[HN Gopher] Another 0-day looms for many Western Digital users
___________________________________________________________________
Another 0-day looms for many Western Digital users
Author : danso
Score : 276 points
Date : 2021-07-02 16:14 UTC (6 hours ago)
(HTM) web link (krebsonsecurity.com)
(TXT) w3m dump (krebsonsecurity.com)
| fnord77 wrote:
| when this whole unfortunate thing is done, will there be a lot of
| cheap WD nas drives on ebay?
| ocdtrekkie wrote:
| So, for those who don't know: Your MyCloud will spam you six
| times a day about firmware updates if you didn't update. They
| replaced the vulnerable OS back in March. So people probably
| should know/have done this by now. It's hardly a zero-day at this
| point: It was fixed months ago.
|
| Second, and I feel like this should be obvious: People should not
| be exposing their NAS appliance directly to the Internet! Stop
| doing it. Just don't. If you do, you deserve what you get,
| because you intentionally went into your consumer-grade firewall
| and poked a hole in it.
| markzzerella wrote:
| Except for the folks that can't update and WD won't provide a
| patch, telling them to buy a new device.
| MrStonedOne wrote:
| > They replaced the vulnerable OS back in March.
|
| When a full rewrite that removed functionality, so some users
| aren't going to bother to update, and as far as I'm concerned,
| thats on WD, not the users.
| ocdtrekkie wrote:
| It's still not a zero day: Fixed software has been available
| for months. And it's free.
| GekkePrutser wrote:
| Are you sure it's always intentional? There might be some UPnP
| thing going on here.
| ocdtrekkie wrote:
| Possible, though we should shame any routers that still allow
| uPnP. The horror. And MyCloud does default to local only
| communication.
| DiabloD3 wrote:
| I don't think you understand that they use dark patterns that
| default to the incorrect, dangerous, behavior.
|
| Western Digital is not free of sin.
| causality0 wrote:
| Products that rely on third party servers to function should be
| required to carry an expiration date that guarantees service and
| security patches up to that date.
| userbinator wrote:
| No, that's even worse. It's called planned obsolescence.
|
| Instead, along the same lines as right to repair, such products
| should be required to release the firmware source code.
| Frost1x wrote:
| Planned obsolescence seems better than unplanned
| obsolescence? If your uniformed consumer were informed of the
| lifetime of the product they buy, they _might_ not be conned
| into buying things your informed consumer is aware of and
| avoids.
|
| That's good because, as of current, when the population of
| uninformed consumers drive market forces, they often push out
| the options informed consumers would choose or at the very
| least, create trends towards the uninformed bias purchases
| that force informed consumers to start choosing the same
| options as well or drive up prices for the products informed
| consumers often buy due to lessened demand.
|
| You know, when a bunch of people decide we'll let businesses
| stop producing devices we can repair or put out rent-seeking
| price structures and the rest of people are forced to use
| those options, all because of large scale manipulation of
| consumer perception. Then we end up with markets filled with
| garbage with fluffy profit margins for their owners... Then
| again, cigarettes still have a large market somehow, so maybe
| we're out of luck either way.
| [deleted]
| conductr wrote:
| I feel like this is implied or should be. Even if not explicit,
| you _should_ know you can 't get unlimited software updated
| into eternity which is what I believe you're saying omission of
| an expiration date means.
| causality0 wrote:
| Sure, _I_ know that, but the average consumer doesn 't. When
| an average consumer buys a thermostat for ten times what she
| paid for her last one she expects it to last twenty years
| like her last one did. When a ten year old buys a videogame
| he expects it to be playable until he throws it away or sells
| it. "People shouldn't be so naive" is not the correct
| response to the precipitous decline in the quality of
| consumer goods.
| sp332 wrote:
| They still support this device and there is an OS update that
| closes the vulnerability.
|
| They are providing data recovery services to customers of the
| older devices. Would have been nice if they warned those
| customers about the vulnerability when they found out about it,
| even if the fix was to buy another $X00 product.
| ineedasername wrote:
| _there is an OS update that closes the vulnerability_
|
| Not for all devices: The article indicates that some may not
| be compatible with OS 5 and that WD says those customers
| should buy a new one.
| MrStonedOne wrote:
| and its a full rewrite of the OS that is missing some
| functionality used by users.
| naikrovek wrote:
| who cares about missing functionality when compared with
| deletion of your data?
|
| surely deletion of data is worse alternative to losing
| the ability to theme the web UI, or whatever.
|
| this is why Microsoft has so many updates so often for
| Windows 10. security issues which require no intervention
| from the victim are VERY REAL, and when left alone,
| _users will not update_. this has been proven time and
| time again. A user can take no action and still be
| vulnerable today when they were not yesterday. this WD
| instance is yet another example of users not knowing what
| is best for themselves; not knowing to update their
| devices, or to take their devices off of the internet.
|
| there are secure, free, easy-to-setup ways to access
| files over the internet on a NAS which does not have
| internet access...
|
| WD will hopefully force users to update in the future for
| internet connected devices, and for devices that go out
| of support, and can no longer receive updates, WD should
| take them off the internet as a final action, to protect
| the consumer.
