What happened in the end?, did they fix the security issues you mentioned? I’m interested in getting a Synology NAS they seem to have the perfect feature set for my needs, but am not so sure now having read this article…

Thanks

I have recently been looking at buying a synology ds.
I had personally wondered what the security to be like, however I did expect it to be ok being a commercial product.
I found your not so recent post in the forums. It was interesting to find some possible issues.
I don’t think the post had the correct outcome. I didn’t like the way it was compared to everyday risked.
I’m still debating whether I should buy one or not. I have very limited knowledge of UNIX, however one thing I am warned against is running things as root unless required.
I’m not educated enough to know how bad all the flaws are; do these really hold a real world risk? Statically I think bot systems may have issues? But if it came under a direct attack then maybe things could be worse? I don’t know!?!?! Realistically how bad are these faults?
I think it has made me rethink how I’d used such a device; I need to remote access option. However I think the security I would take it to put no personal information on the device. I would use remote access for pdf files, music access and a web server.
I used to run a full linux webserver with php/mySQL. I wonder how many faults I had in the system, as I’m not too informed!
Would Windows Home Server be better 

What’s the latest progress?

Thank you VERY much!

Marco

I pretty much came to the same conclusion as you did, but by different (more subjective) means. It is very difficult to implement this much functionality in such a short amount of time. This way I got suspicious and found your post. I do not believe Synology to turn things around any time soon. You did me and many people out there a BIG BIG favour. Thanks!

Speaking on the issue, I have just purchased a Readynas and hope Netgear (or should I say Infant) have taken more time to make a proper NAS instead of a feature box. Now my question towards you is:

Could you make a wiki (or perhaps just a how-to) that describes to people how you have assessed the Synology. I could get pretty far on my own but the more people involved, the better. And yes, you may poke around my Readynas as much as you like. It needs proper testing before deployment anyway:-). Still, it would be useful for many user to be able to do an audit themselves.
Most reviewers out there don’t even scrape the surface of a security audit, praising products like Synology. Now THAT pisses me off:-)

regards,

Jeroen

Hard to wake up people nowadays…keep on sleeping peeps…

You have my full support and deserved way better than that on their smelly moderated forum…

Keep up the good work.

I stumbled upon your blog while looking if it was possible to use dm-crypt with Synology products. I just wanted to tell you that I, too, am now delaying buying a CS407. Also, the way those two “honorary moderators” and fanboys treated you is definitely not good publicity for Synology, IMO.

It’s too bad they don’t allow alternative firmwares, kinda like OpenWrt for wifi routers. That would really allow to get the best of both worlds, a cool piece of hardware with open-source, up-to-date software…

Anyway, I still think I’m going to buy a CS407 (performance and feature-wise, it’s still the best thing in its budget category) but only after they release a new firmware. Thanks a lot for the warning, more people should know about this!

(Sorry if I made any English mistakes, I’m not a native speaker.)

wlof

I bought some Diststations as file server and backup media. I find it quite frustrating that Synology is not updating their samba version to “recent” releases.

For me the big feature of those boxes is not the included services/applications, it’s the power consumption to price to performance balance. I’ll stick to my DSs (and will probably buy some more) – but they are not and will never be on the internet. In fact, in our network they live in their own security zone (Juniper/Netscreen) and run an updated version of samba (ipkg).

To me it was surprising from the very beginning, that somebody serious would put such a box “on the internet”. But then again, that’s what they are advertised for. In my opinion anything that runs a webserver with PHP (or any other form of cgi) is a timebomb in the hands of normal user.

I dont really share your fears about compiled CGIs (in general). Compiled or not isn’t more or less secure per se. In my eyes, the biggest problem with the compiled CGIs is that one can’t verify the source.

Regards,
Joachim