It is quite likely that the counterfeiters(at least the ones that actually stamp 'FTDI' on their products, or represent them as FTDI parts, I'm unconvinced that a VID:PID pair is a trademarkable thing) are committing 36 flavors of trademark infringement; but that still doesn't make it obvious that FTDI can just go all vigilante justice on them(much less on random people who may or may not know they were even using counterfeit chips).
Even when something is clearly recognized as a crime, the courts tend to take a somewhat dim view of those who go and dish out some extrajudicial punishment for it (typically with exceptions for things like self defense). Even when the law specifically defines transgressions that create a private right of action, the 'action' usually involves getting to sue the target, not take matters into your own hands.
A certain amount may end up riding on the meaning of 'component' and 'that component', as well. Sure, for a basic USB -> serial dongle the FTDI chip is practically the only component, with just a couple of cheap connectors and a passive or two; but there are some fairly expensive devices that are 'USB' because the manufacturer shoved a converter IC onto the previous generation serial design.
Even if FTDI finds a court that buys their right to destroy cloned chips by vigilante action(rather than by a copyright, patent, or trademark judgement in the appropriate venue), will they find one that is sympathetic when the device ruined is some fairly expensive bit of gear sold by a third party to a customer who didn't even know a USB bridge chip was involved?
As an EE, I will think twice about designing in FTDI products from now on.
Even if you happen to think that FTDI's approach is morally justified and hilarious, it'd still be worth considering avoiding them: some counterfeits don't even bother to pretend; but there are some very, very, convincing fakes that manage to sneak into more respectable parts of the supply chain. It's bad enough that you might get slipped counterfeits that don't meet spec, worse if you might get slipped counterfeits that appear to work and then get destroyed once in the hands of your customers.
I imagine that it also helps (at least in terms of customer acceptance) that most of these RFID tags are probably replacing something that was as bad or worse. Keys are clonable, provide no record of use(much less timestamped logs of individual users) and if one gets into the wild re-keying the place is Not Fun. Magnetic stripe cards are trivially clonable; but on the same level as most RFID tags in terms of access logging and enabling/disabling access. Adequately rugged optical sensors have historically been pretty expensive, so bar codes, hand scanners, and any other biometric gimmicks are likely niche players.
I'd be pretty annoyed if some salesweasel lied to me about it; but it's unlikely that an RFID installation replaced something that was harder to clone, and it's still easier than keys, slightly more robust than mag stripe readers, and reasonably cheap per tag. In some ways that makes it even more obnoxious to harass the researchers, though.
My experience with boat maintenance is (thankfully) limited; but I do know that wood tends to shrink and swell rather cheerfully as its moisture content changes, and that larger wooden vessels tend to suffer some 'play' from the hogging and sagging induced by wave action and any changes in relative buoyancy as cargo load changes from voyage to voyage, hence the fine naval tradition of oakum, tar, and endless manual labor lest you die a watery death.
Thinking of that, the pictures of a whole bunch of curved ribs(in what look to be several varieties of wood) forming a cylinder/cone thing with loads of joints that is expected to be immersed during use, caused me to immediately start imagining assorted ominous creaking, stress fractures, and hull geometry issues that you'll have a heroic time hammering out.
Is the coating adequate to prevent that sort of thing? Are they using some carpentry-fu of the same type that holds wooden barrels and wheels together? Will it in fact be a disaster in short order?
Some vendors skip the helpful 'provide a damn bootable freeDOS image, you cheap bastards' step, which is very annoying; but it's pretty common to use DOS for firmware updates. When the vendor is feeling polite, and for more common ones, you usually get a windows executable with some dire warnings about running it as an administrator and not interrupting it; but DOS is a pretty good choice when you want an OS that isn't going to be multitasking behind your back as you scribble over some bit of firmware that will brick the device if handled indelicately.
It probably will be an amusing test of whether Apple's BIOS emulation layer is up to scratch, or whether it was written rather closely against the specific versions of Windows supported by bootcamp and the bootcamp drivers...
They had that one a while back where the drive would mysteriously decide that it had a capacity of 8MB, though that has been quashed for some time.
