Photos not showing on shared access on Qphoto

[Bob2018]

I just created a folder for a family member to access all their photos in there area only. When they login they can see their folders and pictures on the file manager but on the Qphoto app there is no photos. WHY?

[dolbyman]

best to stop it
..photo station is a prime attack vector for malware..never expose your qnap to the internet

remove all port forwards and disable upnp

use a share service like dropbox,onedrive,etc

[Theliel]

qumagie and PhotoStation are quite safe. It is true that an existing vulnerability in old firmware and PhotoStation was recently patched. In any case, it is much safer and you maintain total control in your own system that you have access to, than in third-party systems that of course can also suffer from vulnerabilities and many other problems.

Regarding the problem that arises, they have recently been updating the associated applications, I would not be surprised if they had break something

[dolbyman]

Photostation is quite safe ?

Using 3rd party web hosters is less safe, than exposing part of your private LAN ?

Are you by any chance working for malware manufacturers? smh

[Theliel]

Photostation is quite safe ?

Using 3rd party web hosters is less safe, than exposing part of your private LAN ?

Are you by any chance working for malware manufacturers? smh

You probably know little about computer / network security.

In the worst case, you expose the content of the NAS, not your local network. Nothing else. A security breach in a third-party service in the worst case, exposes all the accounts of said service, not just all the content that once user have in it.

And of course that is only the lesser of evils. Third-party services have infinitely more attack vectors that are not applicable to their own NAS, they are also much more common targets for bot networks and targeted attacks ...

In addition, a local NAS has the enormous advantage that you can secure it in many different ways, which is impossible with a third-party service. Use non-standard ports, expose only those services that are really interesting, not directly expose any services to the outside and access them only through VPN created by the NAS itself...

I only need a person's email to know what cloud services they use, if there has been a breach, if said email is associated with a password leaked in the huge existing databases of past attacks, carry out social engineering attacks...

In order to start attacking my NAS you would have:

-Knowing IP / Domain where my NAS is located, much more complicated than knowing a user's email, which essentially rules out any targeted attacks.
-Make a complete port scan, from 1 to 65535, performing service detection on all of them, because I don't think anyone is so stup** to use known ports for known services. This would imply that an attacker would have to spend weeks or month just to discover a service, since it would trigger the Firewall, and with it the port scan protections.
-Know which VPN server is being used, with what parameters. In my case, authentication by client certificate of course, and User / Password. Quite difficult thing to achieve in my opinion.
-And when you achieve all of the above, you could at least access the local network and no try to access the NAS, in case it is vulnerable, with a old firmware/apps


So yeah sorry to tell you but a well configured NAS is infinitely much more secure than any third party cloud service.

[dolbyman]

QNAP apps have plenty of security holes, if just sloppy programing or intense pen testing due to value of target (ransomware encryption value) I don't know

If your NAS is hacked/infected your network is exposed to attacks as well (unless the NAS sits in a DMZ, separated from all other LAN devices)

Hackers don't care about YOU specifically, there is lists of pen tested IP's/System for purchase on the internet, it's about mass infection and ransom collection ..
Ask anyone who has exposed ports with a firewall log, bots pen test ALL THE TIME
Who is saying anything about VPN ? OP has the services directly exposed to WAN, no VPN used.


3rd party services only expose your files, and those services probably have extensive backups in place to mitigate any catastrophe (natural or man made)

Sorry .. YOU have sadly no idea what you are talking about

[Theliel]

What are you saying? Only through Social Engineering, hundreds of thousands of accounts (if not millions) are compromised daily.

In the worst case scenario that the NAS is compromised, your network is not compromised at all just like that. Of course, you could have access to shared resources without any protection and, potentially, back to outdated computers and without any protection. By exactly the same explanation, according to your theory, simply compromising a PC of any organization would be exposing the entire organization network, and obviously this is not the case, at least the vast majority of the time. Take a look at the numbers of Ransomware attacks on NAS in the last year, and compare it to the millions of hacked accounts that are leaked each year (imagine the ones that are not leaked).

