> Sure, but this is a Network Attached Storage product, and the user explicitly chose to use network functions (domains, HTTP), it's not the same category of issue.
Is it fair to say that you're saying that it should be considered normal to expect that network-attached devices (designed and sold by reliable, aboveboard companies) connected to (V)LANs with no Internet access will be configured to use computers that use their management interfaces (whether GUI, CLI, or API) as "jumpboxes" to attempt to phone home with information about their configuration and other such "telemetry"?
Do carefully note what I'm asking: whether it should be considered normal to do this, rather than considering it to be somewhat outrageous. It's obviously possible to do this in the same way that it's obviously possible to do things like scratch the paint on a line of cars parked on the street, or adulterate food and medicine.
Yes, correct.
If you are using a storage device with a Layer 3 interface, you have already signed off that you aren't too concerned with the connection being airgapped. Otherwise you would have used a Layer 1 protocol, or hell, even a Layer 2.
You are giving the thing an IP address and IP capabilities? It's like signing one of those lengthy disclaimers that you might die and won't sue anyone for side effects.
Not saying it needs to happen, but you can't be surprised if it does.