Proprietary design data security

As those “couple of developers” would have thousands of community members looking over their shoulders, it’s a doomed idea. The source code can be seen by everyone.
Much simpler and easier to bribe a few MS employees with a couple of millions.

1 Like

Hard to get away with on KiCad as ALL commits are on GitHub and actually get looked at by others.
My experience is that commercial software tends to be written by much smaller teams, with a lot less scrutiny. That is before someone decides to save money by outsourcing development overseas.
Earlier this week my PC was crawling and Task Manager was showing 50% CPU used by Microsoft “Telemetry”.

1 Like

This possibility will not appear for the time being, because the pirated AD users think that our using KiCad is stupid, so our number is small, and we are divided into a worthless group by the rich. :wink:

My dastardly plan has been uncovered! I would have gotten away with it too if not for you meddling kids and your dog too!

Edit: Here’s a link for the youngsters in the thread

9 Likes

I knew it was you!
At least, your name is sooo close to “Sith”, it could not be coincidence.
And everyone knows what can be expected from a representative of the Dark Side.
Don’t EVER underestimate the power of the Dark Side.
[khhhhh chhhhh]

1 Like

There are various ways to block programs from accessing the network, e.g. firewalls.
This may be more practical than a fully air-gapped system.
KiCad has the advantage here as it does not need to do online license verification.

1 Like
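As an added example (not from the thread or from the KiCad project), here is the per-program firewall approach the post above describes, done with Windows Defender Firewall from an elevated PowerShell prompt. The executable path and rule name are placeholders; point `$Program` at the binary you actually want kept offline.

```powershell
# Added example: block one program's outbound traffic with Windows Defender
# Firewall, as a lighter alternative to a fully air-gapped machine.
# Run from an elevated PowerShell prompt.
$Program  = 'C:\Path\To\ecad\program.exe'   # placeholder path, assumption
$RuleName = 'Block outbound - ECAD'          # placeholder rule name

# Create (or recreate) an outbound Block rule scoped to that executable.
# Block rules take precedence over Allow rules in Windows Firewall, so this
# holds even if an installer added an Allow rule for the same program.
if (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue) {
    Remove-NetFirewallRule -DisplayName $RuleName
}
New-NetFirewallRule -DisplayName $RuleName `
    -Direction Outbound -Action Block -Enabled True `
    -Profile Any -Program $Program | Out-Null

# Verify the rule landed with the expected program filter attached.
$rule = Get-NetFirewallRule -DisplayName $RuleName
$app  = $rule | Get-NetFirewallApplicationFilter
"{0}: Direction={1} Action={2} Program={3}" -f `
    $rule.DisplayName, $rule.Direction, $rule.Action, $app.Program

# Show why a per-program Block rule is needed at all: the default outbound
# action on each profile is normally Allow.
Get-NetFirewallProfile | Select-Object Name, DefaultOutboundAction
```

Two caveats worth keeping in mind with this approach. A program rule matches only the named executable, so anything the program launches as a separate process (an external script interpreter, an updater) needs a rule of its own, and the rule does nothing about other software on the same machine. An air gap covers all of that at once; a firewall rule covers exactly what you wrote it for, so periodically re-run the verification part of the script to confirm the rule is still present and enabled.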

Don’t worry Art, your computer is probably already taken care of by the governments. Intel ME, automated Windows updates, maybe the firmware on your motherboard, GPU or your WiFi card already comes with some unexpected features :slight_smile:

Time to find that old trusty waterproof marker and draw your PCBs the traditional way. But beware, spy satellites can still watch your precious layouts.

T.

6 Likes

Only if you remove that tin-foil blanket.

The argument: “Anybody can view the source code” has one flaw - does anybody actually view unrelated portions of source code? Do developers have regular code reviews? Do they cover 100% of the code? I would imagine that the source code would be pretty significant in volume by now, so it wouldn’t be really hard to hide the proverbial needle in the haystack.

The question is mostly about perception rather than about creating a government level secure machine. When you go and try to pitch KiCad to a company the common perception is that open source software can be a source of security vulnerability (even if it is not in real life). Therefore any additional independent evaluation, certifications or adoption by well known companies with sensitive proprietary designs would be beneficial.

This is a popular question directed towards the Open Source community and software. It depends on the project in question. Being Open Source doesn’t guarantee peer review. As for KiCad, I can say peer review really happens, although not formally. Sneaking under the radar is a theoretical possibility, but only theoretical. Again, I would say “impossible”.

Do you get a guarantee from any commercial company that all their code is really reviewed by several independent programmers?

2 Likes

As has been mentioned before - REAL security is your local responsibility. KiCad already gives you the best shot at enabling it, by being completely local and handing you its source to check.

If a proprietary ECAD offers that as a “guarantee” then you pay for it.
If you want that with KiCad you have to find a company that does verifications of this kind (if you don’t have this capability in-house) and pay them to do it and rely on their insurance and assurance that what they say is true. And if some break occurs and you can stick it on them having not done their job (good luck) then you can sue them and your CEO/CTO can wash their hands of the responsibility… because this is what the real goal is here. Putting the blame on something/somebody else outside of your company’s chain of command so no one is liable and can be fired for this.
I’m sure such services exist as there must be high demand for this - “free” markets and all :wink:

2 Likes

If you can actually find a commercial ECAD supplier willing to let a truly independent party do an audit.

People do examine other developers’ commits on KiCad. The hole is third party frameworks like Python and the graphics. Commercial software will have the same challenges with Qt or similar.

2 Likes

I assure you that none of this happens at the other ECAD vendors in any meaningful way to make you happy either. At least two ECAD vendors off the top of my head are carrying Fortran code duct-taped to C#/Java/C to keep it working without caring to fix it.

They are more than free to pay for it then. Open source does not mean free labor to satisfy the needs of commercial entity but everyone sure as shit thinks it does.

4 Likes

My experience of commercial software is that important security related libraries for SSL/SSH etc. never get patched as nobody wants to sign off the development and testing costs (and the risk of something breaking).
This attitude is how some of the cracked pirate versions appeared.

lmaooo this thread is a trip

nothing you’re creating is so interesting that anybody wants to do this, I promise

The question is mostly about perception rather than about creating a government level secure machine. When you go and try to pitch KiCad to a company the common perception is that open source software can be a source of security vulnerability (even if it is not in real life).

I use KiCad regularly professionally with actual clients and not a single one has ever said this. Mostly it’s “wait, you’re using a different CAD package than us and we don’t have to buy anything to view your files? wtf this is the best i love open source”

5 Likes

:smiling_face_with_three_hearts:

Interesting. Suppose a Chinese, or other, entity offers to seriously fund KiCad development if in return they get access to all the designs, without support or warranty. This is a conversation worth having. Say 10 full-time developers?

Ah, but as the Romans said: “Quis custodiet ipsos custodes?”

i’d happily give Art’s IP to the commies for that much development power

Maybe you should not worry so much about the Chinese. About the Chinese it is said that they might spy on us. About the Americans it is proven that they spy on us. Only the Europeans are nice guys and don’t. Naive and stupid? Or maybe they are super clever, and are the only ones that have not been found out yet! Doesn’t CERN fund development of KiCad. Suspect…

5 Likes