I wonder if Marketing will ever learn.
They can certainly sell shit.
Unfortunately, I don't want to purchase shit. Mayhap put Engineering and QA back into the loop? It's just an idea, what do I know ...
If you have a Western Digital My Cloud network attached storage device, it's time to learn how to update its OS because researcher James Bercegay has discovered a dozen models possess a hard-coded backdoor. The backdoor, detailed here, lets anyone log in as user mydlinkBRionyg with the password abc12345cba. WD mostly markets …
This post has been deleted by its author
and they're STILL hard-coding back doors into their stuff, EVEN THOUGH it has been proven time, and time, and time, and time, and time ... again that DOING! THAT! IS! BONEHEADED! STUPID!!!
Anybody got a CLUEBAT for these idiots?
There may have once been a reason for this, for vertical market systems NOT on the internet, so you could go to a customer site and un-brick "whatever they did to it". Since the 90's, that has become *INCREDIBLY* *STUPID* to do. A physical reset button with a 'password reset' command of some kind would be a better idea, but NOOooo they had to do a BACK DOOR with a HARD CODED USER/PASS combo.
Nice. Job. Not!!!
It is not THEM (as WD). They are just shopping from the lowest bidder.
That is "consumer device manufacturers" these days. It is all ODM by someone working to a minimal budget somewhere in South East Asia. So any expectations of bug fixes, etc are pretty far fetched as well.
It cannot be fixed in the current economic environment as it is the minimal cost model. The only way it can be fixed is if the seller (the one who stuck the brand sticker on it) will be made responsible at a FTC/Eu level to supply fixes for a reasonable amount of time. IMHO 5 years of security and safety fixes for software with penalties for non-delivering in the range of 5-10% of global turnover should do the job.
I don't care who it is, this is simply not acceptable, ever.
Computer security is hard enough. We just discovered a vulnerability in a raft of CPUs that dates back more than a decade and nobody had a clue.
So we definitely don't need people putting in barn doors that can't be closed.
"We just discovered a vulnerability in a raft of CPUs that dates back more than a decade and nobody had a clue."
Nobody had a clue?
I seriously doubt that is the case.
See the flaws in the Intel Management Engine, their implications and consequences.
It's a long albeit interesting read.
And then see if you can, with all the good faith you could possibly muster, say "nobody had a clue" again.
Meltdown/Spectre, in some forms, originated in 1995 - 27 years ago.
What with that, this WDMyFail story and a few other ohJFCnotagain fails lately I'm really starting to wonder whether I should jack in security and take up, I dunno,.. something else. Sitting next to my local ATM with a McDonalds cup, perhaps? That looks like an appealing lifestyle, compared to this.
"The only way it can be fixed is if the seller (the one who stuck the brand sticker on it) will be made responsible at a FTC/Eu level to supply fixes for a reasonable amount of time."
It can be fixed PDQ. Security checking becomes a part of UL and CE (and the equivalent for other quality regimes) checking. That goes a long way to keeping unchecked products out of major markets, sufficient to make doing it right the more profitable option.
"It is not THEM (as WD). They are just shopping from the lowest bidder."
Technically true. However, in my view, if you've bought it put your name on it, and are selling it, then you're responsible for it whether you made it or not. WD is at fault here for, at a minimum, not properly vetting the device.
'Goodbye "cloud" I'm done with you.'
Sadly that may be the only alternative...
Still, it would seem to me that *maybe* an 'Open NAS' or equivalent might work on those drives...
(has anyone tried to load it?)
If another OS _can_ be loaded on those devices, maybe THAT is the fix?
....you have to configure it and the router to allow incoming connections from the Internet otherwise it is a NAS and not a cloud.
Unless (like my HP printer) it connects out to a central server so no incoming connection is required.
I had a quick look round but couldn't find a description of the mechanics. I assume it does clever things to the router as most punters wouldn't know where to start.
1) They probably have UPnP (read: Automated, unauthenticated system to instruct your router to port-forward any given port externally to any given IP/port internally. In case you didn't know that).
2) Talking out is enough to cause issues like this to be worrying as you can then use apps to connect back to the drive. Presumably they are now blocking that username combination but who knows?
3) It doesn't matter... it's much more of a risk INTERNALLY. People are suggesting using these as iSCSI devices, which means they are acting as backing stores and live storage for VM's for servers, etc. That's just dumb to have a pre-fab password. This time next year, every virus will have those passwords included and will probe the local network so that that tiny local infection can - if you don't have full isolation - turn into direct access to all your iSCSI storage, etc.
... I went for an HP microserver which was actually cheaper.
I did the same. Back in the day all the NAS's were too expensive and limited, so I bought HP Microserver N36L on one of those cashback deals. Running NAS4Free (since the split up... was running FreeNAS before that) nicely from USB stick with all 4 bays for ZFS. I did add a intel quad GE NIC though as the onboard one would lock up on heavy traffic.
Successfully updated a MyCloud EX4 just now. This was made more awkward by the fact that the device expects to be able to download the firmware update into user-data space - so if you've deliberately created an ISCSI target that uses _all_ of that space, it has nowhere to put the update. Take your service disks out, put a scratch disk in, let it set that up, update the firmware, take the scratch out, put your service disks back, and click 'OK' when it asks you if you want to 'integrate the roaming RAID partition'.... And relax.
So, there's a programmer who works at D-Link somewhere named Briony, is there? Her surname starts with G? Good grief...
I had a My Book (500Gb) for quite a long time and later on bought myself a My WorldBook (1Tb). It was fun while it lasted: after a while the MyBook didn't work for some reason; even copying a 1Mb file would take minutes (just for context: my computer and the MyBook were hooked up onto the same switch, and other network related functions worked without any issues).
Eventually I opened it up, took out the HD, learned about the Linux OS and ext2 (or ext3, don't remember) filesystems and then copied all my data from it. Right now this same HD sits inside my FreeBSD server, now UFS formatted, and it works just fine. So much for reliability.
I still have the WorldBook but I don't dare to copy any data onto it because I fear for the worst. So it's read-only for now. I'll probably end up opening it up and taking out the HD as well, that will be the end of my My Book endeavors.
Given that the MyCloud devices prompt the users throughout the installation to install cloud access I expect that there's a lot of data out there for the taking. For a lot of casual users, even if they don't use the cloud features, it may well have boon turned on when it was installed.
Since serious, and intentional, security holes are routinely found in pretty much every class of network-connected device, I think it's safe to say that manufacturers can't be trusted with anything that involves network access. The only secure way forward for devices that have network access is to roll your own.
What like these, reviewed by el reg some time back with no consideration of security or how it might be a pwn point for your entire network by the reviewer...
Interesting user name choice. :-
"Noun 1. briony - a vine of the genus Bryonia having large leaves and small flowers and yielding acrid juice with emetic and purgative properties
I have firmware version 2.10.310 but I'm not able to log in via the web interface, and FTP, SSH and Telnet ports are all refusing connections.
That seems strange. Shouldn't I be able to log in with this old firmware?
Actually I have some quite low opinions of this system for other reasons. When I first got it and tried logging in remotely using a mobile phone and the official software from WD, it worked super slow for a little while, before the entire device just crashed and I was not able to use it any more until I came home and rebooted. I was pretty disgusted and never tried to use it again after that. I suppose I might have some better luck now with a new firmware (this happened about two years ago) but how can a big company release something in such a poor working state?
Biting the hand that feeds IT © 1998–2020