Problem in the past: the update notification didn't work all the time. When new updates were released, it was completely unknown if or when your update notification would trigger an update (so it's not possible to tell if the notification stuff is working or not).
Automatic updates are a bit critical, but if updates happen to be very stable, why not offer people the option to do this (WordPress can do it).
If you have a very old unsupported version, I wouldn't mind an option to be set manually in the config file that you need to enable this. This still gives you the option to run the old version in a local network. But if you have a public setup, you can't say that you didn't know.
If you have a very old unsupported version, I wouldn't mind an option to be set manually in the config file that you need to enable this. This still gives you the option to run the old version in a local network. But if you have a public setup, you can't say that you didn't know.
I don't think it really matters how old the software is. Think of a version 10.0.1 which could have a very serious flaw which is fixed in 10.0.2 (the latest version in that case). So essentially you'd need to implement some sort of "Am I the latest version" phone-home functionality, which could ofc be opted out of.
There is far more going on with an app like Nextcloud than just SSL; stating that a check with ssllabs in any way validates anything but basic security.
With all the Libs, apps and code any version is highly likely to contain exploits, or at least exploits to be found.
I am not sure if making the version number available is a good idea at all. Open source is about choice: choice of the version you run, choice of what sources you make available and choice over what is publicly on show.
Forced obsolescence and shaming are not about choice and not what open source in my books is really about.
I jumped on the Nextcloud bandwagon because I was really pleased to see some of my previous reservations about ownCloud seem to be dispelled.
I am starting to get worried again, as for me there do seem to be some very strange and dubious decisions being made that don't fit my vision of efficient user-led software development and the benefits of the crowd.
I have used various open source platforms, and scanning and being targeted is common; it happens on WordPress, Joomla, Oxwall… Depends on the plugins, some plugins deliberately advertise your site, so Nextcloud is not alone.
Security through obscurity, in terms of not publicly baring all on the internet of what you are and what you use, for a vast number of Nextcloud users who do very much fit into the category of (too small, no profit to attack / hack, not worth the effort) and also less technically competent to have rapid version upgrading and updating.
You donât sell support by telling the internet the versions being run by users, WTF!
This could be an option and by default it should be off.
I understand your frustration and it's perfectly fine to vent it.
However,
I am not sure if making the version number available is a good idea at all. Open source is about choice: choice of the version you run, choice of what sources you make available and choice over what is publicly on show.
I asked around and it's needed for using the correct routes for public sharing and syncing.
Apart from that you are mixing things up. FOSS is about being able to change the source code and has nothing to do with buttons and options.
Patching software doesn't really have anything to do with planned obsolescence. It's not shaming, it's the BSI helping you people that they could be subject to attacks. They probably know more than us and maybe automated attacks are already under way.
As an analogy: Samsung warning their customers that their phones could explode, so they should return them and get a replacement for free, is a good idea, right?
This could be an option and by default it should be off.
Right, you could request that feature in the issue tracker where disabling support for the sync client would also turn off the status.php
For anyone interested: I've dug a bit into the topic and facts and compiled a few things:
Scanning was conducted by an unrelated third party (in France if you look at the IPs)
The BSI contacted you guys in order to prevent you from automated attacks
Re-phrasing "please update your instance" to "please buy support from us" is a bit silly. The BSI decided to help you out because they think it was important based on the information they had.
Openly propagating the version number looks bad at first, but it essentially doesn't change the attack surface. It's in fact completely irrelevant for attackers, because these attacks usually brute force vulnerabilities (it's in fact easier to program it in that way and more effective).
Nothing to see here, move along, keep your stuff up to date, be lucky that this was not an attack
For anyone interested: I've dug a bit into the topic and facts and compiled a few things:
Scanning was conducted by an unrelated third party (in France if you look at the IPs)
The Nextcloud scan page and their email address were posted in the email. I haven't received any response denying involvement, so I'm pretty sure it has been Nextcloud.
The BSI contacted you guys in order to prevent you from automated attacks
They contacted the providers with an abuse complaint, not the people running the software. These complaints are not taken lightly by most; in one instance a provider threatened to blackhole the server if I did not resolve the issue asap.
Re-phrasing "please update your instance" to "please buy support from us" is a bit silly. The BSI decided to help you out because they think it was important based on the information they had.
Agreed, although a marketing rep closing the discussion in the other thread likely brought that on.
Openly propagating the version number looks bad at first, but it essentially doesn't change the attack surface. It's in fact completely irrelevant for attackers, because these attacks usually brute force vulnerabilities (it's in fact easier to program it in that way and more effective).
Nothing to see here, move along, keep your stuff up to date, be lucky that this was not an attack
I agree you need to keep your software up to date, however in the real world it does not work this simply all the time. We generally maintain a set update schedule and only divert if there is a serious issue. Some random software developer or agency does not get to decide this by attempting to force my hand, hitting my provider with abuse complaints while nothing actually happened.
The Nextcloud scan page and their email address were posted in the email. I haven't received any response denying involvement, so I'm pretty sure it has been Nextcloud.
Nextcloud does not employ people in France and the scans were from French IPs.
Are we really discussing Nextcloud's part in this or just ranting about how BSI used an easy way to contact you guys? If so, please contact the BSI, because this discussion is not changing anything ;D
The benefits of using FOSS can include decreasing software costs, increasing security and stability (especially in regard to malware), protecting privacy, and giving users more control over their own hardware.
Actually it would seem to be you, who is mixing things up. Buttons, options and tripe replies.
You know how it reads "can include" and not "includes"? FOSS is only about licensing at its core, and when speaking about the most popular licenses it's all about changing and distributing code. That's it.
It is by some who have appropriated the FOSS movement for their own needs.
Maybe go and have a chat with Stallman and Raymond on your interpretation of what FOSS is and what it should be and why there was a need for its creation.
@BernhardPosselt I think your tone is winding people up, maybe dial it down a bit. No matter how trivial you feel this is, your opinion clearly isn't shared by others commenting above.
@jospoortvliet do you still feel this isn't worth talking about? Seems fairly important to clear the air, and assuming the intentions of NC are good, having an official response here might lighten current tensions.
It isn't clear if this has been organized by Nextcloud, or on behalf of Nextcloud, or by an independent company (a French IP only indicates that resources of a French ISP were used); obviously Nextcloud doesn't want to give any official statement. So let's go back to a technical point of view:
If many of your domains are scanned for owncloud/Nextcloud setups, you can use this pattern on domains that are not used for owncloud/Nextcloud and block this IP (e.g. fail2ban). You can also report this IP to the ISP if there is a chance that they handle this request and you suspect illegal activities (search for potential victims). You could also send out fake status-reports on domains that are not using Nextcloud or just ignore it.
It was pointed out that the status messages are required for setups, so you can only hide your setup behind a VPN if you don't want to allow public access, or somehow restrict the IP range that can use Nextcloud.
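The pattern suggested above (status.php requests arriving at domains that do not host Nextcloud or ownCloud are a scan signature, and the source address is a candidate for a fail2ban-style block) can be turned into a small log check. The following is an added example, not code from this thread or from the Nextcloud project; it assumes a combined-format access log with the virtual host as the first field (Apache's `%v` or nginx's `$host`), and the log lines and IP addresses below are constructed sample data. Hits on the hosts that really run Nextcloud are deliberately excluded, because sync clients legitimately poll status.php there.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: "vhost ip - - [timestamp] "request" status bytes "referer" "agent"".
# Only cloud.example.org runs Nextcloud; the other vhosts are ordinary sites.
SAMPLE_LOG = """\
cloud.example.org 203.0.113.10 - - [10/Feb/2017:10:00:01 +0000] "GET /status.php HTTP/1.1" 200 180 "-" "Mozilla/5.0 (Linux) mirall/2.2.4"
blog.example.org 198.51.100.7 - - [10/Feb/2017:10:00:02 +0000] "GET /status.php HTTP/1.1" 404 212 "-" "python-requests/2.12.4"
shop.example.org 198.51.100.7 - - [10/Feb/2017:10:00:02 +0000] "GET /owncloud/status.php HTTP/1.1" 404 212 "-" "python-requests/2.12.4"
shop.example.org 198.51.100.7 - - [10/Feb/2017:10:00:03 +0000] "GET /nextcloud/status.php HTTP/1.1" 404 212 "-" "python-requests/2.12.4"
blog.example.org 192.0.2.55 - - [10/Feb/2017:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
blog.example.org 198.51.100.7 - - [10/Feb/2017:10:00:06 +0000] "GET /cloud/status.php HTTP/1.1" 404 212 "-" "python-requests/2.12.4"
cloud.example.org 192.0.2.55 - - [10/Feb/2017:10:00:07 +0000] "GET /status.php HTTP/1.1" 200 180 "-" "Mozilla/5.0 (Linux) mirall/2.2.4"
"""

# Assumed log layout: vhost, then the usual combined-format fields.
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one access-log line; return None for lines in another format."""
    m = LOG_RE.match(line)
    if m is None:
        return None  # skip rather than guess at malformed input
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop any query string
    return rec


def find_status_probes(lines, nextcloud_hosts, threshold=2):
    """Return {ip: count} for sources that requested a status.php on hosts
    where no Nextcloud/ownCloud lives, at least `threshold` times.

    nextcloud_hosts: vhosts that really serve Nextcloud; requests there are
    expected sync-client traffic and are not counted.
    """
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].endswith("/status.php"):
            continue
        if rec["vhost"] in nextcloud_hosts:
            continue  # legitimate: clients poll status.php on the real instance
        hits[rec["ip"]] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}


def probed_paths(lines, nextcloud_hosts):
    """Which status.php locations each source tried on non-Nextcloud hosts.

    Several guessed install prefixes from one address in a short window is
    the hallmark of a scan rather than a misconfigured client.
    """
    paths = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].endswith("/status.php"):
            continue
        if rec["vhost"] in nextcloud_hosts:
            continue
        paths[rec["ip"]].add(rec["path"])
    return {ip: sorted(p) for ip, p in paths.items()}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    real_instances = {"cloud.example.org"}
    for ip, n in find_status_probes(lines, real_instances).items():
        print(f"{ip}: {n} status.php probes on non-Nextcloud hosts, "
              f"paths tried: {probed_paths(lines, real_instances)[ip]}")
```

The addresses this prints are what you would hand to a fail2ban jail or a firewall denylist; the threshold keeps a single stray request from a mistyped client URL from triggering a block, and the exclusion list matters because a sync client hitting status.php on your real instance is exactly the traffic the thread says you cannot turn off.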
It isn't that I don't consider it important enough - my lack of statement is due to privacy and security concerns.
And as I said in another thread: personally, if I was warned I left my wallet when leaving a cafe, left my door open when walking my dog or didn't lock my car, I'd be happy and pick up my wallet/close my door/lock my car. If people hear from their provider that their server is at risk from (potentially automated!) attacks, perhaps the best course of action is to upgrade it to a secure version.
I think some people underestimate how easy it is to hack an outdated ownCloud or Nextcloud server. It is easy to get IP and web addresses on the web, there are services that simply sell them! Then, you can easily do an automated scan and then hack the servers and copy the data or even take over the entire server if the version on it is old enough.
If you ask me, that is a HUGE problem! I can only hope that there are not many insecure systems on the web. Many people are not aware that their privacy is being violated by companies like Google, Dropbox et al., and we started working on private cloud software to help defend people and their data. I personally would feel I'd have to act in a similar way if I knew people were running insecure software. I can guarantee you I tell people who run Windows XP that what they do is potentially dangerous! Wouldn't you?
Of course I wouldn't want to lock them up and take their freedom to run Windows XP away… Though, if their system is used in a botnet, as ISP I might want to lock them out of the web.
Again, I can't talk about what happened here, though to me what Bernhard said about the French IP and such makes sense. I guess a hacker would use a proxy to hide where from he/she breaks in (and TOR, maybe), so those attempts could have been from anywhere in the world, and I think it is a good move to block them.
I don't personally have a problem seeing scans in my logs; it's a public server and it'd be naive to assume it isn't going to happen - my Linux access logs look like I'm behind a locked door in a scene from The Walking Dead.
But, if my ISP sent me a letter threatening to shut my connection down due to a.n.other company reporting security issues coming from my IP, I'd rage. Especially given my contact details are in the WHOIS of the domain I host from - where I'd more than welcome a notice to say I'm out of date (as you referred to with XP there @jospoortvliet) - as Google did the other week following a nasty vuln in WordPress that I'd already patched.
Perhaps if you have any influence, ask them to find another means of contact. That appears to be the issue here.
But that's not their responsibility and you don't have a contract with them ("them" being the BSI). The potential threat they recognized is imposed from the ISP's properties, and that's why they get informed and asked to do something about it.
I don't get why you're having a problem with that. This shouldn't be a problem:
Because just fixing the issue at your end solves the problem, helps yourself and makes the internet a better place.