[tor-talk] "Safeplug"

gq bugmagnet1 at gmail.com
Fri Nov 22 23:07:45 UTC 2013 

I bought an early pogoplug device.

It was advertised as a means to provide "safe and secure" file access.
This model allowed connecting one's external hard drive via a USB port 
and connecting via ethernet to WAN thru their infrastructure which 
ostensibly provided authentication and access control. The idea was you 
could generate a URL to their server which would, if authenticated than 
open the door to the files you wanted to share with others. Or you could 
access your own home files on that external drive from any outside WAN 
location.

For me, it was the ability to place files i wanted to share online 24/7 
and since the device used only 4 watts and the external HD perhaps 6-10 
watts more, it had a minimal cost for electricity. Leaving a PC online 
24/7 as a fileserver costs $15-25 per month in electricity where I live, 
so potential of saving 80% of that was a boon.

I started the mandatory device registration process to get it going, 
then, before clicking the final "OK", decided I'd like to look at the 
linked Terms of Service since they were quite vague about how all the 
magic happened. I was curious.

Turns out, this little device used a special version of Linux for which 
THEY had root access, not you. If you jumped through hoops, you could 
get root access but it was not a process for normal people. They still 
maintained control.

With the level of control they had, the TOS was a concern, because in it 
you had to grant them full legal permission to:

    monitor and log your bandwidth usage,
    the identity of who was accessing the files on your HD,
    the content of your files ("so they could index content and make it
    easily searchable"),
    AND they had your permission to copy all your files (for evidence
    purposes)
    AND...get this... even delete files from YOUR hard drive (should
    THEY determine them to be 'illegal' or otherwise inappropriate..


pogoplug is NOT your friend.

Some geeks figured out how to run a clean version of Linux that didn't 
connect to pogoplug's content monitoring management service but that is 
quite complicated. Were Raspberry Pi available back then, I wouldn't 
have wasted so much buying into pogoplugs lies and deception. Is it far 
to say I don't trust they? YUP!

BM

On 11/22/2013 3:21 PM, Yuri wrote:
> On 11/22/2013 11:35, Roman Mamedov wrote:
>> Why can't it be?
>>
>> Well, maybe not the whole device down to the CPU Verilog design 
>> level, but
>> they could post source-code for the firmware with the instructions to 
>> build
>> and flash it, and since most likely this contains at least the Linux 
>> kernel
>> and some GPLed tools like Busybox, they are legally obligated to provide
>> source to whoever they distribute the binary to, on their request. 
>> But many
>> router manufacturers don't bother limiting it to just that, and 
>> simply post
>> the source code for public download on their websites.
>
> How can one be sure that firmware that is running on the router is 
> built from this particular source code and not from some modified 
> version or different revision? Also how can one be sure that one extra 
> service wasn't added on top of this open source? I think the answer to 
> both of these questions is "impossible". In addition, governments have 
> the power to execute the secret order on the company to secretly add 
> such back door.
>
> Open source only makes sense when built and installed by the party 
> interested in security, or maybe when it is built by some trustworthy 
> organization, like some trusted linux distro, and not just some random 
> commercial company without any reputation.
>
> Yuri

More information about the tor-talk mailing list