Meh, you are making it worse than it is. Shit I've seen worse at major defense contractors and the stories I could tell.
Possibly, but they've just compromised their own email server. Think about that, and then what concerns there might be in putting this scope on an engineering network in a large corporation or university.
These scopes connect to external web servers via http (not https, so no encryption and no way to validate the certificate to ensure there isn't a MITM attack), and then write downloaded data to the filesystem. I wouldn't be surprised if there was a serious vulnerability there that allowed malicious code to be injected and run on the scope, and not just via the firmware update process.
Is it bad? Yes.
But does it mean they shouldn't be writing networking code or embedded applications? Hah
The fact that a lot worse happens elsewhere doesn't minimise how bad this is.
Of course... if it wasn't for these same developers this thread wouldn't exist at all. And Rigol would be selling a lot less of their latest scopes.
Why are you concerned about it being a vulnerability?
It's a feature. The literal design of the download mechanism is download via http and just applying the gel file. And uh, you can see we can generate our own gel files by hand pretty easily.
So you could inject the malicious code yourself if you wanted to via a MITM easily over http.
But uh, I'll take my $1k scope that's worth far more since being patched and sit in the corner hugging it.
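As an added illustration of the mitigation the posts above argue for (this is not Rigol's code nor anything from the thread), here is a hardened update path in Python: refuse plaintext HTTP sources, verify the image against a digest pinned before the download, and only then write it to the filesystem. The sample image, its digest and the hostnames are constructed.

```python
import hashlib
import hmac
import os
import tempfile
from urllib.parse import urlparse

# Constructed sample update image and its pinned digest (not a real gel file).
SAMPLE_IMAGE = b"CONSTRUCTED-UPDATE-IMAGE v1.0 " + bytes(range(64))
PINNED_SHA256 = hashlib.sha256(SAMPLE_IMAGE).hexdigest()

def check_update_url(url: str) -> bool:
    # Plaintext http:// gives no certificate to validate, so an on-path party
    # could substitute the image; accept HTTPS origins only.
    parsed = urlparse(url)
    return parsed.scheme == "https" and bool(parsed.netloc)

def verify_image(image: bytes, expected_sha256: str) -> bool:
    # Compare against a digest known before the download (pinned in the
    # device or delivered under a vendor signature), in constant time.
    actual = hashlib.sha256(image).hexdigest()
    return hmac.compare_digest(actual, expected_sha256.lower())

def stage_update(image: bytes, expected_sha256: str, dest_path: str) -> bool:
    # Touch the filesystem only after the integrity check passes; write to a
    # temp file and rename atomically so a rejected image never lands at dest.
    if not verify_image(image, expected_sha256):
        return False
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(dest_path)))
    with os.fdopen(fd, "wb") as f:
        f.write(image)
    os.replace(tmp, dest_path)
    return True

def run_demo() -> dict:
    # Run the checks on constructed inputs; the tampered copy has one byte flipped.
    tampered = SAMPLE_IMAGE[:-1] + b"\x00"
    with tempfile.TemporaryDirectory() as d:
        dest = os.path.join(d, "update.img")
        good = stage_update(SAMPLE_IMAGE, PINNED_SHA256, dest)
        bad = stage_update(tampered, PINNED_SHA256, dest + ".rejected")
        return {
            "http_rejected": not check_update_url("http://updates.example.invalid/fw.gel"),
            "https_accepted": check_update_url("https://updates.example.invalid/fw.gel"),
            "good_image_staged": good and os.path.getsize(dest) == len(SAMPLE_IMAGE),
            "tampered_image_staged": bad,
            "tampered_file_exists": os.path.exists(dest + ".rejected"),
        }
```

The digest here stands in for whatever out-of-band trust anchor the vendor ships; the point is that nothing fetched over the network is written until it has been checked.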
I still like relative comparisons. Why?
Because I've seen so much shit in different industries that everything is fucking terrible to the point you can't escape it, there are just different levels of terrible. You can only work to compartmentalize your network and security to minimize damage when shit goes wrong. Shit, even my home network is running 5 VLANs with 2 dedicated just for IoT devices.
So I rank the scopes with some poor security decisions as less than, say, the backdoored Cisco hardware those large corps or universities are most likely running.