|
| THIS EXACT SITUATION is why updates should be forced on
| users.
|
| nothing shoots itself in the foot as often or as
| thoroughly as a user that doesn't know what they're
| doing, believing they know what they're doing.
| MrStonedOne wrote:
| This exact situation is why users don't update.
| seventytwo wrote:
| WD has been cutting engineering corners for years. It's finally
| catching up.
| WalterBright wrote:
| "they discovered a chain of weaknesses that allows an attacker to
| remotely update a vulnerable device's firmware with a malicious
| backdoor"
|
| Once again, this is why firmware needs a hardware write-enable
| switch, not a software one.
|
| Cue the arguments that remote updating is needed to fix bugs that
| allow remote updating. :-/
| crazygringo wrote:
| I'm genuinely curious -- is there any empirical evidence to
| show that's the most effective approach?
|
| Because then the firmware can never auto-update, but needs to
| be manually and explicitly done -- flick the switch, apply the
| update, flick again.
|
| And clearly a significant proportion of people (probably a very
| large majority if we're being honest) will simply never update
| firmware.
|
| So which is the bigger threat: unpatched firmware, or firmware
| auto-update vulnerabilities?
|
| The answer doesn't seem intuitively obvious at all to me. But
| there must be stats available -- frequencies and severities of
| vulnerability categories, and how often people update firmware
| on non-auto-updating devices. So it doesn't seem terribly hard
| to compute an answer?
| [deleted]
| wccrawford wrote:
| "Cue", not "Queue".
| WalterBright wrote:
| Fixed.
| [deleted]
| anonuser123456 wrote:
| That might add an additional 1$ to the BOM. In quantity of 10
| million, that's a lot of extra money for a feature that maybe
| 100 people will use.
|
| Not arguing against the idea, just saying that the economics
| will never work in favor of this.
| WalterBright wrote:
| That's why I've suggested that every time you buy a disk
| drive, when posting a review, take off 1 star for no write-
| enable switch.
| tinus_hn wrote:
| I suggest everyone who has a use for such a switch do that.
| But I think they already do that.
| gowld wrote:
| Add $1 to BOM, add $2 to price, problem solved.
| anonuser123456 wrote:
| As someone that works with OEMs in the semiconductor
| business... I wish this were true.
| WalterBright wrote:
| I want hardware switches for:
|
| 1. firmware updating
|
| 2. write-enable for disk contents
|
| 3. turning the microphone on
|
| 4. turning the camera on
|
| In a surprise development, the webcam I just bought comes with
| a flip-up lens cap. Yay! It's Nexigo, they deserve a shout-out
| for this. But in the Dept of Half-Assed Features, the lens cap
| does not disable the microphone, so I still have to unplug it
| when not in use.
| fsflover wrote:
| > I want hardware switches for
|
| Here you go: https://puri.sm/security/.
| folmar wrote:
| Also PinePhone.
| pengaru wrote:
| pinephone's hardware switches are kind of an afterthought
| and not particularly accessible, being behind the battery
| cover in the form of a tiny block of DIP switches better
| suited to one-time configuration.
| fsflover wrote:
| Exactly. With Pinephone, you will not be able to switch
| on your microphone while receiving a phone call, unlike
| with Librem 5.
| adolph wrote:
| Bug or feature is that?
| fsflover wrote:
| Depends on whether you need a microphone during a phone
| call.
| agilob wrote:
| >3. turning the microphone on
|
| instead we have undocumented microphones for 'future
| purposes'. Thanks Google
| ManBlanket wrote:
| My workstation came equipped with a removable piece of
| masking tape I found in the supply closet.
| reaperducer wrote:
| _2. write-enable for disk contents_
|
| It's funny how such basic things from the past were thrown
| away. Every floppy disk ever had this.
|
| However, i also believe that if such a thing existed for
| modern gear, it would only be used by 1% of people, and even
| then, mostly accidentally, resulting in millions of trouble
| tickets. So I'm not sure what the compromise is.
| WalterBright wrote:
| I don't buy the argument that if not everyone uses it,
| nobody should get it.
|
| BTW, I would read TV repair manuals as a kid (yes, weird).
| There was always the "check to see if it is plugged in".
| Plugging TVs in made a lot of money for service people.
|
| I see similar things in car manuals for car won't start.
| "Put gas in it."
|
| Edit: This was back in the days when you could repair a TV
| with a soldering iron and a screwdriver. Every hardware
| store had a tube testing machine. I'd have fun by randomly
| swapping the tubes that fit in the same socket and seeing
| what effect that would have on the TV's operation.
| Stratoscope wrote:
| And of course, blow the dust out of the connector!
|
| https://devblogs.microsoft.com/oldnewthing/20040303-00/?p
| =40...
|
| I was also the family "TV tube test person" as a kid. I
| must have been around 6 or 7.
|
| For the young'uns, TV sets used to have tubes and hand-
| soldered point-to-point circuitry. Just like an ENIAC, a
| tube TV would always "go on the fritz" as the tubes
| burned out.
