Seagate NAS owners: hide it behind a firewall. Fast.

An Australian security researcher says a bunch of Seagate NAS devices carry serious vulnerabilities and should be kept away from the Internet. OJ Reeves of Beyond Binary says the Seagate Business NAS line, up to version 2014.00319, carries old versions of PHP, CodeIgniter and Lighttpd. All of these, the post notes, have …

  1. P. Lee
    Facepalm

    You put your NAS on the internet?

    You probably aren't going to ever see the advisory.

    1. frank ly

      Re: You put your NAS on the internet?

      It's those 'oh so convenient' built-in FTP servers and web servers. Who could resist using them?

    2. Sandtitz Silver badge
      Unhappy

      Re: You put your NAS on the internet?

      Not putting the NAS on the internet doesn't solve the problem, though it helps a bit.

      These devices are likely on the corporate LAN and are thus vulnerable to malicious users. Patching is still needed.

      This isn't the first poorly programmed NAS line from Seagate. The previous Blackarmor NAS line was garbage as well.

  2. dan1980

    The key problem with these types of bugs appears to be laziness as a form of cost-cutting - get off-the-shelf bits, use generic firmware and software stacks, add a customised interface and pop it in a cheap plastic enclosure.

    Job done.

    1. Dan 55 Silver badge

      There's not much wrong with that, it's failing to update the software that's the problem.

      1. Pascal Monett Silver badge

        There's a lot wrong with that. It has been demonstrated over and over again that the public is just not aware of the importance of security measures. Making software updates for your kit is of no use if your customers never apply them.

        Kit made to connect to a network must include security by default, because you cannot count on a customer to do it right. As far as security is concerned, the public must be considered as not being able to program their VCR (and yes, I know they probably don't have one anymore, but I think the comparison stands).

        1. Dan 55 Silver badge

          I meant the problem was there's not a lot wrong with it apart from Seacrate not updating the software (automatically). Any NAS box which requires Joe Public to update it is broken at the design stage.

    2. Anonymous Coward

      The biggest bug is they all use Linux.

      1. dan1980

        @AC

        Well, there is a little truth to this but it still has more to do with cost cutting and lack of concern than anything else.

        They use Linux stacks (many of them) because they cost less. Buying software means you usually get the most up-to-date versions as you have to pay licensing to use it and so want to get your money's worth; a free stack has no such concerns - you just build a stack that works and leave it as your default install.

        Again: 'job done'.

        But of course, this is not some kind of inherent problem with Linux or free software in general.

  3. Anonymous Coward

    "the Web interface running on Lighttpd runs as root"

    Excuse me? Seagate configured the GUI to run as root? If they provide a comment to El Reg, I'm sure many people would be curious to learn whether the moron who decided to do that still works with Seagate.

    (The other issue at hand - the shared encryption keys - is bad enough, but this one really had me speechless for a moment.)

  4. thexfile

    One encryption key to rule them all.
