A recent article
in Computerworld introduced a new product, the Pogoplug, which has a number of
interesting and useful-sounding features. It is also likely to be
something of a security headache for network administrators. It simplifies
the setup of a internet-connected storage device, but it also uses UDP in a
way that may circumvent the firewall restrictions on some networks.
As a device, the Pogoplug isn't really anything particularly special.
It consists of an ARM processor with a bit of memory and flash, along with
some USB ports and a gigabit ethernet connector. None of the technical
capabilities of the Pogoplug are terribly sophisticated, but
as would be expected for a consumer device like this, it runs Linux under
the covers. It is the service
that is provided by CloudEngines, the company behind Pogoplug, that turns it
into something beyond a simple embedded Linux box.
To use the Pogoplug, you connect it to the ethernet, a USB drive (or
stick), and power it up. After that, browse to my.pogoplug.com,
create an account, and wait a few minutes for an email with a link
containing the magic code for your Pogoplug. Clicking that link takes you
to a page that displays the contents of the USB drive attached to the
Pogoplug. And you can do that from anywhere on the internet.
The Pogoplug relies on being able to send and receive UDP packets over the
internet to and from port 4365. If that is true, based on the network the
Pogoplug is attached to, it can be accessed from anywhere else on the internet.
The device can be configured to share its data with other users via links,
RSS feeds, email notifications, and so forth. It is just the kind of
device that will be attractive to some internet-centric folks.
The device itself is not locked down and the OpenPogo site caters to developers.
There is information on the wiki about installing various other
as MySQL, Django, Ruby on Rails, etc. From that perspective, it looks like
a fun, hackable device. But it suffers from a number of pitfalls that
might bite the unwary.
To start with, ssh
is enabled with a standard root password. That makes it easy for folks
that want to change things on the device, but for those who are not
particularly savvy, it also leaves the device wide open to anyone else on
the network. Presumably the ssh functionality is not exported in whatever
UDP tunnel/encapsulation that gets established, so it is safe from ssh
logins across the internet. But home users that expect their Pogoplug to
be private from their siblings, parents, or roommates may be in for
something of a surprise.
There is also the concern that a Pogoplug could expose
data—inadvertently or maliciously—from inside a company or
other supposedly secure environment. There is nothing technically
new about what the Pogoplug can do, but it would have taken someone with
some reasonable technical skills to set something like the Pogoplug up.
Now, anyone with $129 and a 2G USB stick may be able to publish the
entirety of a
company's secrets on the web, in just a few minutes.
Certainly many or most corporate firewalls will not pass the Pogoplug
traffic, but undoubtedly some will. Various P2P applications
have caused inadvertent releases of confidential information from
employees who didn't fully understand the technology; Pogoplug is likely to
do the same. It is great for folks to be able to share their data with
their friends, but unless they fully understand how it works, there are
some holes that are pretty likely to be stepped in.
to post comments)