Thursday, December 20, 2007

MioNet - Western Digital take it online.

Western Digital has a new product out, called MioNet (you can read about MioNet here), which allows people who buy these massive external disk drives to "share" them out to the Internet, using Western Digital's secure MioNet application. There are complications, of course, as you would imagine... but are we inviting in problems? Let's take a look.

A new article appearing on PC World's site addresses this product lightly, but in my humble opinion, completely misses the point. The article criticizes the MioNet software for restricting "user rights" by employing some internal DRM mechanism to limit the sharing (between different users) of identified music/video file-types (list available here). Sure, MioNet blocks users from sharing media files (audio/video) between users simply because it's next to impossible to verify digital rights. So in that light, if I buy an MP3 somewhere, and try to share it with a friend whom I've given access to my MioNet shares, it will be blocked by the system. On the same side of the coin, if I create some custom music or audio files which just happen to be in one of these blocked formats - I can't share them with other users since MioNet has no way to verify that they have rights to this file.

Now - it's easy to complain and point the finger at Western Digital and say how they're restricting people's rights to share files - but after all, they are providing a service, and don't wish to end up as the next hot-bed for illegal file-swapping so they're taking precautions. You can still share your pictures, it's just multimedia files you can't share... I say get over it - or find another way to do this? It is a service after all... no one's forcing you to use it. Someone commented on this article that they would be refraining from purchasing WD products in the future and urged others to do the same... why? Because they're trying to err on the side of caution and digital rights?

Anyway - as I said before... I think this article misses the point. Forget illegal MP3/Movie/etc swapping that everyone's in a tizzy about... I wish someone would address the security and privacy part of this. After all, you're allowing your private files which could contain financial information, personal legal records, or other personal information to be shared to the Internet, bypass your firewall (which by now I'll assume you have...) and be held at the mercy of a 3rd party you're supposed to trust. Even if Western Digital has a perfect application, with unbreakable (read: hackable) internals such that I can't bypass their access (AuthZ) controls... it's still all hinging on a username/password combination for access to these files. Hackers and malware authors everywhere must be thrilled to read this. I can just imagine a whole new wave of malware looking to steal people's MioNet access credentials. I don't have the product installed so I can't tell if it requires "strong passwords" but I'm going to guess no.

A quick pro/con analysis of this new way of avoiding uploading files to the general Internet looks like this...

Pro
  • Ability to access your files remotely (in case you forget something at home?)
  • Secure access to the system using only a login and password
  • No firewall configurations needed at home (the MioNet software does it auto-magically)
  • Share non-DRM files like pictures, documents, etc with friends, family or co-workers
  • Remote computer control and screen sharing
  • Remote monitoring of a web-cam you can set up with access credentials (monitor your computer's webcam from the office!)

Con

  • Remote access to your internal network files over the Internet (this doesn't even sound like a good idea)
  • Untested, unverified (or at least unpublished) system (MioNet) being trusted to guard your potentially private files
  • Notice that one of the "features" that WD touts is that this application can bypass your firewall, and you don't have to do anything to get it working (network back-door anyone?)
  • Potentially limiting DRM technology (although crude) limits your ability to share home-made movies of the kids or dog with your in-laws

So there it is, and I think the success of MioNet can be put quite simply. The positives (for most users) far outweigh the negatives as your typical end-user will see it. Most users aren't as concerned with the cons as security professionals and paranoids - they see all these great features coupled with the fact that the system is "password protected", and they're sold. But there are clearly problems - or at least issues that need to be addressed to make this system more viable.

First - I would like to see a 3rd party certification that this product is "hacker tested" or at least source-code-reviewed to ensure any major and simple security defects are found and eradicated. Second, I would like to see some sort of "strong authentication" option for those users who want to share more than just photos (such as highly sensitive material like financial and personal documents). Aside from that, I think this product has some potential - and no - I don't think that the DRM'ish attempt to curb illegal file-sharing (albeit crude, I'll admit) should be removed.

6 comments:

rodent042 said...

Hey RX8volution!

I didn't "miss" those points at all. Actually, as you said, there just isn't space enough to cover all the bases :)

If one wanted to get technical all of the abilities that this new software package touts are already available in the form of personal web space allotted by a person's ISP to cuteFTP which is easy enough for anyone (who would take 5 minutes out of their time to read the instructions) to use and a dozen other methods which can be set up far more securely and are already proven. The problems with most of these alternatives are the lack of understanding most people have, the unwillingness to want to learn how to use them and the laziness of "I just want to click on it and have it work". So WD releases a great "new" product that you can just "Magically" share your files with and people flock to it like moths to a light.

That aside, I have a serious issue with DRM in general. You aren't going to stop anyone from trading music and movies. It is as easy as converting the file from one format to another. Show me just about any DRM protected file and I can show you 10,000 google hits on how to bypass it for free. The old adage "Locks only keep honest people out" is alive and well. Would all of these people that illegally trade music buy all of these songs if DRM was foolproof? Let's be serious about that and say "NO". Where would all of these kids get tens, even hundreds of thousands of $ for the thousands of albums they downloaded? Does that make it right? Of course not. But for companies to throw out the numbers that they projected losing is absurd. I should not have to suffer the inability to make a backup copy of any software or music I purchase and, yes, I really do make copies of music. I won't pay $10-20 for a cd to ruin it bouncing around my car ;)

Western Digital makes excellent hard drives. They are, in fact, the only company I have purchased a drive from for years now. And, like I said, I won't bother boycotting them but I certainly was compelled to write them and express my concerns and this is what will ultimately make a difference. Stamping one's foot and ignoring the problem hasn't worked since most of us were around 2 years old.

Finally, bandwidth is not infinite (contrary to many people's beliefs). Upload speeds are capped by most high speed providers and almost all have policies in place that forbid excessive use of your connection for filesharing or ftp service which, if I read this correctly, is exactly what Mionet is doing. Do people really seriously feel the need to share gigabytes of music and photos with their friends and family? If they do then invest in a DVD burner because the speed they are going to get from this "great new invention" isn't going to be what they were led to believe and their ISP isn't going to tolerate it very long (if this "new" idea even catches on).

That's my take on the whole mess anyway :)

Salim said...

I share some of the same security concerns as identified in this article. I purchased one of these drives a few months back but as soon as I realized that the authentication credentials are stored on some third party servers, I was turned off. Even if the site is hacker-proof certified and source code is reviewed by some third party for security holes, I'm still worried about a security breach at WD's systems in my credentials getting stolen. I know for a fact that user passwords that are stored on their system can be decrypted because when I used the 'forgot my password' feature on their site, the system emailed me my original password. That tells me that passwords aren't just one-way encrypted, if they're encrypted at all, on their systems. In addition to that, I'm also worried about WD's internal staff having access to my credentials. Sure these concerns should be same for any other financial institution website, but I'm only limited to my accounts at each institution and I trust the financial institution to protect my data far more than I could trust WD. If there is a security breach at WD, someone could gain access to all my financial data that may be stored on my hard drive.

I would have really preferred to have Mionet authenticate the user directly on the software that's running on the drive rather than authenticating against a central server on the internet. That would make me much more comfortable using my drive.
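An added example, not part of the original post or comments and not MioNet's code: the comment above infers reversible password storage from a "forgot my password" e-mail that contained the original password. The sketch below shows the one-way alternative, where the server keeps only a salted PBKDF2 hash and recovery goes through a single-use reset token. All function names, the record layout and the iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor for this example

def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def store_password(password: str) -> dict:
    """Return the only data the server keeps: a random salt and a one-way hash."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": _derive(password, salt)}

def verify_password(record: dict, candidate: str) -> bool:
    """Re-derive from the candidate and compare in constant time."""
    return hmac.compare_digest(_derive(candidate, record["salt"]), record["hash"])

def start_reset(record: dict) -> str:
    """'Forgot my password': mail a random token, never the password.
    Only a hash of the token is stored, so a database leak does not expose it."""
    token = secrets.token_urlsafe(32)
    record["reset_hash"] = hashlib.sha256(token.encode()).digest()
    return token

def finish_reset(record: dict, token: str, new_password: str) -> bool:
    """Accept the token once; any attempt, good or bad, consumes it."""
    expected = record.pop("reset_hash", None)
    supplied = hashlib.sha256(token.encode()).digest()
    if expected is None or not hmac.compare_digest(expected, supplied):
        return False
    record.update(store_password(new_password))
    return True

if __name__ == "__main__":
    rec = store_password("constructed-sample-password")  # constructed sample value
    print("login ok:", verify_password(rec, "constructed-sample-password"))
    tok = start_reset(rec)
    print("reset ok:", finish_reset(rec, tok, "a-new-sample-password"))
    print("old password still works:", verify_password(rec, "constructed-sample-password"))
```

With this layout there is nothing on the server from which the original password could be mailed back, which is the property the commenter found missing.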

Ken said...

Great article, I am 100% in agreement. I just bought the World Edition II, not realizing the setup. As soon as I started transferring data, I got a super uneasy feeling in my gut. Upon further investigation I realized everything you just mentioned, in regards to security. Not enough, bypasses my Zone Alarm Pro firewall. I could see some benefits, but by no means do they outweigh the cons. I contacted WD and let them know I will be taking it back on these grounds.
Thanks for the blog.
cory

Dan Andrews said...

I did not buy a drive, but a friend did. He wanted to share files with me so I downloaded and installed Mionet. Bad idea. This software is viral in nature. It starts on every start-up even though I have used Spybot and Zone Alarm to turn it off and keep it off! I have now uninstalled it but do not have perfect faith that it is gone.

Anonymous said...

I just bought this product, it asked for name address details and messed up my network. This machine is another method of the government trying to obtain your personal information. It's a pile of shit and I called the support team who are from India not USA. The response is that they don't even understand the product and if you ask them any technical questions they simply hang up or try to find some dumb excuse to not answer your question...It's RUBBISH, Support is RUBBISH and it's VIRAL ...avoid all Western Digital products especially the My Book Drives or anything of theirs that connect to a network or internet. They are simply out to collect your personal data.

Anonymous said...

I installed Mionet software and after a lot of prompting paid for the full use of Mionet file sharing etc.
I am concerned whether my firewall was not breached as at the same time my ISP cable connection with 7GB per month capacity was filled up with continuous downloads day and night - on one day in 13 hours a 500 000MB download.
I am investigating the matter and have asked WD for help - being looked at.
