Slashdot Mirror


Backdoor Discovered Into Seagate NAS Drives

Mark Wilson writes: If you have not recently updated the firmware for your Seagate wireless NAS drives, now is the time to do so. Researchers at Tangible Security have discovered a series of vulnerabilities in a number of devices produced by Seagate that could allow unauthorized access to files and settings. An undocumented Telnet feature could be used to gain control of the device by using the username 'root' and the hardcoded default password. There are also other vulnerabilities that allow for unauthorized browsing and downloading of files, as well as permitting malicious files to be uploaded. Tangible Security says that Seagate Wireless Plus Mobile Storage, Seagate Wireless Mobile Storage, and LaCie FUEL drives are affected, but there may also be others. The security issues are confirmed to exist with firmware versions 2.2.0.005 to 2.3.0.014.

121 comments

  1. Backdoor Discovered Into Seagate NAS Drives by nickweller · · Score: 4, Interesting

    Who wrote the code. What explanation do they have for inserting such features in a supposedly secure storage device. Is there a more sinister explanation for this?

    1. Re:Backdoor Discovered Into Seagate NAS Drives by Anonymous Coward · · Score: 0

      It was a rogue intern, obviously.

    2. Re:Backdoor Discovered Into Seagate NAS Drives by umghhh · · Score: 1

      It does not look like a required feature which raises the question: how do you test a feature that apparently was hidden and most likely not required? If this was just a mockup of something then surely as hell it should have been removed in production. Maybe the yellow sticker fell from the task board? Or maybe scrum master had a bad day and told the concerned tester to sod off and stop disturbing the team? Or maybe they thought about fixing it later when there is time?
      I have seen it all happening, more than once .... Some people never learn. As this affects many products apparently then this most likely is a systemic problem not an accident.

    3. Re:Backdoor Discovered Into Seagate NAS Drives by Trax3001BBS · · Score: 0

      Who wrote the code. What explanation do they have for inserting such features in a supposedly secure storage device. Is there a more sinister explanation for this?

      Apparently never heard of MHDD http://hddguru.com/software/20... (it's grown - used to be a hobbyist site, now much more professional). I've used it to gain access to drives using default passwords, excellent tool for "talking" to your hard drives, and fixing what's wrong.

    4. Re:Backdoor Discovered Into Seagate NAS Drives by Anonymous Coward · · Score: 1

      Easily reinstall the OS if it gets hosed, like most routers have? Perhaps an early feature that was dropped but never removed from the code?
      Not everything is some great conspiracy to give the government all of your files so they can forward them to our alien reptile overlords. In fact, nearly nothing is.

    5. Re:Backdoor Discovered Into Seagate NAS Drives by nickweller · · Score: 2

      @Anonymous Coward: "Perhaps an early feature that was dropped but never removed from the code?"

      Who was it tested the device for security vulnerabilities before releasing to market. They did run some tests - didn't they?

    6. Re:Backdoor Discovered Into Seagate NAS Drives by dinfinity · · Score: 2

      The title is pretty clear about it: It was just discovered into the drives by Tangible Security.

    7. Re:Backdoor Discovered Into Seagate NAS Drives by fisted · · Score: 1

      Indeed. Can we discover the discoverers into jail already?

    8. Re:Backdoor Discovered Into Seagate NAS Drives by Tokolosh · · Score: 2

      "Never attribute to malice that which is adequately explained by stupidity."

      Unfortunately, the explanation is not adequate.

      --
      Prove anything by multiplying Huge Number times Tiny Number

    9. Re:Backdoor Discovered Into Seagate NAS Drives by Anonymous Coward · · Score: 0

      They really need to add to that saying. The full statement should be:

      "Never attribute to malice that which is adequately explained by stupidity; unless it is done by a company or the company is under by a group who has a proven history of such malice."

      As it stands, there is too much done in malice that is falsely attributed to stupidity.

    10. Re: Backdoor Discovered Into Seagate NAS Drives by Anonymous Coward · · Score: 0

      I think that argument speaks for itself. It's plain garbage. Of course if someone is caught being malicious they'd love to just be called stupid. Because that isn't illegal, but when has ignorance ever been a way to excuse damage?
      "Sorry sir I'm too stupid to know when I ram my car into yours it would do damage so I won't give you my insurance info" sure sounds like a trip to jail to me.

