WD My Cloud Mirror 4tb £147.25 - Tesco in store - New Oscott
151°Expired

WD My Cloud Mirror 4tb £147.25 - Tesco in store - New Oscott

32
LocalFound 26th Jan
Just picked up a 4tb (2*2tb) New Oscott for 147.25.

They also had 2tb single for £62.50 and 3tb for £72.50 - cheaper than standard WD disks. There was a 4tb but no price / stock

White label so not normal clearance - but release the geese for everyone else!
Community Updates

Groups

32 Comments
Just rang Sutton Coldfield (New Oscott) and one of the representative told me that they don't stock this in store (online only)?
Being offloaded to compensate for the (lack of) security issue where anybody can access the drive remotely to load some rubbish to the drive to host VMs etc without persmission of owner theregister.co.uk/201…or/
AndyRoyd5 m ago

Being offloaded to compensate for the (lack of) security issue where …Being offloaded to compensate for the (lack of) security issue where anybody can access the drive remotely to load some rubbish to the drive to host VMs etc without persmission of owner https://www.theregister.co.uk/2018/01/08/wd_mycloud_nas_backdoor/


Why would they offload them when that’s been fixed with firmware?
Edited by: "trickytree1984" 26th Jan
Hot but I can’t check my local Tesco extra until Monday.
Edited by: "trickytree1984" 26th Jan
trickytree19842 m ago

Why would they offload them when that’s been fixed with firmware?


Pre-updated stock where the new owner is conveniently not informed about the f/w update and randomly discovers the issue via a deal site.
AndyRoyd43 m ago

Pre-updated stock where the new owner is conveniently not informed about …Pre-updated stock where the new owner is conveniently not informed about the f/w update and randomly discovers the issue via a deal site.


That doesn't make a huge amount of sense, practically everything gets security issues that are fixed with updates, it's the owners responsibility to update their devices to the latest firmware/update not the sellers.
Original Poster
KB901 h, 5 m ago

Just rang Sutton Coldfield (New Oscott) and one of the representative told …Just rang Sutton Coldfield (New Oscott) and one of the representative told me that they don't stock this in store (online only)?



They were upstairs on the electrical's- they have a dedicated WD display - try ask for electrical desk and Katrina was very helpful member of staff who helped me.
AndyRoyd1 h, 53 m ago

Pre-updated stock where the new owner is conveniently not informed about …Pre-updated stock where the new owner is conveniently not informed about the f/w update and randomly discovers the issue via a deal site.


Except that one of the first things they do when you connect them, is tell you there's an update available.
AndyRoyd3 h, 39 m ago

Pre-updated stock where the new owner is conveniently not informed about …Pre-updated stock where the new owner is conveniently not informed about the f/w update and randomly discovers the issue via a deal site.


It was 2014. Do you not think they would have blasted these?

Besides, anyone buying a NAS is by nature a techie, and techies always update firmware. I do
secretspartan126th Jan

That doesn't make a huge amount of sense, practically everything gets …That doesn't make a huge amount of sense, practically everything gets security issues that are fixed with updates, it's the owners responsibility to update their devices to the latest firmware/update not the sellers.

Not much benefit having the latest firmware when the manufacturer consistently fails to include patches in it to address known vulnerabilities.
trickytree198426th Jan

It was 2014. Do you not think they would have blasted these?Besides, …It was 2014. Do you not think they would have blasted these?Besides, anyone buying a NAS is by nature a techie, and techies always update firmware. I do


Peeps / techies approach to "firmware fixes all" seems confused. What about instances when known security issues aren't addressed by the manufacturer's firmware releases? Techies don't seem to have grasped the context of the epic WD fail for that scenario. Owners of this kit were still exposed to the subject vulnerability for as long as four years after another manufacturer released their patch. WD released the firmware that patched this 2014 vulnerability 15 55 days ago. The contributors to this thread appear to suggest this is acceptable. Presumably WD will address the 2015 vulnerabilities in their 2019 firmware releases, assuming WD still bother support this kit in 2019 - and clearly the current support is poor at best. But hey, as long as owners have the latest firmware installed in their kit it's perfectly safe and secure (to 2014 standards).
Some poetic licence in that ramble but definitely some justification for caution.
Edited by: "AndyRoyd" 28th Jan
AndyRoyd3 h, 32 m ago

Not much benefit having the latest firmware when the manufacturer …Not much benefit having the latest firmware when the manufacturer consistently fails to include patches in it to address known vulnerabilities. Peeps / techies approach to "firmware fixes all" seems confused. What about instances when known security issues aren't addressed by the manufacturer's firmware releases? Techies don't seem to have grasped the context of the epic WD fail for that scenario. Owners of this kit were still exposed to the subject vulnerability for as long as four years after another manufacturer released their patch. WD released the firmware that patched this 2014 vulnerability 15 days ago. The contributors to this thread appear to suggest this is acceptable. Presumably WD will address the 2015 vulnerabilities in their 2019 firmware releases, assuming WD still bother support this kit in 2019 - and clearly the current support is poor at best. But hey, as long as owners have the latest firmware installed in their kit it's perfectly safe and secure (to 2014 standards).Some poetic licence in that ramble but definitely some justification for caution.