|
| My dad showed me how to pull out all the tubes, and we
| would put them in a cigar box and go to the little corner
| grocery, which had a tube tester in front. I would dial
| up all the settings for each tube and test it, and we
| would buy replacements for the bad ones. Take them back
| home and I would plug them in, and the TV worked again!
| Dad was always generous and made sure I got credit for
| it.
|
| BTW did you ever get to discharge the high voltage
| connection to the picture tube with a screwdriver and
| wire with alligator clips? One clip to chassis ground,
| the other to the screwdriver, then slip the screwdriver
| under the rubber insulated connector, and BANG!
|
| https://en.wikipedia.org/wiki/ENIAC
|
| https://en.wikipedia.org/wiki/Vacuum_tube
| fullstop wrote:
| SD cards had this, but it's up to the driver to respect
| that. There is nothing in hardware preventing writes, it's
| just a signal to software saying "Hey, please don't write
| to me!"
| numpad0 wrote:
| I don't remember PATA(IDE) disks having Write Enable jumper
| settings. Apparently some parallel SCSI drives had them but
| pretty rare for non-removable media at all.
| WalterBright wrote:
| I do remember them. I'm old.
| elric wrote:
| Microphones are ... tricky. I remember seeing a proof of
| concept of using laptop speakers as a microphone. And more
| recently, I read about using the mouse to "listen" in on the
| environment. Apparently the sensors in mice are sensitive
| enough to detect a lot of vibration. Not good enough to
| listen in on a conversation, but give it time ...
| bjt2n3904 wrote:
| A "firmware update" hardware switch is challenging to
| implement. A "read only" switch means you have to separate
| your firmware and your configuration into two separate
| storage devices.
|
| Hardware switches are easier for microphones and cameras,
| because you literally cut the power for a device.
| Scoundreller wrote:
| Challenging, but almost always possible.
|
| Most flash chips have a write-enable line that you can put
| a switch on. Usually have to cut a trace but often can
| avoid soldering right to the legs by following traces.
|
| Was a common thing to do to receivers ("Integrated Receiver
| Decoders") back in the paytv days. Thankfully they had
| firmware on a parallel eeprom and config stuff on a smaller
| serial eeprom (that could handle 1m writes instead of 1k
| writes). Receivers could have a lot of wires especially
| after they implemented some lock-detection that had to be
| countered with some 74ac logic that could disrupt the 2nd
| step of starting a write job.
|
| Should be doable for something like a router or cable
| modem, but maybe not on something like these WD drives.
| Like a mod chip without having to worry about the vendor
| trying to counter you.
|
| Of course you're still screwed if something is only non-
| persistent but at least any issues are resolved with a
| simple reboot.
| ComputerGuru wrote:
| > A "firmware update" hardware switch is challenging to
| implement.
|
| No, it's not. The actual low-level chip on the flash has a
| separate pin that must be connected to ground to enable
| writes.
| bjt2n3904 wrote:
| I'll tell you what!
|
| You make an embedded Linux device with a read only
| partition based on a hardware switch. You figure out all
| the bugs that are caused by software not being able to
| write temporary files to disk. You figure out how to do
| configuration management on a separate system with
| something more complicated than a ten line YAML file.
|
| Want to change your password? That's /etc/shadow -- did
| you some how rig that up to be writeable, while the rest
| of /etc was not? Also, since I presume your management
| decided to not let the users have root, because of course
| they did... You'll need to resort to software tricks to
| make sure the user can't change the root password.
|
| Oh, and remember. No software read only tricks. Hardware
| switch.
|
| Please let me know when you finish, I'll help audit your
| system.
|
| Last edit: To all the reply guys, yes. I know it's
| possible. My statement is it isn't easy, and there are
| many challenges. (Especially compared with the simplicity
| of a power cut switch to a webcam.)
|
| I can make you a microcontroller with a firmware update
| switch that blinks a light. By the time you scale that up
| to a full fledged embedded Linux system with a board
| designed in house, with weird hardware that is keeping
| you back on Linux 3.16 because nobody knows how to port
| your drivers, with cryptographically signed updates,
| fault tolerant firmware slots, and a nasty stack of
| software developed by web devs that can't fathom why they
| can't write to disk, that has to interoperate with legacy
| hardware and systems, that has a management bureaucracy
| that can't understand why it's taking so long to
| implement the new media server plugin, and devices in the
| field aren't getting automatic updates...
|
| No. No it's not easy. Part way through, management will
| kill the project, you'll end up with a switch that's read
| in software, and eventually wind up on the front of HN as
| someone who did security wrong.
|
| But by all means, take your "easy" idea to WD and tell
| them you'll have it working on their devices by Q1 2022.
| ikiris wrote:
| Dude, this is basic overlay filesystem stuff / just look
| at every live image ever.
| ComputerGuru wrote:
| I've already done it, and it's not that hard. Others have
| done more. It's the best way to avoid SD card or flash
| write wear. My production devices default to read-only
| mode and must have a dip switch toggled before any
| changes persist beyond the shadow ram-resident overlay
| that resets at power cycle.
