I don't understand why you can't see past your own opinions here. The "service" (I'll call it that) is great, and on par with what Google did recently with my WordPress install that'd already been patched before they contacted me.
But therein lies an issue. I patched my WordPress install the day the vuln was disclosed and the patch was provided. Google scanned it some time during that day, saw it hadn't yet been patched, and so queued a notification to go out to me.
The same can happen here, except instead of me, the admin, being notified (to which I'd say thank you and perhaps even shout out the value of that service), I'd get a cease-and-desist type letter (as an ISP will often consider these alerts a complaint. They're not smart.) 2 weeks later - by which time I'm on their radar for potentially doing something I shouldn't. This puts my internet contract under threat.
There's a distinction here too; this notification sent to a datacentre will be handled in a completely different manner to the ISP of a home user - a vast userbase for these solutions.
I applaud the objective, and I fully support everyone being up to date within the constraints applied (see patch schedules, etc. mentioned above), but the communications protocol in place is all wrong.
The proof of this is in the very existence of this topic.
All outdated software poses a potential threat (browsers, Flash, ...), but ISPs will have to constantly send notification letters to their customers if you want to set this as a standard. A list of IP addresses of clients of a bot network is a real threat and not only a potential one. From https://nextcloud.com/security/advisories/ I don't see a warning where you can obtain root permissions on a system. For me it seems exaggerated, especially when some could have been contacted via whois data as @JasonBayton pointed out.
For the community/developers here, there are much better ways to make sure of/help users with keeping their systems up to date.
Well, if the topic turns into the question of who the BSI should best contact if they become aware of some issues, then this should probably be discussed somewhere else. Don't you think?
If that's true and the online services are of any importance to you, I'd consider changing the ISP.
Guess what, ISPs have to handle that sort of stuff 24/7 and they really know how to handle it. If they don't, they are not the right service provider.
Yes, and not only ISPs. Whenever someone gets to know about a vulnerability they should responsibly disclose that to someone who can deal with it. There is no reason to downplay any of that, but at the same time I can't tell why there is a smell of panic in the air.
My original post was about an observation, and I asked a question because I wanted to understand what's going on. That's achieved, and the advice is probably the best we all can/should do:
[quote="jospoortvliet, post:36, topic:8992"]
so those attempts could have been from anywhere in the world and I think it is a good move to block them
[/quote]
No, as it's a service being conducted on behalf of Nextcloud, their involvement shown in the links to results and contacts provided. NC should have some say in how this service is provided, or switch to a provider of said service that doesn't conduct its communications in this manner.
I wouldn't consider changing my home ISP over this. It's an edge case and something that shouldn't involve the ISP at all.
Reading through, it appears to be less panic and more concern/disdain for how this is being handled, which is justified. Applying enterprise policies to home admins is rarely going to be the right approach.
You're right though, NC is still not going to divulge any more information or offer any transparency in what should be an open, friendly service. So for those who don't like the idea of having their ISP involved where they have no reason to be, blocking the IPs is the way to go.
I've set this to autoclose now. If @tflidd or another moderator feels there's more to be said, feel free to re-open it when it closes; similarly, non-mods feel free to message me, but it appears to be going around in circles (which is as much my fault as anyone else's, sorry).
Thank you for caring about this! I hope you can help urge people to update their servers.
Sorry that being a bit secretive about this has led to some issues. This was done to protect the vulnerable installations out there and give people time to update. It's standard security best practice, and working with the country's Computer Emergency Response Teams and the Shadowserver Foundation team is the proper way to deal with this, which is why we did it that way.