WDMyCloud Multiple Vulnerabilities

539 points | ronnier | 8 years ago | gulftech.org

191 comments

[+] EgoIncarnate|8 years ago|reply
Generally when it's something this obvious I think it's a backdoor for debugging that got left in due to bad development practices. [1]

If someone actually wanted to implant a "secret" backdoor it would be disguised as a subtle bug and/or obfuscated in some way.

"Never attribute to malice that which is adequately explained by stupidity." Hanlon's Razor - https://en.wikipedia.org/wiki/Hanlon%27s_razor

[1] "[...] it turns out the error was caused due to buggy code and nothing I was or wasn't doing wrong." - if the code is so obviously buggy and the backdoor part isn't obviously a bug, the developers are probably just being sloppy, not malicious (bad or rushed development).

[+] stordoff|8 years ago|reply
I think it can go the other way in a couple of cases though:

A) WD (by a government) or its staff (by WD management) were ordered to put in the backdoor, but didn't agree with doing so, thus made it obvious in the hopes that it would be found.

B) A backdoor that is found but written off as sloppy development is less damaging than a bug that if found and analysed looks deliberate (because bad development practices are hardly new for hardware manufacturers). _Potentially_ makes exploiting it less risky as well - if it's an obvious or known thing, the attacker could be anyone. If it's a subtle, undisclosed bug (that hasn't been used against many targets), that suggests, to some extent, the involvement of whoever could arrange for the bug to be placed there.

It probably isn't deliberate, but that possibility certainly isn't excluded either, so I'd be cautious about treating this as a hard and fast rule.

[+] technion|8 years ago|reply
Having identified a backdoor in a major product myself, the eventual meeting with product managers led to a clear and frank discussion about the cause. That being, it was there because it was expected only "certified" engineers would know about it.

The initial view was a hotfix that just changed the hardcoded password, because senior management felt lightning would not strike twice.

[+] 0xBA5ED|8 years ago|reply
By the same token, if there's little accountability on the project, one might intentionally leave a debugging mechanism in for dubious purposes because they feel they have deniability if/when it's found. "Oh sorry, just a debugging thing I accidentally forgot."
[+] zouhair|8 years ago|reply
So this is one way then to maliciously put backdoors all over the place and claim incompetence if caught.
[+] Too|8 years ago|reply
I think you give these guys way too much credit. It's more likely some clueless PM simply asked a clueless junior developer to add a backdoor and due to lack of good processes nobody ever reviewed that commit (assuming those guys even use version control).
[+] jhiska|8 years ago|reply
Ah, yes; the Russian defense. I know it well. How did it go?

"The hard-coded backdoor that was found can't be a hard-coded backdoor, because Western Digital would never be so crass and incompetent as to put a hard-coded backdoor hidden in such a way that a security researcher would find it and attribute it to them."

How can one argue against such flawless logic when it even has an aphorism to describe it?

[+] aeleos|8 years ago|reply
I always wondered how they were able to sell these devices so cheaply. I recently bought 2 4TB ones to take the hard drives out as they were each $30 cheaper than buying a regular 4TB hard drive.
[+] djsumdog|8 years ago|reply
I pulled some old MyBook hard drives out of their cases and discovered they were unreadable via a standard SATA connection. They were older MyBooks designed for XP, so I thought it was just having trouble because they were using 4k sectors.

I found some information that claimed the older MyBooks would AES encrypt the data (even if you never set up a password) making the data totally inaccessible if the factory enclosure ever broke.

Fuck that shit. I pulled the drive back in and copied everything off, then formatted the disk from a real PC and threw that shit away. Today I always buy separate disks and enclosures that allow direct disk access.