    11. Re:Backdoor Discovered Into Seagate NAS Drives by Anonymous Coward · · Score: 0

      How many user names and passwords do you randomly try when testing your software?

    12. Re:Backdoor Discovered Into Seagate NAS Drives by AmiMoJo · · Score: 4, Informative

      As much as I love a good NSA/GCHQ conspiracy theory, I think this one is most likely just incompetence. Their NAS boxes run Linux, and telnet is really useful for debugging headless machines during development. Someone either forgot to turn it off before shipping or just assumed that because they changed the default port no-one would find it.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC

    13. Re:Backdoor Discovered Into Seagate NAS Drives by Anonymous Coward · · Score: 0

      They did run some tests - didn't they?

      You must be new here. (And by "here", I don't just mean Slashdot.)

    14. Re:Backdoor Discovered Into Seagate NAS Drives by langarto · · Score: 1

      If it is incompetence, then it is criminal incompetence. Someone should be jailed for this.

    15. Re:Backdoor Discovered Into Seagate NAS Drives by RockDoctor · · Score: 1

      supposedly secure storage device.

      It's a wireless NAS - it's insecure in its very conception, as well as insane.

      OK, slightly less insane - with capacities limited to 500GB, they're only going to take a day or so to fill or empty, depending on how much other traffic you have on your WiFi network. But for fucks sake, if you're going to spend even a femtosecond on thinking about security, then you're going to dump the WiFi for wired.

      --
      Birds are not dinosaur descendants;birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"

    16. Re:Backdoor Discovered Into Seagate NAS Drives by Anonymous Coward · · Score: 0

      What explanation do they have for inserting such features in a supposedly secure storage device.

      We're sorry our backdoor got discovered, and we'll be just as sorry when the next one is too.

      Is there a more sinister explanation for this?

      There is simply NO excuse in this day and age to find a hardcoded password in ANY commercial hardware OR software. I could buy that in the early 2000's, but if you find one today it is deliberate.

  2. Let me guess by Anonymous Coward · · Score: 4, Informative

    Closed-source firmware?

    1. Re:Let me guess by Anonymous Coward · · Score: 1

      Doesn't matter. How many people verify the firmware on their products match the open source version? Differences when compiled can be shrugged off as different compiler versions. You'd have to verify every instruction. For the people who reflash their devices? So what? Now they simply don't have the back door. It's unlikely to matter and almost everyone won't do it.

      Open source vs closed source means nothing if no one is watching very closely. How much OSS is managed by one or two people? I'd guess most of it.

    2. Re:Let me guess by grumbel · · Score: 2

      Differences when compiled can be shrugged off as different compiler versions.

      Yep, and it's not just different compilers, time stamps, compile order on parallel builds, the order of files in the filesystems, install path, compile flags, etc. will all change the resulting binary. Reproducible builds just haven't been a thing in the Free Software community and only very recently did Debian start work on ensuring that their binaries are byte-for-byte reproducible, but that's of course just Debian, we are still far far away from having reproducible builds be the default way Free Software binaries are distributed.

    3. Re:Let me guess by TheRaven64 · · Score: 2

      but that's of course just Debian

      Actually, it isn't. The Linux Foundation is funding the effort, and it's mostly Debian people leading it, but they're working on a variety of projects (including FreeBSD!), not just Debian.

      --
      I am TheRaven on Soylent News

    4. Re:Let me guess by Anonymous Coward · · Score: 0

  3. My gosh by execthis · · Score: 4, Funny

    My gosh, you would think in this day and age that firmware developers would know better than this. Hard-coded telnet passwords? Seriously?

    1. Re:My gosh by Anonymous Coward · · Score: 0

      It's easy not to know better when you're paid not to know better.

    2. Re:My gosh by Anonymous Coward · · Score: 1

      1) You think developers make those decisions?
      2) You think that developers hired to write the firmware are of highest quality paid competitive salaries and not the shittiest cheapest ones that can do the job so that product runs?

    3. Re:My gosh by Antique+Geekmeister · · Score: 1, Interesting

      Adding encryption means you can't export them to "non-approved" countries, and raises a great number of hoops to be able to export the product at all.

      https://en.wikipedia.org/wiki/...

      Also, encryption algorithms take more space in the very limited space on firmware and small controller chipsets.

