Turns out it was reported to Western Digital in 2018. But since the devices were end-of-lifed in '15, they decided not to push an update that would have prevented this happening to their customers.
Nice company.
Here's the even better part.
It's possible the bug lives on in another of their products: "Wizcase [the security researcher who found the flaw] said the flaw it found in MyBook devices also may be present in certain models of WD MyCloud network attached storage (NAS) devices, although Western Digital’s advisory makes no mention of its MyCloud line being affected."
https://krebsonsecurity.com/2021/06/mybook-users-urged-to-unplug-devices-from-internet/
And now for my rant.
This is why I am fundamentally opposed to Internet of Things devices and needlessly connecting things to the internet. Almost all of the companies that make these devices do not do a good job of supporting them and providing security updates because there's no continuing revenue stream: you buy them, or more precisely, once Best Buy or Amazon buys them, there's no continuing money going back to Western Digital or whoever to pay for their programmers to continue updating the software.
Also, these devices use an older, stripped-down version of Linux as their operating system so that it will run on low-powered CPUs. It simplifies programming and lets it run on lower-end CPUs which saves cost. And is more vulnerable to exploits. In this case, the vulnerability was discovered THREE YEARS AGO, and Western Digital was "*MEH*, not our problem. It's the customer's problem if they get stomped on, because they shouldn't be using hardware past its end of life connected to the internet."
How many people buying these devices and connecting them to the internet are security experts?
I'm not raising my hand, because I'm not a security expert. I know more than most non-experts, but I'm not a trained and certified expert. I do know enough not to trust things connected to the internet because they're inherently not trustworthy. The makers have no profit motive to keep them secure, and when it comes to devices like Alexa and such, while they are convenient, they are there to suck marketing information from your life. If you don't mind that, fine. I have no problem turning on lights and my stereo and selecting my own music by myself and I can look at the weather app on my phone to know if it might rain. Yes, I'm a bit of a luddite. I prefer to avoid my devices potentially being compromised.
The mistake people made with these Western Digital devices to access files across the internet was already a solved problem. It's known as SFTP. Western Digital is known for one thing - making hard drives. That's it. People shouldn't rely on them for anything beyond that. If you have a real need to access files remotely, then get a hosting account and/or set up an SFTP server and get your files that way.
A friend of mine did that exact thing when he did remote file installs for a software company: he traveled around the country doing these setups and kept software packages, updates, help scripts, etc. on a server in his house that only he could access. Nowadays he could probably carry everything on a bunch of USB flash drives, but not back then.
I think the big question is, do you really need to access all that data remotely, or do you just think it would be cool to be able to? And do you really need two terabytes worth, or could you pare it down to the point that it could fit in Dropbox/OneDrive/iCloud/Googlewhatever? Do you really need instant access to a letter that you wrote twelve years ago cancelling a credit card?
One last thing about backups and the value therein. There are three basic purposes to backups. One is catastrophic recovery: computer theft, hard drive crash, something like that. One is accidental file overwrite, another is file deletion. In the case of deletion, usually you can get it back from the recycle bin, but not always. In the case of overwrite, your only recourse is from backups, those are true OMG! moments. I've done that before. Recovery from backup is only as good as your most recent backup.
But here's the problem: system administrators have a rule of thumb that you don't have a backup until you've tested it by restoring a file from it. And you don't have a safe backup system unless you have at least one copy stored away from your home or business, i.e. off-site. If you're retired, this becomes a little tricky. Me, I have two sets of backup disks. At the start of the month, I take the disk that my iMac currently backs up to into work with me, and it goes into my desk. The disk that's there comes home, and gets plugged in. There's a second disk there that I use to back up our laptops, we currently have three. I refresh those monthly and that disk gets stored in a fire-resistant lockbox that we have here at the house, swapped with its partner at work.
I can inspect those disks with my laptop at work and test them when I have time. And I misspoke, we have four laptops: I also have a Windows laptop that has a slightly different backup routine, but that's another story. I'll talk about Windows backups another time.
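The "you don't have a backup until you've restored from it" rule above, as an added shell example that is not part of the original post: it restores a tar archive into a scratch directory and compares SHA-256 hashes of every live file against its restored copy, so a stale or incomplete backup shows up as a MISSING or MISMATCH line. The sample files and paths are constructed for the demo.

```bash
#!/bin/sh
# Added example, not from the original post. Requires tar and sha256sum.
set -eu

# verify_backup SRC_DIR ARCHIVE
# Returns 0 when every file under SRC_DIR restores from ARCHIVE with an
# identical SHA-256; otherwise prints the problems and returns 1.
verify_backup() {
    src="$1"; archive="$2"
    scratch=$(mktemp -d)
    tar -xf "$archive" -C "$scratch"          # the actual restore step
    problems=$( (cd "$src" && find . -type f) | while read -r f; do
        if [ ! -f "$scratch/$f" ]; then echo "MISSING  $f"; continue; fi
        live=$(sha256sum "$src/$f" | cut -d' ' -f1)
        restored=$(sha256sum "$scratch/$f" | cut -d' ' -f1)
        [ "$live" = "$restored" ] || echo "MISMATCH $f"
    done )
    rm -rf "$scratch"
    if [ -n "$problems" ]; then echo "$problems"; return 1; fi
    return 0
}

# demo: constructed sample tree, one good check and one stale-backup check.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/src/docs"
    printf 'cancel card letter\n' > "$d/src/docs/letter.txt"
    printf 'family photos index\n' > "$d/src/photos.txt"
    tar -cf "$d/backup.tar" -C "$d/src" .
    verify_backup "$d/src" "$d/backup.tar" && echo "backup restores cleanly"
    # A file edited after the backup ran: the restore no longer matches it.
    printf 'edited later\n' > "$d/src/photos.txt"
    verify_backup "$d/src" "$d/backup.tar" || echo "backup is out of date"
    rm -rf "$d"
}

demo
```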
no subject
Date: 2021-06-27 04:38 am (UTC)

no subject
Date: 2021-06-27 04:49 am (UTC)
I find Siri to be pretty hopeless, I don't know if it's my speech pattern or what, so I almost never use it. On rare occasion I can get it to call someone when I'm driving, but it's rare that I use it for such.
no subject
Date: 2021-06-27 10:54 pm (UTC)
I loathe IOT, and prefer never using it. So far, I haven't suffered because my refrigerator can't sext with my dryer.
no subject
Date: 2021-06-27 11:18 pm (UTC)
No, it just strikes me as silly. I can hear my dryer beep to tell me it's done. I don't need to remote-start my washer, that just strikes me as silly. And I'm perfectly capable of keeping a list on my phone of what we need for grocery shopping. The concept of a camera in my fridge just strikes me as weird.
GE applied DRM to water filters for the ice maker/water dispensers on their fridge! You have to buy their brand water filters or it shuts off. OR you buy one filter, cut off the QR code with tin snips, and tape it on to the third-party filter that you buy.
Just because it's new doesn't mean it's better.
Oh hai.
Date: 2021-06-28 04:43 pm (UTC)

no subject
Date: 2021-06-30 06:19 am (UTC)

no subject
Date: 2021-06-30 02:57 pm (UTC)
Oh, I agree. I prefer to drive things until they completely fail, thus the pile of mostly or completely dead laptops that I have. I'm running a 2015 MacBook Pro that's in excellent health, ditto my '15 iMac. I don't know how old my Asus ROG laptop is, I suspect of similar vintage. I try to buy as much of my gear used as possible to save it from increasing landfill, bought a "new" iPad from a pawnshop when we were in Phoenix in May. But the manufacturers have very little incentive to provide unlimited updates, and there's very little to do to change that. Case in point: we have an iPad from 2012, that thing went stale on iOS updates ages ago, and because of that, app updates. Fortunately my wife mostly only plays one game on it. That was the reason for my iPad purchase last month: to give her my less ancient and much less heavy iPad.
no subject
Date: 2021-06-30 04:42 pm (UTC)
Maybe I'm just being an old grump who has built and bought their PCs with the idea in mind that they should last slightly longer than forever and be easy to swap components out, and easy to migrate from one machine to the next without the faff of having to reinstall everything.