Becoming unhappy

deljones
Know my way around
Posts: 162
Joined: Wed Nov 16, 2011 7:26 am

Post by deljones »

I have just upgraded my QNAP NAS to the latest firmware 4.5.1

I have owned a QNAP device for 8 years and during that time had two machines that in whole have been very good.

However, I do find myself becoming more unhappy with each upgrade, as with almost each upgrade in the past 12 months QNAP remove more apps from the store.

All that we are left with is a bunch of poor QNAP apps with strange names and lots of sync apps that might be OK for "enterprise", but what about small business and home users?

The reasons given for these removals are

"To improve customer experience"
"Compatibility issues"
"Security"
"Something about Google doing something or other"

I'm minded to move to a dedicated NEXTCLOUD box and not replace my NAS next time around.

Just saying

Dj
QNAP TS-253B with 2 x 3TB drives, 8gig RAM
Firmware 4.5.1
Running: WordPress, Piwigo, Nextcloud (20 HUB) in VS3
Subsonic & much much more!
spile
Been there, done that
Posts: 641
Joined: Tue May 24, 2016 12:13 am

Re: Becoming unhappy

Post by spile »

I understand your frustration but I see it as necessary due to the current environment and the price we have to pay in order to keep our devices free from malware.
Perhaps the angst should be aimed at those that are writing disruptive code rather than the vendors?
syncthing
Know my way around
Posts: 136
Joined: Mon Aug 13, 2018 4:58 pm

Re: Becoming unhappy

Post by syncthing »

Which apps did they remove?
I didn't upgrade yet - is it already safe to do so? I am aware of the extra program before the ssh login already.
User avatar
jaysona
Been there, done that
Posts: 854
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: Becoming unhappy

Post by jaysona »

spile wrote: Sat Jan 09, 2021 9:26 pm I understand your frustration but I see it as necessary due to the current environment and the price we have to pay in order to keep our devices free from malware.
Perhaps the angst should be aimed at those that are writing disruptive code rather than the vendors?
That's a pretty silly notion. Here's a practical world analog:

Automobiles are equipped with keys and locks to prevent easy automobile theft. What QNAP provides is like an automobile with a key and lock where any key can be used to unlock the locks and start the car. QNAP's response is effectively like saying you need to remove the battery and gasoline to prevent the car from being stolen.

QNAP just needs to employ secure coding and the majority (aside from very targeted) of attacks would be rendered useless.
RAID is not a Back-up!

H/W: QNAP TVS-871 (i7-4790. 16GB) (Plex server) / TVS-EC1080 (32Gig ECC) - VM host & seedbox
H/W: Asustor AS6604T (8GB) / Asustor AS7010T (16GB) (media storage)
H/W: TS-219 Pro / TS-509 Pro
O/S: Slackware 14.2 / MS Windows 7-64 (x5)
Router1: Asus RT-AC86U - Asuswrt-Merlin - 386.7_2
Router2: Asus RT-AC68U - Asuswrt-Merlin - 386.7_2
Router3: Linksys WRT1900AC - DD-WRT v3.0-r46816 std
Router4: Asus RT-AC66U - FreshTomato v2021.10.15

Misc: Popcorn Hour A-110/WN-100, Pinnacle Show Center 250HD, Roku SoundBridge Radio (all retired)
Ditched QNAP units: TS-269 Pro / TS-253 Pro (8GB) / TS-509 Pro / TS-569 Pro / TS-853 Pro (8GB)
TS-670 Pro x2 (i7-3770s 16GB) / TS-870 Pro (i7-3770 16GB) / TVS-871 (i7-4790s 16GB)
deljones
Know my way around
Posts: 162
Joined: Wed Nov 16, 2011 7:26 am

Re: Becoming unhappy

Post by deljones »

I understand your frustration but I see it as necessary due to the current environment and the price we have to pay in order to keep our devices free from malware.
Perhaps the angst should be aimed at those that are writing disruptive code rather than the vendors?
I understand all the security issues and that the "holes need to be plugged" etc. But the answer is not to remove good quality apps from the store and replace them with what are really inferior QNAP apps.

I'm just pointing out that as time has gone on QNAP has removed good apps.

With respect, your response is lazy. I do aim my frustration at the vendor if the vendor is pushing me away from apps that I used to use and trust by either removing them completely or replacing them with apps that do not come up to scratch.

Look at the readme before installing new firmware, the list of unsupported apps is large and it grows with each firmware update.

Dej
spile
Been there, done that
Posts: 641
Joined: Tue May 24, 2016 12:13 am

Re: Becoming unhappy

Post by spile »

jaysona wrote: Sun Jan 10, 2021 4:23 am Here's a practical world analog:
Automobiles are equipped with keys and locks to prevent easy automobile theft. What QNAP provides is like an automobile with a key and lock where any key can be used to unlock the locks and start the car. QNAP's response is effectively like saying you need to remove the battery and gasoline to prevent the car from being stolen.

QNAP just needs to employ secure coding and the majority (aside from very targeted) of attacks would be rendered useless.
Meanwhile from the Ministry of Silly Analogies...

The Wireless Key Problem
Most remarkable, perhaps, is that five years after the Swiss researchers' paper on the amplification attacks, so many models of car still remain vulnerable (secure coding?) to the technique. When WIRED contacted the Alliance of Auto Manufacturers, an industry group whose members include both European and American carmakers, a spokesperson said that the group was looking into the ADAC research but declined to comment for now. The VDA, a German automakers' group, downplayed the ADAC's findings in response to an inquiry from WirtschaftsWoche, pointing to decreasing numbers of car thefts in Germany and writing that "action taken by the automobile manufacturers to improve the protection against theft were and are very effective."

