by kstrauser 4336 days ago
You're right, but I'm not sure that we're saying different things. (FWIW, I actually bought an SSL cert just for my Synology DS412+.)

We don't have enough information to even guess at what the root problem might be, but I contend that this particular piece of hardware is designed for and meant to live on the open Internet. Yes, that's a very scary place. But it's not unreasonable to think that an up-to-date Unix server should be capable of the job, especially when its vendor explicitly sells it on the basis that it is.

I'm strongly hoping that the vulnerability turns out to be something already patched in a software update and not a 0-day. That would go a long way toward making me feel better about the situation.


> But it's not unreasonable to think that an up-to-date Unix server should be capable of the job

You are right, an up-to-date Unix/Linux server is capable of the job (but still requires routine security maintenance to keep secure!) -- however, this home appliance is far from being up-to-date... by design.

My CentOS boxes at the office update almost every few days... how often does this appliance update? Once a year? Maybe twice if you are lucky. Then how many users are actually applying all updates? Probably very few.

I would further contend that a NAS-in-a-box like this can never be secure. The vendor isn't going to update it frequently enough -- not enough users will actually update -- they are likely using old, outdated/insecure versions of various open source projects or, worse, crudely hacked-together proprietary projects to run the webserver, web UI, SSL layer, authentication, etc. By now, the manufacturer has probably already back-burnered this device and moved on to newer models, or will shortly -- completely abandoning all the current users, who will get stuck with a swiss-cheese-in-a-box.

I'll go further and contend that the only safe and secure way to do this is to go with something like FreeNAS or OwnCloud. Both are current projects with massive user bases. Both are FOSS projects, and both have corporate backing if you need support or more enterprise features. Both stay very up-to-date, with bugfixes, security fixes, and new features rolling out often. Both have upgrade paths from older versions, etc. Basically, they are much more secure and will stay that way for the life of the project.

> how often does this appliance update? Once a year?

About once a month: http://www.synology.com/en-global/releaseNote/model/DS412+

Synology uses the same base distro across all their devices, so everyone gets updates at about the same time. The device emails me when a new software version is available.

I get what you're saying, but in this case it's totally wrong. They're very active about providing updates to add functionality (even to old systems!) and fix stuff.

So back to my original position: this is not an unreasonable thing to expect to be able to run on the Internet. It's a modern Linux box that gets monthly updates, designed with the explicit intention of providing secure services over the public Internet. It would absolutely suck if that proved not to be the case.