    4. Re:My gosh by drinkypoo · · Score: 1

      Also, encryption algorithms take more space in the very limited space on firmware and small controller chipsets.

      Ye Olde pogoplug has ssh, it's not a very high bar. And that's what I use for my NAS functionality; a series 4 (IIRC) pogoplug, the kind with 2xUSB3 and 1xSATA, running Debian. They cost twenty bucks and use approximately no power...

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"

    5. Re:My gosh by Anonymous Coward · · Score: 0

      Well, considering they were stupid enough to use "root" for both the username and the password...

  4. This never would happen with APPS! by Anonymous Coward · · Score: 0

    Use WD MyCloud with APPS and your data is totally secure and apped, unlike Seagate Luddite garbage!

    Apps!

    1. Re: This never would happen with APPS! by Anonymous Coward · · Score: 1

      Use the WD or Seagate flavor with or without apps, instruct the router not to let them off the local network and use a vpn to connect to the local network -> NAS drive if / when needed. Problem alleviated.

      No excuse for a hardcoded backdoor, but should solve any security threat it generates. As an additional measure, encrypt the shares with your favorite flavor of encryption. I still use Truecrypt.

      Moral of this story: You should be treating everything as if it were compromised from day one. ( Because it probably is )

  5. Telnet?! by maugle · · Score: 4, Funny

    Seriously, who uses telnet instead of ssh in this day and age? I think we're at the point where including telnet - even optionally - in any Internet-facing device should be classified as a malicious act.

    1. Re: Telnet?! by Anonymous Coward · · Score: 1

      You don't always need encryption, and ssh takes a fair bit of cpu cycles and space to run.

    2. Re: Telnet?! by Anonymous Coward · · Score: 0

      You don't always need encryption

      Really??! With the N$A's tentacles that far up your anus, you still don't think mandatory and ubiquitous encryption is necessary?

      For real?

    3. Re: Telnet?! by Anonymous Coward · · Score: 0

      You can run ssh easily on an original RaspPi which has less horsepower than this NAS. STFU NSA shill.

    4. Re: Telnet?! by Anonymous Coward · · Score: 1

      It doesn't use that much, especially on embedded systems with more modern CPUs and storage space. Consider for example OpenWRT where you can fit into 4MB of flash space a full Linux kernel, busybox system, dropbear ssh server and have space left over for your web server, samba etc. And that ssh implementation is usable even on a 15 year old Linksys device. The NAS drives will have a system on a chip which is far more capable.

      And for a secure storage device I'd argue encryption is always needed. This is a wireless network drive after all, which is targeted at businesses as well as home users. There could be plenty of valuable data on there. All the file sharing protocols will use encryption already, so should any other method of accessing the drive.

    5. Re: Telnet?! by Anonymous Coward · · Score: 0

      I've played around with ssh2dos on an HP 200LX (think 1990's "organizer"), and you can barely tell the difference between ssh and telnet on interactive sessions (which is precisely what the management interface on this NAS is). SCP is a different story, but that's not what this backdoor is about.

    6. Re: Telnet?! by x0ra · · Score: 2

      On my LAN, I don't need encryption. If the NSA is on my LAN, I've got other things to worry about than just them sniffing on my pr0n.

    7. Re: Telnet?! by x0ra · · Score: 0

      Worth, between host and local guests, ssh is really overkill.

    8. Re: Telnet?! by x0ra · · Score: 1

      How much encrypted throughput can the RaspPi handle ?

    9. Re: Telnet?! by Anonymous Coward · · Score: 1

      This device needs some sort of processor to handle all the network storage functions. You can configure SSH to run some very insecure MACs and key exchanges if blindingly fast speed is the flavour of the day. This is not meant to run rsync with compression, it's not for X11 forwarding. It's for debug/administrative purposes.

      SSH being too resource intense is a cop out. It would have been the better choice for their brand reputation if they used SSH instead of Telnet.

      If a cheap 20$ router comes with SSHv2 by default on whatever low-end ARM cpu, I'll be damned if the behemoth of storage that is Seagate can't do the same.

    10. Re: Telnet?! by cbiltcliffe · · Score: 3, Insightful

      SSH has many advantages besides encryption. Passwordless login, tunnelling, etc.

      --
      "City hall" in German is "Rathaus" Kinda explains a few things......

