FTDIgate 2.0?

[janoc]

Not everyone wants security over freedom... especially when it's their own computer they're being "secured" against.

I think that for Microsoft their major target are locked down corporate markets, where the "security over freedom" is a valid thing to strive for.

The home PCs laden with DRM so that Holywood doesn't get their precious blurays stolen was something relevant 10 years ago, but not with the pervasive streaming and mobile devices anymore.

[rch]

You can control the CA certs that are download to a Windows machine, you even run the process manually if you wish, so that you're totally in control of what is "trusted" via certs. See here for more info.

Of course I fully expect those that have "trust issues" to manually inspect every byte of code (including the BIOS and the CPU firmware) that runs on their precious machines.

That isn't what I meant when I spoke about trust. I meant that if a cert is issued by someone like Verizon, Symantec or Comodo, you can have some confidence that at least some checks on the identity of the person applying were done and that it is likely that whoever is showing you that certificate is who they claim they are.

If you get a cert issued by a random CA from Eastern Bananistan that nobody has heard about before, it doesn't exactly inspire confidence that the rules were followed, even if their cryptographic chain of trust traces back to one of the major CAs.

Even with said dubious sources, they have probably checked the ownership of the domain the cert. is granted for, so it does provide some reassurance against man in the middle attacks.  Granted, it doesn't say much about the virtues of the website you are communication with, just that it probably is the site you think it is.

[ve7xen]

You can control the CA certs that are download to a Windows machine, you even run the process manually if you wish, so that you're totally in control of what is "trusted" via certs. See here for more info.

Of course I fully expect those that have "trust issues" to manually inspect every byte of code (including the BIOS and the CPU firmware) that runs on their precious machines.

Correct me if I'm wrong, but I don't think this applies to driver signing keys.

[timb]

You can control the CA certs that are download to a Windows machine, you even run the process manually if you wish, so that you're totally in control of what is "trusted" via certs. See here for more info.

Of course I fully expect those that have "trust issues" to manually inspect every byte of code (including the BIOS and the CPU firmware) that runs on their precious machines.

That isn't what I meant when I spoke about trust. I meant that if a cert is issued by someone like Verizon, Symantec or Comodo, you can have some confidence that at least some checks on the identity of the person applying were done and that it is likely that whoever is showing you that certificate is who they claim they are.

If you get a cert issued by a random CA from Eastern Bananistan that nobody has heard about before, it doesn't exactly inspire confidence that the rules were followed, even if their cryptographic chain of trust traces back to one of the major CAs.

Let's Encrypt is propagating its own root, but in the mean time their Authority cert is cross signed by IdenTrust, which is a major root known by all browsers.

As for "trust" well, in the old days when you paid hundreds of dollars for an SSL cert, they "verified" you by phone. It was automated, too. You'd get a call asking to state your full name and company (if applicable) which was recorded and (I assume) stored for the duration of the cert's validity. This was how VeriSign did it 10 years ago. That was literally all there was to it.

Now, Let's Encrypt uses the ACME protocol to actually verify you have control of the domain in question. You run the Let's Encrypt client *on your server* which uses Apache or DNS to perform a challenge response with *their server* for verification. Then the cert is issued.

That seems like much more verification than a 5 second automated phone call from VeriSign, to me. (Seriously, the $$$ SSL certs of old were mostly smoke and mirrors. I ran a big web hosting company from 2002 to 2008, so I know alllll about it.)

[gmb42]

You can control the CA certs that are download to a Windows machine, you even run the process manually if you wish, so that you're totally in control of what is "trusted" via certs. See here for more info.

Of course I fully expect those that have "trust issues" to manually inspect every byte of code (including the BIOS and the CPU firmware) that runs on their precious machines.

Correct me if I'm wrong, but I don't think this applies to driver signing keys.

I believe it does.  If you disable auto downloads and manually control CA trust certs, then you can control (all but MS) driver certs as well.  They still go through the same trust process as say website TLS certs.  For boot drivers I believe the situation is slightly different as the kernel boot process doesn't have access to the trusted cert store so relies on the MS CVR cross cert and the integrity checks of the digital signature.  In my mind this is slightly weaker hence the move to EV certs and attestation signing for boot drivers for Win 10.

[justanothercanuck]

methinks ftdi isn't the only company with this problem...

http://webcache.googleusercontent.com/search?q=cache:TYC9IThct9YJ:store.steampowered.com/hwsurvey/processormfg/%3Fsort%3Dname+&cd=1&hl=en&ct=clnk&gl=ca
http://valid.x86.fr/top-cpu/47656e75696e65496f74656c2050726f636573736f72

i've seen cpu-z shots of the "authentid" amd chips as well, but sadly my google-fu is failing.  i also had to use google cache for the steam listings because the amd chips seem to be slipping out of circulation.

