Why are all these ports open? -- SECURITY VULNERABILITIES


Re: Why are all these ports open? -- SECURITY VULNERABILITIES

Postby sgtjohnson-117 » Fri Apr 04, 2008 7:39 am

Considering that there are those who feel security is very important to them (and I agree that security is a must), I have to ask: are you using shielded twisted pair Ethernet cords for your network? Are you using Encrypting File Systems on your hard drives? Do you work with unscrupulous individuals? Do you have a security guard patrolling your network? Have you conducted a physical security check? Is your network closet secured behind a safe? Do you trust the people you work with? Do you trust Windows? If security is a concern and you are using Windows, why do you use it, even though it is one of the most targeted operating systems for software exploitation? If you believe security is the most important thing, then I believe you should be using Linux.

While I agree that vulnerabilities must be addressed in a quick manner, one should ask how often a system would become exploitable in this fashion, and whether it requires a person to target a server, or can be conducted by a bot.

It seems that some of these posts are fear mongering and seem out of line.

An analogy of fear mongering is a newspaper article reporting that 25% of all high-school students within the US are subject to severe head injuries during school sanctioned activities. 25% seems like a high number, until more research is done on the subject and it turns out that the newspaper article only studied 1000 students, and only in a small region of the US.

I'm surprised that no one attempted to hack NetBoot's machine, even though he has offered it up.
sgtjohnson-117
I'm New!
Posts: 1
Joined: Fri Apr 04, 2008 7:18 am

Re: Why are all these ports open? -- SECURITY VULNERABILITIES

Postby dguido » Fri Apr 04, 2008 8:15 am

No one has tried to hack NetBoot's machine because it's clearly illegal.

Security is about balancing risk. Right now it is very *VERY* easy for someone to cause a high impact event (read: data loss) on my Synology NAS. However, it is unlikely and difficult for someone to get through the 3 doors or climb the 3 stories which lead to my apartment. Your analogies don't make sense and they are the ones that are out of line.

If you'd like to better understand the criticality of the vulnerabilities which have been presented so far, then I encourage you to go back to my original posts and examine them more closely. Also, any vulnerability can be automated (as you say, with a bot), so your question is irrelevant.
dguido
Apprentice
Posts: 99
Joined: Wed Oct 17, 2007 8:52 am

Re: Why are all these ports open? -- SECURITY VULNERABILITIES

Postby HarryPotter » Fri Apr 04, 2008 9:12 am

dguido wrote:No one has tried to hack NetBoot's machine because it's clearly illegal.

it's not illegal as he offered it, but it's a good excuse :P
**Please do not Private Message me for support questions; leave it on the forum so all members can learn. Thanks!**

DS408 / DSM 2.3 Beta 1118 / 1 x Seagate ST31000340AS Basic + 3 x Seagate ST31000340AS RAID 0 / SSODS 4.1-7.4.0 / SqueezeboxServer 7.4.1-28947 / 2 x Squeezebox 3 / Rapsody N35
DS109+ / DSM 2.3 Beta 1118 / Samsung HD154UI
DS207+ / DSM 2.3 Beta 1118 / 2 x Hitachi HDS721010KLA330 RAID 0
DS-106x / DSM 2.3 Beta 1118 (from DS107) / WDC WD5000KS-00MNB0

APC Smart UPS 750
HarryPotter
Honorary Moderator
Posts: 4928
Joined: Mon Oct 23, 2006 12:48 pm
Location: Switzerland

Re: Why are all these ports open? -- SECURITY VULNERABILITIES

Postby alfred » Fri Apr 04, 2008 9:20 am

Saying 'It's not logical to care about those vulnerabilities as long as your house isn't Fort Knox' is like saying 'It's not logical to care about starving people in Africa as long as people in Asia are starving'. I'm really fed up with this argument.

By the way, can anyone sharing this opinion tell me why I should improve the physical security of my DS at home as long as the software issues aren't resolved?

alfred


@HarryPotter: How can dguido know that it's really net's box? And a high probability alone wouldn't count for me.
alfred
Beginner
Posts: 22
Joined: Tue Nov 14, 2006 9:27 am

Re: Why are all these ports open? -- SECURITY VULNERABILITIES

Postby dguido » Fri Apr 04, 2008 9:46 am

alfred wrote:@HarryPotter: How can dguido know that it's really net's box? And a high probability alone wouldn't count for me.

Good point. See: http://tech.yahoo.com/blogs/null/88388

Denying these vulnerabilities exist doesn't make them any less of a problem. I spent a considerable amount of my time tracking down the vulnerabilities that I gave to Synology (for free) and I will not be spending any more time demonstrating the issues for the non-believers out there. I have a job, I go to school, I don't have time to do everything for you. Why don't you spend time researching the issue yourself, write some code and get back to ME.

Exploit development is time-consuming and expensive (i.e. not free). If you'd like more information, I suggest this paper:
http://weis2007.econinfosec.org/papers/29.pdf
dguido
Apprentice
Posts: 99
Joined: Wed Oct 17, 2007 8:52 am

Re: Why are all these ports open? -- SECURITY VULNERABILITIES

Postby HarryPotter » Fri Apr 04, 2008 9:59 am

:lol: :lol:
your posts are getting more and more ridiculous, especially after asking how to stop the automatic IP blocking function.
thank you for that, it's always a good starter for the day :P
HarryPotter
Honorary Moderator
Posts: 4928
Joined: Mon Oct 23, 2006 12:48 pm
Location: Switzerland

Re: Why are all these ports open? -- SECURITY VULNERABILITIES

Postby aguida » Fri Apr 04, 2008 10:28 am

HarryPotter wrote::lol: :lol:
your posts are getting more and more ridiculous, especially after asking how to stop the automatic IP blocking function.
thank you for that, it's always a good starter for the day :P

Which post was asking to stop the IP blocking function? I don't recall it. Anyway, nothing-saying posts full of smileys are not adding any value to the discussion (besides increasing your post count) and are as ridiculous as the ones you deem to be so.

What I see here are lots of users frustrated by the lack of response and support from Synology. If I were a Synology executive I would react to that. Those boxes are shipped with functionalities meant to be used from the internet and it is a fair expectation from the users that vulnerabilities are fixed.

Also some very basic hardening as I reported before (for example removing the default administrator user and extending the IP-blocking to all outside-facing services) would help make the boxes much more resilient and the customers happier.

But most of all I think people should keep writing their opinions here as all the input is valuable (at least I would consider it so).
aguida
Trainee
Posts: 17
Joined: Mon Oct 01, 2007 6:28 pm
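One way to put aguida's suggestion of extending IP-blocking to all outside-facing services into practice is to count failed logins per source address across every service together, not per service. The script below is an added example, not code from the thread or from Synology's firmware; the log lines are constructed samples and their formats (ftpd, sshd, httpd) are assumptions, not DSM's real log formats.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines for three outside-facing services (FTP, SSH, web);
# the formats are assumptions for this example, not DSM's real log formats.
SAMPLE_LOGS = """\
2008-04-04 09:00:01 ftpd: FAILED LOGIN from 203.0.113.7 user=admin
2008-04-04 09:00:03 sshd: Failed password for admin from 203.0.113.7 port 52211
2008-04-04 09:00:04 httpd: login failed user=admin ip=203.0.113.7
2008-04-04 09:00:09 ftpd: FAILED LOGIN from 203.0.113.7 user=root
2008-04-04 09:00:10 sshd: Failed password for guest from 203.0.113.7 port 52212
2008-04-04 09:05:00 ftpd: FAILED LOGIN from 198.51.100.2 user=admin
2008-04-04 10:30:00 sshd: Failed password for admin from 198.51.100.2 port 40001
2008-04-04 10:30:01 sshd: Accepted password for alice from 192.0.2.10 port 40002
"""
# One failure pattern per service; each captures the source address as 'ip'.
PATTERNS = {
    "ftp": re.compile(r"ftpd: FAILED LOGIN from (?P<ip>[\d.]+)"),
    "ssh": re.compile(r"sshd: Failed password for \S+ from (?P<ip>[\d.]+)"),
    "web": re.compile(r"httpd: login failed .*ip=(?P<ip>[\d.]+)"),
}

def failed_logins(log_text):
    # Yield (timestamp, service, ip) for every failed login on any service.
    for line in log_text.splitlines():
        try:
            when = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
        except ValueError:
            continue  # not a timestamped log line
        for service, pattern in PATTERNS.items():
            hit = pattern.search(line)
            if hit:
                yield when, service, hit.group("ip")

def addresses_to_block(log_text, threshold=5, window=timedelta(minutes=10)):
    # An IP is blocked once `threshold` failures, summed over all services,
    # fall inside any time span of length `window` (one shared auto-block).
    attempts = defaultdict(list)
    for when, _service, ip in failed_logins(log_text):
        attempts[ip].append(when)
    blocked = []
    for ip, times in attempts.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                blocked.append(ip)
                break
    return sorted(blocked)
```

Per-service counting would see only one or two failures for 203.0.113.7 on each of FTP, SSH and the web login and never block it; the shared count reaches five inside ten seconds.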

Re: Why are all these ports open? -- SECURITY VULNERABILITIES

Postby Trolli » Fri Apr 04, 2008 10:46 am

alfred wrote:Saying 'It's not logical to care about those vulnerabilities as long as your house isn't Fort Knox' is like saying 'It's not logical to care about starving people in Africa as long as people in Asia are starving'. I'm really fed up with this argument.

By the way, can anyone sharing this opinion tell me why should I improve the physical security of my DS at home as long as the software issues aren't resolved?

I was talking about high security needs for industry use. I don't think a home user has the need for enhanced physical security. And in my opinion the needs for enhanced software security are also not relevant for home users.

In general the most vulnerable point in a home system is the desktop PC. Even the strongest software security will be irrelevant if someone manages to get the access information to your Synology Station from your PC. If you store sensitive data on systems that can be accessed from the internet I would suggest you use strong encryption software anyway (and back up your data, of course).

Trolli
Last edited by Trolli on Fri Apr 04, 2008 11:12 am, edited 1 time in total.
Disk Station 508
Firmware 844
4x1 TB Western Digital WD10EADS, Raid5

Moderator @ German Community Forum
Trolli
Versed
Posts: 292
Joined: Thu Jul 12, 2007 7:53 am
Location: Germany

Re: Why are all these ports open? -- SECURITY VULNERABILITIES

Postby HarryPotter » Fri Apr 04, 2008 10:54 am

aguida wrote:Which post was asking to stop the IP blocking function?

http://www.synology.com/enu/forum/viewtopic.php?p=31943#p31943

aguida wrote:Anyway nothing saying posts

It says a lot and reflects my meaning about it: ridiculous and derisory making on panic

aguida wrote:What I see here are lots of users frustrated by the lack of response and support from Synology.

very, really very relative... on the contrary - Synology is well known for its superb support and forum...
However the forum is NOT the address to communicate with Synology support! There is a Synology moderator who does his best, but if you want communication with Synology staff, submit a support form.
"a lot of users" (3 or 4...) did it, referring to this thread, and received detailed answers (also published on the forum)
Hello, what else do you expect?

aguida wrote:But most of all I think people should keep writing their opinions here

exactly, and therefore I published mine
HarryPotter
Honorary Moderator
Posts: 4928
Joined: Mon Oct 23, 2006 12:48 pm
Location: Switzerland

Re: Why are all these ports open? -- SECURITY VULNERABILITIES

Postby alfred » Fri Apr 04, 2008 3:26 pm

Trolli wrote:I was talking about high security needs for industry use. I don't think a home user has the need for enhanced physical security. And in my opinion also the needs for enhanced software security are not relevant for home users.

I am a home (office) user, and this is relevant for me. I don't want other people to access or delete my personal or business data (even though it's backed up quite often and partly encrypted and others couldn't financially profit from it). It's not paranoia, it's simply that I expect Synology (which I still think does a fantastic job otherwise) to fix known security issues. Common practice nearly anywhere else. There's just no reason not to care about it. There simply isn't.

Furthermore, even for industry use the physical security argument doesn't work. Physical security is just a completely different thing.

Trolli wrote:In general the most vulnerable point in a home system is the desktop PC. Even the strongest software security will be irrelevant if someone manages to get the access information to your Synology Station from your PC. If you store sensitive data on systems that can be accessed from the internet I would suggest you use strong encryption software anyway (and back up your data, of course).

So should business users. Actually, I don't see why company data should be more important than personal data. I want mine protected as well as possible. That's what I expect of a product marketed for SoHo use. Full Stop.
And again, pointing out that there _might_ be other security holes does not mean that there's less need for Synology to fix the firmware. That's like saying: We don't need to ban guns because you can also be stabbed...

Fact: the current firmware has vulnerabilities. Fact: they can be fixed. Question: why shouldn't they? And they are obviously working on it, which means that in contrast to some users in this thread, they do take it seriously.

alfred (who often feels like discussing mac flaws with apple disciples when reading this thread)
alfred
Beginner
Posts: 22
Joined: Tue Nov 14, 2006 9:27 am

Re: Why are all these ports open? -- SECURITY VULNERABILITIES

Postby dguido » Fri Apr 04, 2008 7:07 pm

HarryPotter wrote::lol: :lol:
your posts are getting more and more ridiculous, especially after asking how to stop the automatic IP blocking function.
thank you for that, it's always a good starter for the day :P

FYI, I had 100+ users connecting to the Synology FTP server and hit the built-in connection limit on the server. People started getting FTP 530 errors because the poor little thing couldn't handle any more TCP connections. There's no configuration option for that in the GUI, and that's what I was asking about.

You're doing a great job moderating. Character attacks and moderation go hand in hand...

Also next time, maybe you should RTFP: viewtopic.php?p=31943#p31956
dguido
Apprentice
Posts: 99
Joined: Wed Oct 17, 2007 8:52 am

Re: Why are all these ports open? -- SECURITY VULNERABILITIES

Postby Franklin » Fri Apr 04, 2008 11:03 pm

Greetings all

1) This thread will be locked due to the wide range of opinions and users approaching the "gray area" of flaming
2) Both sides have valuable and valid input
3) We appreciate the security conscious opinions, especially as they are valuable for Enterprise Environments where Administrators cannot trust thousands of users with their computer network. Thanks to dguido for raising these concerns.
4) We also appreciate the opinions of those who wish to maintain a practical and feature-rich Synology system
5) We are currently working on a release for May, where most of the security concerns raised by dguido should be addressed.
6) All development is subject to change without notice.
7) After the security updates in May, the Synology firmware should meet the needs of both camps.

Thanks again for all input which was raised in this discussion; have a good weekend everyone.
**Franklin is not available**
**Please do not Private Message me for support questions; leave it on the forum so all members can learn. Thanks!**
Library ~ SynologyWiki ~ Synology FAQ ~ Compatibility Lists
Forum Links ~ Forum Policy ~ 3rd-party forums ~ Help us help you ~ Posting Images
Demo Links ~ DSM GUI ~ Photo Station
Downloads ~ Firmware Downloads ~ Beta Program
Support ~ Support Form ~ Submit Kernel ~ Synology eNews
Franklin
Synology Inc
Posts: 6772
Joined: Sat Oct 14, 2006 11:33 pm
Location: Washington, USA