[+] jquast|8 years ago|reply
You're not kidding. We recently bought a few dozen of them from Best Buy, ripped them apart for the disks, and put the disks in a NAS.
[+] jchw|8 years ago|reply
Well, shit. I've had one of these as a stand-in for hopefully eventually getting a Synology NAS, and now I'm paranoid about continuing to use my WD MyCloud. The thing is, I do believe I have a lot of reasons to believe I can trust Synology more, I don't even want to trust anyone. Not Intel or AMD, not WD or Synology. Computers are quickly becoming a source of implicit distrust for me.
[+] kogepathic|8 years ago|reply
> Well, shit. I've had one of these as a stand-in for hopefully eventually getting a Synology NAS, and now I'm paranoid about continuing to use my WD MyCloud.

The hardware is still fine. You can put Debian on it!

There is a very active forum of people replacing the WD firmware with Debian on various models (EX2 Ultra, EX2100, EX4100): https://forum.doozan.com/list.php?2

[+] milofeynman|8 years ago|reply
If you don't want to trust anyone go with FreeNAS and build it yourself. It's great, better hardware for cheaper. Just the higher learning curve...
[+] 1over137|8 years ago|reply
Maybe you'd like FreeNAS.
[+] mey|8 years ago|reply
I'm having modest success using an eSATA enclosure on Windows with Storage Spaces. On the Linux side, BTRFS may be suitable but harder to manage (This is part of what Synology/NetGear are providing management around.)
[+] cordite|8 years ago|reply
I recently moved to a FreeNAS machine, as these devices had the weakest CPU and as little RAM as possible to function. It made buffering media on the network a challenging task when it should have been effortless.
[+] Animats|8 years ago|reply
A general question: why is no one suing people who put in back doors? Where are the "reckless negligence" suits? Especially injured third parties, who never agreed to an overreaching EULA.
[+] posterboy|8 years ago|reply
You can't sue on formal grounds, you need a material claim that your rights have been hurt. Reckless negligence sounds like a criterion to determine whether the damage is actually a liability of the defendant. And that you had to install a patch, which is available according to other comments, is likely not enough. Unless there are rules I don't know about, or you can construct an argument that backdoors were per se illegal.

Maybe you could claim that someone is offering copyrighted material on the internet, because that's illegal per se, no downloading required, but beware of the backfire.

[+] tehwebguy|8 years ago|reply
I was approached on Twitter by an attorney for a class action against Payfone et al when their demo popped up here. It won’t take much effort to find one who sees a case here.
[+] caconym_|8 years ago|reply
What an excellent way to ensure I don't even spare a glance for your products before going with the competition's offering(s).
[+] madez|8 years ago|reply
A relevant but still more general question: How can we protect ourselves against backdoored products that are covertly subsidized by governments?

Sure, demanding the sources is a necessary first step. But what happens when the manufacturer blocks and there is not enough competition in the market, see Intel and laptops?

This situation has been a problem for years now. What can be done? What regulation or law would help? What should we demand?

[+] acdha|8 years ago|reply
> A relevant but still more general question: How can we protect ourselves against backdoored products that are covertly subsidized by governments?

There's a big issue with quality on devices but spreading conspiracy theories only harms that cause. There's no reason to believe this is connected to a government — and it's way below the level of craft we've seen in that regard – and making dubious claims is more likely to cause people to take you and the broader argument less seriously.

> This situation has been a problem for years now. What can be done? What regulation or law would help? What should we demand?

Two good starting points would be protection for security researchers and the requirement that manufacturers promptly support devices for a reasonable amount of time. Things like this happen because there's very little perceived cost to shipping something shoddy compared with not getting as many features to market as quickly as possible.

A followup point, especially for restoring trust that there aren't sophisticated backdoors, would be not just source code but fully reproducible, user-installable builds. This is still fundamentally a losing game if you don't trust the hardware but it'd dramatically increase the odds of someone being able to notice an error, not to mention being a huge win for users’ ability to improve an orphaned device.

The reason why that's unlikely to happen is that companies treat source code as a significant asset, which is why I first mentioned a longer support period. My favorite approach for this problem would be regulation requiring mandatory release of source code, the toolchain, signing keys, etc. if the manufacturer stops supporting something, so the places which want to keep their trade secrets can still do so but are required to help their users at the same time.

