By Jake Edge
December 9, 2009
A recent article
in Computerworld introduced a new product, the Pogoplug, which has a number of
interesting and useful-sounding features. It is also likely to be
something of a security headache for network administrators. It simplifies
the setup of an internet-connected storage device, but it also uses UDP in a
way that may circumvent the firewall restrictions on some networks.
As a device, the Pogoplug isn't really anything particularly special.
It consists of an ARM processor with a bit of memory and flash, along with
some USB ports and a gigabit ethernet connector. None of the technical
capabilities of the Pogoplug are terribly sophisticated, but
as would be expected for a consumer device like this, it runs Linux under
the covers. It is the service
that is provided by CloudEngines, the company behind Pogoplug, that turns it
into something beyond a simple embedded Linux box.
To use the Pogoplug, you connect it to the ethernet, a USB drive (or
stick), and power it up. After that, browse to my.pogoplug.com,
create an account, and wait a few minutes for an email with a link
containing the magic code for your Pogoplug. Clicking that link takes you
to a page that displays the contents of the USB drive attached to the
Pogoplug. And you can do that from anywhere on the internet.
The Pogoplug relies on being able to send and receive UDP packets over the
internet to and from port 4365. If the network it is attached to allows that
traffic, the device can be reached from anywhere else on the internet.
The device can be configured to share its data with other users via links,
RSS feeds, email notifications, and so forth. It is just the kind of
device that will be attractive to some internet-centric folks.
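For an administrator wondering whether "some will" applies to their own firewall, the simplest check is to look for the UDP port 4365 traffic the article describes crossing the perimeter. The following is an added example, not code from the article or from CloudEngines: it parses a small set of constructed flow records in an assumed "timestamp proto src:port -> dst:port bytes" format, and flags any UDP flow with port 4365 at either end where one endpoint is inside an explicitly configured internal range and the other is not. The internal range, the log format and the sample records are all assumptions made for the example.

```python
"""Flag perimeter-crossing UDP traffic on the Pogoplug rendezvous port (4365)."""
import ipaddress
from dataclasses import dataclass

# The article states the device sends and receives UDP on this port.
POGOPLUG_UDP_PORT = 4365

# Address space treated as "inside the perimeter". Assumed for this example;
# substitute the site's own ranges. Configured explicitly rather than via
# ipaddress.is_private, because RFC 5737 documentation addresses (used for
# the remote peers below) are themselves non-global.
INTERNAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]

# Constructed sample flow records (not a real capture). Assumed format:
#   <timestamp> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <bytes>
SAMPLE_FLOWS = """\
2009-12-09T10:00:01 UDP 192.168.1.23:4365 -> 203.0.113.10:4365 412
2009-12-09T10:00:02 UDP 192.168.1.23:51324 -> 192.168.1.1:53 78
2009-12-09T10:00:03 TCP 192.168.1.50:44210 -> 198.51.100.7:443 1020
2009-12-09T10:00:04 UDP 198.51.100.99:4365 -> 192.168.1.23:4365 256
2009-12-09T10:00:05 UDP 192.168.1.23:4365 -> 192.168.1.40:4365 90
2009-12-09T10:00:06 TCP 192.168.1.77:4365 -> 203.0.113.5:4365 64
# corrupted record that the parser must skip
"""


@dataclass(frozen=True)
class Finding:
    timestamp: str
    internal_host: str
    remote_peer: str
    direction: str  # "outbound" (LAN -> internet) or "inbound" (internet -> LAN)


def _split_endpoint(endpoint):
    """Split 'ip:port' into (ip_address, int port)."""
    host, _, port = endpoint.rpartition(":")
    return ipaddress.ip_address(host), int(port)


def _is_internal(addr, internal_nets):
    return any(addr in net for net in internal_nets)


def parse_flow(line):
    """Parse one record in the assumed format; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 6 or parts[3] != "->":
        return None
    ts, proto, src, _, dst, _nbytes = parts
    try:
        src_ip, sport = _split_endpoint(src)
        dst_ip, dport = _split_endpoint(dst)
    except ValueError:
        return None
    return ts, proto.upper(), src_ip, sport, dst_ip, dport


def find_rendezvous_flows(log_text, internal_nets=INTERNAL_NETS):
    """Return Findings for UDP/4365 flows that cross the internal/external boundary."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_flow(line)
        if rec is None:
            continue
        ts, proto, src_ip, sport, dst_ip, dport = rec
        if proto != "UDP" or POGOPLUG_UDP_PORT not in (sport, dport):
            continue
        src_in = _is_internal(src_ip, internal_nets)
        dst_in = _is_internal(dst_ip, internal_nets)
        if src_in == dst_in:
            continue  # both inside or both outside: not perimeter-crossing
        if src_in:
            findings.append(Finding(ts, str(src_ip), str(dst_ip), "outbound"))
        else:
            findings.append(Finding(ts, str(dst_ip), str(src_ip), "inbound"))
    return findings


def hosts_with_rendezvous(findings):
    """Group findings: internal host -> set of remote peers it exchanged UDP/4365 with."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f.internal_host, set()).add(f.remote_peer)
    return by_host


if __name__ == "__main__":
    found = find_rendezvous_flows(SAMPLE_FLOWS)
    for f in found:
        print(f"{f.timestamp} {f.direction:8s} {f.internal_host} <-> {f.remote_peer}")
    for host, peers in hosts_with_rendezvous(found).items():
        print(f"{host}: {len(peers)} remote peer(s) on UDP/{POGOPLUG_UDP_PORT}")
```

Run against the sample, the check reports the one internal host (192.168.1.23) talking to two internet peers, one outbound and one inbound, while ignoring the LAN-to-LAN UDP on the same port and the TCP flows. A single internal host showing both directions on UDP/4365 is exactly the pattern that tells an administrator the firewall is passing this traffic.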
The device itself is not locked down and the OpenPogo site caters to developers.
There is information on the wiki about installing various other
applications such
as MySQL, Django, Ruby on Rails, etc. From that perspective, it looks like
a fun, hackable device. But it suffers from a number of pitfalls that
might bite the unwary.
To start with, ssh
is enabled with a standard root password. That makes it easy for folks
that want to change things on the device, but for those who are not
particularly savvy, it also leaves the device wide open to anyone else on
the network. Presumably the ssh service is not exposed through whatever
UDP tunnel or encapsulation gets established, so it is safe from ssh
logins across the internet. But home users that expect their Pogoplug to
be private from their siblings, parents, or roommates may be in for
something of a surprise.
There is also the concern that a Pogoplug could expose
data—inadvertently or maliciously—from inside a company or
other supposedly secure environment. There is nothing technically
new about what the Pogoplug can do, but it would have taken someone with
some reasonable technical skills to set something like the Pogoplug up.
Now, anyone with $129 and a 2GB USB stick may be able to publish the
entirety of a company's secrets on the web, in just a few minutes.
Certainly many or most corporate firewalls will not pass the Pogoplug
traffic, but undoubtedly some will. Various P2P applications
have caused inadvertent releases of confidential information from
employees who didn't fully understand the technology; Pogoplug is likely to
do the same. It is great for folks to be able to share their data with
their friends, but unless they fully understand how it works, there are
some holes that are pretty likely to be stepped in.