The tricky thing (and I'm not actually certain where they stand on this now) is that Intel's initial reputation was founded on the superior performance and reliability of the in-house controller design that they used in their x-18 and x-25, especially dramatic back when there was some utter garbage floating around (JMicron controllers, OCZ living up to their reputation) and the safe options were comparatively slow and extremely expensive.
Then, for some reason, they just sat and stagnated on that controller design for several generations, and eventually shipped a Marvell controller in order to have something with SATA 6Gb support. Since then, they've released some Sandforce based stuff, and some of their own; but it isn't as clear exactly what "Intel" on the label means anymore.
Do remember that 'women in tech' has some very vocal friends among employers of techs.
This is not to say that nobody involved is genuinely concerned; but it should be remembered that complaints about the labor market can come from either side, with the supply side generally having the numbers and the demand side generally having the influence. (And, at times, they even shift remarkably quickly: just remember how fast getting women into heavy industry became a national cause during WWII, and how fast encouraging them to keep house in the suburbs become one afterwards.)
It sounds like your post answers its own question. A burn-and-churn industry in a period of high demand has a strong need for new workers(lest the alternatives of cushier working conditions and/or higher salaries be resorted to to retain and re-attract the existing ones and the burnouts). Since the supply has skewed heavily male for some time now, there is some reason to suspect that finding a way to increase female recruitment is the best hope of locating a new source of human resources.
It's seriously difficult to understand the mindset of the organization and how they came into this. Did they even bother hiring a competent cryptographer when designing their product ? Were they duped by someone they hired and led to design a insecure product ? Or is encrypting an RFID communication a difficult and non-trivial task with no known vetted solution ?
I don't think that the problem is difficult in some fundamental way (the problem of verifying a remote host with asymmetric crypto has been reasonably well explored with SSL/TLS, and an access control system has the advantage of being able to trust only a CA it controls, and the advantage that you need to get physical access to an RFID reader pad to attempt attacks); but there are significant practical challenges.
RFID chips are pretty power constrained, since they only get whatever energy they can scavenge from the reader's RF output; and customers want them to be cheap. The industry also has fairly long product lifecycles (since, once you've put in a zillion card readers and integrated it with all your other building security stuff you don't want to rip it out and upgrade in 2 years).
It isn't so much a 'there is no known cryptographic solution to this problem' issue as a 'Why yes, we still have major customers using the 'security' provided by the lousy proprietary cryptosystem that our engineers were able to cram into a cheap, power-constrained, chip using the fab processes available in the mid to late 90s, and we really don't want to fix that' issue.
Most of the world knows that security is fleeting, and those that deepend on the law to preserve obscurity is the fleetingness of all. Do they not even consider that citizens of nations that don't give a shit about legal protections are the very people their customers need to be protected against? These companies should be paying rewards to anyone who can defeat their protections, not punishing them.
Aside from pure cultural dysfunction (of the sort that causes even some software companies to threaten the people who do free security testing for them, and even offer them time to fix bugs before releasing the proof of concept), the issue is that HID and friends are closer to locksmiths than to software companies.
RFID (and non-standardized but conceptually similar contactless short range RF fobs and slightly longer range button-cell-powered keyless entry systems) tends to be painfully computationally limited, since the tags need to be cheap and need to work on a tiny power budget. The older ones are even worse, of course, since they had less efficient silicon fabrication options to work with. For the same reason, such devices aren't usually little microcontrollers with flashable software; but mostly or entirely fixed-function implementations of crap proprietary crypto systems. Depending on when the corresponding card readers and access control stuff was installed, and what the customer picked, those parts of the system may also be hard to upgrade without ripping them out and replacing them(and, since this is a physical security issue, the readers are more likely to be embedded in walls/bolted to stuff/otherwise tied down and hardwired, so it won't just be swapping out a bunch of desktops.
Because upgrading in-software/firmware is often difficult or impossible, and upgrading involves ripping out hardware that was supposed to have years of service life, HID and friends really don't want to hear about it. They'd much rather just try to tamp down public awareness of the issue, hope that there are no high-profile breaches of customers capable of suing them, and pretend it isn't a problem until the flawed parts have aged out.