|
| (Aside: As for my idea of a configuration system, I've
| developed entire [incremental!] build systems that take a
| kernel source tree and configuration files and generate
| fully boot-ready images with drivers, packages, and even
| GUI support down to specifying the themes and customizing
| panel layouts, and more via a fully declarative syntax.
| The images have been booted on commodity hardware not
| under our control spanning some twenty-plus years of
| technology on more than a 100k machines. This is HN: not
| everyone is merely an armchair expert in whatever the
| topic of discussion is for today. It can be beneficial to
| assume expertise is out there and seek it rather than
| deny things are possible.)
| philips wrote:
| You can use an overlay filesystem to do this or do like
| CoreOS or ChromeOS and have a read only root with
| necessary symlinks to a writable directory. Systemd also
| has helpers for this.
| EvanAnderson wrote:
| I thought that was a solved problem w/ "unionfs" or such.
| Lots of Linux-based devices boot from read-only media.
| NavinF wrote:
| Have you ever used a Linux LiveCD? Or booted a machine
| off the network? The latter is a very common way to
| operate servers.
|
| In both cases you can write to the filesystem just fine.
| The writes just stay in RAM and don't get committed to
| disk.
|
| There are cons to this approach, but you've listed none
| that apply in the real world
| bjt2n3904 wrote:
| I've built a BusyBox image that TFTPs over to do the
| initial firmware flash, all ramdisk based. I've got
| physically write protected ICs on my boards. I almost
| rigged up my board to do write once NOR flash for U-boot.
| I know read only systems can be built, and everything
| else can be tmpfs. (And infact, I've built them.)
|
| People seem to be thinking I'm saying this is impossible.
| I'm not, I never did. I'm sorry I'm frustrated, but it's
| difficult to respond to things you didn't say.
|
| I'm saying, compared to a power cut switch for a webcam
| (which, I seem to remember even Apple screwed up
| accidently), a write protect switch is more challenging.
|
| A power cut switch is mostly challenging mechanically.
| How do I get the dang thing on the case? But otherwise,
| that's the only consideration.
|
| For a truly hardware based write protect switch that
| disables write capabilities at the silicon level, you
| have to adapt your image, your software, your hardware,
| and many of your procedures for the bring up process.
|
| Is that challenging? For some people in this thread, I
| suppose not. But compared with a power cut? Orders of
| magnitude more challenging. Especially when you are
| bringing this to a massive codebase that hasn't had this
| as a design consideration.
| cesarb wrote:
| Often, the same chip is used for more than just firmware.
| For instance, for UEFI firmware AFAIK it's common to have
| the UEFI variables stored on the same flash chip; not
| being able to write to these variables will break more
| than just firmware update.
| mananaysiempre wrote:
| I don't know how PC hardware does it, but
| microcontrollers typically have separate "flash" (large,
| less write cycles, requires complex rituals to write,
| executable) for programs and "EEPROM" (small, more write
| cycles, requires little if any preparation to write,
| often non-executable) for configuration and (very
| lightweight) logging. Prohibiting writes to the former
| but not the latter shouldn't be particularly difficult,
| although I've yet to see a chip that would actually do
| it.
| ComputerGuru wrote:
| This is actually why bios chips fail so often in personal
| computers.
| ComputerGuru wrote:
| Yeah, it's a bit more nuanced in practice. Most chips now
| have the ability to specify ranges that are locked or
| unlocked which then have different requirements for what
| it takes to write to them, and treat the /W line
| differently depending on that configuration. But they're
| also 20c parts, so using two chips isn't crazy (many use
| multiple either as backup or for the different components
| anyway).
| LeifCarrotson wrote:
| The firmware and configuration are already split into
| several devices. These machines have Arm Cortex A9 and
| similar processors that go through several stages to start
| up:
|
| First, some internal boot ROM, likely with fuses burned in
| for the particular IO configuration, reads a bootloader
| (likely Das U-boot) from external flash memory. That first-
| stage bootloader initializes the parallel/SPI NAND/NOR
| flash interface and DRAM controllers, and then launches the
| second-stage bootloader. The second-stage bootloader uses
| those memory controllers to read the firmware image out of
| memory into RAM, then executes it.
|
| If you want to update the firmware - more precisely, to
| change the location or signature of the image that should
| be loaded by the second-stage bootloader - it would be
| trivial to add a check for a GPIO switch to allow or deny
| changes.
| edoceo wrote:
| Challenging? I think you mean fun.
| jackpirate wrote:
| > 3. turning the microphone on
|
| Most people are surprised that speakers can be used as
| microphones by "running them in reverse", and so you also
| need a hardware switch for your speakers to maintain privacy.
| tux1968 wrote:
| This may be a horribly naive question, but do computers
| have the circuitry/sensors required to treat speakers as an
| input device?
| staticautomatic wrote:
| Sure. Try setting a pair of headphones as a mic and then
| talking into them.
| Dylan16807 wrote:
| If you're worried about a secret hardware input attached to
| the speakers, you might as well be worried about a secret
| extra microphone. And at that point switches won't help at
| all.
|
| If there's non-secret hardware inputs on the speakers...
| it's probably easier to just remove that.