None of that is particularly comforting to the many millions of drivers with wireless key fobs. In fact, vulnerabilities (ring any bells?) in these systems seem to be piling up faster than they're being fixed. Last year researchers revealed that they'd cracked the encryption used by the chipmaker Megamos (secure coding again?) in several different makes of luxury car owned by Volkswagen. And at the Defcon security conference, hacker Samy Kamkar unveiled a tiny device he calls "RollJam," which can be planted on a car to intercept and replay the "rolling codes" vehicle locking system manufacturers developed to stay ahead of earlier replay attacks.

The ADAC researchers warn that there's no easy fix for the attack they've demonstrated. Yes, car owners can use Bilton's solution and store their keys in a freezer or other "faraday cage" (why are users being inconvenienced by poor coding?) designed to block the transmission of unwanted radio signals. But ADAC researcher Thiemel warns that it's difficult to know just how much metal shielding is necessary to block all forms of the amplification attacks. Far better, he says, would be for manufacturers to build defenses into their wireless key fobs, such as timing constraints that could catch the long-range attacks. "It is the duty of the manufacturer to fix the problem," Thiemel says. "Keyless locking systems have to provide equal security [to] normal keys." Until then, plenty of cautious car owners will no doubt be keeping their own key fobs well chilled.

Ref https://www.wired.com/2016/03/study-fin ... tion-hack/
spile
Been there, done that
Posts: 641
Joined: Tue May 24, 2016 12:13 am

Re: Becoming unhappy

Post by spile »

Analogies aside, I understand the frustrations that removing apps and functionality cause deljones and I am sorry if my curt response was dismissive.
jaysona
Been there, done that
Posts: 854
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: Becoming unhappy

Post by jaysona »

spile wrote: Mon Jan 11, 2021 6:03 pm Meanwhile from the Ministry of Silly Analogies...

The Wireless Key Problem
Most remarkable, perhaps, is that five years after the Swiss researchers' paper on the amplification attacks, so many models of car still remain vulnerable (secure coding?) to the technique. When WIRED contacted the Alliance of Auto Manufacturers, an industry group whose members include both European and American carmakers, a spokesperson said that the group was looking into the ADAC research but declined to comment for now. The VDA, a German automakers' group, downplayed the ADAC's findings in response to an inquiry from WirtschaftsWoche, pointing to decreasing numbers of car thefts in Germany and writing that "action taken by the automobile manufacturers to improve the protection against theft were and are very effective."

None of that is particularly comforting to the many millions of drivers with wireless key fobs. In fact, vulnerabilities (ring any bells?) in these systems seem to be piling up faster than they're being fixed. Last year researchers revealed that they'd cracked the encryption used by the chipmaker Megamos (secure coding again?) in several different makes of luxury car owned by Volkswagen. And at the Defcon security conference, hacker Samy Kamkar unveiled a tiny device he calls "RollJam," which can be planted on a car to intercept and replay the "rolling codes" vehicle locking system manufacturers developed to stay ahead of earlier replay attacks.

The ADAC researchers warn that there's no easy fix for the attack they've demonstrated. Yes, car owners can use Bilton's solution and store their keys in a freezer or other "faraday cage" (why are users being inconvenienced by poor coding?) designed to block the transmission of unwanted radio signals. But ADAC researcher Thiemel warns that it's difficult to know just how much metal shielding is necessary to block all forms of the amplification attacks. Far better, he says, would be for manufacturers to build defenses into their wireless key fobs, such as timing constraints that could catch the long-range attacks. "It is the duty of the manufacturer to fix the problem," Thiemel says. "Keyless locking systems have to provide equal security [to] normal keys." Until then, plenty of cautious car owners will no doubt be keeping their own key fobs well chilled.

Ref https://www.wired.com/2016/03/study-fin ... tion-hack/
You're trying to equate an attack that requires physical access, proximity and opportunity (an attack that is expensive (in terms of req'd resources and opportunity to execute) to perpetrate in comparison) to compromising a NAS? Yes, that is probably the most perfect example of "Ministry of Silly Analogies..."

I have executed both attacks (and many other types) multiple times, how many have you attempted, let alone successfully perpetrated?

With regards to the car key fobs - there are two main attack vectors:
1. Replay attack - this is the simplest to execute but also requires the most effort, is more of a targeted attack vs opportunistic attack.
2. A derivative of the Weiner attack, where the private key is known and therefore any car based on the private key can be taken. Getting the private key is harder (effort) but once obtained, the potential opportunity is massive.

To compromise a NAS, by comparison, requires little effort, little financial resources (none really) and the opportunity is unparalleled. With less than 10 - 15 minutes of effort a campaign can be launched against all NAS' worldwide, and the attacker just needs to sit back and let the ransomware payments start to roll in.

Secure coding would negate such an attack type and make attacks against NAS' far more expensive in terms of time required and opportunity available, and would basically relegate NAS attacks to the realm of what would be akin to spear fishing vs open dragnet fishing - which is what is currently underway.
spile
Been there, done that
Posts: 641
Joined: Tue May 24, 2016 12:13 am

Re: Becoming unhappy

Post by spile »

Yes we have demonstrated that analogies can be unhelpful. I agree; so let’s avoid dragnet fishing whatever that is. No please don’t.

The issue for me is that I do not accept that there is such a thing as a secure system.
As the environment changes so will the need to adapt. That is why we carry out risk assessments.

Common ground? Difficult and judging by your tone, I am not certain that you would be interested. Sharing CVs is unhelpful. It’s a consumer forum for goodness sake. I do get that some companies write code that is insecure at the time of its release and hasn’t undergone thorough testing. Perhaps you should send your CV off to Qnap right now?

I am sorry if you feel any of the above is disrespectful given your rank and status.