As much as it's a repulsive, dishonest, and definitely-unworthy-of-support-by-the-courts tactic, it must be admitted that plenty of known-broken lock designs continue to more-or-less do their jobs (if attackers are still forcing doors rather than just picking locks, the lock is apparently still effective) for years after their weaknesses become public knowledge, so it is entirely probable that various HID access fobs will quietly age out without any major incidents. No need to threaten the researchers about it, though.
Incidentally, while iced coffee is refreshing and invigorating, you can also get refreshing and relaxing by icing irish coffee. I don't think I've ever seen the option on a menu; but I was pleasantly surprised by the effectiveness of the experiment; and a place that offers irish coffee will usually be willing to put some over ice on request.
At this point, I'd be tempted to make any would-be astronaut pass the 'n months in standby and hard vacuum before the signal from mission control wakes you up' test, because Our Robot Overlords have gotten considerably better; but it'd be no worse, and possibly better, than the John Glenn launch a few years back.
People love to hate Apple. It's a thing. Also, is there any evidence this data is not anonymised by Apple?
'Anonymised' is mostly a weasel word. It isn't always impossible; but the more interesting the dataset is, the more likely it is that there's a clever re-identification attack with good odds of success. If you are serious about preventing those, you tend to have to nuke the data so hard that they aren't of much interest anymore.
Unless robustly demonstrated to the contrary, it's an essentially worthless claim.
If you don't trust an OS vendor, isn't using a network monitoring tool on a different host entirely, with physical access to the wire, pretty much the only way to go? If they were so motivated, the OS would basically be a rootkit with device drivers and a userspace API...
TFA specifically notes that the behavior described was observed with all visible 'privacy' settings adjusted. Presumably the story is even cheerier if those aren't switched off.
I'd go with 'no' and 'no'. Yes, the end goal is to discover the cause, the mechanism, and the effect as precisely as possible; but the universe of possibilities is absurdly gigantic, easily larger than you could ever afford to study.
So what do you do? You start by trying to cut the search space into more manageable chunks with this sort of study, which doesn't provide the level of precision you ultimately want; but can (relatively) cheaply and easily provide some leads on what is worth looking at in greater detail and what isn't.
Next up, after negative user response, ChromeOS to publish full source code and become free user-respecting software.
ChromeOS tends to ship on Tivoized hardware, which isn't exactly Gnu-Freedom; but, in terms of the software on top of the bootloader, what are the deficiencies? I know it ships a proprietary Flash, and whatever bullshit makes Netflix work; but is there anything else?
If memory serves, the tricky bit was that any evidence we had based on receipts or equivalent, either ours or those of other Good Guys, would be both embarassing and largely obsolete; since the Iran/Iraq war was not exactly a moral triumph on our part, and it long enough past that any remaining munitions would be hazmat but close to useless for military purposes. Evidence of anything more recent, though, was hampered by being almost entirely bullshit.
I can definitely appreciate the value of some skills that fall under 'coding', some logic, thinking about breaking down problems in a rigorous way, gaining the ability to make a computer do boring stuff programmatically rather than one-by-one by hand.
However, my understanding(both in personal experience and from what I've read on the subject) is that actually-good, especially actually-really-scary-good, programmers have to be born and then polished, and that just throwing more practice at the unsuited doesn't actually improve them as much as you'd hope.
Is the theory that current education, lacking in CS, is failing to identify promising candidates? That we should be ensuring more suitable people go into CS rather than other areas that require similar talents? That the world really needs more rote-learned java monkeys to keep wages safely low?
Tell that to basically anywhere in the first world... Unfortunately, despite our best efforts, countries seem to go through a generation or two where modern sanitation and medicine have kicked in; but modern prophylaxis hasn't, which goes really badly; but once you get past that, results have been excellent the world over.
The Tor Browser is better than 'just route all traffic through Tor'; but unless you trust that your machine isn't carrying 12 strains of cyber-syphilis, you probably want a non-persistent liveCD OS if you are doing something sensitive.