    11. Re: Telnet?! by fisted · · Score: 1

      Yes, but it's kind of slow to authenticate.

      $ while true; do time ssh pi :; done
                      1.84 real 0.11 user 0.01 sys
                      2.02 real 0.16 user 0.02 sys
                      1.64 real 0.16 user 0.01 sys
                      2.17 real 0.16 user 0.00 sys
                      1.76 real 0.18 user 0.01 sys
                      1.93 real 0.13 user 0.00 sys
                      1.83 real 0.16 user 0.00 sys
      ^C
      $

    12. Re: Telnet?! by Anonymous Coward · · Score: 0

      Sniffing pr0n is NSA's fetish.
      much like shoes, pr0n is often used and never washed.

    13. Re: Telnet?! by Antique+Geekmeister · · Score: 2

      Much of that delay is the reverse DNS done by the remote SSH daemon, especially when the reverse DNS is unavailable. Turn that off, especially for wandering sftp clients or git access, and you'll profoundly improve initial connection time.

    14. Re: Telnet?! by rahvin112 · · Score: 3, Insightful

      One of the most important aspects of securing your systems is to layer the security, so that if a zero day is used and the black hat gets access to something they don't automatically get access to everything else. This is simple things like not using the same password on every computer, and even simpler things like not using insecure protocols on your network, even on the internal side.

      There is simply no reason whatsoever to use telnet even internally. SSH does everything telnet does, it doesn't cost more, it isn't harder to use, it's not more difficult to deploy and above all it adds an extra layer to the security.

      Using telnet, even internally is just bad practice and frankly means you aren't very smart. I agree with the parent poster, using telnet in this day and age should be considered a deliberate malicious act by a manufacturer and an indication of stupidity on the part of any admin.

    15. Re: Telnet?! by fisted · · Score: 1

      That would surprise me since the 'remote' host is 10m worth of cabling away. Reverse (non-)DNS lookup on the remote end takes approx. 300ms (but we're still talking about a raspberry pi here...)

    16. Re: Telnet?! by rahvin112 · · Score: 2

      AES instructions are included by default in almost every single processor produced in the last 5 years. The only CPU without "the cycles" to run SSH is going to be the smallest oldest industrial control you've never seen.

      There is no valid reason for not using SSH on any product that can install it. I doubt you could find a single product that would struggle with SSH encryption, even in the lowest end ARM or MIPS processors.

    17. Re: Telnet?! by Anonymous Coward · · Score: 0

      Tunneling on a local LAN is still overkill territory. Password-less logins is handy, but you won't get that with an off-the-shelf wireless hard drive as an alternative to basic telnet.

    18. Re: Telnet?! by cold+fjord · · Score: 1, Insightful

      On my LAN, I don't need encryption. If the NSA is on my LAN, I've got other things to worry about than just them sniffing on my pr0n.

      The problem is that you don't know who else may be on your LAN, or trying to get on it. Even if you think you have nothing of value on your network the computers and associated storage and cpus represent a potentially valuable resource that could be used for many purposes by crackers, spammers, and various criminals. You should really be using a secure protocol of some sort unless your LAN doesn't connect to the internet. Even then you have to ask yourself if you trust all the users on the network?

      --
      much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell

    19. Re: Telnet?! by hankwang · · Score: 1

      "AES instructions are included by default in almost every single processor produced in the last 5 years."

      Not in the i3-3xxx mobile cpus (released 2013), celeron N29xx (released 2014), Pentium N35xx (2014), and so on. I.e. my laptop and my SO's... (we're more interested in battery life and compactness)

      And ssh on my phone (ARM) isn't particularly fast even if the hardware supports it. Can't tell whether dropbear and ssh client actually use AES instructions.

    20. Re: Telnet?! by TheRaven64 · · Score: 1

      Is the connecting end resolvable? If it isn't, then you may be waiting for the lookup to time out (it has a low timeout, but it can add a noticeable amount of delay).

      --
      I am TheRaven on Soylent News

    21. Re: Telnet?! by Anonymous Coward · · Score: 0

      Those Intel chips easily have the muscle to do it though. I don't think SSH overhead is a real concern until you get into the less than high end embedded stuff. Even ARM SoCs found in smartphones have the performance for it. A tiny 80Mhz ARM 7 is a different matter altogether.

