by me1010 4336 days ago
> like PhotoStation, CloudStation, WebDAV,

There are secure ways to run things and insecure ways to run things. It's very possible to set up a postfix or exim smtp server as an insecure open relay running on port 25. It's also possible to have either running securely on port 25... And an open port is meaningless by itself. It's the security options applied by the system and application running a service on the port that matter.

The examples you give are just applications that run over http or https... https requires an SSL cert from a trusted CA, and http is a very bad idea for anything that you log into, or that has free access to your home network from the Internet.

I imagine most users skip this step... http://docs.qnap.com/nas/4.0/en/security.htm?zoom_highlights...

Note, the SSL certificate instructions... You can upload a secure certificate issued by a trusted provider. After uploading a secure certificate, users can connect to the administration interface of the NAS by SSL connection and there will not be any alert or error message.

...

The error message referred to here is the web browser message indicating that the SSL certificate doesn't match a trusted CA, and therefore your "secure" NAS connection might be Man-In-The-Middle attacked... And if you don't upload an SSL cert - and connect via http externally - it means that the most amateur of "bad guys" already has your 30 character username and your 45 digit/character/special character password...

2 comments

You're right, but I'm not sure that we're saying different things. (FWIW, I actually bought an SSL cert just for my Synology DS412+.)

We don't have enough information to even guess at what the root problem might be, but I contend that this particular piece of hardware is designed for and meant to live on the open Internet. Yes, that's a very scary place. But it's not unreasonable to think that an up-to-date Unix server should be capable of the job, especially when its vendor explicitly sells it on the basis that it is.

I'm strongly hoping that the vulnerability turns out to be something already patched in a software update and not a 0-day. That would go a long way toward making me feel better about the situation.

> But it's not unreasonable to think that an up-to-date Unix server should be capable of the job

You are right, an up-to-date Unix/Linux server is capable of the job (but still requires routine security maintenance to keep secure!) -- however, this home appliance is far from being up-to-date... by design.

My CentOS boxes at the office update almost every few days... how often does this appliance update? Once a year? Maybe twice if you are lucky. Then how many users are actually applying all updates? Probably very few.

I would further contend that a nas-in-a-box like this can never be secure. The vendor isn't going to update it frequently enough -- not enough users will actually update -- they are likely using old out-dated/insecure versions of various open source projects or worse, crudely hacked together proprietary projects to run the webserver, webui, ssl layer, authentication, etc. By now, the manufacturer has probably already back-burnered this device and moved onto newer models, or will be shortly -- completely abandoning all the current users who will get stuck with a swiss-cheese-in-a-box.

I'll go further and contend the only safe and secure way to do this is to go with something like FreeNAS or OwnCloud. Both are current projects with massive user-bases. Both are FOSS projects, and both have a corporate backing if you need support or more enterprise features. Both stay very up-to-date with bugfixes, security fixes, and new features rolling out often. Both have upgrade paths from older versions, etc. Basically, they are much more secure and will stay that way for the life of the project.

> how often does this appliance update? Once a year?

About once a month: http://www.synology.com/en-global/releaseNote/model/DS412+

Synology uses the same base distro across all their devices, so everyone gets updates at about the same time. The device emails me when a new software version is available.

I get what you're saying, but in this case it's totally wrong. They're very active about providing updates to add functionality (even to old systems!) and fix stuff.

So back to my original position: this is not an unreasonable thing to expect to be able to run on the Internet. It's a modern Linux box that gets monthly updates, designed with the explicit intention of providing secure services over the public Internet. It would absolutely suck if that proved not to be the case.

IDK what world you live in, but in my world I'm not getting actively MITMd by "amateur bad guys". If that was the case, my NAS would be the last thing I'd be worrying about.

Also, what security do you expect SSL to provide on a device with copious remote code execution vulns?