Slashdot Mirror
It is quite likely that the counterfeiters(at least the ones that actually stamp 'FTDI' on their products, or represent them as FTDI parts, I'm unconvinced that a VID:PID pair is a trademarkable thing) are committing 36 flavors of trademark infringement; but that still doesn't make it obvious that FTDI can just go all vigilante justice on them(much less on random people who may or may not know they were even using counterfeit chips).
Even when something is clearly recognized as a crime, the courts tend to take a somewhat dim view of those who go and dish out some extrajudicial punishment for it (typically with exceptions for things like self defense). Even when the law specifically defines transgressions that create a private right of action, the 'action' usually involves getting to sue the target, not take matters into your own hands.
A certain amount may end up riding on the meaning of 'component' and 'that component', as well. Sure, for a basic USB -> serial dongle the FTDI chip is practically the only component, with just a couple of cheap connectors and a passive or two; but there are some fairly expensive devices that are 'USB' because the manufacturer shoved a converter IC onto the previous generation serial design.
Even if FTDI finds a court that buys their right to destroy cloned chips by vigilante action(rather than by a copyright, patent, or trademark judgement in the appropriate venue), will they find one that is sympathetic when the device ruined is some fairly expensive bit of gear sold by a third party to a customer who didn't even know a USB bridge chip was involved?
As an EE, I will think twice about designing in FTDI products from now on.
Even if you happen to think that FTDI's approach is morally justified and hilarious, it'd still be worth considering avoiding them: some counterfeits don't even bother to pretend; but there are some very, very, convincing fakes that manage to sneak into more respectable parts of the supply chain. It's bad enough that you might get slipped counterfeits that don't meet spec, worse if you might get slipped counterfeits that appear to work and then get destroyed once in the hands of your customers.
To pretend that the governing behaviors have a substantial correlation with the alleged governing philosophies is...empirically tenuous at best.
I imagine that it also helps (at least in terms of customer acceptance) that most of these RFID tags are probably replacing something that was as bad or worse. Keys are clonable, provide no record of use(much less timestamped logs of individual users) and if one gets into the wild re-keying the place is Not Fun. Magnetic stripe cards are trivially clonable; but on the same level as most RFID tags in terms of access logging and enabling/disabling access. Adequately rugged optical sensors have historically been pretty expensive, so bar codes, hand scanners, and any other biometric gimmicks are likely niche players.
I'd be pretty annoyed if some salesweasel lied to me about it; but it's unlikely that an RFID installation replaced something that was harder to clone, and it's still easier than keys, slightly more robust than mag stripe readers, and reasonably cheap per tag. In some ways that makes it even more obnoxious to harass the researchers, though.
My experience with boat maintenance is (thankfully) limited; but I do know that wood tends to shrink and swell rather cheerfully as its moisture content changes, and that larger wooden vessels tend to suffer some 'play' from the hogging and sagging induced by wave action and any changes in relative buoyancy as cargo load changes from voyage to voyage, hence the fine naval tradition of oakum, tar, and endless manual labor lest you die a watery death.
Thinking of that, the pictures of a whole bunch of curved ribs(in what look to be several varieties of wood) forming a cylinder/cone thing with loads of joints that is expected to be immersed during use, caused me to immediately start imagining assorted ominous creaking, stress fractures, and hull geometry issues that you'll have a heroic time hammering out.
Is the coating adequate to prevent that sort of thing? Are they using some carpentry-fu of the same type that holds wooden barrels and wheels together? Will it in fact be a disaster in short order?
Some vendors skip the helpful 'provide a damn bootable freeDOS image, you cheap bastards' step, which is very annoying; but it's pretty common to use DOS for firmware updates. When the vendor is feeling polite, and for more common ones, you usually get a windows executable with some dire warnings about running it as an administrator and not interrupting it; but DOS is a pretty good choice when you want an OS that isn't going to be multitasking behind your back as you scribble over some bit of firmware that will brick the device if handled indelicately.
It probably will be an amusing test of whether Apple's BIOS emulation layer is up to scratch, or whether it was written rather closely against the specific versions of Windows supported by bootcamp and the bootcamp drivers...
They had that one a while back where the drive would mysteriously decide that it had a capacity of 8MB, though that has been quashed for some time.