It's fixed...end of. There are no other vulnerabilities to address that I'm aware of?certainly not any for 2015
Dam. Thought it was a boiler again!
AndyRoyd6 h, 48 m ago

Not much benefit having the latest firmware when the manufacturer …Not much benefit having the latest firmware when the manufacturer consistently fails to include patches in it to address known vulnerabilities. Peeps / techies approach to "firmware fixes all" seems confused. What about instances when known security issues aren't addressed by the manufacturer's firmware releases? Techies don't seem to have grasped the context of the epic WD fail for that scenario. Owners of this kit were still exposed to the subject vulnerability for as long as four years after another manufacturer released their patch. WD released the firmware that patched this 2014 vulnerability 15 days ago. The contributors to this thread appear to suggest this is acceptable. Presumably WD will address the 2015 vulnerabilities in their 2019 firmware releases, assuming WD still bother support this kit in 2019 - and clearly the current support is poor at best. But hey, as long as owners have the latest firmware installed in their kit it's perfectly safe and secure (to 2014 standards).Some poetic licence in that ramble but definitely some justification for caution.


Is there an issue if I turn off the cloud side of things in the settings? All I'm using it for is a centralised way to back up my devices whilst in the home only.

I'm no techy so this sort of stuff freaks me out!

By the way, I got the 3TD from my local store (Yardley, Birmingham) for £72.50
Also, anyone know why the Network port lights in the back of my sky router and myCloud drive are flashing constantly... Even when I am not using them, Seems to imply that network traffic is going over the cable. Given the above discussions, I am even more scared!
trickytree198427th Jan

It's fixed...end of. There are no other vulnerabilities to address that …It's fixed...end of. There are no other vulnerabilities to address that I'm aware of?certainly not any for 2015


Yes, the 2014 issue is now fixed via the firmware released in January 2018 Nov 2017. But if you re-visit your response, you may appreciate the implied future issue which is simply: the user is typically not aware of any ongoing issues that the manufacturer may not address until years after the vulnerability is known.
This is also true of any device from any manufacturer, but clearly WD has form in this area.
Edited by: "AndyRoyd" 28th Jan
tmohammad27th Jan

Is there an issue if I turn off the cloud side of things in the settings? …Is there an issue if I turn off the cloud side of things in the settings? All I'm using it for is a centralised way to back up my devices whilst in the home only...


Simplistically: if the web connectivity can be genuinely disabled by the user then the drive will (should) not be accessible from a web-based attacker. Less simplistically: such a feature assumes WDs implementation of access restriction is robust and does not require a prompt firmware release and firmware update awareness+installation by the user to resolve any access vulnerability. Regardless, even a robust web-access restriction is unlikely to prevent an attacker finding a way of accessing the drive via another device connected to the web on the same network as the drive, but that attack route is reasonably not a WD issue.
AndyRoyd3 h, 8 m ago

Yes, the 2014 issue is now fixed via the firmware released in January …Yes, the 2014 issue is now fixed via the firmware released in January 2018. But if you re-visit your response, you may appreciate the implied future issue which is simply: the user is typically not aware of any ongoing issues that the manufacturer may not address until years after the vulnerability is known. This is also true of any device from any manufacturer, but clearly WD has form in this area.


When was it discovered?
trickytree198416 m ago

When was it discovered?


This issue was discovered in 2014. Dlink released its patch to the issue in July 2014. WD released its patch to the issue in Nov 2017.
AndyRoyd34 m ago

This issue was discovered in 2014. Dlink released its patch to the issue …This issue was discovered in 2014. Dlink released its patch to the issue in July 2014. WD released its patch to the issue in Nov 2017.


I didn't ask about the dlink vulnerabilities. When we're the WD ones found and when were they patched?
Edited by: "trickytree1984" 28th Jan
Original Poster
As I set mine up the console web page had an option to upgrade the firmware as the first task, so unless you ignored it will be up to date.

