Things Just Got Worse For Quad Cortex

  • Published: 8 Sep 2024

Comments • 551

  • @cancelbubble6535 1 year ago +265

    Best way to secure your personal information in cases like these is not being able to afford the unit.

    • @stallionstudios 1 year ago +7

      So best thing to do is become woke so you're broke? 😂

    • @albertplaysguitar 1 year ago +2

      Way ahead of you 😂

    • @kcussrebutuemos4815 1 year ago +1

      Every time you get on your cell phone you’re giving out info. Facebook, Instagram, TikTok and more, plus random websites.

    • @kurdtjohn 1 year ago

      Marked safe.

    • @Joe-mz6dc 1 year ago

      Except in this day and age not being able to afford something doesn't stop people. That's what credit cards are for. That is the new heroin.

  • @stephencoakley 1 year ago +154

    So glad that security vulnerabilities in *guitar pedals* is a thing we have to worry about now...

    • @gerrykavanagh 1 year ago +8

      Guitar pedals, lightbulbs, fridges...

    • @JohnvanCapel 1 year ago +13

      Fun fact, there's *pacemakers* that have been hacked.
      Almost all modern pacemakers/defibrillators "phone home" to the hospital that installed them, for the purpose of monitoring that the device is still functioning properly and notifying the patient if something isn't quite right anymore (or, in the case of a defibrillator, logging when it activates so both the hospital and the patient can track when the device acts to keep them alive).
      At some point in 2017, a hacker found out that he could "intercept" the data being sent out and access both the sensitive medical data and the current GPS coordinates of the device.
      Potentially even worse was a specific pacemaker (which was very swiftly recalled) that you could remotely deactivate or cause to send test-shocks, thereby potentially causing a heart-attack in the patient, via a specially crafted SMS.

    • @brianjones8432 1 year ago +5

      In most all other cases you don't, as other companies weren't colossally dumb enough to store that information directly on their device. And then to add insult to injury by giving said device WiFi capability and the ability to phone home to the company. And the icing on the shit cake that Neural DSP baked? They didn't encrypt a stitch of it....... Nah, this isn't a digital vs. analogue issue, this isn't a guitar pedal issue, this is a Neural DSP issue.

    • @Scott__C 1 year ago

      Yeah, create a separate Wifi network for Internet of Things devices (which this would fall under). And make real passwords for your wifi, not your address, birthdays, etc.

    • @stephencoakley 1 year ago

      @@Scott__C I think you missed my point. Yeah, take precautions with IoT devices. But you know what's even easier? A guitar pedal that doesn't support any kind of network access at all. Instead of defending against the attack vector, eliminate it entirely. I guarantee you that I am 100% rock-solid safe from attacks via a Boss CH-1...

  • @dave5655 1 year ago +215

    Apple and other computer companies actually have a bounty system for people that find this kind of issue and fix it ASAP. For Neural DSP to ignore it is REALLY REALLY bad.

    • @castleanthrax1833 1 year ago +11

      That's actually a very sound business practice. Providing a monetary incentive for people to act "honestly."

    • @DaveAksteter 1 year ago

      @@castleanthrax1833 They're not ignoring it?

    • @castleanthrax1833 1 year ago +2

      @@DaveAksteter I'm not really sure what it is that you're asking me.

    • @kcussrebutuemos4815 1 year ago +1

      They did not ignore it. You’re joking if you think you’re not giving out your info every time you’re on your computer or cell. Every website is a challenge and risk. Wake up. Neural gave out emails, big deal.

    • @castleanthrax1833 1 year ago +12

      @Kcussrebutuemos You're joking if you think that not encrypting the information contained in these systems is anything other than lacklustre and shoddy.

  • @JohnnyMrHattersmith 1 year ago +52

    12AX7s don't hold your credit card information. Just saying.

  • @joseramirez2310 1 year ago +97

    Getting your identity stolen by a guitar amp is crazy 😂

    • @stallionstudios 1 year ago

      Lolz

    • @bonaqua123 1 year ago +6

      lol, soon you'll have to debate and convince them to start working. If it's having a bad day, you're out of luck my dude.

    • @Utube-g3g 1 year ago

      Your cell does it every day. It’s not an amp. It was weeks ago. Fixed. Nothing happened. Like what T-Mobile did to us, giving out our Social Security number to thieves, every single one of us. That means someone can steal our identity; that’s a big deal. You have to do a lot to protect your identity after that happens, it takes days. This was nothing. Nothing happened. Yes, they should’ve encrypted your email and Wi-Fi password, so if somebody comes in to your house to ask for your Wi-Fi password, tell them no. Every single time you go on the cell phone you’re giving out information about yourself. TikTok has been removed already from one state in the US; you are giving your information to China. There are thieves all over your cell phone in every website and app; you can look up which apps to stay off of. My dude.

  • @MothmanCold 1 year ago +13

    My late 90s tube amp just guessed my mother's maiden name and first pet…

  • @jeddak 1 year ago +13

    You know what problems I don't have with my analog equipment? Security vulnerabilities. LOL.

    • @brianjones8432 1 year ago +5

      You know what problems I don't have with my Fractal equipment? Security vulnerabilities. And I don't have to lug around a boat anchor. :)

    • @shekador 1 year ago +5

      @@brianjones8432 are you sure? as someone who works in tech, everything digital is doing shady stuff and vulnerabilities ALWAYS exist, they just haven't been discovered.

    • @AtomicMeatballGuitar 1 year ago +2

      @@shekador If you don't have to use wifi or connect an account, how much shady stuff can be done though?

    • @shekador 1 year ago

      @@AtomicMeatballGuitar good point, but what about firmware updates?

  • @ryansta 1 year ago +41

    Near enough every company demands a wealth of personal information before having the grace to allow you to use (under license) the software you've paid for. We've been so enamoured by technology and what it can offer, we have rolled over and given in to these demands just to get our hands upon it. Even something like losing a phone, which would have been a sickener at any time, now could have massive implications. The only way of effecting change would be a point blank refusal to play the game as such until this system changes, but unfortunately this will never happen.
    Another interesting article KDH thanks.

  • @ValSchnitzel 1 year ago +135

    I'm going to stick to analog gear, I don't need this headache.

    • @cellarcatband 1 year ago +26

      No headache with Line 6 Helix over here😅

    • @jerrymartinez2160 1 year ago +10

      Analog stomp boxes are superior and are not tacky

    • @martyshwaartz971 1 year ago +8

      @@jerrymartinez2160 idk man some of those paint jobs are super gaudy

    • @justinvzu01 1 year ago +26

      You already have this headache. Every free service on the internet takes your data, and there are constant leaks. You're never safe.

    • @Paul-D 1 year ago +5

      I hear you man. There's always someone to say what about servicing/repair headaches over the years, but that's just called looking after your kit. You don't mind that over software hassle, computers, things becoming outdated and devalued by newer versions etc.

  • @mr.sassycat1522 1 year ago +142

    I'm a Computer Science student right now, and while I haven't learned how to encrypt data yet, I'm legit terrified. I've been using their plugins now for years, and have told a lot of good things about them to my friends. Hearing that they didn't encrypt their data sends major red flags. It legitimately could cost them my future business because they choose to not encrypt their data. This is literally Cybersecurity 101.

    • @deadasfak 1 year ago +29

      Network security operator here: You don't have to encrypt ALL your data, but goddamn you should store your data securely. That does include ENCRYPTING YOUR OWN FUCKING PASSWORD or finding another way to send info to your servers.

    • @kennylongnose4001 1 year ago

      Maybe Neural DSP thinks their device is not of interest to hackers and the like, and plan to fix that when they do the bulk of the QC work?

    • @Timbo6669 1 year ago +3

      @@kennylongnose4001 Talk about treading water.

    • @brianjones8432 1 year ago +4

      @@kennylongnose4001 Then that would almost be worse. You're talking about passwords (that should absolutely be encrypted) to multiple user accounts and official company accounts. And that's been available to a hacker on a whim since 2021. That's just an insane level of incompetence and lack of care for your customer.

    • @TheHockey991 1 year ago +3

      @kennylongnose4001 Keeping Customer data safe should be their #1 priority. They shouldn't purposely not fix the issue because maybe "hackers won't be interested".

  • @ShreddingFinn 1 year ago +17

    Back in olden times, we used to worry about a preamp tube going out, now we worry about a digital processor leaking our personal information.

  • @yardy88 1 year ago +8

    As someone in charge of managing vulnerabilities and exploits in a commercial setting this is always terrifying.

  • @ZelosPhotizo 1 year ago +66

    Upvote this, let it get around.
    Trust is earned. Neural DSP has unearned it before they were able to earn it. Nice work! One less company's products I'll pay any attention to.

    • @neildeakin4454 1 year ago +8

      So you're going to ignore a great product despite the fact the issue is fixed? Something tells me you own a rival product and just want to have a good dig like Apple fan girls slag off Android phones.

    • @guitarsoupify 1 year ago

      @@neildeakin4454 Nice fan fiction, loser

    • @jamesnorton7601 1 year ago

      @@neildeakin4454 it wasn't an accident. Stealing people's data is what scumbags do these days. I'm sure they got funding to build the product by the endorsers. Neural is a new company, track records matter. And I guarantee it was intentional.

    • @shawn9366 1 year ago +3

      I'm sure they are absolutely shaking

    • @Tury1799 1 year ago

      With that mentality don’t use any tech that’s out in the world. Literally every major company and below have been hacked and have had your information exposed.

  • @Ben-dm8fi 1 year ago +14

    I was so excited to go get the QC. I have been debating that or the helix for the longest time. Good thing I saw this because now it’s not even a decision anymore

    • @kcussrebutuemos4815 1 year ago +7

      Yes get the crappy helix it’s awful. Over a WiFi password that may that’s Jay have gotten out. They can’t do anything with it. But TikTok has your info and every other app you’ve been on.

    • @algorithm007ify 1 year ago +1

      Get Kemper...liquid profiling is coming!

  • @f0rth3l0v30fchr15t 1 year ago +50

    So, what you're telling me is that my valve amps are way more secure than digital modellers.

    • @MrBurakOzel 1 year ago +4

      no, only than quadcortex

    • @f0rth3l0v30fchr15t 1 year ago +6

      @@MrBurakOzel Go on, then. Hack into my DSL100.

    • @castleanthrax1833 1 year ago +2

      If you tell me where you live, I'll bring around an axe and hack into anything you like.😮

    • @brianjones8432 1 year ago +2

      @@f0rth3l0v30fchr15t Hack into my Fractal...... Good luck, there's no user data stored there. As I've said many times in other threads here, this is a Neural DSP design problem, not a tube vs. digital problem.

    • @f0rth3l0v30fchr15t 1 year ago

      @@brianjones8432 Just because there's no user data doesn't mean it can't be hacked. Just means the only reason to do it is spite.

  • @LucasLeCompteMusic 1 year ago +101

    This is inexcusable. Security is a must in this digital age. Places spend millions hardening their systems these days. You are correct though. The Hacks could have been so much worse. I wonder if someone was hacked, and for example lost money from their bank account, and it was tracked back to NDSP if they would be liable for it being that they knew MONTHS ago. They should have issued a hot fix for it the second they knew about it.

    • @charlesrocks 1 year ago +6

      Absolutely nothing in the digital realm is secure.

    • @charlesrocks 1 year ago +1

      Also…good to see you active on YT Lucas!

    • @sole__doubt 1 year ago

      @@charlesrocks thank you.

    • @robinr22 1 year ago +3

      As breaches go, this is pretty minor - it's names, email addresses and WiFi passwords. Yes, shouldn't happen but it's nothing like as scary as being portrayed nor does it pose a real threat. Access to my WiFi does not grant access to my bank account, no matter how sophisticated the hacker. My email address contains my name and has already been leaked in hundreds of other leaks. I get many phishing emails a day.
      Shouldn't happen but it's a total nothing burger.

    • @kcussrebutuemos4815 1 year ago +2

      @@robinr22 exactly. Bigger breaches. But kdh gets views. I wish he’d try the quad.

  • @higler. 1 year ago +4

    LMAO just more reason for me to stick with my old 5150 and Peavey Bandit. Keep chasing that dragon, kids.

    • @chiefpotpipe 1 year ago +1

      Bandits kick ass!

    • @higler. 1 year ago

      @@chiefpotpipe Yeah they do! Really underrated clean tone that is a great pedal platform, and the overdrive channel is also really good. Plus, they're loud as fuck lol

  • @M_Sandstrom 1 year ago +11

    Oof I think this qualifies as a pretty serious GDPR violation, considering they were notified months ago and didn't release a report until now. I wonder if the EU will come for them on that front

    • @teakilla6642 1 year ago

      I am afraid, EU is too busy with bigger players and GDPR violations of wider ranges, affecting millions of customers, not just some thousands.
      So, NDSP may feel relaxed about this (for now) but their reputation as vendor and technology driver is in free fall and those who work for this company (potentially) may face issues as well in future if these try to apply for jobs of companies who take more care about security and privacy of end customers.
      A technically experienced recruiter could use this easily for interesting questions.
      This is serious and nobody can hide behind a policy of an (ex-)employer.

  • @xdarkale 1 year ago +5

    Good thing I don't have to worry about security breaches with my 6534+.

  • @Joe-mz6dc 1 year ago +7

    I've been working in IT for 30 years and this is disgustingly bad technology. They should be ashamed of themselves.

  • @agustinfernandez5115 1 year ago +5

    remember about the TSA 'no fly' list was leaked after being found on unsecured airline server?
    one would hope they would audit security

  • @geezberry8889 1 year ago +7

    "Neural DSP is committed to providing the most safe and secure experience for our customers, we implement state of the art clear text technologies to ensure user data is ubiquitous to the outside world"

  • @shorerocks 1 year ago +7

    I am a development lead for 2 software teams for an international telecommunications company. We often get complaints about the effort we make, yep, even to make 'things' secure. What I hear here is just unprofessional. Or naive. Or a mixture of both. Then again, stupid things do happen. So... I hope someone over there wakes up.

  • @denniskielton2447 4 months ago +1

    I heard about a company that got hacked and lost millions, by using a wifi connected coffee machine. ANYTHING with wifi, that doesn't have anti virus software, IS a backdoor. If Neural is guilty so are MANY companies. Printers are notoriously easy to use as a backdoor because they're now about ALL connected to wifi. Maybe Neural is not taking it very seriously, and they SHOULD, but from the very start of getting one I thought "oh, this has wifi, I should keep this unconnected because I'm sure it has no anti virus software, and remember the coffee machine incident." Basic internet security. My question now, is: When you tether your QC to the internet using your computer instead of wifi, is it still vulnerable? Or is it safe because it's coming through your computer with antivirus software? And when are they finally going to put anti virus software in place? That I would like to know.

  • @rottingcorpse6002 1 year ago +2

    I used this information to access Dave Mustaine's quad cortex. It snarled at me, then kicked my ass.

  • @machine-madedog5059 1 year ago +7

    This is why I've predominantly returned to amps and analog equipment, I foresaw this being an issue 10-15 years ago when modeling units began to have early forms of internet connectivity. Also, the stack of useless units in my closet due to device power issues, software issues, awful dated tones, irreparable damage.. the amount of money I spent on that gear for the return it gave me is pretty depressing. My amps and pedals? I plug them in and play, and they sound the same as they did twenty years ago.

  • @northernlefty5412 1 year ago +5

    Tried the QC for a year and a half. Finally sold it and went back to Fractal and the Axe fx III. No regrets. Sound quality destroys the QC and it's so much better supported.

  • @devinsinderwitcz9134 11 months ago +2

    Just another reason I'm glad I chose the Helix Floor!

  • @DavidNwokoye 1 year ago +68

    I'm pretty sure this is a huge breach of GDPR, they could be in some trouble for this

    • @Kynos1 1 year ago +17

      They will be, fines for GDPR breaches are huge.

    • @auntjenifer7774 1 year ago +1

      😂who will hold them accountable !?

    • @Kynos1 1 year ago +28

      @@auntjenifer7774 The EU, since it's EU law. Since they do business in the EU, they have to abide by EU law.

    • @iwillspam5985 1 year ago +6

      @@Kynos1 the eu is super strict with this shit too

    • @hchoe741 1 year ago +3

      @PugnaciousBadger so the EU will hold court in EU according to EU laws in a jury of ppl from the EU because neural dsp operates within the EU?

  • @ScreaminT81 1 year ago +15

    Holy hell. This is absolutely inexcusable for a company like that. Thank you for this info and update Kallen.

    • @kcussrebutuemos4815 1 year ago +1

      He’s about 2? weeks late and he knows it’s not a big deal. Change your WiFi password, if that. It was fixed weeks ago and he’s just finding out about it now, but doesn’t mention any other breaches that are done on the daily on every app you go on. Like TikTok, today it was banned in Wyoming. Facebook has done this and other apps. I’m not gonna keep repeating myself. You have to give him more information out than you realize; every time you go on some random website you’re risking giving out your information. They already have a lot of your info. T-Mobile has already given out all our Social Security numbers to somebody who gave them out to the dark web. Do you know what we had to go through with that, was freezing credit, etc. Wake up. Geez.

  • @mrscourtneyward 1 year ago

    “Public Pressure” 😂😂😂 f’IN Hell.

  • @stephenkelly2548 1 year ago +5

    That is a monumental fuck up. I’m going to stay clear of all neural dsp products and plugins for good. The attitude of that company is something else. They have some neck.

  • @hyperbolekid 1 year ago +3

    Man, this sucks!! Neural DSP has to boot someone over this. Basic 101 security protocols ignored. Wow

  • @DragDealer 1 year ago +5

    Can’t believe people throw money at companies like this 😂 😅 🤷🏻‍♂️👍🏻

  • @MichaelBruceTaos 1 year ago +5

    Just get a Kemper. 10 years later still getting awesome updates.

    • @KingKong-mp6gj 1 year ago +2

      Yeah like getting basic features like USB audio, awesome!

    • @Wagoo 1 year ago +2

      @@KingKong-mp6gj USB audio isn't really a basic feature. In the synth world the vast majority of synths do not support audio over USB still

    • @MichaelBruceTaos 1 year ago

      @@KingKong-mp6gj That is for home users not pros.. just saying.

    • @algorithm007ify 1 year ago +1

      @@KingKong-mp6gj liquid profiling is coming, you ape!

  • @TarnishedViking. 1 year ago +3

    Get them, KDH!🤘

  • @bradconklin2878 1 year ago +1

    That's why I use a Princeton.

  • @SakariKempas 1 year ago +3

    Not starting to tackle this issue when first notified about it is like letting a crack in the dam get bigger and bigger until you see some water leaking through it. Wtf Neural.

  • @IanOPadrick 1 year ago +8

    Everything that connects to the internet is a new security risk

    • @gerrykavanagh 1 year ago

      The sooner organisations adopt this policy the better. It's not a matter of 'if you get hacked', but 'when you get hacked'. Having a solid mitigation policy for this eventuality is basically mandatory.

  • @RezqRabbitVT 1 year ago +8

    This is why I'm happy I switched from plugins to good ol tube amps

    • @huntergalloway3944 1 year ago +3

      My Marshalls or Peaveys never gave out my information, am I missing out?

  • @DE-GEN-ART 11 months ago

    Every week I get mail from every service I've used in the past 15 years that "my data may be at risk" from a security breach.

  • @crazyturkturk1733 1 year ago +3

    I don’t know much about tech, but even I know all information should be encrypted. Can’t believe a company did this.

  • @weschilton 1 year ago +5

    Boy I sure do worry that Marshall and Fender never put into place any encryption on my vintage tube amps! What am I gonna do????

    • @brianjones8432 1 year ago +4

      Or had they been smart, like say Fractal did with their products, they just wouldn't store that information on the unit. This isn't a tube vs. digital thing, it's a design issue.

    • @jonniegibbins 1 year ago +1

      Turn them off. Wait for 10 seconds then turn them on again while putting one finger in your right ear and singing "The Star Spangled Banner". This will reset the chipset and ensure that your data is properly secured.
      This is for the Fender obviously. For the Marshall you need to put a finger in your LEFT ear and sing "God Save the King"

    • @brianjones8432 1 year ago

      @@jonniegibbins Or 'God Save my Tubes'...... Either might work. :)

  • @landonbailey 1 year ago +2

    I just had a leak before watching this video

  • @florisvanlingen 1 year ago +11

    These days most organisations have a responsible disclosure policy in place. This means that hackers/scriptkiddies can formally report any vulnerability they find and often get rewarded for it. The fact that Neural hasn't shown the slightest bit of appreciation for these hackers that tried to help them (for free) is concerning.

  • @guitarsimon1 1 year ago +16

    Absolutely insane they basically said publicly “We only fixed it because we had to”

    • @castleanthrax1833 1 year ago +3

      Check-list:-
      1. Is our customers' information secure? Y/N
      2. Does anybody know about it? Y/N
      3. If anybody knows about it, can we get in trouble. Y/N
      If the answers are "No," ...

  • @TaylorDanley 1 year ago +1

    Bueller? Bueller? Love it. 😂

  • @aadithnarayanan3880 1 year ago +2

    A good preamp pedal, an eq pedal and a Seymour Duncan powerstage. Minimal, lightweight and versatile analogue travel rig.

  • @bondical 1 year ago +1

    Makes me happy that I saved a grand and picked up an FM3 instead of the QC

  • @5urg3x 1 year ago +2

    Hard coded gmail password?! Lmao! Who the hell did they hire as developers for this thing?

  • @bigmike2149 1 year ago +1

    My Mesa Boogie doesn’t have this problem. 🤣👌

  • @jannik19191 1 year ago +28

    Sounds like the customer's wifi passwords were always sent to Neural DSP when they sent a crash log? That alone is a HUGE privacy issue. Even if that data had never been accessible by anyone outside of Neural DSP, the company should not collect customer data as sensible as this. Also having an email password hard-coded and basically accessible by anyone...
    Seems like they didn't have the slightest clue about security best practices and just chose to ignore that.

    • @auntjenifer7774 1 year ago +2

      Or they just collect everything like everyone else !?

  • @ericajohnson7535 1 year ago +1

    "the cloud"... screw the cloud!! If you can, leave everything on physical storage!

  • @alexh3153 1 year ago +5

    My tube amp will never sell me out 🤷🏻‍♂️

  • @Mattseak 1 year ago +2

    Jeesus F christ.... Thanks KDH for this video! I'll be sure to think twice before buying any more Neural products.

  • @brianjones8432 1 year ago +14

    This is just crazy. Who the hell doesn't encrypt that kind of data?? Sensitive user data or connection creds from the company itself?? That's programming 101 to secure that stuff. Between this and all the other issues why would anyone still own one of these things. The company is literally screaming "I could care less about your privacy or features" at this point. Again, so happy I'm not a Quad Cortex owner. Never had any issues like this with Fractal.

    • @pigbenis274 1 year ago +2

      Do you work as a programmer? Companies are completely reckless with security and user data, they don't care until they get bad PR from a leak. I would have hoped that a smaller company like Neural DSP would have been better though.

    • @jannik19191 1 year ago +7

      @@pigbenis274 This isn't rocket science, they blatantly ignored some pretty basic security and privacy measures.

    • @brianjones8432 1 year ago +4

      @@pigbenis274 No, I've worked in support of large teams of programmers. I'm on the server support and NOC security side. And from what I can tell it's amateur hour at Neural DSP. Saying "all companies do this" tells me you just don't know what you're talking about. Anyone who left security breaches this basic open on any job I've been involved with would be crucified. This is some of the most basic security you provide in software (securing email connections, ODBC connections, private user data). Every stitch of that should be encrypted. This also tells me it got past their QC, which means not only was their source coding team ridiculously stupid, management for their entire programming division and product development were idiots as well. These are rookie mistakes.

    • @stallionstudios 1 year ago +1

      Amateurs

    • @brianjones8432 1 year ago +1

      @@stallionstudios Yep, pretty much. I mean it's just bad design anyway. They didn't have to ever have the unit contact Neural at all. Nor did they need to use WIFI. Fractal just connects to the computer for the editor and firmware and stores no user data at all. Can't speak to Kemper and others but I would suspect it's the same. This is just complete incompetence in design of the damn thing.🙄

  • @Thrashmetalman 1 year ago +1

    Also as a dev for systems that handle very secure data my guess is management said “why do we care about security?!”

  • @bulletsforteeth5029 1 year ago +17

    No unauthorized recording of network passwords should be allowed whatsoever, where the hell do they get off? The fact they didn't even ask is a direct invasion of privacy and security protocols.

    • @ericvandruten 1 year ago +3

      they can't. Because it's a password.
      Most likely the user was asked to enter it, as to enable the Quad Cortex to connect to the laptop editor via wifi. Just like the average home printer, or IOT device.
      in other words: it's common.

    • @JeffreyRutland 1 year ago +10

      @@ericvandruten sure, it’s common to require that information to operate; we all entered our wifi passwords into our phones to connect.
      but to ship that information in a crash report without consent? and to not bother encrypting sensitive user data upon receipt? it’s mind boggling.

    • @ericvandruten 1 year ago +4

      @@JeffreyRutland - missed that one; that's ludicrous!

    • @bulletsforteeth5029 1 year ago

      @@ericvandruten Ah, I hear ya.

    • @bulletsforteeth5029 1 year ago

      @@JeffreyRutland Just goes to show it's up to the customer to protect themselves. It's a good thing there are watch dogs like KDF and white hat hackers looking out for us. Unsung heroes indeed.

  • @QuincyJamesMusic 1 year ago +10

    Makes me wonder if owning one of their plugins exposes users in this same way. Makes me want to uninstall everything I own from them.

    • @castleanthrax1833 1 year ago +3

      Maybe there's someone "out there" that's trying to find the answer to your query right now? I hope their intentions are on the altruistic side.

    • @kcussrebutuemos4815 1 year ago +2

      Your TikTok? Your other apps? You’re concerned about the wrong thing.

    • @brianjones8432 1 year ago +3

      @@kcussrebutuemos4815 That excuse doesn't work. This was a design flaw from the jump. The data never needed to be on the device at all. And this went through design, development, and two years of production before they even addressed it (even after repeated warnings). Most software companies are wise enough to know that if you don't address an issue like this immediately your reputation is in the toilet, and most software companies also tend to hire programmers who are well aware of the most basic rules of writing code. This was a violation of even the most basic software design practices. User data, secure connections such as email or ODBC connection, or any data going from the unit to the company at all should absolutely be encrypted. This would be the equivalent of YouTube or Facebook not employing HTTPS. Or better yet, storing your passwords in plain text on their servers and handing hackers a backdoor to their network. You just don't do it.🙄

  • @jamanjeval
    @jamanjeval 1 year ago +1

    Neural DSP is acting like they really can’t be bothered and want people to buy a ToneX.

  • @joristimmermans5058
    @joristimmermans5058 1 year ago +1

    The longer this goes on, the more I'm convinced Neural DSP is basically just a bunch of cargo cult programmers and terribly ineffectual management, in constant panic/rush mode. And as someone said below: the GDPR implications of this are going to bite Neural DSP VERY hard, GDPR is 100% unforgiving. That's a 10 million euro fine minimum.

  • @MonkeyButt5000
    @MonkeyButt5000 1 year ago +1

    Oh no, the Chinese are going to get my Blues Jr. settings.

    • @Utube-g3g
      @Utube-g3g 1 year ago

      No but they do have everything about you through TikTok.

  • @davidburke2132
    @davidburke2132 1 year ago +5

    How’s about doing everything possible to deeply evaluate your attitude and priorities with respect to customer data security? Seems like that’s where you need to start rather than with your systems and the Quad Cortex itself. Get your attitude right and you’re more likely to get your systems right 🤷🏼‍♂️

  • @handicappedhoods
    @handicappedhoods 1 year ago +6

    Man, this unit hasn’t had a good slog of it has it? First it had a delayed launch which limited its market share considerably, overpromised features at launch that still haven’t been implemented and the features that are there have their abilities exceeded by competitors, a price only the affluent can part with and now a major security breach which had the potential for massive fraud and even identity theft. GG, that’s just impressive.

    • @handicappedhoods
      @handicappedhoods 1 year ago

      Considering all of these security flaws, it’s a wonder no one can crack the DRM on Neural’s software. They have that stuff on lock (good) but somehow QC was borked? I’m really glad I waited a year or so before I pulled the trigger on a multi.

    • @bassyey
      @bassyey 1 year ago

      @@handicappedhoods What? Lots of pirated stuff out there. I do own Imperial MKII and Cory Wong archetype. But they can easily be cracked.

  • @SlyRyFry
    @SlyRyFry 1 year ago +7

    I'd be mad if this didn't happen with literally every company that's ever had access to my data. Definitely something they need to never have happen again, but I'm not surprised it took more public pressure for them to actually get to it. Truly unfortunate but still the best out on the market right now

    • @PaulLembo
      @PaulLembo 1 year ago

      This doesn't happen with every other company that has access to your data. That's a made up idea to make this not seem so bad. This is both lazy and shoddy work.

    • @SlyRyFry
      @SlyRyFry 1 year ago

      @@PaulLembo I mean it happens with a VAST majority of them, much bigger companies than you'd expect too. Denying so is just odd. It's 100% lazy and shoddy but nothing that surprises me one bit considering how small they are in comparison to companies that still have similar issues. I think it being locked behind the skill gap of mainly being used by skilled musicians and the paywall of $1800+ saved everyone from getting their identity stolen out of this by some "bad hacker"

  • @pieflies
    @pieflies 1 year ago +5

    They’ve been displaying incompetence in their delivery of this product for a long time now. I’m not confident enough in their competence to believe they could properly investigate a security incident.

  • @sillyness3456
    @sillyness3456 1 year ago +5

    Good, that I never bought into the hype... I always found the marketing for the QC and the entire product premise fishy.

    • @Wagoo
      @Wagoo 1 year ago +3

      Same thing going on with Tone-X right now, shilling and hype everywhere

    • @sillyness3456
      @sillyness3456 1 year ago +1

      @@Wagoo Yes. Tonex advertisement gets grating at this point. However, Tonex delivers what it promises and has no Wi-Fi…

  • @roybuis7646
    @roybuis7646 1 year ago +2

    Nice, I'm gonna buy a Fractal!

  • @mattrgee
    @mattrgee 1 year ago +7

    Sounds to me like they changed the password for the Gmail account! Problem solved! Presumably, version 2.0.2 contains the updated password?

    • @davep5698
      @davep5698 1 year ago

      We should find out soon. I can only imagine these are being torn apart now. I mean as far as high value targets go, professional recording studios would be up there.

  • @yahua9716
    @yahua9716 11 months ago

    always amazed by how well-researched and clearly presented your videos are

  • @stallionstudios
    @stallionstudios 1 year ago +1

    I was considering buying this unit. Nope this turned me off. Kemper it is. Thanks for reporting this.

  • @barrysnook4017
    @barrysnook4017 1 year ago +1

    Ugh not surprised, if they spent as much time on actual things like this rather than moderating their social media posts I guess this wouldn’t happen. Try and post on their Facebook group about a genuine question and it never gets approved 🤷‍♂️

  • @Jayteaseepiirturi
    @Jayteaseepiirturi 1 year ago

    I'm starting to look at my old Boss GT-8 very fondly right about now.

  • @seinmstudio
    @seinmstudio 1 year ago +3

    Neural's company bank account PIN is probably 1234.

  • @JP-is9sc
    @JP-is9sc 1 year ago +1

    this is the reason I'm not spending 2k on an unfinished product

  • @Paajanenae
    @Paajanenae 1 year ago +10

    Not to mention that the patch they used to fix this issue (2.0.2) contained a bug that deleted the preset you were working on if you altered the preset name 😅😂

    • @richardharrold9736
      @richardharrold9736 1 year ago +1

      Oh GREAT!

    • @Utube-g3g
      @Utube-g3g 1 year ago +3

      It’s fixed. Didn’t you get a notification? Why not post that?

  • @georgecaplan11
    @georgecaplan11 1 year ago +3

    Another reason to keep using physical amps and effects pedals.

  • @gregnott7157
    @gregnott7157 1 year ago +1

    Sooo glad I went Fractal

  • @ThePuffGD
    @ThePuffGD 1 year ago +3

    Remember when digital gear was supposed to be more convenient than analog?
    Yeah I'd say they're even now

  • @gerrykavanagh
    @gerrykavanagh 1 year ago +1

    Thanks for the report. Security professional here. I can see lots of things NeuralDSP have done wrong here which if done correctly could have eliminated or at least mitigated this problem. If a security researcher does a responsible disclosure of a vulnerability, you are getting their expertise basically for free, why discount or ignore it? Additionally having personally identifiable information, and secrets in log files... log files that are sent to the mother-ship... without disclosing to customers?? That's bananas bad practice, and illegal in the EU. For a small company like NeuralDSP, the fallout from this could be the end for them.

    • @Utube-g3g
      @Utube-g3g 1 year ago

      But they didn’t ignore it we were notified and given an update and it was fixed. Your email wasn’t encrypted it’s giving out daily every time you go online on every app and every website and your Wi-Fi password may have been seen so change it. Meanwhile let’s go through this again it’s your Social Security number that’s dangerous if it’s given out like what T-Mobile did to us. It creates stolen identity. That’s not what happened here. I’m not a fan boy I never even heard of Neural before I bought a quad. And I am all for tube amps and pedals. But this was fixed weeks ago and as I’ve said now 100 times TikTok was banned in Wyoming that’s pretty bad it’s owned by China and they’re getting a lot of information every time you use it and you keep using it. So are they dealing with stupid people that work there or stupid people that buy stuff?

  • @bradleyard4195
    @bradleyard4195 1 year ago +2

    Am I the only person looking at all of their analog gear and smiling?

  • @rangle187
    @rangle187 1 year ago +1

    My Soldano tube amp has never released any of my personal info... Never!

    • @terrybanks5063
      @terrybanks5063 1 year ago

      watch out for the next episode of black mirror 😛

  • @ericfritts5994
    @ericfritts5994 1 year ago +1

    Peak KDH is pointing out problems in the industry. His journalistic style and integrity are top tier.

  • @CrazyBiscuit
    @CrazyBiscuit 1 year ago +2

    Neural DSP are more afraid of your investigation video than the Cyber Attack itself, 😂

  • @matthewearl9824
    @matthewearl9824 1 year ago +1

    They should have publicly thanked the hackers.

  • @CarcPazu
    @CarcPazu 1 year ago +1

    Neural DSP seems like a money-grubbing company that doesn't care about its users. Lots of promises and not much delivery. They're basically a marketing company now repackaging the same tech over and over and spinning it to their customer with a different artist's name on top of it.

  • @jonkerr2050
    @jonkerr2050 1 year ago +1

    My Marshall tube amp never tried to hack me 😉😆

  • @NedJeffery
    @NedJeffery 1 year ago +1

    Why the hell is any of this information in a guitar pedal that can't even connect to a computer yet?

  • @telecarlster
    @telecarlster 1 year ago +1

    Since the Sony PSN breach this kind of negligence is unacceptable. Neural needs to get their stuff together.

  • @Candyman_Young
    @Candyman_Young 1 year ago +1

    Glad I went Fractal..

  • @blindjusticeandcommonsense2786
    @blindjusticeandcommonsense2786 1 year ago +1

    Neural DSP? Dog Sh... Pedal.

  • @B.V.Luminous
    @B.V.Luminous 1 year ago

    Well, time for full acoustic only.

  • @yaminub
    @yaminub 1 year ago +4

    Good video. I wonder how many people are going to continue to not buy a quad cortex after all the good things they've done

    • @Utube-g3g
      @Utube-g3g 1 year ago

      It’s not anything bigger than anytime you go on any website. It could be a bad website that takes every bit of info off your cell. TikTok for example. Facebook, Instagram, WhatsApp. Etc. If you’re that worried change your Wi-Fi, that’s it. T-Mobile gave out our social security number to god knows who. It was a giant breach. It’s all over the dark web. Can’t sue them for their stupidity or we would have. Had to freeze credit and put fraud alerts on everything. That was an issue. This wasn’t. And T-Mobile’s issue is forever.

  • @alexdoyleguitar
    @alexdoyleguitar 1 year ago +5

    I sold my QC a few fews back and haven't looked back. Stuff like this just makes me more sure it was the correct path. Now just to flog most of their plugins....I was a victim of marketing lol

  • @tommykavounidis
    @tommykavounidis 1 year ago +1

    Well done, I appreciate you calling companies out on their B.S

  • @allanflippin2453
    @allanflippin2453 1 year ago +5

    KDH,
    Nothing about this inspires confidence in Neural's knowledge of the hacks and of methods to prevent them. Just another quick patch, bro! :D It will not be the last security problem they have.

  • @raymondforbes4295
    @raymondforbes4295 1 year ago +3

    Excellent reporting, one of your best. I think, for the most part you really captured the heart of the issue. I am perhaps a bit more charitable with Neural than you. I have been doing computer security for a lot of years and I have seen this kind of thing over and over. Bad security is far more common than good security. I would really like to see Neural come out with specifics on what they are going to do to prevent this in the future. They definitely need to rebuild trust.

    • @brianjones8432
      @brianjones8432 1 year ago +7

      I work in the same field, and it's pretty rare to see this level of incompetence. Not even encrypting personal user data on the device (programming 101)? That means it went through an entire dev team, their management, and mind you this is through an entire design and production cycle, and no one caught this or thought it was important on the device? And to make it worse, it's been out in the world completely unaddressed for 2 years even after the company has been explicitly warned. That's just clown world stupidity across the board and companywide.

    • @raymondforbes4295
      @raymondforbes4295 1 year ago +4

      @@brianjones8432 you think this is bad you should see what I have found in medical devices. ;-)

    • @brianjones8432
      @brianjones8432 1 year ago +1

      @@raymondforbes4295 Oh I know, I've visited my share of NOCs in my time and seen horrendous practices, but this is a bit different. This went through its entire development cycle (years) and they didn't even design with the security in mind, much less catch that mistake somewhere along the way. Hilarious part being that it's flat out bad design anyway. Why would you have the unit store this information at all? Why would you use WiFi as your chosen connection method rather than BT or USB for the editor and firmware updates? The unit shouldn't ever have to contact Neural DSP. Just crazy stuff man.

    • @raymondforbes4295
      @raymondforbes4295 1 year ago +2

      @@brianjones8432 I mean, they had the password for their Gmail account just plain text on the device. heh. It is pretty clear there is nobody there really thinking about security. I did mail them a couple years ago asking if they were going to open up a position focusing on security. I never got a response back.

    • @Utube-g3g
      @Utube-g3g 1 year ago +1

      This is very common and at least they’re being honest as to what happened and they fixed the problem weeks ago and again for the third time and by the way this is going on with you all the time you just don’t know it why do you think they just removed TikTok in one of the states in the US? T-Mobile gave out our Social Security number there was a giant breach. I didn’t hear this much about it as I did about the quad cortex which was not a really horrible thing change your Wi-Fi password if you’re that concerned. Meanwhile, we had to freeze our credit we had to put fraud alerts out we have to check every month to see what’s going on. Giving out a social security number by a company as big as T-Mobile. Where’s the anger for them?!! I was infuriated with T-Mobile you don’t think that they would know better they’re a huge company. This is going on all the time every time you take a chance and go on some random website it could happen. Yes they should’ve known better well now they do. I still don’t think anything was stolen from them. I already had a talk with them. I think they feel pretty confident that things are OK update their latest update which you should’ve got another notification. There were 2. One fixed that security issue and one fixed another simple issue.

  • @garettoverstreet
    @garettoverstreet 1 year ago

    I have been saying that this type of breach could and would happen for three plus years to one of these companies!!!
    I even contacted them and it fell on deaf ears.
    I even approached a tech investor to create a product to prevent this problem from happening!
    BTW, all these companies with rig sharing forums, what would happen if these executable files contained malware or malicious code and it gets into your computer or “rig” manager, will antivirus software prevent it from infecting your computer or worse yet your digital amplifier?😢

  • @DogdaySunrise
    @DogdaySunrise 1 year ago +3

    Wait...They used `curl -k` to load a firmware? The flag that says `INSECURE` in the curl manual? With a paragraph `WARNING: using this option makes the transfer insecure.`. I don't even know where to begin...m(

    • @Wagoo
      @Wagoo 1 year ago +1

      This is a different aspect though, and unrelated to customer data leaking here. This would help you trick the QC into loading a custom firmware from your own server, which would enable the whole OpenCortex thing to happen (homebrew is arguably a good thing..)
      But of course in theory if you were in control of the network the QC was connected to, then you could potentially serve it a malicious firmware that does stuff like prompt for credit card details on screen and other random crap

    • @DogdaySunrise
      @DogdaySunrise 1 year ago +1

      @@Wagoo Yeah, I think it's a pretty good indicator where NeuralDSP should be ranked on the security and/or privacy landscape.

    • @rdoursenaud
      @rdoursenaud 1 year ago +3

      The real sin here is to use subprocess to spawn curl out of Python when Python is perfectly capable of natively handling HTTP downloads, monitor them, recover from errors… If they knew what they were doing, they wouldn't need such a kludge to mitigate TLS certificate issues that can sometimes pop up (incorrect date/time on the device, device with outdated certificates…). Also: signing firmwares, anyone?
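The thread above contrasts `curl -k` with a native, verified download in Python. The following is an added example, not Neural DSP's code and not posted by any commenter: a firmware fetch that keeps certificate verification on, reports clock or CA problems instead of disabling TLS checks, and installs the image only if its SHA-256 matches. The function names, the URL and the idea that the expected digest comes from a separately authenticated (ideally signed) manifest are assumptions.

```python
import hashlib
import os
import ssl
import tempfile
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# OpenSSL verify codes 9 (not yet valid) and 10 (expired): often a wrong device clock.
CLOCK_RELATED = {9, 10}

def tls_context():
    """Verified TLS, the opposite of `curl -k`: CERT_REQUIRED plus hostname check."""
    return ssl.create_default_context()

def explain_tls_failure(exc):
    """Map a verification failure to an operator action; never fall back to insecure."""
    if getattr(exc, "verify_code", None) in CLOCK_RELATED:
        return "certificate dates rejected: fix the device clock, then retry"
    return "certificate not trusted: update the CA bundle or investigate the network"

def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def install_if_matches(tmp_path, dest_path, expected_sha256):
    """Move the image into place only when its digest matches the manifest value."""
    if sha256_file(tmp_path) != expected_sha256.lower():
        os.unlink(tmp_path)
        raise ValueError("firmware digest mismatch, image discarded")
    os.replace(tmp_path, dest_path)
    return dest_path

def fetch_firmware(url, dest_path, expected_sha256, timeout=30):
    # expected_sha256 is assumed to come from an authenticated manifest (assumption).
    if urlsplit(url).scheme != "https":
        raise ValueError("firmware URL must use https")
    dest_dir = os.path.dirname(os.path.abspath(dest_path))
    fd, tmp_path = tempfile.mkstemp(dir=dest_dir)
    try:
        with os.fdopen(fd, "wb") as out, urllib.request.urlopen(
                url, timeout=timeout, context=tls_context()) as resp:
            if urlsplit(resp.geturl()).scheme != "https":
                raise ValueError("redirected away from https")
            for chunk in iter(lambda: resp.read(65536), b""):
                out.write(chunk)
    except Exception as err:
        os.unlink(tmp_path)  # never leave a partial image behind
        reason = getattr(err, "reason", err)
        if isinstance(reason, ssl.SSLCertVerificationError):
            raise RuntimeError(explain_tls_failure(reason)) from err
        raise
    return install_if_matches(tmp_path, dest_path, expected_sha256)
```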

  • @carlhardwickofficial
    @carlhardwickofficial 1 year ago +2

    LMAO at the QC fanboys saying this was a "Kemper Killer", yada yada yada. Neural dug their own grave. Others have jumped ship to the Tonex...and Kemper is still getting updates and new features.