Attacking a NAS usually involves specifically targeting a specific make / model, and possibly specific firmware or application version. Of course, the applications / firmware have bugs, like any device, and that generally with a good security policy and updates it can be solved. I was telling you is that obviously any targeted attack can be ruled out on a NAS, which leaves us only massive generalized attacks, which in third-party services you have to deal with both massive and specific attacks. Yes, on a NAS you can have your backups ... are you telling me that nobody uses Cloud services for backups? Obviously, it is the main use that is given, other than to share files, just like a NAS. And obviously, for the same reason, no one using a decent backup policy would have a single copy on one site.

Knowing the IP / Domain is just one of the complications. Yes, of course, you can buy or search a list of possible systems, but again you face problems and obstacles that make it much more secure than a third-party service:

a) Most home IPs are dynamic, and change every few days, so any list / IP is worth little.
b) Again, simply by using high or unknown ports you avoid 99,9% of any attack

Again, two non-existent "barriers" in third-party services, which even have their own access APIs, potentially also vulnerable. And yes, personally, I log any attempts to access my devices, And yes, obviously there will always be a certain "background noise" that you will have despite all this. But we return to the same thing, that "background noise" is infinitely less than the daily phising / scam attempts, or the 24/7 attacks that all third-party services suffer. I have been using NAS for some years, to date I have not registered a single real attempt at unauthorized access to it, obviously being directly exposed (without VPN)

it's very simple, again, or you sweep the 65535 ports with the target IP/domain (and probably will by dynamic for home users), with detect services, or you can do little. Which makes it almost impossible considering any port scan detectors and others, that would take months or years.

I am not saying that a NAS is inaccessible at all, but In essence, protecting your own NAS is infinitely easier, faster and more secure than any third-party service. And of course, again, you always have the option to also use a VPN connection if security is important, an option that you don't have either with a third-party service

I'm sorry, I'm afraid it's you who doesn't know too much about it

[dolbyman]

What are you saying? Only through Social Engineering, hundreds of thousands of accounts (if not millions) are compromised daily.

An exposed NAS needs no social engineering ..

In the worst case scenario that the NAS is compromised, your network is not compromised at all just like that. Of course, you could have access to shared resources without any protection and, potentially, back to outdated computers and without any protection. By exactly the same explanation, according to your theory, simply compromising a PC of any organization would be exposing the entire organization network, and obviously this is not the case, at least the vast majority of the time. Take a look at the numbers of Ransomware attacks on NAS in the last year, and compare it to the millions of hacked accounts that are leaked each year (imagine the ones that are not leaked).

Ask any organization with mass ransomware infection because of one compromised device .. and they will tell you how *unlikely* that scenario is

Don't mix up exploits in a public exposed NAS and people that expose their passwords through links in email forms.. very different things

Attacking a NAS usually involves specifically targeting a specific make / model, and possibly specific firmware or application version. Of course, the applications / firmware have bugs, like any device, and that generally with a good security policy and updates it can be solved. I was telling you is that obviously any targeted attack can be ruled out on a NAS, which leaves us only massive generalized attacks, which in third-party services you have to deal with both massive and specific attacks. Yes, on a NAS you can have your backups ... are you telling me that nobody uses Cloud services for backups? Obviously, it is the main use that is given, other than to share files, just like a NAS. And obviously, for the same reason, no one using a decent backup policy would have a single copy on one site.

Very unlikely a personally targeted attack, just an attack based on fingerprinting lists .. criminals buy lists (similar to shodan) and exploit given device with whatever exploit kit they have on hand (known old or zerodays)

Unless you are a cooperation or a high value target .. nobody is specifically targeting attacks

Knowing the IP / Domain is just one of the complications. Yes, of course, you can buy or search a list of possible systems, but again you face problems and obstacles that make it much more secure than a third-party service:

a) Most home IPs are dynamic, and change every few days, so any list / IP is worth little.
b) Again, simply by using high or unknown ports you avoid 99,9% of any attack

a) with the implementation of VOIP, many ISP have semi permanent IP's now, they don't force change every 24hours
b) nope ... security by obscurity does not work anymore

I'm sorry, I'm afraid it's you who doesn't know too much about it

Tell those clever words to all those people that had their private NAS units hacked an encrypted this year alone .. I am sure they will not agree with you

Talk is cheap .. read the forums/reddit.. or the news
https://www.zdnet.com/article/qnap-tell ... ansomware/
https://www.zdnet.com/article/hundreds- ... r-attacks/
https://www.zdnet.com/article/qnap-nas- ... e-attacks/
https://www.zdnet.com/article/cisa-says ... h-malware/