    22. Re: Telnet?! by fisted · · Score: 1

      My "on" was actually an "on", not a typo'ed "of"

    23. Re: Telnet?! by Anonymous Coward · · Score: 1

      It is not overkill, besides it is free... what if my router or one of the computers on my LAN gets compromised? If I don't use ssh they will be able to see all my passwords traveling on my LAN.

      Better safe than sorry, there is really no valid reason to use telnet today, unless you want to see how old BBSes looked like... So I fully agree with OP, mandatory encryption everywhere. Encryption is not overkill... It is a right, a right that we need to learn to defend, use and make it normal.

    24. Re:Telnet?! by Anonymous Coward · · Score: 1

      There's no reason for a telnet server. A telnet client, on the other hand, is vastly useful for debugging connection issues (eg firewall misconfigs) because it lets you specify the port.

  6. Mista Puhtaddah head! by Anonymous Coward · · Score: 0

    MISTA PUTADDAH HEAD!!

    Back doors are NOT secrets!!

  7. Wrong response by Anonymous Coward · · Score: 5, Informative

    When a company's firmware is backdoored, you don't just download the patch and hope they won't do it again. You buy from somewhere else.

    1. Re:Wrong response by Cederic · · Score: 0

      Telnet and logging in as 'root' with a default password isn't exactly a backdoor is it.

      It may be an undocumented default password but just fucking change it. Shit, disable telnet too while you're logged on.

    2. Re:Wrong response by Anonymous Coward · · Score: 1

      Devices should be secure out of the box

    3. Re:Wrong response by Anonymous Coward · · Score: 2, Informative

      Did you miss the part where it was a HARDCODED password? That user account and default password will always work, even if you think you've changed it, or if you think the account doesn't exist at all.

    4. Re: Wrong response by Anonymous Coward · · Score: 0

      jeb bush and hillary clinton disagree. plebs must be controlled, ya know.

      jeb bush's toilet paper brand is Magna Charta.

    5. Re:Wrong response by AmiMoJo · · Score: 3, Insightful

      Consumer laws need to catch up. This kind of vulnerability should be considered a fatal design defect and result in a recall of the affected products, with a full cash refund.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC

    6. Re:Wrong response by Anonymous Coward · · Score: 0

      You'd think so. Yet - astonishingly - RSA is still in business.

    7. Re:Wrong response by Anonymous Coward · · Score: 0

      Did you read where the password was hard coded? Do you know what "hard coded" means?

  8. Stop it already! by AndyKron · · Score: 1

    Is this crap ever going to stop? I'm ready to chuck my computer out the window.

    1. Re:Stop it already! by Anonymous Coward · · Score: 0

      Don't forget governments too.

    2. Re:Stop it already! by Lisias · · Score: 1

      You get what you pays for. =(

      --
      Lisias@Earth.SolarSystem.OrionArm.MilkyWay.Local.Virgo.Universe.org

    3. Re:Stop it already! by Anonymous Coward · · Score: 0

      Nope, because despite your protests you'll continue to let corporations butt fuck you.

      So what if he does? Homophobe.

    4. Re:Stop it already! by Cafe+Alpha · · Score: 1

      I see, and how much do you have to pay for non-backdoored hardware? A million dollars? Ten million? A hundred million?

    5. Re:Stop it already! by Anonymous Coward · · Score: 0

      The more you pay, the fancier the back doors...

    6. Re:Stop it already! by Anonymous Coward · · Score: 0

      The amount it will take to dismantle the surveillance state. So trillions of dollars.

    7. Re: Stop it already! by Anonymous Coward · · Score: 0

      as much as a chip factory will cost you. ask vlad gazman, he knows.

    8. Re:Stop it already! by Lisias · · Score: 1

      I see, and how much do you have to pay for non-backdoored hardware? A million dollars? Ten million? A hundred million?

      Google is your friend - and try using features and guarantee instead of price when you are sorting the offers.

      Going to the lower spectrum of pricing has a cost.

