The loop means that the computer stays put (barring removal of the table it sits on.) If a would-be thief wants the data, they would be stopped as soon as they disconnect the cable.
It also provides a theft deterrent function against would-be skulkers. If they knew that they disabled a device that would be worthless to a fence just by disconnecting it from a cable, they likely would leave it alone.
Of course, a Kensington lock slot wouldn't hurt either, especially if there were some way to detect someone trying to break the lock off.
There is always the Austin method of doing road "improvements"... if it is a new road or a lane add-on, make it a toll road with surge pricing. Delay the building by 2-3 years, and people will be grateful to pay for it, if only because the construction is gone.
Come to think about it, there is a lot that could be tossed with exclusively self-driving cars on the roads, be it lines (cars can be put in where they fit, width wise), guard rails, or even flyovers, as cars can be timed to speed up/slow down to pass at highway speeds through a four way intersection. Signage can be tossed as well.
Unless it is a red light camera or a speed trap, which generates revenue for some entity, there is no incentive to lift a finger to do road sensors. Sadly, that is how the US works.
I'm actually impressed by this machine. Yes, a new NUC can probably do more, but the ORWL with a glass case is pretty impressive when it comes to security, especially if it can handle virtualization with the supported Ubuntu distro, so one can use it to run Windows 10 in a secure manner if need be. PCs designed for security from the ground up are not very common.
My only wish would be if they could add two ports for a fiber optic cable loop. This could be S/PDIF or any form factor. The goal is to have a fiber optic cable that could be looped around a desk or sturdy object, similar to a Kensington lock. If the cable is cut or unplugged, the machine goes into a locked state. This way, it turns the theft into "just" hardware.
"Security has no ROI" is a mantram I've heard uttered in a lot of places dealing with IoT. They don't care at all, because the EULA protects them from most stuff, the fact they can throw up their hands and say, "the blackhats can break into everything" gives them legitimacy with the press, and if push comes to shove, there are no real laws out there that have any teeth. Someone can have a root shell on a telnet port, and a company having that would not have to fret about stock prices. If people griped, they just tell users to buy the version 2 of the device that might move the open port from 23 to another ID, call it done.
What would be the ideal, would be something like UL listings, except instead of electrical safety, is for security. However, I wouldn't be surprised if this gets perverted into no real remote security, but "security" from the owner being able to do things with the device.
That has been my experience. I've felt like the IRS people I dealt with (when I had to deal with a case of ID theft, thanks to a previous job that viewed security as having no ROI, thus all my info became pretty much public) bent over backwards in order to find me records I needed.
Call me crazy, but taxes are the price one pays for civilization. I'd rather hand over some cash than have to man my own gun turrets, or pay a meter so I can use a park bench. Yes, I might pay taxes for a road that I may not use every day, but someone is paying taxes for a road they don't use every day that I drive on as well.
In my state (Texas), they pretty much killed Green Dot because they have a layer of registration to be used. Now, the bad guys wind up using store cards or iTunes cards.
I also use Git for storing documents. If ransomware comes a-knocking and trashes my files, a reinstall, reload of apps, and a git clone gets all my data back. Having a native command line for that, as well as for using a deduplicating backup program like borg backup, attic, or others, is quite nice to have.
The ironic thing is that of all the archive formats I've used, .rar has been quite reliable. I managed to recover some files from a ten year old set of CD-Rs that were in WinRAR segments, even though one of the disks was bad, because when I burned the disks, I had a few .rev files in place, so I used that in place of the bad CD, and got everything back.
Barring a mass extinction event, computers will be around, so we will have some method of reading optical media (just because optical drives are so prevalent.) I would hazard to assert that a good quality CD-R with a bunch of PDF/a documents will still be readable in some fashion 50-100 years from now.
In 2009, in Austin, someone rewrote the messages on some traffic signs to alert about zombies. This has popped up on occasion. (Currently, there are news alerts to be watching for people dressed as clowns that are menacing elementary schools, so zombies are out of fashion right now.)
It does make me wonder how one can tell if there is a real zombie invasion. I'm guessing if there are a lot of people staggering around, and it isn't an ACL or SXSW weekend, one might worry.
Virtualization != sandboxing. You can sandbox on Windows with Sandboxie, where all writes from the sandboxed app are redirected elsewhere. Doing this doesn't require a separate OS or filesystem, so it doesn't add that context shifting as overhead.
You can also run your Web browser in a VM. You get better separation, but at a price, although with hypervisors becoming the norm and not the exception, running VMs may not have as onerous a penalty as they used to.
I like a combination of the two. I like browser windows and tabs separated from each other, like what Chrome/Chromium does, but the browser should run in its own VM so if something does get out of the browser, it is in a completely separate user and machine context. Without the VM isolation, even if malware just has context of a user, that can allow files to be uploaded and ransomware to do its dirty work.
Jails are another solution, but it can be argued that it might be best to completely isolate filesystems, especially if some software decides to do stuff like mkdir foo; cd foo loops, or just create tons of files in order to use up all inodes. Done on a VM, worst case, it means one dumps the VM and rolls back. Done on a desktop, it can mean work stoppage.
I've wondered about this myself, because I took some time out of my career to pursue my degree full time. Are companies using a B. S. or a B. A. as a filter these days, or has the filter mechanism moved to the keywords and/or certifications like a MCSE? Times have changed. About 10-15 years ago, in a recession, you could sidestep stuff by going back for a M. S., and when you got the degree, it would mean higher pay. Now, I don't see that being the case.
It depends on countries. When I was in college, I had classmates from Germany, China, and Chile. The Chinese government paid for the education for their citizen. The German had his paid for. The Chilean had his paid for by his government. It was the people in the US who were paying for their own education in a STEM major. The US needs to stop eating its seed corn.
If there is a need for transactions to be atomic, perhaps multiple signatures with expiration dates would be useful. One to "pre-sign" the transaction, and if that transaction isn't cancelled (perhaps with a nonce that is stored as a hash), after "x" amount of time, the transaction becomes permanent. Or, a signature to start a transaction, another to end it. One can use blockchain technology in a lot of ways, and allowing people to "un-sign" something is just asking for trouble.
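An added sketch of the pre-sign / cancel-by-hashed-nonce idea from the comment above (not part of the original comment). HMAC-SHA256 stands in for a real digital signature, and the names `pre_sign`, `cancel` and `status` are hypothetical.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class PendingTx:
    payload: bytes
    cancel_hash: bytes   # SHA-256 of a secret nonce held by the signer
    expires_at: int      # at or after this time the transaction is permanent
    signature: bytes
    cancelled: bool = False


def _body(payload: bytes, cancel_hash: bytes, expires_at: int) -> bytes:
    # Length-prefix the payload so the signed fields cannot be shifted around.
    return (len(payload).to_bytes(8, "big") + payload
            + cancel_hash + expires_at.to_bytes(8, "big"))


def _sign(key: bytes, message: bytes) -> bytes:
    # Assumption: HMAC is a stand-in; a ledger would use an asymmetric signature.
    return hmac.new(key, message, hashlib.sha256).digest()


def pre_sign(key: bytes, payload: bytes, now: int, window: int):
    """Create a pending transaction; return it with the secret cancel nonce."""
    nonce = secrets.token_bytes(32)
    cancel_hash = hashlib.sha256(nonce).digest()
    expires_at = now + window
    sig = _sign(key, _body(payload, cancel_hash, expires_at))
    return PendingTx(payload, cancel_hash, expires_at, sig), nonce


def verify(key: bytes, tx: PendingTx) -> bool:
    expected = _sign(key, _body(tx.payload, tx.cancel_hash, tx.expires_at))
    return hmac.compare_digest(expected, tx.signature)


def cancel(tx: PendingTx, nonce: bytes, now: int) -> bool:
    """Cancel only inside the window and only by revealing the nonce preimage."""
    if now >= tx.expires_at:
        return False  # window closed: there is no "un-signing" afterwards
    if not hmac.compare_digest(hashlib.sha256(nonce).digest(), tx.cancel_hash):
        return False
    tx.cancelled = True
    return True


def status(key: bytes, tx: PendingTx, now: int) -> str:
    if not verify(key, tx):
        return "invalid"
    if tx.cancelled:
        return "cancelled"
    return "permanent" if now >= tx.expires_at else "pending"


if __name__ == "__main__":
    key = secrets.token_bytes(32)                      # constructed sample key
    tx, nonce = pre_sign(key, b"pay 10 to bob", now=1000, window=60)
    print(status(key, tx, 1010))                       # inside the window
    print(cancel(tx, nonce, 1070), status(key, tx, 1070))  # too late to cancel
```

Because the expiry and the nonce hash are both covered by the signature, neither the cancel window nor the cancel secret can be swapped after the fact.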
At least it can ship with Ubuntu by default. If W10 is needed, it can be run under VMWare, VirtualBox, or one's virtualization utility of choice. That way, Windows 10 can be run, but it is isolated from the hardware.
As for options, I would go with the M7, 480GB SSD, and glass case. One can't argue with a beefier CPU (assuming cooling isn't an issue), and more disk space. The glass case is useful for tamper resistance.
My only wish is if the device had a port for a Kensington lock slot, with some mechanism to zero out keys if someone yanked something out of the slot by force.
Of course, there is blue-sky stuff. For example, a S/PDIF port that would be used with a fiber optic cable as a tether. If the S/PDIF port got unplugged or the fiber optic cable got cut, the keys would be zapped. This would provide extreme security, with the only way to get around it is to destroy what the fiber optic cable was looped around.
I've ended up using VPNs to get around that. It isn't cheap, but a Linode box acting as a NAT/proxy box [1], with a VPN to your real machines can get around most of that. You can also use AWS, a router OS like VyOS or PFSense, and a VPC to also allow for your home servers to have a "legitimate" IP to handle incoming traffic.
[1]: Assume the Linode box can be compromised at any moment, so don't terminate your TLS connections there. Terminate them on your machines. It also is wise to have provisioning scripts (or Ansible playbooks) so if your Linode instance gets compromised, you can zero it out and rebuild it quickly.
That can be solved. It would take a PKI, but I can see something like USENET with some trusted CAs, ability for people to choose whom they trust, and signed messages doing a good job at stopping spam. If someone does spam, their cert gets revoked, or if a SLC based system is used, the CA just doesn't bother to sign the certs, and the nodes forwarding traffic just drop anything from that key.
The problem is that decentralized PKI research stopped at PGP, and the world moved to SSL/TLS's model of all or nothing trust. If we had various amounts of trust, a decentralized model would stop spam, but would also keep the same anti-spam mechanisms from being used for censorship.
I remember a few years back, having a FB account was pretty much a job requirement, where I got told to bugger off because I didn't tell the world how many coils I dropped in the commode that morning. It has gotten better, but for a while, I eventually just wound up making a dummy account on there, Twitter, and other places just to make the HR people happy.
It isn't just Facebook. I'm seeing companies put all their eggs in the AWS basket. My fear is that cloud providers overtake having servers in-house, and we are back to the mainframe era. Cloud places have their use, but there is always the security question, and there is always the grave concern about data sitting on a remote site where you have zero physical control over it. If there is a security breach and the data is local, you can physically yank the network cable. If there is a breach at a cloud provider, trying to staunch the bleeding is a lot tougher, especially if one of the cloud accounts got hacked, and the rogue admin has just as much power as you do.
Right now, we are at the point where a technology is starting to be widely adopted, and people are nervous about it (perhaps rightly so.)
However, I can list a number of things that can save time:
1: Being able to use commute time for something else than watching the taillights of the car ahead. You can have a vehicle which can function as a mobile office, or a bedroom, where with longer commutes, use that time for useful things, be it reading, doing some work, or just going back to sleep.
2: Vehicles can take themselves to get oil changed and inspected. This can save a day's worth of work.
3: Fewer trips would be needed. With a self-driving van, one can call Home Labyrinth, run the credit card, have the van drive to the pickup depot, and come back. This way, if someone runs out of plywood, but still has stuff to do, all it takes is a quick order via a web page, and work can continue.
4: If you are drunk, stoned, tripping balls, high, or all the above, you can still go home in your own vehicle. This in itself will save a lot of time because the police will have to clean up fewer wrecks.
5: Vehicle safety can improve. Cars can be packed closer together, intersections for highways can be made into simple four way intersections, with the cars slowing up or speeding up so vehicles can fly through without having to stop.
6: It saves time parking. Parking of automated vehicles can be handled far more densely than normal parking. Vehicle parking can be moved to the outskirts and not downtown, with a small lot used for quick unloading/loading.
7: It would allow for long trips easily, assuming vehicle auto-fueling. Speed limits can be tossed out the window, with the speed of the vehicle being what it can do, as well as environmental conditions.
8: If you need to carry a lot of stuff to a jobsite, and you just have one person, you can load multiple vehicles.
Of course, there are a few issues that need to be solved:
1: Security. If a blackhat could lock a vehicle's doors and demand ransom, or else it will ram the vehicle (and its occupants) off a bridge, that would be a show-stopper.
2: Third party control. It could be done that cars could be told that they cannot stop at or near areas, or that when someone hops in their car, it takes them downtown for jail processing because of a warrant. Or, some bill collector gets with the car maker and shuts down cars.
3: Corner cases. Thankfully few, but there will be many people out there looking for many ways to get a driving AI to fuck up, so they can play the lawsuit lottery.
All in all, there are issues, but the benefits are quite useful, and far outweigh the risks (which can be mitigated.) Security can be done. For example, the XBox is going on years, with not a single working jailbreak. Similar with the PS4. Even humble old Blu-Ray is still a cat and mouse game, with fewer and fewer decoding utilities available. Third party control can be legislated. Corner cases are relatively few, and that is what insurance is for, as well as dash cams to show if it was a true deliberate action.
Is it possible to roll back to an earlier version? Even though it is rather old, the pre-AOL one wouldn't be too bad. Maybe the one before Canter & Siegel? Heck, I'd take the one before Eternal September.
Linux is nice because one can secure it as they see fit. Someone on the operator level can enable patching at certain times in RedHat and downstreams, Debian, and Ubuntu, with ease. This isn't something you would do in production for obvious reasons, but with modern mainstream Linux distros with their default installs, it actually is more work to not enable patching than to enable it.
An admin that is more versed would be using some sort of patch management system, if only to ensure that SSH, OpenSSL, the kernel, and other critical components are not just patched, but there is validation that things are at that patch level.
Next tier up, the admin would have a CM tool which either gets pushed or runs locally with a stanza like this:
---
# Keep openssl at the newest version the distro's package manager offers
- name: Update openssl
  package: name=openssl state=latest
The above stanza would get pushed to all boxes every so often.
Of course, Linux can be horrific if unpatched, because there is so much a blackhat can do on a Linux box, even if root access is unavailable. However, in general, because Linux is open, there are fewer moving parts which are hidden away from the user. For example, when Shellshock came out, and a quick patch had to be done, it wasn't hard to build a static busybox binary as a workaround until a few hours later, bash was patched.
One ideal might be having good in and out firewall rules on the machine. It takes time for initial setup and maintaining, but isn't that bad (it can be put in your playbooks or .pp files.) That way, a telnet server will not be accessible by anything.
I agree with you. I have had very good luck with the apps Synology has. The Git app, though bare-bones, is useful. The Hyper Backup function works with many sources (especially with something like Amazon Cloud Drive that provides unlimited storage), the device easily supports 2FA (I just copy my google-authenticator file to /usr/syno/etc/preferences/, and the web server will ask for the Google Authenticator ID. SSH can be locked down as well.)
For a NAS, it is surprising how much stuff the Synology (and the QNAP offerings as well) support.
SynoLocker is an old issue, with DSM 5.x and 6.x patching it, and future items get autopatched if one turns that on during initial setup (the default is to auto install security patches). It also is wise to not have your internal NAS devices on the Internet (mine have a firewall script that allows incoming from the local segment, outgoing to Synology's patching sites, and blocking all other traffic.) It also is wise to use the Hyper Backup utility to back data up to somewhere (external HDD, cloud provider, etc.), preferably using encryption.
There isn't anything wrong with using unRAID, FreeNAS, or another utility. However, the main reason I use Synology products (QNAP is another good maker that tends to have an edge on hardware for the same price), is wattage use. The two I have use at most 40 watts, and significantly less than that when idle. A modern PC is thrifty on power, but having an ARM appliance is also quite nice. Of course, the PC gives a lot of flexibility, but having a NAS designed from the ground up, hardware and software for the dedicated purpose doesn't hurt either.
The price is right as well. I picked up a two drive unit with an ARM CPU for about $150, added drives, and it has been running 24/7 quite reliably.