The IT Nerd

If you have a Seagate Personal Cloud NAS device, I’d advise you to check for a firmware update because according to a security researcher, there was a nasty bug that Seagate apparently quietly patched after not acknowledging that the flaw even existed:

The vulnerability affects Media Server, a web application that runs on the NAS and allows users to interact with the data stored on the device via a network connection.

And:

The flaw —named an unauthenticated command injection— allows attackers to run commands on the device’s underlying firmware from its web management interface.

Koster put together proof-of-concept code that would use the flaw to enable remote SSH access on the Seagate NAS and then change its root password.

One note is that you have to be on the local network to pull that off. But there’s lots of malware that are capable of getting onto a local network and potentially exploiting something like this. Thus this isn’t trivial.

Here’s the the key point to all of this:

[Security researcher named Yorick] Koster has reached out to Beyond Security’s SecuriTeam managed vulnerability program to inform Seagate of the issue he discovered. Beyond Security, on behalf of Koster, has reached out to Seagate.

“Seagate was informed of the vulnerability on October 16, but while acknowledging the receipt of the vulnerability information, refused to respond to the technical claims, to give a fix timeline or coordinate an advisory,” Beyond Security wrote.

But Koster has told Bleeping Computer that while ignoring the vulnerability report, Seagate has quietly patched the flaws he reported.

“I can confirm it is fixed on my NAS,” Koster told Bleeping Computer, pointing us to the Seagate Personal Cloud changelog for version 4.3.18.0.

That’s really craptastic handling of this issue by Seagate. The fact that they didn’t respond to this, nor did they wrap any timelines around a fix isn’t cool. The only good news is it looks like they fixed this within the 90 day window that the responsible disclosure protocol demands. But clearly their communication needs to be better. In any case, if you have one of these devices, you need to patch it ASAP.

Seeing as this is Earth Day, I guess Seagate decided that today was a great day to release their answer to Western Digital’s Green drives. Let me introduce you to the Seagate Barracuda LP drives:

The Seagate Barracuda LP hard drive, a 3.5-inch 5900RPM drive, is available in capacities of 2TB, 1.5TB and 1TB. The new hard drive family helps reduce product costs for makers of low-power personal computers, external PC storage and multiple-drive home networking SOHO systems by allowing them to use lighter-duty fans, power supplies and other system components.

5900 RPM? That’s a weird number as most desktop hard drives either run at 7200 RPM or 5400 RPM. But for Seagate, that’s the number one method for getting the most power savings out of the drive. I guess for somebody who doesn’t need the speed, that’s fine. At least they come in huge sizes so that you have lots of room for your porn and MP3’s data.

I should note that I recently got the Western Digital 1TB Green drives with an 8MB cache for my D Link NAS box (they were on sale at my local computer store, so I figured why not). While it’s not as fast as the 500MB Seagate’s that I pulled out of the NAS box, it does have Western Digital’s IntelliPower algorithm which varies the rotational speed between 5400RPM and 7200RPM, rather than run at 5900 RPM like the Seagate drives. I think it’s a good drive for my needs and I can say I’ve done my part for the environment.

I’d love get some feedback from anybody who gets one of these Seagate low power drives as to how good they are. Please post a comment and share your experience.

Last night, Seagate who has been in all sorts of hot water lately over hard drives that die and firmware that bricks functioning drives, released a fix for drives that are bricked as well as some other firmware updates for other drives. This updated knowledgebase article has the details, but here’s the key message:

While we believe that the vast majority of customers will not experience any disruption related to this issue, as part of our commitment to customer satisfaction, Seagate is offering a free firmware upgrade to proactively address those with potentially affected products. This new firmware upgrade corrects compatibility issues that occurred with the firmware download provided on our support website on Jan. 16. We regret any inconvenience that the firmware issues have caused our customers.

Okay. That’s great. But the question is, do you have the man sized balls guts to try this given how much of a mess this episode has been? If you do, please post a comment and let us know how it went.

UPDATE: Kudos to “Don” who had the man sized balls guts to try this out and according to his comments, it worked. Thanks to him for posting that info. Please keep the info coming.

As if Seagate doesn’t have enough issues, comes this news. It seems that a firmware update that was supposed to fix those dying hard drives I told you about has been pulled by Seagate (check this page and pick a model number and it will say *In Validation* where the update used to be). Not only that, it seems that while the update was available, it seemed to brick (aka: Kill) 500GB hard drives at an alarming rate.

That’s just awesome if you’re a Seagate drive user.

I used to be a fan of Seagate drives. The key words are USED TO BE. Though I have not been affected by this (At least not yet. I have two of the 500GB drives that so far seem to be fine at the moment.), my next hard drives will come from Hitachi most likely as I have had good results with the notebook drive that I installed in my MacBook Pro, plus they have good feedback from various places on the net. Like anything else, YMMV. But at this point, one thing is clear. Seagate seems to have bungled this issue to the point that I can’t trust them with my data anymore. Nor can many other people.

The class action lawsuit I suspect is about to be filed.

I guess that Seagate has decided to not be like Nvidia when it comes to their flakey hard drives that I posted about last week. Seagate has a support page set up to point customers to the resources they need to deal with the issue, plus they’re offering free data recovery services to those who have bricked hard drives. I was going to post links to the relevant documents, but when I try to go to them this is what I get:

Way to go Seagate. You have a some info and a fix, but you can’t get that info and fix to your customers because your knowledgebase has been Slashdotted. Awesome! Therefore I will post links from The Register and Gizmodo who broke this story. Those stories have links in them that should work. Eventually.

It’s amazing what happens when a bunch of pissed off people post their experiences about a company publicly. Then the story gets picked up and replicated all across the Interwebs. But, I will point this out. While I do applaud what Seagate has done to resolve the problem,  Seagate should have come out and dealt with this far earlier. Instead they denied the problem even existed, leaving everyone in the dark and with a bad taste in their mouth. Also, make sure that when you have a fix and updated info, you can get that info to your customers. Otherwise people like me will point out how half assed your response is that you need to step up your game.

Let this be a lesson to companies who have an problem. You’re not a bad guy for having a problem with your products and dealing with them in an up front manner. In fact, you’re a great guy when you do that. You only become a bad guy when you cover up your problems and lie to your customers.

UPDATE: This link to Seagate’s site seems to be working intermittently.

I’m usually a fan of Seagate and their drives, but there seems to be a growing number of people who have had issues with their 1TB drives lately. A growing thread on Seagate’s discussion boards is the best source to see how ticked off users are. The type of issues that people are having can be seen in this message on that thread. Talk of this issue have also showed up in other places like ZD Net’s blogs for example.

This is actually quite scary. Seagate needs to step up to the plate and deal with this right away. If you want an example of what could happen if they don’t, just look at Nvidia. I’m no legal expert, but lawsuits tend not to be good for business. And that’s what might happen to Seagate if they’re not careful.

In the meantime, if I need a hard drive I’ll be making my purchasing decisions very carefully.