| LukeShu wrote:
| You've misunderstood. There's no extra hardware, secret
| or non-secret. It's possible to run devices in reverse.
| Take a computer with separate headphone/microphone jacks
| (not the combined jack), and plug a speaker in to the
| microphone jack and scream in to the speaker; the speaker
| hardware works just fine as a (crappy) microphone. Or try
| the opposite, plug a microphone in to the speaker jack
| and turn the volume up, you'll hear sound coming out of
| the microphone.
| Dylan16807 wrote:
| If the user plugs their speakers into the microphone
| jack, that is either a deliberate act or a mistake that
| will be quickly fixed. It's not a threat to the user.
|
| The threat is if the _speaker jack_ has recording
| hardware. That 's why I said "attached to the speakers".
|
| If you're thinking about adding a switch to disable
| recording via the speaker jack, for safety purposes, you
| should probably just remove that capability entirely.
| beerandt wrote:
| The point is that jacks are software configurable on most
| computers. So a speaker jack is a setting change away
| from being a microphone jack.
| kortilla wrote:
| No, everyone understood just fine. The point is that
| speakers behind an amplifier can't be used as a
| microphone with just a software change. And if you're
| worried about malicious hardware that would allow that,
| then you might as well be worried about an extra hidden
| microphone.
| zootboy wrote:
| While technically true, in most real life situations, this
| is not possible to exploit. If the speakers have an
| amplifier in line with them, they will not work in reverse.
| If the speakers are built in to a laptop, the driver
| circuitry will not allow them to work in reverse.
|
| Pretty much the only way this might be possible is if you
| had an audio port that was capable of functioning as both a
| TRS output and a TRS input (not a TRRS "headset" port), and
| had a set of headphones plugged into said port, and had a
| piece of malicious software that was able to reconfigure
| the port to act as an input.
| orbital-decay wrote:
| _> Pretty much the only way this might be possible is if
| you had an audio port that was capable of functioning as
| both a TRS output and a TRS input_
|
| Most embedded PC sound cards made in the last few years
| have this.
|
| (also, you'll need headphones without an amplifier as
| well!)
| WalterBright wrote:
| When I was a boy I'd hook up a speaker to a phono input,
| which made a great PA system! An even longer wire
| attached to the phono input turned any amplifier into an
| AM radio.
|
| A simple intercom is just two speakers, one on each end,
| wired together in a loop.
| pengaru wrote:
| Nice!
|
| In my childhood I took apart a broken WalkMan and
| discovered if I connected a random ~8" loudspeaker driver
| in the tape head's place, I could eavesdrop on my
| siblings and parents from across the house by placing the
| speaker against the walls or floor, complete with volume
| control and everything.
|
| It was incredibly sensitive, and infuriating to learn how
| much everyone was constantly lying and talking behind
| eachother's backs at that age.
| gruez wrote:
| >and had a piece of malicious software that was able to
| reconfigure the port to act as an input.
|
| That's actually a feature of many realtek sound drivers.
| https://www.reaper-x.com/2012/02/13/how-to-remap-
| retasking-r...
| LudwigNagasena wrote:
| Shouldn't it be possible to disallow this on the level of
| the sound card?
| luke2m wrote:
| My new Lenovo has a built in camera cover which was a nice
| surprise, but only a software hotkey for the mic.
| caleblloyd wrote:
| I recently bought USB off/on switches [1] for the external
| webcam and microphone on my desktop. I think they control the
| power line and not the data lines, but they do the trick.
| Reduces port fatigue and USB orientation frustration.
|
| [1] https://www.amazon.com/gp/aw/d/B08M44D79T
| jareklupinski wrote:
| funny story, i just spent a day troubleshooting why a
| microcontroller would not reset after cutting its power
| lines
|
| turns out it was leeching power from another still-active
| device through its data pins!
|
| there was not enough power flowing through this way to
| actually do something, but there was enough to keep the
| brownout detector from kicking in and resetting the chip
| a1369209993 wrote:
| To be fair, the 'correct' way to do this is to use a
| double-pole switch that actively pulls (whole-device) VCC
| to ground when off, but that has it's own problems,
| especially if any of your sensors are capable of
| generating electricity on their own (piezoelectric
| microphone, radio reciever, alleged photo'transistor's
| that can operate photovoltaicly, etc).
| formerly_proven wrote:
| I mirrored the pinout of an AVR once and spent a few
| hours debugging why ISP wasn't working (so I unsocketed
| it for programming) and all the pins were wrong. It
| worked just fine pulling ground and Vcc from the I/O pins
| just opposite. These are of course fairly low-power 1.8-5
| V devices, so when run on 5 V there is a huge margin for
| the supply voltage.
| phaker wrote:
| You were powering it through the protection diodes.
|
| Some 10-15 years ago someone built dirt simple radio tags
| this way. Just a microcontroller, with a capacitor and an
| antenna trace connected to some io pin. I loved that
| hack.
| myself248 wrote:
| https://scanlime.org/2008/09/using-an-avr-as-an-rfid-tag/
| thechao wrote:
| Now I _really_ want a USB blade switch.