[Theliel]

Again, you still don't get into the main question. At no point have I said that a NAS is 100% secure. What is being debated is a properly configured NAS, or a third-party service, more secure. And obviously a NAS is much more secure, without entering the greater control that one has of it

-An exposed NAS needs no social engineering...?
Because it is not feasible, it requires much more complex techniques, which are equally applicable to third-party services

-Ask any organization with mass ransomware infection because of one compromised device .. and they will tell you how *unlikely* that scenario is
Are you telling me that most companies that have problems with ransomware have a decent policy regarding knowledge of their employees, and backups? The vast majority of all attacks on companies are not due to system failures or security holes, but due to the "credibility" of their employees and thanks to Social engineering.

-Don't mix up exploits in a public exposed NAS and people that expose their passwords through links in email forms.. very different things
It is not about mixing, it is about comparing which systems are more or less vulnerable, if a NAS that is still exposed is safer, or a third-party service. Obviously they are two totally different scenarios, with their pros and cons. The NAS can be more susceptible to hypothetical specific attacks on software, third-party services are equally susceptible to massive data leaks, which by the way does not affect one user, but hundreds of thousands.

-Very unlikely a personally targeted attack, just an attack based on fingerprinting lists .. criminals buy lists (similar to shodan) and exploit given device with whatever exploit kit they have on hand (known old or zerodays) Unless you are a cooperation or a high value target .. nobody is specifically targeting attacks.
Of course, I totally agree, and removing exceptions 99% of any attack is usually massive, which still does not take away from me the reason for targeted attacks. And the non-targeted attacks are in their vast majority generic, looking for specific signatures / ports, or looking for a specific vulnerability of a specific device / service, which makes them ineffective the moment you modify ports, you keep the software completely updated .. .

-a) with the implementation of VOIP, many ISP have semi permanent IP's now, they don't force change every 24hours. b) nope ... security by obscurity does not work anymore
a) Its not true. Most of ISP dont use semi-perm IPs because VoIP. Most of the ISPs that provide VoIP services over their connections, use different networks for this, totally independent of the connection to the Internet, configuring totally independent WAN interfaces in the client routers (for example, my own ISP). Yes, IP for the VoIP WAN Interface is semi-perm, but the IP traffic is not routed outside the internal network of the ISP, and as I say totally independent of the Internet traffic. And those ISPs that use VoIP over the same Internet connection (using the same WAN interface), don't have any kind of problem using dynamic IPs either.
b) Completely false, it is very simple. To be able to attack any service you need a port, whether or not the service behind it is vulnerable. Of course, you can find a service that has been "hidden" by changing the port, nobody disputes that, the question is how long it takes. Scanning the 65535 ports externally of a Router and learning about the services behind them can take weeks, months at best if the Router has any simple protection against DDoS / ScanPorts. It has never been about it being impossible, but rather about it not being feasible. The security based on RSA or elliptical curve uses the same principle, it is not that it is impossible, what it is about is that the time required to carry it out in an acceptable way makes it totally ineffective

I know perfectly the security notices that appear, especially those that may affect me. And yes, as I said above, a ransomware attack has recently appeared using a well-known CVE that is almost 1 year old. How many users have really been affected by keeping their NAS updated? Even without having them updated, how many? The% is minimal. Of course there are thousands or hundreds of thousands exposed, not that all of them are vulnerable, and less that they have been infected. Ransomware / malware / exploit attacks happen every day to any device that is exposed, there is no news on it. The only real danger is the ZedoDay or the user's own negligence of not updating the software, using incorrect security policies and others.

It is so stupid to use a password in any cloud service "123456" than to have a NAS (or any device connected directly to the Internet) with the software without updating and patches without applying. Again, we return to the same, in any case a NAS is still much more secure in almost every aspect than any third party service

[OneCD]

* topic locked *

BTW: @Theliel please consider the many people out there who own a NAS, but don't know the first-thing about securing it. Your comments may be correct (in a rather limited general sense, and not specific to QNAP), but may also mistakenly convince someone with little-to-no knowledge that running "cloud" services from their own NAS is quite safe.

This is a support forum. Please conduct your debates on discussion forums like Reddit.