Dawid Bałut

@thedawidbalut

Backdoor in Western Digital “MyCloud” and Sad State of Online Privacy & Data Safety

If stored online, your data is unlikely to be safe and private

Most of us — let alone non-techy people — blindly believe that if we pay extra money for a product from reputable brand, then we’ll receive a high quality and secure thing. It doesn’t work this way. Not at all.

Most companies don’t give a damn about your safety, your privacy or security of your data as long as they can rock’n’roll thanks to the money you gave them. 
It’s fair to buy products and services. We make these exchanges on daily basis with a problem being that we aren’t really aware of the hidden costs on our side. 
I’m not even going to say a single word about free products, because it’s obvious that “if you are not paying for a product, you are the product”.

Application security, especially on this level, for a company with revenue of 19 billion dollars is NOT hard by any means. There is no excuse or explanation for this. 
They just don’t care and to be honest, it doesn’t make them much more different from >90% of companies which services and products you use on daily basis. With SMBs and startups it’s even worse — because there is almost zero pressure and budget to create secure things — with the worst security posture on side of local (web)shops.

It’s about time to wake up and announce the uncomfortable truth

So I’m happy to welcome anyone willing to join the discussion and as usually tell me that $19B company with 77 000 employees is so unlucky that it’s not capable of managing their security program and hiring security personel.

Let’s not be delusional anymore, we’ve had it enough in the InfoSec industry. Businesses just don’t care as much as you’d like them to and security folks running around and moaning how hard it is to build secure companies and products aren’t contributing to anything. They’re publicly giving an excuse for companies like WD to keep failing us.

WD is just an example. Pretty much on weekly basis we learn about yet another huge company having pathetically basic security vulnerability.
To be clear, I’m far from blaming random companies that were hacked in a sophisticated way or by state sponsored actors. 
There is a difference for the fucks sake between having OWASP TOP 10 vulnerabilities and zaq12wsx password to admin console AND an breach caused by a group of determined hackers. So stop justifying the bad security posture of companies with arguments like ‘hacks happen, everyone is vulnerable yada yada’, because hacks != hacks and looking at the year-by-year statistics on how companies get hacked, where do you see those sophisticated attacks? We’re really lying to ourselves and everyone around us.

This industry is broken and it’s broken in a really bad way

There are people who do great things, find great bugs and contribute to the society by spending their personal time on security research. 
Yet there are cohorts of people who only complain about the insecure world and always brag how hard their work is. 
To those who do that: Please level up your game, get your act together and stop bitching, because it’s just about time to realize how much damage you make to the world.

It’s not just ‘your opinion’, that’s now how sociology work. 
Every single time you share your opinion like this it has a huge effect on the society and it doesn’t go unnoticed by the universe. Your also-complaining homie shares your stupid insights with his 10 Twitter followers, who then share it with their 10 Followers and it grows exponentially with snowball effect. 
Because of how human being are wired, it’s incredibly easy to make negative tweets go viral. Negativity is something people easily bend towards as it costs them nothing, and sharing bad news make them feel special or ‘insightful’ and is a pure fishing for compliments to pamper their ego and mask their insecurities.

Please either do the work to make world a safer place or just shut up. Stop waiting for a miracle to happen and for someone else to pick this battle.

I’m not here to judge any human being for the way they are wired or criticize the things they do to roll thru life full of pain and struggles. 
I’m not here to point fingers, talk about ethics or talk badly about people who just do their 9–5 job and simply don’t feel a need or energy to save the world. That’s fine, I understand it all.

All I want is for those impartial professionals working in security industry, to stop creating an illussion of them doing something noble if they have no intent of doing anything good at all. 
If you want your 9–5 job that pays the bill, that’s fine who am I to judge. 
Do the work and just don’t speak up on a matters you have no clue about, because there are thousands of us trying to fight the bigger battle, and we have no energy for domestic conflicts and people who give a bad example to societies of nontechies following your lead.

To the good Gals and Gys, keep doing what you’re doing. 
By no means I want to instill nihilism in you, but we all should be aware of the challenges and obstacles we’re facing. Those are things that we should be brave enough to acknowledge, because as with anything else in life — if we don’t name this problem, we won’t be able to solve it.

What can be done?

Not much, online privacy and safety are myths and legends we can tell our kids as a bedtime story. 
The problem tho is that we wouldn’t believe in bedtime stories, yet we do believe in this one because it’s comforting to think there are people out there who take care of us behind the scenes. 
It’s comforting for industry to spend money on flashy things and myopic initiatives, even if they have very small and unprofitable ROI. But we still do make those reckless investments because it makes us feel like we’re doing something and then no one can really say that we’re sitting ducks who ignore the problems.

A change would require a society who understands and publicly shames companies with bad security practices, but that’s not going to happen anytime soon.

Most people don’t want to trouble themselves with care about data safety and their privacy so they won’t take any action. Yes, even those who’re terrified reading Orwell’s “1984” and who nod their heads muttering how evil corporations are and how scary it would be to live in such oppressive world.

Hundreds of millions of email addresses, passwords, personal data records, credit card numbers have already leaked in a just past few years. Lots of informations on spying governments violating privacy have been leaked as well, and how much has attitude of regular Joe changed?
In such situations, emotions aren’t strong enough to affect people and force people to take action, so unless individuals get hacked and their naked photos leak — they don’t care.

People still — and likely even more than ever — buy electronic devices from unknown manufacturers on AliExpress. People still don’t give a second thought while buying IoT devices from AliExpress and never consider if the product is safe to use and if it doesn’t violate their privacy. 
Even tho we’ve seen massive leakages of recordings from childcare products, monitoring cameras, sex toys and what not, people still don’t give a damn.

A call for action

Only us, security professionals can make a difference and be a major change-driving force. 
We can make a difference by spreading the awareness and heavily shaming the corporations who clearly neglect security of their products and services. as long as they start losing money.

But that requires passion, moral backbone, ethics and heavy work which very few have and want to spend for a common well-being.

It’s not wrong that people have their own problems, remain neutral and don’t want to spend their lives helping society, which will be ungrateful anyways.
However, it takes totally different colors, when people do things that not only not help, but make things worse — and giving companies permission to continually fail us is one of those things that make world a worse place to live.

But on that I’ve already written a piece — in context of Internet of Things — so I’ll allow myself to stop right here and get back to work.

Happy Sunday All, cheers.

More by Dawid Bałut

Topics of interest

More Related Stories