You know how it reads “can include” and not “includes”? FOSS is only about licensing at its core, and when speaking about the most popular licenses it’s all about changing and distributing code. That’s it.
It is by some who have appropriated the FOSS movement for their own needs.
Maybe go and have a chat with Stallman and Raymond on your interpretation of what FOSS is and what it should be and why there was a need for its creation.
@BernhardPosselt I think your tone is winding people up, maybe dial it down a bit. No matter how trivial you feel this is, your opinion clearly isn’t shared by others commenting above.
@jospoortvliet do you still feel this isn’t worth talking about? Seems fairly important to clear the air, and assuming the intentions of NC are good, having an official response here might lighten current tensions.
It isn’t clear if this has been organized by Nextcloud, or on behalf of Nextcloud, or by an independent company (a French IP only indicates that resources of a French ISP were used); obviously Nextcloud doesn’t want to give any official statement. So let’s go back to a technical point of view:
If many of your domains are scanned for owncloud/Nextcloud setups, you can use this pattern on domains that are not used for owncloud/Nextcloud and block this IP (e.g. fail2ban). You can also report this IP to the ISP if there is a chance that they handle this request and you suspect illegal activities (search for potential victims). You could also send out fake status-reports on domains that are not using Nextcloud or just ignore it.
It was pointed out that the status messages are required for setups, so you can only hide your setup behind a VPN if you don’t want to allow public access, or somehow restrict the IP range that can use Nextcloud.
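The detection half of the fail2ban suggestion above, as an added example that is not from this thread: it scans web access-log lines for requests to Nextcloud’s `/status.php` endpoint (the “status report” the thread refers to) on vhosts that do not run Nextcloud/ownCloud, and lists the source IPs that exceed a fail2ban-style `maxretry`. It assumes a vhost-prefixed combined log format; the log lines, host names and IPs are constructed.

```python
import re
from collections import Counter

# Constructed sample access-log lines (combined format with the vhost
# prepended). These are made up for this example, not real traffic.
SAMPLE_LOG = """\
shop.example.net 203.0.113.7 - - [17/Mar/2017:10:01:02 +0100] "GET /status.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
shop.example.net 203.0.113.7 - - [17/Mar/2017:10:01:03 +0100] "GET /owncloud/status.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
blog.example.net 203.0.113.7 - - [17/Mar/2017:10:01:04 +0100] "GET /nextcloud/status.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
cloud.example.net 198.51.100.20 - - [17/Mar/2017:10:02:10 +0100] "GET /status.php HTTP/1.1" 200 312 "-" "mirall/2.2.4"
blog.example.net 198.51.100.20 - - [17/Mar/2017:10:02:11 +0100] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Hosts that really serve Nextcloud/ownCloud (assumed). Sync clients call
# status.php there legitimately, so those requests are never counted.
NEXTCLOUD_HOSTS = {"cloud.example.net"}

# vhost, client IP, ident, user, [timestamp], "METHOD path proto", status
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?:GET|HEAD) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def status_probes(log_text, nextcloud_hosts=NEXTCLOUD_HOSTS):
    """Count, per client IP, requests for a status.php path on a vhost
    that does not run Nextcloud/ownCloud, i.e. version-probing traffic."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["vhost"] in nextcloud_hosts:
            continue
        path = m["path"].split("?", 1)[0]       # ignore any query string
        if path.endswith("/status.php"):
            hits[m["ip"]] += 1
    return hits

def ips_to_block(log_text, maxretry=2, nextcloud_hosts=NEXTCLOUD_HOSTS):
    """Mimic fail2ban's maxretry: IPs with at least `maxretry` probes."""
    probes = status_probes(log_text, nextcloud_hosts)
    return sorted(ip for ip, n in probes.items() if n >= maxretry)

if __name__ == "__main__":
    for ip in ips_to_block(SAMPLE_LOG):
        print("block", ip)   # hand to fail2ban / a firewall rule
```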
It isn’t that I don’t consider it important enough - my lack of statement is due to privacy and security concerns.
And as I said in another thread: personally, if I was warned I left my wallet when leaving a cafe, left my door open when walking my dog or didn’t lock my car, I’d be happy and pick up my wallet/close my door/lock my car. If people hear from their provider that their server is at risk from (potentially automated!) attacks, perhaps the best course of action is to upgrade it to a secure version.
I think some people underestimate how easy it is to hack an outdated ownCloud or Nextcloud server. It is easy to get IP and web addresses on the web, there are services that simply sell them! Then, you can easily do an automated scan and then hack the servers and copy the data or even take over the entire server if the version on it is old enough.
If you ask me, that is a HUGE problem! I can only hope that there are not many insecure systems on the web. Many people are not aware that their privacy is being violated by companies like Google, Dropbox et al., and we started working on private cloud software to help defend people and their data. I personally would feel I’d have to act in a similar way if I knew people were running insecure software. I can guarantee you I tell people who run Windows XP that what they do is potentially dangerous! Wouldn’t you?
Of course I wouldn’t want to lock them up and take their freedom to run Windows XP away… Though, if their system is used in a bot net, as an ISP I might want to lock them out of the web.
Again, I can’t talk about what happened here, though to me what Bernhard said about the French IP and such makes sense. I guess a hacker would use a proxy to hide where from he/she breaks in (and TOR, maybe), so those attempts could have been from anywhere in the world and I think it is a good move to block them.
Didnāt mean to imply that.
I don’t personally have a problem seeing scans in my logs, it’s a public server and it’d be naive to assume it isn’t going to happen - my Linux access logs look like I’m behind a locked door in a scene from the Walking Dead.
But, if my ISP sent me a letter threatening to shut my connection down due to a.n.other company reporting security issues coming from my IP, I’d rage. Especially given my contact details are in the WHOIS of the domain I host from - where I’d more than welcome a notice to say I’m out of date (as you referred to with XP there @jospoortvliet) - as Google did the other week following a nasty vuln in Wordpress that I’d already patched.
Perhaps if you have any influence, ask them to find another means of contact. That appears to be the issue here.
Why would you? I’d be grateful and I wish ISPs would do more of that. It would help us all. Or am I missing something?
Did you read to “rage” and stop?
There are easier ways to contact me that don’t involve putting my contract with the ISP in peril.
But that’s not their responsibility and you don’t have a contract with them (“them” being the BSI). The potential threat they recognized is imposed from the ISP’s properties, and that’s why they get informed and asked to do something about it.
I don’t get why you’re having a problem with that. This shouldn’t be a problem:
Because just fixing the issue at your end solves the problem, helps yourself and makes the internet a better place.
I don’t understand why you can’t see past your own opinions here. The “service” (I’ll call it that) is great, and on par with what Google did recently with my Wordpress install that’d already been patched before they contacted me.
But therein itself lies an issue. I patched my Wordpress install the day the vuln was disclosed and the patch was provided. Google scanned it some time during that day and saw it hadn’t yet been patched, so queued a notification to go out to me.
The same can happen here, except instead of me, the admin, being notified (by which I’d say thank you and perhaps even shout out the value of that service), I’d get a cease and desist type letter (as an ISP will often consider these alerts a complaint. They’re not smart.) 2 weeks later - by which time I’m on their radar for potentially doing something I shouldn’t. This puts my internet contract under threat.
There’s a distinction here too; this notification sent to a datacentre will be handled in a completely different manner to the ISP of a home user - a vast userbase for these solutions.
I applaud the objective, and I fully support everyone being up to date within the constraints applied (see patch schedules, etc mentioned above), but the communications protocol in place is all wrong.
The proof of this is in the very existence of this topic.
All outdated software causes a potential threat (browsers, flash, …) but ISPs will have to constantly send notification letters to their customers if you want to set this as a standard. A list of IP addresses of clients of a bot network is a real threat and not only a potential one. From https://nextcloud.com/security/advisories/ I don’t see a warning where you can obtain root permissions on a system. For me it seems exaggerated, especially when some could have been contacted via whois data as @JasonBayton pointed out.
For the community/developers here, there are much better ways to make sure/help users to keep their systems up to date.
Well, if the topic turns into the question of who the BSI should best contact if they become aware of some issues, then this should probably be discussed somewhere else. Don’t you think?
If that’s true and the online services are of any importance to you, I’d consider changing the ISP.
Guess what, ISPs have to handle that sort of stuff 24/7 and they really know how to handle these. If they don’t, they are not the right service provider.
Yes, and not only ISPs. Whenever someone gets to know about a vulnerability they should responsibly disclose that to someone who can deal with it. There is no reason to downplay any of that - but at the same time I can’t tell why there is a smell of panic in the air.
My original post was about an observation and I asked a question because I wanted to understand what’s going on. That’s achieved and the advice is probably the best we all can/should do:

[quote="jospoortvliet, post:36, topic:8992"]
so those attempts could have been from anywhere in the world and I think it is a good move to block them
[/quote]
No, as it’s a service being conducted on behalf of Nextcloud, their involvement shown in the links to results and contacts provided. NC should have some say in how this service is provided, or switch to a provider of said service that doesn’t conduct its communications in this manner.
I wouldn’t consider changing my home ISP over this. It’s an edge case and something that shouldn’t involve the ISP at all.
Reading through, it appears to be less panic and more concern/disdain for how this is being handled, which is justified. Applying enterprise policies to home admins is rarely going to be the right approach.
You’re right though, NC is still not going to divulge any more information or offer any transparency in what should be an open, friendly service. So for those who don’t like the idea of having their ISP involved where they have no reason to be, blocking the IPs is the way to go.
I’ve set this to autoclose now. If @tflidd or another moderator feels there’s more to be said, feel free to re-open it when it closes; similarly, non-mods feel free to message me, but it appears to be going around in circles (which is as much my fault as anyone else’s, sorry).
Let me add that we have now talked about this publicly. You can get answers to your questions in our blog.
Thank you for caring about this! I hope you can help urge people to update their servers.
Sorry that being a bit secretive about this has led to some issues. This was done to protect the vulnerable installations out there and give people time to update. It’s standard security best practice, and working with the countries’ Computer Emergency Response Teams and the Shadowserver Foundation team is the proper way to deal with this — which is why we did it that way.