Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

You should trust anything connected to the internet. Demand a physical write-enable switch from your backup drive vendor.


In this particular case, there were My Book drives and My Book Live. When the Live part was configured, you would be creating an entry-point into your network for WD to run code on your drive. I know this, because I purchased one, and read the small getting started guide that came with it.

Needless to say, I never ran any of the Live code. Several of these sorts of things have come up in the industry that always made me recall how happy I was to not have those drives with their backdoors on my network.


The CVE says it needs the IP address. How did the entry point work? Unless it was something like NAT port-forwarding I don't know how the attack could punch through to whatever port the device was using to expose the API.


See, I would care less about all this phoning home if I got the option to opt out like that.


A physical write enable switch? My computer is doing automatic hourly backups, how is that going to work?


A small robotic arm to flip the switch, duh.


As long as they small robotic arm is not also connected to the internet or the WD NAS


It works on your backup drive so when you try to restore from the backup, the ransomware on your system can't encrypt it.


But how do I write backup data to the drive without having to slip a switch every hour?


Verify that your previous backup drive is readable before writing to the next backup drive.

But hey, if you just got a ransomware note, and think "I'm good, I have my backups!", wouldn't you want to flip the read-only switch before plugging in those backup drives? I would. In fact, I'd flip that switch always before trying to read from a backup drive.


Hmm, append-only delta writes?


You don’t have that either. Stop the FUD. Just don’t have your only backup be connected to the Internet with remote wipe capabilities


How many My Book customers would even understand the meaning of your [correct] advice? When companies fuck people over with a defective product, we should resist the urge to tell the victims to be more tech savvy and not use those sort of products. Particularly when those products are intended for the general public.


It's always the same old thing. But the fundamental problem will never vanish: computers are complex, and no matter how hard you try with neat packaging and software, this complexity cannot be hidden. Sooner or later the illusion bursts at its seams and the user discovers another failure mode that they weren't even aware of.

WD really messed up there - but they and others will mess up again, so if the user's goal is not losing any data they'll still need to do more than buy the next shiny thing and click "accept" on the EULA. Because in the end pushing around the blame won't get you the files back.


I don't think it's a "computers are hard" problem. I think it's a "corporation sold a defective product" problem. Well charted territory.


Problem is that whoever designed the system should have done a better job. Computers are still (and probably will always remain) a niche skill so the blame lies completely on the shoulders of the WD engineers/designers who left this option open on the device


You should trust anything connected to the internet.

I presume you mean shouldn't rather than should.


Right.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: