To have something pulled from a website, YouTube, eBay, etc. all one needs to do is to send some sort of DMCA form. The website then must remove the offending post (video, product listing etc.).
So how come FTDI is not already doing that and it's working as you suggest?
If what you say is actually how it works then they have no problem.
I believe Gordon is suggesting taking advantage of this mechanism to have counterfeit chips removed from websites offering them for sale.
Precisely. The method doesn't require compliance from the infringer, or involvement from the courts. All it takes is a valid takedown notice to the ISP, site, or service where the infringing products are available through. Notices can be escalated to the Web host, even to the registrar level. Counter-claims are uncommon, so the products remain delisted. What's not shown for sale doesn't sell.
If a counter-claim is made, the product goes back up, but they must reveal true personal information about themselves that can be verified. If the information is shown to be not true, the site will then delist permanently, likely -- as a precaution -- also removing everything else by that seller.
But don't call this "my" method. Tens of thousands of products worldwide are handled this way every day, even outside the US (though other countries have DMCA-like laws, too). It does require FTDI to know which products are infringing, but I'm sure they have much of that already. Well, for one thing, USB-to-serial devices on eBay for $1.50 purportedly using FTDI chips are almost always going to be counterfeits (exceptions can occur). It doesn't cost much to find out, and as many sellers there are simply reselling the same boards, it's easy enough to do a sweep and stop them all.
So FTDI never had a problem in the first place. If this system you describe is working.
All they had to do was issue these "take down" notices and get the vendors' devices carrying bogus names and logos taken off line. End of story.
Um, no. Unless the clone passes back a copyrightable string (this is for some imaginary new product they've done), proving copyright violation is more difficult. Plus, a clone maker, relying on FTDI drivers rather than creating their own, could very well devise a non-infringing chip, trademark notwithstanding. There's nothing stopping them. What FTDI would like to curtail is using their driver with other USB-serial chips.
If a company wants to make their chips use all the features of the new-and-improved-whizbang FTDI Windows drivers that are automatically downloaded from Microsoft, they will have to risk putting the text string into their product.
Remember: FTDI already has a demonstrated method of their driver detecting when a product is a fake. (Though they've tipped their hand so they'll need to come up with something else.) Their new Windows drivers could provide all the features to genuine FTDI product, regardless of whether there's a return string or not. That makes it backwards compatible. For fake product, they can do what they want, as long as it doesn't alter someone's hardware. If the fake product passes back the string, they now have strong ammunition to stop it from being sold.
None of this is an original concept. Your printer likely already does something similar with replacement toner or ink cartridges.
You're talking trademark. The "C" in DMCA is for copyright. You cannot send a DMCA notice for an alleged trademark infringement. For trademark, you have to send a C&D to the infringer, which is often ignored if they are on foreign soil. Trademark doesn't have the same safe harbor takedown mechanisms. When everything else fails, there's always going to court. Such cases almost always end in a summary judgment in your favor, because the other side simply doesn't show up. The court order can then be used with eBay, Alibaba, and others from listing the product, as well as having it pass through customs. In any case, it can be expensive.
And this is one of the really great things about open code. It helps resolve artificial value issues, among other things.
This is likely to happen now.
FTDI clearly added value. I'm good with paying them for that. However, I'm not good with these means or methods, nor am I always good with entities going right to legal means.
Court is about the only other alternative.
One of the options FTDI has is to continue to sell that value, and treating people right is a part of that sale, which they do not currently understand. Had they done that, this would play out very, very differently.
And I'm in a niche right now that is absolutely flooded with clones. Cheapo things from Asia. Branding, service, and the overall value sale keeps the product moving very, very nicely. Doing this stuff is worth a lot.
And for bonus points, when it's done well, the legal means do not generate the negatives in anywhere near the same degree.
Why did they feel the need to brick the systems of otherwise honest and well meaning customers?
Oh well. These guys are attending class at the school of hard knocks right now. Perhaps the bell will ring for them.
They felt the need, due to one or more of the following being true:
1. Failure to understand user dynamics, etc... as I've mentioned here a couple of times
2. Legal means being expensive, ineffective, or poorly understood (which strongly favors #1, which is cheap)
3. Punitive. Attention getting, which also can be done with #1, and with far fewer negative consequences.
4. Error. Perhaps one engineer or a group decided to act.
None of this is to say they should tolerate the goings on, nor that they don't have motivation to act. They do, and if I were them, I would. But... they really could have gotten some consulting prior to just acting.
The big damage is this: How do I know they won't make another gaffe like this?
I don't. So I'm now hoping this all gets opened up, because I need to trust my tech, not worry over it.
Oh dear, we are getting way off topic here but I have to say this DMCA thing is just evil.
As far as I understand the DMCA, which is not much but, it seems to allow for:
1) Perhaps I post something, totally original, that is then issued with a take down notice and hence removed from wherever I put it. Now I am effectively guilty until I prove otherwise. This is totally opposite to the idea of "innocent until proved guilty" that has taken us humans a long time to arrive at. Not only that I have to give up my privacy and go through a lot of hassle to prove I'm innocent.
This has happened.
2) Perhaps I figure out how to copy things like DVDs despite their lame attempts at copy prevention. Or perhaps I figure out how to use some hardware I have bought in ways its creators do not like. Despite their lame attempts at locking me out of my own property.
Now I'm guilty of "circumventing protection" devices or whatever they call it.
This has happened.
Do correct me if I am wrong with any of this.
Back on topic....
Never mind any potential, future, crypto scheme. FTDI took the law into their own hands and attempted to cause users' systems to fail. This is not acceptable.
Not only that they subverted Microsoft's update process to mount their attack. This is not acceptable.
It's a bit worse IMHO. The most stark impact of the DMCA is the preventing of sharing how to do things. If you, yourself circumvent, great! Early on, this was discussed with DECSS, which was classified as "a device", to which Professor Felten and team proceeded to sing it, put it on T-shirts, embody in poetry, and do all manner of things to convey it's speech, not "a device."
During that time, I was watching DVD movies on Linux that I bought, on a drive I bought, on a computer I bought, each individually legal in every way. But I had to get that code from somebody and compile it, tell my DVD player software, Ogle at the time, where it was, and according to the legal interpretations in effect at the time, commit a crime to watch a movie. Not OK.
Ogle would skip "mandatory" previews and just display the movie. Spiffy! That's what I paid for.
It may even be legal where you are too. Norway is one nation where it currently is. In Norway, you get three bites at the apple in the courts. After the third loss, it's law for all time. The various trade industries have lost twice there and are yet to bring a third challenge.
So if I do it somewhere it's legal to do, and I would submit having that legality is valid in plenty of cases, particularly the playing of a DVD, on a drive legally purchased on Linux type of case, and share that, the DMCA allows somebody not even in my jurisdiction to frown on that, cause me grief, impact to reputation, and all manner of other things, just because they don't like the result.
In general, it puts a lot of otherwise valid reverse engineering at risk too. And I'll be quite frank: I see reverse engineering as a clear motivator to continue to add value, not just lock in and rent seek technically. The DMCA isn't a very good tool in this respect, though it works well in others.
More debate, and using proper language as I've advocated for here before, is clearly needed.
Regarding these:
FTDI took the law into their own hands and attempted to cause users' systems to fail. This is not acceptable.
Not only that they subverted Microsoft's update process to mount their attack. This is not acceptable.
Absolutely agreed. Open it. Put this whole thing to rest. I don't have the time for it. I do have the time to hear their case, should they present it to me, and I have the time to do them a solid too. Nobody wants to struggle in business, and I'm up for helping them out, doing my part, etc...
But to operate under the assumption that I and anybody really, is collateral damage is completely unacceptable and should carry consequences. Also put very bluntly, I no longer trust them and do not consider them responsible in business.
They can change that, but they need to do the work to change that now.
Oh dear, we are getting way off topic here but I have to say this DMCA thing is just evil.
Like anything it can be, and is, abused.
For other aspects of my professional life, it has caused far more harm than good, due to unclear language in parts of it -- and no, I won't expand on that, as I've already talked about it in other threads. But in this case, it's a way it can be proactively used that's better than disabling someone's property.
As a BTW, filing false DMCA takedowns carries with it severe penalties, including potential federal prison sentences, as filing one requires to swear under oath. Some people are stupid and send them before verifying, but it's not as common as it may seem. A counter-claim can quickly restore the work, at which point it becomes a matter for the courts, like it always has. The onus to find guilt is on the alleging party, just as it always is. So your description of the worst case, while dire sounding, isn't in the least. That part of the law they got right.
And the interface should be common, the CDC, so no special drivers are ever needed in an OS.
Now, you could probably argue that the CDC abstraction is not sufficient in some way. I would be glad to hear in which ways.
I think the wrinkles here, are the CDC (or HID) do not support the classic "Open com" - that is where the VCP (Virtual Com Port) drivers come in - if you want legacy software to open any virtual COM port, something is needed between the OS and user, that senses a USB attach, and adds a virtual COM ready for any generic COM usage.
HID allows you to avoid custom drivers, but now you replace that with custom calls & rewrite of legacy code (and I think buy into issues on any hardware where real COM ports still physically exist... Like all my PCs here)
Of course, you could argue the OS should include such tested and proven functionality, but it seems few (none?) do.
Of course, you could argue the OS should include such tested and proven functionality, but it seems few (none?) do.
Yes, I do argue that. And of course proper operating systems do...
Today I was hunting around the lab and plugging every USB/serial dongle I could find into my PC. Using the detect_ftdi_clone.py script to see if we had any fakes around.
Sadly I did not find any fakes but I did discover that we have some no name USB/Serial dongles that show up as "Prolific" devices and use the bog standard USB CDC drivers of the Linux operating system.
They show up as /dev/ttyUSB0 and have been working as well as anything else for years now.
Which leads me to wonder why do people insist on FTDI? What is the advantage there?
I would like to take this opportunity to update you all regarding our position on the matter and correct some of the misconceptions that have arisen as a result.
Although in certain parts of the media it has been implied that there was some form of counterfeit detection algorithm in FTDI’s latest driver, this is in fact absolutely untrue. There was no mechanism of that description in place and hence no flagging up of a counterfeit device ever occurred. Exactly the same commands and sequence are sent to a genuine chip as to a counterfeit chip. Some counterfeit devices simply failed to handle certain commands correctly (again something that shows their lack of suitability for use in serious electronic system design) and they simply end up quarantining themselves out of harm’s way.
FTDI has shown itself to be very proactive in combatting the issue of counterfeiting and will continue to be vigilant.
I'm not sure we should proceed with this debate. There are 106 pages of debate about it on the eevblog and the arguments just get sillier and sillier.
But whilst we are here: Re. the FTDI statement:
It is true that there was no counterfeit detection in that driver.
It is true that there was not any flagging of counterfeit devices.
It is true that the same commands were sent to genuine or counterfeit devices.
However all that is irrelevant. What they did was to add code to the driver that sent out commands that were in no way required for the device and driver to work together. The commands were crafted in such a way that they had no effect on the real chips but changed the VID of the fake chips. With a VID of zero the fake chips would no longer be recognized as FTDI devices and stop working. Meanwhile those redundant commands failed to change the VID on FTDI devices and hence they continued to work.
Few people can imagine that this was not done on purpose after seeing the code. The commands in question are redundant and would stop things working if the FTDI device acted on them correctly. It's very cunning.
One could argue that the fake chips were superior in this respect. They correctly changed their VID when told to. The FTDI chips did not!
It's kind of staggering that FTDI could get this killer code onto people's machines via the Microsoft update path. Who knows what other malware comes through that pipe?
They did what they did. Now it's trying to salvage their reputation. The driver they are working on now is the one they should have introduced first. But I am sure it all came down to money in the beginning, now it is about reputation.
Yes, it is about their reputation at this point. Unfortunately, they have a steep uphill battle to climb. They are on record as posting in certain forums defending the action of their new driver, indicating that if not a deliberate design feature, it was a flaw that soon became known to them. And yet they delayed by more than a reasonable time removing the updated driver from the Microsoft channel. From a product liability standpoint, there is no way they can swim away from this shark.
A "detection algorithm" was indeed part of the update. The software could (or should have) become aware that the device was not genuine FTDI when the commands to change the VID passed. This could be (or should have been) easily determined in software, and therefore it was a detection algorithm. To avoid liability issues, their software should have changed the VID back again -- this is proven to be possible -- and a message displayed to the user that the update failed due to product incompatibility.
They do use the term "counterfeit" in a suspicious manner. A "counterfeit" has a specific meaning under the law, and it could be argued that their driver could not tell the difference between a counterfeit and a non-infringing product that performs the same USB-to-serial function. It's these non-counterfeit chips that represent the biggest issue for the company. By the wording of their notice, they fail to mention the potential damage done to those. So far from helping their reputation or legal defense, they've made it worse by conspicuously ignoring a group of non-infringing products that were known to be affected.
No, there is no "detection algorithm" in their code.
What they did was cleverer than that. They send exactly the same commands to any device. They do not check if those commands worked correctly or not. So they have no idea what is on the end of the line. Fake or not.
But, it turns out the way the commands are crafted the fake devices change their VID correctly but the FTDI devices do not.
On top of that the commands to change the VID would also disable FTDI devices. If FTDI devices responded to them correctly that is.
They can quite rightly state that their driver treats all devices equally. No detection going on. Whilst at the same time knowing that fakes get bricked.
There is no other reason for that code to be in their driver so the motivation is clear.
The way I see it, it is quite possible that the fakes are actually cheaper and better devices!
What is all this nonsense about the EULA and such. That driver update came from Microsoft's update as far as any user is concerned.
Not that I am defending those that put other companies trademarks on their products and try to palm themselves off as coming from that company. Far from it.
... no name USB/Serial dongles that show up as "Prolific" devices and use the bog standard USB CDC drivers of the Linux operating system.
They show up as /dev/ttyUSB0 and have been working as well as anything else for years now.
Which leads me to wonder why do people insist on FTDI? What is the advantage there?
Moving forward would "use devices that use the bog standard USB CDC drivers of the Linux operating system, and avoid FTDI altogether when possible" be a reasonable policy? I have enough stupid errors in my life from my own effort for free without help from high paid professionals like MS and FTDI.
Yes. How on Earth did it happen that the humble serial port vanished from our PCs and other devices to be replaced by USB but there is no dead simple serial port driver coming as standard for any OS that supports USB?
It's that simple omission, from Windows, that gave FTDI a position in the market. Not any brilliant USB serial chip.
No, there is no "detection algorithm" in their code.
What they did was cleverer than that.
Quite the opposite to being clever, actually. The fact that they chose not to read back the value at the time of the change was their specific choice, as altering the VID to 0 served solely or primarily as a means of determining non-FTDI parts -- if not directly, then certainly indirectly. Their admission they made no attempt to verify (and potentially correct) only serves to further bury them.
As I noted, their "software could (or should have) become aware" that the modifications performed by the driver had a specific result, which could include rendering some hardware useless with any driver, not just theirs. It doesn't really matter what their software did, but what it should have done, given its design. By specifically not checking for this result, they've added intentional negligence to their roster of potential legal concerns. So no, it's not clever.
I think whoever it is publishing their statements should stop while he or she is ahead. They're only making it worse for themselves.
Quite so. I guess it depends what we mean by "clever".
It seems clear to me that the intention was to knock out some fake devices whilst at the same time being able to claim that there is no detection going on. Which there is not, all devices got the exact same treatment. That is clever.
The "not clever" part is silently disabling people's working systems. People who probably know nothing about FTDI or the world of fake electronics. Or people who think they are FTDI customers. Innocent parties.
The not clever part is that a simple disassembly of their code shows their intention. Or a sniffer on the USB exchanges.
Bottom line is that anyone injecting malware into people's systems should be blacklisted.
That's my question too. And so far the answer is NO, at least not with anything I've been designing or using. Even the domestic Chinese CH340G works like a champ. The high price of FTDI chips drove me away from them a while ago.
I'd be interested to know if there is some application somewhere where FTDI offers the only solution.
I still don't understand why a "driver" needed to change something programmed into the chip in the first place. When did it become necessary for drivers to make alterations to the devices they are used with? Maybe this is normal and I just now found out about it, but to me, this seems like more of a firmware updater than a driver.
I'd be interested to know if there is some application somewhere where FTDI offers the only solution.
'only solution' for Niche only areas.
eg JTAG apps using their MPSSE (sp?) option, and FTDI also have coverage in the High Speed area few others do.
However, on the mainstream serial-bridge area, SiLabs and Microchip and Cypress are all expanding offerings, with parts that are cheaper/smarter in many cases.
1. It is not illegal to produce an independently designed IC to emulate another IC.
Take AMD vs Intel... AMD emulates the Intel instruction set.
The Z80 emulated the 8080 instruction set and added some extras.
A number of manufacturers make 9pin EEPROMs that are compatible in all respects except an identification parameter.
2. The VID/PID can only be protected between the USB registered members. Unregistered designs can utilise any VID/PID they like as a number cannot be trademarked.
So, basically anyone is free to make a chip that emulates the FTDI chip PROVIDED they DO NOT...
a) copy FTDI's IC mask set
b) infringe on FTDI's trademarks such as label their chips as "FTDI" (ie pass-off)
These "counterfeit" chips most likely use a different mask set because as has been said, they are a microprocessor based chip, and from this statement, I presume FTDI is not. Anyway, from what I have read, no one is asserting they have copied FTDI's mask set (otherwise they would faithfully work like FTDI).
So we are left with those counterfeit chips may have been branded "FTDI". If so, FTDI should have published the difference in markings widely so at least responsible companies could at least check their inventories. There has been speculation, but no one seems certain that the counterfeit chips are marked "FTDI". If they are legitimately branded by another company, then IMHO they are not "counterfeit" and so have been intentionally bricked by FTDI.
BUT, why didn't Microsoft supply a standard COM (CDC) driver just like they supply a standard HID driver? My presumption is they make lots of $$$ from companies requiring their drivers get certified by MS.
Without jumping into the whole debate of the widely varying opinions of FTDI or even the mention of just having a second source I am going to mention something from a purely engineering/tech support stand-point...
Parallax has been building development boards for a very long time and through the years there were a number of hurdles that would crop up as technology changed through the years. Usually these boiled down to the FIFO buffers or drivers on the ports. Still some computers did not work well with our product due to these changes to the serial ports. When things started going in the direction of USB many customers started buying adapters with varying brands of USB to Serial chip inside. The results of using these on our products varied, but quite often the USB adapter quite simply wasn't compatible with our products for various reasons. We started testing some to try and narrow things down and ones that were approved later stopped working due to lack of driver updates or compatibility issues with newer USB ports and standards. The FTDI chips have always worked. On some computers the latency settings need to be adjusted or there may be various issues with the driver depending on Windows updates, etc. But the hardware has been reliable and the driver is even included with both the BASIC Stamp Editor and Propeller Tool. The documentation references it and all things considered it really hasn't been an issue. So there's no reason that I can see to switch and in fact the Tech Support issues related to changing at this point would most likely outweigh any benefits another USB chip could provide even in the cost difference of the chip. Just my thoughts on this.
I would never suggest that Parallax or any other company immediately cancel all products that require FTDI devices / drivers and redesign everything to avoid them. That is clearly an expensive road to chaos and ruin.
What I find appalling is that a company like Parallax needs to supply a driver for a serial port. Using an external device that requires a humble serial connection should not dictate messing with the guts of the user's operating system, installing executable code of untraceable provenance into the very kernel of the OS.
Equally appalling is that Microsoft has to ship a driver from a hardware manufacturer for such a simple thing as a serial port. How come this is not a standards compliant part of the OS provided by MS already? Serial devices are part of the USB specifications along with mice and keyboards etc.
That's before we get to talking about how the hell it happened that some little company managed to slip malware through Microsoft's update system that can cause users' systems to fail.
The whole regime is suspect.
What should one do? Pretend nothing has happened and continue as usual? Or start to think about a way out of this mess?
Everybody here is claiming that there is no CDC driver in Windows. This is not true at all.
There is no CDC driver in Windows XP. That is true. But all Windows Versions since XP (Vista, W7, W8, W2003 - W2012 Server) do have a CDC driver.
Like in Linux you have to add/register the DeviceID so the OS will use the CDC driver. In Windows this is usually done with a .inf file (a text-file you can even write by yourself or copy from a web-page).
So the excuse that someone needs to use FTDIs driver because there is none other is simply wrong.
It is more the inconvenience to deliver a device ID and instructions to install/register the existing driver. Just let FTDI pay for it and use their ID. Brilliant move for any freeloader.
Comments
If what you say is actually how it works then they have no problem. Did I win? Let's see...:)
@Gordon, Well I hope so because obviously there is some fine point about this DMCA notice thing I do not know or understand.
Separately on this to ensure it's not lost:
You're talking trademark. The "C" in DMCA is for copyright. You cannot send a DMCA notice for an alleged trademark infringement. For trademark, you have to send a C&D to the infringer, which is often ignored if they are on foreign soil. Trademark doesn't have the same safe harbor takedown mechanisms. When everything else fails, there's always going to court. Such cases almost always end in a summary judgment in your favor, because the other side simply doesn't show up. The court order can then be used with eBay, Alibaba, and others from listing the product, as well as having it pass through customs. In any case, it can be expensive.
Works with any string, come who may.
And this is one of the really great things about open code. It helps resolve artificial value issues, among other things.
This is likely to happen now.
FTDI clearly added value. I'm good with paying them for that. However, I'm not good with these means or methods, nor am I always good with entities going right to legal means.
One of the options FTDI has is to continue to sell that value, and treating people right is a part of that sale, which they do not currently understand. Had they done that, this would play out very, very differently.
And I'm in a niche right now that is absolutely flooded with clones. Cheap o things from Asia. Branding, service, and the overall value sale keeps the product moving very, very nicely. Doing this stuff is worth a lot.
And for bonus points, when it's done well, the legal means do not generate the negatives in anywhere near the same degree.
Oh well. These guys are attending class at the school of hard knocks right now. Perhaps the bell will ring for them.
They felt the need, due to one or more of the following being true:
1. Failure to understand user dynamics, etc... as I've mentioned here a couple of times
2. Legal means being expensive, ineffective, or poorly understood (which strongly favors #1, which is cheap)
3. Punitive. Attention getting, which also can be done with #1, and with far fewer negative consequences.
4. Error. Perhaps one engineer or a group decided to act.
None of this is to say they should tolerate the goings on, nor that they don't have motivation to act. They do, and if I were them, I would. But... they really could have gotten some consulting prior to just acting.
The big damage is this: How do I know they won't make another gaffe like this?
I don't. So I'm now hoping this all gets opened up, because I need to trust my tech, not worry over it.
As far as I understand the DMCA, which is not much but, it seems to allow for:
1) Perhaps I post something, totally original, that is then issued with a take down notice and hence removed from wherever I put it. Now I am effectively guilty until I prove otherwise. This is totally opposite to the idea of "innocent until proved guilty" that has taken us humans a long time to arrive at. Not only that, I have to give up my privacy and go through a lot of hassle to prove I'm innocent.
This has happened.
2) Perhaps I figure out how to copy things like DVDs despite their lame attempts at copy prevention. Or perhaps I figure out how to use some hardware I have bought in ways its creators do not like. Despite their lame attempts at locking me out of my own property.
Now I'm guilty of "circumventing protection" devices or whatever they call it.
This has happened.
Do correct me if I am wrong with any of this.
Back on topic....
Never mind any potential, future, crypto scheme. FTDI took the law into their own hands and attempted to cause users' systems to fail. This is not acceptable.
Not only that, they subverted Microsoft's update process to mount their attack. This is not acceptable.
During that time, I was watching DVD movies on Linux that I bought, on a drive I bought, on a computer I bought, each individually legal in every way. But I had to get that code from somebody and compile it, tell my DVD player software, Ogle at the time, where it was, and according to the legal interpretations in effect at the time, commit a crime to watch a movie. Not OK.
Ogle would skip "mandatory" previews and just display the movie. Spiffy! That's what I paid for.
It may even be legal where you are too. Norway is one nation where it currently is. In Norway, you get three bites at the apple in the courts. After the third loss, it's law for all time. The various trade industries have lost twice there and are yet to bring a third challenge.
So if I do it somewhere it's legal to do, and I would submit having that legality is valid in plenty of cases, particularly the playing of a DVD, on a drive legally purchased on Linux type of case, and share that, the DMCA allows somebody not even in my jurisdiction to frown on that, cause me grief, impact to reputation, and all manner of other things, just because they don't like the result.
In general, it puts a lot of otherwise valid reverse engineering at risk too. And I'll be quite frank: I see reverse engineering as a clear motivator to continue to add value, not just lock in and rent seek technically. The DMCA isn't a very good tool in this respect, though it works well in others.
More debate, and using proper language as I've advocated for here before, is clearly needed.
Regarding these:
Absolutely agreed. Open it. Put this whole thing to rest. I don't have the time for it. I do have the time to hear their case, should they present it to me, and I have the time to do them a solid too. Nobody wants to struggle in business, and I'm up for helping them out, doing my part, etc...
But to operate under the assumption that I and anybody really, is collateral damage is completely unacceptable and should carry consequences. Also put very bluntly, I no longer trust them and do not consider them responsible in business.
They can change that, but they need to do the work to change that now.
http://www.youtube.com/watch?v=eU66as4Bbds
Like anything it can be, and is, abused.
For other aspects of my professional life, it has caused far more harm than good, due to unclear language in parts of it -- and no, I won't expand on that, as I've already talked about it in other threads. But in this case, it's a way it can be proactively used that's better than disabling someone's property.
As a BTW, filing false DMCA takedowns carries with it severe penalties, including potential federal prison sentences, as filing one requires to swear under oath. Some people are stupid and send them before verifying, but it's not as common as it may seem. A counter-claim can quickly restore the work, at which point it becomes a matter for the courts, like it always has. The onus to find guilt is on the alleging party, just as it always is. So your description of the worst case, while dire sounding, isn't in the least. That part of the law they got right.
Agreed. This stuff is more complex than it should be.
I think the wrinkles here, are the CDC (or HID) do not support the classic "Open com" - that is where the VCP (Virtual Com Port) drivers come in - if you want legacy software to open any virtual COM port, something is needed between the OS and user, that senses a USB attach, and adds a virtual COM ready for any generic COM usage.
HID allows you to avoid custom drivers, but now you replace that with custom calls & rewrite of legacy code (and I think buy into issues on any hardware where real COM ports still physically exist... Like all my PCs here )
Of course, you could argue the OS should include such tested and proven functionality, but it seems few (none?) do.
Today I was hunting around the lab and plugging every USB/serial dongle I could find into my PC. Using the detect_ftdi_clone.py script to see if we had any fakes around.
Sadly I did not find any fakes but I did discover that we have some no name USB/Serial dongles that show up as "Prolific" devices and use the bog standard USB CDC drivers of the Linux operating system.
They show up as /dev/ttyUSB0 and have been working as well as anything else for years now.
Which leads me to wonder why do people insist on FTDI? What is the advantage there?
Thank you for that useful and interesting post.
In short, it's lots of politics from FTDI:
But whilst we are here: Re. the FTDI statement:
It is true that there was no counterfeit detection in that driver.
It is true that there was not any flagging of counterfeit devices.
It is true that the same commands were sent to genuine or counterfeit devices.
However all that is irrelevant. What they did was to add code to the driver that sent out commands that were in no way required for the device and driver to work together. The commands were crafted in such a way that they had no effect on the real chips but changed the VID of the fake chips. With a VID of zero the fake chips would no longer be recognized as FTDI devices and stop working. Meanwhile those redundant commands failed to change the VID on FTDI devices and hence they continued to work.
Few people can imagine that this was not done on purpose after seeing the code. The commands in question are redundant and would stop things working if the FTDI device acted on them correctly. It's very cunning.
One could argue that the fake chips were superior in this respect. They correctly changed their VID when told to. The FTDI chips did not!
It's kind of staggering that FTDI could get this killer code onto people's machines via the Microsoft update path. Who knows what other malware comes through that pipe?
They did what they did. Now it's trying to salvage their reputation. The driver they are working on now is the one they should have introduced first. But I am sure it all came down to money in the beginning, now it is about reputation.
A "detection algorithm" was indeed part of the update. The software could (or should have) become aware that the device was not genuine FTDI when the commands to change the VID passed. This could be (or should have been) easily determined in software, and therefore it was a detection algorithm. To avoid liability issues, their software should have changed the VID back again -- this is proven to be possible -- and a message displayed to the user that the update failed due to product incompatibility.
They do use the term "counterfeit" in a suspicious manner. A "counterfeit" has a specific meaning under the law, and it could be argued that their driver could not tell the difference between a counterfeit and a non-infringing product that performs the same USB-to-serial function. It's these non-counterfeit chips that represent the biggest issue for the company. By the wording of their notice, they fail to mention the potential damage done to those. So far from helping their reputation or legal defense, they've made it worse by conspicuously ignoring a group of non-infringing products that were known to be affected.
No, there is no "detection algorithm" in their code.
What they did was cleverer than that. They send exactly the same commands to any device. They do not check if those commands worked correctly or not. So they have no idea what is on the end of the line. Fake or not.
But, it turns out the way the commands are crafted the fake devices change their VID correctly but the FTDI devices do not.
On top of that the commands to change the VID would also disable FTDI devices. If FTDI devices responded to them correctly that is.
They can quite rightly state that their driver treats all devices equally. No detection going on. Whilst at the same time knowing that fakes get bricked.
There is no other reason for that code to be in their driver so the motivation is clear.
The way I see it, it is quite possible that the fakes are actually cheaper and better devices!
What is all this nonsense about the EULA and such? That driver update came from Microsoft's update as far as any user is concerned.
Not that I am defending those that put other companies trademarks on their products and try to palm themselves off as coming from that company. Far from it.
But let's stay away from FTDI and their malware.
Moving forward would "use devices that use the bog standard USB CDC drivers of the Linux operating system, and avoid FTDI altogether when possible" be a reasonable policy? I have enough stupid errors in my life from my own effort for free without help from high paid professionals like MS and FTDI.
Does FTDI offer anything we can't get elsewhere?
Yes. How on Earth did it happen that the humble serial port vanished from our PCs and other devices to be replaced by USB but there is no dead simple serial port driver coming as standard for any OS that supports USB?
It's that simple omission, from Windows, that gave FTDI a position in the market. Not any brilliant USB serial chip.
Quite the opposite to being clever, actually. The fact that they chose not to read back the value at the time of the change was their specific choice, as altering the VID to 0 served solely or primarily as a means of determining non-FTDI parts -- if not directly, then certainly indirectly. Their admission they made no attempt to verify (and potentially correct) only serves to further bury them.
As I noted, their "software could (or should have) become aware" that the modifications performed by the driver had a specific result, which could include rendering some hardware useless with any driver, not just theirs. It doesn't really matter what their software did, but what it should have done, given its design. By specifically not checking for this result, they've added intentional negligence to their roster of potential legal concerns. So no, it's not clever.
I think whoever it is publishing their statements should stop while he or she is ahead. They're only making it worse for themselves.
Quite so. I guess it depends what we mean by "clever".
It seems clear to me that the intention was to knock out some fake devices whilst at the same time being able to claim that there is no detection going on. Which there is not, all devices got the exact same treatment. That is clever.
The "not clever" part is silently disabling people's working systems. People who probably know nothing about FTDI or the world of fake electronics. Or people who think they are FTDI customers. Innocent parties.
The not clever part is that a simple disassembly of their code shows their intention. Or a sniffer on the USB exchanges.
Bottom line is that anyone injecting malware into people's systems should be black listed.
That's my question too. And so far the answer is NO, at least not with anything I've been designing or using. Even the domestic Chinese CH340G works like a champ. The high price of FTDI chips drove me away from them a while ago.
I'd be interested to know if there is some application somewhere where FTDI offers the only solution.
'only solution' for Niche only areas.
eg JTAG apps using their MPSSE (sp?) option, and FTDI also have coverage in the High Speed area few others do.
However, on the mainstream serial-bridge area, SiLabs and Microchip and Cypress are all expanding offerings, with parts that are cheaper/smarter in many cases.
1. It is not illegal to produce an independently designed IC to emulate another IC.
Take AMD vs Intel... AMD emulates the Intel instruction set.
The Z80 emulated the 8080 instruction set and added some extras.
A number of manufacturers make 9pin EEPROMs that are compatible in all respects except an identification parameter.
2. The VID/PID can only be protected between the USB registered members. Unregistered designs can utilise any VID/PID they like as a number cannot be trademarked.
So, basically anyone is free to make a chip that emulates the FTDI chip PROVIDED they DO NOT...
a) copy FTDI's IC mask set
b) infringe on FTDI's trademarks such as label their chips as "FTDI" (ie pass-off)
These "counterfeit" chips most likely use a different mask set because as has been said, they are a microprocessor based chip, and from this statement, I presume FTDI is not. Anyway, from what I have read, no one is asserting they have copied FTDI's mask set (otherwise they would faithfully work like FTDI).
So we are left with those counterfeit chips may have been branded "FTDI". If so, FTDI should have published the difference in markings widely so at least responsible companies could at least check their inventories. There has been speculation, but no one seems certain that the counterfeit chips are marked "FTDI". If they are legitimately branded by another company, then IMHO they are not "counterfeit" and so have been intentionally bricked by FTDI.
BUT, why didn't Microsoft supply a standard COM (CDC) driver just like they supply a standard HID driver? My presumption is they make lots of $$$ from companies requiring their drivers get certified by MS.
Parallax has been building development boards for a very long time and through the years there were a number of hurdles that would crop up as technology changed through the years. Usually these boiled down to the FIFO buffers or drivers on the ports. Still some computers did not work well with our product due to these changes to the serial ports. When things started going in the direction of USB many customers started buying adapters with varying brands of USB to Serial chip inside. The results of using these on our products varied, but quite often the USB adapter quite simply wasn't compatible with our products for various reasons. We started testing some to try and narrow things down and ones that were approved later stopped working due to lack of driver updates or compatibility issues with newer USB ports and standards. The FTDI chips have always worked. On some computers the latency settings need to be adjusted or there may be various issues with the driver depending on Windows updates, etc. But the hardware has been reliable and the driver is even included with both the BASIC Stamp Editor and Propeller Tool. The documentation references it and all things considered it really hasn't been an issue. So there's no reason that I can see to switch and in fact the Tech Support issues related to changing at this point would most likely outweigh any benefits another USB chip could provide even in the cost difference of the chip. Just my thoughts on this.
I would never suggest that Parallax or any other company immediately cancel all products that require FTDI devices / drivers and redesign everything to avoid them. That is clearly an expensive road to chaos and ruin.
What I find appalling is that a company like Parallax needs to supply a driver for a serial port. Using an external device that requires a humble serial connection should not dictate messing with the guts of the user's operating system, installing executable code of untraceable provenance into the very kernel of the OS.
Equally appalling is that Microsoft has to ship a driver from a hardware manufacturer for such a simple thing as a serial port. How come this is not a standards compliant part of the OS provided by MS already? Serial devices are part of the USB specifications along with mice and keyboards etc.
That's before we get to talking about how the hell it happened that some little company managed to slip malware through Microsoft's update system that can cause users' systems to fail.
The whole regime is suspect.
What should one do? Pretend nothing has happened and continue as usual? Or start to think about a way out of this mess?
There is no CDC driver in Windows XP. That is true. But all Windows Versions since XP (Vista, W7, W8, W2003 - W2012 Server) do have a CDC driver.
Like in Linux you have to add/register the DeviceID so the OS will use the CDC driver. In Windows this is usually done with a .inf file (a text-file you can even write by yourself or copy from a web-page).
So the excuse that someone needs to use FTDIs driver because there is none other is simply wrong.
It is more the inconvenience to deliver a device ID and instructions to install/register the existing driver. Just let FTDI pay for it and use their ID. Brilliant move for any freeloader.
Enjoy!
Mike
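The symptom discussed earlier in the thread, an adapter whose USB ID has been rewritten to zero so that no driver claims it, can be checked for on a Linux host by walking sysfs and listing which driver is bound to each device. This is an added example, not code from the thread and not the detect_ftdi_clone.py script mentioned above; the sample device tree is constructed, and treating a zero in either the vendor or the product field as the symptom is an assumption of this sketch.

```python
import os
import tempfile

# Vendor IDs of bridge-chip makers named in the thread (FTDI, Prolific, CH340, SiLabs).
KNOWN_VENDORS = {"0403": "FTDI", "067b": "Prolific",
                 "1a86": "QinHeng (CH340)", "10c4": "Silicon Labs"}

def _read(path):
    """Return a sysfs attribute as lower-case text, or None if it is absent."""
    try:
        with open(path) as fh:
            return fh.read().strip().lower()
    except OSError:
        return None

def scan_usb(devices_dir="/sys/bus/usb/devices"):
    """List USB devices with their IDs, bound drivers and a zeroed-ID flag."""
    records = []
    entries = sorted(os.listdir(devices_dir))
    for name in entries:
        if name.startswith("usb"):
            continue  # root hubs, not adapters
        dev = os.path.join(devices_dir, name)
        vid = _read(os.path.join(dev, "idVendor"))
        pid = _read(os.path.join(dev, "idProduct"))
        if vid is None or pid is None:
            continue  # interface entries such as "1-2:1.0" have no ID files
        drivers = []
        for iface in entries:
            link = os.path.join(devices_dir, iface, "driver")
            if iface.startswith(name + ":") and os.path.islink(link):
                drivers.append(os.path.basename(os.readlink(link)))
        zeroed = int(vid, 16) == 0 or int(pid, 16) == 0
        records.append({"port": name, "id": vid + ":" + pid,
                        "vendor": KNOWN_VENDORS.get(vid, "unknown"),
                        "drivers": sorted(set(drivers)),
                        "status": "zeroed-id" if zeroed else "ok"})
    return records

def build_sample_tree():
    """Create a constructed sysfs-like tree (not captured from a real host)."""
    root = tempfile.mkdtemp()
    sample = [("1-1", "0403", "6001", "ftdi_sio"),
              ("1-2", "0403", "0000", None),   # zeroed ID: no driver binds
              ("1-3", "1a86", "7523", "ch341")]
    for name, vid, pid, driver in sample:
        iface = os.path.join(root, name + ":1.0")
        os.makedirs(os.path.join(root, name))
        os.makedirs(iface)
        for attr, value in (("idVendor", vid), ("idProduct", pid)):
            with open(os.path.join(root, name, attr), "w") as fh:
                fh.write(value + "\n")
        if driver:
            os.symlink("../../drivers/" + driver, os.path.join(iface, "driver"))
    return root

if __name__ == "__main__":
    for rec in scan_usb(build_sample_tree()):
        print(rec)
```

Called with no argument, `scan_usb()` reads the live `/sys/bus/usb/devices` directory; the `drivers` field shows which kernel driver actually claimed each adapter.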