How does Nextcloud weigh up against QNAP/Synology/Drobo with regards to privacy?

Hello!

So, I had foolishly opened this post across many different places online before posting it directly in /r/privacy - https://www.reddit.com/r/qnap/comments/7t1l2c/further_inquiry_into_qnap_privacy_policy/ Figured it would be good to post here as well.

Basically, I’m trying to figure out which NAS solution has the best privacy policy between the three big shots: QNAP / Synology / Drobo. I’ve fully read through QNAP’s and I’m currently waiting to speak with corporate about my questions - almost done with Synology’s.

I’m really hoping that I can get answers to the following questions without annoying tin foil hat talk, or someone saying “If you’re not Snowden, I wouldn’t worry about it”. That kind of chat is really offensive to me personally - given I work in a field (journalism) where many coworkers get hit with things like PEN registers on their mobile devices, email subpoenas, and so forth to get information about people they’re working with. I’m hoping there’s some mainstream NAS manufacturer that will handle my data in a zero-knowledge manner where if they’re hit with a request for data / keys, they can’t really turn over much besides some basic data on when / where I connect to my server, my email address.

If that’s truly an outlandish request for the aforementioned brands - I get it. Lastly- I understand that the idea of having a server alone is somewhat of an opsec issue to begin with given the data is online and a 3rd party has some access to it versus things being backed up locally on encrypted drives… so if the idea of having a NAS is inherently flawed as far as privacy, so be it… I’ll take that risk and roll with it because it’s 2018 and I need one - but who should I roll with? The open source / DIY sector? All things point to Nextcloud.

And now, my questions, please ignore the “QNAP mentions” and replace those with anyone you please.

1. Are my login credentials to my NAS stored by QNAP?

2. If so, do they ever access the contents of my NAS? The PP states that they can look through data I “publish”, but that sounds more like stuff outside of the confines of my NAS through other QNAP channels / services.

3. Are my encryption keys to my storage ever stored by QNAP? If so, how are they stored? in plaintext? Encrypted? If encrypted, in what way? Can I opt out of this if so?

4. I tried to stay away from the use of a trendy word like ‘backdoor’ on my google searches, but this super old link definitely got me nervous, does QNAP in fact have a way to get into my device, or is it zero knowledge with regards to my encryption keys? https://www.baseline-security.de/downloads/BSC-Qnap_Crypto_Backdoor-CVE-2009-3200.txt

5. Does my data within my NAS fall into the category of information that can be shared with a 3rd party? Be it an advertiser, a partner of QNAP, a law enforcement agency, etc?

Hi,

In addition to the QNAP crypto backdoor link you posted, you should read this as well:

And while I can’t provide a 100% true answer to your questions about if and how QNAP or others store the credentials to your Storage, I think that’s the point. You have to trust someone to do it right.
For me personally I just couldn’t. I liked the possibilities that cloud services promised and indeed provided, but while I never trusted Cloud providers to keep my data 100% private, I never used them.
For me the solutions of QNAP or WD are pretty much the same with the only difference that the storage is standing in front of me. The access is still managed by the provider. And furthermore you never know if there are backdoors in your NAS like the ones already mentioned.

QNAP describes the authentication against the device on their website as follows:

Authentication

Your account and device information can only be accessed after your myQNAPcloud user account (QID) is authenticated. In addition, before a user can access files on the device or manage the device via CloudLink, that user is required to enter correct credentials for the device, even if that user has signed in his or her myQNAPcloud account. This enforces two-step authentication for stronger security.

I think this is a much better solution than granting everybody access to the NAS who can authenticate against the website of QNAP. But still QNAP is a man in the middle (I think about man in the middle attacks there). Especially when law needs to be enforced I see the danger that an authority can make QNAP or the other providers collect your credentials by a man-in-the-middle attack. Encrypted drives don’t help there.

Additionally QNAP uses weak ciphers for HTTPS:

TLS 1.2 (suites in server-preferred order)

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH secp256r1 (eq. 3072 bits RSA) FS 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH secp256r1 (eq. 3072 bits RSA) FS 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH secp256r1 (eq. 3072 bits RSA) FS 128
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH secp256r1 (eq. 3072 bits RSA) FS 256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH secp256r1 (eq. 3072 bits RSA) FS 256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH secp256r1 (eq. 3072 bits RSA) FS 256
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c) WEAK 128
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c) WEAK 128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) WEAK 128
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d) WEAK 256
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) WEAK 256
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) WEAK 256

TLS 1.1 (suites in server-preferred order)

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH secp256r1 (eq. 3072 bits RSA) FS 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH secp256r1 (eq. 3072 bits RSA) FS 256
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) WEAK 128
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) WEAK 256

TLS 1.0 (suites in server-preferred order)

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH secp256r1 (eq. 3072 bits RSA) FS 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH secp256r1 (eq. 3072 bits RSA) FS 256
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) WEAK 128
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) WEAK 256

That’s something I can push to more security on my own server.

So I first started to use a cloud server, when I was able to set up one on my own. And sure I have a NAS. It’s mounted in Nextcloud and isn’t directly reachable from the Internet.
In my opinion Nextcloud made it easier than ever before to set up one’s own cloud server and the efforts they put into making it a totally secure and private solution for the user impress me. They know that no server is uncrackable and they provide and advertise a solution for that as well, which they develop and push forward to be easily usable for everybody: end-to-end encryption. Correct me if I’m wrong, but I believe that’s not offered by QNAP, Synology, …

To make it short: I think, if data security is very important to you, you better don’t host a cloud server by any provider and you don’t use the cloud services by the NAS providers. It’s said: If you want it done right, you better do it yourself :wink:

Just my opinion, but I hope it’s helpful.

@jospoortvliet Something you would like to add here? :slight_smile:

1 Like

As a journalist, I think you already did a risk assessment about who your antagonists (be it intelligence agencies aka “nation state actors”, corrupt officials, criminals, corporations, …) are. Second, I hope you have a capable and trustworthy IT team behind you because this is a complex field where you need input/help. Third, don’t entirely trust what representatives tell you, check things yourself (again, with the help of independent, capable people you trust). I think as a journalist you know all of this anyway. :wink:

That said, comparing Nextcloud to QNAP, Synology and so on is not completely accurate. Nextcloud is just a web app, you still need a (trustworthy) server to run it on. Synology, QNAP and so on are complete solutions and run a lot of proprietary apps you have no control over next to some Open Source applications/code. Nextcloud is entirely FLOSS compared to that.

Aside from that, any software (and hardware, see for example Spectre/Meltdown or Intel’s Management Engine) has a lot of bugs and security flaws you know or don’t know about. Constant maintenance and careful security considerations are therefore needed.

As you already mentioned QNAP, if they can see for example file names alone in their diagnostic data and give it to the “right” people, this could be enough of a compromise for you. But not only your storage server is a problem, your client system can compromise you as well. Microsoft, Google, Apple etc. also gather more or less data, so if you work with this data on your local machine, that would be enough to compromise you as well. This could defeat any “zero-knowledge”/E2EE/client side encryption as well because it doesn’t involve the server directly. Another problem would be a backdoor (installed by a malicious actor either directly e.g. a border guard, hotel maid or via a compromised website) on your system which could make any data visible only on the client system accessible to your antagonists.

Given all of that, I would recommend you to work with trustworthy (for you, nobody else actually) IT experts and build a complete ecosystem where chance of a compromise is at least small (nothing is absolutely secure and you should remember that at all times). Free and Open Source software can help you with that because at least it can be reviewed by an independent 3rd party whereas with proprietary software you cannot do that. Also, stay away from anything with a “cloud” connection which only means it has a connection to a 3rd party server you have no control over and never know what happens with your data.

Regarding Nextcloud, your best bet would be to set it up on a trusted server/environment and use the (not yet released) E2EE feature in the future. You also need secure client devices for you to work with to minimize any data leakage at least.

2 Likes

I wouldn’t use a personal storage where I have to use an external authentication. Without it, you can then always isolate the system in your local network and block all external connections.

NAS solutions are a bit different from Nextcloud itself and you can find a few OpenSource projects (e.g. openmediavault, FreeNAS). They are based on large projects, provide quick security fixes and don’t contain proprietary code. The downside is that you have to do more yourself, you have to know how to set up a system, create backups, …

With commercial solutions, you have to trust these companies in many ways. You buy a cheap hardware device once, they make it easy to use, and provide a few updates. Your privacy is probably not their major concern, e.g. a hard-coded root access is very practical for support.

1 Like

Alfred-

While I do appreciate the majority of your post - I suspected I’d get some very literal sass or ‘resting IT sass’ as I call it for not being super, super specific and all-telling. I was afraid of making my post a bit too verbose out of fear of people not even replying to me here… but I’ll go in a bit now that I know that’s not the case.

I have most definitely done a risk assessment and luckily my only real concern is law enforcement and criminals - none of the other demographics you listed out. When my work could get those other parties involved… I’ll probably stop using storage connected to the internet completely haha. I do have several extremely talented individuals who I can personally work with and bounce questions off of - but I’m largely independent - minus the occasional collaboration with much, much larger institutions. Being independent actually makes me feel much safer, working full time at one major news institution was actually one of my biggest opsec nightmares ever, but no need to get into too many tales.

As for comparing Nextcloud to QNAP - again you’re going to have to excuse my brevity and vagueness in my original post… I was goofy enough to assume that these lines “…so if the idea of having a NAS is inherently flawed as far as privacy, so be it… I’ll take that risk and roll with it because it’s 2018 and I need one - but who should I roll with? The open source / DIY sector? All things point to Nextcloud.” - would help more IT minded people understand that I understood that I need a server setup in addition to the software I use. I would be using FreeNAS with Nextcloud if I were to build something. My question was more, if I build something, what parts should I use to build my server? Not to mention all of the finer / minutiae settings details like once it’s made, but I’m not there yet.

I really like your wording about maintenance and security considerations - I know I’m not going to get a turnkey security and privacy setup by moving away from QNAP (my current setup) or doing something like enabling 2FA. I’m with you.

I also really like your wording about filenames - and while file names would never personally compromise me, it’s surely a huge concern… same goes for client end blunders, and services I use (apple, google) and I think it’s great you relayed all of that here… seriously. No facetiousness there, you took a considerable amount of time and effort to write something very helpful.

I’m quite confident with my current understanding of OPSEC in my field, but my knowledge of building servers myself is quite limited and this post is a step towards me changing that! Luckily I’ll be working with one solid IT person and could also bother some solid work contacts with novice questions here and there.

Again, thank you for all of your words.

Are you saying that you take your storage offline when you’re at home and only work on it locally - blocking all outgoing / incoming connections from your NAS? And that when you leave - you’d undo that work to access your files if needed?

That’s what I’m reading this as, which isn’t a bad idea - if I’m home and can work off the device locally- it certainly can be ‘offline’. Even if that’s not what you meant, it’s still a nice thought haha. Please clarify if needed.

See my above reply to alfred about understanding the difference between Nextcloud & a server, sorry about that… trying to be concise bit me in the bum here haha.

It is quite sad that we’re all aware of the shortcomings of commercial solutions… I guess I will really have to commit the time towards building myself.

Schmu-

Wow, that link is absolutely terrifying. Thank you for the share.

I’m with you, I’ve got to build my own setup if my work is going to continue to pose a security risk for me where I’m concerned about a third party like QNAP accessing data or having my keys. Now, I know my own setup could be inherently flawed in many ways… but I PREFER that as opposed to not knowing what a commercial solution is capable of, or what they will do when under pressure from authorities. I’d rather have my own blunder be the thing that gets my data accessed versus my encryption keys simply handed over. As you said QNAP is a man in the middle.

Thanks for the reaffirmation.

Here are QNAP’s official responses from Jerome Wong:

"Hi,

1. Are my login credentials to my NAS stored by QNAP?
–Login credentials are not stored by QNAP.

2. If so, do they ever access the contents of my NAS? The PP states that they can look through data I “publish”, but that sounds more like stuff outside of the confines of my NAS through other QNAP channels / services.

–QNAP does not have access to your content. If you are using myQNAPcloud, you do have the option of publishing your content. However that is up to the user’s control.

3. Are my encryption keys to my storage ever stored by QNAP? If so, how are they stored? in plaintext? Encrypted? If encrypted, in what way? Can I opt out of this if so?

–QNAP does not store your encryption keys. It is stored only on your NAS. They are stored like a hash in Linux.

4. I tried to stay away from the use of a trendy word like ‘backdoor’ on my google searches, but this super old link definitely got me nervous, does QNAP in fact have a way to get into my device, or is it zero knowledge with regards to my encryption keys? https://www.baseline-security.de/downloads/BSC-Qnap_Crypto_Backdoor-CVE-2009-3200.txt

–This old link was referring to a security vulnerability we had in the past. That issue has long been resolved and we keep updating our security.

5. Does my data within my NAS fall into the category of information that can be shared with a 3rd party? Be it an advertiser, a partner of QNAP, a law enforcement agency, etc?

–Sharing your data with a 3rd party falls in the hands of the user.

If you have any other questions, please let me know."