What is crosscloud?

Hi,

In the install page, you propose the use of crosscloud (https://nextcloud.com/install/#install-clients). I found their idea nice, though I was a bit surprised that NC advertises a non-open-source solution. Anyway, they seemed to be the only ones doing that, so I gave it a try. I quickly had an issue and contacted support; they replied quickly, and I was asked:

To investigate that in more detail it would be great if you could send me your logfiles.
For this purpose please send me a zip file of all the files in these folders:
on macOS:
/Users/[Username]/Library/Logs/CrossCloud/
/Users/[Username]/Library/Application Support/CrossCloud/
on Windows:
C:\Users\[Username]\AppData\Local\CrossCloud

These files DO NOT CONTAIN any of your passwords or access keys. These are simply logfiles.

I proceeded naively. Later on, I tried crosscloud again with another account, it was stuck again, I looked at their log, and surprise, my passwords were written in clear in the logfiles.

I changed my passwords and sent them an email.

My question: Is it normal? Can we trust them? Are there alternatives?

Thanks


Ideally passwords are stored in a keychain. I don’t know if something like that exists on Windows though. They definitely should not be logged. If they are, it’s an issue on their side.

As for stuff like this: Depends on how well support is educated and if someone fucked up on their side. You never know. Never attribute something to malice etc.

Thanks for your answer. I’m on macOS though.

I agree that it’s probably a mistake on their side (this is what they replied to me) and not malicious intent. However this is a big mistake, especially when it’s a software that aims at gathering the different clouds of a single user and thus lots of private data.

But maybe I’m overreacting, yet I wanted to address the issue somewhere (they don’t have a forum) so people would be aware of the bug.

Given this and that they apologized, can I (we) trust them for further releases?

update:

They acknowledged the bug, which affects apparently only Own/Nextcloud users, “the password is only printed in the log file while adding the account - not in normal operating mode”. It will be fixed in the next release. They also plan to open source (part of) their client software.

Meanwhile, every OC/NC user who used CrossCloud (version 2016.12.2 and before probably) has their password written in clear on their hard drive, in their log files. On macOS, it’s there:

/Users/[Username]/Library/Logs/CrossCloud/

I guess you want to remove those logs and change your password.

Hope this helps
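A way to check and scrub a log folder before zipping it for a support request, as an added example that is not part of the original posts and is not CrossCloud code. The key/value and URL patterns, the function names and the sample log lines are assumptions, since the thread does not show the actual log format.

```python
import re, tempfile
from pathlib import Path

MASK = "[REDACTED]"
PATTERNS = [  # assumed heuristics: the thread does not show the real log format
    ("key-value", re.compile(r"(?i)(\b(?:pass(?:word|wd)?|secret|token|api[_-]?key)\s*[=:]\s*)(\S+)")),
    ("url-credential", re.compile(r"([A-Za-z][A-Za-z0-9+.-]*://[^\s/:@]+:)([^\s/@]+)(?=@)")),
]

def scrub_line(line, known_secrets=()):
    """Mask secrets in one line; return (scrubbed_line, reasons)."""
    reasons = []
    for secret in known_secrets:
        if secret and secret in line:
            line = line.replace(secret, MASK)
            reasons.append("known-secret")
    for reason, rx in PATTERNS:
        def mask(m, reason=reason):
            reasons.append(reason)          # record why, never the value itself
            return m.group(1) + MASK
        line = rx.sub(mask, line)
    return line, reasons

def scrub_tree(src, dst, known_secrets=()):
    """Copy src to dst with secrets masked; findings never contain the secret."""
    src, dst, findings = Path(src), Path(dst), []
    for path in sorted(p for p in src.rglob("*") if p.is_file()):
        rel, out = path.relative_to(src), []
        text = path.read_bytes().decode("utf-8", "surrogateescape")  # lossless for any bytes
        for number, line in enumerate(text.split("\n"), 1):
            clean, reasons = scrub_line(line, known_secrets)
            out.append(clean)
            if reasons:
                findings.append((str(rel), number, reasons))
        (dst / rel).parent.mkdir(parents=True, exist_ok=True)
        (dst / rel).write_bytes("\n".join(out).encode("utf-8", "surrogateescape"))
    return findings

SAMPLE = ("10:01:02 INFO sync started\n"  # constructed, not real CrossCloud output
          "10:01:03 DEBUG adding account user=jean password=Tr0ub4dor&3\n"
          "10:01:04 DEBUG retry with Tr0ub4dor&3\n")

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "Logs").mkdir()
        Path(tmp, "Logs", "client.log").write_text(SAMPLE, encoding="utf-8")
        findings = scrub_tree(Path(tmp, "Logs"), Path(tmp, "to_send"), ["Tr0ub4dor&3"])
        return findings, Path(tmp, "to_send", "client.log").read_text(encoding="utf-8")
```

Passing the passwords you actually typed as `known_secrets` catches occurrences that no pattern would, such as the third sample line. Any finding means the original files on disk still hold the password and should be deleted and the password changed, as the post above says.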

The “new” Crosscloud is now yet another cloud based service like Odrive. Before that it was only a client, but that seems to be outdated now.

@jospoortvliet Is it really still advisable to advertise their service? It is about storing data on someone’s own system, a cloud service like Crosscloud does not really fit this anymore.

VERY good point. Removing it.


Hi, I am one of the founders of crosscloud and wanted to take this opportunity to quickly clarify.
We are terribly sorry for the described bug that led to passwords being logged under certain circumstances as reported by @jean - thanks a lot for reporting this.

With crosscloud we now focus on B2B customers - but still decided to keep the service (and all client applications) available and free for private users. Crosscloud does still not store any data and the desktop client still synchronises data directly with different storage services (like NC) without any central server component for the sync in between.

Although, we added an administrator console (we offer on-premise as well) that lets companies control how different cloud storages can be used in their organisation as well as enabling shared encryption in teams.

I understand that this change might not reflect the NC values any more and therefore understand the link got removed. Thanks.

Well, how much do you save?

I can see this in your plans:

Administrator Console access (Analytics, control, data protection)

Selfhosting everything and then relying on a service/application requiring an account in the “cloud” that does “analytics” and whatnot is just defeating the purpose. Although it would make a difference if you have a Nextcloud server app that does all of this so it would be still contained on a selfhosted system. :grinning:

There are other client apps for multi-cloud sync that do not require an account linked to “somebody else’s computer” (just another term for “cloud”) uploading potentially sensitive data, except for maybe a mail address for license registration.

Sure - we are aware of this. Here is what we do:

  • We offer customers the option to operate the administrator console on their own servers. Other customers can host the admin console with us (certified European provider).
  • We offer to completely shut down the “Analytics” - Features, which means that no usage information of any user is tracked or saved. In this case (which is how many teams are set up) the admin console is only used for user management (login etc.), sync of configuration between devices, policies (only if configured) and public key exchange between users so shared encryption works seamlessly. (A side note on that: the admin console never has access to any private keys, private keys are stored on user devices only. A protocol for private key exchange between devices is in place.)