it's 2023, so how about a security vuln in a guitar processor? (I know, I know, it's not a "guitar processor", they call it a "modeller". Anyway.)

ping @GossiTheDog
https://neuraldsp.com/news/statement-regarding-a-quad-cortex-security-vulnerability

Statement regarding a Quad Cortex security vulnerability

@stomilin @GossiTheDog very bait and switch, i expected an actual hardware attack lol

@Rairii @GossiTheDog

yep! after (not so) carefully reading the article for the second time, I think most likely their "technical" mailbox was compromised because it had an easy-to-brute-force/weak password (or they don't use encryption), and now they are rolling out the firmware update just to change the mailbox's password. (at first I thought some "researcher" discovered the password in the firmware, but, well, I guess I was wrong)

@stomilin @Rairii @GossiTheDog hm, but why would they have to roll out an update to the device to change that password?

Agree it’s a good announcement, but I can’t come up with any explanation for requiring the firmware update beyond “wait, they did WHAT”.

(also, using mail for this and not an API endpoint is clever and terrible all at once)

@mendel @Rairii @GossiTheDog
their gmail mailbox was pwned by some computer-savvy Quad Cortex enjoyer. I've just found a more or less informative YouTube video about it, here are a couple of screenshots (hope we won't get DMCAed)

(link to the video: https://youtu.be/7NOSJc9_C2g, "Things Got Worse For Quad Cortex" on YouTube)
@stomilin @Rairii @GossiTheDog ahahaha, I figured there was a password in there. Brutal.
@stomilin @GossiTheDog Ooof: "Quad Cortex also records the names and passwords of all the WiFi networks it has connected to since the last factory reset. Unfortunately this data was not encrypted. "
@stomilin @GossiTheDog That's not a cheap piece of hardware either. If I dropped nearly $2k for one of these, I wouldn't be too happy to find out how fast and loose they were playing with basic security.
@stomilin @GossiTheDog Nah, Guitar Processor is totally valid. Source: I’m a firmware engineer on a guitar processor/modeler and we’ve gotten no end of laughter at NDSP’s expense over this (and a number of other failings).

@stomilin @GossiTheDog I am absolutely not an expert in communicating breaches, but this seems to be an example of a straightforward listing of all the things that happened, including saying "and here we did something we really shouldn't have".

If this is indeed the case, I for one salute them. This probably took some guts to publish.

@stomilin @GossiTheDog in my opinion, this posting is a much better and more comprehensive statement on what happened, who is affected, and what was done to mitigate this than many huge companies put out.
They also seem to have informed all affected users, this is really good handling of the non-technical side of the incident!