unRAID "Phone Home" discussion


Recommended Posts

Tom, thanks for the detail breakdown of the cal home in https://lime-technology.com/forum/index.php?topic=51379.msg493097#msg493097

 

I just wish we could have avoided all this predictable upset by publishing these details at the time the feature was added. It would have turned the whole thing positive and open from day 1 and saved countless man hours.

 

If this mechanism will be in place for all future beta release cycles i suggest we transplant the words to the wiki.

 

Kudos

Link to comment

Here's the "phone home" request:

 

Thank you. Glad to see the details of these requests, although I wonder what data protection policies you might need to adhere too given the storing of user information - certainly in the UK it's a tightrope to walk.

 

Do you keep IP logs of all these requests and tie those to GUIDs?

 

Can I ask what plans you have in place to prevent such a CVE backlog occurring again in future?

Link to comment

I'd also like to see clear confirmation from LT that the phone home and kill switch will be removed from the final release.

 

Also, why not disable array auto start and give the user a warning if there is a problem found with a beta instead of disabling booting as others have suggested?

 

I'm sure these features were implemented with the best intentions, but as a paying customer I don't want to be punished for paying for unraid and then treated like I'm incompetent when I volunteer to beta test for you.

Link to comment

Also, why not disable array auto start and give the user a warning if there is a problem found with a beta instead of disabling booting as others have suggested?

Not that it probably matters, but it is not booting that is disabled, but array start.  However if one has a full license then being able to start the array anyway seems a good idea/compromise.  Even if this happens every time the unRAID system is restarted it is still an improvement.

 

Related to this issue, I wonder if there are any plans to disable beta/RC releases (probably after a delay of a month or two of them being superseded to give users time to do something) using this mechanism.    Personally I think it would be a good idea so that once a beta program finishes users move to a general release version of some sort as this would significantly reduce support issues.

Link to comment

Tom, I can predict the future. Did you know that?

 

I suggest your responses here so far, and any future ones on this topic, be consolidated into a single, closed, sticky post in the announcement thread. I believe it will save you a lot of headache based on my predictions of the future when the next beta/rc cycle happens. Or sooner :-\

Link to comment

Here's the "phone home" request:

 

Thank you. Glad to see the details of these requests, although I wonder what data protection policies you might need to adhere too given the storing of user information - certainly in the UK it's a tightrope to walk.

 

Do you keep IP logs of all these requests and tie those to GUIDs?

 

Can I ask what plans you have in place to prevent such a CVE backlog occurring again in future?

I'd also like to see clear confirmation from LT that the phone home and kill switch will be removed from the final release.

Confirming: the phone home and kill switch will be removed from the final release.

 

There's a kill switch and a phone home. Nice.

 

I feel my questions are fair and need answering. Simply saying to users that unRAID isn't designed to be secure isn't a defense these days as there are many vulnerable devices on our networks - and that number will only grow.

 

Obviously you don't owe me an explanation as to why you have chosen, more than once, to architect your system in a fundamentally insecure way - but I think your userbase deserves an answer. CVEs are not to be ignored, they will bite you one day. I know you know this, which is what makes dealing with LT so frustrating sometimes. An OS manufacturer without a clear privacy or security policy. Sounds crazy when you say it like that. Sorry to be the one who did.

 

 

Link to comment

Well, you are asking about compliance with privacy laws in specific countries.  I imagine he has to be careful how he answers that.

 

My initial thought was that since this was entirely opt-in, people are making a mountain out of a molehill ;0

 

But your comment about the CVE backlog changes things a bit, since the only way for users of this platform to address the CVEs was to install the betas/RCs.  So for users who are concerned about fixing those security issues, the beta/RC cycle wasn't quite so optional.

 

Link to comment

Alright peeps, this is how much LT care about CVEs and your security. Pretty disrespectful.

 

This certainly seems like a topic that can never be resolved. For what it is worth RC4 is probably vulnerable to a kernel level MITM CVE-2016-5389. I have not posted this is the security sub forum because what is the point, no one ever acknowledges me and it certainly doesn't impact the timing of a fix.

 

I think it important we keep focused on what has been asked here because it really is pretty simple; there has to be a privacy policy because unless LT has made a considerable effort not to track personal data the typical name, address, IP, version will be stored in various places. This is to be expected by any online business but thats why a privacy policy is needed.

 

As for CVEs, I have made my case for this countless times. We need a security patching policy. This is an absolute requirement as due to the "firmware" nature of the product it can ONLY be patched completely at source. This does not need to be much and at its heart is simply a commitment to patch the release product once every XXX days/weeks/months under normal circumstances and an emergeny time line for critical issues. It should also have a basic "report a security issue" privately procedure.

 

With the exception of the actual patches the above is at most an evening work. As an OS manufacturer it not really optional and certainly to sell in the EU/UK the privacy policy is a legal requirement (luckily its 30 mins effort copying someone elses like everyone else does).

 

Why cant we simply debate this to conclusion? Why cant we help get it done? I just dont get why its silence or push back every year its brought up.

Link to comment

BTW @NAS - I agree 100% with everything you've written. It's absolutely shameful and is a completely avoidable situation.

 

Could someone link me to LT's privacy and security policies please? Also point me in the direction of where I can submit a FOI on the information they hold on me. That's a legal requirement in the UK, does this hold true in the US?

Link to comment
Guest
This topic is now closed to further replies.