Someone scans the internet for NC/OC instances

Except that you could be freaked out and just remove such hard-to-upgrade software.

I really don’t understand the purpose of this bizarre action, if you really worry about users and their setups, you could provide an online check like ssllabs for the SSL setup except very specific for Nextcloud. With your server address and an empty account, they can check the webdav functionalities (litmus test) and the version.

2 Likes

Here’s the email our provider got, apparently they sent lists of Own/Nextcloud instances to all providers. Not sure who sent the email, my provider won’t tell me that because multiple customers are involved. I removed the Nextcloud email address to protect against spambots etc.

http://pastebin.com/XPhxpUva

My main issue with this is that the abuse process is meant for actual abuse. Sending spam or hacking attempts things like that. Not patching your software is simply not abuse. If every software developer starts doing this providers are going to be very busy very quickly.

It would be great if Nextcloud stops this practice.

I really don’t understand the purpose of this bizarre action, if you really worry about users and their setups, you could provide an online check like ssllabs for the SSL setup except very specific for Nextcloud. With your server address and an empty account, they can check the webdav functionalities (litmus test) and the version.

I suppose this stuff is mainly targeted at users that wouldn’t even use an extra service like this because the either dont care or dont know. It’s not that hard to follow new releases. I mean: do you really want to know that you are running an old version if you are running an old version ;D?

Other actions could include:

  • Automatic updates (people will kill you)
  • Update nagging like showing popups to people every day for out of date installations

Problem in the past, update notification didn’t work all the time. When new updates were released, it was completely unknown if or when your update notification would trigger an update (so it’s not possible to tell if the notification stuff is working or not).

  • Automatic updates are a bit critical, but if updates happen to be very stable why not offering people to do this (wordpress can do it).
  • If you have a very old unsupported version, I wouldn’t mind an option to be set manually in the config-file that you need to enable this. This still gives you the option to run the old version in a local network. But if you have a public setup, you can’t say that you didn’t know.

If you have a very old unsupported version, I wouldn’t mind an option to be set manually in the config-file that you need to enable this. This still gives you the option to run the old version in a local network. But if you have a public setup, you can’t say that you didn’t know.

I don’t think it really matters how old the software is. Think of a version 10.0.1 which could have a very seriousy flaw which is fixed in 10.0.2 (the latest version in that case). So essentially you’d need to implement some sort of “Am I the latest version phone home functionality” which could ofc be opted out

There is far more going on with an app like Nextcloud than just SSL stating that a check with ssllabs in anyway validates anything but basic security.
With all the Libs, apps and code any version is highly likely to contain exploits, or at least exploits to be found.

I am not sure if making the version number available is a good idea at all, opensource is about choice and choice of version you run, choice of what sources you make available and choice over what is publicly on show.

Forced obsolescence and shaming are not about choice and not what Opensource in my books is really about.

I jumped on the Nextcloud bandwagon because I was really pleased to see some of my previous reservations about Owncloud seem to be dispelled.
I am starting to get worried again, as for me there does some to be some very strange and dubious decisions being made that don’t fit my vision of efficient user led software development and the benefits of the crowd.

I have used various OpenSource platforms and scanning and being targeted is common, happens on Wordpress, Joomla, Oxwall… Depends on the plugins, some plugins deliberately advertise your site, so Nextcloud is not alone.

Security through obscurity in terms of not publicly bearing all on the internet of what you are and what you use for a vast number of Nextcloud users who do very much fit into the category of (Too small, No profit to attack / hack, not worth the effort) and also less technically competent to have rapid version upgrading and updating.

You don’t sell support by telling the internet the versions being run by users, WTF!

This could be an option and by default it should be off.

3 Likes

I understand your frustration and its perfectly fine to vent it :wink:

However

I am not sure if making the version number available is a good idea at all, opensource is about choice and choice of version you run, choice of what sources you make available and choice over what is publicly on show.

I asked around and it’s needed for using the correct routes for public sharing and syncing.

Apart from that you are mixing things up. FOSS is about being able to change the source code and has nothing to do with buttons and options.

Patching software doesnt really have anything to do with planned obsolescence :wink: It’s not shaming, it’s the BSI helping you people that they could be subject to attacks. They probably know more than us and maybe automated attacks are already under way.

As an analogy: Samsung warning their customers that their phones could explode so they should return it and get a replacment for free is a good idea right?

This could be an option and by default it should be off.

Right, you could request that feature in the issue tracker where disabling support for the sync client would also turn off the status.php

1 Like

For anyone interested: I’ve dug a bit into the topic and facts and compiled a few things:

  • Scanning was conducted by an unrelated third party (in France if you look at the IPs)
  • The BSI contacted you guys in order to prevent you from automated attacks
  • Re-phrasing “please update your instance” to “please buy support from us” is a bit silly :wink: The BSI decided to help you out because they think it was important based on the information they had.
  • Openly propagating the version number looks bad at first but it essentially doesn’t change the attack surface. It’s in fact completely irrelevant for attackers because these attacks usually brute force vulnerabilities (it’s in fact easier to program it in that way and more effective).

Nothing to see here, move along, keep your stuff up to date, be lucky that this was not an attack :wink:

1 Like

For anyone interested: I’ve dug a bit into the topic and facts and compiled a few things:

  • Scanning was conducted by an unrelated third party (in France if you look at the IPs)

The Nextcloud scan page and their email address was posted in the email I haven’t received any response denying involvement so I’m pretty sure it has been Nextcloud.