The tricky thing (and I'm not actually certain where they stand on this now) is that Intel's initial reputation was founded on the superior performance and reliability of the in-house controller design that they used in their x-18 and x-25, especially dramatic back when there was some utter garbage floating around (JMicron controllers, OCZ living up to their reputation) and the safe options were comparatively slow and extremely expensive.
Then, for some reason, they just sat and stagnated on that controller design for several generations, and eventually shipped a Marvell controller in order to have something with SATA 6Gb support. Since then, they've released some Sandforce based stuff, and some of their own; but it isn't as clear exactly what "Intel" on the label means anymore.
Do remember that 'women in tech' has some very vocal friends among employers of techs.
This is not to say that nobody involved is genuinely concerned; but it should be remembered that complaints about the labor market can come from either side, with the supply side generally having the numbers and the demand side generally having the influence. (And, at times, they even shift remarkably quickly: just remember how fast getting women into heavy industry became a national cause during WWII, and how fast encouraging them to keep house in the suburbs become one afterwards.)
It sounds like your post answers its own question. A burn-and-churn industry in a period of high demand has a strong need for new workers(lest the alternatives of cushier working conditions and/or higher salaries be resorted to to retain and re-attract the existing ones and the burnouts). Since the supply has skewed heavily male for some time now, there is some reason to suspect that finding a way to increase female recruitment is the best hope of locating a new source of human resources.
It's seriously difficult to understand the mindset of the organization and how they came into this. Did they even bother hiring a competent cryptographer when designing their product ? Were they duped by someone they hired and led to design a insecure product ? Or is encrypting an RFID communication a difficult and non-trivial task with no known vetted solution ?
I don't think that the problem is difficult in some fundamental way (the problem of verifying a remote host with asymmetric crypto has been reasonably well explored with SSL/TLS, and an access control system has the advantage of being able to trust only a CA it controls, and the advantage that you need to get physical access to an RFID reader pad to attempt attacks); but there are significant practical challenges.
RFID chips are pretty power constrained, since they only get whatever energy they can scavenge from the reader's RF output; and customers want them to be cheap. The industry also has fairly long product lifecycles (since, once you've put in a zillion card readers and integrated it with all your other building security stuff you don't want to rip it out and upgrade in 2 years).
It isn't so much a 'there is no known cryptographic solution to this problem' issue as a 'Why yes, we still have major customers using the 'security' provided by the lousy proprietary cryptosystem that our engineers were able to cram into a cheap, power-constrained, chip using the fab processes available in the mid to late 90s, and we really don't want to fix that' issue.
Most of the world knows that security is fleeting, and those that deepend on the law to preserve obscurity is the fleetingness of all. Do they not even consider that citizens of nations that don't give a shit about legal protections are the very people their customers need to be protected against? These companies should be paying rewards to anyone who can defeat their protections, not punishing them.
Aside from pure cultural dysfunction (of the sort that causes even some software companies to threaten the people who do free security testing for them, and even offer them time to fix bugs before releasing the proof of concept), the issue is that HID and friends are closer to locksmiths than to software companies.
RFID (and non-standardized but conceptually similar contactless short range RF fobs and slightly longer range button-cell-powered keyless entry systems) tends to be painfully computationally limited, since the tags need to be cheap and need to work on a tiny power budget. The older ones are even worse, of course, since they had less efficient silicon fabrication options to work with. For the same reason, such devices aren't usually little microcontrollers with flashable software; but mostly or entirely fixed-function implementations of crap proprietary crypto systems. Depending on when the corresponding card readers and access control stuff was installed, and what the customer picked, those parts of the system may also be hard to upgrade without ripping them out and replacing them(and, since this is a physical security issue, the readers are more likely to be embedded in walls/bolted to stuff/otherwise tied down and hardwired, so it won't just be swapping out a bunch of desktops.
Because upgrading in-software/firmware is often difficult or impossible, and upgrading involves ripping out hardware that was supposed to have years of service life, HID and friends really don't want to hear about it. They'd much rather just try to tamp down public awareness of the issue, hope that there are no high-profile breaches of customers capable of suing them, and pretend it isn't a problem until the flawed parts have aged out.
