thewayne | Entries tagged with hardware

The article describes the disc as 1 Petabit in storage, but you need to divide that by 8 to get it in bytes, so 128,000 gig of storage. Which is pretty good.

They're using a 3D effect to pack in 100 layers of data to achieve this density. The problem is, this is 'researchers from...' In other words, 'We've done this in a lab! Er... lab model.' We don't have a working prototype shown, we don't know what kind of read/write speeds, we don't know longevity or durability.

In other words, it's sort of vaporware. Could be really nice if it happens, if they ever start showing off production samples, when we can believe a little more of it. Show me an entire season of General Hospital on a single disc, I'll be impressed.

Of course that would require a new series of DVD/BR players, but for something like that, could be worth it. Could even return disc burners to desktop PCs. Or not.

I am reminded of a similar piece of vaporware from the late '80s/early '90s, someone claimed to have created a laser-written crystal lattice storage form, think something along the lines of the little data cartridges they carried around in Star Trek TOS. I think they were claiming something sized along the lines of 35mm slides. Promised amazing storage density at the time, which by now might be laughable. But never saw the light of day.

https://gizmodo.com/meet-the-super-dvd-scientists-develop-massive-1-petabi-1851272615

Interesting stuff. It might have been hack squad versus hack squad warfare!

There were two flaws present in the code on the WD drives. Now, keep in mind that the drive must have a CPU and an operating system to serve up files on the internet: it has to be an intelligent device. And what does this mean for hack squads? BOTNET! As I said, there were two exploits in the OS on the wiped drives, either one was sufficient to compromise the drive and make it a slave for the botnet, which means drives were probably subservient for several years.

Now, here's the sad bit. One of the flaws in the code was particularly tragic: it had the code to enforce a strong password, and for reasons unknown - it was commented out. Completely nullified. So if you were able to get in and study this code, it was trivial to access full admin privileges on the drive. And all you needed to do was network map to find these drives as they had to be publicly accessible to fulfill their role as storage available across the internet.

It turns out you only need one of these exploits to seize control of the drive, not both.

So why would you need access to both?

Back to the second flaw. There is a rumor going 'round that another gang wanted a piece of this WD drive botnet army. They couldn't get access to it, but they could screw over the first gang. So they launched an attack via the second flaw and did a reset on all the drives to deny the first gang access to their botnet army.

It is a theory that has popped up, a possible explanation for why the second hole was exploited by different IP addresses than the first hole.

There's some deeper bad news.

There's a White Hat hacking contest called Pawn2Own, where good guy hackers try to crack the latest in hardware and software, and if they are the first among the competing groups to succeed, they get the hardware and a cash prize. As part of the contest terms, they turn over their exploits to the companies involved so they can toughen their systems. A group was going to go to Japan a couple of years ago with a great hack against Western Digital's Cloud OS 3, and right before the contest WD released their OS 5 against which their hack didn't work. Bad luck for them. Still, they sent their documentation and code to WD for them to fix OS 3.

Care to guess whether or not OS 3 was ever patched?

There's an unknown number of Cloud OS 3 installations out there with weak and exploitable operating systems, that cannot or will not be updated. And WD's answer is 'they should update to 5'. So odds are that we're going to hear the exact same story in the not too distant future.

And believe it or not, there's some amazingly good news.

For people whose drives have been wiped, and this is truly amazing, Western Digital has retained a data recovery service and is providing that service for people with wiped drives FOR FREE!

Data recovery is a VERY expensive service, we explored it when we had a RAID array break at a place I once worked at: they charged a ton and recovered nothing worthwhile, but this was about 20 years ago, hopefully things have improved since then. I have read that in many cases that after the wipe, people's directory trees were intact, which leaves a little hope that the files are there, that just the directory information was clobbered. So people might get lucky.

We shall see.

https://arstechnica.com/gadgets/2021/06/hackers-exploited-0-day-not-2018-bug-to-mass-wipe-my-book-live-devices/

https://krebsonsecurity.com/2021/07/another-0-day-looms-for-many-western-digital-users/

Crossposts: https://thewayne.livejournal.com/1229775.html

Turns out it was reported to Western Digital in 2018. But since the devices were end-of-lifed in '15, they decided not to push an update that would have prevented this happening to their customers.

Nice company.

Here's the even better part.

It's possible the bug lives on in another of their products: "Wizcase [the security researcher who found the flaw] said the flaw it found in MyBook devices also may be present in certain models of WD MyCloud network attached storage (NAS) devices, although Western Digital’s advisory makes no mention of its MyCloud line being affected."

https://krebsonsecurity.com/2021/06/mybook-users-urged-to-unplug-devices-from-internet/

And now for my rant.

This is why I am fundamentally opposed to Internet of Things devices and needlessly connecting things to the internet. Almost all of the companies that make these devices do not do a good job of supporting them and providing security updates because there's no continuing revenue stream: you buy them, or more precisely, once Best Buy or Amazon buys them, there's no continuing money going back to Western Digital or whoever to pay for their programmers to continue updating the software.

