Security News This Week: Hackers Are Erasing Western Digital Hard Drives Remotely


Anonymous

Jun 27, 2021, 4:23:29 AM

freef...@club-internet.fr

Jun 27, 2021, 7:28:09 AM
>
> https://www.wired.com/story/western-digital-hard-drives-erased-
> amazon-wickr-security-news/

Please put <> around links to force them onto one line. You
probably know that but are just too lazy to do it.

<https://www.wired.com/story/western-digital-hard-drives-erased-
amazon-wickr-security-news/>

Philip Herlihy

Jun 27, 2021, 8:09:09 AM
In article <sb9nc7$k97$1...@news.mixmin.net>, freef...@club-internet.fr says...
I for one didn't know that - but it doesn't work on my newsreader (Gravity). I
have noticed, though, that some "wrapped" URLs do seem to work, and I'd be glad
to know what actually does work to solve this problem.

--

Phil, London

Rabid Roach

Jun 27, 2021, 9:19:09 AM
On 2021-06-27 4:23 a.m., Anonymous wrote:
> https://www.wired.com/story/western-digital-hard-drives-erased-
> amazon-wickr-security-news/

Even though I still had a WD Passport external drive, I completely lost
faith in them as a company when the hard disk I purchased for the laptop
I owned from 2010 to 2015 died after 8 months without warning. I've
never seen a hard disk die that quickly, and it's not like I was lugging
the laptop around while sleeping or anything.


--
Rabid Roach
Immune to all of your __ist labels.

J. P. Gilliver (John)

Jun 27, 2021, 9:36:02 AM
On Sun, 27 Jun 2021 at 09:19:06, Rabid Roach <ra...@roa.ch> wrote (my
responses usually follow points raised):
>On 2021-06-27 4:23 a.m., Anonymous wrote:
>> https://www.wired.com/story/western-digital-hard-drives-erased-
>> amazon-wickr-security-news/
>
>Even though I still had a WD Passport external drive, I completely lost
>faith in them as a company when the hard disk I purchased for the
>laptop I owned from 2010 to 2015 died after 8 months without warning.
>I've never seen a hard disk die that quickly, and it's not like I was
>lugging the laptop around while sleeping or anything.
>
>
I had to read that twice to dispel the image of you wandering around in
your night attire, arms out in front of you, laptop bag over your
shoulder!
--
J. P. Gilliver. UMRA: 1960/<1985 MB++G()AL-IS-Ch++(p)Ar@T+H+Sh0!:`)DNAf

Under capitalism, man exploits man. Under communism, it's just the opposite.
- J. K. Galbraith, economist

rbowman

Jun 27, 2021, 12:46:52 PM
Which did absolutely nothing on Thunderbird...

Char Jackson

Jun 27, 2021, 3:52:28 PM
On Sun, 27 Jun 2021 06:28:07 -0500, "freef...@club-internet.fr"
<freef...@club-internet.fr> wrote:

>>
>> https://www.wired.com/story/western-digital-hard-drives-erased-
>> amazon-wickr-security-news/
>
> Please put <> around links to force them onto one line. You
>probably know that but are just too lazy to do it.
>

Unwrapping the URL so it works with older clients (like mine).

<https://www.wired.com/story/western-digital-hard-drives-erased-amazon-wickr-security-news/>

Char Jackson

Jun 27, 2021, 3:53:47 PM
On Sun, 27 Jun 2021 09:19:06 -0400, Rabid Roach <ra...@roa.ch> wrote:

>On 2021-06-27 4:23 a.m., Anonymous wrote:
>> https://www.wired.com/story/western-digital-hard-drives-erased-
>> amazon-wickr-security-news/
>
>Even though I still had a WD Passport external drive, I completely lost
>faith in them as a company when the hard disk I purchased for the laptop
>I owned from 2010 to 2015 died after 8 months without warning. I've
>never seen a hard disk die that quickly, and it's not like I was lugging
>the laptop around while sleeping or anything.

One bad drive and you lose faith in the entire company? Every storage
company has a less than 100% success rate.

Clifford

Jun 27, 2021, 4:48:05 PM
On 27 Jun 2021, "J. P. Gilliver (John)" <G6...@255soft.uk> posted some
news:WUHFunJj...@255soft.uk:

> On Sun, 27 Jun 2021 at 09:19:06, Rabid Roach <ra...@roa.ch> wrote (my
> responses usually follow points raised):
>>On 2021-06-27 4:23 a.m., Anonymous wrote:
>>> https://www.wired.com/story/western-digital-hard-drives-erased-
>>> amazon-wickr-security-news/
>>
>>Even though I still had a WD Passport external drive, I completely lost
>>faith in them as a company when the hard disk I purchased for the
>>laptop I owned from 2010 to 2015 died after 8 months without warning.
>>I've never seen a hard disk die that quickly, and it's not like I was
>>lugging the laptop around while sleeping or anything.
>>
>>
> I had to read that twice to dispel the image of you wandering around in
> your night attire, arms out in front of you, laptop bag over your
> shoulder!

"Hit him with your purse!" came to mind.

Rabid Roach

Jun 27, 2021, 7:04:38 PM
Eight months is not normal. Even the crappy Seagate I had in there
before it lasted a good three years and they're like the worst after ADATA.

Char Jackson

Jun 27, 2021, 7:50:13 PM
I think your position is extreme but I won't belabor the point.

John Doe

Jun 27, 2021, 7:53:00 PM
Chronic nym-shifting deranged troll...

--
Anonymous <nob...@remailer.paranoici.org> wrote:

> From: Anonymous <nob...@remailer.paranoici.org>
> Subject: Security News This Week: Hackers Are Erasing Western Digital Hard Drives Remotely
> Message-ID: <d3c3e10f300de382...@remailer.paranoici.org>
> Date: Sun, 27 Jun 2021 10:23:22 +0200 (CEST)
> Newsgroups: alt.privacy.anon-server, alt.comp.os.windows-10, alt.comp.hardware.homebuilt, comp.os.linux.advocacy
> Path: eternal-september.org!reader02.eternal-september.org!news.mixmin.net!sewer!news.dizum.net!not-for-mail
> Organization: dizum.com - The Internet Problem Provider
> X-Abuse: ab...@dizum.com
> Injection-Info: sewer.dizum.com - 2001::1/128
> Xref: reader02.eternal-september.org alt.privacy.anon-server:81572 alt.comp.os.windows-10:147352 alt.comp.hardware.homebuilt:2290 comp.os.linux.advocacy:823006
>
> https://www.wired.com/story/western-digital-hard-drives-erased-
> amazon-wickr-security-news/
>
>
>

Anonymous Remailer (austria)

Jun 27, 2021, 8:21:11 PM

In article <sbb30r$3d9$2...@dont-email.me>
John Doe <alway...@message.header> wrote:
>
> Chronic nym-shifting deranged troll...
>

Yawn.

Ant

Jun 27, 2021, 8:30:43 PM
In alt.comp.hardware.homebuilt Clifford <an...@anon.com> wrote:
...
> "Hit him with your purse!" came to mind.

I prefer socks with bricks inside like Homey the Clown. ;)
--
The last baby bird left its nest as of 6/25/2021 at 10:13 AM PDT! :O Go L.A. Clippers! Beat those hot Suns! :P
Note: A fixed width font (Courier, Monospace, etc.) is required to see this signature correctly.
/\___/\ Ant(Dude) @ http://aqfl.net & http://antfarm.home.dhs.org.
/ /\ /\ \ Please nuke ANT if replying by e-mail.
| |o o| |
\ _ /
( )

chrisv

Jun 28, 2021, 7:33:38 AM
Char Jackson wrote:

> Rabid Roach AKA "Slimer" wrote:
>>
>> Char Jackson wrote:
>>>
>>> Rabid Roach, AKA "Slimer" wrote:
>>>>
>>>> Even though I still had a WD Passport external drive, I completely lost
>>>> faith in them as a company when the hard disk I purchased for the laptop
>>>> I owned from 2010 to 2015 died after 8 months without warning. I've
>>>> never seen a hard disk die that quickly, and it's not like I was lugging
>>>> the laptop around while sleeping or anything.
>>>
>>> One bad drive and you lose faith in the entire company? Every storage
>>> company has a less than 100% success rate.
>>
>>Eight months is not normal. Even the crappy Seagate I had in there
>>before it lasted a good three years and they're like the worst after ADATA.

Idiot. No one thinks that it is normal. You missed the point
entirely.

>I think your position is extreme but I won't belabor the point.

Oh, "Slimer" is extreme, all right. He's a Nazi or, at least, a Nazi
sympathizer.

--
"All I have to say to you is that it is a shame what the Allies did to
the innocent German people during the Second World War and if I had
been there during that time and known the facts as I do today, I would
have gladly fought alongside your countrymen for the cause of National
Socialism." - "Slimer"

Mayayana

Jun 28, 2021, 8:11:33 AM
<freef...@club-internet.fr> wrote

| Please put <> around links to force them onto one line. You
| probably know that but are just too lazy to do it.
|

While you're fighting about links...

It turns out the story is not what it seems:

https://hardware.slashdot.org/story/21/06/27/008211/western-digital-blames-remotely-installed-trojans-for-wiping-my-book-storage-devices

The problem is with "My Book Live", an idiotic and unsafe
"personal cloud" device designed to be accessed from
online. So as with remote desktop, the real problem is with
people thinking it's safe to allow direct access to their
computers from the Internet.


nospam

Jun 28, 2021, 8:21:56 AM
In article <sbce9k$kjk$1...@dont-email.me>, Mayayana
<maya...@invalid.nospam> wrote:

>
> The problem is with "My Book Live", an idiotic and unsafe
> "personal cloud" device designed to be accessed from
> online. So as with remote desktop, the real problem is with
> people thinking it's safe to allow direct access to their
> computers from the Internet.

it is when done properly.

this was not.

Carlos E.R.

Jun 28, 2021, 1:25:29 PM
Well, that's the idea they were given.

People are not computer experts to know better.

(removing advocacy group)

--
Cheers, Carlos.

Frank Slootweg

Jun 29, 2021, 9:57:01 AM
I must be really, really stupid: Out of three lost drives, two were
Western Digital (WD) drives [1]. And what did I do? I bought yet another
WD drive. Some people deserve all the bad luck they get!

[1] Adding insult to injury - and to get back on topic - one of them was
in a WD MyCloud NAS.

Frank Slootweg

Jun 29, 2021, 9:57:01 AM
Mayayana <maya...@invalid.nospam> wrote:
[...]
> It turns out the story is not what it seems:
>
> https://hardware.slashdot.org/story/21/06/27/008211/western-digital-blames-remotely-installed-trojans-for-wiping-my-book-storage-devices
>
> The problem is with "My Book Live", an idiotic and unsafe
> "personal cloud" device designed to be accessed from
> online. So as with remote desktop, the real problem is with
> people thinking it's safe to allow direct access to their
> computers from the Internet.

It's not 'idiotic' and it's not 'unsafe', but like anything, it *can*
be *made* unsafe in the hands of clueless people. No news at eleven.

I had a similar device, a WD (Western Digital) MyCloud NAS, and have
a similar device, a Synology DS115j NAS. I did and do not use the
'personal cloud' feature, because I do not really need it and - like
anything and everything - it has its risks.

Also note that the reports are about people 'losing all their data'!
How is that possible? Did they only have *one* copy of their data? If
so, that was yet another user-caused problem. Again, no news at eleven.

As to "the real problem is with people thinking it's safe to allow
direct access to their computers from the Internet", it's not about
access to their computers, but to their data. And guess what, quite a
lot of their - and mine and your - data has "direct access from the
Internet" and is only protected by a username+password and perhaps 2FA.
Think of any and all of your online accounts - including, but by no
means limited to - email, bank(s), etc., etc.. The main difference is
that in the latter cases, security is partly/mostly managed by the
service provider, instead of only by the user.

nospam

Jun 29, 2021, 11:09:51 AM
In article <sbffd9...@ID-201911.user.individual.net>, Frank Slootweg
<th...@ddress.is.invalid> wrote:

> >
> > The problem is with "My Book Live", an idiotic and unsafe
> > "personal cloud" device designed to be accessed from
> > online. So as with remote desktop, the real problem is with
> > people thinking it's safe to allow direct access to their
> > computers from the Internet.
>
> It's not 'idiotic' and it's not 'unsafe', but like anything, it *can*
> be *made* unsafe in the hands of clueless people. No news at eleven.

yep, but unfortunately, there are a lot of clueless people and the
default settings are often that of convenience more than security.

> I had a similar device, a WD (Western Digital) MyCloud NAS, and have
> a similar device, a Synology DS115j NAS. I did and do not use the
> 'personal cloud' feature, because I do not really need it and - like
> anything and everything - it has its risks.

what i do is use a vpn to connect directly into my home network. i can
then access servers or other computers, which all have username and
passwords of their own (and not the same as the vpn), so it's going to
be quite an accomplishment for someone to hack into anything. nothing
is 100% secure, but this is close enough without going wildly
overboard.

> Also note that the reports are about people 'losing all their data'!
> How is that possible? Did they only have *one* copy of their data? If
> so, that was yet another user-caused problem. Again, no news at eleven.

yep.

the same net effect would have happened if their backup drive had
failed rather than be remotely erased, but that doesn't make for any
headlines.

> As to "the real problem is with people thinking it's safe to allow
> direct access to their computers from the Internet", it's not about
> access to their computers, but to their data. And guess what, quite a
> lot of their - and mine and your - data has "direct access from the
> Internet" and is only protected by a username+password and perhaps 2FA.
> Think of any and all of your online accounts - including, but by no
> means limited to - email, bank(s), etc., etc.. The main difference is
> that in the latter cases, security is partly/mostly managed by the
> service provider, instead of only by the user.

yep, but unfortunately, their security is often quite poor.

at least one of experian's servers had a login of admin/admin.

<https://www.forbes.com/sites/kateoflahertyuk/2019/10/20/equifax-lawsuit-
reveals-terrible-security-practices-at-time-of-2017-breach/>
Brace yourself, because this isn't going to make pretty reading,
especially if you're a cybersecurity professional. According to
the filing in the U.S. District Court for the Northern District of
Georgia, Atlanta Division, Equifax was protecting sensitive
personal information on a portal used to manage credit disputes
with the username "admin."

And if that wasn't enough, the password protecting that data was
probably the first one an attacker would guess: Yes that's right, it
was also "admin," according to the lawsuit.

The class action lawsuit calls this "a sure-fire way to get hacked."

But that is not all. The lawsuit also points out that Equifax was
storing unencrypted user data on a public facing server - so it could
have been viewed by any attacker who chose to compromise it.
Meanwhile, Equifax didn't encrypt its mobile applications either - and
when it did encrypt data, it left the encryption keys on the same
public facing servers.

Mayayana

Jun 29, 2021, 5:52:31 PM
"Frank Slootweg" <th...@ddress.is.invalid> wrote

| > The problem is with "My Book Live", an idiotic and unsafe
| > "personal cloud" device designed to be accessed from
| > online. So as with remote desktop, the real problem is with
| > people thinking it's safe to allow direct access to their
| > computers from the Internet.
|
| It's not 'idiotic' and it's not 'unsafe'

There are some things that can't be made entirely safe. One
is javascript in browsers. Another is setting up your system
for remote access. There are reasons to risk both. There's
no sensible reason to risk it in order to have a "private cloud".
Thus, idiotic.

| Also note that the reports are about people 'losing all their data'!
| How is that possible? Did they only have *one* copy of their data?

Maybe so, maybe not. That wasn't the point. The point was that
their disks were erased. Rather shocking, don't you think, backup
or not? You can pretend there's no risk to what
you're doing but it just isn't true.


nospam

Jun 29, 2021, 6:16:42 PM
In article <sbg4mt$gqu$1...@dont-email.me>, Mayayana
<maya...@invalid.nospam> wrote:

> | > The problem is with "My Book Live", an idiotic and unsafe
> | > "personal cloud" device designed to be accessed from
> | > online. So as with remote desktop, the real problem is with
> | > people thinking it's safe to allow direct access to their
> | > computers from the Internet.
> |
> | It's not 'idiotic' and it's not 'unsafe'
>
> There are some things that can't be made entirely safe.

not just some things. *everything* cannot be made entirely safe.

> One
> is javascript in browsers. Another is setting up your system
> for remote access. There are reasons to risk both. There's
> no sensible reason to risk it in order to have a "private cloud".
> Thus, idiotic.

there are plenty of reasons for a private cloud, which can be extremely
safe when done correctly.

part of that requires not using abandoned hardware with unpatched
exploits.

> | Also note that the reports are about people 'losing all their data'!
> | How is that possible? Did they only have *one* copy of their data?
>
> Maybe so, maybe not. That wasn't the point. The point was that
> their disks were erased. Rather shocking, don't you think, backup
> or not? You can pretend there's no risk to what
> you're doing but it just isn't true.

everything has a risk.

hard drives can fail without any cloud.
fire/flood/etc. can destroy them (and a lot more).
users can mistakenly delete important files.

if the users had multiple copies, then it doesn't matter if one of them
is lost. there are others.

Frank Slootweg

Jun 30, 2021, 8:56:34 AM
Mayayana <maya...@invalid.nospam> wrote:
> "Frank Slootweg" <th...@ddress.is.invalid> wrote
>
> | > The problem is with "My Book Live", an idiotic and unsafe
> | > "personal cloud" device designed to be accessed from
> | > online. So as with remote desktop, the real problem is with
> | > people thinking it's safe to allow direct access to their
> | > computers from the Internet.
> |
> | It's not 'idiotic' and it's not 'unsafe'
>
> There are some things that can't be made entirely safe. One
> is javascript in browsers. Another is setting up your system
> for remote access. There are reasons to risk both. There's
> no sensible reason to risk it in order to have a "private cloud".
> Thus, idiotic.

I think you don't quite know what a "personal cloud" is and is not.

You seem to say that "There are reasons to risk" "setting up your
system for remote access". If so, guess what? The "personal cloud" is
also a system which you set up for remote access. It's just not - at
least not mainly - a *computational* system, big deal. The "personal
cloud" is just a way to access one's files from the Internet, just like
"setting up your system for remote access" is, no more, no less.

I think that the mere mention of "cloud" gets your knickers in a
twist. Lighten up! It's just a buzz word. We already did "cloud" four
decades ago, only it was called Remote File Access (RFA), Network File
System (NFS), etc.. (See also the - snipped - analogies in my earlier
post.)

> | Also note that the reports are about people 'losing all their data'!
> | How is that possible? Did they only have *one* copy of their data?
>
> Maybe so, maybe not. That wasn't the point. The point was that
> their disks were erased. Rather shocking, don't you think, backup
> or not? You can pretend there's no risk to what
> you're doing but it just isn't true.

I'm not doing anything (see the part you snipped), but it's just a
case of misconfigured system gets compromised. No news at eleven.

FYI, (before my previous post), I checked the configuration of my
(Synology DS115j) NAS which has "personal cloud" functionality. Guess
what? The default is that that functionality is completely disabled.

Bottom line: If you would be "setting up your system for remote
access" without proper security (i.e. authentication, etc.) and someone
would access your system and erase your disk(s), would that also be all
over the news and people blaming Microsoft or/and whoever made your
computer, disk, <whatever>!? I don't think so.

Mayayana

Jun 30, 2021, 11:13:58 AM
"Frank Slootweg" <th...@ddress.is.invalid> wrote

| > There are some things that can't be made entirely safe. One
| > is javascript in browsers. Another is setting up your system
| > for remote access. There are reasons to risk both. There's
| > no sensible reason to risk it in order to have a "private cloud".
| > Thus, idiotic.
|
| I think you don't quite know what a "personal cloud" is and is not.
|
| You seem to say that "There are reasons to risk" "setting up your
| system for remote access". If so, guess what? The "personal cloud" is
| also a system which you set up for remote access. It's just not - at
| least not mainly - a *computational* system, big deal. The "personal
| cloud" is just a way to access one's files from the Internet, just like
| "setting up your system for remote access" is, no more, no less.

Yes. That's the point. If you set it up to be accessible from online
then you've set it up to be hacked from online. That's why so many
attacks in the past have exploited remote desktop, RPC, etc. Once
you're able to reach your own computer remotely, or allow others to
by allowing your tech support to work on your desktop, for example,
then you've made the mistake of applying intranet security protocols
to the Internet and you're a sitting duck.

That's also why there are so
many problems with hacked security cameras, thermostats, door
locks, etc. We're creating the IoT without having learned this basic
lesson in security -- that if you want a door opening to the Internet
you need to keep it locked. Why do these problems keep happening?
Because security is a hassle. You want to be able to get your files
in the easiest possible way. So we pretend the real problem was a bug
that needed a fix. Or bad config. But there's no end of such problems.
That's why credit card and corporate database hacks are constant.
That's why the Russians can turn off the US electric grid. The real
problem is that you're allowing people from outside to come in the
front door. The real problem is that these systems shouldn't be online
in the first place.

I knew you'd be back to argue this. :) But you're shooting the
messenger. There are reasons to allow remote access, as I said,
but there are also risks. You don't do yourself any favors by blaming
my imagined paranoia for those risks.

This lesson was demonstrated in the early days of XP. People
started getting scam popups on their systems. Why? The Messenger
service was running by default. Messenger is something that allows
a corporate network admin to post messages on employee systems,
like, "Don't forget to turn off your computer before leaving on Friday.
There will be building maintenance this weekend."

So why was that a problem? Because MS designs Windows to be
a corporate workstation on an intranet where the network is trusted.
With default config it was easy for outsiders online to use Messenger
service. Much of the history of bugs follows a general trend of creating
such holes and then patching them. Automatic updates, COM+, DCOM,
RPC, Messenger, NetMeeting, Remote Registry, javascript in browsers,
ActiveX, Flash, Silverlight, Java... and on and on. They're all clever
tools for use locally or on intranets that make Windows computers
unsafe online.

| but it's just a
| case of misconfigured system gets compromised.

Yes. That's always the culprit. The problem is not that
you left your front door unlocked. The problem is just that you don't
have a backup TV to replace the one that was just stolen. Or the
problem is that you didn't lock down the TV. Yes, that's
all true, to a point. But the fact that these problems are possible
is due to the fact you didn't lock the front door. For convenience.

When your "smart" thermostat is hacked to freeze your pipes
(not to mention the extensive spying Google does on their
thermostats) you can blame it on a software bug, or a missed
update, or faulty configuration, or whatever. But the real
risk was simply having it in the first place. If you want to be
able to call your house from work to turn the heat on then you're
creating possible vulnerabilities. If that's really important to you
then that's up to you. But you might also ask yourself: Do I
really need to talk to my thermostat over my phone? What kind
of nut have I turned into? (Whether you ask the 2nd question
is up to you. :)



nospam

Jun 30, 2021, 11:43:44 AM
In article <sbi0mm...@ID-201911.user.individual.net>, Frank Slootweg
<th...@ddress.is.invalid> wrote:

> FYI, (before my previous post), I checked the configuration of my
> (Synology DS115j) NAS which has "personal cloud" functionality. Guess
> what? The default is that that functionality is completely disabled.

synology's cloud is very safe.

another option is use synology's vpn app (which might need to be
installed) for direct access, skipping synology's cloud entirely.

or just leave it off.

> Bottom line: If you would be "setting up your system for remote
> access" without proper security (i.e. authentication, etc.) and someone
> would access your system and erase your disk(s), would that also be all
> over the news and people blaming Microsoft or/and whoever made your
> computer, disk, <whatever>!? I don't think so.

yep.

nospam

Jun 30, 2021, 11:43:45 AM
In article <sbi1nl$r5s$1...@dont-email.me>, Mayayana
no, the real problem is that security is an afterthought.

experian had a login of admin/admin on a public-facing server on the
internet. that's just begging to be hacked.

AJL

Jun 30, 2021, 12:09:54 PM
On 6/30/2021 8:13 AM, Mayayana wrote:

> When your "smart" thermostat is hacked to freeze your pipes (not to
> mention the extensive spying Google does on their thermostats) you
> can blame it on a software bug, or a missed update, or faulty
> configuration, or whatever.

Or the power company? My electric company gives away free smart
thermostats. We are now having a severe heat wave. The electric company
remotely raised the temperature on everybody's thermostat a few
degrees to lessen the strain on the power grid.

nospam

Jun 30, 2021, 12:13:25 PM
that was something you opted into in exchange for a free thermostat.
those who bought it outright do not have that constraint.

it's also a good thing, because if the grid is overloaded, the result
is no power.

Mayayana

Jun 30, 2021, 12:30:07 PM
"AJL" <noe...@none.com> wrote
I saw that.

https://hardware.slashdot.org/story/21/06/19/2122221/some-texans-surprised-their-smart-thermostats-are-being-raised-remotely

There was an argument in a Reddit privacy forum. Apparently some
people were stunned that their thermostat was taken over, while
others said they had agreed to it in exchange for lower rates. But
the reported case seemed fishy: People "agreed" in exchange for
being entered into some sort of mickey mouse sweepstakes. But
who would even think of needing to agree to, or watch out for,
such a thing when simply buying a thermostat?

Google came to my mind because I just started reading The Age
of Surveillance Capitalism. In the introduction the author uses the
example of Google's Nest thermostat, which has app tie-ins, motion
detectors, and connections to other devices that can allow Google
to track and study people's activities around the house. A study
showed that anyone attempting to actually have a real contract
to approve of all such spying through the device would require
over 1,000 contracts... And of course, these things have been
hacked. But the people who buy them don't think of that. Nor
should they. The tech geniuses are all telling them it's the
greatest thing since sliced bread. You can probably get an app
to have your Nest call for your Egg McMuffin to be delivered as
soon as the connected security cameras detect your eyes opening.
Who wouldn't want that? :)


AJL

Jun 30, 2021, 12:30:43 PM
On 6/30/2021 9:13 AM, nospam wrote:
> AJL <noe...@none.com> wrote:

>> My electric company gives away free smart thermostats. We are now
>> having a severe heat wave. The electric company remotely raised
>> the temperature on everybody's thermostat a few degrees to lessen
>> the strain on the power grid.

> that was something you opted into in exchange for a free thermostat.

I never opted in to it. I do have a smart thermostat that came with my
AC but I have never hooked it to the WiFi. Call it paranoia?

> it's also a good thing, because if the grid is overloaded, the
> result is no power.

Agreed. I always keep mine set to 78F which is what the power
company raised the others to. So I did my part anyway. But my real
incentive is to keep the electric bill within reason...


nospam

Jun 30, 2021, 12:50:05 PM
In article <sbi66e$sll$1...@dont-email.me>, Mayayana
<maya...@invalid.nospam> wrote:

> There was an argument in a Reddit privacy forum. Apparently some
> people were stunned that their thermostat was taken over, while
> others said they had agreed to it in exchange for lower rates. But
> the reported case seemed fishy: People "agreed" in exchange for
> being entered into some sort of mickey mouse sweepstakes. But
> who would even think of needing to agree to, or watch out for,
> such a thing when simply buying a thermostat?

they didn't 'simply buy a thermostat'.

they received a discount, and in some cases, it was completely free,
which requires agreeing to certain terms.

had they paid full price from a store, there would be no strings
attached. in fact, the utility would have no way of knowing there is
even a smart thermostat in use.

> Google came to my mind because I just started reading The Age
> of Surveillance Capitalism. In the introduction the author uses the
> example of Google's Nest thermostat, which has app tie-ins, motion
> detectors, and connections to other devices that can allow Google
> to track and study people's activities around the house. A study
> showed that anyone attempting to actually have a real contract
> to approve of all such spying through the device would require
> over 1,000 contracts... And of course, these things have been
> hacked. But the people who buy them don't think of that. Nor
> should they. The tech geniuses are all telling them it's the
> greatest thing since sliced bread. You can probably get an app
> to have your Nest call for your Egg McMuffin to be delivered as
> soon as the connected security cameras detect your eyes opening.
> Who wouldn't want that? :)

those who don't like egg mcmuffins, obviously.

nospam

Jun 30, 2021, 12:50:07 PM
In article <sbi67h$t15$1...@dont-email.me>, AJL <noe...@none.com> wrote:

>
> >> My electric company gives away free smart thermostats. We are now
> >> having a severe heat wave. The electric company remotely raised
> >> the temperature on everybody's thermostat a few degrees to lessen
> >> the strain on the power grid.
>
> > that was something you opted into in exchange for a free thermostat.
>
> I never opted in to it.

more accurately, you were automatically opted into it as part of the
'free' deal, which is explained in the fine print which nobody reads.

you probably can opt-out, but i don't know if that affects it being
free. different companies have different deals.

> I do have a smart thermostat that came with my
> AC but I have never hooked it to the WiFi. Call it paranoia?

maybe. it's also easy to firewall it if it does something undesirable.

AJL
Jun 30, 2021, 1:17:11 PM
On 6/30/2021 9:50 AM, nospam wrote:
> In article <sbi67h$t15$1...@dont-email.me>, AJL <noe...@none.com>
> wrote:
>
>>
>>>> My electric company gives away free smart thermostats. We are
>>>> now having a severe heat wave. The electric company remotely
>>>> raised the temperature on everybody's thermostat a few degrees
>>>> to lessen the strain on the power grid.
>>
>>> that was something you opted into in exchange for a free
>>> thermostat.
>>
>> I never opted in to it.
>
> more accurately, you were automatically opted into

Nope. It is a volunteer program here. I *didn't* opt in.

> it as part of the 'free' deal, which is explained in the fine print
> which nobody reads.

I don't know the details of those who did opt in as I never got that far.

> you probably can opt-out, but i don't know if that affects it being
> free.

The nice thing of not opting in is that I don't have to opt out.

> different companies have different deals.

Yup.

>> I do have a smart thermostat that came with my AC but I have never
>> hooked it to the WiFi. Call it paranoia?

> maybe. it's also easy to firewall it if it does something
> undesirable.

I would have kept my old dumb thermostat since I didn't really need the
extra gadgetry (YMMV) but the smart one was required with the new
AC/furnace.

nospam
Jun 30, 2021, 1:28:28 PM
In article <sbi8ul$gak$1...@dont-email.me>, AJL <noe...@none.com> wrote:

> I would have kept my old dumb thermostat since I didn't really need the
> extra gadgetry (YMMV) but the smart one was required with the new
> AC/furnace.

that's very different than a utility company offering a nest or ecobee
thermostat as part of a deal.

Frank Slootweg
Jun 30, 2021, 2:07:19 PM
Mayayana <maya...@invalid.nospam> wrote:

[Nearly all deleted.]

> I knew you'd be back to argue this. :) But you're shooting the
> messenger. There are reasons to allow remote access, as I said,
> but there are also risks. You don't do yourself any favors by blaming
> my imagined paranoia for those risks.

I'm not shooting the messenger (and I'm not blaming you for the
risks). It just was - and kinda still is - unclear what the message *was*.

What you wrote was:

> | > There are some things that can't be made entirely safe. One
> | > is javascript in browsers. Another is setting up your system
> | > for remote access. There are reasons to risk both. There's
> | > no sensible reason to risk it in order to have a "private cloud".
> | > Thus, idiotic.

The "Thus, idiotic." part was unspecific, contentless and hence
meaningless and the [not] "entirely safe" was already a backpedal from
your earlier "unsafe". "idiotic"/"unsafe" are not really meaningful
arguments, won't you agree?

So it's not about me blaming you, but about you seeming to blame
unspecified parties for doing/not-doing unspecified things.

Also - 'between the lines' - you seemed to be blaming WD for their
customers losing their data.

But now it seems your *actual*/intended message is "Be very, very
careful with enabling outside Internet access to your 'stuff'!". If so,
we of course all agree.

FWIW, I do not have any of the risky 'IoT' stuff you mentioned. So
don't worry about me! :-)

[Rest deleted.]

Paul
Jun 30, 2021, 5:29:54 PM
Frank Slootweg wrote:
> Mayayana <maya...@invalid.nospam> wrote:
>
> [Nearly all deleted.]
>
>> I knew you'd be back to argue this. :) But you're shooting the
>> messenger. There are reasons to allow remote access, as I said,
>> but there are also risks. You don't do yourself any favors by blaming
>> my imagined paranoia for those risks.

>
> Also - 'between the lines' - you seemed to be blaming WD for their
> customers losing their data.

This article describes the situation as doubly-hilarious.

It's suspected two groups or two individuals were involved,
one initially establishing a botnet made from the WD device,
and a second one using the factory reset vulnerability, to
shut the devices down. It's like you were on your way to the
7-11 convenience store, and get caught in gang crossfire :-)
Oops.

https://arstechnica.com/gadgets/2021/06/hackers-exploited-0-day-not-2018-bug-to-mass-wipe-my-book-live-devices/?comments=1

Now, this is my kind of code. The double-slashes, comment
out the authentication call. It makes you wonder whether
all devices have this code or not.

function post($urlPath, $queryParams = null, $ouputFormat = 'xml') {
// if(!authenticateAsOwner($queryParams))
// {
// header("HTTP/1.0 401 Unauthorized");
// return;
// }

Paul

Frank Slootweg
Jul 1, 2021, 11:27:39 AM
Ah, the story has changed quite a bit! Apparently there *was* already
an unfixed vulnerability, which allowed hackers to obtain full access,
if they knew the IP address of the device.

That vulnerability is CVE-2018-18472, which says:
<https://nvd.nist.gov/vuln/detail/CVE-2018-18472>

"Current Description

Western Digital WD My Book Live and WD My Book Live Duo (all versions)
have a root Remote Command Execution bug via shell metacharacters in
the /api/1.0/rest/language_configuration language parameter. It can be
triggered by anyone who knows the IP address of the affected device, as
exploited in the wild in June 2021 for factory reset commands,"

So - without having to have/know any authentication information (i.e.
username, password) - hackers *could* already *fully* control the
device. The device-wipe (factory reset) - without the need for
*additional* authentication - was just icing on the cake.

So this was/is an unfixed 0-day vulnerability for a device for which
support ended in 2015.

This is an example of the risks of continuing to use out-of-support
hardware/software. Don't get me wrong, I don't blame the users for doing
that, because often it's not feasible to throw away all 'old' stuff and
buy 'new' and start the cycle all over again. It's just a very
unpleasant reminder.

What is not clear from the Ars Technica article, nor from the CVE, is
whether or not the user had to have enabled the "personal cloud"
functionality in order to be vulnerable. I.e. even if the hackers knew
the IP address of the device, could they penetrate from the WAN side of
the router to the LAN side if the "personal cloud" functionality was
*not* enabled? I don't think so, but so far the articles/reports have
been unclear about this aspect. (Again, I'm not blaming the users if
they used this functionality, I'm just wondering if the vulnerability
affects *all* devices or 'only' those with "personal cloud" enabled.)
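An added example, not from this thread, from Ars Technica or from WD: a log-triage check a defender could run over a device's web access log, built around the endpoint and parameter named in CVE-2018-18472 above and Paul's point that the handler ran with its authentication check commented out. It flags the language_configuration endpoint receiving anything other than a plain language code, and any query parameter carrying shell metacharacters. Assumptions: the parameter is visible in the request line of a combined-format log entry; the allow-list pattern, the second path and the log lines themselves are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Endpoint and parameter named in CVE-2018-18472 (taken from the CVE text above).
VULN_PATH = "/api/1.0/rest/language_configuration"
# Assumed legitimate shape of a language setting ("en", "en_US"): anything
# else arriving on this endpoint is treated as an injection attempt.
LANG_OK = re.compile(r"^[a-z]{2}(_[A-Z]{2})?$")
# Characters that carry meaning to a shell and never belong in a language code.
SHELL_META = re.compile(r"[;&|`$(){}<>\r\n]")
# Combined-log-format request line (constructed format for this example).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def analyse_line(line):
    """Return (source_ip, [reasons]) for one log line; reasons is [] when clean."""
    m = LOG_RE.match(line)
    if not m:
        return None, []
    parts = urlsplit(m.group("url"))
    params = parse_qsl(parts.query, keep_blank_values=True)  # values are URL-decoded
    reasons = []
    if parts.path == VULN_PATH:
        for name, value in params:
            if name == "language" and not LANG_OK.match(value):
                reasons.append(f"language_configuration with non-allowlisted value {value!r}")
    for name, value in params:
        if SHELL_META.search(value):
            reasons.append(f"shell metacharacters in parameter {name!r}")
    return m.group("src"), reasons

def scan(lines):
    """Map each source IP to the reasons its requests were flagged."""
    flagged = {}
    for line in lines:
        src, reasons = analyse_line(line)
        if reasons:
            flagged.setdefault(src, []).extend(reasons)
    return flagged

# Constructed sample log lines: documentation IP ranges, invented timestamps,
# and a second (hypothetical) path to show a clean request on another endpoint.
SAMPLE_LOG = [
    '203.0.113.7 - - [27/Jun/2021:03:14:01 +0000] "GET /api/1.0/rest/language_configuration?language=en_US HTTP/1.1" 200 512',
    '198.51.100.9 - - [27/Jun/2021:03:14:05 +0000] "GET /api/1.0/rest/language_configuration?language=en_US%3B%26%26 HTTP/1.1" 200 512',
    '192.0.2.44 - - [27/Jun/2021:03:15:09 +0000] "GET /api/1.0/rest/status?format=xml HTTP/1.1" 200 88',
]

if __name__ == "__main__":
    for src, reasons in scan(SAMPLE_LOG).items():
        print(src, "->", "; ".join(reasons))
```

Only the second line is reported, once for failing the allow-list and once for the metacharacters; a request body (POST/PUT) would not appear in an access log, so this check covers the query-string case only.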