
Re: [tor-talk] "Safeplug"



I bought an early pogoplug device.

It was advertised as a means to provide "safe and secure" file access.
This model allowed connecting one's external hard drive via a USB port and connecting via Ethernet to WAN thru their infrastructure, which ostensibly provided authentication and access control. The idea was you could generate a URL to their server which would, if authenticated, then open the door to the files you wanted to share with others. Or you could access your own home files on that external drive from any outside WAN location.

For me, it was the ability to place files I wanted to share online 24/7, and since the device used only 4 watts and the external HD perhaps 6-10 watts more, it had a minimal cost for electricity. Leaving a PC online 24/7 as a fileserver costs $15-25 per month in electricity where I live, so the potential of saving 80% of that was a boon.

I started the mandatory device registration process to get it going, then, before clicking the final "OK", decided I'd like to look at the linked Terms of Service since they were quite vague about how all the magic happened. I was curious.

Turns out, this little device used a special version of Linux for which THEY had root access, not you. If you jumped through hoops, you could get root access but it was not a process for normal people. They still maintained control.

With the level of control they had, the TOS was a concern, because in it you had to grant them full legal permission to:

   monitor and log your bandwidth usage,
   the identity of who was accessing the files on your HD,
   the content of your files ("so they could index content and make it easily searchable"),
   AND they had your permission to copy all your files (for evidence purposes)
   AND...get this... even delete files from YOUR hard drive (should THEY determine them to be 'illegal' or otherwise inappropriate).


pogoplug is NOT your friend.

Some geeks figured out how to run a clean version of Linux that didn't connect to pogoplug's content monitoring management service, but that is quite complicated. Were Raspberry Pi available back then, I wouldn't have wasted so much buying into pogoplug's lies and deception. Is it fair to say I don't trust them? YUP!

BM

On 11/22/2013 3:21 PM, Yuri wrote:
On 11/22/2013 11:35, Roman Mamedov wrote:
Why can't it be?

Well, maybe not the whole device down to the CPU Verilog design level, but they could post source-code for the firmware with the instructions to build and flash it, and since most likely this contains at least the Linux kernel and some GPLed tools like Busybox, they are legally obligated to provide source to whoever they distribute the binary to, on their request. But many router manufacturers don't bother limiting it to just that, and simply post the source code for public download on their websites.

How can one be sure that firmware that is running on the router is built from this particular source code and not from some modified version or different revision? Also, how can one be sure that one extra service wasn't added on top of this open source? I think the answer to both of these questions is "impossible". In addition, governments have the power to execute the secret order on the company to secretly add such a back door.

Open source only makes sense when built and installed by the party interested in security, or maybe when it is built by some trustworthy organization, like some trusted Linux distro, and not just some random commercial company without any reputation.

Yuri

--
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk