back to article RDX removable disk has ransomware protection begging to be bypassed

The RDX is a neat niche removable disk storage product that can now tell ransomware to get lost. Overland-Tandberg is a Sphere3D business unit that punts RDX QuikStor drives with 1, 2, 3 or 4TB capacities. It has introduced rdxLOCK software with a RansomBlock feature, which turns an RDX into a WORM (Write Once Read Many) drive …

  1. Anonymous Coward
    Anonymous Coward

    There was something newsworthy there

    But by parroting the press release you didn't really pull it apart. At over 500 notes for 1 TB, you could buy ten 1TB HDDs, treat them as write once, pull from the rack and stick them on a shelf, and still have change for a modest meal out.

    1. Mark 110

      Re: There was something newsworthy there

      Can't you con figure any SAN volume to be write once if you want? (I am not and never will be a storage admin. That might be a very silly question)

      1. Voland's right hand Silver badge

        Re: There was something newsworthy there

        Can't you con figure any SAN volume to be write once if you want?

        You can bake a similar service using a locked-down stand alone Linux machine with cold-swappable drives for the cost of less than 3% of the cost of the SAN. It is trivial to integrate with any existing backup software too - just make it export the "current backup" as filesystem. You can encrypt it or do anything else to your heart's content. The moment the backup run is over, unmount and mount the next one. "Freeze" the old one. Once a week/month/year/whatever, remove disk(s) containing the frozen snapshots and replace with fresh. There are like 20-odd ways to do that, none of which should take more than half an hour to rig and have running with no software costs and outright integration into most off the shelf backup systems (except the Apple TimeBomb idiocy which insists on Apple Only network shares to backup).

        None of them will be used in an RDX shop anyway. It is a toy for people with more money than sense. Its cost per TB is ridiculous compared to both LTO and disk based virtual tape libraries.

        1. TheVogon Silver badge

          Re: There was something newsworthy there

          "You can bake a similar service using a locked-down stand alone Linux machine with cold-swappable drives for the cost of less than 3% of the cost of the SAN."

          Yep but someone with local admin or remote RW access could still edit or delete that data. And you could delete the disk partition.

      2. TheVogon Silver badge

        Re: There was something newsworthy there

        "Can't you con figure any SAN volume to be write once"

        Not usually afaik except for specialist WORM products like EMC Centera, but you could configure a volume to be read only once it's written to. The problem there is that unless it's dedicated hardware that is locked down, someone could still go delete it, or configure it back to RW...

        1. J. Cook Silver badge

          Re: There was something newsworthy there

          The Netapp's Snapshot feature created data snapshots that could be read by windows client's using the Shadow Copy functionality in Vista and later (i.e. the 'previous versions' tab), but were forced read-only by the filer head. To my knowledge, there was no way or setting those to read-write.

          Not 100% certain on an actual windows file server using shadow copy- I've heard second- and third- hand rumors of malware and virii being able to trash shadow copies, but nothing first hand. (thankfully)

          YMMV, obviously, check with the vendor of your storage appliance/system for official 'word of god' regarding features and capabilities, etc. etc. etc. :)

        2. Robert Carnegie Silver badge

          Re: There was something newsworthy there

          I suspect the selling point of this product is that the disc write-protect setting itself is also write-once read many - once you make a disc read-only, it stays read-only. But I don't know this. If it is, then I recommend buying the deluxe edition of the software, that includes the "Are you sure?" prompt. :-)

    2. TheVogon Silver badge

      Re: There was something newsworthy there

      "But by parroting the press release you didn't really pull it apart."

      Bit harsh - these are potentially useful for compliance requirements, legal hold copies, preventing data tampering, etc.

      "At over 500 notes for 1 TB, you could buy ten 1TB HDDs, treat them as write once, pull from the rack and stick them on a shelf"

      Have you looked at the cost of dedicated WORM arrays?! And what you propose is not quite the same though. When you plug them back in they could get corrupted if you were not aware of a nasty. Or someone could go edit the contents...

      Also this includes white and black list capabilities which if actually secure is an unusual and potentially useful feature...

  2. Christian Berger Silver badge

    Ahh, it's application level granularity...

    therefore it's software.

    One obvious attack is attacking that software. Maybe if it crashes you get full access.

