An unpleasant surprise for My Book Live owners

Posted Jun 30, 2021 9:16 UTC (Wed) by khim (subscriber, #9252)
In reply to: An unpleasant surprise for My Book Live owners by Subsentient
Parent article: An unpleasant surprise for My Book Live owners

Trying to understand device where firmware doesn't have access to the content. Failing.

Not sure what you meant when you wrote what you wrote, but I think it was something like “NAS is more of PC with HDD attached to it, than HDD with Ethernet cable, despite the looks and PC part shouldn't have access to the HDD”… but that's something neither consumers nor WD bosses understand.

Their customers wanted an HDD with an Ethernet cable and they asked engineers to make one, why have engineers provided something else?

It's not easy to understand why that happens for the company which was built around making hardware and always considered firmware just an “enabler” for that hardware.

They probably never even considered that a problem so what hope was there for them to resolve it?

to post comments

An unpleasant surprise for My Book Live owners

Posted Jun 30, 2021 10:40 UTC (Wed) by excors (subscriber, #95769) [Link] (6 responses)

> Their customers wanted an HDD with an Ethernet cable

More specifically, their customers wanted an HDD that was accessible over the internet. That's the main selling point of the product - "Connect this powerful drive to your wireless router for shared storage on your home network that you can access within and outside the home. Share files with PC and Mac computers, stream media to your entertainment center and access files on-the-go with secure, remote access and apps for your mobile devices" (from their Product Overview). And that's what they got (apart from the "secure" part). Even these exploits are simply accessing the device over the intentionally-public API; they're not relying on any hidden components of the software architecture that would surprise 'the WD bosses', they're just bugs in the basic features.

It's certainly possible for companies to write reasonably secure IoT-like software, and sometimes that actually happens. (That seems more common when they start as software companies that branch out into hardware, than when they start as hardware companies that are used to writing little self-contained firmware and suddenly expand into writing IoT SDKs and cloud services. Some hardware companies are adjusting much better than others, though). I think the basic problem is that customers (even highly technical ones) have no way to judge whether a company is one of the good ones; plus secure software is usually less convenient for regular use cases and is more expensive to develop, so on the metrics that are easy for customers to judge the more secure products are actually worse. That means there's little pressure for the industry as a whole to improve.

An unpleasant surprise for My Book Live owners

Posted Jul 1, 2021 4:07 UTC (Thu) by NYKevin (subscriber, #129325) [Link] (5 responses)

In other words: WD's business model is like Dropbox's business model, but crappier. They sell you a HD and some software that makes it act like Dropbox acts, and tell you to replace that hardware after N years (at which point, they'll happily sell you a shiny new one that's still supported). This is analogous to Dropbox's subscription fee, except that you also have to pay for the electricity, you have to do your own offsite backups (or onsite backups, if this thing is your offsite backup), you actually have to remember to replace the damn thing (or hack its firmware and do your own security upgrades), you probably want to have onsite data redundancy of some kind, and so on.

(For anyone unaware, the Dropbox business model can be summed up as "We will make your data accessible to you anywhere in the world, in exchange for $X per gigabyte-year." It's not sold as hardware or software, it's just a service that you pay for.)

Frankly, I find it hard to believe that the consumer comes out ahead in that model. It's probably cheaper per gigabyte than Dropbox, but only if the consumer has the necessary technical knowledge to take care of all of those minutiae. Otherwise, it's just a data loss event waiting to happen.

Disclaimer: I work as an SRE for Google, which offers a similar service to Dropbox. I don't know exactly what the Dropbox engineers do at their datacenters, but I can pretty much guarantee that *our* data persistence beats the pants off anything the average nontechnical consumer can do with a simple device like this one. This is not a boast; it is simply the reality of consumer-grade hardware on a consumer-grade network.

More generally: When you have an IoT device that is connected to the internet, if you are not paying a subscription fee for it, then IMHO you need to ask yourself whether the product has a reasonable economic model, and compare and contrast that economic model to more traditional subscription services. You may find that the product does not actually make sense.

An unpleasant surprise for My Book Live owners

Posted Jul 1, 2021 11:10 UTC (Thu) by excors (subscriber, #95769) [Link] (1 responses)

> I find it hard to believe that the consumer comes out ahead in that model. It's probably cheaper per gigabyte than Dropbox, but only if the consumer has the necessary technical knowledge to take care of all of those minutiae.

