Nextcloud founder Frank Karlitschek joins us to discuss the recent remote version checking of private Nextcloud instances, the controversial notifications sent by ISPs to users found to be running out-of-date Nextcloud instances, and the larger security problems facing all open source projects like Nextcloud.
Plus: why Chromebook usage surging past Linux in the last year is a good thing, picks, news of the week & more!
— Show Notes: —
Brought to you by: Linux Academy
Founder of Nextcloud, founder of ownCloud, Free Software Developer, former KDE e.V. board member, photographer and founder of openDesktop.org
“While researching the product versions being used, his employees noticed that many customers were using disturbingly old software in order to store their data on the web. Karlitschek then informed the CERT emergency team at BSI. He says it was clear to him after the politically motivated hacker attacks in the U.S. that this was also ‘an explosive issue.’”
While developing the security scanner we had a look at the state of security of private cloud servers online. Many administrators might not be aware of how easy it is to get a list of servers on the web! Services like shodan.io provide the ability to search for specifics, and it is simple to get a list of tens of thousands of instances and look at them.
- Nextcloud scanning people’s owncloud and nextcloud instances for security vulnerabilities and alerting “security organizations” about vulns. : selfhosted
Reporting that information to a third party after that is pretty hard to justify in my mind regardless of whatever ‘greater good’ argument you can make regarding internet security. That is simply not the way white hats work. You can’t report vulnerabilities to a third party without trying to contact the party in question first.
This is doubly important because it appears you picked up some residential users by accident. Nearly everyone on this sub does /r/selfhosted because they don’t like third parties to hold their info. The whole idea of a private cloud to protect privacy is the #1 selling point on your own website. On top of the privacy concerns, nearly every home user running Nextcloud is doing so against their ISP’s TOS. That makes the privacy issues doubly important because they could lose the ability to host their cloud altogether.
EDIT: I’d like to further add that the integrity of an OSS project is entirely dependent on trusting the devs. Very few people have the time or skill to go through all the code themselves, and so trusting OSS is akin to trusting the devs that run the show. If we can’t trust the devs, it may as well be closed source. Again, especially in this sub, there is a reason people like to use OSS. It’s pretty hard to justify using Nextcloud if people can’t trust the devs to be open and transparent.
— PICKS —
Gemini is an ultra-thin clamshell mobile device with a fully integrated tactile QWERTY keyboard that fits in your pocket. Designed for Android, it also features a dual-boot Linux option. Gemini is fully equipped with 4G, WiFi & Bluetooth, enabling both data communications and mobile phone calls.
Desktop App Pick
A browsable, searchable and easily customizable archive and backup for your tweets
Distro of the Week
We are proud to announce a fresh new Update for our Plasma 5 version of Neptune 4.5.
This version brings the latest and greatest of the Plasma 5 world to you. This includes Plasma 5.8.5 together with the desktop fix for the context menu, as well as Dolphin 16.12.2, Kdenlive 16.12.2, Chromium 56 and Icedove 45.6.
— NEWS —
Just imagine what would happen if AMD started to produce cheap, affordable libre hardware, to the point where Libreboot could start supporting newer systems from AMD. The possibilities are endless! People would jump towards AMD and AMD’s sales would go through the roof, while we in the libre hardware community would finally have systems from a manufacturer that cares for our freedoms to use our computers without proprietary software.
Firefox drops NPAPI support in this release (a change we’ve known about for a long time) for everything bar Adobe Flash. While this sounds trivial, it does mean that GNOME users can’t install GNOME extensions from the GNOME Extensions website using Firefox as-is, as of this release.
The browser will now only run Flash. Anything else reliant on the Netscape Plugin API (NPAPI) is now verboten. Which means Silverlight, Java and Acrobat are gone, daddy, gone.
Chrome OS usage is up by over 50% compared to the previous year, when the thin-client OS hit a then-high of 2.02%.
Hi Noah! This isn’t really a question about the product. I just wanted to contact you. It’s hilarious because in the LAS episode, you were asked how and when do you run into LAS fans… well, here I am!
I’ve been on the market for an X260 since you unveiled your purchase in LAS episode 422, so I was shocked and excited to see that the first great-priced one I came across (fully equipped with WWAN too!) that wasn’t 720p belonged to you! Happy to be buying from you! Even more happy to escape 4GB of soldered RAM and be able to use GNS3 on my laptop without sweating 🙂
Please be sure to mention your impressions of the X270 on LAS if you get the chance 🙂 I also have two requests if you don’t mind:
Please keep the LAS sticker on the windows key!
You don’t need to load windows on it, if you haven’t already! 🙂 100% Linux here.
The laptop remains as pure as the day you got it and installed Linux without a single boot into Windows! That’s good news 🙂
I’ll make a post on /r/linuxactionshow when I receive the laptop 🙂
p.s. I find it quite funny that the laptop is priced the same as the Galago Pro 13″ starting price 😉 Even though you posted this before SCALE.
Name: Stefan
Subject: New Format Feedback
Hey there Chris and Noah,
First and foremost: I love the show, keep up the great work.
In my opinion the new show format is perfect for attracting new viewers, because there is nothing more disappointing on YouTube than clicking on a video and having to listen through like 40 min of random stuff before you get to the actual information you want to hear about.
That said, I also have an idea for the show notes (and yes, I know this is a lot of work, but it would be very convenient for the viewers): timestamps for different topics during the show like “Bad Voltage” (http://www.badvoltage.org/2017/02/23/2×04/) does.
e.g. [00:14:22] Disassembled: Gitlab…
So if I wanted to listen to the Gitlab story first I could skip to that time, or if I don’t want to hear about Gitlab on yet another podcast I could skip to the next timestamp.
Just to be clear, I don’t want to tell you how to publish your podcast, I’m just saying it would be convenient.
Also, an idea for an app pick:
Because I know you guys love CLI tools: Pandoc (http://pandoc.org/)
Pandoc is for text what ffmpeg is for audio/video or ImageMagick is for pictures.
It translates every text format you’ll ever use into every other text format you’ll ever want. You could even convert HTML to EPUB (gigantic Wikipedia pages into eBooks).
Stefan aka thefenriswolf
Catch the show LIVE SUNDAY:
— CHRIS’ STASH —
Chris’s Twitter account has changed, you’ll need to follow!
Hang in our chat room:
— NOAH’S STASH —
Noah’s Day Job
noah [at] jupiterbroadcasting.com