Why are all these ports open? -- SECURITY VULNERABILITIES


Re: Why are all these ports open? -- SECURITY VULNERABILITIES

Postby Franklin » Wed Mar 19, 2008 9:20 pm

Greetings all-

dguido's report is currently being reviewed by our engineering department, however please note that our systems are not that much different from using a regular Linux computer. What dguido's report shows or implies is that he wants our system to be more secure from INTERNAL attacks, such as attacks from within the same LAN (example, an employee attacks a company Synology Box from his company terminal). As long as you are using a firewall, and you don't allow your system to be accessed from the Internet, you are pretty much secure from EXTERNAL attacks.
**Franklin is not available**
**Please do not Private Message me for support questions; leave it on the forum so all members can learn. Thanks!**
Franklin
Synology Inc
Posts: 6772
Joined: Sat Oct 14, 2006 11:33 pm
Location: Washington, USA

Re: Why are all these ports open? -- SECURITY VULNERABILITIES

Postby dguido » Wed Mar 19, 2008 10:28 pm

Hi Franklin,

Please wait for your engineering department to review it before stating whether you are covered or not. I would disagree with your statement.
dguido
Apprentice
Posts: 99
Joined: Wed Oct 17, 2007 8:52 am

Re: Why are all these ports open? -- SECURITY VULNERABILITIES

Postby Toxic » Wed Mar 19, 2008 10:31 pm

Regards Simon
http://www.linksysinfo.org
Synology CS-407 - DSM 2.2-0921 : Drives: 4 x Samsung HD501LJ SATA II 500GB RAID5 :
Cisco 871W v12.4(15)T9 : Cisco ASA5505 v8.04.28 512MB : Dlink DSM-520 v1.06eu : Xbox360 : Linksys SPA-942 v6.1.5(a)
Toxic
Versed
Posts: 285
Joined: Wed Jun 06, 2007 6:19 pm
Location: Belfast

Re: Why are all these ports open? -- SECURITY VULNERABILITIES

Postby grimse » Wed Mar 19, 2008 10:42 pm

Hi Franklin,

Where is the difference between exploiting a PHP vulnerability from inside or outside? In my opinion there's none.
For sure you are right when saying the system is secure when it's not reachable from the Internet, but the discussion was about publicly reachable services (Photo Station, management, ...).

Apart from this, I appreciate seeing Synology moving and responding. I hope to see some positive feedback from the development, too.

Kind regards, grimse
grimse
Novice
Posts: 40
Joined: Mon Nov 12, 2007 12:18 pm
Location: Hamburg, Germany

Re: Why are all these ports open? -- SECURITY VULNERABILITIES

Postby grimse » Wed Mar 26, 2008 9:44 am

Hi!
Is it already possible to get a feedback from the development?

Best regards, grimse
grimse
Novice
Posts: 40
Joined: Mon Nov 12, 2007 12:18 pm
Location: Hamburg, Germany

Re: Why are all these ports open? -- SECURITY VULNERABILITIES

Postby pz1 » Wed Mar 26, 2008 10:03 am

I am also curious if they are taking this seriously, and consequently focus on security over features with the next release.
DS-207+ 128MB; DSM 2.2-0959
HDD: WDC WD10EADS-00L5B1 (01.01A01)
pz1
Experienced
Posts: 125
Joined: Fri Oct 19, 2007 9:56 am
Location: Netherlands

Re: Why are all these ports open? -- SECURITY VULNERABILITIES

Postby dvmrp » Wed Mar 26, 2008 3:02 pm

Sometimes I feel pretty sick of those guys yelling "security vulnerabilities". My 107e and 406 are working as my home servers. The only services open to the Internet are cert-based SSH and Downstation on the 107e only. I need functionality and I appreciate what Synology is doing so far. If security is so much of a concern then probably you should look for other products that only offer Samba services of whatever version you think has no known exploit, with the system running TE.
dvmrp
Rookie
Posts: 33
Joined: Thu Aug 09, 2007 3:57 pm

Re: Why are all these ports open? -- SECURITY VULNERABILITIES

Postby alfred » Wed Mar 26, 2008 3:17 pm

Obviously you did not get the point. Please read the whole thread.
alfred
Beginner
Posts: 22
Joined: Tue Nov 14, 2006 9:27 am

Re: Why are all these ports open? -- SECURITY VULNERABILITIES

Postby dguido » Thu Mar 27, 2008 1:36 am

> I am also curious if they are taking this seriously, and consequently focus on security over features with the next release.

So far they are taking it seriously. I've been privately discussing these issues with them and will talk about them more once the next release is out.

In the meantime, turn off your NAS ;-)
dguido
Apprentice
Posts: 99
Joined: Wed Oct 17, 2007 8:52 am

Re: Why are all these ports open? -- SECURITY VULNERABILITIES

Postby dvmrp » Thu Mar 27, 2008 6:01 am

Even the 40x is cheaper than a cell phone. You expect something in this class to safeguard your valuable data at the same level as something far more expensive? Would you use a $10 lock chain to safeguard a $2000 bicycle? Give me a break. To me, they are toys on my home net, not something I will put my life on. That's why I prefer Synology to put more effort into features, instead of security.