[f4eru]

Yep, true. Other companies also alienate their (future ex) customers

[MSO]

So FTDI who has lost millions of dollars in lost sales are suppose to keep losing more millions of dollars in lost sales so the guys who stole from them can continue to have eager customers?

Yeah, a lot of us were screwed over by the scammers too, just as FTDI was.  FTDI will never get their lost sales back, but they can prevent future lost sales.  They are more than right to do so, they have an obligation to do so in my opinion.  Their shareholders and employees deserve an honest shot at making a future for themselves.

Those of us who bought products containing counterfeit chips ought to return those products to have the chips replaced or demand a working driver instead.  There's going to be plenty of cases where sending the device back is uneconomical or the vender is unresponsive. In such situations, we'll need to buy and replace the counterfeit chips ourselves or replace the offending product.

Insisting that FTDI make us whole by continuing to lose additional sales just doesn't make sense. It's as if you've been stolen from once so you should continue to be stolen from so nobody else has to be victimized.

[c4757p]

You seem to be under the impression that because someone did something bad to you, you automatically get to do whatever you like in retaliation - that you no longer have an obligation to remain ethical. Shit I hope you don't vote.

You also didn't read the thread, as that point has been made and addressed multiple times by now.

[nctnico]

Very recently I visited a company which has proprietary USB-UART cables made so their customers can connect to their products with the right connector, protection, etc. They used FTDI in the past but since they got a batch which didn't work due to fake chips they are now moving to a different brand USB-UART chip. They simply don't want to deal with / waste their energy on the fall-out of a mud fight between FTDI and creators of functional equivalents. Since Windows 10 has drivers for most USB-UART chips build in (finally after almost 2 decades) there is no advantage of using FTDI compared to most other popular chips anyway.

[Koen]

nctnico > What is the name of this company ?

[nctnico]

nctnico > What is the name of this company ?

I can't divulge that information but I didn't start the conversation about the FTDI chip; they where just asking me what to use instead.

[Koen]

Of course you can't.

[timb]

Of course you can't.

I wouldn't give out my customer's names on a public forum, either.

[c4757p]

Indeed, you can hardly judge someone for not naming someone in public with whom he has/had a business relation. That could end very poorly.

[MSO]

You seem to be under the impression that because someone did something bad to you, you automatically get to do whatever you like in retaliation - that you no longer have an obligation to remain ethical. Shit I hope you don't vote.

You also didn't read the thread, as that point has been made and addressed multiple times by now.

I've read the majority of this thread (most of which is sickening) and repeatedly found people who did not buy FTDI products complaining that FTDI owes them something for nothing. FTDI has no ethical or moral responsibility to support those who have not purchased their products or services. If you want FTDI to do something for you, pay for it.

The vendors from whom the defective products were purchased are responsible for the products that no longer work, not FTDI.  It is those vendors who have harmed us and FTDI. It is those vendors who have been paid to provide the products and services that we all seek and it is they who have failed to deliver said products and services and it is they who have the ethical and moral responsibility to correct their failures.

[c4757p]

What does any of that drivel have to do with whether FTDI's response was ethical? Yes, counterfeiters are doing a bad thing. That doesn't make any response to it inherently acceptable. FTDI isn't just 'not supporting' counterfeit chips, they're actively trying to prevent them from working.

I'm not even saying that what they did was unethical. I'm just saying that your argument doesn't do anything to prove it's ethical. It adds absolutely nothing to the conversation.

[technix]

Well long have I switched over to CH340G - even selling my CH340-based adapter here: https://www.tindie.com/products/maxtch/fused-usb-to-uart-adapter-33v-and-5v-m1801v4/

[MSO]

What does any of that drivel have to do with whether FTDI's response was ethical? Yes, counterfeiters are doing a bad thing. That doesn't make any response to it inherently acceptable. FTDI isn't just 'not supporting' counterfeit chips, they're actively trying to prevent them from working.

I'm not even saying that what they did was unethical. I'm just saying that your argument doesn't do anything to prove it's ethical. It adds absolutely nothing to the conversation.

So if I were to list my old beater on Craig's list and then meet the guy at Walmart's parking lot where he pays me cash for the car. I take the cash to the bank and the bank tells me the cash is counterfeit, that they won't credit my account and then calls the BATF who takes the counterfeit cash to hold as evidence. I'm out my old beater and there isn't too much I can do about it unless the counterfeiter can be apprehended and somehow get my beater back from him.  I can't hold the bank responsible for the counterfeit money.

