
Just release the src code #5

Open
rtfmkiesel opened this issue Mar 11, 2025 · 4 comments

Comments

@rtfmkiesel

Stop toying around with open-source development. In the interest of security and usability, release the code now and not when the repo has N stars. This behavior is embarrassing for FOSS development.

My points:

  • Security: Given your track record on the regular NanoKVM, document ALL features of your devices. For example, I would like to have documentation on the events/commands
    • READ_MY_HID_DATA
    • GET_PARA_CFG
    • SET_PARA_CFG
    • GET_USB_STRING
    • SET_USB_STRING
  • Usability: I have a non-English keyboard and need to be able to adjust the keyboard commands, as special keys currently do not work for me. Reversing your app.asar should not be necessary.
@WarmWelcome

I came here to look for the assurance that this isn't some rubber ducky disguised as a sysadmin tool, and found a GitHub page with no src. How can we expect to trust a hardware device like this from a company with questionable security practices and reputation? That's easy. Give us the tools we need to see if we should. The irony of this being listed on GitHub without actually being open is palpable.

I have been looking for a reasonable crash cart adapter for over 3 years now, and was hoping that this may be the day that I can finally get my hands on one. Oh well, maybe some other day. If it becomes fully open, then that day may be close.

@Zepan

Zepan commented Mar 14, 2025

Hi, the NanoKVM-USB is an offline USB peripheral device, which inherently poses no security risks.
This repository is primarily used for collecting user feedback and bug reports, as evidenced by the issues raised by other users.

We are more than willing to release the code earlier, if users approach us with genuine technical inquiries and constructive discussions.
However, if individuals fueled by bias and conspiracy theories demand that we open-source the code under the guise of "security concerns," we will not entertain such requests.
Their goal is not truly about "security" or "open-source" principles, but rather the thrill of online bullying.

When it comes to networked IP KVMs, they may have some grounds to raise questions, but to extend such skepticism to an offline USB KVM is unreasonable. What’s next? Endless baseless accusations? We will not be swayed by such tactics.

@WarmWelcome

> Hi, the NanoKVM-USB is an offline USB peripheral device, which inherently poses no security risks.

Offline USB devices can absolutely pose security risks. Here are just a few that easily demonstrate that fact:
https://docs.hak5.org/hak5-usb-rubber-ducky
https://usbkill.com/
https://www.hackmod.de/en/p/inputstick-usb

> This repository is primarily used for collecting user feedback and bug reports, as evidenced by the issues raised by other users.

Please modify the readme to state this as being the case. How is everyone supposed to assume that this is for issues and feedback only by the fact that a select few people have posted issues?

> We are more than willing to release the code earlier, if users approach us with genuine technical inquiries and constructive discussions.
> However, if individuals fueled by bias and conspiracy theories demand that we open-source the code under the guise of "security concerns," we will not entertain such requests.
> Their goal is not truly about "security" or "open-source" principles, but rather the thrill of online bullying.

...So what you're saying is that you're going to delay the release of the code because people are asking for the release of that code? That makes no sense, sorry. Could you explain in better terms what you mean to do here by delaying the release of the code that would prove that this project is indeed secure?

Our requests for posting the source code for security reasons aren't based on "bias and conspiracy theories" but on legitimate concerns, given that you and another collaborator have acknowledged several potential security issues and flaws (your statement), as well as outright ignoring security issues (collaborator statement).

If you won't share the code openly, at least have the decency not to dismiss our legitimate concerns with accusations of bullying and conspiracy. Stating that those who ask for the source code are conspiracy theorists is not only misguided, but also incredibly dismissive of valid concerns. And to state that these requests for open source are bullying throws out constructive conversation and trust. Shutting people down with this language and these labels is not appropriate. When legitimate concerns about security are dismissed as mere conspiracy theories or bullying, trust evaporates. Trust isn't built by name calling and labeling people with concerns as bullies, but by addressing those concerns.

@rtfmkiesel
Author

rtfmkiesel commented Mar 14, 2025

I'm not one for pointless discussion about conspiracy theories. I would just like the source code to a device I own, if the manufacturer intends to share the code anyway. This (usually) includes documentation about its features.

  • As I said in the original comment, I need to adjust the keymap. This is the main reason I want to take a look at the source code for the serial connection. (Both on the microcontroller and the web interface)
  • Also, I already added a USB jiggler button to my web interface, which is a neat feature I think others should benefit from too.

Personally, @WarmWelcome, I think it is a bit far-fetched calling this a rubber-ducky-like device without any hard evidence. In that case, you would have to call every keyboard manufactured in [insert bad country here] a backdoored device, too. The only way to trigger this would be either a random interval or a specific serial command issued through USB. Since the web interface part is completely usable offline and actually does not make any outside connection (see the image below), it's hard to believe the manufacturer has a way of remotely talking to those devices.

[Image attached to the comment]
