It came to light today that Nextcloud devs are actively scanning users for vulnerabilities without consent, and notifying the owners of their IP blocks (almost always their ISPs) of them hosting nextcloud instances. They have no intention of stopping, based on the latest message from them above (it's on reddit, they could easily have edited it since this post to 'soften' it).
This unsolicited pen testing + possible consequences for users with their ISPs should warrant a warning message on the site under the Nextcloud recommendation.
When a web service is live on the internet, it's available to users, hackers, crackers, bots. It's public. So it is more to warn the sysadmin in charge of his Nextcloud instance that it's out of date and can (and will) be exploited. Have a look at the discussion with Frank from Nextcloud:
https://youtu.be/mh9elFRHAQ8?t=25m25s
So what do you suggest?
Is it better to let the crackers exploit flaws in out-of-date Nextcloud instances without the sysadmin in charge knowing it?
That's silly, and quite frankly a red herring. There are better ways to go about notifying users, like a notification in the web app itself.
On April 27, 2017 2:07:46 AM PDT, jinformatique notifications@github.com wrote:
When a web service is live on the internet, it's available to users, hackers, crackers, bots. It's public. So it is more to warn the sysadmin in charge of his Nextcloud instance that it's out of date and can (and will) be exploited. Have a look at the discussion with Frank from Nextcloud:
https://youtu.be/mh9elFRHAQ8?t=25m25s
So what do you suggest?
Is it better to let the crackers exploit flaws in out-of-date Nextcloud instances without the sysadmin in charge knowing it?
like a notification in the web app itself.
Which is what nextcloud does now, of course. But they found a very serious vulnerability in the old version and had no way to tell the people who host the servers that, because the older version didn't have a web app checking for updates.
It's supposed to be really a one-time thing because of this reason.
I'm not saying that it's the end-all be-all best solution, but I do understand why they made the choices that they made, and I'm honestly not sure what I would have done. Neither option was good.
It was a one-time thing, we now offer it for users on-demand: https://scan.nextcloud.com - only scans when you hit the button.
Our updater has improved a lot so most people are updating, I think, though any hacker can of course still use Shodan and other services to scan for ownCloud and Nextcloud servers and hack them if they haven't been updated and didn't respond to the message from their country's web security organization.
I suggest closing this issue, it's old news anyway and not something "Nextcloud does".
Agree, this doesn't seem like a big deal. Public services can be scanned by anybody anyways.