      --
      Lisias@Earth.SolarSystem.OrionArm.MilkyWay.Local.Virgo.Universe.org

  9. History by meerling · · Score: 1

    I've always had problems with getting seagates to talk with the other hardware, and said they needed to fix that. I see now that they tried, by going too far down the wrong freaking road again! :P

  10. Mix-match vendors and layer your security by rtkluttz · · Score: 3, Interesting

    It's pretty much come down to the fact that all corporations are working against the consumers. The best we can hope for is to mix and match vendors and layer our security and don't use cloud based shit. Use open source firewalls and control your outbound ports not just incoming ports.

    Stop trusting these dickheads people.

    --
    Digital is, by definition, imperfect. Analog is the way to go.

  11. Audited Code? by BoRegardless · · Score: 1

    Doesn't anyone do this? Belkin - Seagate - Android. Isn't it about time companies check their products?

    1. Re:Audited Code? by Somebody+Is+Using+My · · Score: 1

      Doesn't anyone do this? Belkin - Seagate - Android. Isn't it about time companies check their products?

      Why should they, when corporations aren't held accountable in any way?

      In fact, stuff like this works to their benefit. "Oops," they say. "We recommend our newer product where this security issue has been fixed." And given the cost of entry for these markets and that apparently all corporations now engage in this sort of behavior, there is nothing for the customer to do but accept it. Writing properly audited code is not only expensive, it quite possibly would cost them sales.

      I'd recommend regulation to fix this sort of thing, except the government has too much advantage in allowing these vulnerabilities to continue too.

      Lawsuits might work for a while, at least until they start adding verbiage to the post-sale click-through license agreements that require us all to agree to these "accidentally" open ports as a requirement of use of our purchased products.

    2. Re:Audited Code? by Anonymous Coward · · Score: 0

      Belkin puts in its own backdoors. Remember their router that injected ads into the customer's HTTP stream?

      Never buy Belkin.

  12. Whew... by davidwr · · Score: 1

    ... for a minute there I thought this was a bug in the drive firmware.

    At least with a NAS box bug I can plug in USB and turn off the network interface. With a drive firmware bug I can't really prevent being p0wned until I update the firmware, and drive-firmware updates sometimes require a full backup before you even get started.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.

    1. Re:Whew... by Anonymous Coward · · Score: 0

      Why should you have to do that in the first place?

  13. Comment removed by account_deleted · · Score: 2

    Comment removed based on user account deletion

  14. Seagate Kinetic? by Anonymous Coward · · Score: 0

    Seagate has a new product line, Kinetic, which among other things is basically the hard drive has ethernet so it is its own server. Wonder what backdoor it would have in its firmware???

  15. Zyzel NSA325 by drolli · · Score: 1

    Cheap, you can install debian (Why on earth does every NAS Manufacturer think that he can do better than to take a standard distribution).

    1. Re:Zyzel NSA325 by Anonymous Coward · · Score: 0

      >Zytel NSA325
      >NSA325
      >NSA
      I'm on to your shenanigans, G-man.

  16. Yet another reason not to buy Seagate... by Drakonblayde · · Score: 5, Insightful

    On the other hand, anyone who expects a hard drive in a cheap enclosure that offers network services to have a focus on security is a little whacko. If you're serious about network storage, you buy bare drives and put them in something like a Synology, QNAP, or Drobo. I stopped buying external drives with embedded software that I couldn't wipe awhile ago. Right now, the only external drives I use are WD Elements because they provide what I'm looking for in an external drive - storage on a USB cable and nothing else

    1. Re:Yet another reason not to buy Seagate... by Anonymous Coward · · Score: 2, Interesting

      If you're serious about network storage, you build a FreeNAS server with server parts including ECC RAM and multiple NICs teamed together. You fill it up with WD Red Pro drives or another drive that has appropriate TLER settings for NAS usage. You also plug it into a decent UPS ($300+ true sine wave unit).

      In no universe are Synology, QNAP or Drobo anything more than consumer toys.

    2. Re:Yet another reason not to buy Seagate... by Anonymous Coward · · Score: 0

      True sine wave UPSes do not cost $300. I also run WD green drives in my FreeNAS box with RAIDZ2 with no issue. You just have to turn off the head parking.

    3. Re:Yet another reason not to buy Seagate... by Anonymous Coward · · Score: 0

      If you're serious about network storage, you build a FreeNAS server with server parts including ECC RAM and multiple NICs teamed together.

      Hell, if you're an amateur hour rockstar who just wants to save some pr0n, you use ECC RAM.

      Don't. Use. Shitty. RAM. For. Storage. Applications.

