Thank you VERY much!

Marco

I pretty much came to the same conclusion as you did, but by different (more subjective) means. It is very difficult to implement this much functionality in such a short amount of time. This way I got suspicious and found your post. I do not believe Synology to turn things around any time soon. You did me and many people out there a BIG BIG favour. Thanks!

Speaking on the issue, I have just purchased a Readynas and hope Netgear (or should I say Infant) have taken more time to make a proper NAS instead of a feature box. Now my question towards you is:

Could you make a wiki (or perhaps just a how-to) that describes to people how you have assessed the Synology. I could get pretty far on my own but the more people involved, the better. And yes, you may poke around my Readynas as much as you like. It needs proper testing before deployment anyway:-). Still, it would be useful for many user to be able to do an audit themselves.
Most reviewers out there don’t even scrape the surface of a security audit, praising products like Synology. Now THAT pisses me off:-)

regards,

Jeroen

Hard to wake up people nowadays…keep on sleeping peeps…

You have my full support and deserved way better than that on their smelly moderated forum…

Keep up the good work.

I stumbled upon your blog while looking if it was possible to use dm-crypt with Synology products. I just wanted to tell you that I, too, am now delaying buying a CS407. Also, the way those two “honorary moderators” and fanboys treated you is definitely not good publicity for Synology, IMO.

It’s too bad they don’t allow alternative firmwares, kinda like OpenWrt for wifi routers. That would really allow to get the best of both worlds, a cool piece of hardware with open-source, up-to-date software…

Anyway, I still think I’m going to buy a CS407 (performance and feature-wise, it’s still the best thing in its budget category) but only after they release a new firmware. Thanks a lot for the warning, more people should know about this!

(Sorry if I made any English mistakes, I’m not a native speaker.)

wlof

I bought some Diststations as file server and backup media. I find it quite frustrating that Synology is not updating their samba version to “recent” releases.

For me the big feature of those boxes is not the included services/applications, it’s the power consumption to price to performance balance. I’ll stick to my DSs (and will probably buy some more) - but they are not and will never be on the internet. In fact, in our network they live in their own security zone (Juniper/Netscreen) and run an updated version of samba (ipkg).

To me it was surprising from the very beginning, that somebody serious would put such a box “on the internet”. But then again, that’s what they are advertised for. In my opinion anything that runs a webserver with PHP (or any other form of cgi) is a timebomb in the hands of normal user.

I dont really share your fears about compiled CGIs (in general). Compiled or not isn’t more or less secure per se. In my eyes, the biggest problem with the compiled CGIs is that one can’t verify the source.

Regards,
Joachim

I’m sorry, I can’t give you any recommendations as I haven’t looked at any other NAS manufacturer’s devices. If I do a vulnerability assessment of another NAS manufacturer, I’m likely going to look at Netgear’s ReadyNAS product line.

I followed your post very closely on the Synology forum. I do not own a Synology product and did not bother to create an account on the forum, in order to express my support for your observations. I thought that it would be obvious that your reports had to be taken seriously - which quite evidently was not so obvious, at least not to the moderators and the Synology staff.

I am sorry to see the treatment that they gave you. You have my full support.

Do you plan on reviewing any other NAS products in the future? I was very close to buying a Synology product, until I read your post. Now I am searching for another product. I have noticed your recommendation of FreeNAS, however I not sure that I want to spend the time building my own NAS. I would like a compact, sleek, silent and low power solution - and most important _secure_.

Do you have any experience with QNAP TS209 PRO or TS209 PRO II?
Do you have any other recommendations?

Best regards,
Casper