[+] thomastjeffery|8 years ago|reply
That is the problem: "we" don't have a solution.

That's why we needed to get rid of DMCA Section 1201, and demand access to source code, at the very least, for security research.

[+] gruez|8 years ago|reply
open source is only going to protect you from non-intentional backdoors. if the government really wanted a backdoor, there's nothing preventing them from loading a modified version that has a backdoor. short of dumping the firmware from nvram + reproducible builds, you won't be safe.
[+] chiefalchemist|8 years ago|reply
So the government that subsidizes such things is the government that's going to protect us...from it (i.e., our government)? Not to go all tinfoil hat on you, but I think it's fairly obvious what side the gov is on. Hint: It's not the same side we're on.
[+] xioxox|8 years ago|reply
The article doesn't seem to make clear that the 04 firmware which fixes this has been out for years (mid 2014, specifically). One nice thing about this device is that it is a real Linux system which can be used for hosting cheap services.
[+] emcrazyone|8 years ago|reply
The article mentions firmware version 2.30.165 whereas mine is running 2.11.168 and when checking for updates, reports back I have the latest. I have the EX4 models.

I only run mine on private/home networks with no remote access in to them.

Curious about the version difference...

[+] userbinator|8 years ago|reply
WD probably contracted D-Link to make these devices for them, i.e. D-Link is the OEM. The latter has been known for quite a few router vulnerabilities...

...but on the bright(?) side, I remember finding lots of software and other fun stuff on "public" D-Link NASes a few years ago, including information critical to repairing the products of one well-known and notoriously-closed company. ;-)

[+] l0b0|8 years ago|reply
Side note: Can't reach over HTTPS, access denied via Tor. Why do so many security-related sites use awful hosting providers?
[+] notadoc|8 years ago|reply
Yikes.

I suspect there are many more of these out there.

[+] freestockoption|8 years ago|reply
FYI, some MyCloud devices can be modified to just run Debian. I treat my MyCloud as a cheap Linux box with lots of storage in a convenient form factor. If it weren't for that, I'd just build a computer.
[+] ksec|8 years ago|reply
I am now less sure how anything is secured once it can be reached through the Internet.

Maybe I have the old way of a NAS that is NOT reachable through the internet at all.

I really want a Time Capsule for all my iOS devices, and have it only accessible within my Network. But then I am also paranoid about Bit rot on HDD. As I have seen far too many of my Photos or Video with this problem. And I don't believe any consumer grade NAS are quite capable of handling them yet.

I have yet to find a use case where I want ALL of my files, Photos, Movies or whatever accessible when ever I am. Most of the time I only need one file from work, and it is normally in dropbox or email.

[+] patrickdavey|8 years ago|reply
Correct me if I'm wrong but if this is on your home network then you're only vulnerable to other people on your network right? Just don't port forward access for a start.
[+] linkmotif|8 years ago|reply
What’s the connection to D-Link about?
[+] fernly|8 years ago|reply
Read the original article to the end:

"the D-Link DNS-320L had the same exact hard coded backdoor and same exact file upload vulnerability that was present within the WDMyCloud. So, it seems that the WDMyCloud software shares a large amount of the D-Link DNS-320L code, backdoor and all. There are also other undeniable examples such as misspelled function names and other anomalies that match up within both the WDMyCloud and the D-Link DNS-320L ShareCenter code."

[+] paulie_a|8 years ago|reply
They probably made it OEM for WD
[+] newb88|8 years ago|reply
I recently installed one of these in my home, what actions would you suggest I take?
[+] mmaunder|8 years ago|reply
According to the research, this may be wormable and is browser exploitable, assuming they can figure out the local hostname/IP of your NAS.
[+] daniel_iversen|8 years ago|reply
Well crap! I bet this gives a lot of WD customers a sick feeling in their stomach. Is nobody worthy of our trust anymore! :|