      This has been a public service announcement.

    4. Re:Yet another reason not to buy Seagate... by thegarbz · · Score: 1

      Don't worry. The hackers won't be able to get at the data because the drive will crash and you'll lose everything before they even get their telnet terminal up.

    5. Re:Yet another reason not to buy Seagate... by KingMotley · · Score: 1

      No real use in getting drives with TLER settings for a NAS as most NAS's don't use a hardware RAID controller and will happily wait for the drive to try all attempts at recovery, even if it takes two minutes.

    6. Re:Yet another reason not to buy Seagate... by Drakonblayde · · Score: 1

      In no universe are Synology, QNAP or Drobo anything more than consumer toys.

      That's a cute sentiment, but I know quite a few small and medium sized businesses that would disagree with you. The higher end units are perfectly capable of performing, they're easy to setup and deploy, and you don't need to keep someone on staff or retainer to perform sysadmin duties for you.

  17. Hilarious extract from website by Tokolosh · · Score: 3, Funny

    From CERT website, with prominent NSA logo (https://www.kb.cert.org/vuls/id/903500):

    "Tangible Security would also like to publically thank Seagate for their cooperation and desire to make their products and customers more secure."

    --
    Prove anything by multiplying Huge Number times Tiny Number

    1. Re:Hilarious extract from website by Tokolosh · · Score: 0

      Oops, Homeland Security, not NSA.

      Oops again, they are the same thing.

      --
      Prove anything by multiplying Huge Number times Tiny Number

    2. Re:Hilarious extract from website by Anonymous Coward · · Score: 0

      Not to mention "Alcohol was reportedly not a factor."

      From the decision to hard-code a back door after years of evidence that doing so is a Very Bad Thing(tm), the first thing that came to mind when reading that it's happened again was "here, hold my drink".

  18. NAS is a fad anyways by buckfeta2014 · · Score: 2

    The only difference between a file server and a NAS is the ridiculously bad CPU and slow, clunky software it's packed with. If you really want a file server, just grab a random linux distro and install it on a PC with a lot of disks.

    --
    Buck Feta. You know what to do.

    1. Re:NAS is a fad anyways by Anonymous Coward · · Score: 0

      Only if size, noise, power consumption & heat output don't matter.....after all, virtually all NAS's are simply a linux distribution with a cure GUI on top, meaning the only real difference IS the physical layer....

    2. Re:NAS is a fad anyways by Anonymous Coward · · Score: 0

      Then use a portable USB drive. No need for it to be networked if all you want is a place to dump your porn.

    3. Re:NAS is a fad anyways by drinkypoo · · Score: 1

      Then use a portable USB drive. No need for it to be networked if all you want is a place to dump your porn.

      That's only true if you only own one computer. For those of us with three netbooks, one laptop, two tablets, two smartphones, two desktops, and a set-top box in the house, any or all of which may be rebooted or turned off at any given moment, there's substantial utility to NAS.

      Right now Kodi on my Android tablet (with HDMI output) is indexing my media so that it can play it across the network gracefully while acting as an STB. As controllers I have the option of the PS3 BD-ROM remote (which I can remap with External Keyboard Helper, or I can mangle XBMC config files...) or the PS3 Dual Shock 3 Sixaxis controller... I get to turn my PC off and save me some Wh because the tablet draws less than 20W peak while charging and my NAS less than 10W. And it's a $20 Pogoplug, with GigE, SATA, and USB3. And that's the price in a new retail box with an included wall wart. I did have to add an SD card; 4GB will do, 8GB is roomier.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    4. Re:NAS is a fad anyways by PRMan · · Score: 1

      My Asus 9" netbook also uses less than 10W, once I turned off the WiFi and Bluetooth radios. I replaced the main drive with an SSD and connected a 3TB HDD to the USB port and I have a nice 24/7 "NAS" running Windows 10 file sharing.

      --
      Peter predicted that you would "deliberately forget" creation 2000 years ago...
    5. Re:NAS is a fad anyways by KingMotley · · Score: 1

      Hated using XBMC (Now Kodi) for multiple network devices. Have you tried PLEX? It works so much better.

    6. Re:NAS is a fad anyways by drinkypoo · · Score: 1

      Hated using XBMC (Now Kodi) for multiple network devices. Have you tried PLEX? It works so much better.

