I never “pointed fingers at the developers” other than to state that having a well-known, root-level, SSH password, enabled by default, on a consumer device was a bad idea.  They thought so too, after my article, and changed it.

In the comment posted 7 months ago, I pointed out how to get the PogoPlug to work from behind the Astaro Security Gateway.  So, again, not sure where your comment is coming from, as I believe I addressed your concerns either in the original article, or in the comments.

A user named Jamy Casteel contacted me and had this advice, “What fixed the whole issue was adding the pogoplug’s IP address to the exclusions list under the Transparent Mode skip list (under web security, http/s)”.
I also found a post here by @BAlfson that states, “If you have the Astaro using HTTP/S Proxy in “Transparent” mode. Then you need to put the IP address of the PogoPlug into the “Transparent Mode Skip List” on the Advanced Tab”.

Hopefully, that will help folks.

The purpose of my article was to alert users of the problem and to make them aware of what I perceive to be a serious security flaw. I do, and will continue to, see the value this type of solution provides to the consumer. However, it must be done with care, as making things very simple for the end user means the onus to provide security rests with the vendor.

As such, I would be thrilled to work with CloudEngines on this solution and would like to try out the March release of the unit. Following testing, I will post a follow up article of my findings. I am also willing to work with CloudEngines on getting the Astaro Home Gateway supported, as it is a very popular end user firewall.

Please use the contact form to provide me an email I can reach you at to discuss further.

Regarding auto-upgrade – if you change your password, auto upgrade will always continue to work and I have made sure that our support team has this correct information.

If you are up for it, I’ll send you a free unit in March after the release and work with you to get Astaro properly supported.

1) Actually it does. I have the documentation from your own support outlining the ports that MUST BE OPENED to enable BOTH the PogoPlug to register, and the PogoPlug to work. You’re welcome to also reference ticket numbers: #3437, #3450, and #3506. These cases document BOTH that support stated the password could not be changed AND get updates, the ports that MUST be opened for it to work, and the fact that it does not work through an Astaro Home Gateway Firewall (which is not PnP compatible).

2) Shipping with a "standard" username and password is one thing. Publishing that username and password on the web AND not providing an easy way for consumers to change that username and password is quite another. I’m pretty sure most of your users would not be comfortable with SSH, mounting filesystems RW, changing passwords at a command line, and then remounting a filesystem RO. Comparing yourself to a device that has a web GUI for changing the password isn’t valid.

3) From your own PogoPlug support on Ticket #3437, "Please note, however, should you do this, automatic firmware updates will not occur."

4) This is a false statement, as SSH is enabled BY DEFAULT and accepts connections from ANYWHERE. So you are relying on the end-user having a firewall to block these connections from the Internet as well as relying on the end-user to have a secure wireless and wired network to prevent these connections. It’s unacceptable to allow the ‘root’ account to SSH into the device BY DEFAULT.

I’m very happy to hear you are addressing this blatant security hole, I only wish your device would work behind a firewall without having to open ports. Support for the Astaro Home Gateway firewall would also be appreciated.

1. Pogoplug sits behind your router on your internal network and is safe from outside access by the firewall provided by your router. Pogoplug does NOT require opening any ports or making any changes to your firewall settings. In fact, we specifically do NOT use UPnP for exactly that reason – your network should never be exposed to the outside. By not requiring any kind of network changes, opening ports, or port forwarding, Pogoplug is one of the safest remote access solutions on the market.

2. Many common consumer electronics devices, including the most popular routers, ship with a standard username and password. They, like us, want your device to be open and available for you to make changes – again, with the knowledge that they are sitting behind your router (or they are your router) and there is no unauthorized external access allowed.

3. At any point you can change the root password of your Pogoplug. Your Pogoplug will continue to upgrade automatically as it always has, and in fact will work exactly the same in all regards.

4. The auto-upgrade check on the Pogoplug uses a secure handshake with the upgrade servers to find out if a new software (firmware) upgrade is available. The Pogoplug has no ability to upload software to our servers – it can only download the latest firmware, so there is no potential for a trojan style "injection" of malicious software. In the same regard, Pogoplug never accepts unsolicited requests for data, it only responds to remote access requests from the Pogoplug servers that were initiated by the Pogoplug itself, which further eliminates outside spoof attacks directed at individual Pogoplug devices.

We will add more information to the developer section of our site over the weekend clarifying some of his issues, especially about the fact that it’s fine to change the default password and everything will continue working as always, including auto-upgrades, and that Pogoplug sits behind a router/firewall where there is no direct public access and never opens any ports, don’t use UPnP, … so publishing the password is a convenience for the owner to keep the device open, rather than a security hole in this environment. As an aside, in the March release we are adding the ability to disable/enable ssh (default will be disabled) and change the root password from the UI.

The REAL problem is keeping the API secure. If a hacker were to make the API say "download this trojan firmware" then all Pogoplugs would be destroyed. It’s unlikely but possible.