Wiggly Wayne DDS
Sep 11, 2010



Axe-man posted:

I will say as an aside, that the synology devices are tough little buggers, I've never seen them cracked by software directly. It is always some weak password/other computer on the network compromised.
uh... https://www.synology.com/en-global/security/advisory

https://www.kb.cert.org/vuls/id/404187

quote:

Synology NAS servers contain insecure default credentials

Synology NAS servers DS107, firmware version 3.1-1639 and prior, and DS116, DS213, firmware versions prior to 5.2-5644-1, use non-random default credentials of: guest:(blank) and admin:(blank) . A remote network attacker can gain privileged access to a vulnerable device.


Wiggly Wayne DDS
Sep 11, 2010



Axe-man posted:

"Synology NAS servers DS107, DS116, and DS213, use default credentials."
That is over 10 years old, except for the DS116 which is only 6

"Firmware versions prior to 5.2-5644-1"

That firmware is all over 10 years old for the 3.1, and the 5.2 is from 2015-05-12

So yeah, they did back in the day. Looks like they patched out the version too in like a week or so.

Not saying they are perfect but it appears they learned that lesson.
you were claiming

Axe-man posted:

I will say as an aside, that the synology devices are tough little buggers, I've never seen them cracked by software directly. It is always some weak password/other computer on the network compromised.
just focusing on hard-coded credentials here's two more that jump to mind:
2012 telnet hard-coded credentials generated via date: https://wrgms.com/synologys-secret-telnet-password/
2014 vpn hard-coded root credentials: https://www.kb.cert.org/vuls/id/534284

both the main vendors need to up their game, but they've also not had a lot of focus by the general security community really so consider all the vulns the tip of the iceberg
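The post above lists a telnet password derived from the date as a "hard-coded" credential. The reason a date-derived secret is no better than a fixed one is that its keyspace is the calendar, not a random value: an attacker who can guess the device clock to within a few days needs a handful of login attempts. The block below is an added example, not code from the original post and not Synology's actual derivation (the scheme in `derive_password` is hypothetical and chosen only to show the enumeration); the `verify` callback stands in for a login attempt against the service.

```python
from datetime import date, timedelta
from typing import Callable, Iterator, Optional, Tuple


def derive_password(d: date) -> str:
    """Hypothetical date-derived password (NOT the real Synology scheme).

    The only variable input is the calendar date, so the whole output space
    for a year is at most 366 strings.
    """
    return f"{d.month:02d}{d.day:02d}-{d.year % 100:02d}"


def candidates(reference: date, window_days: int) -> Iterator[str]:
    """Yield every password the scheme can produce within +/- window_days of
    the attacker's best guess of the device clock, nearest-first is not
    needed: the space is so small that scanning the window linearly is fine."""
    seen = set()
    for offset in range(-window_days, window_days + 1):
        pw = derive_password(reference + timedelta(days=offset))
        if pw not in seen:          # guard against schemes that collide across dates
            seen.add(pw)
            yield pw


def keyspace_size(year: int) -> int:
    """Number of distinct passwords the scheme can emit over one year."""
    d = date(year, 1, 1)
    seen = set()
    while d.year == year:
        seen.add(derive_password(d))
        d += timedelta(days=1)
    return len(seen)


def recover(verify: Callable[[str], bool], reference: date,
            window_days: int) -> Tuple[Optional[str], int]:
    """Simulated online guessing loop.

    `verify(pw)` models one login attempt and returns True on success.
    Returns (password, attempts_used) or (None, attempts_used).
    """
    attempts = 0
    for pw in candidates(reference, window_days):
        attempts += 1
        if verify(pw):
            return pw, attempts
    return None, attempts


def demo() -> Tuple[Optional[str], int]:
    """Constructed scenario: the device clock is 2012-06-13 but the attacker
    only knows it is 'mid June 2012' and searches a +/- 7 day window."""
    device_clock = date(2012, 6, 13)
    real_password = derive_password(device_clock)
    return recover(lambda pw: pw == real_password, date(2012, 6, 15), 7)


if __name__ == "__main__":
    print("distinct passwords in 2012:", keyspace_size(2012))
    print("recovered:", demo())
```

The takeaway for an appliance vendor is that any credential an attacker can recompute from public or observable inputs (date, serial, MAC, model) is hard-coded in effect; the fix is a per-device random secret set at provisioning, not a more elaborate derivation.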

Wiggly Wayne DDS
Sep 11, 2010



Wibla posted:

I don't like pushing drives beyond 45C... that's just my personal opinion though, they're often rated to do 0-50C or even 0-60C.
I cannot in good conscience recommend running NAS appliances in small cabinets with lacking airflow. That's just begging for trouble.
yeah i made a custom cabinet a la https://geoffruddock.com/soundproof-synology/ with a similar design, and none of the drives go past 40c even in heat waves here (uk). the cpu temp unreliably peaks at 60-70c, but that's with a noctua a-12-x25 pwm as exhaust to the cabinet, which cools better than the internal fan of my nas, so i knock the internal down to 5% to ensure some level of airflow is happening there. otherwise the entire unit is whisper quiet

Wiggly Wayne DDS
Sep 11, 2010



YerDa Zabam posted:

Couple of new Def Con videos that I thought you lot might enjoy.
The hard drive stats one in particular I enjoyed. (It's Backblaze btw)

https://www.youtube.com/watch?v=pY7S5CUqPxI

alright video covering the western digital mycloud, and synology cloud services but lol at them acting surprised at the certificate transparency log existing. western digital only really cared if you have a valid token, not one for your specific device. given how low-hanging that fruit is no surprise it got locked down 2 weeks before pwn2own. really all their research was pretty low in complexity, which is telling for the state of nas security as a whole. can't help but notice their synology attack needed local network access or at least the mac/serial/model so they didn't have as much wide access as they implied
really bad recording for a decent talk going over what everyone should already know about backblaze's methodology. if you read the report nothing in this should be new to you, just a few mentions of ssds holding strong for longevity but being too expensive for them to test in the scale they want and complaining about smart being inconsistent across manufacturers

the rest of the talks at defcon are dire...

Wiggly Wayne DDS
Sep 11, 2010



BlankSystemDaemon posted:

Does anyone have experience with QuTS Hero? It's apparently a ZFS based appliance OS for QNAP systems with 8GB RAM or more.
yeah works for my use case

Wiggly Wayne DDS
Sep 11, 2010



BlankSystemDaemon posted:

I wonder how many people have considered the implications of the amount of trust required in the remote server and who has access to it from an infosec point of view.
i have, part of why i don't use plex (it also doesn't like handling long video files for seeking/resume purposes... and hates non-tv/movie video folder structures)

Wiggly Wayne DDS
Sep 11, 2010



BlankSystemDaemon posted:

Are you also a Kodi user then?

It's what I've consistently stuck with for my HTPCs, and I do both YouTube, Twitch, DR (the Danish equivalent of BBC) and others live/VoD services on it just fine.
yeah kodi with an emby plugin covers 99% of my use-case

Wiggly Wayne DDS
Sep 11, 2010



see the advantage to just having kodi as the media centre app and using a plugin on that to interface with jellyfin/emby/plex is that you don't need to worry about codecs, subtitles, or anything. that'll handle anything you can throw at it and decode it properly (unless we go into the mess of hdr...). you really shouldn't be running a mysql backend these days for any of that, just have kodi act as a thin-client and hold any resume/watched data on the nas

hell even on my steamdeck i just have kodi running in desktop mode (with a shortcut from the main ui so its seamless) and that can be a plug and play media centre or watching/playing music outside. transcoding was a necessity a decade ago and only sits around now because of hevc<->browser problems and extremely low power devices that were never meant to do anything good to begin with (imo)

e: and subtitles are way more hosed up than you think when you get into the fine details. there's still really poo poo subtitles out there throwing in html tags, or using forks of subtitling software that is straight up encoding colours and placements wrong

Wiggly Wayne DDS
Sep 11, 2010



Pablo Bluth posted:

QNAP is gathering a history of terrible security in its products.
so uh i haven't seen that in practice at all. there's a lot of extra multimedia cruft they've been trying to remove that keeps getting cves, and the usual "don't put your nas into a cloud service" vulns, but nothing especially unique. there's hardcoded credentials that were fixed a while ago, but if you're isolating the device it's p good

src: i have qnap nases and haven't seen a relevant security flaw

Wiggly Wayne DDS
Sep 11, 2010



the one real criticism you could give was they didn't release automatic firmware updating until a couple of years ago. any of the big ransomware issues are about issues patched a long time ago and people not updating their devices by the time the campaigns started using them

Wiggly Wayne DDS
Sep 11, 2010



the vulns are remediated in 22/23 depending on the build. the exposure left over was that it was still vulnerable mid-install and the timeline of notification to patches isn't noteworthy at all either

i've said it before but qnap's security is nowhere near as bad as the reactions imply. it's the same shitpile as other appliance vendors but they're upfront about it and if you keep on top of firmware updates that's good enough. the entire idea of them having bad security comes from some weird factional userbase from reddit that doesn't understand security as much as they want to convince themselves, we don't need to import that insane mindset here

2.5Gb networking existing is a terrible stopgap and reduced research and manufacturing money on making 10Gb viable for the home market imo


Wiggly Wayne DDS
Sep 11, 2010



Scruff McGruff posted:

It might be a byproduct of the fact that they just launched their bug bounty program last year. It's always tough with these types of announcements, is QNAP really more vulnerable than others or are they just more transparent about when security flaws are found? If they're more vulnerable people should avoid them, but if they're really not and are just more transparent about discovered flaws we should encourage that behavior from companies.
given the latest patched builds for the worst vuln date back to november/december depending on the os they're just holding off on announcing until everyone's had time to update
code:
We have already fixed the vulnerabilities in the following versions:
Affected Product 	Fixed Version
QTS 5.1.x 		QTS 5.1.3.2578 build 20231110 and later
QTS 4.5.x 		QTS 4.5.4.2627 build 20231225 and later
QuTS hero h5.1.x 	QuTS hero h5.1.3.2578 build 20231110 and later
QuTS hero h4.5.x 	QuTS hero h4.5.4.2626 build 20231225 and later
QuTScloud c5.x 		QuTScloud c5.1.5.2651 and later
myQNAPcloud 1.0.x 	myQNAPcloud 1.0.52 (2023/11/24) and later
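The fixed-version table above is the kind of thing you want to check a fleet against automatically, and QNAP's version strings need slightly careful comparison: the dotted number and the `build` date are both significant, and an installed build is only covered by the row for its own major.minor branch (a 4.5 box is not "patched" just because 5.1 has a fix). The block below is an added example, not QNAP's code or a tool from the original post; it takes the four QTS / QuTS hero rows from the quoted table (the QuTScloud and myQNAPcloud rows carry no build date and are left out), and the installed version strings in the demo are constructed for illustration.

```python
import re
from typing import Dict, Optional, Tuple

# Fixed versions copied from the advisory table quoted above.
FIXED_VERSIONS = [
    "QTS 5.1.3.2578 build 20231110",
    "QTS 4.5.4.2627 build 20231225",
    "QuTS hero h5.1.3.2578 build 20231110",
    "QuTS hero h4.5.4.2626 build 20231225",
]

# Product name, optional 'h' prefix (QuTS hero), dotted numbers, optional build date.
_VERSION_RE = re.compile(
    r"^(?P<product>QTS|QuTS hero)\s+h?(?P<nums>\d+(?:\.\d+)+)"
    r"(?:\s+build\s+(?P<build>\d{8}))?$"
)

Parsed = Tuple[str, Tuple[int, ...], int]      # (product, numbers, build date)
BranchKey = Tuple[str, int, int]               # (product, major, minor)


def parse_version(text: str) -> Parsed:
    """Parse 'QTS 5.1.3.2578 build 20231110' into comparable parts.

    A missing build date is recorded as 0, which deliberately sorts *older*
    than any real build: if an inventory string lacks the date we cannot
    prove it is at or past the fixed build, so treat it as unpatched.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(part) for part in m.group("nums").split("."))
    build = int(m.group("build") or 0)
    return m.group("product"), nums, build


def branch_key(parsed: Parsed) -> BranchKey:
    product, nums, _ = parsed
    return product, nums[0], nums[1]


def fixed_table() -> Dict[BranchKey, Parsed]:
    return {branch_key(p): p for p in map(parse_version, FIXED_VERSIONS)}


_FIXED = fixed_table()


def is_patched(installed: str) -> Optional[bool]:
    """True if `installed` is at or past the fixed build for its branch,
    False if it is older, None if the branch is not in the advisory table
    (an unknown branch is a finding in itself, not a pass)."""
    parsed = parse_version(installed)
    fixed = _FIXED.get(branch_key(parsed))
    if fixed is None:
        return None
    # Dotted numbers are compared first; the build date breaks ties between
    # two builds of the same numbered release.
    return (parsed[1], parsed[2]) >= (fixed[1], fixed[2])


def demo() -> Dict[str, Optional[bool]]:
    """Constructed inventory lines, not real devices."""
    inventory = [
        "QTS 5.1.3.2578 build 20231110",      # exactly the fixed build
        "QTS 5.1.3.2578 build 20231030",      # same number, earlier build
        "QTS 5.1.4.2596 build 20231128",      # later numbered release
        "QuTS hero h4.5.4.2626 build 20231224",
        "QTS 4.5.4.2627",                     # no build date: cannot prove
        "QTS 4.3.6.2000 build 20220101",      # branch not in the table
    ]
    return {line: is_patched(line) for line in inventory}


if __name__ == "__main__":
    for line, status in demo().items():
        print(f"{status!s:>5}  {line}")
```

If you feed this from a real inventory, normalise the strings the NAS reports (the web UI and the SNMP/API paths do not always include the build date in the same place) before parsing, and treat every `None` as something to look at rather than something to ignore.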