      I didn't like Plex as much. I do wish that XBMC had a media info server, though.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    7. Re: NAS is a fad anyways by KingMotley · · Score: 1

      What do you like more about kodi? I'm curious what they've added recently. Granted, I think the UI on the PC client is better than PLEX, however, PLEX has multiple user support (each with their own watched, queue lists), mobile support (with sync), and has a client for just about everything (some better than others). iOS client is good. Android client is ok. Xbox one client is likely the worst of the "official" clients. There is even an unofficial plug in for kodi.

    8. Re: NAS is a fad anyways by KingMotley · · Score: 1

      I forgot PLEX has the ability to have a central media server (or servers) and all clients can watch anything from any server, and sharing with friends and family (for those graduation and birthday movies of course).

    9. Re: NAS is a fad anyways by drinkypoo · · Score: 1

      What do you like more about kodi? I'm curious what they've added recently. Granted, I think the UI on the PC client is better than PLEX,

      The UI on the PC client is the same as on Android, except that I deliberately chose a touch-friendly skin (re-Touched, which is now an official one) for Kodi on my tablet.

      I haven't tried Plex in a while, but last time I did, it didn't play as much of my media as Kodi did. I also just liked the layout of the Kodi skins I've used better than the Plex layout.

      Since I only have a couple of devices, it's not like I have a huge duplication of effort maintaining metadata. I guess you can back that stuff up, but I never have bothered.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  19. Thought of purchasing one, thought better by Anonymous Coward · · Score: 2, Insightful

    A few weeks ago, thought of purchasing one.

    Then, I remembered I had a raspberry pi 2, an old 1tb drive, a usb wireless dongle, and 15 minutes of spare time.

    I now have a device running ssh, that I can rsync to properly firewalled, and can act as an ssh proxy.

    Raspberry Pi 2: $30 - on sale
    Old 1TB Drive : "FREE"
    USB to SATA Converter: $5.00 - with sleep mode!
    Wireless Dongle : Free
    Raspberry Pi Case: $7.99
    2.1A Power Supply : Free

    NO KNOWN BACKDOORS: PRICELESS
    FULL CONTROL OF MY HARDWARE: PRICELESS
    FULL CONTROL OF MY DATA: PRICELESS

  20. Didn't "support" linux by Anonymous Coward · · Score: 0

    I haven't bought a Seagate drive since they made that FreeAgent USB drive that was made so it only supported Windows.

  21. And THAT'S... by jofas · · Score: 1

    ...why you build your own NAS.

  22. Undocumented Telnet Commands by Anonymous Coward · · Score: 1

    You can find information on undocumented Telnet Commands and tidbits on Seagate drives at http://webcache.googleusercont...

  23. made in... by harvey+the+nerd · · Score: 1

    "made in NSA" ?? These guys have been at that stuff for decades. Better hope it wasn't FSA or Cn...

  24. Re:Security updates good. by mentil · · Score: 1

    My security update procedure is: laziness. Unfortunately, I'm too lazy to update the procedure.

    --
    Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
  25. Buy American by Anonymous Coward · · Score: 0

    and this is what you get. Get used to it, or find alternatives.

  26. Not a backdoor by javispedro · · Score: 5, Informative
    This is not a backdoor.
    • It is not undocumented. It uses Arago, an actually open GNU/Linux distribution as firmware (so it is more open source than your average android device!), and the ability to root it via telnet has been available since day 1, with a widely known password.
    • It is not remote, since to access it you need to join the NAS WLAN, and for that you need the passphrase created by the user. If you've managed to guess the passphrase/break that layer, then you've already crossed the airtight hatchway: at that point you can already view all the files on the disk, install adware, viruses, etc.
    • This was being used by plenty of people to install custom Linux distributions such as Debian or Arch on relatively inexpensive hardware. There's even a user-focused distribution for the device.

    Basically, another group of security ``researchers'' (use of quotes intentional) manage to force a company making a relatively open embedded product to close it down for tinkerers, while not improving the security of the product at all.

    I hate this world.

  27. not a bug a feature by nvm_my_comment · · Score: 1

    Lady and gentleman... The NSA NAS! The NSA should give up already... just open up nsa.org and give everyone fast, free unlimited storage, email, etc. Heck, I'd subscribe.