QNAP shipped Hybrid Backup Sync with hardcoded credentials of walter:walter. This was used by ransomware criminals to encrypt photos and videos and demand payment in Bitcoin for the password to decrypt the data.
criddell | 4 years ago
From that page:
> The code has 27 occurrences of e-mails: [email protected] or [email protected] in the code.
More information is available here:
https://www.helpnetsecurity.com/2021/04/26/qnap-nas-ransomwa...
Was there any development on if there was an actual investigation or help from Google to identify the fraudsters, given these are @gmail email addresses?
If you want a small NAS in a similar form factor I'd recommend the Helios64 5-bay NAS https://kobol.io/. It is an Arm64 board that runs mainline Armbian. It also comes with 2.5Gbit networking and a built-in UPS battery.
trengrj | 4 years ago
I don't understand why people who care about security and have linux knowledge would use Synology/QNAP. They are both proprietary, often exposed to the internet, and packed full of so many features that they are consistently full of vulnerabilities (SynoLocker/QLocker etc).
hedora | 4 years ago
I use Synology because I tried many alternatives, and none worked out of the box.
I finally got one (SmartOS; I also tried FreeNAS) working, but I used the Intel chip with a timebomb clock line for the build.
Then, I gave up. 4 hours after the Synology was home, I was much farther along than I'd gotten in a month on the other machine.
I'd definitely pay a premium for a supported open source + hardware NAS combo that supported Docker, VMs and offsite client-side encrypted backup (with dedupe/compression) out of the box. Also, I want it to draw < 10W, excluding disks.
Until then, Synology wins, and isn't a hobby project.
tremon | 4 years ago
Well, I did buy a QNAP TS-419P many years ago. It's still running mainline Debian, that was why I bought it. I would have replaced it with a newer model if the new ones were similarly open, but they're not.
Seriously considering a Helios64, once they get their supply issues resolved.
That seems perfect spec-wise. Would you mind giving a quick review of the acoustic characteristics of the case?
paol | 4 years ago
I'm looking to move away from a QNAP box, and one of the driving reasons is the horrible "hard-plastic hard-mount everything" design that couldn't amplify hard drive noise any more if they'd done it on purpose.
(The other reasons are that I'd rather manage ZFS myself, and the need for more than gigabit ethernet)
Another suggestion for QNAP owners is to simply replace the firmware with a regular Linux distribution. This is what I’ve done and haven’t looked back.
I _desperately_ want something like this, but in a 1U 4-drive form factor. If someone is working on something like this, _please_ let me know. It doesn't even have to be an RK3399 based system, just something that works with a mainline (or near-mainline) linux distro and will host an SMB server & DLNA server.
I personally have a QNAP NAS because I wanted something cheap. I did not enable all the functions and I will definitely not enable all the "internet functions".
bbernhard90 | 4 years ago
Am I the only one that thinks that connecting the NAS directly to the internet is a stupid idea to begin with?
Don't get me wrong, I can totally understand why people (without much technical background) are tempted to do this. But with all the complexity these NAS systems nowadays have it was only a matter of time for something like this to happen.
aborsy | 4 years ago
https://blog.elcomsoft.com/2019/11/synology-nas-encryption-f...
The OpenVPN also had a hidden password:
https://www.cvedetails.com/cve/CVE-2014-2264/
The funny thing is that they didn't even bother to choose a longer password (the password is synopass). Even if people hadn't found them, an attacker brute forcing these passwords would easily find them.
Stopped buying storage appliances when my old drobo went out of support. Now I get a suitable case, fill it with drives and go from there. Even a usb tower with ten drives is far more preferable than some proprietary linux derivative with a downward ticking support window.
kwdc | 4 years ago
I genuinely believe you're better off with a combination of:
A. an integrated solution like freenas/truenas, unraid or even ceph if you want even more steps. Install and configure. Done.
B. a base linux install with just the particular file servers you need. Install and tinker. Auto-update. Remove unnecessary packages.
sodality2 | 4 years ago
Best line of the thread
bigmattystyles | 4 years ago
I feel bad for Walter, and people blaming him as the sole responsible party are just part of a mob reaction. Is this backdoor bad? Yes, QNAP should suffer a financial setback*, but who among us hasn't done something like this which, combined with pressure to release from management and (obviously) poor corporate code review and audit practices, has gone on to 'almost'** release something that shouldn't be.
My point: this isn't on Walter alone, in fact most of it isn't, it's the software development processes (or lack thereof) that allowed this to happen. My guess: Walter will be shown the door, QNAP will be able to say we took action and got rid of Walter, but the true issue, the bad process that led to this, is probably still there. Worse, Walter's knowledge of the code base will also be gone.
And no, I'm not Walter if anyone is wondering.
* they won't
** 'almost' is in quotes for plausible deniability reasons on my end.
rkagerer | 4 years ago
Walter's a popular guy. (Apparently he's QNAP's Technical Manager)
Crazy that when things like this happen people rarely even get fired and the company just says "oops, we'll do better." US retailers should stop selling QNAP after something like this. Who knows if this was accidental or intentional.
flyinghamster | 4 years ago
I was on the fence about getting some type of off-the-shelf ARM-based NAS, but once again my wariness of "consumer" hardware turned out to be a good call. I wish it could be otherwise.
My current NAS is an old PC that I built for the purpose many years ago with ECC RAM and an unlocked Phenom II, and currently runs Ubuntu Server after I experimented with OpenSolaris just in time for the Oracle takeover, and then took a detour through CentOS. It's getting kind of long in the tooth now, and I could get a lot more oomph for the same power consumption, or the same for less power.
It's clear that my next server is going to have to be one I build up myself, just as before. I'm leaning toward an AM4 server board (such things do exist), as it offers lots of CPU options from cheap/low-power to Ryzen 9 5950X. The latter is extreme overkill, but it's an option nonetheless. ;) I'd be most likely to go midrange on the CPU. ECC RAM is a no-exceptions must.
I'm on the fence whether or not I should spring for 10G Ethernet. I have absolutely nothing else that uses it right now, and I have perfectly good gigabit gear that has served me well and would rather not throw out or try to sell. It might be worthwhile anyway as a direct single-client SAN.
jploh | 4 years ago
I was close to getting a QNAP as they are cheaper than a Synology. My use case is storing home security camera footage.
Currently, I have an old PC running Linux with software RAID. My motivation for switching to an appliance was power consumption and heat/noise. I live in a tropical country so I can't get away with passive cooling. Due to dust build-up, the Intel Celeron CPU and motherboard broke down.
It's been replaced with an AMD Athlon. My plan was to replace the entire setup with an appliance NAS the next time it breaks down. I'm now hoping it will last long enough that an ARM-based CPU solution will work out. My top candidate is the ROCKPro64.
I wish I'd built my own instead of buying synology. The added value software is just a gimmick to pad the marketing material, most of it has only the most basic functionality and isn't particularly well made.
rhexs | 4 years ago
I really wish there was a small NAS case that didn't look like a massive box. The QNAP/Synology 4 bay low power form factor is just killer for fitting into small spaces, but if I could put a core i5 in one of those with some flash to get some more VMs going and run linux or some BSD distro, that'd be incredible.
Smallest one I've found is https://www.u-nas.com/xcart/cart.php?target=product&product_..., but not quite as compact as I'd hope.
As I can't find DIY hardware like that, Synology looks to have a slightly more mature vulnerability response program than QNAP -- apparently they have a bounty? I've heard about fewer Synology flaws, so hopefully they're a slightly better choice on the software side.
I have this one at home: https://www.mini-itx.com/~NAS6 . It measures roughly 20x20x30 cm and can fit a standard mini-itx motherboard. Not as small as a dedicated ARM box, but the smallest I could find. Fitting the PSU is very fiddly though, there is hardly any space between the PSU and the HDD backplane.
A lot of people seem to use refurbished enterprise sff machines (optiplex micro, thinkcentre m, etc) for vms and similar, if your storage needs are more modest. I've also seen some run WD externals from them via the stock usb enclosures, although I'm not sure if running raid or the like on usb devices is a good idea.
jaidan | 4 years ago
The HP Gen10Plus Microserver might do what you're after [0].
I've been running the Gen 7 since January 2013 with Ubuntu 16.04 then 20.04. It's travelled between New Zealand, Australia and South Korea multiple times. The Russian BIOS enabled hotplug and took the speed restriction off the CD-ROM SATA port.
I run a SanDisk SSD (purchased 2014) in the CD-ROM bay and 3x 8GB WD Red (CMR) drives. The fourth bay I use for transferring or backing up other drives. I used mdadm for software RAID as the "hardware RAID" needed special drivers and it was too hard at the time.
I haven't played with the Gen10Plus yet but it'll probably be the direction I head instead of a NAS. They come with Xeon processors and 4 ethernet ports!
[0] https://buy.hpe.com/au/en/servers/proliant-microserver/proli...
jchw | 4 years ago
QNAP has some enticing out of the box NAS products, but I guess I feel a bit better having chosen Synology.
That's not to say I necessarily love any of these vendors too much. They feel a bit too much like feature mills that have lower incentive to adopt better security practices and higher incentives to add features and, well, provide a decent user experience. I appreciate the latter, but it isn't ideal.
Still, as much as I'd love a NAS running open source software and maybe even open hardware, I think the amount of time and effort spent on doing so would not be well rewarded. So for now, I guess I'll ride the useful life of my Synology NAS out and go from there.
As for this incident, it is embarrassing, but it happens. Hopefully this will motivate more people to do security research on these devices.
I am still happily running FreeNAS 11. I haven't updated to 12 and its name change to TrueNAS. Anyway, the amount of janitoring I have to do with it is very minimal. Over the last year, less than 1 hour of time spent total.
theogravity | 4 years ago
I sold my QNAP NAS a year ago as QNAP does not have a strong security track record. If anyone is looking for an open source NAS solution, I recommend OpenMediaVault - it runs on Debian Linux and provides a management GUI for managing ZFS pools.
I'm currently using a 3 disk setup with WD Red (CMR) drives + SSD cache on ZFS with it and have had a good experience in the past year using it so far. I've had to replace one of the disks due to age and ZFS makes it super simple to replace and resilver disks.
berkut | 4 years ago
Now that ReadyNAS (Netgear bought them years ago, but the hardware and software was still decent up until recently when they stopped releasing updates) seems to have given up in the (pro)consumer space (4+ drives), is Synology the only option now?
Asustor and WD seem to be making more advanced and larger drives, maybe they're options...
karmicthreat | 4 years ago
Synology has always had better software. But they have been more expensive and they have been threatening to lock out some features unless you use their drives.
There is no real competitor on the market right now except QNAP. And who wants to deal with FreeNAS, I have better and more important things to do with my time at work.
One of my roommates reset the router and accidentally enabled upnp, which I didn't notice for weeks. Just fixed it a few weeks ago, and seems like I avoided this, phew. I think I'm going to decom the QNAP and just roll my own...
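One way to catch the situation described in the comment above (UPnP quietly re-enabled by a router reset and a NAS port forwarded for weeks), as an added example that is not from the thread: walk the router's UPnP IGD port-mapping table from inside the LAN and flag any mapping that lands on a NAS port. It assumes the router exposes WANIPConnection:1 and that you already have its control URL from the device description XML; the NAS port list is a constructed placeholder to adjust for your own device.

```python
# Added example, not from the thread: walk a router's UPnP IGD port-mapping
# table (WANIPConnection:1, stdlib only) so that a NAS forwarding which a
# router reset quietly re-enabled shows up in a routine check.
import urllib.request
from urllib.error import HTTPError
from xml.etree import ElementTree as ET

SVC = "urn:schemas-upnp-org:service:WANIPConnection:1"
# Typical NAS listener ports (constructed list; tune it to your device).
NAS_PORTS = {22, 80, 443, 873, 5000, 5001, 8080, 8443}

def build_request(index):
    """SOAP body asking the IGD for the mapping at table position `index`."""
    return ('<?xml version="1.0"?><s:Envelope '
            'xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
            's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
            f'<s:Body><u:GetGenericPortMappingEntry xmlns:u="{SVC}">'
            f'<NewPortMappingIndex>{index}</NewPortMappingIndex>'
            '</u:GetGenericPortMappingEntry></s:Body></s:Envelope>')

def parse_mapping(soap_xml):
    """One GetGenericPortMappingEntry response -> dict, or None for a SOAP
    fault (error 713 SpecifiedArrayIndexInvalid marks the end of the table)."""
    resp = ET.fromstring(soap_xml).find(
        f".//{{{SVC}}}GetGenericPortMappingEntryResponse")
    if resp is None:
        return None
    get = lambda tag: (resp.findtext("New" + tag) or "").strip()
    return {"ext_port": int(get("ExternalPort")), "proto": get("Protocol"),
            "host": get("InternalClient"), "int_port": int(get("InternalPort")),
            "desc": get("PortMappingDescription")}

def is_nas_exposure(mapping):
    """True when Internet traffic is forwarded to a typical NAS port."""
    return mapping["int_port"] in NAS_PORTS

def soap_post(ctrl_url, body):
    """Default transport: POST the SOAP body; faults come back as HTTP 500."""
    req = urllib.request.Request(ctrl_url, data=body.encode(), headers={
        "Content-Type": 'text/xml; charset="utf-8"',
        "SOAPAction": f'"{SVC}#GetGenericPortMappingEntry"'})
    try:
        return urllib.request.urlopen(req, timeout=5).read().decode()
    except HTTPError as e:  # the fault body carries the UPnPError code
        return e.read().decode()

def list_mappings(ctrl_url, transport=soap_post, limit=256):
    """Read rows 0..limit-1 until the IGD faults; return the parsed rows."""
    rows = []
    for i in range(limit):
        m = parse_mapping(transport(ctrl_url, build_request(i)))
        if m is None:
            break
        rows.append(m)
    return rows

def exposures(ctrl_url, transport=soap_post):
    """Only the rows pointing at NAS ports: the ones to go and remove."""
    return [m for m in list_mappings(ctrl_url, transport) if is_nas_exposure(m)]
```

Run `exposures("http://<router>:<port>/<controlURL>")` from a LAN host; an empty list is the expected state when UPnP is off or nothing forwards to the NAS.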
tremon | 4 years ago
I usually use the surveillance-line of disk drives. That's WD Purple, Seagate Skyhawk, or Toshiba S300. Theoretically, their firmware is supposed to be tuned to a higher queue depth and lower latency, which should be beneficial to RAID performance.
Haven't run any performance numbers on them, though.
NAS-oriented drives from manufacturers that don't lie about which disks are SMR and which are CMR. Right now, that means I buy Seagate Ironwolf drives and avoid WD like the plague.
Seagate Exos (x14, x16 or x18) and Ironwolf or WD HC520. Consumer drives, like the Ironwolf drives, are usually more expensive than enterprise. If you have a SAS backplane get SAS because they're cheaper as Chia caused the price of SATA drives to skyrocket.
thinkmassive | 4 years ago
You had my hopes up for a moment there, haha
ksec | 4 years ago
Unfortunately I only want 2 Bay.
KozmoNau7 | 4 years ago
You never want an SMR drive. Just say no.