The 2TB My Book Live apparently cost £170 in 2011, and nowadays you can get a 6TB WD My Cloud Home for that price. A 2TB account on Dropbox costs £96/year (but 3TB is more than 2x the price, and it appears to be impossible to pay for more than 3TB on a individual account). So if you have less than 2TB of data, and buy two large local disks for redundancy, and you keep those disks for several years, Dropbox is quite a lot more expensive per GB of data. At that scale it's not a huge difference in absolute cost though, so maybe the difference is justified by the maintenance effort and the risk of data loss.

If you have less than 100GB of data then it looks like you can get Microsoft OneDrive for £24/year, or 100GB on Google One for £16/year, etc. That's probably enough for most people's remotely-accessible backed-up document requirements, and is cheaper than the smallest home NAS you can buy, so in those cases the cloud solutions sound a lot more compelling.

At the terabyte scale, I guess the bigger issues are the lack of flexibility (some people really want to store more than 3TB of, uh, Linux ISOs, and Dropbox simply won't let you) and bandwidth (many people will find it slow and expensive to upload terabytes of data from home, or maybe they're using the storage for real-time video editing and need higher bandwidth and lower latency than they get through the internet, etc).

So it sounds like a fairly small niche where a home NAS ends up being better value, but there are still some valid use cases, and the world is large enough that it's worth developing good technology for niches.

An unpleasant surprise for My Book Live owners

Posted Jul 6, 2021 1:54 UTC (Tue) by marcH (subscriber, #57642) [Link]

> So it sounds like a fairly small niche where a home NAS ends up being better value, but there are still some valid use cases, and the world is large enough that it's worth developing good technology for niches.

BTW the NAS could be both on local premises for speed _and_ its software maintained and updated remotely. Many homes already have plenty of devices maintained remotely, so why not storage? It could even be split in two: a "premium", resizable area backed up in the cloud for a monthly fee and the rest not for movi... Linux images that don't need backup.

An unpleasant surprise for My Book Live owners

Posted Jul 1, 2021 11:35 UTC (Thu) by khim (subscriber, #9252) [Link] (1 responses)

> Frankly, I find it hard to believe that the consumer comes out ahead in that model.

Consumer comes out ahead for sure. Offline backups on something which is physically in your possession is very good proctection from this.

Dropbox or Google Drive or any other “cloud” solution saves you against hackers or physical damage to you WD box (it could just go and die on you and if you apartment would burn then even RAID-6 wouldn't help you).

But there are quite non-trivial chances for your data to just become erased while you are trying to prove that you have rights to get it back.

And I'm very sorry to say that, but SREs couldn't do anything about it. Legal issues will supersede all the reliability measures when you deal with cloud.

And yes, even with that incident what WD offers is still good deal. Hackers don't empty these boxes all that often. Pull data from your cloud backup when that happens and you are, again, protected against legal problems.

An unpleasant surprise for My Book Live owners

Posted Jul 5, 2021 6:34 UTC (Mon) by NYKevin (subscriber, #129325) [Link]

My opinion (not Google's): The legal issue should be solved by enacting appropriate legislation (e.g. they must give your data back to you upon request, or else they must get a court order to block the data's return), not by everyone using overtly inferior technology* to work around it.

This would probably create a lot of extra work for people like me (my SRE job has to do with data classification and permissions). I am entirely willing to do that work, because I believe that users ought to own their own data. But either the business or the government has to decide that the work is worth doing, and so far the former has not made that decision.

* I consider it "inferior" under the reasonable-to-me assumption that the average consumer is just barely capable of installing automated updates on "user-friendly" operating systems like Windows, and would have no idea how to e.g. rent a colo, SSH in to fix a problem, etc. Obviously, if you are capable of figuring those things out, then you do you. But I'm concerned with the needs of average consumers, not you.

An unpleasant surprise for My Book Live owners

Posted Jul 1, 2021 14:47 UTC (Thu) by nix (subscriber, #2304) [Link]

> They sell you a HD and some software that makes it act like Dropbox acts, and tell you to replace that hardware after N years

Did they even do that, or did they silently move it to unsupported status at a poorly-advertised or entirely un-advertised date and then (years later) use this to *blame* the customers for not spending more money with them after this silent act of theirs?