> When the KiCad Project formally became a registered project under the Linux Foundation, we attempted to secure the rights to the original domain name from Dick without success.
> In the meantime, Digikey Corporation purchased the kicad.org domain name from squatters and donated it to the KiCad Project.
It’s too bad they didn’t start migrating to the kicad.org domain name earlier. Changing domains is always hard but they should have started the migration at first signs of trouble with the old domain holder, not after he had sold it away.
> The former project lead refused to surrender the domain names
We actually offered to purchase the domain names from him. We don't know how much he sold them for but we were not given the chance to bid against whoever eventually bought them.
We migrated in 2020. The post is badly worded. We updated the vast majority of links in our control at the time. Third party links however are always a pita.
The forums have always been user-run projects. Chris set up the kicad.info forum about 5 years ago. I personally doubt Chris will go rogue, he has been preaching kicad for far too long, I would say he has well and truly "drank the kool-aid" (Not the correct term, but was the first term that came to mind, what I mean is that he is extremely passionate about the project so I don't see him doing it any harm.), but I see your point that the forums could be another point of failure as they are user-run.
I found this amusing myself too. Though, if they have any working relationship, why not point subdomain like forum.kicad.org to Chris's forum? It's cheap and easy, and noticeable who controls it.
Because it's not the only forum, nor is it the official forum.
Dave at eevblog also runs one https://www.eevblog.com/forum/kicad/ (Chris and Dave both host The Amp Hour podcast). There is the Subreddit; there are also Chinese and Spanish forums on different domains too.
The kicad site also states that in order to have your forum listed on the kicad site "You do not misrepresent yourself as being an official KiCad entity". Having a subdomain for it could imply it's "official" and break its own rule. https://www.kicad.org/community/forums/
Nothing. It would be highly discriminatory to declare any one forum as the official one. The user bases across various languages are huge (in fact English is not the majority), electrical engineers are also highly tribal and have their own various communities that are very large. Trying to centralize them into one English forum is downright disingenuous.
I started the forum because at the time one of the only sources of user support was a Yahoo message board. It was not a nice place. There was also an IRC (still active), but that format doesn't have any searchable history.
Things have gotten way better since then. I have not heard any desire to have a centrally maintained forum, but will help however I can.
In case it's helpful, here's the first paragraph from the post:
"The original KiCad domain name (kicad-pcb.org) was recently sold to an unnamed third party that is not affiliated with the KiCad Project or members of the KiCad Development Team. This sale was unexpected and may pose a risk to KiCad users. The new owners may simply post advertisements or (worst-case scenario) they may host malicious versions of the KiCad software for download."
> they may host malicious versions of the KiCad software for download
Imagine someone using this as an attack vector to smuggle in exfiltration appliances in the form of hardware circuits in the KiCad software itself, so that the generated PCB files contain spyware in hardware form.
That would be a first of its kind: Supply chain attack at hardware level.
Extremely difficult to achieve undetected. Firstly just successfully smuggling a working design for spyware into the PCB design would require an impressive feat of CAD engineering, then there's no way to achieve this just with copper traces, you would need to add new components to the board. Both changes in the traces and new components would be extremely obvious in all but the most automated workflows (getting a PCB manufactured is a very manual process). It's typical to inspect the output gerber files manually for any errors, as well as for PCB manufacturers to offer a preview of their interpretation of the gerber. Similarly with the BOM, which has a different flow with a lot of human touch. Also, the techniques which would allow hiding the components within the PCB itself (which do exist) are extremely rare. The only places with the slightest chance of this working (massive organisations with a huge amount of siloing) aren't using KiCAD as a tool.
You're correct of course. It's wildly infeasible, prone to rapid detection, and there's no plausible profit to sneaking subtle backdoors into random KiCAD projects. Now let's brainstorm possible vectors anyway...
You could manipulate PCB traces in such a way as to leak data over RF? No topological change to the circuit and very hard to pin down.
Perhaps there's some chip that has some functionality enabled by a logic input. The designer intended it to be off but KiCad tied it high or low or open to turn it on instead. That functionality might enable a serial interface or reading or writing some sensitive memory or whatever that might become a vulnerability.
I imagine it would be much more likely to have a "backdoor"-ed version of kicad that would phone in with intellectual property rather than PCB spyware. Making a PCB is too much like writing assembly for it to go unnoticed...
Exfiltrating KiCAD project files and manually designing a subtly backdoored version is a much more likely attack. An automatically inserted backdoor has a high risk of detection, dragging the entire plot out into the open. Stealthily phoning home is harder to detect and most small operations that would use KiCAD are probably not well equipped to detect such network traffic. The downside is of course that physical access to the product is required to install the backdoored electronics.
> pcb's today contain too much 'made by hand' to hide much without the designer noticing...
Doesn't mean the layers have to be rendered with the modified/malicious version of KiCAD. They could just try to hide it if they detect a layer with id=spyware.
I'm just saying that this would be a very sneaky way to infiltrate the hardware industry, because currently all installed versions rely on the old domain - and that's where they will pull their updates from, too. So pushing out a newer release with that "spyware" modification would be super easy to realize.
Adding an extra layer is expensive (and done in pairs). As others mentioned, when you go to manufacture your boards, you export each layer into its own file, zip them all up and then send/upload the files to your manufacturer. Either you will notice the extra files, or when you put in your order, the manufacturer will reject the order as you gave them the wrong number of files (eg: you paid for 4 layers, but sent them 6). The file format of the layers is basically a vector in ASCII of each trace, so there is little opportunity to hide extra stuff.
More and more manufacturers with online ordering show you images of what they think each layer looks like, and any modifications unless they are very slight will be detected then. You always review each layer in the manufacturer's tool as there is a host of things that can go wrong (layer ordering, mirroring, alignment, copper vs solder mask vs silkscreen layer types).
Adding extra components is out too, as the Bill of Materials is exported to CSV, then imported into several component suppliers' websites. Any non-basic component is carefully scrutinized for need as they are expensive (and these days hard to get) and to make sure you have everything you need to actually build the board as any non-trivial board requires multiple suppliers to provide all of the components. Even if you missed it then, assembly charges a significant amount per unique component they have to place on the board (eg: placing same resistor twice is cheaper than 2 different resistors).
Once the board is assembled, it will then likely undergo EMI testing to comply with various countries' limits on how much RF can leak out of the product. In quite a few cases, final testing is done by a 3rd party lab. This basically limits whatever data exfiltration method to be short range.
If someone wanted to be evil, they would have much better luck on the software side of the product rather than at the board level.
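The checks described in the comment above (copper layer files against the ordered layer count, exported BOM against the one that was reviewed), as an added example that is not part of the thread or of KiCad. It reads the Gerber X2 `TF.FileFunction` attribute; the function names, the `Value`/`Qty` BOM columns and all sample data are assumptions constructed for illustration.

```python
import csv
import io
import re

# Gerber X2 file attribute, e.g. %TF.FileFunction,Copper,L1,Top*%
FILE_FUNCTION = re.compile(r"%TF\.FileFunction,([^*]*)\*%")

def copper_layers(package):
    """Names of files whose X2 FileFunction attribute declares a copper layer."""
    names = []
    for name, text in sorted(package.items()):
        match = FILE_FUNCTION.search(text)
        if match and match.group(1).split(",")[0] == "Copper":
            names.append(name)
    return names

def bom_quantities(bom_csv):
    """Map part value -> quantity; the Value/Qty column names are an assumption."""
    return {r["Value"]: int(r["Qty"]) for r in csv.DictReader(io.StringIO(bom_csv))}

def review_package(package, ordered_layers, bom_csv, approved_bom_csv):
    """Return findings a reviewer should resolve before placing the order."""
    findings = []
    layers = copper_layers(package)
    if len(layers) != ordered_layers:
        findings.append(f"copper layers: ordered {ordered_layers}, found {len(layers)} {layers}")
    exported, approved = bom_quantities(bom_csv), bom_quantities(approved_bom_csv)
    for part in sorted(set(exported) | set(approved)):
        if exported.get(part, 0) != approved.get(part, 0):
            findings.append(f"BOM {part}: approved {approved.get(part, 0)}, exported {exported.get(part, 0)}")
    return findings

# Constructed sample data (not from a real board): two layers ordered, three exported.
SAMPLE_PACKAGE = {
    "board-F_Cu.gbr": "%TF.FileFunction,Copper,L1,Top*%\nG04 constructed*\nM02*\n",
    "board-In1_Cu.gbr": "%TF.FileFunction,Copper,L2,Inr*%\nG04 constructed*\nM02*\n",
    "board-B_Cu.gbr": "%TF.FileFunction,Copper,L3,Bot*%\nG04 constructed*\nM02*\n",
    "board-F_Mask.gbr": "%TF.FileFunction,Soldermask,Top*%\nG04 constructed*\nM02*\n",
}
APPROVED_BOM = "Value,Qty\n10k,4\n100nF,6\n"
EXPORTED_BOM = "Value,Qty\n10k,4\n100nF,6\nMCU-EXAMPLE,1\n"

if __name__ == "__main__":
    for finding in review_package(SAMPLE_PACKAGE, 2, EXPORTED_BOM, APPROVED_BOM):
        print(finding)
```

The comparison only means something if the approved BOM and the ordered layer count come from a record kept outside the EDA tool that produced the export.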
As a part of a highly targeted attack on a single device, maybe. It would have to involve specialist knowledge and manual work to do it. For example, something simple like sabotaging a "mic on" or "camera on" LED might be possible on a complicated design without anyone noticing for a while. Seems a lot of work for little effect though.
Blanket automated modifying of hardware designs to add "spyware in hardware form"? I would say even the "automated" part is impossible at the moment. I've never heard of automation that would understand a hardware design on a level that would be required for that.
In the end, the only modification with a good chance of being missed by the designer is the copper artwork on existing PCB layers. You might add an extra trace, or break an existing trace somewhere. But as soon as your hacked Kicad starts adding BOM items (like an extra "spyware" microprocessor or something) or even extra layers, I guarantee someone is going to notice very soon. If not for other reasons then because these things will add extra $ on someone's bill.
There is no way this could work. The EDA tool (e.g. KiCAD) is only the first step of the fabrication process - you generate Gerbers from your KiCAD board layout, which are a highly standardized format that can be viewed in a variety of independent pieces of software. There are also multiple stages of design validation - both in the design phase, and then in the physical phase of actually inspecting your fabricated boards. The chances of any "malicious" circuitry slipping in are next to nil.
Well, depends on how the Q&A process is in the pipeline after the design.
What I thought of is maybe it might be feasible to sneak in some circuits that reroute e.g. a network port's traffic to a specific public IP/CnC. Depending on how complex the PCB layout is, it could be feasible to encode or modify the modulation of easy network busses (aside from ethernet).
But I guess that would involve deployment of malicious firmware or availability of a specific "malicious" chipset, too, because ethernet is quite complex in the sense that there are too many physical parts necessary to implement it in hardware form.
I was just thinking about the Q&A pipelines in the industrial process. Usually they never validate anything because of proprietary/protected intellectual property contracts, so suppliers down the line always claim it's according to specifications and that is blindly trusted by the manufacturers.
Identifying something like this is much harder in the organizational sense, because it involves a lot of time for verification down the line, and involves a lot of organizational blamestorm before anything really happens to fix it.
> When the KiCad Project formally became a registered project under the Linux Foundation, we attempted to secure the rights to the original domain name from Dick without success.
And then
> Please do not contact Dick about this. He cannot undo the damage at this point
There's got to be more to this story. What happened?
Well, he's never been a team player and he must be doing it out of spite for whatever ego driven reason. He refused to transfer the domain to the rest of the team a while ago.
Searching for "kicad", "kicad pcb" or "kicad-pcb" on DDG, Google, Bing and Brave, only Brave still shows a link to kicad-pcb.org on the first page, so the campaign seems to be going in the right direction.
What about trademark issues? E.g. if I buy coca-cola.net (assuming Coca-Cola forgot to register that domain) and use it to sell watered-down Coca-Cola (or software with adware tacked-on..), doesn't Coca-Cola have a valid case against me?
What if I don't sell watered-down cola, but Pepsi? Would they still have a case, and could the resolution of that case include me losing the domain?
You would 100% certainly lose the domain. However every other trademark in the world is weaker than Coke. KiCAD are working on having the best software not the best lawyers.
DigiKey is the real hero of this story:
> When the KiCad Project formally became a registered project under the Linux Foundation, we attempted to secure the rights to the original domain name from Dick without success.
> In the meantime, Digikey Corporation purchased the kicad.org domain name from squatters and donated it to the KiCad Project.
It’s too bad they didn’t start migrating to the kicad.org domain name earlier. Changing domains is always hard but they should have started the migration at first signs of trouble with the old domain holder, not after he had sold it away.