    More likely attacks are on the software a user uses. Many windows programs have a bug handling timer events. Essentially they activate a timer which will generate an event after some time. That event can have some data attached to it. In the 1990s it was common to put a pointer to the function you want to be called there. Additionally you can set the text of gui elements from another program (one important Windows feature, it's often used by screenreaders), so you can get code into them. Adding both problems and you can get any software to do anything.

    Ohh and of course if you allow Office full access, you can always use OLE Automation to open documents, encrypt them, and close them again, all with (moderately) easy to access and stable functions. You can even do it in the background. Also you can execute code in the context of Word or Excel.

    1. TheVogon Silver badge

      Re: Ahh, it's application level granularity...

      "therefore it's software.

      One obvious attack is attacking that software. Maybe if it crashes you get full access."

      Agreed. But unless it's likely to be specifically targeted it's probably a good low end solution versus the outrageous cost of say Centera...

    2. TheVogon Silver badge

      Re: Ahh, it's application level granularity...

      "Adding both problems and you can get any software to do anything."

      I believe that hole (that potentially allowed you to take over the elevated privileges of say antivirus programs!) was fixed some time ago.

      "if you allow Office full access, you can always use OLE Automation to open documents, encrypt them, and close them again, all with (moderately) easy to access and stable functions"

      True, but corporates would normally only allow trusted signed or trusted location macros to run. Even for consumers Office defaults to disabling active content by default and warning you before enabling them.

      However, If you have that level of access to Office and you ignore the warnings, malware could just as easily execute a script that encrypts everything of value outside of Office - not just documents. Which is why for all the attempted Office initiated attacks I have seen that's what they do...Also that makes it easier to install and trigger ransom demands.

      1. Christian Berger Silver badge

        Re: Ahh, it's application level granularity...

        "I believe that hole (that potentially allowed you to take over the elevated privileges of say antivirus programs!) was fixed some time ago."

        No it's been found some time ago, since it's an application problem, it needs to be fixed in every application... which is not going to happen, particularly for all that legacy stuff companies depend on.

        "True, but corporates would normally only allow trusted signed or trusted location macros to run. Even for consumers Office defaults to disabling active content by default and warning you before enabling them."

        The OLE Automation problem does not rely on Macros being enabled. You can simply control those applications from another program. It's an intended feature. Even if there wasn't OLE Automation, you could still just start the program, make the window invisible, and send keypresses.

        There simply are no security boundaries between Windows applications running under the same user by design.

  3. Anonymous Coward
    Anonymous Coward

    HOW much per TiB?

    Dayam, I wish I had that kind of money to flush down the bog for fekkin' stupid tech.

    "What's that, we need another 250TiB for archives? At 500 Pounds a pop that's chump change! Let's buy 10x what we need & bank the rest!" <- Phrases you'll never hear the boss say without having been brainwashed by the BOFH first.

    *Sigh*

    *Wanders off grumbling*

  4. kars1997

    So why is the ransomware protection "begging to be bypassed"? There's no discussion of a vuln, you're just describing the way the product is supposed to work.

    This article does not live up to the promise its title makes.

  5. J. Cook Silver badge

    That's kind of ridiculous for a software write blocker.

    According to the white paper, this product specifically is used for 'compliance archiving' and other situations where data needs to be archived in an immutable form, but allow for fast and random access once mounted. And the RDXLock software has to be used in order to read the data back. This implies possibly some form of encryption, or some proprietary filesystem?

    I can achieve the same effect with a disk dock, a handful of drives, and software that encrypts the data being put on the drives. (assuming the same software is also used to decrypt and read the drives later.) and for a lot less money.

    I can see this being useful with companies that have already adopted RDX as a backup medium or archival medium; I don't see a good cost benefit if one is switching from, say, LTO or other types of offline /archival media.

  6. John H Woods

    too expensive

    For this price to can buy a micro server, a couple of 2TB drives and setup BSD/ZFS.

    Snapshot every minute and it's as good as ransom proof.

    1. Anonymous Coward
      Anonymous Coward

      Re: too expensive

      That would be good as ransom proof for 1-2 minutes as you would snapshot the malware encrypted volume straight away.

  7. Jellied Eel Silver badge

    Naming conventions..

    "RDX removable disks" would probably apply to all disks, given a sufficient amount of RDX. And searching for 'RDX' may get more.. awkward if searching for forbidden things can put you in jail. :)

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019