August 4, 201411 yr this should serve as a wake up call for all those that have their nas exposed to the internet / not protected / running whatever 3rd party apps.. etc. https://news.ycombinator.com/item?id=8128521 http://forum.synology.com/enu/viewtopic.php?f=3&t=88716 this could easily be an unraid user.. food for thought on best practices / tom making sure this kind of stuff doesnt happen with apps?
August 4, 201411 yr Author older exploit, but stuff like this just makes you scared to have your nas reachable via the internet: 'The OpenVPN module in Synology DiskStation Manager (DSM) 4.3-3810 update 1 has a hardcoded root password of synopass, which makes it easier for remote attackers to obtain access via a VPN http://www.cvedetails.com/cve/CVE-2014-2264/
August 4, 201411 yr Scary stuff! Running a port scanner now to see if anything is open that shouldn't be but I should be good. Just another example of why having offline backups of all critical files that you cannot live without is a really good idea.
August 5, 201411 yr Scary stuff! Running a port scanner now to see if anything is open that shouldn't be but I should be good. Just another example of why having offline backups of all critical files that you cannot live without is a really good idea. http://www.anandtech.com/show/8337/synology-advises-users-of-synolocker-ransomware They are asking 0.6 BTC as ransom! All those poor guys without their precious files.... :'(
August 5, 201411 yr Scary stuff! Running a port scanner now to see if anything is open that shouldn't be but I should be good. Just another example of why having offline backups of all critical files that you cannot live without is a really good idea. Agreed, though it's also a reason to keep your critical software up to date. There was someone posting a week or so ago on these forums about whether they should stay on 4.5 or move to 5.0 ( don't remember the user). There were comments of "if there is no value for you then stay where you are". I would say this is a good reason to upgrade to 5.0.5. There is no currently known issues/exploits for UnRAID, but any time you are running old versions of software/apps you have an increased risk of having left yourself open to something nasty. If you are going to pool everything you care about into a single server/box then you should be paying that much more attention to making sure it's as secure/up-to-date as possible. Just about every time we hear of major exploits it's usually affecting services that are not up to date (wasn't this the issue with Heartbleed?). It's an expensive lesson to learn for some.
August 6, 201411 yr Author this goes both ways.. in your example about heartbleed.. the users of older openssl didnt have the exploit that was introduced in the newer code ( a year ago?) .. thus if you were up to date.. you had the issue.. thus you had to either downgrade to older version that didn't have the exploit or wait for it to get patched and upgrade.. which sometimes is harder to do than said.. especially if your os stopped pushing out updates (not on lts - long term support). in some sense, youre damned if you do and damned if you don't. a lot of people just don't want to mess with something if its not 'broken'.. in fear of breaking something and having to deal with the time... nothing like a harmless upgrade like (upgrading video drivers) to lead you to wasting an afternoon and cursing at why didn't you just leave it the way it was.
August 6, 201411 yr this goes both ways.. in your example about heartbleed.. the users of older openssl didnt have the exploit that was introduced in the newer code ( a year ago?) .. thus if you were up to date.. you had the issue.. thus you had to either downgrade to older version that didn't have the exploit or wait for it to get patched and upgrade.. which sometimes is harder to do than said.. especially if your os stopped pushing out updates (not on lts - long term support). in some sense, youre damned if you do and damned if you don't. a lot of people just don't want to mess with something if its not 'broken'.. in fear of breaking something and having to deal with the time... nothing like a harmless upgrade like (upgrading video drivers) to lead you to wasting an afternoon and cursing at why didn't you just leave it the way it was. I had thought the heartbleed was affecting an older version, but current patched was okay, but I may have been wrong, and it may not have been the best example. So, you want to make sure you are running really old before an exploit gets introduced, or really new where it's been patched. I do sort of get the "if it ain't broke don't fix" mentality, but only to a point. This philosophy works fine with some items (if you have a 6 year old TV and it still works, why replace it?), however with computers I've always maintained that while you may not want to be bleeding edge, you at least want to try and stay current. You may introduce risk by upgrading to something current, however you stand a much better chance of getting support from the community around you as it's likely top of mind or current for many users. If you choose to lag far behind, you do eventually need to bring yourself more up-to-date, and if you are doing it years after the norm it can prove a lot more challenging to get support and the associated risk increases. I agree you are damned if you do, or damned if you don't. However.... if you know you are going to have to get damned when you do, I'd rather get damned with everyone else.
Archived
This topic is now archived and is closed to further replies.