NASLite Network Attached Storage

www.serverelements.com
Task-specific simplicity with low hardware requirements.
 Post subject: NASLite+ spyware?
PostPosted: Sun Dec 18, 2005 3:03 pm 

Joined: Sun Dec 18, 2005 1:07 pm
Posts: 6
The SE02 utility distributed with NASLite+ generates pages with the following HTML:

Code:
<SCRIPT LANGUAGE="JavaScript"><!--
function displaylatest() {
  if (checklatest.width > 10) { document.latestrelease.src = checklatest.src; }
  else { document.latestrelease.src = "pixel.gif"; }
}
function checklatest() {
  checklatest = new Image();
  checklatest.src = "http://updates.serverelements.com/latestrelease.php?lr=NL1P$SELT";
}
setTimeout("checklatest()", 50000);
setTimeout("displaylatest()", 60000);
// --></SCRIPT>


which "phones home" with your license number and MAC address every time you access the web server. I reverse-engineered the encryption on the SE{0,1,2,3,4,5} utilities to check what other suspicious behaviour is performed, and noticed that one of them creates a root account:

Code:
echo 'root:$1$$7ekGJ1vuvA6pgJgFs3QUJ0:0:0:root:/export:/bin/nascfg' > /etc/passwd


Is this a backdoor? What is the corresponding password for this account? Why is there no way to disable this account or change the password? This seems very shady behaviour; I hope there is a reasonable explanation.

btw, that $SELT comes from here:

Code:
SELT="$(/etc/cfg/SE05 SE05 SE05)"
...
this is from SE05:
LID=$(cat $FLICENSE | grep 'LID=' | sed 's/LID=//g' )
PID=$(cat $FLICENSE | grep 'PID=' | sed 's/PID=//g' )
 
LICENSE="$(echo $LID | sed 's/-//g')"
MACADDR="$(ifconfig | grep HWaddr | sed 's/^.*HWaddr //' | sed 's/://g')"
 
ISSUEID="$LICENSE$MACADDR"
REPORT="$(echo $ISSUEID | tr [a-z] [A-Z] | tr [ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890] [0987654321ABCDEFGHIJKLMNOPQRSTUVWXYZ])"
echo -n "$REPORT"


So every time you access the web server, your license number, the IP address you're accessing it from, and the MAC address of the system you're running NAS on are reported home. This is 1984 stuff. Please provide an explanation.

(PS: I hope this isn't something you would do, but just in case, removing this post without explanation will force me to release this information publicly so that your customers know what you're doing.)


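The SE05 "encryption" shown in the post is a fixed, keyless character substitution (tr over A-Z0-9), so anyone who can see the lr= request parameter can undo it and read the license ID and MAC back out. The Python below models that encoding and its inverse; it is an added example, not code from NASLite or from the post. The NL1P prefix comes from the JavaScript above; the license ID and MAC used are constructed.

```python
import string

# Alphabets exactly as in the post's second tr command (the square brackets
# are literal characters in tr and map to themselves, so they are omitted).
SET1 = string.ascii_uppercase + "1234567890"
SET2 = "0987654321" + string.ascii_uppercase
ENCODE = str.maketrans(SET1, SET2)   # what SE05 applies
DECODE = str.maketrans(SET2, SET1)   # its inverse; no key is involved

LR_PREFIX = "NL1P"  # constant prefix the page's JavaScript puts before $SELT


def build_issue_id(lid: str, mac: str) -> str:
    """ISSUEID = license ID without dashes + MAC address without colons."""
    return lid.replace("-", "") + mac.replace(":", "")


def se05_report(lid: str, mac: str) -> str:
    """Reproduce REPORT: tr [a-z] [A-Z], then the fixed substitution."""
    return build_issue_id(lid, mac).upper().translate(ENCODE)


def decode_lr_param(lr: str) -> tuple[str, str]:
    """Recover (license, MAC) from the lr= query value seen on the wire.

    The MAC is always the final 12 hex characters, so the split is unambiguous.
    """
    if not lr.startswith(LR_PREFIX):
        raise ValueError("not an lr= value of the form NL1P<report>")
    plain = lr[len(LR_PREFIX):].translate(DECODE)
    return plain[:-12], plain[-12:]


if __name__ == "__main__":
    # Constructed sample values; not a real license ID or MAC address.
    lid, mac = "ABCD-1234-EFGH", "00:1a:2b:3c:4d:5e"
    report = se05_report(lid, mac)
    print("URL parameter:", LR_PREFIX + report)
    print("recovered    :", decode_lr_param(LR_PREFIX + report))
```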
 Post subject:
PostPosted: Sun Dec 18, 2005 3:25 pm 
I don't see what the fuss is all about? So what if they have my IP and MAC address?

I trusted Server Elements with my credit card details and have never had a problem with payments made to them. So in turn I trust them with my IP number. Hell, they even got it by me using this forum, so what's the fuss?

Server Elements a front for a hacking group? ERM, NO.

God, half my apps call home one way or another. Far too many other things to worry about than the comments you made.

Eden


 Post subject:
PostPosted: Sun Dec 18, 2005 3:34 pm 

Joined: Sun Dec 18, 2005 1:07 pm
Posts: 6
edeng wrote:
I don't see what the fuss is all about? So what if they have my IP and MAC address?


and an undocumented root account on your file server. oops.

Sorry, but just because spyware seems to be everywhere these days does not make it okay. Of course, if you don't mind, that's great, but I can guarantee a lot of people will.


 Post subject:
PostPosted: Sun Dec 18, 2005 3:52 pm 
I can't comment on the "undocumented root account". This is something for Tony.

But I am not worried one bit by your "Findings".

Most people who have NASLite+ paid for it; they used their credit card details or PayPal etc., so what's more scary, them having your credit card details or your IP? It's down to trust. I parted with my cash and never looked back. Why should anyone else?

If someone has a "warez" version then it's good their IP is logged!


 Post subject:
PostPosted: Sun Dec 18, 2005 4:06 pm 

Joined: Sun Dec 18, 2005 1:07 pm
Posts: 6
edeng wrote:
Most people who have NASLite+ paid for it; they used their credit card details or PayPal etc., so what's more scary, them having your credit card details or your IP? It's down to trust. I parted with my cash and never looked back. Why should anyone else?

If someone has a "warez" version then it's good their IP is logged!


Who is going to warez it for the sake of $20 :)

That's not the point. The point is that every time you log in, every time you change the computer you're running NAS on, Server Elements knows about it. This is a privacy issue. I don't want the usage of my file server tracked, or to be monitored for compliance with their licensing... that's not what I signed up for.

This "if you have nothing to hide, you have nothing to worry about" argument is unacceptable. My privacy is valuable to me, and I despise being tracked. A lot of people agree with me, and while you may take it for granted right now, I guarantee you will miss it if you ever lose it.

I want an explanation, and I suspect a lot of other people will too.


 Post subject:
PostPosted: Sun Dec 18, 2005 4:18 pm 
Well, it has been warez; I have seen it. In fact, I helped put a stop to it on eBay. So people will warez no matter the cost; I have even seen FREE apps released as warez!

I think you're jumping the gun a bit though; Tony the developer has not even commented on these "features", so you might end up with egg on your face.


 Post subject:
PostPosted: Sun Dec 18, 2005 5:37 pm 
Site Admin

Joined: Tue Jul 13, 2004 4:11 pm
Posts: 1771
Location: Server Elements
Hello galps,

Firstly, for the record - NASLITE IS NOT AND DOES NOT INCLUDE SPYWARE!

Quote:
PS: I hope this isn't something you would do, but just in case, removing this post without explanation will force me to release this information publicly so that your customers know what you're doing


If your primary concern is whether NASLite is or isn't spyware, you should email Server Elements, Ralph or me privately with your inquiry. We'll respond and answer your question accordingly. By posting copyrighted code to this public forum, you've already devalued NASLite.

Now, I'll make an attempt to answer your questions and hopefully put your concerns to rest.

There are 2 reasons for the javascript code you see on the top of the Info pages. The first one is to display the latest release. The second is to display an "ILLEGAL COPY" image when a pirated license ID is used. I hope this isn't something you would do, but are you using a pirated license ID?

The root account that the code creates is unnecessary and should have been removed prior to release. You'll also notice that the same code creates the admin, NAS-User and the nobody accounts. Is that also suspicious? If you take a closer look at the code that you decrypted, you'll notice that the admin and root users are one and the same in every respect. The admin account is an alias of root and can do all that root can do. In the same way, if you continue examining the code, you'll notice that root can do nothing more than what admin can do.

NASLite does not create a backdoor. It does not provide any facilities for a gateway, so a backdoor is impossible. There is no way to access a NASlite server remotely but only through a LAN. Everyone can access NASLite on the LAN.

I hope the above explanation sheds some light on the code you are looking at. Please keep in mind that NASLite is a licensed, copyrighted product. From a developer's point of view, decrypting the code to satisfy your curiosity is understandable. Posting that code to a public forum is unethical and shows lack of integrity. Please do not publicly post any more of the management code. If you are interested in supporting our work and not disrupting development, my email address is tzt_at_serverelements.com.


 Post subject:
PostPosted: Sun Dec 18, 2005 6:03 pm 

Joined: Sun Dec 18, 2005 1:07 pm
Posts: 6
Tony wrote:
Hello galps,
Firstly, for the record - NASLITE IS NOT AND DOES NOT INCLUDE SPYWARE!


Good, but you do collect personally identifiable information and track usage and hardware that your customers use? I don't think this was meant to invade my privacy, but I'm not too happy about it.

Quote:
By posting copyrighted code to this public forum, you've already devalued NASLite.

That wasn't my intention; as a programmer myself I absolutely respect copyright law. It was a very small extract just to illustrate what I was talking about. Very sorry if you really feel this way.

Quote:
There are 2 reasons for the javascript code you see on the top of the Info pages. The first one is to display the latest release. The second is to display an "ILLEGAL COPY" image when a pirated license ID is used. I hope this isn't something you would do, but are you using a pirated license ID?


No, absolutely not. But this could be construed as distrust of your customers; I'm sure the majority of us are honest. And of course the ones who do pirate it already know it's illegal. If your concern is that people could be sold black-market copies unknowingly, perhaps you could add a button like "Is this copy legal?" to the interface.

I don't see any reason why you need my MAC address and serial number to check if an update is available.

Quote:
The root account that the code creates is unnecessary and should have been removed prior to release. You'll also notice that the same code creates the admin, NAS-User and the nobody accounts. Is that also suspicious?

No, but it's suspicious that it's a valid working account that has a password. It does concern me that you could have admin access to a file server if you ever visit a LAN that uses your software... and if the password is found out by any of the users on my network (okay, the kids :)) they could overwrite my settings. But as it's a mistake I suppose it will be corrected in the next version?

maybe a free update that disables the account could be provided as a security precaution? I expect it's a simple matter of removing the line and rerunning mkisofs.

Quote:
I hope the above explanation sheds some light on the code you are looking at. Please keep in mind that NASLite is a licensed, copyrighted product. From a developer's point of view, decrypting the code to satisfy your curiosity is understandable. Posting that code to a public forum is unethical and shows lack of integrity. Please do not publicly post any more of the management code.


Absolutely, you do not have to be concerned about this. Thanks for your response.


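A check an owner can run against the account file discussed in the two posts above (Tony's point that the script creates root, admin, NAS-User and nobody; galps' point that root is a live account with a password): parse the passwd entries, list every UID-0 account, and classify each password field. This is an added example, not NASLite's or galps' code. Only the root line is the one quoted in the thread; the admin, NAS-User and nobody lines are constructed for illustration.

```python
# Sample passwd content. The root line is quoted from the thread; the other
# three lines are constructed and are not NASLite's real entries.
SAMPLE_PASSWD = """\
root:$1$$7ekGJ1vuvA6pgJgFs3QUJ0:0:0:root:/export:/bin/nascfg
admin:$1$x9Lq$Qm0eRzW1y3tN5bV7cK8dH.:0:0:admin:/export:/bin/nascfg
NAS-User:*:100:100:NAS User:/export:/bin/false
nobody:*:65534:65534:nobody:/nonexistent:/bin/false
"""

CRYPT_SCHEMES = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt"}
FIELDS = ("name", "pw", "uid", "gid", "gecos", "home", "shell")


def parse_passwd(text: str) -> list[dict]:
    """Parse passwd(5) lines into dicts; every line must have seven fields."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        e = dict(zip(FIELDS, f))
        e["uid"], e["gid"] = int(e["uid"]), int(e["gid"])
        entries.append(e)
    return entries


def describe_password(pw: str) -> str:
    """Classify the password field: empty, shadowed, locked, or a live hash."""
    if pw == "":
        return "empty (no password needed)"
    if pw == "x":
        return "shadowed"
    if pw[0] in "*!":
        return "locked"
    parts = pw.split("$")            # "$1$$hash" -> ["", "1", "", "hash"]
    if len(parts) >= 4 and parts[1] in CRYPT_SCHEMES:
        salt = "empty salt" if parts[2] == "" else f"salt={parts[2]}"
        return f"live {CRYPT_SCHEMES[parts[1]]} hash, {salt}"
    return "live hash (unrecognised scheme)"


def audit(text: str) -> dict:
    """List every UID-0 account and every account whose password field allows login."""
    entries = parse_passwd(text)
    described = {e["name"]: describe_password(e["pw"]) for e in entries}
    return {
        "uid0": [e["name"] for e in entries if e["uid"] == 0],
        "login_capable": {n: d for n, d in described.items()
                          if d.startswith(("live", "empty"))},
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_PASSWD).items():
        print(f"{key}: {value}")
```

On the sample, the audit reports two UID-0 accounts (root and admin) and flags the quoted root entry as an md5crypt hash with an empty salt.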
 Post subject:
PostPosted: Sun Dec 18, 2005 6:16 pm 
I bet someone feels rather stupid now! Threats of exposing Server Elements for something that was untrue!

galps, you should have got your facts straight before posting, like you owe us all something. You don't. If you don't like a product, don't use it.

Egg in the face of galps!

Nuff Said!


 Post subject:
PostPosted: Sun Dec 18, 2005 6:26 pm 

Joined: Sun Dec 18, 2005 1:07 pm
Posts: 6
edeng wrote:
I bet someone feels rather stupid now! Threats of exposing Server Elements for something that was untrue!

galps, you should have got your facts straight before posting, like you owe us all something. You don't. If you don't like a product, don't use it.

Egg in the face of galps!

Nuff Said!


Please explain how I have egg on my face, my claims:

* there is an undocumented root account distributed with NAS.
* NAS phones home with MAC address and serial number.

Please let me know which one or both was incorrect, KTHX!

btw, I like eggs :)


 Post subject:
PostPosted: Sun Dec 18, 2005 7:47 pm 
You have egg on your face because you come to this forum, post a bit of code and suggest that there is something we all really need to know. Something so important that

"removing this post without explanation will force me to release this information publically so that your customers know what you're doing)"

As a programmer you will know that not every feature or bug is documented, and as pointed out, root and admin are the same, so nothing fishy there! So you found it, WOW.

And Tony never said whether NASLite+ phones home or not, so I can't comment.

Come on, you thought there was more to this and you feel a little stupid.
You thought you discovered something that was nothing. "Backdoor".

I think maybe you're better at putting code together than pulling it apart; I'd stick to that.


 Post subject:
PostPosted: Sun Dec 18, 2005 7:59 pm 

Joined: Sun Dec 18, 2005 1:07 pm
Posts: 6
edeng wrote:
You have egg on your face because you come to this forum, post a bit of code and suggest that there is something we all really need to know. Something so important that

"removing this post without explanation will force me to release this information publically so that your customers know what you're doing)"

As a programmer you will know that not every feature or bug is documented, and as pointed out, root and admin are the same, so nothing fishy there! So you found it, WOW.

And Tony never said whether NASLite+ phones home or not, so I can't comment.

Come on, you thought there was more to this and you feel a little stupid.
You thought you discovered something that was nothing. "Backdoor".

I think maybe you're better at putting code together than pulling it apart; I'd stick to that.


Pay no attention to the man behind the curtain!!!

Tony says it's not spyware, so it isn't!!!!!!

Sorry, but Tony has a vested interest in not having this product labelled spyware. It clearly fulfils the definition of monitoring users, as it demonstrably phones home and reports on the hardware it's running on, the IP address you are accessing the web interface with, and a serial number that can be used to personally identify you.

Tony says it's not a backdoor!!!

wrong again, from Wikipedia:

"A backdoor in a computer system (or a cryptosystem, or even in an algorithm) is a method of bypassing normal authentication or obtaining remote access to a computer, while intended to remain hidden to casual inspection."

and

"A backdoor in a login system could take the form of a hard-coded user and password combination which gives access to the system."

This hardcoded account is clearly an example of a backdoor. This is a serious breach of trust that consumers need to know about. Just because you're too much of a fanboi or too incompetent to know what this means doesn't mean it's not a big issue.

And this was the result of a cursory examination of some of the components of NASLite; what else would an in-depth examination uncover? I will probably be migrating after this, as I have lost confidence in Server Elements. But I still want this stuff to be either fixed, or documented for the benefit of other customers.


 Post subject:
PostPosted: Sun Dec 18, 2005 8:45 pm 
Come on, having to go to wikipedia and post quotes.

If you really want a challenge, try pulling an MS OS apart, and I am sure you will find plenty of undocumented features and backdoors in there.

Then you could make your findings "PUBLIC"

Are you a superhero who is out to protect us, or a spyware cop, or just a geek who has nothing better to do?

If you don't like NASLite, galps, don't use it. This is getting boring now.

http://en.wikipedia.org/wiki/Troll


 Post subject:
PostPosted: Sun Dec 18, 2005 10:59 pm 
Site Admin

Joined: Tue Jul 13, 2004 4:11 pm
Posts: 1771
Location: Server Elements
I am not a fan of splitting hairs galps, so I'll do my best not to. Here are the issues that you claim concern you:
Quote:
there is an undocumented root account distributed with NAS.

The reason you gave for your concern is:
Quote:
It does concern me that you could have admin access to a file server if you ever visit a LAN that uses your software... and if the password is found out by any of the users on my network (okay, the kids :)) they could overwrite my settings.

I don't mean any disrespect by this, but you have got to be kidding. NASLite is an open server. Every file is read/write visible to everyone, so why would anyone want to change the settings? For the purpose of what? What exactly does one have to gain by changing the settings of a NASLite server? Besides, unlike a conventional distribution, all you have to do is pull the floppy out, reboot and reconfigure.

The second issue that you have with NASLite:
Quote:
NAS phones home with MAC address and serial number.

Quote:
I dont see any reason why you need my MAC address and serial number to check if an update is available.

NASLite does not "phone home". It has no facilities to do so since it has no concept of a gateway. We established that above. What NASLite does do is to create an encrypted string (the code for which you have now made public), containing the ID and MAC. That string is then passed to our server by your browser in a similar way as you would with an HTTP cookie. Is your browser spyware since it hands over referrer, and a host of other info, to a server? Disable JavaScript in your browser and there is no "phone home", as you put it.

Initial versions of NASLite did not include the facilities to invoke the "ILLEGAL COPY" image from our server. That oversight on our part resulted in thousands of copies being traded on warez sites, Ralph and I answering thousands of support emails from people that obviously did not purchase the software, hardware vendors selling their NAS devices all over the place with pirated copies of NASLite+, etc. The point is that the little image on the top does something very fundamental for us. It allows us development time. Otherwise, both Ralph and I would have to regretfully step back and witness the demise of Server Elements. That would be unfair both to the users that support us and to the tolerant families we go home to in the evening.
Quote:
That wasnt my intention, as a programmer myself I absolutely respect copyright law. It was a very small extract just to illustrate what I was talking about. Very sorry if you really feel this way.

I am really puzzled by your approach, galps. You are obviously skilled enough to decrypt the code. As a programmer, you should also be aware that there is a reason why the code is encrypted in the first place. Both Ralph and I know that keys are for honest people. The encryption simply states that the code has an owner and is not for public viewing. As I said in my previous post, I understand the curiosity even though I am not happy about it. You chose a rather destructive way to illustrate what you are talking about and made it so on this public forum.

What I am satisfied about is the fact that you acknowledge my concern and will respect the license and copyright.


 Post subject:
PostPosted: Mon Dec 19, 2005 2:36 am 

Joined: Thu Sep 15, 2005 1:44 pm
Posts: 14
Quote:
Sorry, but Tony has a vested interest in not having this product labelled spyware. It clearly fulfils the definition of monitoring users, as it demonstrably phones home and reports on the hardware it's running on, the IP address you are accessing the web interface with, and a serial number that can be used to personally identify you.


So let me get this straight,

IP address: they got it when I come here and also when I bought it
Serial number: they issued it to me, so I assume they know it belongs to me

MAC address: what are they gonna do with that?

I'm not getting any of this paranoia unless you've pirated the software.