| WalterBright wrote:
| I didn't know those existed. Nice! But it does have a
| serious flaw - no indication which switch position is "On"
| or "Off". C'mon, makers!
| bonestamp2 wrote:
| True, but that flaw can be addressed with a label maker.
| WalterBright wrote:
| Trust me, I have a label maker and use it :-)
|
| It's really, really helpful to figure out which wall wart
| goes with which device.
|
| Another tip I learned from another. You know those green
| plastic tabs that keep a bread bag closed? They clip onto
| a cable nicely, and write on them with a sharpie which
| device the other end is attached to. That really helps
| with the rat's nest of wires under my desk. One of them
| says "cam" on it :-)
| a1369209993 wrote:
| Also cellophane tape with a chunk of index card inside.
| (More legible on account of high contrast.)
| thechao wrote:
| My boss took my label maker away. Apparently, I am "not
| responsible".
|
| Also, with respect to cables, this is _really_ why we
| need tri-colored braided cables from a reputable dealer
| (ANKER!?): white, black, gray, blue -- that gives 64
| possible combinations!
| uhhyeahdude wrote:
| This is why I just let the NSA do my backup management for me.
| coolspot wrote:
| Easy to recover the backup using a FOIA request too!
| quijoteuniv wrote:
| Every time I read replies or comments from WD the less i want to
| buy anything from them again. Very disappointing as every few
| years i buy 1 drive that backsup all my previous backups plus the
| new stuff. So i guess all my drives are unsupported. Not buying
| any cloud solution, NAS ever. A company not taking care of its
| customers is either not worth investing or are about to go belly
| up anytime.
| conductr wrote:
| Is there a better alternative? Or are the competitors just a
| day away from their own disaster event?
| quijoteuniv wrote:
| Good point, i did go for cheap and redundant with WD. Also i
| like to have spare power suplies, meaning 2 or 3 drives
| Within same line, will use the same. Did that with maxtor 15
| years ago, those drives still work... but are 120GB. Not sure
| which is the brand to buy now. But it looks like is time for
| a change.
| coolspot wrote:
| Best spinning hard drives though, especially after they
| acquired HGST.
| freeone3000 wrote:
| The manufacturing of HGST got sold to Toshiba -- that's where
| you want to look for quality drives now. HGST is just another
| WD brand at this point.
| sschueller wrote:
| On the other side I would like to thank synology for 10 years of
| updates that always worked. This is the way it should be and why
| I recommend them.
| freeone3000 wrote:
| We may be using different Synology products. Updates frequently
| break filesharing or drive sharing or encryption for me.
| CodeWriter23 wrote:
| IMO if they have a point in time where they decide they will no
| longer provide security updates, they should adjust the MTBF
| calculation, setting the maximum possible lifetime to be the EOL
| on the software.
| chronogram wrote:
| That sounds ecologically disastrous. Although I remember when I
| once purchased a TV when they were still tubes, there was an
| additional EUR9 recycling fee at the time of purchase.
| CodeWriter23 wrote:
| Not if they extend the software EOL to match the life of the
| mechanicals.
| themodelplumber wrote:
| I have a friend who is considering a refurb PC with
| openmediavault as a replacement for one of these. She isn't using
| the WD remote access tools, so it's not a security issue with the
| product, but more like an old-OS issue.
|
| I'm not sure if she plans to shuck the drive for use in the new
| system, and am wondering if shucking is pretty easy or not...
|
| Does anybody have experience with OMV on this kind of setup? It
| made me curious.
| mattwad wrote:
| Not all drives are "shuckable". But this is pretty common, you
| see people posting shuckable drives on Reddit often when
| there's a good sale.
| jms55 wrote:
| The main thing that struck me about this, is that they only
| supported their NAS for 5 years? It's a NAS, wouldn't the
| expectation be that people are running this for 10-15 years?
| atatatat wrote:
| Who still uses this crap?!
| dukeofdoom wrote:
| I've never had any problems with external WD drives on mac.
| However, my Seagate 4Tb is almost unusable. It corrupts my final
| cut file every time I'm editing off of it. It will randomly
| disconnect, such that its still mounted under /Volumes/ but its
| not actually there. Not sure if its overheating. So wanted to go
| back to WD, but not sure now.
| ausumm wrote:
| https://ausum.io/s/Wmp0rFH51RY2PtYe8O7pEYc_czwFLIqcxCHFuwWKs...
|
| Summarized this article into short-form audio for anyone that
| wants to "read" on-the-go.
| excalibur wrote:
| "The people pay for the newest version, and the newest version
| fixes the vulnerability." -- Mitch McConnell
| dec0dedab0de wrote:
| The video is pretty interesting, it looks like the nobody account
| was not meant as a backdoor, but the secret api is just doing
| authentication, without authorization. Couple that with having
| the api using the Linux auth and you have a problem. ...I wonder
| if it's doing pam or just reading the shadow file direcly,
| doesn't really matter
|
| When I first read there was a backdoor account I thought it would
| be one that was on purpose. At an old job about 15 years ago we
| used network equipment that had a vendor backdoor built in. Only
| reason we knew it existed was one of our engineers had recorded a
| remote session with the vendor's support team. The account gave
| you full admin access and didn't even show up as another logged
| in user. It was disturbing to say the least.