There are various config options to allow sharing, web access etc etc
trickytree19844 h, 8 m ago

I didn't ask about the dlink vulnerabilities. When we're the WD ones found …I didn't ask about the dlink vulnerabilities. When we're the WD ones found and when were they patched?


Same answer: discovered 2014 and patched Nov 2017.
W_jelly13 h, 25 m ago

As I set mine up the console web page had an option to upgrade the …As I set mine up the console web page had an option to upgrade the firmware as the first task, so unless you ignored it will be up to date.There are various config options to allow sharing, web access etc etc


During use, how often is the user informed of firmware updates being available?
AndyRoyd4 m ago

Same answer: discovered 2014 and patched Nov 2017.


33155164-nxunj.jpg
AndyRoyd44 m ago

http://gulftech.org/advisories/WDMyCloud Multiple …http://gulftech.org/advisories/WDMyCloud Multiple Vulnerabilities/125https://www.theinquirer.net/inquirer/news/3024001/western-digital-mycloud-vulnerability-list-grows-even-longerhttps://community.wd.com/t/my-cloud-vulnerability-comparison/219449


Im confused. You said 2014 but the citation provided for this claim says otherwise

33155476.jpg
Edited by: "trickytree1984" 28th Jan
trickytree19843 m ago

Im confused. You said 2014 but the citation provided for this claim says …Im confused. You said 2014 but the citation provided for this claim says otherwise[Image]


Agreed, you are clearly confused. Do some more research with correct interpretation.
Original Poster
AndyRoyd1 h, 1 m ago

During use, how often is the user informed of firmware updates being …During use, how often is the user informed of firmware updates being available?



See point 4 support.wdc.com/kno…997 but when I first opened it the firmware was out of date, so I guess when you check the console page, might be emails if you register
AndyRoyd47 m ago

Agreed, you are clearly confused. Do some more research with correct …Agreed, you are clearly confused. Do some more research with correct interpretation.


I don't need to. I know the answer already. I've been trying to get you to provide evidence for your claims that this was discovered in 2014 and was only just patched. Your own "evidence" shows that it was infact disclosed to WD in June 2017, and by your own admission was patched in November 2017. So please can you redact your previous incorrect statement that this was known to WD since 2014...unless of course you can provide the citation requested (which doesn't exist because it only took them 5 months)
trickytree19847 h, 28 m ago

I don't need to. I know the answer already. I've been trying to get you to …I don't need to. I know the answer already. I've been trying to get you to provide evidence for your claims that this was discovered in 2014 and was only just patched. Your own "evidence" shows that it was infact disclosed to WD in June 2017, and by your own admission was patched in November 2017. So please can you redact your previous incorrect statement that this was known to WD since 2014...unless of course you can provide the citation requested (which doesn't exist because it only took them 5 months)


Nah, your confusion is still present. The vulnerability was identified in 2014 as quoted in the gulftech statement. WD was asked in June 2017 when or if WD was going to implement a fix to the same vulnerability that another manufacturer had fixed three years earlier. This was mentioned way back in post 2 of this tread.
AndyRoyd1 h, 36 m ago

Nah, your confusion is still present. The vulnerability was identified in …Nah, your confusion is still present. The vulnerability was identified in 2014 as quoted in the gulftech statement. WD was asked in June 2017 when or if WD was going to implement a fix to the same vulnerability that another manufacturer had fixed three years earlier. This was mentioned way back in post 2 of this tread.


33157178-wk4Pk.jpg
AndyRoyd14 h, 46 m ago

During use, how often is the user informed of firmware updates being …During use, how often is the user informed of firmware updates being available?


That depends on how you configure it - personally, mine will automatically patch, as it checks for updates nightly. When it reboots after the patch, it e-mails me to let me know.
AndyRoyd28th Jan

http://gulftech.org/advisories/WDMyCloud Multiple …http://gulftech.org/advisories/WDMyCloud Multiple Vulnerabilities/125https://www.theinquirer.net/inquirer/news/3024001/western-digital-mycloud-vulnerability-list-grows-even-longerhttps://community.wd.com/t/my-cloud-vulnerability-comparison/219449


Thanks for sharing this!

Purchased one quite recently and haven't set it up yet. I was considering the idea of using it's cloud functionality across the WAN but having read two of those articles I think I'll just keep it LAN side only!

As you have said further down, this is the problem we face from a number of vendors who unfortunately are, let's be honest, playing at it with the "Internet of Things" and don't really understand security. Another good example of many car manufacturers who still don't get it. Mitsubishi springs to mind

I didn't buy this My Cloud for its cloud functionality as such...and it appears that that was just as well
Post a comment
Avatar
@
    Text