And for dguido, yelling on other threads that you have too many features, your interface is too fancy, I know how to develop products better than you, release the source code, I don't use this NAS and other guys shouldn't either, bah bah bah

a user, or ...?
dvmrp
Rookie
Posts: 33
Joined: Thu Aug 09, 2007 3:57 pm

Re: Why are all these ports open? -- SECURITY VULNERABILITIES

Postby dguido » Thu Mar 27, 2008 6:25 am

dvmrp,

I'm sure you wouldn't mind if someone broke into your house and stole your NAS then, right?

There are 3 reasons why your argument falls apart:

1. If we went by your logic, then just because someone buys a low-cost car means they're not entitled to live in the event of a car accident. The price of Synology's products is irrelevant. They are selling them, they are responsible for them.

2. Need I mention that Synology's NAS products are marketed as having "Hack-Prevention" and as providing "reliable data protection"? I, and many others I would think, buy NAS products for the easy-to-implement RAID and the inherent protections it provides. This protection is compromised completely by the insecurity of the operating system running on the device.

3. Just because you use your NAS in a certain way does not mean that others aren't using it differently. You want to talk about mission critical? Fingerprint ftp.synology.com: it's running on a Cubestation. People use these devices for all different purposes, some critical, some not.

And to answer your question about whether I own a Synology product or not, the answer is yes, I do. I own a CS407 with a 2TB RAID5 array. I bought it because it was something I could afford and something that would be large enough to store all of my data. I don't have backups, RAID5 is my backup. That's why I was particularly pissed when I found out how unsafe these devices are.

Security and features don't necessarily have to be a trade-off. You can have all the features you want, but there are right ways to implement them and there are wrong ways. Right now, it's evident that many wrong decisions were made in how to implement these features. That's what we want fixed.
Last edited by dguido on Thu Mar 27, 2008 7:58 am, edited 2 times in total.
dguido
Apprentice
Posts: 99
Joined: Wed Oct 17, 2007 8:52 am

Re: Why are all these ports open? -- SECURITY VULNERABILITIES

Postby SydneyGuy » Thu Mar 27, 2008 7:00 am

I see your point about being worried about security but honestly I'd be more worried about you considering RAID5 to be your "backup". RAID is NOT a backup solution. If you accidentally delete something it's gone and gone for good as there is no "recycle bin". If something goes wrong with the array then all your data is gone.

If you are using the NAS as a backup device for your PCs etc then there is no need to back it up but if it contains the only copy of your data then running without a backup is risky to say the least.
SydneyGuy
Experienced
Posts: 100
Joined: Sun Jan 14, 2007 6:56 am

Re: Why are all these ports open? -- SECURITY VULNERABILITIES

Postby dguido » Thu Mar 27, 2008 7:08 am

I'm a student. I only have money to buy four 500GB drives once :-).

I see what you're saying but I'm ranking my risk of hard drive failure much higher than my risk of accidental deletion.

I do, however, disagree with you on what you said about 'something with the array going wrong' causing me to lose all my data. If the Synology hardware goes bad, I can plug the drives in my Linux desktop and recover them. If a drive goes bad, RAID5 will continue to function. The greatest risk to me losing all my data right now is one of these many security holes I noticed (which can easily end up being reliability problems).

This is getting off-topic though. Speaking of off-topic: viewtopic.php?f=21&t=7333&p=31799
dguido
Apprentice
Posts: 99
Joined: Wed Oct 17, 2007 8:52 am

Re: Why are all these ports open? -- SECURITY VULNERABILITIES

Postby rodef » Thu Mar 27, 2008 10:15 pm

I am very glad I read this thread. I was set on buying a DS-509 when it's released, but these security vulnerabilities would be a dealbreaker if they're not fixed.

dguido, thanks for posting this. You have argued your points extremely well. Given the flak you've taken, I'm glad you didn't give up. Otherwise I (and lots of others) might have been misled by your detractors.
Model: DS508; F/W: DSM 2.3-1118; HDD: 5 x Seagate 1TB ST31000340NS (RAID 5); Camera: IQinVision IQeye 702; Other: Squeezebox Boom and Classic
rodef
Sharp
Posts: 177
Joined: Mon Jan 14, 2008 9:19 pm

Re: Why are all these ports open? -- SECURITY VULNERABILITIES

Postby cyprids » Fri Mar 28, 2008 7:55 am

I fully support dguido's point of view.
I do not understand why people simply accept that their Synology box has security exploits just because it is cheap... If you are a Linux guy I would guess that you care about security, and if you are a Windows guy you have probably been critical of Microsoft's way of handling security... so why is the deal with Synology any different?
cyprids
Trainee
Posts: 14
Joined: Sat Jun 23, 2007 6:58 am
