Saturday, February 28, 2009

Sharing Your Stuff with the World (or Bits of It)

Someone recently pointed me to the SheevaPlug computer - an ingenious little plug computer that essentially consists of a low-power computer built into a wall-wart - and a consumer appliance based on it, the Pogoplug (http://pogoplug.com/). There's a nice write-up on the SheevaPlug at http://linuxdevices.com/news/NS9634061300.html and their development info is at http://www.marvell.com/products/embedded_processors/developer/kirkwood/sheevaplug.jsp.

The Pogoplug is a small server appliance which shares the contents of a USB hard drive (or flash drive) attached to it. It does this by setting up an SSL connection back to the company's servers, where a browser-based interface lets you administer your account and generate links which you can email to others so that they can access the shared files on your device. Devilishly ingenious.

The company's home page trumpets the device's ease-of-use: "Just connect Pogoplug to your home network and attach any external drive or memory stick. That's it, no need to call your office networking guy".

In my cynical fashion, I'd rephrase that: "Please, please don't call your office networking guy because once he hears what you're planning, he'll slap you upside the head and we won't make the sale!".

In other words, if the nasty, restrictive network admins at work won't let you connect remotely because It's A Bad Idea, then this thing is An Even Worse Idea.

The last thing any enterprise firewall admin wants to come across is a device he didn't know about that sits on the inside network and pokes holes through the firewall. In this case, I'm betting (the device is in early beta) that it connects back to port 443 on Pogoplug's servers, since many firewalls don't block or proxy SSL connections. So, expect the firewall admins to black-list pogoplug.com, thereby stopping this device in its tracks.
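The firewall admin's side of that bet, as an added example (my code, not Pogoplug's and not taken from any real firewall product): it reads connection-log lines in a constructed format, picks out outbound TLS sessions to a watched domain, and flags the two patterns a reverse-connect appliance would show, a single very long-lived session or a steady stream of reconnects from the same inside host. The log lines, the field layout and the hostname `device-gw.pogoplug.com` are all constructed for the example; only the `pogoplug.com` domain comes from the post.

```python
import re
from collections import defaultdict

# Constructed sample of firewall connection-log lines (not real logs).
# Assumed layout: "<timestamp> src=<ip> dst=<host> dport=<port> proto=<proto> dur=<seconds>"
SAMPLE_LOG = """\
2009-02-28T09:00:01 src=10.1.2.34 dst=mail.example.net dport=443 proto=tcp dur=12
2009-02-28T09:00:05 src=10.1.2.34 dst=device-gw.pogoplug.com dport=443 proto=tcp dur=7215
2009-02-28T09:00:09 src=10.1.2.51 dst=www.example.org dport=80 proto=tcp dur=3
2009-02-28T09:05:00 src=10.1.2.77 dst=updates.example.com dport=443 proto=tcp dur=40
2009-02-28T09:06:00 src=10.1.2.51 dst=device-gw.pogoplug.com dport=443 proto=tcp dur=30
2009-02-28T09:07:00 src=10.1.2.51 dst=device-gw.pogoplug.com dport=443 proto=tcp dur=31
2009-02-28T09:08:00 src=10.1.2.51 dst=device-gw.pogoplug.com dport=443 proto=tcp dur=29
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=\S+ dur=(?P<dur>\d+)$"
)

# Domains the admin has decided to watch; matched as a suffix so every subdomain counts.
WATCHED_SUFFIXES = ("pogoplug.com",)
LONG_LIVED_SECONDS = 3600   # one tunnel held open for an hour or more
REPEAT_THRESHOLD = 3        # or the same pair reconnecting again and again


def parse_log(text):
    """Parse the constructed log format into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            rec["dur"] = int(rec["dur"])
            records.append(rec)
    return records


def is_watched(host):
    """True if host is a watched domain or a subdomain of one ('notpogoplug.com' is not)."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)


def find_reverse_tunnels(records):
    """Return (src, dst, reason) findings for outbound 443 sessions to watched domains."""
    findings = []
    reconnects = defaultdict(int)
    for r in records:
        if r["dport"] != 443 or not is_watched(r["dst"]):
            continue
        reconnects[(r["src"], r["dst"])] += 1
        if r["dur"] >= LONG_LIVED_SECONDS:
            findings.append((r["src"], r["dst"],
                             "long-lived outbound TLS session (%ds)" % r["dur"]))
    for (src, dst), n in reconnects.items():
        if n >= REPEAT_THRESHOLD:
            findings.append((src, dst, "repeated reconnects (%d)" % n))
    return sorted(findings)


if __name__ == "__main__":
    for src, dst, why in find_reverse_tunnels(parse_log(SAMPLE_LOG)):
        print("%s -> %s: %s" % (src, dst, why))
```

The point of keying on destination domain plus port 443 rather than on the TLS handshake itself is that it matches what the post predicts admins will do: a proxy that logs the SNI or a plain DNS block-list on `pogoplug.com` gives the same answer without having to inspect the encrypted session.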

Once you've shared your stuff, other users can log in at the Pogoplug site via their web browser - this solves the problem of locating a Pogoplug hidden behind a modem with a DHCP-allocated IP address that might change. Of course, this suggests various easy attacks: a keystroke logger, spyware or even an XSS attack on a user's browser could capture the user's credentials. In fact, if I were an Evil Criminal Mastermind banging out spyware to capture banking, eBay and email credentials, I'd add my.pogoplug.com to the list of pages to monitor, just to see what might turn up - most Pogoplugs will contain shared photos, videos, etc. but there's bound to be more than a few users who let their guard drop and use it to transfer more sensitive information.

Of course, if our Evil Criminal Mastermind was to compromise the Pogoplug servers, he would own every Pogoplug in the world. I do hope that their software isn't written in PHP by a summer intern.

Access control concerns me, too. If the access checking is done at the Pogoplug servers, that means they have access to the entire contents of the USB drive. People are quite likely to use a single drive for backup, carrying documents around and also plugging into the Pogoplug, and would be trusting the company to protect all of that.

Of course, Pogoplug isn't the only company offering boxes like this; Lacie, Axentra and probably others have them, too, in many cases based on the Marvell OEM SheevaPlug.

Here's a way it could be done better (and a free design innovation for router manufacturers like Netgear and Linksys):

Put the USB connector on the router itself. Many ADSL modem/routers already have a feature to nominate a machine on one of their internal IP addresses as a "DMZ machine" and port-forward common services to that machine, letting you run things like web servers on an internal machine. And the router can already register with dyndns.org, so you can register a domain name that lets people find the external IP address of the modem. I don't like the port forwarding approach, because if an attacker is able to compromise a service on an internal machine, then he's on the inside and can see other machines as well.

Those modem/routers are based on a Linux kernel anyway, so it would be easy to add support for a simple web server that can serve just static data (there used to be such an animal in the 2.6 kernel, but I think Linus took it out again). Add a USB port to the router, with a predefined mount point that is the web server HTML root. Add a simple management interface to let the user manage .htaccess files, and hey presto! Now there's a web server that can be accessed by outside users and uses a dynamic DNS service, rather than a centralized management scheme. There's no central web page for login credentials, making it harder for spyware, etc. to grab credentials.

The access control is entirely in the user's hands; nobody else gets open access to everything on the inserted drive (as would be the scheme for Pogoplug, where the access control is at my.pogoplug.com). And there's a switch in user perceptions, too - if you plug a drive into the router, you're clearly doing that to put it On The Internet, while plugging a drive into a wall-wart inside your house, well, people are a bit more vague about that.
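What the router-side server described above would have to get right, as an added example (my code, not a router vendor's firmware and not the kernel server mentioned): map a URL onto the USB mount point without ever escaping it, serve regular files only (no directory listings, no dotfiles), and apply per-directory access rules that the user keeps on the drive itself, so no central site ever holds the credentials. The `.access` file name, its `user:pbkdf2:...` record format and the demo directory tree are constructed stand-ins for Apache's `.htaccess`/`.htpasswd`; `authorize()` returns the HTTP status a real handler would send.

```python
import base64
import hashlib
import hmac
import os
import secrets
import tempfile
from pathlib import Path

ACCESS_FILE = ".access"   # constructed stand-in for .htaccess; lives in the directory it protects


def make_password_record(password, iterations=100_000):
    """Salted PBKDF2 record the management UI would write; never the clear password."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2:%d:%s:%s" % (iterations, salt.hex(), digest.hex())


def verify_password(record, password):
    try:
        scheme, iters, salt_hex, digest_hex = record.split(":")
        if scheme != "pbkdf2":
            return False
        calc = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                   bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(calc, bytes.fromhex(digest_hex))
    except ValueError:
        return False


def load_rules(directory):
    """Read ACCESS_FILE in directory as 'user:record' lines; None means no rules (public)."""
    f = directory / ACCESS_FILE
    if not f.is_file():
        return None
    users = {}
    for line in f.read_text().splitlines():
        if ":" in line and not line.startswith("#"):
            user, record = line.split(":", 1)
            users[user.strip()] = record.strip()
    return users


def resolve(root, url_path):
    """Map a URL path to a regular file under root; None for anything else.

    resolve() follows symlinks, so a link on the drive pointing outside the
    mount point is rejected the same way as '/../../etc/passwd'.
    """
    root = Path(root).resolve()
    target = (root / url_path.lstrip("/")).resolve()
    if target != root and root not in target.parents:
        return None                      # escaped the mount point
    if any(part.startswith(".") for part in target.relative_to(root).parts):
        return None                      # dotfiles, including the rules file, are never served
    if not target.is_file():
        return None                      # directories, devices, missing files
    return target


def authorize(root, url_path, auth_header=None):
    """Return 200, 401 or 404 for a request, applying the nearest .access file up to root."""
    target = resolve(root, url_path)
    if target is None:
        return 404
    rootp = Path(root).resolve()
    d = target.parent
    while True:
        users = load_rules(d)
        if users is not None or d == rootp:
            break
        d = d.parent
    if users is None:
        return 200                       # no rules anywhere above the file: public
    if not auth_header or not auth_header.startswith("Basic "):
        return 401
    try:
        user, _, pw = base64.b64decode(auth_header[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return 401
    return 200 if user in users and verify_password(users[user], pw) else 401


def basic(user, pw):
    """Build the Authorization header a browser sends for HTTP Basic auth."""
    return "Basic " + base64.b64encode(("%s:%s" % (user, pw)).encode()).decode()


def build_demo_tree():
    """Constructed USB drive: a public album and a family directory guarded by one user."""
    root = Path(tempfile.mkdtemp(prefix="usbroot-"))
    (root / "public").mkdir()
    (root / "public" / "holiday.jpg").write_bytes(b"\xff\xd8 demo")
    (root / "family").mkdir()
    (root / "family" / "album.zip").write_bytes(b"PK demo")
    (root / "family" / ACCESS_FILE).write_text(
        "alice:" + make_password_record("correct horse") + "\n")
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    print(authorize(root, "/public/holiday.jpg"))                          # 200
    print(authorize(root, "/family/album.zip"))                            # 401
    print(authorize(root, "/family/album.zip", basic("alice", "correct horse")))  # 200
    print(authorize(root, "/../../etc/passwd"))                            # 404
```

The rules file is looked up from the file's own directory upwards and the first one found wins, which is the .htaccess behaviour the post's management interface would be editing; a drive with no `.access` file anywhere is simply public, which is exactly the "PUBLIC sticker" mindset the post ends on.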

So, what about it, Netgear and Linksys?

Back to the Pogoplug: Neat device, but don't trust it too much. Only use it for semi-public material; don't put personal, private or embarrassing material on there, and make sure you choose good passwords and are careful not to use them from public computers. I'd also put a big "PUBLIC" sticker on the drive to make sure that you never relax and accidentally put something sensitive on there. And don't take one into the office!