“MSPBackup” is Just Storegrid with a New Name and Changed File Dates

Vembu is a company in India that, in 2004, started selling online backup software to compete with Remote Backup Systems. It’s no secret that we don’t get along. They think I’m a bully, and I think their software is dangerous, ill-conceived, and bad for the industry. We’ve fought blog wars.

They produced a product called “Storegrid,” which was discontinued after being exposed as a legitimate security risk in late 2014. Now it’s back. Here’s the story.

On Saturday, July 18, Vembu sent out an email announcing their “new” MSPBackup product, but it is anything but “new”. We tested it, and found that it is the same old (REALLY old) Storegrid, with all the same problems. They simply changed its name, and changed file dates to try to fool us.

This article contains links to unflattering pages about Vembu. We don’t expect these pages to stay up very long. Many of them are on Vembu’s own website. If they go down, you can contact the author for copies.

We have previously reported on these security problems.

http://blog.remote-backup.com/vembu-storegrid-security-exploit-published-vembu-users-risk/

In the “MSPBackup” version we tested we noticed that they have changed the dates of the old component files in a fraudulent attempt to make them look new. They are not new.

We found that the Apache web server that is at the heart of the software is STILL eight years old, version 2.0.63, released in 2008, and according to the official Apache website, no longer maintained – even though it has a file date of 7/14/2015.

http://httpd.apache.org/docs/2.0/

The file dates on this eight-year-old component have been changed from 2008 to 14 July, 2015 to make us think it’s new.
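File dates are filesystem metadata and can be reset at will, so the age of a bundled component is better read from the file's contents. As an added example (not from the original article or from Vembu's software), this Python script reads the Apache banner string and, for Windows PE binaries, the linker timestamp in the COFF header, and compares them with the on-disk modification date; the sample file, its 2008-01-01 link date and all function names are constructed for illustration.

```python
import os, re, struct, tempfile
from datetime import datetime, timezone

BANNER = re.compile(rb"Apache/(\d+\.\d+\.\d+)")  # version string compiled into httpd

def pe_link_time(data):
    """Return the COFF TimeDateStamp of a PE image as a UTC datetime, or None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of the PE header
    if e_lfanew + 12 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)

def inspect(path, max_skew_days=365):
    """Compare what the file says about itself with what the filesystem says."""
    with open(path, "rb") as fh:
        data = fh.read()
    m = BANNER.search(data)
    mtime = datetime.fromtimestamp(os.path.getmtime(path), tz=timezone.utc)
    linked = pe_link_time(data)
    return {
        "banner_version": m.group(1).decode() if m else None,
        "mtime": mtime.date().isoformat(),
        "link_time": linked.date().isoformat() if linked else None,
        "date_mismatch": bool(linked) and abs((mtime - linked).days) > max_skew_days,
    }

def build_sample(directory):
    """Constructed sample: minimal PE header plus banner, mtime set to 2015-07-14."""
    linked = int(datetime(2008, 1, 1, tzinfo=timezone.utc).timestamp())
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHI", 0x14C, 1, linked)
    path = os.path.join(directory, "sample_httpd.bin")
    with open(path, "wb") as fh:
        fh.write(dos + coff + b"\0" * 16 + b"Server: Apache/2.0.63 (Win32)\0")
    stamp = datetime(2015, 7, 14, tzinfo=timezone.utc).timestamp()
    os.utime(path, (stamp, stamp))  # reset the file date, as described above
    return path

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(inspect(build_sample(tmp)))
```

The PE timestamp can itself be rewritten or zeroed by some build systems, so treat the embedded version string as the stronger of the two signals.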

The Apache server in this software has missed fifty-two critical security updates, and that’s not all.

On 27 September 2014, Steven Ciaburri of Rack911, a hosting and security firm, reported “root level security flaws in the Storegrid HP (Hosting Provider) product that would allow a normal user to effectively take control of the server, the backup server and all of the configuration files to take control of anything else connected to it.”

The security company issued the following public warning:

“You are all hereby recommended to disable the software until further notice. There are many more security flaws that have not been reported to them and if you use this software you are at a grave risk of your servers being compromised along with your entire backup infrastructure.”

The following link is for a long and damning thread on the authoritative website Web Hosting Talk. It contains MANY reports of problems, and much more detail on security issues.

http://www.webhostingtalk.com/showthread.php?t=1310580&highlight=vembu

Vembu refused to acknowledge or repair the vulnerabilities, and instead responded with a snarky statement questioning the intelligence of the people who conducted the security audit.

“…it seems they lack knowledge on how the product is actually used in our customer’s environment and don’t have a clue about how Backup and Disaster Recovery is actually deployed.”

https://packetstormsecurity.com/files/127786/Vembu-Backup-Disaster-Recovery-6.1-Follow-Up.html

The security firm officially notified Vembu that unless they fixed their problems, the firm would publish the exploit, thereby rendering all Storegrid installations insecure, placing many end user networks at risk.

Vembu refused, and the exploit was published. I reported on this in a blog post on October 29, 2014.

http://blog.remote-backup.com/vembu-storegrid-security-exploit-published-vembu-users-risk/

Soon, under the direction of their new VP of Sales and Marketing, Vembu announced they were discontinuing the Storegrid product, and notified all of their partners that they would now be forced to use a new product called “Vembu BDR”. There was no upgrade path, and the new product required that partners store their data in Vembu’s data center instead of their own. All backups would have to be restarted from scratch.

They even published a paper entitled, “Managed Service Providers are Dead” in which they said (I’m paraphrasing) that the MSP business model – all their partners – was no longer viable.

http://www.crn.com.au/News/399577,backlash-over-backup-vendors-msps-are-dead-move.aspx#ixzz3Q90ayn6j

This upset Vembu’s partners, to say the least. They had been betrayed, publicly humiliated, told their businesses were doomed, and were now being extorted into accepting an unworkable “solution” that would drain off most of their income from online backup.

According to a source inside Vembu whom we won’t name, the company’s next two financial quarters were a catastrophe. The new product and business model essentially flopped, and the company’s reputation with its most valuable target market was destroyed.

This brings us to Saturday, July 18.

Vembu sent out an email announcing the new “MSPBackup.” We thought the feature set looked familiar so we downloaded it and discovered what I have reported here.

During their ill-fated experiment, Vembu aggressively marketed by posting web pages containing extremely (some would say actionable) negative “facts” about their competitors. They went after just about everyone – Veeam, Acronis, Backup Exec, Datto, StorageCraft, Dell AppAssure, Druva, Zerto, Box.net, SugarSync, Dropbox, Unitrends, Carbonite, Axcient, and CrashPlan.

RBS didn’t make the list this time because they had already run out of ammunition for me after years of attacks. I fully expect them to restart their efforts after this article posts.

AND they were NASTY! They’re an Indian company, but they supposedly have a division in the USA. I wouldn’t be the least surprised if lawsuits started flying.

Here’s what they said about Acronis. “Bad interface lacking simple options; backup takes longer to complete; incomplete backups; failed restores.”

acronisvembu.com/acronis-vs-vembu-bdr/

They REALLY went after Veeam. They said, “Sample Veeam scams are: High pricing and misdirected offers; slow backups and repeating failures; consumes more storage space; unfriendly support.”

veeamvembu.com/veeam-vs-vembu-bdr/

veeam2vembu.com/blog/vembu-serves-time-veeam-test-customers/

Datto: “Most common headaches of Datto are: Eats storage space; increased backup duration; trouble with restores; bad user interface.”

dattovembu.com/datto-vs-vembu-bdr/

StorageCraft: “Why leave StorageCraft? A dull and difficult to navigate user-interface; managing backup schedules is a hectic task; users pay more for individual products with each need; outdated compression methods with large CPU usage.”

appassurevembu.com/storagecraft-vs-vembu-bdr-lp5/

About Dell AppAssure they said, “One other thing. If you find a better backup software, buy it!”

lastonevembu.com/appassure-vs-vembu-bdr-lp1/

AND they did. Partners left in droves. Forums sprang up to talk about the betrayal, and alternatives to Vembu. Many former partners signed up with Remote Backup Systems. Some went to Ahsay. Some went to Wholesale Backup and others.

You see, the thing about all these above products is this: They are all virtually universally respected by experts who actually know what they’re talking about. These are huge companies, all MUCH bigger than Vembu, and all entrenched in the enterprise backup space.

Unlike Vembu, all these products from big, well-known companies have been tested and proven in many thousands of installations. Who is Vembu to call them out like this? If nothing else, it’s rude (and as I said probably actionable) and makes Vembu look petty and unprofessional.

Here’s an excerpt from a Vembu blog post, 17 February 2010, directed at me:

“We were just provoked by RBS’s constant focus in attacking our product and company without full understanding of what we are.”

Remember when Vembu attacked the security firm who disclosed its security problems by calling them (essentially) ignorant? Well here they go again, trying to cloak their own incompetence and lack of integrity by dismissing me as not understanding them.

They go on:

“As a company we are down to earth to the point that we even feel uncomfortable beating our own drums leave alone indulge in mudslinging or attacking a competition with creating FUD about them.”

oklastonevembu.com/blog/moving-on/

F.U.D. means Fear, Uncertainty and Doubt. It’s kind of ironic considering all the FUD they tried to evoke against these other products.

To be honest, I guess I’m trying to sow a little FUD here with this article. I don’t think anyone should buy that product. Maybe the next one is OK – “Vembu BDR”. I don’t know. I’d just rather you buy something else, for your own safety and that of your customers. Have a look at Ahsay, Novastor, Asigra, or any of the better products they slammed in their web pages.

Sure, have a look at Remote Backup Systems too. If we’re the better solution for you, then OK. If we’re not, don’t partner with us. DO tell us what we need to do to improve, though. Unlike Vembu, we chose to grow through constructive criticism.

Vembu has now posted the prices for its “MSPBackup.” They are $30 per year for the “Basic Backup Type” and $90 – $120 per year for the “Application Backup”. Since some of you like a Pay As You Go model as opposed to RBS’ popular permanent licensing, I have set up a Pay As You Go license model for RBackup, and I have priced it at one half Vembu’s price.

AND RBS will buy your Vembu MCALs. We’ll trade you even for RBS Monthly Subscription Licenses.

Contact RBS by phone at 901-405-1234 or email sales@remote-backup.com for more info.

About The Author

Steve Roberts / http://remote-backup.com

Steve Roberts is VP of Engineering at Remote Backup Systems (http://remote-backup.com), developers of the RBackup Online Backup software platform, providing software powering more than 9,500 Service Providers in 65 countries since 1987.