Sunday, November 02, 2014

Synology hacked by bitcoin miners?

More Fun with the Diskstation

After I'd made several posts in the past about my adventures hacking the Synology Diskstation, I got away from messing with the device due to several factors. First, I've been dealing with family issues that were more urgent and important than the device. Second, the client I was working with developed a different method for backing up their files so I didn't need to perform the remote backups anymore. 

A year later, I logged into the Diskstation to check on updates, as I'd not run any in a while. Synology updates the DSM software frequently and the update option in the control panel usually finds a new version. This time, there was no indication there was a new version available. This was very strange since I had left my version, 4.2-3211, out of date on purpose due to bugs encountered in subsequent releases.

I then went to the Synology website and found that I was indeed several versions behind and that the DSM software was up to version 5. I figured that perhaps my tinkering with the Diskstation caused a problem with the update. Or perhaps the Synology guys had read some of my posts and said, "Ok, we'll make sure your device is dropped from notifications. No updates for you!" 

Not a problem! The Synology site has a download page where you can get the update file and then manually update your device. But when I tried to perform the manual update I got an error saying "Field value is invalid". Those Synology guys must have really hated my posts, right?

The reality is much worse. The Internet is filled with pinheads. Crafty tech-savvy pinheads. Some hackers had an exploit that found Diskstations and planted processes on them, turning the servers into zombies doing mining/farming work for bitcoins. Older versions of the DSM software are vulnerable, and one of the signs of the compromise is that it breaks the automatic update capability. 

Thank goodness the Internet is also filled with crafty good people. I found a post at the Arinium Blog [Sorry, the links appear to be broken as of 19-Jun-2020; I found an Ari Korhonen who is a software developer and might be the guy, but the other link I found for his blog doesn't seem to work either] that discussed the same issue I had. The fellow there had the same version of the DSM and was having trouble upgrading. He did not identify the hack as the issue, but he did establish that there was a problem with 4.2-3211 and that upgrading manually to 5 wasn't working. His solution was to tinker a bit and go to 4.3 before going to 5.

The bitcoin hack is referenced in the comments section of the post. One of the responses references a dialog with Synology where the exploit is noted. The Synology support team suggests two options:

  1. Shut down the Diskstation. Pull out the hard drive, replace with a single spare hard drive, and then update the DSM. When finished, shut down the Diskstation again, reinstall the original hard drives, then start up. 
  2. The other way is to reinstall the DSM software. There is a link in the post to instructions on how to do this. 

I didn't like Option 1 since it was a bit of a hassle, getting a spare hard drive and messing with taking the existing drives out. Option 2 involves a mildly arcane exercise of pressing the reset button on the back of the Diskstation, then pressing it again within 10 seconds, and then doing some checks after logging into the station.

I instead did something else:
  • Download the oldest version of the DSM 4.3 (in my case 4.3-3776)
  • Download the latest version of DSM 5 
  • Manually update to 4.3
  • In my case, the Diskstation behaved a little oddly, like it wasn't taking the update, but then it rebooted on its own and came back with DSM 4.3 so it must have worked
  • I then manually updated the Diskstation to DSM 5

This all seemed to work: the DSM software was successfully updated, but the process reset a number of settings. I had to reinstall several of the applications like Audio Station and I had to reapply DDNS settings. I'm still working to configure some things. And I'm noticing so far that my old nemesis, the Diskstation's refusal to sleep, has returned. But reviewing the process monitor shows the new version of Audio Station is running the indexing process on the media files, so perhaps this will pass when it is done.
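The two things the post actually establishes are a symptom (the control panel offers no update while Synology has published a newer release) and a staged upgrade path (4.2-3211 would not go straight to DSM 5, but 4.3-3776 first and DSM 5 afterwards worked). The script below, an added example that is not code from the original post or from Synology, parses DSM version strings of the `major.minor-build` form shown on the page and turns those two observations into a check and a plan. The DSM 5 build number is a constructed placeholder (the real one comes from Synology's download page), and applying the 4.3 detour to any pre-4.3 build, rather than only to 4.2-3211, is an assumption the post does not verify.

```python
"""Staged DSM upgrade planner for an older Synology Diskstation.

Added example, not code from the original post or from Synology. It encodes
what the post reports: a unit on DSM 4.2-3211 rejected a direct manual update
to DSM 5 ("Field value is invalid") but accepted 4.3-3776 first and DSM 5
after that. Extending that rule to other pre-4.3 builds is an assumption.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)$")


@dataclass(frozen=True, order=True)
class DsmVersion:
    """DSM version as the control panel shows it: major.minor-build."""
    major: int
    minor: int
    build: int

    @classmethod
    def parse(cls, text: str) -> "DsmVersion":
        m = _VERSION_RE.match(text.strip())
        if not m:
            raise ValueError(f"not a DSM version string: {text!r}")
        return cls(*(int(g) for g in m.groups()))

    def __str__(self) -> str:
        return f"{self.major}.{self.minor}-{self.build}"


# Builds named in the post.
STUCK_BUILD = DsmVersion.parse("4.2-3211")      # the build that would not update
STEPPING_STONE = DsmVersion.parse("4.3-3776")   # oldest 4.3 build, the intermediate step
# Constructed placeholder for "the latest DSM 5" the post downloaded; the real
# build number has to be read off Synology's download page.
TARGET_DSM5 = DsmVersion.parse("5.0-0")


def auto_update_looks_broken(current: DsmVersion,
                             offered: Optional[DsmVersion],
                             latest_published: DsmVersion) -> bool:
    """The post's warning sign: the control panel reports no update (or only an
    older one) although Synology has published a build newer than `current`.

    `offered` is what the update dialog proposes, or None when it claims the
    device is up to date.
    """
    if latest_published <= current:
        return False                 # nothing newer exists, so silence is expected
    return offered is None or offered < latest_published


def plan_upgrade(current: DsmVersion, target: DsmVersion) -> List[DsmVersion]:
    """Return the DSM builds to install manually, in order, to reach `target`.

    Per the post, a 4.2 unit could not jump straight to 5 and had to be taken
    to 4.3 first. Assumption (generalised here): any build older than the 4.3
    stepping stone takes the same detour when the target is DSM 5 or newer.
    """
    if current >= target:
        return []
    if current < STEPPING_STONE and target.major >= 5:
        return [STEPPING_STONE, target]
    return [target]


if __name__ == "__main__":
    current = STUCK_BUILD
    # The control panel said nothing was available while DSM 5 existed.
    print("auto-update broken?", auto_update_looks_broken(current, None, TARGET_DSM5))
    for step in plan_upgrade(current, TARGET_DSM5):
        print("install", step)
```

Run it as-is to see the two-step plan for the post's situation; swap in your own control-panel version and the build currently listed on Synology's download page to get the plan for a different unit.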

Your mileage may vary depending on how badly your system was compromised. Some of the posts indicate people had to do more tinkering to get things straight again, but I'm glad I was able to fix it without having to fiddle with hard drives.

In any event, a big "thank you" goes out to Ari, of the Arinium Blog for his post. 

Monday, May 26, 2014

Annual Memorial Day Post 2014: When the Truth is the Casualty, it Hurts Everyone

This is a day to remember our veterans and fallen heroes. The one I mourn the most for is a warrior we often forget, not just in the military or in IT but in all life. This warrior's name is Truth.

The truth is a simple but beautiful thing, if you allow yourself to accept it. It is the understanding of something with complete clarity, totally free of bias. It's something that is not subject to argument, it does not take sides, it brings us answers and as the old adage says, it sets us free.

Such a wonderful thing should be revered, even cherished. We humans instead fear the truth. We bury it under our weighty bureaucracies of politics and pettiness. We worry about the burden of individual accountability it brings and we spend more energy deflecting the truth than it would take to accept blame and issue a reparation for a mistake. We've turned lying into an art, an art that in some professions is lucrative.

There's an affliction of lying that's pervasive in human culture. It's probably older than prostitution, but I often use that convenient scapegoat of the Vietnam Conflict as a recognizable symbol to describe it. It was common in Vietnam for American "leaders" to only want to pass good news up the chain rather than the truth. No one wanted to lose a job, so they kept telling their bosses, "Everything is good." Tangible things like body counts became the superficial manifestations of managerial dog treats.

Does that sound familiar? If you work in any modern company, it probably does. In Vietnam, the cost of such institutionalized lying was a meager sixty thousand American and countless more Vietnamese lives. In Corporate America, the cost is a numbing level of inefficiency. I see it in every company I've ever worked for or dealt with. It's not that companies can't be profitable even with the inefficiency. Many are. They have to be to survive. But they could be so much better. Responding sensibly to the truth would improve many lives and jobs.

It appears, however, that we will be unable to overcome our fear of the truth. Our politicians continue to come across like a bumbling litany of clowns and in our companies I rarely see "leadership" serious about identifying real opportunities to improve and engage transformative measures. Serving clients and workers becomes less important than protecting management. What a shame. This is how we use the freedom our veterans died for?

I can understand why people fear the truth. Another old adage says, "The truth hurts." But it hurts because it scrubs away the fester left by lies. We can give lip service to our fallen troops until the end of time, but when do we make moves to be better than we are, to make a society that would truly honor them?

Sunday, January 05, 2014

Second Thoughts on Having a Personal NAS

A year ago I finally took the plunge and joined Amazon Prime. What a happy prison it is. Good discounts, fast shipping, and lots of incentives to buy an Amazon Kindle tablet. But that's not really what I wanted to write about. It's fallout from being in the happy prison that has caused me to question whether my approach to having a personal NAS is a good idea.

So here's what's happening: I'm now buying a lot of ebooks from Amazon. I've got a Nook HD+ tablet so I also buy them from Barnes and Noble. I also have found my way on to some nice free ebook mailings. And I have digital magazines on Zinio. And comics on Comixology. And more ebooks on Steam, and some on Humble Bundle, and some more from Groupees and still more on BundleHunt. I also have a few loose ebooks on my local drive, managed by Calibre.

Do you begin to see the problem? In a world where technology is supposed to make life easier, I now have several more accounts and passwords to remember, and the sad truth is I'm probably not going to read but half of those ebooks, and that's being optimistic.

"So wait," you ask, "isn't this exactly why you got the NAS? To put all that content in one place and be able to access it from any device?" Well, sort of. The effort involved in transformation of that data from the commercial cloud to my personal cloud is sort of a pain in the ass. It's more effort than memorizing ten passwords.

When I use Amazon's cloud service for storing my MP3s, or Microsoft's SkyDrive or DropBox as commercially provided network storage, it's really convenient. Security, infrastructure, capacity and maintenance are all someone else's problem. I do get the point of the personal NAS: I have full control of my content and if Amazon goes out of business (unlikely) or Microsoft decides to pull the plug on SkyDrive or change it into something else (less unlikely) then my content is still safe on my own hardware. Not to mention that if any of the data is sensitive, such as client information, it's better on my own device than on someone else's.

But for non-sensitive materials, I'm not sure having a personal NAS is really that big a deal. I love the Synology Diskstation I have, but it wasn't free. And it's not free to maintain, although as you've learned from my last several entries, harnessing additional functionality was really cool.

I think what I need is for someone to write a consolidation app that pulls all of this together. In the meantime, I've got a Frankenstein of a storage approach. And you know what? Even with all their problems, the happy prisons that Amazon and Steam give me for all those books, music, and games are awfully comfortable and I'm glad to have them.

The Best Bonus I Ever Got

I know I complain a lot on the blog about IT management. Well, in my opinion, IT management asks for it. Just like lawyers do when they send our society on a downward spiral to hell on riptides of lies and blame deflection.

But this post will be different. I promise. Today, I'll talk about the extra bits of cash compensation employees get outside of their base salaries. These have been few and far between in my career, so maybe this will also get to be a blessedly short post. Apologies again in advance for some salty language that might follow.

The first bonus I got didn't come until about five years into my career. A lot of that had to do with the crappy company I worked for, but a lot also had to do with me being an inexperienced and poorly managed resource. Anyway, it was a day cruise given to my team for working hard. I appreciate the gesture, but it was on the lame side as rewards go. And I didn't like how only half the team got to go, and in retrospect I consider this a managerial mistake. Some of the newer team members weren't included (in what I would bet was a cost-cutting move). I felt that was not a smart way to handle team morale in an effort that was supposed to raise team morale. But it's the thought that counts, so I count it as a bonus even though it sucked in more ways than one. Shit, sorry, I was supposed to be positive in this post. I'll try harder on the next paragraph.

The next bonus was much better. It came in my sixth year with my first company. I had moved to a new, smaller team and I was doing a much better job of being useful as I'd become more experienced. I also had a more laid-back supervisor and a pretty reasonable manager. My team received an end-of-year bonus of about three thousand dollars. Not enough to buy an island and retire, but nothing to sneeze at either. What is so damn goofy is that I worked less hard for that bonus than I did for the day cruise.

I switched to contracting for a while, and bonuses are typically not part of the compensation structure for hourly employees, so there's nothing to report until I switched back to full-time work around 1999. Then I got a variety of bonuses. An annual performance bonus could be between two thousand and five thousand dollars. A spot performance bonus I got was three hundred dollars.

I bounced back and forth between full-time and contracting for a while after that but didn't get another bonus until I was again full time and had a manager that appreciated my work. I killed myself for more than a year straight of overtime and got a spot bonus of a thousand dollars.

I think it's fair at this point to note some lessons I've learned about bonuses. Your experience may be different. In fact, I hope it is. I hope you've done significantly better.
  • Bonuses are usually but not necessarily tied to company profitability
  • Bonuses are highly dependent on your immediate superiors and their superiors
  • Bonuses are a very subjective thing.
    • At one company I got almost no bonuses until the end, and I was working less hard than I did in the earlier years. Some employees told me of bonuses they got for putting in a mere hour of overtime. Now that's the kind of consistency that earns employee trust!
    • At another company, bonuses sometimes came with formal recognition in the form of "President's Awards" or "Outstanding Performance Awards". These were REALLY ridiculous. It's not that some of the people getting them didn't deserve them. The problem was that the significance of the achievements earning these awards was all over the map. Some people got them for working hard on a specific important project, even though the teams on that project might have had several deserving people. Or two people might get awards for working on different projects, even though one was a multiple-month or multiple-year effort and the other was a one-week commitment. It all came down to who had the manager that liked them, and in the end, I think this hurts morale more than it helps. Getting no recognition really hurts when you give your heart and soul for a long time and when you really make a difference. I'm not sure what the answer is for this bullshit though, because for the people that deserve it, it is nice to see them get something.
  • Don't depend on bonuses. They're not guaranteed. Hold their feet to the fire in salary negotiations. If you get a bonus, great, but either way you will get the salary.
  • IT shops are pretty barren when it comes to bonuses especially when the company treats IT like a cost center. For sales and a few other divisions, bonuses may be a more legitimate part of the compensation structure.
  • If you want to work in IT and get bonuses, find IT shops in companies where an annual bonus is universal to the pay structure. For example, one of my clients was a trading firm, and everyone, even IT, got significant bonuses (like 20-40% of the salary, a concept that is completely alien to me!).
So which of the bonuses above was the best one? I am thankful for them all, but the answer is, "none". The best one didn't come from management, it came from my users. One of my clients had a legacy system that had (and still has) a terrible user interface. They were suffering greatly on having to enter data one row at a time, spending multiple man-days of effort each month. I added a simple import capability so they could massage their data in Excel and then import it through cutting and pasting. Did it work? A few weeks after the feature went live, I got this from them:

That's right: a modest $25 gift card, for a place that makes food that's mostly not on my diet. It's the best bonus I ever got. Why? Because as Jeff Atwood would say, it showed that people were using my software. It showed that my work improved lives. What makes this bonus great is not even the $25, but the kind comments from my users on the card it came with. 

Now I'm sure there are managers looking at this and saying, "Gee what an asshole that Bernard is. How could that meaningless shit be worth more to him than a thousand dollars?" Man, if you're a manager saying that right now, I pity you. You have completely missed the boat on how to do your job and how to be a leader. And I pity even more your subordinates.

Oh shit, I'm supposed to be positive! Ah, ok, well, I took the card and had a nice date with my wife, eating wings before a movie.

And for any overly literal pinheads reading this, no, this doesn't mean I don't appreciate monetary bonuses. But really, this kind of recognition is truly special and particular to software developers in the same way that a compliment to a chef or an artist means as much emotionally as the money. The chef gets a paycheck either way, but if he knows his clients were enriched by his cooking, he has a sense of purpose fulfilled. And this is where IT management really needs to get a better understanding of how technical people respond to feedback.

We really don't give a shit if you praise us for good attendance or being on time to meetings. We do like pizza, but throwing a pizza party isn't really doing much for morale. When you use metrics like how many SOX audits we passed or how little we were penalized for dress code violations, you're just drawing attention to the parts of the job that suck.