Clean up quick-start guide and improve security recommendations

[meeg]

This update is motivated by our desire to address the concerns raised in #263 regarding the security weaknesses in the default PYNQ OS configuration; we thank @unprovable for raising these concerns and suggesting mitigations.

• We've had separate quick-start guides for the ZCU216 and ZCU111 which overlapped significantly, and no guide for the RFSoC4x2. This caused some generally applicable information to only be included on one guide or the other. Merged them into a unified guide which should improve maintainability.
• Explain the security flaws with the default PYNQ OS configuration, and give instructions for mitigating them as part of setting up the board.
• Add some tips (for example, about electrical safety) which have come up in various contexts.

[unprovable]

Re: the security update writeup

This is a significant improvement! It's great to see that you're highlighting the risks and asking people to consider explicitly what security steps they may need to take, which is awesome!

Our only comments might be:

• Suggest to users to use a password manager (such as lastpass, 1passowrd, keepassXC, etc.) - two reasons:
  1. they will help manage passwords much more safely - allowing secure password sharing and other features which may be useful in a lab.
  2. They will also help generate secure passwords - there are many writeups and guidelines that may help here, too :-)
• Perhaps you may consider adding a section on adding/using SSH Keys at some point - this may be a future edit, though. Passwords are routinely leaked (mainly because of how they are often stored incorrectly), but SSH private keys much less so.

We hope these comments help - but also want to thank you for taking the concerns we raised so seriously.

[unprovable]

For one illustrative example - humanly generated passwords tend to get written on whiteboards, whilst SSH keys or computer-generated passwords tend not to be. Here's the Event Horizon team disclosing an admin password in a documentary about their work: https://www.linkedin.com/posts/ken-munro-17899b1_er-thats-the-admin-password-on-the-whiteboard-activity-6523314223945117696-878F

[meeg]

Yes, right, I'm aware - I don't want to be prescriptive about passwords because a password strategy that doesn't fit in a group's flow is more likely to be ignored or applied poorly (e.g. whiteboard).

Password managers, password generators, and SSH keys are good things to mention and will make it in the next time this guide gets updated, but password managers don't mesh very well with SSH, and SSH keys aren't trivial to set up with PuTTY (easy for you and me, but there are some points where a new-to-SSH Windows user can get stuck - and the typical QICK user really is a Windows user who needs a step-by-step walkthrough for anything in the *nix world), so there is no golden path here and these are going to stay at the level of "these are some other options you should consider to enhance security, here are some links to learn about them."

To keep this all in the right context - I think it's important to give users the right security concepts and tools for their toolbox and help them make their systems appropriately secure, but very few QICK systems go on any network other than a private LAN, and I know of no QICK systems where an attacker could accomplish anything other than destroying the QICK (even there it's not obvious that you could do anything more than delete everything, which would ruin a grad student's week but that's it).

[unprovable]

If you can help with us setting up a virtual machine that runs PYNQ, or know of (semi-)official ways of doing so, we will competently demonstrate the risks. We did write a short summary of 4 potential risks on our blog post about this work. Cf. the section "How would an attacker use this bug?".

I'll get to work on creating a demo as I explore this system more. Sadly, as I mentioned, I can't afford a $15k controller, but maybe we can demonstrate in a virtual machine or on a cheaper board like the Kria boards that support PYNQ :)

[meeg]

The thing is, QICK is a research tool - nobody is using QICK to run quantum circuits where the result itself is of value, nobody is renting out QICK-based hardware as a service.

Your blog post is correct on the technical side, and that's what we responded to. Where it speculates about applications and impact, I take issue. The cure for that is not running the OS (it really is pretty much just Ubuntu) or even getting a board, it's reading up on what people are doing with QICK.