  • The BSI contacted you guys in order to prevent you from automated attacks

They contacted the providers with a abuse complaint, not the people running the sofware. These complaints are not taken lightly by most, in one instance a provider threatened to blackhole the server if I did not resolve the issue asap.

  • Re-phrasing “please update your instance” to “please buy support from us” is a bit silly :wink: The BSI decided to help you out because they think it was important based on the information they had.

Agreed, although a marketing rep closing the discussion in the other thread likely brought that on.

  • Openly propagating the version number looks bad at first but it essentially doesn’t change the attack surface. It’s in fact completely irrelevant for attackers because these attacks usually brute force vulnerabilities (it’s in fact easier to program it in that way and more effective).

Nothing to see here, move along, keep your stuff up to date, be lucky that this was not an attack :wink:

I agree you need to keep your software up to date, however in the real world it does not work this simple all the time. We generally maintain a set update schedule and only divert if there is a serious issue. Some random software developer or agency does not get to decide this by attempting to force my hand hitting my provider with abuse complaints while noting actually happened.

The Nextcloud scan page and their email address was posted in the email I haven’t received any response denying involvement so I’m pretty sure it has been Nextcloud.

Nexctcloud does not employ people in France and the scans were from French IPs

Are we really discussing Nextcloud’s part in this or just ranting about how BSI used an easy way to contact you guys? If so please contact the BSI because this discussion is not changing anything ;D

The email I got from the provider said to contact Nextcloud if I had any questions so here I am.

In case of questions on the tests performed by the German company please
reach out to ########@nextcloud.com.

So what questions do you have left?

The benefits of using FOSS can include decreasing software costs, increasing security and stability (especially in regard to malware), protecting privacy, and giving users more control over their own hardware.

Actually it would seem to be you, who is mixing things up. Buttons, options and tripe replies.

You know how it reads “can include” and not “includes” :wink: FOSS is only about licensing at its core and when speaking about the most popular licenses it’s all about changing and distributing code. That’s it.

It is by some who have appropriated the FOSS movement for there own needs.

Maybe go and have a chat with Stallman and Raymond on your interpretation of what FOSS is and what it should be and why there was a need for its creation.

@BernhardPosselt I think your tone is winding people up, maybe dial it down a bit. No matter how trivial you feel this is your opinion clearly isn’t shared by others commenting above.

@jospoortvliet do you still feel this isn’t worth talking about? Seems fairly important to clear the air and assuming the intentions of NC are good having an official response here might lighten current tensions.

5 Likes

It isn’t clear if this has been organized by Nextcloud, or on behalf of Nextcloud, or by an independent company (French IP only indicates that resources of a French ISP were used), obviously Nextcloud doesn’t want to give any official statement. So let’s go back to a technical point of view:

If many of your domains are scanned for owncloud/Nextcloud setups, you can use this pattern on domains that are not used for owncloud/Nextcloud and block this IP (e.g. fail2ban). You can also report this IP to the ISP if there is a chance that they handle this request and you suspect illegal activities (search for potential victims). You could also send out fake status-reports on domains that are not using Nextcloud or just ignore it.

It was pointed out that the status-messages are required for setups, so you can only hide you setup behind a VPN if you don’t want to allow public access or somehow restrict the IP range that can use Nextcloud.

It isn’t that I don’t consider it important enough - my lack of statement is due to privacy and security concerns.

And as I said in another thread: personally, if I was warned I left my wallet when leaving a cafe, left my door open when walking my dog or didn’t lock my car, I’d be happy and pick up my wallet/close my door/lock my car. If people hear from their provider that their server is at risk from (potentially automated!) attacks, perhaps the best course of action is to upgrade it to a secure version.

I think some people underestimate how easy it is to hack a outdated ownCloud or Nextcloud server. It is easy to get IP and web addresses on the web, there are services that simply sell them! Then, you can easily do an automated scan and then hack the servers and copy the data or even take over the entire server if the version on it is old enough.

If you ask me, that is a HUGE problem! I can only hope that there are not many insecure systems on the web. Many people are not aware that their privacy is being violated by companies like Google, Dropbox et all, and we started working on private cloud software to help defend people and their data. I personally would feel I’d have to act in a similar way if I knew people were running insecure software. I can guarantee you I tell people who run Windows XP that what they do is potentially dangerous! Wouldn’t you?

Of course I wouldn’t want to lock them up and take their freedom to run Windows XP away… Though, if their system is used in a bot net, as ISP I might want to lock them out of the web.

Again, I can’t talk about what happened here, though to me what Bernhard said about the French IP and such makes sense. I guess a hacker would use a proxy to hide where from he/she breaks (and TOR, maybe) so those attempts could have been from anywhere in the world and I think it is a good move to block them.

1 Like

Didn’t mean to imply that.

I don’t personally have a problem seeing scans in my logs, it’s a public server and it’d be naive to assume it isn’t going to happen - my linux access logs look like I’m behind a locked door in a scene from the Walking Dead :stuck_out_tongue:

But, if my ISP sent me a letter threatening to shut my connection down due to a.n.other company reporting security issues coming from my IP, I’d rage. Especially given my contact details are in the WHOIS of the domain I host from - where I’d more than welcome a notice to say I’m out of date (as you referred to with XP there @jospoortvliet) - as Google did the other week following a nasty vuln in Wordpress that I’d already patched.

Perhaps if you have any influence, ask them to find another means of contact. That appears to be the issue here.

2 Likes

@JasonBayton This is typical German.