No more than i worry about my operating system or office suite being closed source.

But then again, i don't put my sensitive information like passwords, ssh/pgp keys, tax returns and stuff like that in Resilio. I very rarely need those documents "on the go". Instead i have working documents, books, notes and more that i need access to, and while i'd rather not share them with the rest of the world, it would probably not make much difference if it was.

Furthermore, i can completely "wall off" Resilio Sync. It runs in a container on my public server, and files i need access to are mounted as NFSv4 shares "outside" the container. Access to the shares is managed through Kerberos. So even if you make it inside the container, you can (probably) wreak havoc with the files on the NFS shares, but those are backed up, and unless you can find a way out of the container, or a bug in NFS, that's pretty much it. The container has only the absolute minimum of binaries to allow Resilio to work, so your toolkit is kinda limited, at least when compared to Nextcloud which requires a lot of binaries/libraries to work, along with a PHP interpreter.

My Nextcloud was only for myself and my family, and we only used it for "files on the go".

Calendar/contacts is handled by iCloud (Apple household, it's a Danish thing.) Notes are handled by whatever each person finds the easiest. My wife defaults to the iOS notes app, i switch between various clear text editors.

File synchronization on desktops/laptops is handled by Synology Drive, which syncs beautifully whenever the machine is connected to our LAN, either directly or through VPN. The only problem i needed to solve was ad-hoc access to files on mobile devices, preferably without opening ports, and since VPN doesn't always work from other private networks (ip scope clash usually), i chose not to use Synology tools for this.
> I'm not too worried about the client being closed source, especially not when the server is open sourced.

> For Syncthing there is of course the potential problem of the client leaking the secrets to the author, giving them unauthenticated access to the server.

It is significant because the credentials entered into the closed source Mobiussync app (that wraps the open source Syncthing node) would allow the author (if malicious, which I have no reason to believe they are) to access all of your files (even if your other nodes are behind firewalls, by design).

Now, I'd like to believe Mobiussync is doing the right thing. It aligns with their economic interests to not steal credentials, since nothing would kill their app sales faster if found out. I imagine it also would be easy to detect if the app was exfiltrating credentials by monitoring app communications. [...] and appreciated the way the author engaged with the Syncthing community here. Based on my assessment of their conduct and the factors above, I feel almost certain Mobiussync does the right thing by its users.

But economic incentives change, authors change, bugs in code happen, and a good feeling is not the same as verifiability. The risk may be small but at stake is all your data. I'd certainly pay more than the (very reasonable) price the authors ask for, for the additional peace of mind given by open source.

> Plus as far as I know neither ownCloud nor nextCloud went through a security audit

Nextcloud does receive security audits and is in fact also used by quite some security-conscious organizations (to name a few: German Government, Siemens). There's also a bug bounty program that pays pretty decently considering the company size. (Remote Code Execution = 10k, Auth Bypass = 4k - compare that to rewards that the FAANG pays and you'll see it's not that bad)

> and they are big piles of PHP with a lot more complexity than Seafile

I did a small audit of Seafile years ago and I don't think that argument flies.

For example, they copied [link] and removed some security-critical checks. They removed the check for the password hash here [link].

Generate a random string (currently a random number as a string) )

Furthermore, the Django secret key was generated as shown at [link]. That's not really secure and copy-pasting Django core code and then removing security checks is shady at best.

Disclaimer: I wrote a significant part of the ownCloud code ( ), then forked it into Nextcloud. After some years I moved to Facebook to do application security there :-)
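The secret-key point raised in the Seafile audit comment above (a key that is a random number rendered as a string), shown as an added example that is not code from the thread, from Seafile or from Django: a constructed weak generator beside a CSPRNG-based one, plus an entropy bound a reviewer can apply to a configured key. `DJANGO_KEY_ALPHABET` mirrors the 50-character set Django's `get_random_secret_key()` draws from; the function names and the `10**12` upper bound are assumptions for illustration.

```python
"""Constructed illustration: why a SECRET_KEY that is just a random number
printed as a string is weak, and how to bound a key's entropy.
Not Seafile's or Django's actual code."""
import math
import random
import secrets

# Character set Django's own get_random_secret_key() draws from.
DJANGO_KEY_ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*(-_=+)"


def weak_secret_key(max_value: int = 10**12) -> str:
    """The pattern the comment describes: a random *number* as a string.
    random.randint comes from the Mersenne Twister, which is not a CSPRNG,
    and the key only spans the decimal integers up to max_value (assumed)."""
    return str(random.randint(0, max_value))


def strong_secret_key(length: int = 50) -> str:
    """CSPRNG-backed key over the 50-symbol alphabet, the way Django does it."""
    return "".join(secrets.choice(DJANGO_KEY_ALPHABET) for _ in range(length))


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Upper bound on key entropy: log2(alphabet_size ** length).
    Assumes each symbol is drawn uniformly and independently."""
    return length * math.log2(alphabet_size)


def weak_key_entropy_bits(max_value: int = 10**12) -> float:
    """An integer in [0, max_value] carries at most log2(max_value + 1) bits,
    however many decimal digits it happens to print as."""
    return math.log2(max_value + 1)


def key_is_strong_enough(key: str, min_bits: float = 128.0) -> bool:
    """Review check for a configured key: an all-digit key is scored over a
    10-symbol alphabet, anything else over the 50-symbol Django alphabet.
    This is an upper bound, so a False result is conclusive; True is not."""
    alphabet = 10 if key.isdigit() else len(DJANGO_KEY_ALPHABET)
    return entropy_bits(alphabet, len(key)) >= min_bits


if __name__ == "__main__":
    print("weak key bits  <=", round(weak_key_entropy_bits(), 1))
    print("strong key bits <=", round(entropy_bits(50, 50), 1))
    print("weak ok?", key_is_strong_enough(weak_secret_key()))
    print("strong ok?", key_is_strong_enough(strong_secret_key()))
```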