
Western Digital and OwnCloud Team Up to Bring OwnCloud to Home Users - LukasReschke
https://owncloud.org/blog/western-digital-and-owncloud-team-up-to-bring-owncloud-to-home-users/
======
scr4ve
I don't really get why one wants to trust ownCloud with private files:

\- "logging changes":
[https://github.com/owncloud/core/commit/eea96298951805dfc6eb...](https://github.com/owncloud/core/commit/eea96298951805dfc6eb9f58ccb172b5a718e7e2)
vs [https://owncloud.org/security/advisory/?id=oc-sa-2014-020](https://owncloud.org/security/advisory/?id=oc-sa-2014-020)

\- ownCloud is a PHP application with quite a few third-party modules of
varying quality. Looking at the security history of Wordpress, it's not hard
to imagine what's going to happen.

\- The maximum bug bounty for ownCloud is 500 USD. I think my data easily
exceeds that.

\- From what I've heard, security fixes are provided to enterprise customers
first, so if you're lucky your adversary is one of them and knows about
vulnerabilities way ahead of you.

To their credit, ownCloud openly publishes security advisories for every
vulnerability, but I still think it's architecturally designed to fail.
Exposing this to the internet is probably a bad idea. If you just need
storage, you probably should just use dumb storage. If you need project
management stuff and care about privacy, maybe look at
[https://protonet.info/](https://protonet.info/) or something along those
lines. Also [https://www.boxcryptor.com](https://www.boxcryptor.com) is really
nice - the Dropbox desktop client does proper cert pinning (ownCloud doesn't)
at least.

Other than that, storage connected to a raspi via USB will probably yield
rather bad transfer speeds?

~~~
kentonv
If you're interested in something ownCloud-ish but with more security
emphasis, you might like Sandstorm:

[https://sandstorm.io](https://sandstorm.io)

[https://docs.sandstorm.io/en/latest/developing/security-prac...](https://docs.sandstorm.io/en/latest/developing/security-practices/)

(Disclosure: I'm the lead developer.)

~~~
reitanqild
Happy user here. Sandstorm works amazingly well.

Especially enjoy

\- the usability of Sandstorm - it just works.

\- extensibility - you can adapt other apps, open source or commercial, to run
on Sandstorm. As far as I'm aware you can even upload them to the hosted
version.

\- security seems to be taken good care of by pragmatic and experienced
people.

\- the fact that I can pay a small amount monthly for it depending on my
storage and computing needs, making sure incentives are aligned (although last
time I checked I think Sandstorm hadn't even started the billing machine.)

Furthermore it seems to be completely, real, free software - I ran the OS
version on a machine at home for months before Oasis became available to me,
and I haven't noticed any juicy parts missing or filed under "Enterprise
only". The only difference between the versions seems to be the storage and
compute resources available. (OK, the billing system doesn't seem to be in the
Open Source version, but that is OK to me. : )

~~~
kentonv
Thanks for the kind words. :)

------
Shank
> We will create a self-hosted device with Western Digital hardware and
> ownCloud software, to be made available for on-line purchase in early 2016.
> In preparation for this we’re looking for people who want to help us lower
> the barrier to self hosting and help turn this dream into reality.

Maybe I'm being cynical, but the way the first paragraph is worded seems a bit
odd. Is the goal of this project to act like free R & D for ways to deploy
this or make it compartmentalized? It seems like it. Why would you send 10
developer units out, require proposals, etc.? No compensation is offered --
just a devkit.

> This is where you come in! We’re looking for concrete proposals and offers
> for help. Can you build a disk image which boots up and allows a laptop to
> find it over the local network? Can you create a setup optimized for
> performance on the Pi? Can you write a simple web interface to finish
> configuring the Pi or to check how it is running? Develop a backup tool?
> We’re looking for creativity here!

Fantastic, that sounds a lot like crowdsourcing your product development.

> Sometime in February or March you can expect ownCloud and Western Digital
> Labs to release a goodie – and you will be there with a big thank-you in the
> manual!

A thank-you in the manual. My goodness!

> This is a project of the ownCloud community, not ownCloud, Inc.

But who's going to be shipping the final product, with the fixes that someone
makes, and gets the thank-you in the manual? The ownCloud community?

~~~
jospoortvliet
We're an open source project, remember. 'product development' happens in the
open.

ownCloud, Inc. is not involved other than allowing some of their employees (me
included) to spend some time on this, even though it isn't interesting for
customers at all. See [http://blog.jospoortvliet.com/2015/12/western-digital-labs-a...](http://blog.jospoortvliet.com/2015/12/western-digital-labs-and-owncloud.html)

So, on your last point: yes. As in - WD will ship the hardware, and the
software comes from volunteers - or not at all.

IF this turns out successful (as in, the first batch of devices has great
software and sells out in 2 weeks so a second, much bigger batch is made)
we'll talk to WD about sharing some of their profit with the community. Until
then, there are only costs for all involved and we're not asking for financial
donations to cover that. Isn't that cool?

------
pjc50
People are somewhat missing the point with the security discussion: the target
use case is almost certainly the "home NAS" box, such as the WD "My Cloud"
they already sell. You put it entirely inside your firewall and use it to
stream media and so on.

Having an open-source version supported by WD is much better than having a
random closed-source web UI on your NAS.

~~~
radiorental
Yeah, I'm looking at the security discussion with interest and a lot of
confusion.

I appreciate that security is important and those that give it up for
convenience deserve neither... but I'm at a loss as to why some 'hacker' would
go to the effort to sift through the type of content that is typically stored
on the average NAS box. Like you said, family photos, birthday videos...

If you're a digital nomad / home office user then yes, your livelihood depends
on something more secure - but that's not the userbase here.

I have rolled my own raspi/owncloud in the past but happily use the WD MyCloud
to sync all the devices in my house.

~~~
scr4ve
> but I'm at a loss as to why some 'hacker' would go to the effort to sift
> through the type of content that is typically stored on the average NAS box.
> Like you said, family photos, birthday videos...

It's not 'some hacker' going through your stuff, it's an automated attack
scheme. Your adversary may choose to do something CryptoLocker-like or more
stealthy stuff that makes your NAS part of a botnet. Neither option is good.

As others pointed out, it is highly likely that the ownCloud instance ends up
publicly accessible, because that's the primary way to access files from the
outside.

~~~
radiorental
Thank you. Out of curiosity, can you point me at a significant case of
cryptolockering of NAS data? I've read of Windows boxes being hit.

I have nothing on my WD MyCloud that isn't duplicated somewhere else (either
it's a backup of google photos/videos, or dupe'd to a USB drive)

Again, a lock is the same as a HD failure to me. Both could happen with this
setup. If the information is too valuable to fall prey to either circumstance
then the system as implemented is the wrong setup.

Now, a botnet is different. I assume one could not run off of the WD box and
the Raspi/Owncloud base is too small to target. Unless you can point me at
content that indicates otherwise?

~~~
scr4ve
> Out of curiosity, can you point me at a significant case of cryptolockering
> of NAS data?

[http://www.theinquirer.net/inquirer/news/2358733/synology-na...](http://www.theinquirer.net/inquirer/news/2358733/synology-nas-drives-get-cryptolocker-clobbering)

> I have nothing on my WD MyCloud that isn't duplicated somewhere else (either
> it's a backup of google photos/videos, or dupe'd to a USB drive)

It sounds like it doesn't apply to your case, but a potential issue with
Dropbox/ownCloud/Google Drive is that the master server can instruct all copy-
holders to delete their copies. You should have off-site backups, but I
suspect many people don't.

> I assume one could not run off of the WD box and the Raspi/Owncloud base is
> too small to target.

This is not really an issue - there are multiple router-based botnets as well.
You can't really mine bitcoins, but there are tons of other things you can do,
e.g. DDoS is usually not constrained by the processing power.

------
0942v8653
I was about to ask if a Raspberry Pi 2 would be sufficient to run OwnCloud,
but it looks like it's the hardware of choice—great!

Is there a way to run OwnCloud along with a typical system (really, an ssh
server and a few utility programs) on the Pi? It's mentioned as an SD card
image, but it would be nice to run it on top of a normal Raspbian or Arch
installation.

~~~
Aeolos
ArchLinux ARM has packages for OwnCloud. Unfortunately, the software itself is
a PHP spaghetti monster from hell (is there any other kind?) that doesn't
really scale.

Even worse, the RPi is extremely limited in I/O capabilities, with only a
single USB2 hub shared between the 100Mbit ethernet and 4x USB2 connections
(including your hard drive.) This means that any file transfer is limited to
10-11 MB/s in the best case... We can only hope that an RPi3 with USB3
support will materialize before 2020.

I am running a RPi2 as a home server / NAS / VPN / seedbox, and it works - as
long as you set your expectations right.

Finally, note that the RPi kernel stack is always slightly outdated due to
out-of-tree patches. Most ARM SoCs suffer from this problem, and the RPi
foundation is slowly taking steps to fix that after years of user pressure.
However, I have decided to switch to a low-power x86 CPU with a fully open
Linux stack for my future home server needs, until ARM decides to fix their
driver mess.

~~~
Carrok
> Unfortunately, the software itself is a PHP spaghetti monster from hell (is
> there any other kind?) that doesn't really scale.

And here you go invalidating your whole post with some unnecessary
inflammatory B.S.

Sure, I mean Facebook runs on PHP, but we all know it just doesn't scale and
can't be written cleanly.

~~~
gcommer
On the other hand, Facebook being built on PHP meant they eventually felt the
need to dedicate significant engineering time into building their own PHP VM
(HHVM) along with their own spin-off of the PHP language (Hack) to get it to
work for them.

~~~
thejosh
Yeah, and they could have switched to any language they wanted, but they stuck
with PHP and created HHVM (they most likely run other languages as well).

They also felt the need to create other open source things you have heard
of, such as React.

~~~
bigiain
Heh - it's funny you mention React there, in the context of sticking with PHP
instead of jumping ship to some more appropriate technology:

[http://techcrunch.com/2012/09/11/mark-zuckerberg-our-biggest...](http://techcrunch.com/2012/09/11/mark-zuckerberg-our-biggest-mistake-with-mobile-was-betting-too-much-on-html5/)

It was only 4 years ago when creating HTML5 based hybrid mobile apps was "the
biggest mistake Facebook ever made", and it was all about "native apps" for
iOS and Android... Now React and React Native are "the new hotness"...

~~~
thejosh
Or maybe the devices are "good enough" now to actually run these sorts of
things?

But yes, it is a circle of life.

------
lisianne
There are already personal cloud products like Tonido available on the Pi
([http://www.tonido.com/tonido-for-raspberry-pi-2/](http://www.tonido.com/tonido-for-raspberry-pi-2/)). They work
rather well.

------
LordKano
I had high hopes for OwnCloud. I set up a server to manage my home backups and
found it to be far too slow for my needs.

It was estimating over a year to sync a directory that was about 180 GB in
size. That's just not going to cut it.

~~~
jospoortvliet
Well, I don't know what your upload speed was - a normal ownCloud setup can
saturate the link speed with large files, a bit less with small ones, though
the latest versions get very close.

Of course, if the link is slow, 180GB is going to take a while.

If it wasn't the link speed then I suggest having a look at the manual:
[https://doc.owncloud.org/server/8.2/admin_manual/configurati...](https://doc.owncloud.org/server/8.2/admin_manual/configuration_server/performance_tuning.html)

~~~
LordKano
Thank you for replying. I should have specified.

I am running this on a 100 Mbps LAN. It's not even coming close to saturating
my switch.

------
kstenerud
I'm just curious...

I run a number of web apps as separate docker containers, and use nginx as a
frontend to force everything to HTTPS. Is there anything that these cloud
products provide over and above what I have now?

------
joshmn
Weird that they'd do this... They already kind of do with their My Book Cloud
offerings and MyCloud Files[0].

[0] [http://files.mycloud.com](http://files.mycloud.com)

~~~
jospoortvliet
Yeah, but WD is in the business of selling hard drives and they look
everywhere for ways of doing that. In this case, connected to a Raspberry Pi
and such boards... We're happy to benefit by getting a cool, ownCloud branded
device for our users ;-)

------
aaronem
One hard drive? One _1TB laptop hard drive?_

I sure hope that's not the configuration they RTM with, because they're going
to have a lot of people upset about disk failure and data loss if they do.

~~~
jospoortvliet
Backup is mentioned for a reason ;-)

We sure are looking for people to help us ensure things are safe.

------
bqjfwkbwkjfb
I find this more than a bit ironic since WD was working with the NSA to insert
backdoors into all of its hard drives, and the entire point of OwnCloud is
supposedly privacy and escaping surveillance.

~~~
geofft
Can you provide a source? All the ones I can find (Der Spiegel's article on
TAO, Kaspersky's "Equation Group" report) seem to claim that the NSA had found
ways to reflash the firmware on the victim's machine to add backdoors, and had
high-quality, robust patches to WD's firmware to add backdoors. But I can't
track down a claim that WD shipped (knowingly or otherwise) malicious
firmware, or that they knowingly provided unpatched firmware sources to the
NSA.

~~~
jospoortvliet
Still an interesting point. Note that the software for this device will be
fully developed in the open on GitHub and IF WD builds in a backdoor between
us shipping the final image to them and them putting it on the devices before
they go out to users, it will not be terribly hard to find out. Heck, ownCloud
9 will already verify its own code and warn if things are modified, maybe we
can do something in the OS image which does some checks, too.

You're welcome to help out!
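The post above mentions code that verifies itself and warns when files are modified, and floats doing the same for the OS image. The following is an added example of that kind of check, written for this thread and not taken from ownCloud, Western Digital or the device project; the manifest layout, function names and the tiny sample tree are assumptions made for the example. It records a SHA-256 digest per file in a manifest, pins a digest of the manifest itself, and then reports modified, missing and unexpected files. The demo also shows why the pinned value has to live outside the tree: an attacker who can rewrite files can rewrite the manifest too, so only a value the user obtains independently (a published digest, or better a signature over the manifest) catches that.

```python
"""
Added example (not ownCloud's or WD's code): a minimal file-integrity check
of the kind the post describes, using a manifest of SHA-256 digests.
All names and the sample file tree are assumptions chosen for this example.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def digest_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large image files don't hit memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = digest_file(p)
    return manifest


def manifest_digest(manifest: dict) -> str:
    """Digest over the canonical JSON form of the manifest. This single value
    is what must come from outside the image (published by the project and
    compared by the user); a real deployment would sign the manifest instead."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def verify_tree(root: Path, manifest: dict, pinned_digest: str) -> dict:
    """Compare the tree on disk against the manifest and the pinned digest."""
    result = {
        "manifest_ok": manifest_digest(manifest) == pinned_digest,
        "modified": [],
        "missing": [],
        "unexpected": [],
    }
    current = build_manifest(root)
    for rel, expected in manifest.items():
        actual = current.get(rel)
        if actual is None:
            result["missing"].append(rel)
        elif actual != expected:
            result["modified"].append(rel)
    result["unexpected"] = sorted(set(current) - set(manifest))
    return result


def demo() -> dict:
    """Constructed scenario: build a tiny 'image', pin its manifest, then
    tamper with the tree and show what each verification step reports."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "lib").mkdir()
        (root / "index.php").write_text("<?php echo 'hello';\n")
        (root / "lib" / "base.php").write_text("<?php // base\n")

        manifest = build_manifest(root)
        pinned = manifest_digest(manifest)   # in practice: published out of band
        clean = verify_tree(root, manifest, pinned)

        # Tamper: change one file, add one file, delete one file.
        (root / "lib" / "base.php").write_text("<?php // base, changed after build\n")
        (root / "extra.php").write_text("<?php // not part of the build\n")
        (root / "index.php").unlink()
        tampered = verify_tree(root, manifest, pinned)

        # An attacker who can also rewrite the manifest makes the per-file
        # check pass, but the manifest no longer matches the pinned digest.
        forged_manifest = build_manifest(root)
        forged = verify_tree(root, forged_manifest, pinned)

    return {"clean": clean, "tampered": tampered, "forged": forged}


if __name__ == "__main__":
    for name, report in demo().items():
        print(name, json.dumps(report))
```

The per-file digests detect accidental corruption and careless tampering; the pinned manifest digest (or a signature checked with a public key that ships separately from the image) is the part that makes the check meaningful against someone who controls the image itself.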