As much as it's a repulsive, dishonest, and definitely-unworthy-of-support-by-the-courts tactic, it must be admitted that plenty of known-broken lock designs continue to more-or-less do their jobs (if attackers are still forcing doors rather than just picking locks, the lock is apparently still effective) for years after their weaknesses become public knowledge, so it is entirely probable that various HID access fobs will quietly age out without any major incidents. No need to threaten the researchers about it, though.
Incidentally, while iced coffee is refreshing and invigorating, you can also get refreshing and relaxing by icing irish coffee. I don't think I've ever seen the option on a menu; but I was pleasantly surprised by the effectiveness of the experiment; and a place that offers irish coffee will usually be willing to put some over ice on request.
At this point, I'd be tempted to make any would-be astronaut pass the 'n months in standby and hard vacuum before the signal from mission control wakes you up' test, because Our Robot Overlords have gotten considerably better; but it'd be no worse, and possibly better, than the John Glenn launch a few years back.
People love to hate Apple. It's a thing. Also, is there any evidence this data is not anonymised by Apple?
'Anonymised' is mostly a weasel word. It isn't always impossible; but the more interesting the dataset is, the more likely it is that there's a clever re-identification attack with good odds of success. If you are serious about preventing those, you tend to have to nuke the data so hard that they aren't of much interest anymore.
Unless robustly demonstrated to the contrary, it's an essentially worthless claim.
If you don't trust an OS vendor, isn't using a network monitoring tool on a different host entirely, with physical access to the wire, pretty much the only way to go? If they were so motivated, the OS would basically be a rootkit with device drivers and a userspace API...
TFA specifically notes that the behavior described was observed with all visible 'privacy' settings adjusted. Presumably the story is even cheerier if those aren't switched off.
I'd go with 'no' and 'no'. Yes, the end goal is to discover the cause, the mechanism, and the effect as precisely as possible; but the universe of possibilities is absurdly gigantic, easily larger than you could ever afford to study.
So what do you do? You start by trying to cut the search space into more manageable chunks with this sort of study, which doesn't provide the level of precision you ultimately want; but can (relatively) cheaply and easily provide some leads on what is worth looking at in greater detail and what isn't.
Next up, after negative user response, ChromeOS to publish full source code and become free user-respecting software.
ChromeOS tends to ship on Tivoized hardware, which isn't exactly Gnu-Freedom; but, in terms of the software on top of the bootloader, what are the deficiencies? I know it ships a proprietary Flash, and whatever bullshit makes Netflix work; but is there anything else?
If memory serves, the tricky bit was that any evidence we had based on receipts or equivalent, either ours or those of other Good Guys, would be both embarassing and largely obsolete; since the Iran/Iraq war was not exactly a moral triumph on our part, and it long enough past that any remaining munitions would be hazmat but close to useless for military purposes. Evidence of anything more recent, though, was hampered by being almost entirely bullshit.
Hence the ha-ha-only-serious joke told during the farcical run-up to the war: "How do we know Iraq has chemical weapons? We have the receipts."
A few of you had questions about the 'work/life balance' at this company. I take it that those have been settled?
I can definitely appreciate the value of some skills that fall under 'coding', some logic, thinking about breaking down problems in a rigorous way, gaining the ability to make a computer do boring stuff programmatically rather than one-by-one by hand.
However, my understanding(both in personal experience and from what I've read on the subject) is that actually-good, especially actually-really-scary-good, programmers have to be born and then polished, and that just throwing more practice at the unsuited doesn't actually improve them as much as you'd hope.
Is the theory that current education, lacking in CS, is failing to identify promising candidates? That we should be ensuring more suitable people go into CS rather than other areas that require similar talents? That the world really needs more rote-learned java monkeys to keep wages safely low?
birth control is escapist fantasy.
Tell that to basically anywhere in the first world... Unfortunately, despite our best efforts, countries seem to go through a generation or two where modern sanitation and medicine have kicked in; but modern prophylaxis hasn't, which goes really badly; but once you get past that, results have been excellent the world over.
The Tor Browser is better than 'just route all traffic through Tor'; but unless you trust that your machine isn't carrying 12 strains of cyber-syphilis, you probably want a non-persistent liveCD OS if you are doing something sensitive.