
An unpleasant surprise for My Book Live owners

By Jake Edge
June 29, 2021

Embedded devices need regular software updates in order to even be minimally safe on today's internet. Products that have reached their "end of life", thus are no longer being updated, are essentially ticking time bombs—it is only a matter of time before they are vulnerable to attack. That situation played out in June for owners of Western Digital (WD) My Book Live network-attached storage (NAS) devices; what was meant to be a disk for home users accessible via the internet turned into a black hole when a remote command-execution flaw was used to delete all of the data stored there. Or so it seemed at first.

Missing data

The first indication of the problem came in a June 23 post to the WD support forums by user "sunpeak" about a now-empty My Book Live device ("somehow all the data on it is gone today"), though the 2TB device had been nearly full before that. Sunpeak also reported that the administrative password had been changed so they could not log into the device. It was not long before others added their stories of woe to the thread. In the early going, there was concern that WD had released some kind of firmware update that caused this behavior, but it turns out that those devices have had no updates for quite some time at this point.

Various posters in the thread dug out the logs from their devices to see what they could determine. There were reports that some of the devices had been reset to the factory settings via the factoryRestore.sh script, for unknown reasons, but those reports also said that the default "admin" username (with the same password) did not work. Eventually, "t4thfavor" strongly suggested removing My Book Live devices from the internet by way of a firewall—or simply pulling the Ethernet cable entirely. That good advice was echoed by sunpeak and others in the thread.

Not long after that, WD posted a security bulletin to the support forum with effectively the same advice. Both that post and the more formal WDC-21008 security bulletin were quick to point out that these devices were introduced in 2010 and stopped receiving updates in 2015. The WDC-21008 bulletin pointed to CVE-2018-18472, though no context was given. Looking at the CVE provides some missing context, though:

Western Digital WD My Book Live and WD My Book Live Duo (all versions) have a root Remote Command Execution bug via shell metacharacters in the /api/1.0/rest/language_configuration language parameter. It can be triggered by anyone who knows the IP address of the affected device, as exploited in the wild in June 2021 for factory reset commands,

Clearly the CVE description has been recently updated. But the 2018 date in the CVE number is telling; this flaw has been known for three years or so at this point. It was originally reported in a blog post at WizCase that offered much the same advice about removing the device from the internet. As shown by the proof of concept (PoC) in that post (and this report with a clearer PoC), simply tacking a command in backticks (e.g. `whoami`) to the data sent with an HTTP PUT command to the configuration URL will cause the command to be executed with root privileges. Backticks are used in various languages (e.g. Unix shells, PHP, Perl) to execute operating-system commands; the device's interface is written in PHP and shell scripts, so it seems clear that the input provided in the PUT is not being sanitized correctly.
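As an added illustration of the sanitization failure just described (example code written here, not recovered from the device's firmware or any WD source), here is a hypothetical PHP handler for the language parameter, first in the injectable shape and then hardened with an allowlist; the script path, parameter name and session check are assumptions.

```php
<?php
// Added example, not WD's code. Hypothetical handler for a language
// configuration endpoint; the script path and session layout are assumptions.

// Injectable form: the client-supplied value is interpolated straight into a
// shell command line, so any shell metacharacters in it become part of the
// command, which runs with the privileges of the web server (root on the NAS).
function set_language_unsafe(string $lang): string
{
    // DO NOT use: $lang is attacker-controlled.
    return (string) shell_exec("/usr/local/sbin/set_lang.sh $lang");
}

// Hardened form: accept only values from a closed allowlist of language codes,
// refuse everything else, and never build a command from the raw value.
const ALLOWED_LANGUAGES = ['en', 'de', 'fr', 'es', 'it', 'ja', 'zh_CN'];

function validate_language(string $lang): ?string
{
    // Strict comparison against known codes; a regex shape check alone would
    // still let unexpected values reach the shell.
    return in_array($lang, ALLOWED_LANGUAGES, true) ? $lang : null;
}

function set_language_safe(string $lang): bool
{
    $valid = validate_language($lang);
    if ($valid === null) {
        http_response_code(400);
        return false;
    }
    // escapeshellarg() is defence in depth: the value is already allowlisted,
    // so a future change to the allowlist cannot silently reopen the hole.
    $cmd = '/usr/local/sbin/set_lang.sh ' . escapeshellarg($valid);
    exec($cmd, $output, $status);
    return $status === 0;
}

// Configuration changes are reserved for the authenticated administrator; the
// hardened handler checks that first (the $session layout is an assumption).
function handle_language_put(array $session, string $body): void
{
    if (empty($session['admin_authenticated'])) {
        http_response_code(401);
        return;
    }
    parse_str($body, $params);
    $lang = (string) ($params['language'] ?? '');
    if (!set_language_safe($lang)) {
        echo "invalid language\n";
        return;
    }
    echo "ok\n";
}
```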

But wait ...

On June 29, the picture got rather murkier. Ars Technica reported on some research it had done on the attacks in collaboration with Derek Abdine, CTO at security firm Censys. It turns out that there is a second, previously unknown flaw in the NAS devices: there is a way to do a factory reset through the configuration interface without providing a password. In fact, the relevant source code has the password checks commented out; anyone who knows how to format the XML-based request can wipe any My Book Live just by knowing its IP address.

It turns out that there is evidence that there are at least two attackers at work here—and they aren't working together. As Abdine described, it would seem that CVE-2018-18472 had been in use for some time, adding the devices to a botnet (possibly Linux.Ngioweb). The just-discovered factory-reset flaw (which does not yet have a CVE number) was only recently used, perhaps as a way to destroy or disrupt the botnet. Whatever the reason, though, exploiting that flaw and wiping the user data on the NAS is what brought the whole situation to light.

[Update: WD has put out more information about the factory-reset flaw, which it said is due to a botched refactoring effort. The bug has been assigned CVE-2021-35941. In addition, WD is offering data-recovery services for those who lost data.]

The configuration endpoint that was vulnerable to the original command-execution flaw (language_configuration.php) was being modified on devices that were being attacked that way. A password test was added so that only the original attacker could further exploit that particular flaw; a SHA-1 hash of the password is used in the modified version of language_configuration.php that has been recovered. As noted in both reports, though, the attacker apparently did not know that the parameters sent to the device's interface can be logged, so at least one of the "secret" passwords used by the attacker is now known. It was written, in plaintext, to a log on the device.

While "rival attackers" is only a theory, it makes sense that the botnet controller would have no need (or interest) in causing the factory reset. After all, they had full control of the system and could make it do whatever they wanted (including wiping the disks if that was somehow useful to them). All that the factory reset did was draw attention to the devices, leading to the exposure of the flaws and, thus, curtailing future My Book Live exploits.

Original response

At some point after the WizCase post in 2018, WD responded to it with much the same information as was in its recent responses. But in part of its response, which seems geared toward covering its ass more than anything else, it described the products in a way that may seriously irritate the owners of these NAS devices:

We encourage users who wish to continue operating these legacy products to configure their firewall to prevent remote access to these devices, and to take measures to ensure that only trusted devices on the local network have access to the device.

Calling these devices "legacy products" obviously reflects WD's level of interest in them, but it probably does not mirror the opinions of most folks who bought them. Turning off the security-update spigot around a year after the product was discontinued seems fairly short-sighted, especially for a system that was touted as one that can be connected to the internet in order to "securely access your media and files anywhere in the world". At some point, the company realized that those devices should not be connected to the internet, but did not make an update, nor, seemingly, raise the profile of this problem so that users could protect themselves.

While the product life cycle may be long finished from the perspective of WD, the devices are still available from outlets like Amazon. Anyone who buys one today might be forgiven for thinking it is still supported. A NAS device is not a cell phone or other consumer-electronics gizmo that might be shunted aside for the latest thing in relatively short order; one might well expect to set up a home NAS and have it running for years—or even a decade or more. One hopes that those who do set up such a device also have another backup strategy to go with it, however.

It is, as a number of people have observed, fairly surprising that it took this long for the CVE-2018-18472 vulnerability to be exploited; maybe the recent updates have shown that it actually was used much earlier. The exploit is trivially easy to perform and it provides full access to what would seem to be fairly high-value data. These devices would make for prime ransomware targets, one would think, even if the most recent attackers were perhaps just digital vandals.

One way to route around device makers and their arbitrary life-cycle decisions would be to create and maintain an alternate firmware for the device. It is, after all, simply a Linux system under the covers. There is some information on the WD support site about how to build and install custom firmware, but there does not seem to be an active existing project for My Book Live. Firmware based on free software would at least be possible to fix, of course, even in the absence of a project keeping things up to date.

Device owners need to be extremely careful with the internet access they provide to the gadgets that they buy. That's easy to say, but can be hard (or impossible) to do in a world where everything from shoes to light bulbs comes equipped with some kind of whiz-bang feature that requires internet access. Makers of devices that are attacked rarely suffer anything more than a bit of negative press—and that only briefly. Under those conditions, is it any real surprise that people can lose all of their important data, possibly via a vulnerability that has been public for years?


Index entries for this article
Security/Embedded systems



An unpleasant surprise for My Book Live owners

Posted Jun 30, 2021 0:43 UTC (Wed) by marcH (subscriber, #57642) [Link] (24 responses)

There is simply zero incentive for hardware vendors to develop high quality software and maintain it over time, period. That's just a net loss for them. So stories like this will keep coming and coming until enough consumers have lost their data or worse. Only then will consumers finally exert some market pressure, or lobby their representatives to pass laws making companies liable or forcing the latter to support 3rd party software (think Right To Repair) or a mix of all the above.

This will take much more time and tears. Road safety was invented in the 70s only after thousands and thousands of casualties, before that no one cared enough even though people were dying! Not just losing their data.

https://en.wikipedia.org/wiki/National_Traffic_and_Motor_...
> The Act was one of a number of initiatives by the government in response to increasing number of cars and associated fatalities and injuries on the road following a period when the number of people killed on the road had increased 6-fold and the number of vehicles was up 11-fold since 1925.

An unpleasant surprise for My Book Live owners

Posted Jun 30, 2021 6:00 UTC (Wed) by Cyberax (✭ supporter ✭, #52523) [Link] (6 responses)

I have a Synology NAS that has been supported for 10 years. I've just recently upgraded it to a rack-mounted model.

The moral of this story: don't use vendors who can't write good software. WD is very much among them.

An unpleasant surprise for My Book Live owners

Posted Jun 30, 2021 10:32 UTC (Wed) by nix (subscriber, #2304) [Link] (3 responses)

Of course, the software of theirs you have to trust, as long as you don't want to restrict yourself to a disk near-monopoly, is the firmware on the HDDs they make. These days these are full-blown operating systems too, even if small ones, and they almost never see updates (nor, given the difficulty of recovering after your disk firmware goes wrong, would I want more than seriously critical updates once the disk has data on it).

What quality is this almost-invisible software? (Likely terrible, though not so terrible that data loss from it is common). What about the other drive vendors? What about the much more complex firmware needed on zoned devices, particularly firmware-zoned with caches? Why is there not even a single free-software alternative to this stuff on which all our data ultimately depends?

An unpleasant surprise for My Book Live owners

Posted Jun 30, 2021 12:56 UTC (Wed) by pabs (subscriber, #43278) [Link]

Obligatory link to the canonical hard drive firmware hacking post:

https://spritesmods.com/?art=hddhack

An unpleasant surprise for My Book Live owners

Posted Jun 30, 2021 19:29 UTC (Wed) by Cyberax (✭ supporter ✭, #52523) [Link] (1 responses)

> Of course, the software of theirs you have to trust, as long as you don't want to restrict yourself to a disk near-monopoly, is the firmware on the HDDs they make.
I don't mind firmware that much. The host uses a standardized interface to talk to the drives, and there's a limited number of ways bad firmware can ruin the data. Especially these days with checksums throughout the whole stack.

An unpleasant surprise for My Book Live owners

Posted Jul 1, 2021 14:53 UTC (Thu) by nix (subscriber, #2304) [Link]

Yeah... but that only protects you against (some) misdirected writes -- which do seem to be exceptionally rare, which does suggest that core read/write stuff is not terrible. It doesn't protect you against, say, a drive suddenly deciding to brick itself and now you need to hook up the JTAG and recover it, if you're very lucky and that actually works and you don't need the data on that disk to do that much. And there are other problems that might happen: e.g. I've seen drives suddenly go mad reallocating sectors from spares and abruptly exhaust their spare sector count (mere hours from no spare sectors used, to none *left*). That almost has to be either really bad physical damage, or some sort of firmware bug: but the firmware is totally opaque, so we just had to throw the drive away and replace it. Likely firmware bugs equal more profit for the drive manufacturers, yay!

An unpleasant surprise for My Book Live owners

Posted Jul 8, 2021 10:21 UTC (Thu) by davidgerard (guest, #100304) [Link] (1 responses)

Synology runs a customised version of Ubuntu. Could I replace it with Debian? No I could not, not without being able to crack the DRMed boot loader! Next time I'm just getting a second-hand Microserver and installing FreeNAS.

An unpleasant surprise for My Book Live owners

Posted Jul 8, 2021 18:05 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link]

You can install your own software on Synology, there's no DRM (apart from Secure Boot which can be turned off).

But why? You're buying Synology because you want a complete solution. A stand-alone server would be cheaper, because you won't be paying for Synology software.

An unpleasant surprise for My Book Live owners

Posted Jun 30, 2021 6:29 UTC (Wed) by felixfix (subscriber, #242) [Link] (15 responses)

It is wrong to say there is zero incentive. Markets may not act as fast or clearly as you would like, but they do act. People buy brand-name goods precisely because of the brand's reputation. WD has just suffered a triple hit to their reputation: first from the shoddy security, second from the limited support lifespan, and third from their cavalier attitude.

An unpleasant surprise for My Book Live owners

Posted Jun 30, 2021 6:54 UTC (Wed) by dumain (subscriber, #82016) [Link] (3 responses)

It isn't how fast or clearly markets act it is how effectively they act that matters. Consumer brands seem to recover just fine from the reputational hit of having huge security holes and even when they don't many companies have multiple brands. Security is a hard thing to build a brand on because its absence is easier to demonstrate than its presence and consumers aren't dumb enough to believe that just because a brand hasn't had a recent public security disaster it is any more secure than a brand that has.

An unpleasant surprise for My Book Live owners

Posted Jun 30, 2021 14:17 UTC (Wed) by proski (guest, #104) [Link] (2 responses)

Case in point: Zoom. They had huge security issues just two years ago, they mishandled those issues badly. But an average Zoom user is totally unaware of it.

An unpleasant surprise for My Book Live owners

Posted Jun 30, 2021 20:42 UTC (Wed) by Paf (subscriber, #91811) [Link]

I would note that two years ago Zoom was a very small concern; the vast vast majority of people had never heard of it.

An unpleasant surprise for My Book Live owners

Posted Jul 9, 2021 8:50 UTC (Fri) by roblucid (guest, #48964) [Link]

Most of the security kerfuffle didn't apply to Zoom's user base. In 2019 it wasn't thinkable that people would be dumb enough to run 24/7 parties with public addresses, have no vetting or moderator AND allow file sharing.
Nor was the idea that national parliaments would Zoom.
Having read through far too much security BS on Zoom since, absolutely NONE of it applied to my usage.

An unpleasant surprise for My Book Live owners

Posted Jun 30, 2021 8:02 UTC (Wed) by marcH (subscriber, #57642) [Link] (7 responses)

> WD has just suffered a triple hit to their reputation: first from the shoddy security, second from the limited support lifespan, and third from their cavalier attitude.

Right, WD executives stopped sleeping at night since LWN published this article. Sorry for being sarcastic, just trying to get the point across.

Markets work when there are (at least) competition and knowledgeable customers. All I wrote is that customers are utterly clueless and careless with respect to security right now and this will take MUCH more than a few headlines in the tech press to address. If this is ever addressed: see what dumain wrote above.

It took populations a very long time to realize that yes, road traffic is dangerous because people listen to stories and not to numbers, just watch the news for 1h. Our brain is simply not made for statistics and risk evaluation https://www.google.com/search?q=site%3Aschneier.com+risk

Car safety did not happen before most people literally _knew someone_ physically hurt in a car accident and similar for COVID despite the very best, number-free education attempts: https://www.nytimes.com/2020/12/05/health/coronavirus-swi... So how much ransomware will it take before consumers starting caring about computer security? A lot more.

Now once they start paying attention will consumers be able to make good choices? Maybe never considering how difficult it is to measure security. Reputation helps of course but sorry it's not enough here. This is why some experts advocate for regulation: https://www.google.com/search?q=site%3Aschneier.com+liabi...

This is the same reason why you need regulation for healthcare or transportation: there, no one wants a totally free market where you choose a "product" by looking up which one killed the fewer people. You need the help of trusted experts. Like... these https://arstechnica.com/science/2021/06/controversial-alz... Ahem.

An unpleasant surprise for My Book Live owners

Posted Jun 30, 2021 13:06 UTC (Wed) by felixfix (subscriber, #242) [Link] (6 responses)

I have worked for companies which went bankrupt after destroying their reputation. I have worked with vendors which ruined their reputations and went broke. Paying attention to the news shows countless companies which suffered from destroyed reputations.

The government itself has destroyed its own reputation far more often than private enterprise, yet will never go out of business. No private company could have flipflopped as many times as the government and remained in business. If that is where you put your trust, then you came to your conclusions from feels, not facts; and conclusions based on feels, not facts, are unrebuttable with facts.

An unpleasant surprise for My Book Live owners

Posted Jun 30, 2021 15:01 UTC (Wed) by ovitters (guest, #27950) [Link] (2 responses)

> The government itself has destroyed its own reputation far more often than private enterprise, yet will never go out of business.

This seems like that libertarian idea. Just leave everything over to businesses; government makes too many mistakes, customers will sort things out by choosing. With e.g. brexit it's pretty interesting to see how many things British people thought were a "given" that was actually backed by regulations / laws. Similarly, lack of these "givens" is often said to be "protectionist" / "out to get them".

> No private company could have flipflopped as many times as the government and remained in business.

False equivalence, government is there to e.g. ensure things do not happen that might not be profitable to think about. Further, government is for the people. A government should _not_ be run as a business, some things shouldn't be done to e.g. "maximize" profit.

I know various shipping companies which made loads of interesting mistakes. Meaning, multiple times and repetitively. They're still in business. The news doesn't reach most people; plus people don't care.

> If that is where you put your trust, then you came to your conclusions from feels, not facts

Your entire reply is based upon assumptions ("feels"). I haven't seen any facts. You seem to be dismissing e.g. the worth of government/regulations, then use the status quo as a reason to deem government/regulations unneeded.

It's similar to a great running IT department. If they work nicely, people complain why they're needed. If they're not doing so well, people complain why they're needed. Basically: often people will question the need for government or why they pay taxes.

An unpleasant surprise for My Book Live owners

Posted Jun 30, 2021 17:43 UTC (Wed) by Wol (subscriber, #4433) [Link] (1 responses)

> False equivalence, government is there to e.g. ensure things do not happen that might not be profitable to think about. Further, government is for the people. A government should _not_ be run as a business, some things shouldn't be done to e.g. "maximize" profit.

One only has to look at the American health system, where the *few* who can afford it are well cared for. But lots of nasty diseases circulate amongst those who can't afford it.

I'm not saying our system where it's pretty much all nationalised is any better - imho people who go on about how good the NHS is are wearing *very* rose-tinted glasses. But simple things like flu, or more seriously TB, aren't a major problem because basic health care is easily accessible and free.

And one of the reasons we are doing so well with CoVid now is down to the combination of the NHS, and politicians prepared to take risks. All being well, ALL restrictions will be lifted in about a fortnight, and the pandemic will be "over" as far as England is concerned. Because we had a few politicians who kick-started vaccine research and production by writing large contracts up front. Then when we actually got the vaccine, it was dead easy for the NHS to roll it out.

Aiui, one of the biggest problems with the health system in the US is that basic health care is not "economic" in that the people who would benefit most can't afford it, and the people who would pay for it *don't see* the benefit. Coupled with the companies who benefit FROM illness lobbying against it. Over here, the government sets targets for "improving the nation's health" and it can compare how much the nation would benefit, against how much it would cost. Hence the current effort against obesity. When it works, it's brilliant. Unfortunately again, it tends to get hijacked by big pharma (sterols and stuff against cholesterol for example ...)

Cheers,
Wol

An unpleasant surprise for My Book Live owners

Posted Jul 1, 2021 19:48 UTC (Thu) by nix (subscriber, #2304) [Link]

> Unfortunately again, it tends to get hijacked by big pharma

This, of course, is why NICE (or, more formally, the relevant review panel within NICE) exists: to rule out the use of medication whose cost is excessive with respect to its benefit (which is surprisingly often nil for extremely expensive medication, which is often benchmarked against placebo but not against the current best medication just so that its manufacturer can get another nice expensive patent money coiner to replace the previous one, even if it's no better).

This works except when NICE's decisions run up against people who disagree loudly enough. Then you get expensive messes like (IIRC) the Cancer Drugs Fund, which was introduced by Cameron explicitly to pay for cancer medications NICE had said no to. This was completely stupid: the money that was spent on those medications could just as well have been spent to save many *more* people who just happened to have slightly different diseases. Worse, it spent well over a billion quid but collected *no* data at all on whether the money spent had any effect. (This was, naturally, intentional).

Eventually, under a tsunami of criticism from senior oncologists, NHS England itself, the Public Accounts Committee, the National Audit Office and every other body you can think of whose remit was to actually *help* people or not throw money down the toilet, and after Cameron had gone so there was no longer face-saving involved, the fund was closed. It probably cost about 50,000 lives all told, through grossly misallocated resources.

An unpleasant surprise for My Book Live owners

Posted Jun 30, 2021 18:52 UTC (Wed) by marcH (subscriber, #57642) [Link]

> Paying attention to the news shows countless companies which suffered from destroyed reputations.

Yes, and this is great. But that was not the topic. I want competition and reputations, but I also want a minimum, low bar under which no company can go. I'm happy to take risks and fail to choose the best hard-drive, car or doctor but I also want some assurance that NONE of them will kill me (or my data). I want it even more for the people less fortunate and less educated than me who believe the last cancer medication commercial they saw on TV (seriously?)

> The government itself has destroyed its own reputation far more often than private enterprise, yet will never go out of business.

Apples and oranges, the government is not a business. Its main purpose is to limit business (and individuals!) excesses. Like killing people https://www.drugabuse.gov/drug-topics/opioids/opioid-over...

Is this system perfect? No but it's the best we found so far. How much regulation should there be? The answer is not binary and different for each nation. Is there enough regulation with respect to computer security? Probably not right now, but it's changing. Slowly as usual.
https://www.hklaw.com/en/insights/publications/2021/05/cy...

An unpleasant surprise for My Book Live owners

Posted Jul 1, 2021 15:02 UTC (Thu) by nix (subscriber, #2304) [Link]

> The government itself has destroyed its own reputation far more often than private enterprise, yet will never go out of business. No private company could have flipflopped as many times as the government and remained in business.

What does "go out of business" even mean for a non-business? Replaced with... anarchy? Replaced by a violent revolution? Neither sounds like a remotely desirable outcome.

Democracy provides a fairly good approach here: a government that destroys its reputation (while its opposition(s) have a better one) is replaced at the next election. It seems to me that we have a perfectly good analogue there, and governments "go out of business" a lot, smoothly, routinely, and are replaced by others -- usually with no or minimal disruption to services, which is crucial because *lives* depend on these services and they can't just go away when their (often) monopoly provider is replaced.

Monopoly providers in the business world are more or less never replaced so neatly -- at least, not without government action to ensure it.

An unpleasant surprise for My Book Live owners

Posted Jul 1, 2021 23:29 UTC (Thu) by jschrod (subscriber, #1646) [Link]

This is nonsense. Every time a government loses a vote, it "goes out of business". In the democratic parts of this world this happens quite often.

Government != country or state

An unpleasant surprise for My Book Live owners

Posted Jun 30, 2021 10:18 UTC (Wed) by LtWorf (subscriber, #124958) [Link] (2 responses)

Most people buying a NAS will never hear anything about this.

An unpleasant surprise for My Book Live owners

Posted Jun 30, 2021 18:22 UTC (Wed) by willy (subscriber, #9762) [Link] (1 responses)

I understand some retailers allow customers to leave reviews on products

An unpleasant surprise for My Book Live owners

Posted Jun 30, 2021 23:53 UTC (Wed) by mpr22 (subscriber, #60784) [Link]

I understand the same.

Further, I understand that many such retailers curate their reviews and/or offer people inducements to post favourable reviews.

An unpleasant surprise for My Book Live owners

Posted Jun 30, 2021 7:11 UTC (Wed) by iteratedlateralus (guest, #102183) [Link]

I feel like that would enable the argument for centralized data stores.

An unpleasant surprise for My Book Live owners

Posted Jun 30, 2021 7:15 UTC (Wed) by Subsentient (guest, #142918) [Link] (17 responses)

It's times like these I find myself having to force my mind to acknowledge that most people don't have IT careers, and thus are not "stupid" for using cloud-enabled storage, and that they did not, in fact, "deserve it".
I don't like that this is my first reaction, but I tend to think "well, that's what you get".

In reality, the blame lies with WD for being creeps by giving their firmware such extensive access to the drives and their contents.

An unpleasant surprise for My Book Live owners

Posted Jun 30, 2021 9:16 UTC (Wed) by khim (subscriber, #9252) [Link] (7 responses)

Trying to understand device where firmware doesn't have access to the content. Failing.

Not sure what you meant when you wrote what you wrote, but I think it was something like “NAS is more of PC with HDD attached to it, than HDD with Ethernet cable, despite the looks and PC part shouldn't have access to the HDD”… but that's something neither consumers nor WD bosses understand.

Their customers wanted an HDD with an Ethernet cable and they asked engineers to make one, why have engineers provided something else?

It's not easy to understand why that happens for the company which was built around making hardware and always considered firmware just an “enabler” for that hardware.

They probably never even considered that a problem so what hope was there for them to resolve it?

An unpleasant surprise for My Book Live owners

Posted Jun 30, 2021 10:40 UTC (Wed) by excors (subscriber, #95769) [Link] (6 responses)

> Their customers wanted an HDD with an Ethernet cable

More specifically, their customers wanted an HDD that was accessible over the internet. That's the main selling point of the product - "Connect this powerful drive to your wireless router for shared storage on your home network that you can access within and outside the home. Share files with PC and Mac computers, stream media to your entertainment center and access files on-the-go with secure, remote access and apps for your mobile devices" (from their Product Overview). And that's what they got (apart from the "secure" part). Even these exploits are simply accessing the device over the intentionally-public API; they're not relying on any hidden components of the software architecture that would surprise 'the WD bosses', they're just bugs in the basic features.

It's certainly possible for companies to write reasonably secure IoT-like software, and sometimes that actually happens. (That seems more common when they start as software companies that branch out into hardware, than when they start as hardware companies that are used to writing little self-contained firmware and suddenly expand into writing IoT SDKs and cloud services. Some hardware companies are adjusting much better than others, though). I think the basic problem is that customers (even highly technical ones) have no way to judge whether a company is one of the good ones; plus secure software is usually less convenient for regular use cases and is more expensive to develop, so on the metrics that are easy for customers to judge the more secure products are actually worse. That means there's little pressure for the industry as a whole to improve.

An unpleasant surprise for My Book Live owners

Posted Jul 1, 2021 4:07 UTC (Thu) by NYKevin (subscriber, #129325) [Link] (5 responses)

In other words: WD's business model is like Dropbox's business model, but crappier. They sell you a HD and some software that makes it act like Dropbox acts, and tell you to replace that hardware after N years (at which point, they'll happily sell you a shiny new one that's still supported). This is analogous to Dropbox's subscription fee, except that you also have to pay for the electricity, you have to do your own offsite backups (or onsite backups, if this thing is your offsite backup), you actually have to remember to replace the damn thing (or hack its firmware and do your own security upgrades), you probably want to have onsite data redundancy of some kind, and so on.

(For anyone unaware, the Dropbox business model can be summed up as "We will make your data accessible to you anywhere in the world, in exchange for $X per gigabyte-year." It's not sold as hardware or software, it's just a service that you pay for.)

Frankly, I find it hard to believe that the consumer comes out ahead in that model. It's probably cheaper per gigabyte than Dropbox, but only if the consumer has the necessary technical knowledge to take care of all of those minutiae. Otherwise, it's just a data loss event waiting to happen.

Disclaimer: I work as an SRE for Google, which offers a similar service to Dropbox. I don't know exactly what the Dropbox engineers do at their datacenters, but I can pretty much guarantee that *our* data persistence beats the pants off anything the average nontechnical consumer can do with a simple device like this one. This is not a boast; it is simply the reality of consumer-grade hardware on a consumer-grade network.

More generally: When you have an IoT device that is connected to the internet, if you are not paying a subscription fee for it, then IMHO you need to ask yourself whether the product has a reasonable economic model, and compare and contrast that economic model to more traditional subscription services. You may find that the product does not actually make sense.

An unpleasant surprise for My Book Live owners

Posted Jul 1, 2021 11:10 UTC (Thu) by excors (subscriber, #95769) [Link] (1 responses)

> I find it hard to believe that the consumer comes out ahead in that model. It's probably cheaper per gigabyte than Dropbox, but only if the consumer has the necessary technical knowledge to take care of all of those minutiae.

The 2TB My Book Live apparently cost £170 in 2011, and nowadays you can get a 6TB WD My Cloud Home for that price. A 2TB account on Dropbox costs £96/year (but 3TB is more than 2x the price, and it appears to be impossible to pay for more than 3TB on an individual account). So if you have less than 2TB of data, and buy two large local disks for redundancy, and you keep those disks for several years, Dropbox is quite a lot more expensive per GB of data. At that scale it's not a huge difference in absolute cost though, so maybe the difference is justified by the maintenance effort and the risk of data loss.

If you have less than 100GB of data then it looks like you can get Microsoft OneDrive for £24/year, or 100GB on Google One for £16/year, etc. That's probably enough for most people's remotely-accessible backed-up document requirements, and is cheaper than the smallest home NAS you can buy, so in those cases the cloud solutions sound a lot more compelling.

At the terabyte scale, I guess the bigger issues are the lack of flexibility (some people really want to store more than 3TB of, uh, Linux ISOs, and Dropbox simply won't let you) and bandwidth (many people will find it slow and expensive to upload terabytes of data from home, or maybe they're using the storage for real-time video editing and need higher bandwidth and lower latency than they get through the internet, etc).

So it sounds like a fairly small niche where a home NAS ends up being better value, but there are still some valid use cases, and the world is large enough that it's worth developing good technology for niches.

An unpleasant surprise for My Book Live owners

Posted Jul 6, 2021 1:54 UTC (Tue) by marcH (subscriber, #57642) [Link]

> So it sounds like a fairly small niche where a home NAS ends up being better value, but there are still some valid use cases, and the world is large enough that it's worth developing good technology for niches.

BTW the NAS could be both on local premises for speed _and_ its software maintained and updated remotely. Many homes already have plenty of devices maintained remotely, so why not storage? It could even be split in two: a "premium", resizable area backed up in the cloud for a monthly fee and the rest not for movi... Linux images that don't need backup.

An unpleasant surprise for My Book Live owners

Posted Jul 1, 2021 11:35 UTC (Thu) by khim (subscriber, #9252) [Link] (1 responses)

> Frankly, I find it hard to believe that the consumer comes out ahead in that model.

Consumer comes out ahead for sure. Offline backups on something which is physically in your possession are very good protection from this.

Dropbox or Google Drive or any other “cloud” solution saves you against hackers or physical damage to your WD box (it could just go and die on you and if your apartment would burn then even RAID-6 wouldn't help you).

But there are quite non-trivial chances for your data to just become erased while you are trying to prove that you have rights to get it back.

And I'm very sorry to say that, but SREs couldn't do anything about it. Legal issues will supersede all the reliability measures when you deal with cloud.

And yes, even with that incident what WD offers is still a good deal. Hackers don't empty these boxes all that often. Pull data from your cloud backup when that happens and you are, again, protected against legal problems.

An unpleasant surprise for My Book Live owners

Posted Jul 5, 2021 6:34 UTC (Mon) by NYKevin (subscriber, #129325) [Link]

My opinion (not Google's): The legal issue should be solved by enacting appropriate legislation (e.g. they must give your data back to you upon request, or else they must get a court order to block the data's return), not by everyone using overtly inferior technology* to work around it.

This would probably create a lot of extra work for people like me (my SRE job has to do with data classification and permissions). I am entirely willing to do that work, because I believe that users ought to own their own data. But either the business or the government has to decide that the work is worth doing, and so far the former has not made that decision.

* I consider it "inferior" under the reasonable-to-me assumption that the average consumer is just barely capable of installing automated updates on "user-friendly" operating systems like Windows, and would have no idea how to e.g. rent a colo, SSH in to fix a problem, etc. Obviously, if you are capable of figuring those things out, then you do you. But I'm concerned with the needs of average consumers, not you.

An unpleasant surprise for My Book Live owners

Posted Jul 1, 2021 14:47 UTC (Thu) by nix (subscriber, #2304) [Link]

> They sell you a HD and some software that makes it act like Dropbox acts, and tell you to replace that hardware after N years

Did they even do that, or did they silently move it to unsupported status at a poorly-advertised or entirely un-advertised date and then (years later) use this to *blame* the customers for not spending more money with them after this silent act of theirs?

An unpleasant surprise for My Book Live owners

Posted Jun 30, 2021 17:10 UTC (Wed) by cpitrat (subscriber, #116459) [Link] (6 responses)

Exactly my feeling too. My first reaction was "well if you're stupid enough to put your NAS on Internet", but then I realized I know nothing about cars and I don't have to check before buying one that the constructor remembered to put brakes on it, that they are properly sized and of good quality. That they're not lying to me when they say I can safely go on the highway with it.

Maybe there should be similar regulations in the IoT world as there is in the car industry, to ensure that constructors don't have irresponsible behaviour?

An unpleasant surprise for My Book Live owners

Posted Jun 30, 2021 17:27 UTC (Wed) by mathstuf (subscriber, #69389) [Link]

Dan Geer had some good ideas in one of his talks (that I can't remember or find right now). Basically, any code released in a product publicly is put into escrow and if support is dropped (possibly within some timeframe), the escrow is opened to anyone to offer support. Being FOSS or otherwise freely modifiable relieves one of such conditions (since the world is now your escrow). I'm almost certainly dumbing it down here as I remember watching it years ago.

An unpleasant surprise for My Book Live owners

Posted Jun 30, 2021 19:56 UTC (Wed) by rgmoore (✭ supporter ✭, #75) [Link] (4 responses)

Even in the automotive world, there are limits on how long manufacturers are required to continue supporting their products after they go out of production. I have recently started to experience this with my car, which is old enough that it's no longer easy to get parts. I agree that electronics manufacturers ought to be held to a higher standard than they currently are, but the biggest thing is they should be required both to support products for a given amount of time and to publicly advertise when support is likely to end.

An unpleasant surprise for My Book Live owners

Posted Jun 30, 2021 20:22 UTC (Wed) by Wol (subscriber, #4433) [Link] (3 responses)

In Europe I believe it's ten years.

But what's wrong with saying that, once YOU are no longer interested in supporting your products, you are *obliged* to *make*it*easy* for someone else to do so, if they think it's economic.

It may not be worth it for a big mass-production company, but there's a lot of small engineering firms that could easily knock panels and stuff out in small quantities, if only they could get hold of designs, blueprints etc.

And same here with firmware or whatever it is (mobile phones?), even if it's under NDA and all that, if someone wants to support it you give them the ability.

Cheers,
Wol

An unpleasant surprise for My Book Live owners

Posted Jun 30, 2021 20:53 UTC (Wed) by cpitrat (subscriber, #116459) [Link] (1 responses)

> once YOU are no longer interested in supporting your products, you are *obliged* to *make*it*easy* for someone else to do so, if they think it's economic.

You get my vote sir!

An unpleasant surprise for My Book Live owners

Posted Jun 30, 2021 22:26 UTC (Wed) by marcH (subscriber, #57642) [Link]

An unpleasant surprise for My Book Live owners

Posted Jun 30, 2021 21:27 UTC (Wed) by rgmoore (✭ supporter ✭, #75) [Link]

> But what's wrong with saying that, once YOU are no longer interested in supporting your products, you are *obliged* to *make*it*easy* for someone else to do so, if they think it's economic.

There is actually a robust market for non-OEM car parts. Some parts are highly standardized, so there's no problem getting them. A lot of other parts are made by subcontractors, who IIRC are allowed to keep making them for the aftermarket if the manufacturer gives up on them. In the USA, there is even a law saying owners who are still within their warranty period may substitute aftermarket parts during repairs without voiding their warranty.

But there are plenty of important parts that don't fail often enough to make it economical for anyone to bother making them at scale. For mechanical parts, custom machining is often a reasonable option. But for a lot of the electrical parts, it simply isn't practical for a shop to try making them custom, at which point you're stuck scouring junkyards for the part you're after. A friend of mine is probably going to have to replace her car because she simply can't get the wiring harness she needs to have it repaired for love or money.

An unpleasant surprise for My Book Live owners

Posted Jul 5, 2021 9:13 UTC (Mon) by immibis (subscriber, #105511) [Link] (1 responses)

How would you propose to design a NAS device, where the software on the NAS device doesn't have access to the data stored on it, and yet, somehow, the user can use that software to access their data?

An unpleasant surprise for My Book Live owners

Posted Jul 5, 2021 12:12 UTC (Mon) by geert (subscriber, #98403) [Link]

It depends on the meaning of "access". Obviously the software on the NAS device can destroy all data stored on the NAS device. But if the data is encrypted by the client, the software on the NAS device cannot disclose the unencrypted data to a third party.
This is similar to keeping your encrypted backups in the cloud.

An unpleasant surprise for My Book Live owners

Posted Jun 30, 2021 7:21 UTC (Wed) by flussence (guest, #85566) [Link] (10 responses)

WD has a hard-earned reputation for internal hard drives that last as long as the warranty says and not a nanosecond more, so I'm wholly unsurprised this is the response. I bet there's a whole iceberg of devices being actively exploited, from them and others.

Maybe we need a return to outright destructive bricking malware. IoT junk peddlers won't do a proper job of their products until indifference like this comes back to absolutely ruin them.

An unpleasant surprise for My Book Live owners

Posted Jun 30, 2021 13:50 UTC (Wed) by intgr (subscriber, #39733) [Link] (9 responses)

> WD has a hard-earned reputation for internal hard drives that last as long as the warranty says and not a nanosecond more

When it comes to hard drives, I wouldn't single out WD. *All* hard drive manufacturers have had product releases with appalling reliability. Check out the Backblaze reliability surveys for some chilling reading: https://www.backblaze.com/b2/hard-drive-test-data.html

Maybe this electromechanical technology is just so difficult to get right that nobody has managed to do it. Or maybe all of these companies are incompetent and don't care.

I'm just extremely glad that these products have become irrelevant for end-users. To think how many people used to trust all their data to a single unreliable device without backups. In these situations, the warranty is almost irrelevant because the manufacturer wouldn't replace the data.

An unpleasant surprise for My Book Live owners

Posted Jun 30, 2021 14:26 UTC (Wed) by fenncruz (subscriber, #81417) [Link]

There is also an issue with the value of what's stored on the drive. There are plenty of things around my house that break. But when they do I'm only out the cost of replacing the item. If a hard drive fails I need a new hard drive and hope my backups work or I'm having to pay for a very expensive drive recovery. Thus I'm going to be far less tolerant of a hard drive failure.

An unpleasant surprise for My Book Live owners

Posted Jun 30, 2021 14:30 UTC (Wed) by Wol (subscriber, #4433) [Link] (6 responses)

> Maybe this electromechanical technology is just so difficult to get right that nobody has managed to do it. Or maybe all of these companies are incompetent and don't care.

Or maybe the companies got screwed over by politicians ...

A lot of modern electronics is of poor quality today because the manufacturers can no longer use lead solder. aiui, modern solder suffers unavoidably from "tin whiskers", which doesn't affect decent lead solder. And it only takes one whisker to cause serious damage.

Cheers,
Wol

An unpleasant surprise for My Book Live owners

Posted Jun 30, 2021 15:15 UTC (Wed) by mathstuf (subscriber, #69389) [Link] (2 responses)

Well, lead is a considerable toxin to humans (and other biological life that we share this planet with) and given our propensity to just throwing everything into a hole (or the sea for that matter) and hoping it's OK for "long enough" that it's someone else's problem, I really wouldn't want it to build up in any amounts. Lead gasoline had upsides too for the mechanical functioning of ICEs, but that doesn't mean it's worth the cost of spewing lead-laced vapors into the air everywhere.

An unpleasant surprise for My Book Live owners

Posted Jul 13, 2021 21:10 UTC (Tue) by cypherpunks2 (guest, #152408) [Link] (1 responses)

Even though lead is bad for the environment, we're releasing more toxic substances due to the fact that landfills are piled high with electronics that failed due to tin whiskers. If we switched back to using lead, it would actually be a net benefit for the environment.

An unpleasant surprise for My Book Live owners

Posted Jul 14, 2021 9:02 UTC (Wed) by mpr22 (subscriber, #60784) [Link]

Do we have actual data on how much WEEE is the result of tin whiskers from cheap lead-free solders as opposed to going to such disposal due to any of:

bad soldering; being plugged into a low-quality charger; the upgrade treadmill plus low prices; cheap knockoff components; poor impact resistance; liquid damage; fragile connectors that would cost more than the device's RRP to pay someone to replace; ...

I'm sure someone's trying to gather it, but I wouldn't know where to look.

An unpleasant surprise for My Book Live owners

Posted Jun 30, 2021 17:29 UTC (Wed) by mpr22 (subscriber, #60784) [Link]

The decline in the quality of modern electronics has plenty of reasons that are very little to do with "most methods of mitigating Sn whiskers are more expensive and/or less convenient than adding Pb to your solder and hoping local regulations on the use of Pb and other toxic heavy metals remain lax".

An unpleasant surprise for My Book Live owners

Posted Jun 30, 2021 18:07 UTC (Wed) by dskoll (subscriber, #1630) [Link] (1 responses)

I doubt most hard drives that fail do so because of tin whiskers in the electronics. I bet most failures are in the mechanical or electromechanical components, or caused by a power surge.

An unpleasant surprise for My Book Live owners

Posted Jun 30, 2021 18:25 UTC (Wed) by willy (subscriber, #9762) [Link]

A surprisingly large number of hard drive failures 20 years ago were firmware. (And the RMA could have been avoided by unplugging the power). I imagine that percentage has only increased since.

An unpleasant surprise for My Book Live owners

Posted Jul 5, 2021 0:26 UTC (Mon) by plugwash (subscriber, #29694) [Link]

> Maybe this electromechanical technology is just so difficult to get right that nobody has managed to do it. Or maybe all of these companies are incompetent and don't care.

Companies are constantly pushing the limits of the underlying tech to one-up each other on capacity/cost. So they end up with a delicate balance, push too hard and they get the bad PR from releasing a lemon, don't push hard enough and their products are uncompetitive.

An unpleasant surprise for My Book Live owners

Posted Jun 30, 2021 8:16 UTC (Wed) by kleptog (subscriber, #1183) [Link] (4 responses)

If Amazon is still selling them then it's on the hook for providing a product fit for purpose. Since it can't rely on WD to provide that support, how is this being achieved? ISTM anyone who bought such a device from Amazon can simply send it back and get a refund.

An unpleasant surprise for My Book Live owners

Posted Jun 30, 2021 16:41 UTC (Wed) by JanC_ (guest, #34940) [Link] (3 responses)

In case it was sold in the EU, there would be a legal 2 year guarantee to be provided by the seller indeed.

An unpleasant surprise for My Book Live owners

Posted Jun 30, 2021 17:56 UTC (Wed) by Wol (subscriber, #4433) [Link] (2 responses)

Depends where in Europe, but I get the impression this would be covered even in the UK. Getting a legal 2-year warranty honoured in the UK is a hassle unless it's *obviously* "faulty when purchased", but that's because we have a 6-month "faulty for *any* reason" warranty.

I had a run-in a while back with John Lewis a good few years back - my phone had been bought in the sales because it was discontinued, and they had "a deal with the manufacturer where we don't repair them, we only replace". And "we can't replace it, we'll refund it". Because the new version was full price, and I'd paid sale price, I just blew my top at them and accused them of charging me for wanting to exercise my warranty rights ... they caved VERY fast. In the end, I swapped my basic phone for both the newer model, and the next model up, and paid just the price difference between the lower and higher model. So I walked away a happy customer.

Cheers,
Wol

An unpleasant surprise for My Book Live owners

Posted Jul 1, 2021 15:14 UTC (Thu) by JanC_ (guest, #34940) [Link] (1 responses)

AFAIK the UK still has the law in place that implemented the EU directive indeed.

And in this case (WD MyBook) those devices were obviously “faulty when purchased”, as the security crater (calling it a “hole” would not describe how big it is…) has been around for 10 years and has been publicly known for at least 2-3 years.

An unpleasant surprise for My Book Live owners

Posted Jul 8, 2021 8:14 UTC (Thu) by mariofutire (guest, #141044) [Link]

I am not 100% sure that a potential vulnerability is qualified as fault.

Maybe if your data was lost due to the issue, yes, you can claim warranty.
But a software bug that you have never encountered, then I don't know.

Otherwise 100% of devices could be returned for this reason.

An unpleasant surprise for My Book Live owners

Posted Jun 30, 2021 9:09 UTC (Wed) by shiftee (subscriber, #110711) [Link]

This is exactly why I go out of my way to buy open software/hardware products.
Anyone reading this article could fix these issues in 10 minutes

An unpleasant surprise for My Book Live owners

Posted Jun 30, 2021 9:30 UTC (Wed) by excors (subscriber, #95769) [Link] (1 responses)

> there is a way to do a factory reset through the configuration interface without providing a password. In fact, the relevant source code has the password checks commented out

WD posted an update explaining that the commented-out checks weren't the actual problem: (https://www.westerndigital.com/support/productsecurity/wd...)

> We have heard concerns about the nature of this vulnerability and are sharing technical details to address these questions. We have determined that the unauthenticated factory reset vulnerability was introduced to the My Book Live in April of 2011 as part of a refactor of authentication logic in the device firmware. The refactor centralized the authentication logic into a single file, which is present on the device as includes/component_config.php and contains the authentication type required by each endpoint. In this refactor, the authentication logic in system_factory_restore.php was correctly disabled, but the appropriate authentication type of ADMIN_AUTH_LAN_ALL was not added to component_config.php, resulting in the vulnerability. The same refactor removed authentication logic from other files and correctly added the appropriate authentication type to the component_config.php file.

That explanation doesn't reflect any better on their software engineering competence, though - it still sounds like a bunch of cobbled-together PHP and shell scripts with inadequate testing. And it doesn't reflect well on their decision to stop providing security updates for an internet-connected device that is specifically designed for long-term data storage, where it's obvious that people will keep using it for many years after it's been discontinued and will be seriously hurt if the device is exploited.

WD also say:

> For customers who have lost data as a result of these attacks, Western Digital will provide data recovery services. My Book Live users will also be offered a trade-in program to upgrade to a supported My Cloud device. Both programs will be available beginning in July, and details on how to take advantage of these programs will be made available in a separate announcement.

so at least they'll be paying some cost for their mistakes.

It's quite possible they've had a cultural change and started taking security a lot more seriously since 2011 when they wrote that buggy PHP code; but it's also quite possible they haven't; so I guess it'll take a lot of effort if they want to earn people's trust in their ability to securely store data.
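As an added illustration of the failure mode the quoted WD explanation describes (this is constructed example code, not WD's firmware or anything from the page): a centralized per-endpoint authentication table in which a missing entry silently grants anonymous access, beside a fail-closed lookup and an audit that lists every routable endpoint with no policy entry. Only the endpoint name system_factory_restore and the level name ADMIN_AUTH_LAN_ALL come from the page; the other endpoint names, the table contents, the dispatcher and the meaning given to ADMIN_AUTH_LAN_ALL (an authenticated admin session is required) are assumptions made for the example.

```python
"""
Model of a component_config-style table: each endpoint maps to the auth
level it requires. Constructed example, not WD's code. The endpoint
'system_factory_restore' and the level 'ADMIN_AUTH_LAN_ALL' are the names
quoted on the page; everything else is a constructed stand-in.
"""
from enum import Enum


class AuthType(Enum):
    NONE = "NONE"                               # constructed: open to anyone
    ADMIN_AUTH_LAN_ALL = "ADMIN_AUTH_LAN_ALL"   # name from the page; assumed
                                                # to mean "admin session required"


# Constructed subset of the centralized table. 'system_factory_restore'
# is deliberately absent, modelling the omission WD describes.
COMPONENT_CONFIG = {
    "system_info": AuthType.NONE,
    "system_reboot": AuthType.ADMIN_AUTH_LAN_ALL,
    "user_password_change": AuthType.ADMIN_AUTH_LAN_ALL,
}

# Every endpoint the dispatcher can actually route to (constructed).
REGISTERED_ENDPOINTS = {
    "system_info",
    "system_reboot",
    "user_password_change",
    "system_factory_restore",
}


def required_auth_fail_open(endpoint):
    """Lookup in the shape that produces the bug: the per-endpoint checks
    were removed in favour of the table, and an endpoint missing from the
    table defaults to 'no authentication required'."""
    return COMPONENT_CONFIG.get(endpoint, AuthType.NONE)


def required_auth_fail_closed(endpoint):
    """Hardened lookup: an endpoint without an explicit policy entry is
    refused rather than quietly treated as public."""
    if endpoint not in COMPONENT_CONFIG:
        raise KeyError(f"no auth policy configured for endpoint {endpoint!r}")
    return COMPONENT_CONFIG[endpoint]


def dispatch(endpoint, session_is_admin, lookup):
    """Decide a request's fate under a given lookup policy.

    Returns 'allowed', 'denied' or 'unconfigured' (the last only with the
    fail-closed lookup, where a missing entry is treated as a server-side
    configuration error instead of open access).
    """
    try:
        need = lookup(endpoint)
    except KeyError:
        return "unconfigured"
    if need is AuthType.NONE:
        return "allowed"
    if need is AuthType.ADMIN_AUTH_LAN_ALL and session_is_admin:
        return "allowed"
    return "denied"


def unconfigured_endpoints(registered, config):
    """Audit check a test suite can run at build time: endpoints the
    dispatcher can reach that have no entry in the policy table. A
    non-empty result is exactly the kind of refactoring slip WD describes."""
    return sorted(registered - set(config))


if __name__ == "__main__":
    anon = False
    print("fail-open, anonymous factory restore:",
          dispatch("system_factory_restore", anon, required_auth_fail_open))
    print("fail-closed, anonymous factory restore:",
          dispatch("system_factory_restore", anon, required_auth_fail_closed))
    print("endpoints missing a policy:",
          unconfigured_endpoints(REGISTERED_ENDPOINTS, COMPONENT_CONFIG))
```

The audit function is the part worth keeping: a unit test asserting it returns an empty list would have flagged the missing entry before the firmware shipped.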

An unpleasant surprise for My Book Live owners

Posted Jun 30, 2021 20:49 UTC (Wed) by Paf (subscriber, #91811) [Link]

> “ For customers who have lost data as a result of these attacks, Western Digital will provide data recovery services.”

This is actually a pretty significant commitment, and if serious and handled well (big ifs) goes about as far as they could be asked today in dealing with the results of these past mistakes.

An unpleasant surprise for My Book Live owners

Posted Jun 30, 2021 16:05 UTC (Wed) by zblaxell (subscriber, #26385) [Link]

It's a single-drive/dual-drive-single-vendor NAS box from 2011. Users should be expecting total data loss any day now, based on today's date alone. The Internet is merely helping natural attrition run a little faster.

They are indeed still offered on Amazon, at prices that are high for the size but not insane. They are a little cheaper in absolute terms than the much newer and larger (and hopefully less buggy) My Cloud NAS devices, and similar-sized devices with new and shiny (and expensive) USB 3.0 and Thunderbolt interfaces.

I wouldn't buy one, but I could see someone who says "I need a tiny NAS box with an Ethernet port that I can drop off at a client site and forget exists" clicking on the cheapest search result. Product reviews indicate some people have done this over the past few years, and been disappointed with the results.

An unpleasant surprise for My Book Live owners

Posted Jun 30, 2021 21:50 UTC (Wed) by Nahor (subscriber, #51583) [Link]

> [...] seems geared toward covering its _ass_ more than anything else [...]

Sounds like someone is _piss_ed!! :p

(I'm not against using the word, it's just unexpected, so I'm wondering if it's voluntary or if it was just missed by the editors)

An unpleasant surprise for My Book Live owners

Posted Jul 8, 2021 19:40 UTC (Thu) by Hello71 (guest, #103412) [Link]

> There is some information on the WD support site about how to build and install custom firmware, but there does not seem to be an active existing project for My Book Live.

OpenWRT has supported My Book Live for almost five years now (anniversary in two weeks): https://git.openwrt.org/?p=openwrt/openwrt.git;a=commit;h..., https://openwrt.org/toh/western_digital/mybooklive. Debian used to mostly work, before the removal of powerpc support in stretch.

An unpleasant surprise for My Book Live owners

Posted Aug 2, 2021 16:38 UTC (Mon) by mcortese (guest, #52099) [Link] (4 responses)

I can understand that a manufacturer can't or doesn't want to commit to support a product forever. I just wish it was mandatory to inform customers about it. All devices with upgradable software or firmware should come with a label on the package stating since when the support won't be guaranteed anymore. We have similar requirements for food, why not for electronics?

An unpleasant surprise for My Book Live owners

Posted Aug 2, 2021 18:35 UTC (Mon) by pizza (subscriber, #46) [Link] (3 responses)

Oh, mandated labeling will result in most stuff saying "this product is not guaranteed to have any post-sale support/updates" in the fine print somewhere. Which is already the status quo.

But is there anything the manufacturer can be expected to do, other than notifying (via some means) the user that the support period has expired?

An unpleasant surprise for My Book Live owners

Posted Aug 3, 2021 10:57 UTC (Tue) by foom (subscriber, #14868) [Link] (2 responses)

I think it'd have a bigger impact than you think.

A warranty period is something which influences purchase behavior across a large range of products, and promising to release software updates is similar to an additional limited warranty just for the software portion of the product. (although, without a legal obligation of fitness for purpose, I suspect.)

So, if consumers can make an informed choice between a product with a 10 year software update lifetime, and one with a 1-year software update lifetime, I think that can indeed increase sales of the 10-year product.

I also note that promises of "software updates for N years" are being voluntarily published for many phones these days. But not very prominently.

An unpleasant surprise for My Book Live owners

Posted Aug 3, 2021 12:47 UTC (Tue) by pizza (subscriber, #46) [Link] (1 responses)

> So, if consumers can make an informed choice between a product with a 10 year software update lifetime, and one with a 1-year software update lifetime, I think that can indeed increase sales of the 10-year product.

Sure, *if the price is the same*

In the real world, the stuff with longer support lifetimes costs more, often considerably so, because... well, support costs money to provide. Sometimes that cost is baked into the initial purchase price, other times it is literally a monthly/yearly paid add-on.

An unpleasant surprise for My Book Live owners

Posted Aug 9, 2021 0:14 UTC (Mon) by mcortese (guest, #52099) [Link]

Retailers will be the ones who will refuse to keep big stocks of devices past their "due date" because they know they'll have to sell them at a discounted price.

Ultimately, manufacturers will face a choice: sustain the costs of extended support or lower their margins. Some will choose the former, others will prefer the latter: there's a market for both positions. Customers will be able to buy from either option, with a decision process based on documented facts, not short-sighted ratings by casual Amazon customers.


Copyright © 2021, Eklektix, Inc.
This article may be redistributed under the terms of the Creative Commons CC BY-SA 4.0 license
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds