Someone scans the internet for NC/OC instances

Before starting some case with lawyers (like mentioned in the link above) I would prefer to collect the actual resulting problems with those checks and discuss if the benefits are worth these problems. Same thing with the existence of the mentioned status.php and the possibility to check the NC instance with it for good or bad reasons.

In the end Nextcloud GmbH has the possibility to make their decision considering the community opinion. Wanted or not, that means an open discussion, but as these two topics exist now it is opened anyway. So make the best out of it ;).

It is a marketing campaign to raise the installation count of Nextcloud.
In the case of the BSI, it is the misuse of an authority for private purposes.

I’m a bit surprised by this. Surely advertising software versions through a publicly available page is a poor security practice?

Not really; the other way around, it would be security through obscurity.

But shouldn’t we usually take steps to ensure that the version information of our web stack is concealed, as far as possible? I thought this was good practice.

It seems at the very least like something that should be opt-in…

My guess is that it was meant as a nice gesture but devs didn’t really think things through and also communicated it badly.

But shouldn’t we usually take steps to ensure that the version information of our web stack is concealed, as far as possible? I thought this was good practice.
It seems at the very least like something that should be opt-in…

AFAIK certain services that use the API depend on it. Also I don’t think it really changes anything, most automated attacks don’t care about that and just brute force all the vulnerabilities ranging from newest to oldest.

Intentionally hiding version numbers is only security through obscurity and not really super useful.

If it helps, it’s trivial to get the WordPress version a site runs generally also, which Google recently leveraged to send site console messages to admins informing them to upgrade from an insecure version.

I haven’t noticed these in my logs, but I might look for them now :slight_smile:

I’d have thought that security through obscurity is inadequate in itself, but not of zero value.

WTF? If a software company needs a federal agency to notify you about updates, what does that tell us about their update notification and update procedures? And if this were an advertisement for ownCloud users, this would be really really poor…

I followed the German thread very lightly with imperfect translations. What exactly happens with this letter? Who are the providers who get it and what are they expected to do?

Nothing happened so far and in my opinion there is also no chance/reason that it will.

The results of the status.php scan for Germany were forwarded to the German Federal Office for Internet Security (BSI), and they informed the respective ISPs to ultimately inform the Nextcloud operators.

So some people interpreted this as an “attack”, where actually just the already open status.php was scanned. So in my opinion there is no chance (and also no reason) to harm Nextcloud GmbH in a legal way.
Also it is criticized that the federal office is used for private purposes in this case. But actually the BSI states on their website: “The BSI protects the networks of the Confederation; But it is also aimed at commercial and private providers such as users of information technology.” So it explicitly also handles private providers, and as Nextcloud/ownCloud is growing it becomes a more important share of publicly and privately used web services. I don’t know what other “private” cases the BSI normally deals with, but at least there is some argument that they could also use their possibilities to force Nextcloud/ownCloud operators to do security updates.

But of course so far I would also always prefer a transparent way of doing such things and let people make their own decision about if/when they want to do their updates/security hardening. Of course some well-published information about all these security topics should be there, which IS on docs.nextcloud.com and here in the forum.

I hope I got everything right so far :stuck_out_tongue:.

Except that you could be freaked out and just remove such hard-to-upgrade software.

I really don’t understand the purpose of this bizarre action, if you really worry about users and their setups, you could provide an online check like ssllabs for the SSL setup except very specific for Nextcloud. With your server address and an empty account, they can check the webdav functionalities (litmus test) and the version.

Here’s the email our provider got, apparently they sent lists of Own/Nextcloud instances to all providers. Not sure who sent the email, my provider won’t tell me that because multiple customers are involved. I removed the Nextcloud email address to protect against spambots etc.

http://pastebin.com/XPhxpUva

My main issue with this is that the abuse process is meant for actual abuse: sending spam, hacking attempts, things like that. Not patching your software is simply not abuse. If every software developer starts doing this, providers are going to be very busy very quickly.

It would be great if Nextcloud stops this practice.

I really don’t understand the purpose of this bizarre action, if you really worry about users and their setups, you could provide an online check like ssllabs for the SSL setup except very specific for Nextcloud. With your server address and an empty account, they can check the webdav functionalities (litmus test) and the version.

I suppose this stuff is mainly targeted at users that wouldn’t even use an extra service like this because they either don’t care or don’t know. It’s not that hard to follow new releases. I mean: do you really want to know that you are running an old version if you are running an old version ;D?

Other actions could include:

  • Automatic updates (people will kill you)
  • Update nagging like showing popups to people every day for out of date installations

Problem in the past: update notifications didn’t work all the time. When new updates were released, it was completely unknown if or when your update notification would trigger an update (so it’s not possible to tell if the notification stuff is working or not).

  • Automatic updates are a bit critical, but if updates happen to be very stable, why not offer people the option to do this (WordPress can do it).
  • If you have a very old unsupported version, I wouldn’t mind an option to be set manually in the config file that you need to enable this. This still gives you the option to run the old version in a local network. But if you have a public setup, you can’t say that you didn’t know.

If you have a very old unsupported version, I wouldn’t mind an option to be set manually in the config file that you need to enable this. This still gives you the option to run the old version in a local network. But if you have a public setup, you can’t say that you didn’t know.

I don’t think it really matters how old the software is. Think of a version 10.0.1 which could have a very serious flaw which is fixed in 10.0.2 (the latest version in that case). So essentially you’d need to implement some sort of “Am I the latest version” phone-home functionality, which could of course be opted out of.

There is far more going on with an app like Nextcloud than just SSL; a check with ssllabs doesn’t in any way validate anything but basic security.
With all the libs, apps and code, any version is highly likely to contain exploits, or at least exploits to be found.

I am not sure if making the version number available is a good idea at all; open source is about choice: choice of the version you run, choice of what sources you make available and choice over what is publicly on show.

Forced obsolescence and shaming are not about choice and not what open source in my book is really about.

I jumped on the Nextcloud bandwagon because I was really pleased to see some of my previous reservations about ownCloud seem to be dispelled.
I am starting to get worried again, as for me there do seem to be some very strange and dubious decisions being made that don’t fit my vision of efficient user-led software development and the benefits of the crowd.

I have used various open source platforms, and scanning and being targeted is common; it happens on WordPress, Joomla, Oxwall… It depends on the plugins; some plugins deliberately advertise your site, so Nextcloud is not alone.

Security through obscurity, in terms of not publicly baring all on the internet about what you are and what you use, for a vast number of Nextcloud users who very much fit into the category of (too small, no profit to attack/hack, not worth the effort) and are also less technically competent to do rapid version upgrading and updating.

You don’t sell support by telling the internet the versions being run by users, WTF!

This could be an option and by default it should be off.

I understand your frustration and it’s perfectly fine to vent it :wink:

However

I am not sure if making the version number available is a good idea at all; open source is about choice: choice of the version you run, choice of what sources you make available and choice over what is publicly on show.

I asked around and it’s needed for using the correct routes for public sharing and syncing.

Apart from that you are mixing things up. FOSS is about being able to change the source code and has nothing to do with buttons and options.

Patching software doesn’t really have anything to do with planned obsolescence :wink: It’s not shaming, it’s the BSI warning you people that you could be subject to attacks. They probably know more than us and maybe automated attacks are already under way.

As an analogy: Samsung warning their customers that their phones could explode so they should return them and get a replacement for free is a good idea, right?

This could be an option and by default it should be off.

Right, you could request that feature in the issue tracker where disabling support for the sync client would also turn off the status.php

For anyone interested: I’ve dug a bit into the topic and facts and compiled a few things:

  • Scanning was conducted by an unrelated third party (in France if you look at the IPs)
  • The BSI contacted you guys in order to protect you from automated attacks
  • Re-phrasing “please update your instance” to “please buy support from us” is a bit silly :wink: The BSI decided to help you out because they think it was important based on the information they had.
  • Openly propagating the version number looks bad at first but it essentially doesn’t change the attack surface. It’s in fact completely irrelevant for attackers because these attacks usually brute force vulnerabilities (it’s in fact easier to program it in that way and more effective).

Nothing to see here, move along, keep your stuff up to date, be lucky that this was not an attack :wink:

For anyone interested: I’ve dug a bit into the topic and facts and compiled a few things:

  • Scanning was conducted by an unrelated third party (in France if you look at the IPs)

The Nextcloud scan page and their email address were posted in the email. I haven’t received any response denying involvement, so I’m pretty sure it was Nextcloud.

  • The BSI contacted you guys in order to protect you from automated attacks

They contacted the providers with an abuse complaint, not the people running the software. These complaints are not taken lightly by most; in one instance a provider threatened to blackhole the server if I did not resolve the issue asap.

  • Re-phrasing “please update your instance” to “please buy support from us” is a bit silly :wink: The BSI decided to help you out because they think it was important based on the information they had.

Agreed, although a marketing rep closing the discussion in the other thread likely brought that on.

  • Openly propagating the version number looks bad at first but it essentially doesn’t change the attack surface. It’s in fact completely irrelevant for attackers because these attacks usually brute force vulnerabilities (it’s in fact easier to program it in that way and more effective).

Nothing to see here, move along, keep your stuff up to date, be lucky that this was not an attack :wink:

I agree you need to keep your software up to date; however, in the real world it does not work this simply all the time. We generally maintain a set update schedule and only divert if there is a serious issue. Some random software developer or agency does not get to decide this by attempting to force my hand, hitting my provider with abuse complaints while nothing actually happened.