Nextcloud Planet, April 7th 2020

We’re partnering up with ITServicenet: delivering Nextcloud in Italy!

Meet ITServicenet

ITServicenet is an Italian company with over 2 decades of experience in managing open source servers and developing various software solutions. They handle virtualization, high availability, monitoring and storage, helping customers set up and manage a powerful, reliable infrastructure. ITServicenet offers Italian support and services around Nextcloud.

2 decades of open source experience

Over 100 companies, most of them Northern Italian, operating mainly in the Manufacturing industry and ITC trust the ITServicenet team to find the best solution for their IT needs.

The professionals who make up the team have over 20 years of experience in the implementation of open source enterprise solutions. In 2019 ITServicenet co-founded the Enterprise OSS association in order to spread the ‘open source for business’ philosophy and offer professional assistance to those who also believe in this philosophy and use open source technologies.

Nextcloud and ITServicenet

Among other open source solutions, Nextcloud is the one ITServicenet recommends to its customers for file sync & share and online collaboration. ITServicenet is one of the official Nextcloud partners and offers support services in the Italian language. Here’s some translation work they’ve been doing on some videos.

Dozens of businesses that are now using Nextcloud reacted with enthusiasm to the fact that they could access their office’s documents from anywhere, while all that data would still be on premises under their control and ownership. Work is now facilitated and lots of day to day tasks have become easier to handle.

Thanks, life’s now easier 😉 There’s a whole ecosystem of apps available for Nextcloud. Among all these, group folders, contacts, calendar and ONLYOFFICE that in the new Nextcloud Hub have been intelligently integrated, are highly appreciated by our clients!

More and more businesses in Italy are reaching out to benefit from the advantages of the EFSS solution, and ITServicenet is planning to add an ad hoc training service so everyone can make the best use of the available Nextcloud features.

At ITServicenet, they strongly believe that the community behind the scenes provides great added value to Nextcloud. And we are always happy to welcome new open source advocate partners on board!

Nextcloud Planet: before yesterday

Learn from the crisis: strengthen digital civil society

A group of prominent NGOs and social movement organizations in the digital sphere have banded together in an initiative to advocate for independent digital infrastructure and free access to knowledge during this crisis! Nextcloud fully supports their goal, telling government especially that:

Building a digital ecosystem that is oriented towards the common good must finally become a political priority!

This crisis, among health consequences, has had and will have a big economic impact. Individuals, organizations and companies have moved towards digital infrastructure in order to conduct their everyday tasks, resulting in major growth at the large technology corporations over the past weeks. The crisis has given these companies a quickly growing market penetration and, often, the winners are few and large, consolidating power further in the hands of a small number of mostly Silicon Valley based corporations.

The pressure has forced many organizations to forego the usual analysis of costs and risks. The near-absolute control a few companies now have over the data and productivity of much of the world, and the way they monetize this position, is worrisome. Just a few weeks of scrutiny on some of the suddenly-big players like Zoom has already resulted in an impressive and even more worrying list of problematic behaviors; some of these have been corrected, but certainly many more still have to be found out.

There are a LOT of reasons to make an active digital ecosystem that offers real options a requirement: we can not be dependent on monopolies during hard times.

The ideal alternative would stop these companies from being a monopoly and allow the public and businesses to have a real choice. It would be a digital infrastructure made of free software, decentralized platforms and voluntary or open source organizations. Luckily, the technology actually already exists, and dozens of groups and organizations have been working together on decentralized and resilient digital infrastructures. These people and organizations have been fighting for everyone’s digital rights, and now they are working on free access to the Internet. There are initiatives for free radio networks, the provision of secure communication channels, offers for free knowledge, and open data and free software applications. Long story short, there are many groups that fight for the common good, often relying on voluntary work and citizen donations, expecting only public support in return.

The German “Digitale Zivil Gesellschaft” or Digital civil society publicly demands that

Building a digital ecosystem that is oriented towards the common good must finally be given political priority!

Politics should ACT, RE-PRIORITIZE, approach, acknowledge and SUPPORT these organizations and the good they’re trying to achieve! That is why, indeed, you can find our logo there.

What needs to be done is:

  • Politicians should open up even further to suggestions from society and include them in policy making
  • Targeted funding – new funding mechanisms are needed that support the establishment of sustainable structures and not only focus on innovation, but also on the maintenance and further development of existing technologies.
  • Public money, public good – legal foundations are required to make it compulsory for content developed with public funds to be made accessible and reusable. Data protection must always be guaranteed.
  • Development of public digital infrastructure – continuous government investment in developing and maintaining digital infrastructure and building resilient networks is recommended

We at Nextcloud, as open source software developers and supporters, strongly believe in knowledge freedom, we believe that in times of crisis everyone should have choices and we fully support the goal of this initiative.

As a security-conscious and privacy-respecting company, it is our job to spread awareness of digital sovereignty.

Find some great blogs (in German) from fellow signatories below, and read on for more thoughts and analysis from us.

https://netzpolitik.org/2020/digitale-zivilgesellschaft-staerken/

https://www.ccc.de/de/updates/2020/zivilgesellschaft

How this crisis affects business, governments and individuals

Moving digital has, in the last couple of (yes!) years, been the ultimate choice of businesses in order to be future-ready in terms of growth, besides the benefits that online work offers in facilitating work and making everything easier in real time. These are benefits which governments, too, have started to acknowledge.

Moving digital, though very beneficial, was not a necessity to every business or institution, until some weeks ago! The crisis our world is now facing brings every single team in front of a choice: move digital or (slowly) stop existing. Not only business, but also crucial governmental institutions have the need to move to an online infrastructure, if they haven’t yet.

While many can make assumptions, nobody really knows for sure how long this crisis will last, and in an unfortunate way, this crisis favours enterprises operating in the digital sphere as companies will aim to “survive and/or evolve” and governmental institutions should fulfill their own mission. Larger market share for digital businesses is the result and more citizen data will be available on servers than ever before.

And here comes the question: who owns those servers?


In the online world, security and data privacy are a huge concern for companies, governments and individuals whose data might be part of these organizations’ work.

  • First, there are the many ‘free’ tools you can use. You don’t know what they do with the data you feed their servers with. You just know that, given you are not paying, you’re not the customer – you’re the product being sold, to advertisers for example.
  • Then there are the paid proprietary software solutions, where you equally don’t know what happens in the code or how and what they do with the data you hand out to their servers, but perhaps you trust them more as you pay for the service. Of course, they can earn far more from you if they simply ALSO do what the first category does, so there are no guarantees.
  • Last, there are open source solutions which you can run on your own servers or at a hosting provider you choose and trust, either with full control by you and your system administrators or managed by a trusted party. You’ll always have full transparency in who has access to the server or its data!

This is a call for every organization or individual new to this “online world”. If you are an individual who’s just trying to get around, you still don’t want your data sold. It is a risk!

Risks for businesses

If you are a company that deals with employee and customer data, you don’t want this data handed to other parties as that exposes you to legal risks and can result in your competitors gaining a big advantage over you.

Just think of how a small business selling its products over Amazon gives Amazon complete knowledge of its products and customer demand. Amazon has made it its business to analyze that data and then simply replace the most popular of these products with a cheaper, better promoted, Amazon-branded version – killing those businesses’ most profitable products in a single, completely legal (within the terms of service) stroke of a pen.

And just because you don’t sell products on Amazon does not mean this can’t happen to you! Your data can always be ‘anonymized’ and sold to a competitor by your cloud provider – after all, if it can’t be traced to you, how could you ever prove (or know) they did find a way to earn a little extra on you?

Learn more

If you’re German speaking, check out Digitale Zivil Gesellschaft, if you’re not – here are some articles to help you learn more about security, privacy and how self-hosting open source technology can help.

https://nextcloud.com/yourdata/

https://nextcloud.com/blog/the-issue-with-public-cloud/

https://nextcloud.com/blog/over-70-of-enterprises-moving-applications-back-on-premises-among-security-and-cost-concerns/

https://nextcloud.com/blog/eu-and-us-government-agencies-converge-on-conclusion-us-cloud-platforms-not-compliant/

https://nextcloud.com/gdpr/

Data Protection Officer of Baden-Württemberg recommends Nextcloud Talk

The Covid-19 crisis is putting a lot of pressure on organizations to enable remote working and collaboration. The ease of deploying cloud solutions means this is a route often taken, but it comes with significant data protection risks. The Data Protection Officer of the German state Baden-Württemberg recently published an analysis of these challenges and recommends the use of ‘on-premises’ solutions over software-as-a-service solutions.

The analysis points out that when a choice for a solution is made:

care should be taken to ensure that the provider neither evaluates metadata (who communicated with whom and when) nor evaluates the content data of the communication for its own purposes or passes it on to third parties.

There are options:

There are numerous solutions based on open source software (e.g. Nextcloud Talk, Jitsi Meet, RocketChat or Matrix) that can be used in accordance with data protection principles.

They warn that it has been shown that mobile apps in particular sometimes reach out to their makers, or even third parties (like Zoom, which was recently shown to share user data with Facebook, irrespective of the user having a Facebook account), and this is a risk a Data Protection Officer needs to be aware of. You are, as an organization, responsible for where the data of your users ends up, and pushing them to a solution with terrible terms of service is legally risky.

There are a number of other tips, including on the use of video chat, and we recommend German readers read the entire recommendation.

David and Jeff – Wirtschaftswoche interviewed Frank Karlitschek and Achim Weiß

Last January, two German cloud leaders partnered up: Nextcloud and IONOS wanted to offer a cloud solution that protects the digital sovereignty of European organizations. This week the prominent German Wirtschaftswoche ("business week") published an interview with the founders and CEOs of both companies, Frank Karlitschek for Nextcloud and IONOS's Achim Weiß.

The interviewer visited the hosting center of IONOS in Karlsruhe, which is home to over 13,000 servers spread over 11 rooms. European customers can be assured that their data is on one of the 90,000 servers in this or the other data centers in Europe.

The team collaboration solution from Nextcloud is a great fit for a German hosted cloud, offering full support for open standards and, if needed, integration of additional functionality, migration to other providers or easy export of data. This means the customer remains in control over their data. Many closed, foreign cloud solutions make migrating away hard if not impossible, creating a situation where data is sometimes nearly held hostage.

The interviewer points out that, of course, both European firms are dwarfed by the American Goliaths they compete with. Against a turnover of 25 billion, the 842 million of IONOS is small, and Nextcloud's single-digit turnover even more so. Yet the timing of the two firms' offer is great, with more and more European organizations looking for a content collaboration solution that does not require them to hand over data to what is essentially a global jurisdiction with little transparency.

Only about 22% of German medium-sized companies are using cloud services, so there is plenty of space for growth in the market and the interest in the offering is huge.

If you're able to read German and have a Wirtschaftswoche subscription, you can read the full interview and analysis (sadly behind a paywall) on their website or grab a magazine in one of the few stores still open!

Security in Nextcloud: how to block 99.9% of user account attacks

If tech sites would write about every individual data leak, they’d have no time to cover anything else. Generally, only email-and-password leaks numbered in the millions get covered. LinkedIn: 164 million. Adobe: 38 million. MySpace: 359 million. Facebook: 200 to 600 million.

It should be painfully clear that you can’t count on large tech companies to secure data sufficiently. The more important point here is, however, that passwords do not offer sufficient security. Most experts agree that it is time for a radical change. But how? A few solutions exist.


Password managers and single sign-on


There are dozens of websites like Have I Been Pwned who inform users about theft of their accounts – Nextcloud uses this service to block users picking a leaked combination of username and passwords. The problem here is, of course, that users tend to re-use passwords across services. Password managers offer a solution to this, automatically generating a secure password for each site a user uses. While that does create a single location which could be hacked, there have been no known, large password manager leaks yet.

Another solution is single sign-on. Users can log into various services using their Google or Facebook account. The advantage is, indeed, that you only need to remember one password. The downside is, of course, that these companies gain incredible power and know everything the user does. The vendor-lock-in is severe. Users who wanted to cancel Facebook accounts due to the continuing stream of security, privacy and ethical violations discovered they would lose attached accounts. For example, a Spotify account, with all favorite music and playlists, would disappear as well.

The best solution: second-factor authentication

A far better solution is second-factor authentication (2fa). This essentially means that rather than logging in with a single method of identity verification, like knowledge of a password, a service will ask for a second verification factor. For example, a code the user receives in an SMS or from an app. This would prove that not only does the user know the password, they also have their phone on them. An attacker would of course have a much harder time getting their hands on both.

Is this more secure? You bet it is. While SMS itself is not the most secure method, Microsoft has estimated that 99.9% of all attacks on Hotmail and Outlook accounts are blocked by 2fa.

So why does not everybody use a second factor like an SMS to secure logging in? There is a variety of reasons for this. With regards to SMS as second factor, users are worried about the privacy implications. They are not comfortable handing over their phone number to a service, and those worries are not unjustified. Last year, it turned out that Facebook was using the phone numbers users gave for second-factor authentication for advertisement.

But there are other issues. Two-factor authentication via SMS is relatively easy, but other factors, like TOTP, which requires users to install an app, scan a QR code on the screen and then manually enter codes, are far more complicated. Or expensive – while hardware keys are easy to use and very secure, the prices are typically over 50 euro for a key.

2FA in Nextcloud: flexible and easy

So 2FA is a great solution, but it tends to complicate things. How does Nextcloud deal with this dilemma?

Our security team always works with two simple but important assumptions: if it is difficult to use, it is less secure. And not all users are the same!

We therefore designed a number of second factors and allow administrators and users to enable and use any number of them. Currently, the following are supported and we’ll explain each of them quickly:


  • Time-based One-Time Password (TOTP, including Google Authenticator or similar apps)
  • Universal 2nd Factor hardware tokens (U2F, like Yubikeys or Nitrokeys, also supports NFC)
  • Gateways: SMS, secure messaging apps Telegram, Signal and more
  • Code in an email
  • Notification (just click to approve login on an existing device like phone)
  • User backup code (User has to generate these in advance and store them in a safe location)
  • Administrator backup code (creating those can be delegated to group admins)

Now, as you can imagine, each of these methods has its downsides and benefits. SMS is quite easy – if you have set it up as administrator and if you trust the telephone network. Signal and Telegram are nice as well, but it is hard to guarantee that all users have these chat apps!

TOTP has many apps available and can be used on many devices but is more complicated, U2F is very secure but expensive. Receiving a code in an email is a familiar method but emails can be intercepted. Notifications are supremely easy to use and secure. That last option should not be missing on Nextcloud installations!

Backup codes are a great way to ensure users don’t get stuck without being able to log in.

Let’s dive deeper into all these methods so you know what their benefits and downsides are, and which you should consider enabling on your Nextcloud server.

(Time-based) One-Time Password

This ‘factor’ is a device-generated code. This code can be used to log in, usually only once. An OTP code can have an expiration date, though often they are quite long. The user has to enter them to log in.

The popular time-based variant changes the code frequently – the most used TOTP standard generates 6 digits every 30 seconds. There are hardware tokens which have a simple display showing the codes. On mobile phones, various apps implement this standard, from the Google Authenticator app to various free and paid alternatives.

To set up TOTP, users have to give the TOTP device a long code (the shared secret) to initiate the connection; in many cases this can be done by scanning a QR code to avoid having to type anything.

During use, a TOTP device does not need to communicate with the service being used; it does not even need to know anything about it. It thus works without a network connection or on a local, firewalled network.

A downside of TOTP is that it is vulnerable to various forms of man-in-the-middle attacks. A hacker can set up a fake website designed to trick visitors into submitting their credentials. When a user falls into the trap and enters their information, the hacker gains access to their account. This attack is not easy to pull off: users have to visit the site of the attacker and mistake it for their usual website.

When enabled by the admin, users can set up TOTP in their security settings.


Universal 2nd Factor hardware tokens

U2F is a bit similar to OTP, in that a device generates a code. But, unlike OTP, users don’t have to enter it. The process has to be handled by the client, for example a browser, or an application, directly. A U2F device thus has to be connected physically. USB or NFC are the most typically used methods for this.

The service will communicate with the U2F device using public key cryptography and a challenge-response model, which makes it impossible to ‘attack’ using the man-in-the-middle attack that (T)OTP is vulnerable to.

The downside is the need of support for the devices. Browsers and apps all have to work with this and connecting a phone to a computer via USB or NFC, or connecting a hardware U2F key to a phone can be difficult in some situations.

U2F can also be set up by users in their security settings.


Gateways: SMS, secure messaging apps Telegram, Signal and more

Many users are probably familiar with receiving a code through SMS and entering it into a website login portal. Nextcloud supports connecting to such an ‘SMS gateway’, and can also use Telegram and Signal through this system. While it is not extremely hard to intercept an SMS, Telegram and Signal messages are quite secure. Unfortunately, not many users have these apps installed, so they are not suitable as general solutions for all users.

Another issue is that it takes some work from the system administrator to set up and configure these methods. You can find documentation here.

Code in an email

The fourth method is also rather familiar to users: receiving a code in their email. While email, too, is relatively easy to intercept, this nonetheless makes logging in a lot more secure and it is easy to set up and use.


Notification

Probably the easiest way for users to log into their Nextcloud is through a notification on an existing device or session. Nextcloud will simply create a notification, allowing the user to click ‘approve’ or ‘deny’. This works from a browser session, mobile phone and desktop client and requires no configuration on the side of the user.

User backup code

In the user security settings, an option for creating backup codes is given. This allows the user to generate a series of codes and store them in a secure location. Each of these codes can be used, once, as second factor to log into Nextcloud. If all other methods fail, the user still has access to their account…

Administrator backup code

In case all else fails, users can contact their system administrator. If enabled, the admin can create a one-time login code the user can use as second factor. To make it easy for companies to delegate this to personnel in a support team without giving them full administrator access, group admins also have the ability to create second-factor backup codes for their users.
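The two backup-code sections above (user-generated codes and the one-time code an admin or group admin hands out) share one mechanism: a random code that is stored only as a salted hash and deleted the moment it is accepted. The Python below is an added illustration of that mechanism, not Nextcloud's own code; the alphabet, code length and PBKDF2 parameters are choices made here for the example.

```python
import hashlib
import hmac
import secrets

# Letters that are easy to read back from a printout: no 0/O or 1/I look-alikes.
CODE_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"


def generate_backup_codes(count: int = 10, length: int = 10) -> list:
    """Create `count` random codes from a CSPRNG; shown to the user exactly once."""
    return ["".join(secrets.choice(CODE_ALPHABET) for _ in range(length)) for _ in range(count)]


def _hash_code(code: str, salt: bytes) -> bytes:
    # Slow hash so a leaked table of hashes does not give away the short codes.
    return hashlib.pbkdf2_hmac("sha256", code.encode("ascii"), salt, 100_000)


class BackupCodeStore:
    """Server-side record of one user's unused backup codes (hashes only, never plaintext)."""

    def __init__(self, codes: list):
        self.salt = secrets.token_bytes(16)
        self._hashes = [_hash_code(c.upper(), self.salt) for c in codes]

    def remaining(self) -> int:
        return len(self._hashes)

    def redeem(self, candidate: str) -> bool:
        """Accept a code once: normalise whitespace/case, compare in constant time, then delete it."""
        digest = _hash_code(candidate.strip().upper(), self.salt)
        for index, stored in enumerate(self._hashes):
            if hmac.compare_digest(stored, digest):
                del self._hashes[index]  # single use: the same code is refused next time
                return True
        return False


if __name__ == "__main__":
    codes = generate_backup_codes(3)
    store = BackupCodeStore(codes)
    print("codes to print and store safely:", codes)
    print("first use:", store.redeem(codes[0]), "second use:", store.redeem(codes[0]))
```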

Enable two-factor authentication

Recapping: second factors are incredibly important to secure accounts. While they typically have some drawbacks, the wide range of options in Nextcloud, including the incredibly user-friendly ‘notification’ option, makes 2fa a must-have on Nextcloud. Enable it today and leave feedback on your experience below!
