Seagate and LaCie make wireless external hard drives for mobile use, so you can ‘expand your phone’ and carry around whatever external data you’d like to carry around without blowing your phone’s storage. I guess that’s useful. I imagine people also use them as ‘personal cloud’ devices, whatever the hell that’s supposed to mean, and other things.
But I don’t care, really, because THEY SHIP WITH AN UNDOCUMENTED TELNET SERVER RUNNING WITH ROOT ACCESS. You can read and write anything and everything.
This is… amazing. How do you let this happen? It’s another case where I need an Industrial Espionage Inside! logo sticker. Here, have a first draft.
On a related note, this talk at Black Hat 2013 on hacking z/OS mainframes is pretty cool, and tells me that back in my part-of-the-problem days I could’ve been a goddamn rock star in this admittedly-small field at Black Hat, because the shit I was doing on IBM mainframes was way more complicated and subtle than this.
There are mainframe people in comments telling the presenter not to be so glib about mainframe security because they know exactly what you’re doing via their monitoring systems. I heard that shit then, too; it was bullshit at the time and I’m pretty sure it’s bullshit now given the sploits he’s outlining. Hell, I submitted some reports through trusted third parties because they were just too easy – easier than these, even, and some of this is pretty damn easy.
I mean, seriously, ever seen a security patch for an unpublicised exploit released in one day? I have. That was caused by one of my third-partied reports. (Arbitrary access to any account in 19 keystrokes, completely unlogged. It was hilarious. But also too easy, so, reported. I knew exactly what they were doing wrong and how to fix it, so it’s not like they had to work at it.)
But enough of the past. Go play skeet shooting with your wireless Seagate and LaCie drives now. It’s probably more effective than trusting them.