| coolspot wrote:
| Network equipment vendor name?
| [deleted]
| oceanghost wrote:
| So, I've "owned" a PR4100 for 3 or 4 years. I wanted it because
| it supposedly supported hardware transcoding for Plex. Sadly the
| transcoding was limited to 5mbps h264-- the signal looked _BAD_.
| It was like watching confetti. Later the capability was removed
| altogether.
|
| Which is why I haven't been affected by these 0days as of late--
| the damned thing is useless and therefore turned off.
| ineedasername wrote:
| Why not return it when it didn't work well for Plex?
| ClumsyPilot wrote:
| Odds are by the time he was done mucking around with all
| possible plex settings, the return period has passed
| reducesuffering wrote:
| My parents actually use this Western Digital MyCloud as a local
| backup because of concerns about data being exported out to cloud
| servers a la Apple, Microsoft, Google, etc. Are there any
| recommendations for good local backup solutions for middle aged
| people not great with tech?
|
| Edit: Needs auto-backups, so it has to be more than a USB or old
| computer.
| eric__cartman wrote:
| An Intel NUC style computer with openmediavault, or other easy
| to use open source NAS solution is what I would use in that
| case.
|
| If you don't care about the small size of a NUC, an old office
| PC with a couple hard drives should do well.
| fulafel wrote:
| Sadly keeping a general purpouse server OS consistently
| secure and patched up is not realistic for "middle aged
| people not great with tech". I wonder if there are good
| affordable ways to outsource this...
| reducesuffering wrote:
| Agreed. GP reads like the famous Dropbox comment. That just
| isn't realistic for people that aren't very tech literate.
| eric__cartman wrote:
| I run Debian on a small file server in my parent's house.
| Granted I had to set it up for them, but after configuring
| unattended upgrades, I only needed to work on it to upgrade
| from Debian 8 to 10 because it was getting close to being
| EOL. I keep SSH open to the internet in case I need to
| troubleshoot something. Their computers automatically run
| weekly incremental backups and it's transparent to them.
|
| It's not the best solution, but it works reasonably well
| with little maintenance on my part. On Windows you can set
| a smb drive to mount automatically at boot and it'll behave
| like a normal drive. So it was easy to explain to them that
| you can access that folder from both machines
| simultaneously.
|
| I agree that this is not a good solution for someone that
| has to set it up themselves. In that case I'd recommend
| something like a Synology unit.
| [deleted]
| ClumsyPilot wrote:
| If only the OS was simple to use and updated itself...
|
| I have a gigabit connection and am disgrunted that I can't
| self-host most services I need without turning it into a
| 2nd job
| GekkePrutser wrote:
| I'm surprised people recommend OMV. It's very "Web 1.0" with
| its user interface IMO.
|
| I use it myself heavily but that's because you can install it
| on top of regular debian. So you get a NAS that you can
| customize to the wazoo. Which I do, it runs a lot of custom
| scripts. I basically use OMV only as an easy GUI for adding
| shares, changing out drives etc. I could do it all by hand
| and perhaps next time I will.
|
| However I wouldn't choose to run it if I didn't have that
| requirement. There's much more modern options out there.
|
| What made you choose it yourself?
| ok123456 wrote:
| Synology NAS. Synology does a pretty good job updating their
| software, and it's a core part of their business.
|
| With WD it's like they just wanted to bolt on some NAS features
| on the cheap and the result was the current mess.
| GekkePrutser wrote:
| Synology is a totally different price range though. You'd pay
| the same for the empty NAS as you'd pay for the WD with the
| drive included :)
|
| But then again it's clear that you get what you pay for.
| ok123456 wrote:
| A two bay disk-less filled with ~2tb drives is only
| slightly more.
| filmgirlcw wrote:
| Synology. QNAP is good too but Synology is probably the easiest
| to use and they have very strong and long-standing software
| support.
|
| Edit: QNAP has had some security issues too. I've had Synology
| gear for close to a decade, interspersed with DIY servers and
| homelab stuff and really, really like it. If I were getting my
| parents a NAS/backup system, that's what I would get.
| WalterBright wrote:
| A USB stick works well, or a USB drive if more space is needed.
| reducesuffering wrote:
| The go-to standard for quite awhile. Unfortunately, it
| doesn't come with the convenience of auto-backups and runs
| the risk of being lost along with all the memories and data
| it contains.
| WalterBright wrote:
| Make a copy of your parents' backup and keep it yourself.
|
| I have a friend whose grandparents took tons of film of him
| growing up. Then their house burned down, all lost. Give a
| backup to an offsite family member.
| ineedasername wrote:
| Many home routers include an option to plug USB storage into
| it. From there you can just mount it on the computer and use
| the OS's built-in backup software: they all have some,
| automation included.
|
| Edit: Seagate doesn't seem to make the option I mentioned for
| them. Removed.
|
| A simple external USB drive will work though: Windows 10 has
| built-in automated backup capabilities. Actually it's been
| possible since at least XP.
