this post was submitted on 10 Nov 2024
190 points (97.5% liked)

top 38 comments
[–] [email protected] 74 points 2 weeks ago (2 children)

My "newer model" wouldn't be a D-Link.

[–] [email protected] 14 points 2 weeks ago (1 children)

My thoughts exactly... if a company's response to a problem with their equipment is, instead of fixing the problem, to ask you to replace it with a new model

I would go buy something new ... it just wouldn't be with the same company

This would be a great opportunity for a rival company to take advantage of this.

[–] [email protected] 5 points 2 weeks ago

It would. They could offer a discount with the turn-in of a D-Link device and roll in some nonsense about reducing e-waste. They will probably get a nice little sales boost and tax breaks while helping the decline of a competitor.

[–] [email protected] 4 points 2 weeks ago (1 children)

they don't make them anymore, anyway.

[–] [email protected] 4 points 2 weeks ago

Which is likely why they are not bothering to fix it.

[–] [email protected] 39 points 2 weeks ago (1 children)

Anybody who didn't already know this:

D-Link makes marginal products that routinely suffer major security flaws. Do not buy/use D-Link products.

[–] LiveLM 6 points 2 weeks ago (1 children)

damn, side-eyeing the D-Link router I got in the closet now

[–] [email protected] 18 points 2 weeks ago

It's usually possible to replace the firmware of D-Link routers with open alternatives, such as DD-WRT.

[–] [email protected] 25 points 2 weeks ago* (last edited 2 weeks ago) (2 children)

So what you're saying is I should be able to pick up one of these used for a song?

Edit: oh, these are all four years past their EOL. Yeesh.

I run old hardware like this, but I'd never recommend anyone else do it.

[–] [email protected] 19 points 2 weeks ago (3 children)

oh, these are all four years past their EOL. Yeesh.

Yeah, at a certain point it's the consumer's (and blog writer's) fault, and that's after EoL. Not patching a supported one and just getting rid of support, saying buy a newer one? Yeah, that's bad.
Continuing to not support an EoL model that you already don't support due to EoL (or even dropping support for an EoL model that no one expected you to support in the first place due to EoL)? Non-issue.

[–] [email protected] 15 points 2 weeks ago

I was going to disagree, because manufacturers often set a very short and arbitrary EOL, but looking at the amazon price history this doesn't seem to have been sold new since around 2013.

[–] [email protected] 6 points 2 weeks ago (3 children)

At what point is that acceptable? Attacks like this were well known when this was new, so shouldn't they fix it? 12-year-old cars have been recalled before, but there are a lot of cars without the latest safety fixes. We need a serious debate over when it is acceptable to call something that works scrap because it isn't supported. There are costs to the environment and society around this, so even though I don't own one of these devices I'm affected by it.

[–] [email protected] 3 points 2 weeks ago

Last sold 20+ years ago sounds reasonable.

[–] [email protected] 2 points 2 weeks ago

Cars are not consumer grade NAS. If you want your consumer NAS to have the same regulated support requirements, expect to see prices go up by about 5x or more. Auto tech doesn't age out like computer tech. I wouldn't want a 20 year old device - the power consumption alone would be horrific, let alone the performance and lack of capability.

These are already 4 years past EOL. Know how long we spec servers for our clients? 5 years, max (we push them to replace at 4 years).

After 5 years the risks go up, and dealing with an outage will cost more in support costs than simply having planned and deployed a new system already.

These devices are double our server lifetime already - last made in 2013.

Again, I do dumb shit like this for my own systems at home, because I deal with the risk myself (redundancy). I'd never let a client do this. If someone had one of these at any point, I would've been replacing it - even if it was brand new.

My complaint against Dlink is these things were junk from the start. But expecting anything from them years after EOL is unreasonable.

[–] rumba 1 points 2 weeks ago

It would be REALLY nice if IT appliances had replaceable admin boards, especially for something as simple as a NAS that probably hasn't upgraded the PCI bus in a decade :)

[–] [email protected] 5 points 2 weeks ago

Continuing to not support an EoL model that you already don’t support due to EoL (or even dropping support for an EoL model that no one expected you to support in the first place due to EoL)? Non-issue.

Dropping support should mean opening the source. I think there's a movement about that.

[–] possiblylinux127 1 points 2 weeks ago

Swap the OS for sure

[–] [email protected] 22 points 2 weeks ago (2 children)

Any vendor is going to reach a point where they no longer are willing to support older devices. So you have three choices:

  1. Run with the vulnerability. This is incredibly stupid and I'd hope no one did this.
  2. Replace the OS on any such device with something open source. Probably the best option for those who already own such a device.
  3. Never buy a proprietary device in the first place. Unless you really, really need something the proprietary device offers, a beige box running some flavor of 'nix is probably a better long-term solution.

Ok, I guess there is a fourth option. Learn to enjoy that vendor bending you over every few years. This is what many businesses do and it can make sense. You just need to have lots of money.

[–] [email protected] 7 points 2 weeks ago

every few years

These boxes had almost a decade of support.

[–] [email protected] 1 points 2 weeks ago

I object to your third point, it can be a sexy black box

[–] [email protected] 17 points 2 weeks ago (2 children)

So D-Link can't afford to pay employees to fix their shit? That's not a strong argument for buying more of their stuff.

[–] [email protected] 5 points 2 weeks ago

They don't want to pay employees.

[–] [email protected] 2 points 2 weeks ago

Some of these machines haven't been sold since 2013. That's a pretty decent lifespan.

[–] [email protected] 14 points 2 weeks ago (2 children)

If you’re using one of these models, it’s highly recommended that you replace your NAS system with one that’s still receiving patches from the manufacturer. If that isn’t possible right now, Netsecfish suggests restricting access to your NAS settings menu/interface to only trusted IP addresses. You could also isolate your NAS from the public internet to ensure that only authorized users can interact with it.

Emphasis mine, regardless of this incident, even with a brand new supported model, it shouldn't be exposed to the internet. Half the reason these security issues are such a big deal is because manufacturers wanted to make things simple and designed it to sit on the open internet, so they wouldn't have to deal with support requests. Now their customers are exposed because of poor recommendations and the lack of updates.
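An added example to go with the "trusted IP addresses only" advice above (it is my own illustration, not code from the article, from Netsecfish, or from D-Link): an allowlist check for the NAS settings interface, and a small audit pass over web-server access-log lines that flags settings-interface requests arriving from outside the trusted ranges. The trusted networks, the admin path prefixes and the log lines are all constructed placeholders, not values from any real device.

```python
"""Allowlist check and access-log audit for a NAS management interface.

Added example, not from the thread or any vendor. Every network range,
path prefix and log line below is a constructed assumption.
"""
import ipaddress
import re
from dataclasses import dataclass

# Assumed trusted sources: the home LAN and one VPN tunnel subnet.
# Anything else, including every public address, must not reach the
# settings interface at all.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("192.168.1.0/24"),   # hypothetical LAN
    ipaddress.ip_network("10.8.0.0/24"),      # hypothetical VPN range
]

# Paths that belong to the settings/management UI (constructed placeholders,
# not the real paths of any product).
ADMIN_PATH_PREFIXES = ("/cgi-bin/", "/admin", "/setup")


def is_trusted(addr: str) -> bool:
    """Return True only if addr parses as an IP inside a trusted network."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # malformed value (e.g. a forged header): never trusted
    return any(ip in net for net in TRUSTED_NETWORKS)


@dataclass
class Finding:
    src: str
    path: str
    reason: str


# Common Log Format: client, ident, user, [timestamp], "METHOD PATH PROTO", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def audit_access_log(lines):
    """Flag management-interface requests from untrusted addresses.

    Unparseable lines are reported as findings too: silently dropping them
    would hide exactly the evidence an auditor wants to see.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            findings.append(Finding("?", "?", "unparseable log line"))
            continue
        src, _method, path, status = m.groups()
        if path.startswith(ADMIN_PATH_PREFIXES) and not is_trusted(src):
            findings.append(Finding(
                src, path, f"admin path from untrusted source (HTTP {status})"))
    return findings


# Constructed sample log lines (documentation ranges, not real traffic).
SAMPLE_LOG = [
    '192.168.1.20 - - [10/Nov/2024:10:00:01 +0000] "GET /admin/status HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Nov/2024:10:00:05 +0000] "GET /cgi-bin/settings.cgi HTTP/1.1" 200 128',
    '10.8.0.4 - - [10/Nov/2024:10:00:09 +0000] "POST /setup/save HTTP/1.1" 302 0',
    '198.51.100.9 - - [10/Nov/2024:10:00:12 +0000] "GET /index.html HTTP/1.1" 200 2048',
    'garbage line that will not parse',
]

if __name__ == "__main__":
    for f in audit_access_log(SAMPLE_LOG):
        print(f"{f.src:15} {f.path:25} {f.reason}")
```

Run against the constructed log it flags exactly two lines: the settings request from the public address 203.0.113.7 and the line that would not parse. The LAN and VPN requests pass, and the public request to a non-admin page is left alone because the check is scoped to the management paths. The same allowlist logic is what a firewall rule in front of the NAS should enforce before a request ever reaches the device; the audit pass is the monitoring side of that control.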

[–] [email protected] 5 points 2 weeks ago

Exactly!

If you need external access, use an external access infrastructure that's designed for that purpose, with controls and monitoring.

[–] [email protected] 3 points 2 weeks ago (2 children)

who the fuck even still has an exposed IPv4 address anyway, those are fucking expensive since we ran out. I couldn't expose my network if I tried.

[–] [email protected] 4 points 2 weeks ago (2 children)

Dynamic DNS has solved that for 20+ years. Just need a domain name, and a utility to update the IP when it changes.

That said, my IP hasn't changed in over 5 years now.

[–] [email protected] 4 points 2 weeks ago

Dynamic DNS is useless if you're on CGNAT.

[–] [email protected] 1 points 2 weeks ago

Still though, Dynamic DNS points to an external IP address, on which you'd have your NAS exposed on a public port. This is the flaw in the design which allows remote execution of this exploit.

If you need remote access to the NAS, it should not be publicly exposed and should require a VPN to access. That way if there is an issue or misconfiguration, everyone on the internet can't exploit it easily.

[–] [email protected] 1 points 2 weeks ago

It's free, so why the fuck not? Why the hassle with DDNS, which funnily enough is also free with my hoster/registrar

[–] [email protected] 11 points 2 weeks ago (1 children)
[–] [email protected] 5 points 2 weeks ago (1 children)
[–] [email protected] 3 points 2 weeks ago (2 children)

Well... I definitely wouldn't say "always", as he has taken some pretty gross stances on non-technical subjects https://www.wired.com/story/richard-stallmans-exit-heralds-a-new-era-in-tech/

[–] [email protected] 3 points 2 weeks ago (1 children)

Go read what he actually wrote, not what the character assassins pretended he meant.

[–] [email protected] -2 points 2 weeks ago

On what? His disgusting views on the age of consent? His disgusting views on rape?

The more I read into his views the more disgusting I find him. Then again I shouldn't have had any standards for someone who goes up on stage and eats gunk off of his feet.

[–] possiblylinux127 1 points 2 weeks ago

I read his article on pay toilets. He makes a good point.

[–] [email protected] 1 points 2 weeks ago

I do SMB support. I recently replaced one at a customer, essentially because it didn't support larger disks. Also because it was slow as fuck. Replacing a 10-year-plus device doesn't seem that unreasonable.

That said, I don’t like Dlink.

[–] possiblylinux127 -1 points 2 weeks ago

I can't blame them. I think relying on the manufacturer for updates means that you are expecting them to spend money on you. That works for a while but not indefinitely