Also, these devices use an older, stripped-down version of Linux as their operating system so that it will run on low-powered CPUs. It simplifies programming and lets it run on lower-end CPUs which saves cost. And is more vulnerable to exploits. In this case, the vulnerability was discovered THREE YEARS AGO, and Western Digital was "*MEH*, not our problem. It's the customer's problem if they get stomped on, because they shouldn't be using hardware past its end of life connected to the internet."

How many people buying these devices and connecting them to the internet are security experts?

I'm not raising my hand, because I'm not a security expert. I know more than most non-experts, but I'm not a trained and certified expert. I do know enough not to trust things connected to the internet because they're inherently not trustworthy. The makers have no profit motive to keep them secure, and when it comes to devices like Alexa and such, while they are convenient, they are there to suck marketing information from your life. If you don't mind that, fine. I have no problem turning on lights and my stereo and selecting my own music by myself and I can look at the weather app on my phone to know if it might rain. Yes, I'm a bit of a luddite. I prefer to avoid my devices potentially being compromised.

The mistake people made with these Western Digital devices to access files across the internet was already a solved problem. It's known as SFTP. Western Digital is known for one thing - making hard drives. That's it. People shouldn't rely on them for anything beyond that. If you have a real need to access files remotely, then get a hosting account and/or set up an SFTP server and get your files that way.

A friend of mine did that exact thing when he did remote file installs for a software company, he traveled around the country doing these setups and kept software packages, updates, help scripts, etc on a server in his house that only he could access. Nowdays he could probably carry everything on a bunch of USB flash drives, but not back then.

I think the big question is, do you really need to access all that data remotely, or do you just think it would be cool to be able to? And do you really need two terabytes worth, or could you pare it down to the point that it could fit in Dropbox/OneDrive/iCloud/Googlewhatever? Do you really need instant access to a letter that you wrote twelve years ago cancelling a credit card?

One last thing about backups and the value therein. There are three basic purposes to backups. One is catastrophic recovery: computer theft, hard drive crash, something like that. One is accidental file overwrite, another is file deletion. In the case of deletion, usually you can get it back from the recycle bin, but not always. In the case of overwrite, your only recourse is from backups, those are true OMG! moments. I've done that before. Recovery from backup is only as good as your most recent backup.

But here's the problem: system administrators have a rule of thumb that you don't have a backup until you've tested it by restoring a file from it. And you don't have a safe backup system unless you have at least one copy stored away from your home or business, i.e. off-site. If you're retired, this becomes a little tricky. Me, I have two sets of backup disks. At the start of the month, I take the disk that my iMac currently backs up to into work with me, and it goes into my desk. The disk that's there comes home, and gets plugged in. There's a second disk there that I use to back up our laptops, we currently have three. I refresh those monthly and that disk gets stored in a fire-resistant lockbox that we have here at the house, swapped with its partner at work.

I can inspect those disks with my laptop at work and test them when I have time. And I misspoke, we have four laptops: I also have a Windows laptop that has a slightly different backup routine, but that's another story. I'll talk about Windows backups another time.

Crossposts: https://thewayne.livejournal.com/1229459.html

Disconnect it from any internet-side connections, including your computer, RIGHT NOW!

There is a bug, most likely a bad actor hack, that is WIPING ALL CONTENT FROM THESE DRIVES!

And if your drive is encrypted, this data loss is likely permanent! Lots of people have already lost years worth of data to whatever it is that's happening. Part of the problem is these drives are accessed via a cloud infrastructure, I'm guessing someone is figuring out how to map local IP addresses in this cloud system, found a weakness in their management software, but hasn't yet written a bot to wipe them en masse and is doing them pretty slowly - for now.

So eject the drive from your Windows Explorer or Mac Finder and and disconnect the ethernet cable to it, optionally just power it down until Western Digital figures out just what is going on and gets a fix released. These drives received their last update in 2015, which means they'd be long-past dead where I live, but probably working fine for lots of people at lower altitudes.

And PLEASE, copy this and post it publicly on your blog if you have a lot of computer people who are likely to have infrastructure like this on their systems! This needs to be spread far and wide, hopefully faster than people's external drives are getting wiped!

https://arstechnica.com/gadgets/2021/06/mass-data-wipe-in-my-book-devices-prompts-warning-from-western-digital/

Crossposts: https://thewayne.livejournal.com/1229247.html

Always strive to learn something useful. --Sophocles

You are coming to a sad realization. Cancel or allow?

Entries tagged with hardware

New super writable DVD(ish) disk stores 128,000 GIG of data!

Some more info on what was behind the Western Digital drive wiping, and some good news

More on that Western Digital hard drive remote wipe, and a rant

If you have a Western Digital My Book Live backup drive connected to the internet, READ THIS!!!

Profile

June 2025

Syndicate

Most Popular Tags

Page Summary

Style Credit

Expand Cut Tags