| throwawayboise wrote:
| Home routers aren't exactly known for getting regular
| firmware updates or being super-secure either.
| lokl wrote:
| There's no indication EasyStore is affected, right? Assuming not
| using any WD Backup software.
| orf wrote:
| > The researchers said Western Digital never responded to their
| reports.
|
| > The communication that came our way confirmed the research team
| involved planned to release details of the vulnerability and
| asked us to contact them with any questions," Western Digital
| said. "We didn't have any questions so we didn't respond."
|
| Lol. Is this entire company, from the developers to the people in
| charge of comms, complete idiots?
|
| I guess this is what you get when you think software is nothing
| but a cost center then gut + outsource it.
| x3n0ph3n3 wrote:
| Having worked there -- mostly. I engaged in multiple arguments
| with leadership whom wanted to measure engineer productivity
| based on lines of code added to version control.
| N00bN00b wrote:
| It's not just WD NAS that are facing issues like this. I have a
| QNAP, so I follow news on that and they've been getting hit
| repeatedly with ransomware cryptolockers recently as well.
|
| It's nearly always UPNP that's causing the device to be exposed
| unknowingly to the internet and then a some software bug that
| allows the exploit.
| tempfs wrote:
| How many times do people need to be burned by closed-source,
| cloud boxes before they learn to stop buying them?
|
| Western Digital deserves their fair share of blame here as always
| but honestly the pattern of failure and consequences here is
| pretty well established by now.
|
| Rolling your own remote access solution(SSH/VPN+ strict FW rules)
| that can be used in conjunction with your own DIY raspberry pi
| network share(SMB+external drive USB or docked HDD) service is
| just really well documented in so many articles and is very
| maintenance free once you cronjob the updates.
|
| It is time to own your digital destiny people. The stakes have
| always been high enough to justify the time and effort. Just do
| it!
| kingsuper20 wrote:
| > How many times do people need to be burned by closed-source,
| cloud boxes before they learn to stop buying them?
|
| Probably when their thermostat turns off during a heatwave.
| roberto wrote:
| > How many times do people need to be burned by closed-source,
| cloud boxes before they learn to stop buying them?
|
| > Rolling your own remote access solution(SSH/VPN+ strict FW
| rules) that can be used in conjunction with your own DIY
| raspberry pi network share(SMB+external drive USB or docked
| HDD)
|
| These target completely different audiences.
| gentleman11 wrote:
| Could anyone recommend a specific foss stack + guide for
| setting this up for somebody who has no idea how to set it up?
| I'm most concerned about misconfiguring something, which is
| sort of what this Wd exploit is - somebody misconfigured an
| account to not have a password in this case. I can only assume
| they forgot to do that step, or didn't know how to avoid doing
| so
|
| What software do you use to push your files from your
| windows/Linux machines? How do you test your backups most
| easily? How do you test you aren't leaving your device exposed?
| willis936 wrote:
| A truenas mini is the fastest way there.
|
| Reading zfs and truenas documentation then building your own
| is the second fastest.
| gentleman11 wrote:
| Looks like $700 USD entry price? Might be worth it but
| seems overkill for a lot of people. I will read those docs
| however to see about building my own, thanks for the tip
| willis936 wrote:
| Used workstations (hpe proliant, dell poweredge tower,
| etc.) on ebay plus 4x 4 TB hard drives clocks in around
| $700 too. Couple it with something like B2 or S3
| replication and your data is safe and secure.
|
| It ain't cheap, but you're buying reliability and
| privacy.
| nullz3r0 wrote:
| Do you have one article that you particularly like?
| gtm1260 wrote:
| I think your over-estimating how little most people think/care
| about their storage drives.
| nodamage wrote:
| No one capable of doing those things would have even bought one
| of these WD devices in the first place...
| williamtwild wrote:
| No way mom and pop are going to know how to do this. Even semi
| tech literate people will struggle.
| mdoms wrote:
| The typical buyer of this type of product has no idea what
| "closed source" means. They went to Harvey Norman and asked the
| 17 year old store assistant what they should buy to keep their
| important photos and documents safe.
| gentleman11 wrote:
| > We strongly encourage moving to the My Cloud OS5 firmware," the
| statement reads. "If your device is not eligible for upgrade to
| My Cloud OS 5, we recommend that you upgrade to one of our other
| My Cloud offerings that support My Cloud OS 5.
|
| Not sure how this isn't illegal. You sell something so defective
| that it destroys the thing it's designed to protect and you
| refuse to fix it, and rather use it as a chance to force
| customers to buy new devices that are likely just as bad
| minikites wrote:
| >Not sure how this isn't illegal.
|
| Many people believe that regulations on companies stifles
| innovation, so this is what we get. Apparently, it's your own
| fault if you bought a defective product.
| colecut wrote:
| While no regulation is bad, regulation is often bad or worse.
| Hard to know where to point a finger.
| ErikVandeWater wrote:
| Quantity of regulation is not the issue. It's the quality of
| the existing tens of thousands of pages.
| thijsvandien wrote:
| People screwed by this are surely going to buy more WD. /s
___________________________________________________________________
(page generated 2021-07-02 23:00 UTC)