDI did in the first instance make a mistake. They bricked the counterfeit devices.  They made an about face on that decision and stopped bricking the counterfeit chips.  In the present case however, they did not brick any devices, they simply refused to service them, just like the bank with my counterfeit cash.  The only difference is that FTDI carried most of us for several years at their own expense; the bank would never do that and we would never expect that they would.

Your position seems to be that FTDI should continue to support the counterfeit chips while I think they are doing the ethical thing by not supporting them.  Those knockoff chips still work fine, they just won't work with FTDI drivers. The technology in those fake chips was stolen from FTDI and then used to reduce FTDI's profits by undercutting FTDI's pricing.  FTDI actions to bring these thieves to heel is the only ethical action they can take. Yes, FTDI helps themselves financially, but they also help the entire industry to the extent they can inhibit the profits that can be made through the theft of Intellectual Property and counterfeiting.

 

Offline technix

  • Super Contributor
  • ***
  • Posts: 3223
  • Country: cn
  • From Shanghai With Love
    • My Untitled Blog
Re: FTDIgate 2.0?
« Reply #747 on: February 28, 2016, 07:29:01 am »
What does any of that drivel have to do with whether FTDI's response was ethical? Yes, counterfeiters are doing a bad thing. That doesn't make any response to it inherently acceptable. FTDI isn't just 'not supporting' counterfeit chips, they're actively trying to prevent them from working.

I'm not even saying that what they did was unethical. I'm just saying that your argument doesn't do anything to prove it's ethical. It adds absolutely nothing to the conversation.

So if I were to list my old beater on Craigslist and then meet the guy at Walmart's parking lot where he pays me cash for the car. I take the cash to the bank and the bank tells me the cash is counterfeit, that they won't credit my account and then calls the BATF who takes the counterfeit cash to hold as evidence. I'm out my old beater and there isn't too much I can do about it unless the counterfeiter can be apprehended and somehow get my beater back from him.  I can't hold the bank responsible for the counterfeit money.

FTDI did in the first instance make a mistake. They bricked the counterfeit devices.  They made an about face on that decision and stopped bricking the counterfeit chips.  In the present case however, they did not brick any devices, they simply refused to service them, just like the bank with my counterfeit cash.  The only difference is that FTDI carried most of us for several years at their own expense; the bank would never do that and we would never expect that they would.

Your position seems to be that FTDI should continue to support the counterfeit chips while I think they are doing the ethical thing by not supporting them.  Those knockoff chips still work fine, they just won't work with FTDI drivers. The technology in those fake chips was stolen from FTDI and then used to reduce FTDI's profits by undercutting FTDI's pricing.  FTDI actions to bring these thieves to heel is the only ethical action they can take. Yes, FTDI helps themselves financially, but they also help the entire industry to the extent they can inhibit the profits that can be made through the theft of Intellectual Property and counterfeiting.

Now you hijack end users' equipment. End users are usually unsuspecting and they will find their equipment suddenly stopped working, causing a surge of complaints and RMAs to the manufacturers of their equipment (who are the actual customers of FTDI).
 

Offline Karel

  • Super Contributor
  • ***
  • Posts: 1401
  • Country: 00
Re: FTDIgate 2.0?
« Reply #748 on: February 28, 2016, 08:27:52 am »
FTDI isn't just 'not supporting' counterfeit chips, they're actively trying to prevent them from working.

Nothing wrong with that. People shouldn't use counterfeit chips. As soon as they discover that their device stops working, blame the seller of the device. Not FTDI.




The difference between theory and practice is less in theory than
the difference between theory and practice in practice.
Expensive tools cannot compensate for lack of experience.
 

Offline Karel

  • Super Contributor
  • ***
  • Posts: 1401
  • Country: 00
Re: FTDIgate 2.0?
« Reply #749 on: February 28, 2016, 08:33:32 am »
You also didn't read the thread, as that point has been made and addressed multiple times by now.

"It has been addressed" in many ways based on different opinions of different people. Pick one you like. There's no consensus.



The difference between theory and practice is less in theory than
the difference between theory and practice in practice.
Expensive tools cannot compensate for lack of experience.
 