FTDI did in the first instance make a mistake. They bricked the counterfeit devices.  They made an about face on that decision and stopped bricking the counterfeit chips.  In the present case however, they did not brick any devices, they simply refused to service them, just like the bank with my counterfeit cash.  The only difference is that FTDI carried most of us for several years at their own expense; the bank would never do that and we would never expect that they would.

Your position seems to be that FTDI should continue to support the counterfeit chips while I think they are doing the ethical thing by not supporting them.  Those knockoff chips still work fine, they just won't work with FTDI drivers. The technology in those fake chips was stolen from FTDI and then used to reduce FTDI's profits by undercutting FTDI's pricing.  FTDI actions to bring these thieves to heel is the only ethical action they can take. Yes, FTDI helps themselves financially, but they also help the entire industry to the extent they can inhibit the profits that can be made through the theft of Intellectual Property and counterfeiting.

[technix]

What does any of that drivel have to do with whether FTDI's response was ethical? Yes, counterfeiters are doing a bad thing. That doesn't make any response to it inherently acceptable. FTDI isn't just 'not supporting' counterfeit chips, they're actively trying to prevent them from working.

I'm not even saying that what they did was unethical. I'm just saying that your argument doesn't do anything to prove it's ethical. It adds absolutely nothing to the conversation.

So if I were to list my old beater on Craig's list and then meet the guy at Walmart's parking lot where he pays me cash for the car. I take the cash to the bank and the bank tells me the cash is counterfeit, that they won't credit my account and then calls the BATF who takes the counterfeit cash to hold as evidence. I'm out my old beater and there isn't too much I can do about it unless the counterfeiter can be apprehended and somehow get my beater back from him.  I can't hold the bank responsible for the counterfeit money.

FTDI did in the first instance make a mistake. They bricked the counterfeit devices.  They made an about face on that decision and stopped bricking the counterfeit chips.  In the present case however, they did not brick any devices, they simply refused to service them, just like the bank with my counterfeit cash.  The only difference is that FTDI carried most of us for several years at their own expense; the bank would never do that and we would never expect that they would.

Your position seems to be that FTDI should continue to support the counterfeit chips while I think they are doing the ethical thing by not supporting them.  Those knockoff chips still work fine, they just won't work with FTDI drivers. The technology in those fake chips was stolen from FTDI and then used to reduce FTDI's profits by undercutting FTDI's pricing.  FTDI actions to bring these thieves to heel is the only ethical action they can take. Yes, FTDI helps themselves financially, but they also help the entire industry to the extent they can inhibit the profits that can be made through the theft of Intellectual Property and counterfeiting.

Now you hijack end users' equipment. End users are usually unsuspecting and they will find their equipment suddenly stopped working, causing a surge of complaints and RMA to the manufacturers of their equipment (who is the actual customers of FTDI.)

[Karel]

FTDI isn't just 'not supporting' counterfeit chips, they're actively trying to prevent them from working.

Nothing wrong with that. People shouldn't use counterfeit chips. As soon as they discover that their device stops working,
blame the seller of the device. Not FTDI.

[Karel]

You also didn't read the thread, as that point has been made and addressed multiple times by now.

"It has been addressed" in many ways based on different opinions of different people.
Pick one you like. There's no consensus.

[Karel]

FTDI did in the first instance make a mistake. They bricked the counterfeit devices.

Nothing wrong with that. It's illegal to use/sell or import counterfeit products.
Blame the seller. Not FTDI.

[Karel]

Now you hijack end users' equipment. End users are usually unsuspecting and they will find their equipment suddenly stopped working, causing a surge of complaints and RMA to the manufacturers of their equipment (who is the actual customers of FTDI.)

No, they are not the actual customers of FTDI. They are the actual customers of counterfeit chips.

[nctnico]

FTDI isn't just 'not supporting' counterfeit chips, they're actively trying to prevent them from working.

Nothing wrong with that. People shouldn't use counterfeit chips. As soon as they discover that their device stops working,
blame the seller of the device. Not FTDI.

And yet that is not happening. People can keep yabbering on about managing their supply lines, complaining to suppliers, etc but the fact is that is taking extra effort one way or another so companies are going for non-FTDI chips because it is easier and thus cheaper for them. It is all about the economics of doing business. Companies don't care whether FTDI is right or wrong; they just want to order a bunch of USB-UART cables from their supplier in China and be done with it. These kind of cables are usually not their core business anyway so less hassle it better.