QNAP caught napping as disclosure delay expires, critical NAS bugs revealed

Re: A safe connection to the Internet

QNAP do issue firmware updates pretty frequently for both the OS and apps. Even models that their website says are out of support still get OS security updates. I only use my NAS on my local network and I've locked it out of direct access to the web using my router's firewall and I install updates manually.

Re: A safe connection to the Internet

My QNAPs receive firmware updates every 6weeks or so.

The QTS OS also let’s you apply them automatically if you want to.

The problem here - as with the more serious QNAP vulnerabilities of a couple of years ago - is where people set it up as a NAS or Internet-facing server and never apply updates. That is a problem, regardless of the device/manufacturer/OS.

Re: A safe connection to the Internet

"Companies that build devices that connect to the Internet, normally invest effort in making them secure, but then features are added and independently updated - resulting is this type of problem."

That's a common feature across many areas of industry, especially the many service industries. There's always money for new stuff and not enough for maintenance. Making new stuff is cool. Fixing broken stuff is drudgery.

Re: A safe connection to the Internet

If google was making these devices the would probably mirror your data (or metadata) and it would be hidden in the 108 page t&c's you didn't bother to read.

Re: thus all users have identical authorization

Sorry, but on my Synology DS414j I have five user profiles and none of them can do all the same things as any others.

Each profile has its level of access to the 8 partitions my NAS has, from no access to read access to write access. Not every profile can write on the same partitions.

It's very granular. I don't understand where Stoneshop is coming from. Of course, if two users have write access to a partition, they both have the same write access, but hey, what do you expect ?

Re: TS-231 spinning disks up when OFF

I bought an new 4-bay QNAP a few months ago and I don't see this. Make sure you're really turning it off - e.g. poweroff via ssh - and not just hibernating it. Get in touch with QNAP support - I've found them helpful in the past.

Re: Confused ...

Just guessing, but I assume it's based on the fact that many of their desired customers are non-tecchie home and small business users who need extra storage, so the OS is designed to make things like RAID, integrity monitoring, share management, backup, etc. something they can do without needing specialists to set up and support it. I wouldn't be surprised if, in the early days, the proprietary OS's were little more than GUIs for standard server software.

As others have pointed out, most NAS comes with suites of apps for streaming, backup, web and mail servers, cloud, , surveillance, etc. and if you're going to discriminate against competitors then some autonomy in developing these is probably necessary, for which a proprietary OS is more convenient.

Re: Confused ...

QNAPs run a Linux distribution plus (I think) BusyBox, but support a load of packaged apps (e.g. media apps, Docker and LXC Container Station). I run pi-hole as a LXC container for example.

If you want you can package your own apps as QPKG format to install them.

They are running a proper OS, but it is packaged so that you can run it as an appliance without needing to do much config. What they could do is set the firmware update to be automatic by default, so that sufficiently technical users can disable it to match their desired manual update cadence. This then catches the “set and forget” users whose devices would otherwise never get updated.

Re: Confused ...

"I'm probably missing something here, but what do you get from a QNAP or other consumer device that you don't get from a small server"...?

Nothing, but you can plug it in and go, more convenient. This article aside, QNAP does release fairly frequent firmware updates for their devices, even old ones, so (unlike some products) this isn't a "roll your own and get updates" or "use stock firmware, and get updates until the product is discontinued then 0 updates".

I don't have a QNAP, but I do have my wireless access points where I got a wireless access point rather than building one from components (... that said, I did replace the terrible stock firmware with DD-WRT.) Simply for convenience really.

QNAP was and is GARBAGE......every MOFO in business becomes a storage expert....now we have NAS "specialists" writing web front ends.... execs asking why "if i can do it at home for $200us can I not do it in a business"

I probably share many of your frustrations, but not about NAS systems and not about QNAP in particular. I love that average people can benefit from RAID and network storage at home or in small businesses. I've been doing this for several years and never saw someone write a custom web front-end for a NAS appliance. Why would they?

Sure, I've talked with businesses who wanted to know why they couldn't just buy home-consumer-grade stuff for their business. I just ask whether they buy consumer-grade phone service, Internet connection, property insurance, furniture, printers, etc. I let them answer their own question, no drama, no hard feelings. If they're that cheap, I wouldn't work for them anyway.