I occasionally use my Tablo remotely.
@sderos - This is a popular request. Later this year we’ll be looking at non-pairing options for Tablo Connect. Stay tuned!
I am also interested in this feature. I’m thinking of times that I want to watch on my work PC. I can’t take my work PC (desktop) home and get on my wifi in order to set up. I’d like to have a remote login feature.
Read this thread for how to do that in the meantime:
Any progress on non-pairing options for Tablo Connect?
I would love to see this. My most desired feature for sure.
I would like to put in my $.02. Whatever you decide, please get rid of that horrible UPnP! It is a security nightmare, and there is no way I will ever enable it on my home or work networks. In a perfect world we could implement some sort of federated sign-on.
Yes, a login feature for Tablo Connect where you did not have to pair a device locally would be great.
However, regardless of whether it’s a login feature or how it’s currently set up, you still need to forward the necessary ports on your router in order for the Tablo to accept remote connections. If you are worried about security, you can disable UPnP on your router and manually set up the port forwarding. However, many consumers are not tech-savvy enough to do this on their own, which is exactly why UPnP was created. There is nothing wrong with using UPnP to have the Tablo automatically forward the necessary ports. It would be a detriment and a step backwards for them to remove the UPnP aspect for Tablo Connect. Not everyone understands networking as well as you do.
I hear what you are saying. Still, as a cybersecurity professional I do not like UPnP. Convenience is not a good enough reason to design a security mess. With UPnP enabled I, or any other half-way competent security dood white-hat or black-hat, could own your network in just a couple of hours without any trouble at all. I wish that entire protocol would be removed and never used in the United States.
I do not object to criminals and ISIS using it.
lol yes but most consumers do not have networks that people want to hack. I am just saying, if you know enough about network security then disable UPnP and forward the ports yourself.
If they removed the UPnP feature, those individuals without networking knowledge would definitely complain, and you would get a lot more people complaining about how Tablo cannot make a simple product for an end user. Damned if you do, damned if you don’t.
Thanks @ddd671 - you reminded me to turn off UPnP on my new router! Wish they didn’t set the default to enabled for that functionality.
I think we will just have to agree to disagree on this one. You are correct, I could forward the ports if I wanted. I don’t because remote viewing is not a big deal for me, but I do understand that others want that feature.
Here is another way to look at it. Is remote access worth $100/yr.? For that an SSL certificate could be purchased from Verisign for each subscribed user. Then, the remote access could be backed with SSL certificates and encryption keys. The burden of keeping the private keys would fall to the end user. Tablo could offer software to help manage the keys.
I know that SSL is not foolproof either, but it is a darn sight better than UPnP.
If someone spent two hours trying to hack into my network, they would be sorely disappointed.
The security on my home network is like the lock on my front door. It is good for keeping out the honest and the dumb. I do not expect it to stop a skilled hacker any more than I expect my deadbolt to stop a locksmith. All I am looking for is to keep my network locked down enough to make it more trouble than it is worth. I’m not a business. I don’t have anything interesting. I’m just some anonymous schmuck. No professional hacker is going to waste hours trying to crack my network.
As someone who has worked in IT development organizations for more than a decade and has seen firsthand just how paranoid and carried away the security guys get, I tend to take what they say with a large dose of salt.
Well, consider me well salted.
I think that if anyone runs software that automatically opens holes in a firewall without authentication, and often without differentiating internal or external networks, they might as well not even use a firewall.
As someone who has worked for decades in IT security, I have seen the real damage done by not taking security seriously. It is not just the big boys that make the news like Target or Anthem, it is also the little guys. We all have bank accounts, credit cards, and data on our computers that is important to us.
Since such things often fail to translate on the internet, I will tell you that there was at least a certain amount of ball-busting in that post. There is always a natural tension between development and security and achieving balance is not easy. Some organizations are too lax. Others go so completely overboard that nobody can do their job. I’ve seen both and like neither.
I do not personally keep credit card, bank account or other financial data on computers in my house. In fact, I keep very little of anything on my computers. I do the bulk of my financial transactions directly with my bank’s portal and keep the bulk of my data on One Drive (nothing financial). The only thing on my NAS is media. If someone wants to hack my network to copy my movies, be my guest. They won’t find anything sensitive or confidential on either my NAS or my PCs.
From one pro to another, I appreciate your comments. I did catch the subtext, but had to play my role as a paranoid security weenie.
I’ve been on the devel side of things, and I can say that there needs to be balance. The best security guys are those who have actually worked on the design/coding side at one time in their career. I am often the voice of reason in our security team who does get that things need to work. Much of this can be smoothed over if the requirements gathering phase is actually done right, but I’m sure you know as well as I do how often that actually happens!
I think the problem you were addressing is that a lot of folks open ports and enable protocols without having any understanding of what the implications are. I made an informed decision by weighing relative risks vs features and convenience. The bulk of the consuming public does not know enough to do that and simply trusts that it is all good. The problem companies like Tablo have is to make features available to people who are not very skilled, and that often requires security compromises. The reason it does not pose a real-world problem for most people is basically security by obscurity. People are protected by the fact that it takes a targeted attack to exploit this type of vulnerability and the average residential network just isn’t worth the trouble.
I am an enterprise data architect and haven’t done any meaningful development in at least 8 years, so I basically know just enough about port configuration, firewalls and such to be dangerous.
You hit on the problem exactly. I disagree that it takes a targeted attack; there are bots running around the web looking for vulnerabilities to exploit. Sure, a criminal won’t get much from most home users but it doesn’t cost much to do, and if they can get a few dozen then it would pay for itself. I’ve read that about 40% of home routers are configured as Internet Gateway Device (IGD). If an IGD is using UPnP, then it will accept a request to open a firewall hole from an unauthenticated Internet user. At that point it is pretty easy to install ransomware or do a DNS redirection and create a water-hole to get CC data. All it would take is a couple of days’ work and maybe a thousand dollars to set up. The take would easily be 10 times that.
You illustrated that UPnP can be used (relatively) safely by implementing other security controls. You are doing just that by segmenting your storage and removing the sensitive data from the Internet connected devices. Just as you say that most users are not able to configure sophisticated network setups, I propose that they aren’t capable of designing a security architecture as you did.
In a perfect world the vendor (such as Nuvyyo) would take all this into consideration and design a system that is both automatic (from the user’s perspective) and secure. As you stated before, this is all about balancing security against functionality. I don’t know how to do this with UPnP without also requiring a pretty good handle on networking technology–and if the users had the know-how to secure UPnP, then they could also manually set up port forwarding.
There are ways to do this securely. I mentioned one in an earlier post–use SSL certificates to both authenticate and encrypt the data stream. Unfortunately that means creating a PKI infrastructure just for remote viewers, or to use a commercially available structure. Both would increase cost. Perhaps there is a better, cheaper way. I haven’t thought much about it, and Nuvyyo hasn’t hired me to research it.
I appreciate the back and forth conversation on this. I’m glad to see that others want this company to do well. I really love the product and wish to see it succeed.
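For readers who leave UPnP enabled, as discussed in the thread above, one way to review what it has opened is to audit the router's port-mapping table. This is an added example, not code from any poster or from Tablo: the `New*` field names are the arguments of the UPnP IGD `GetGenericPortMappingEntry` response, while the addresses, ports, LAN range and allow-list are constructed assumptions.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample data in the shape of a WANIPConnection
# GetGenericPortMappingEntryResponse body; all values are made up.
TEMPLATE = (
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
    '<u:GetGenericPortMappingEntryResponse '
    'xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
    "<NewRemoteHost></NewRemoteHost><NewExternalPort>{ext}</NewExternalPort>"
    "<NewProtocol>TCP</NewProtocol><NewInternalPort>{port}</NewInternalPort>"
    "<NewInternalClient>{client}</NewInternalClient><NewEnabled>1</NewEnabled>"
    "<NewPortMappingDescription>{desc}</NewPortMappingDescription>"
    "<NewLeaseDuration>{lease}</NewLeaseDuration>"
    "</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"
)
SAMPLE = [
    TEMPLATE.format(ext=21000, port=21000, client="192.168.1.50", desc="dvr", lease=3600),
    TEMPLATE.format(ext=4444, port=3389, client="192.168.1.20", desc="x", lease=0),
    TEMPLATE.format(ext=5353, port=53, client="203.0.113.7", desc="y", lease=0),
]
SENSITIVE_PORTS = {22, 23, 445, 3389}  # remote admin / file sharing


def parse_mapping(soap_xml):
    """Return the New* arguments of one port-mapping response as a dict."""
    root = ET.fromstring(soap_xml)
    return {el.tag: (el.text or "") for el in root.iter() if el.tag.startswith("New")}


def audit(mapping, lan="192.168.1.0/24", expected=frozenset({("192.168.1.50", 21000)})):
    """List reasons a mapping deserves review; an empty list means it looks expected."""
    client, port = mapping["NewInternalClient"], int(mapping["NewInternalPort"])
    findings = []
    if ipaddress.ip_address(client) not in ipaddress.ip_network(lan):
        findings.append("forwards to a host outside the LAN")
    if port in SENSITIVE_PORTS:
        findings.append("exposes a remote-admin or file-sharing port")
    if (client, port) not in expected:
        findings.append("not on the list of mappings you set up on purpose")
    if mapping["NewLeaseDuration"] == "0":
        findings.append("never expires")
    return findings


def audit_all(responses=SAMPLE):
    """Audit every captured response and return one findings list per mapping."""
    return [audit(parse_mapping(r)) for r in responses]
```

The `lan` and `expected` defaults are placeholders; set them to your own subnet and to the forwards you created deliberately.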