My first thought was perhaps they're trying to fetch a favicon for rendering against the traces in the UI?

Sounds like a great way to get sentry to fire off arbitrary requests to IPs you don’t own.

sure hope nobody does that targeting ips (like that blacklist in masscan) that will auto report you to your isp/ans/whatever for your abusive traffic. Repeatedly.

> Is "clown GCP Host" a technical term I am unaware of, or is the author just voicing their discontent?

Clown is Rachel's word for (Big Tech's) cloud.

The circus left town, but the clowns are still here.

> Is "clown GCP Host" a technical term I am unaware of, or is the author just voicing their discontent?

The term has been in use for quite some time; It is voicing sarcastic discontent with the hyperscaler platforms _and_ their users (the idea being that the platform is "someone else's computer" or - more up to date - "a landlord for your data"). I'm not sure if she coined it, but if she did then good on her!

Not everyone believes using "the cloud" is a good idea, and for those of us who have run their own infrastructure "on-premises" or co-located, the clown is considered suitably patronising. Just saying ;)

Also, sometimes, we use the term 'weenie' rather than 'clown'. They are interchangeable.

Unless you know what you are walking into ahead of time I would not recommend Synology to someone who wants to host a bunch of stuff and also wants a NAS. I don’t touch any of the container/apps stuff on my Synology(s), they are simply file servers for my application server. For this purpose, I find Synology rock solid and I’ve been very happy with them.

That said, I’ll probably try out the UniFi NAS offerings in the near future. I believe Synology has semi-walked-back its draconian hard drive policy but I don’t trust them to not try that again later. And because I only use my Synology as a NAS I can switch to something else relatively easily, as long as I can mount it on my app server, I’m golden.

I bought Synology RS217 for $100 last year and it's the best tech purchase I made in years. The software it comes with is the best web interface I experienced in years. The simplicity, stability and attention to detail reminds me of old macs. I have macmini as application server and did not expect to use Synology for anything but file storage / replication. However it comes with a great torrent client that I use all the time now. We also use Synology Office instead of google docs now. It exceeded all my expectations and when it dies, I will immediately buy one of the new rack stations they offer.

You wanted a server and complain NAS is not just a server.

(Copied from an earlier comment of mine)

There are guides on how to mainline Synology NAS's to run up-to-date debian on them: https://forum.doozan.com/list.php

please don't do this to your synology

leave it to serve files and iscsi. it's very good at it

if you leave it alone, no extra software, it will basically be completely stable. it's really impressive

You can run a container on Synology and install your custom services, tools there. At least that is what I do. For custom kernel modules you still need a Synology package for something like Wireguard.

If you have OPNSense, it has an ACME plugin with Synology action. I use that to automatically renew and push a cert to the NAS.

That said, since I like to tinker, Synology feels a bit restricted, indeed. Although there is some value in a stable core system (like these immutable distros from Fedora Atomic).

I'm so happy I didn't buy a NAS, Synology or not. I think a proper computer running Linux gives me so much more flexibility.

"Darknet collection during final /8 run-down captured audio in UDP."

Mind elaborating on this? SIP traffic from which year?

In other words: never put sensitive information in names and metadata.

> Can't even name the domains on my own damn server with an expectation of privacy now.

You never could. A host name or a domain is bound to leave your box, it's meant to. It takes sending an email with a local email client.

(Not saying, the NAS leak still sucks)

The (somewhat affordable) productized NASes all suffer from big tech diseases.

I think a lot of people underestimate how easy a "NAS" can be made if you take a standard PC, install some form of desktop Linux, and hit "share" on a folder. Something like TrueNAS or one of its forks may also be an option if you're into that kind of stuff.

If you want the fancy docker management web UI stuff with as little maintenance as possible, you may still be in the NAS market, but for a lot of people NAS just means "a big hard drive all of my devices can access". From what I can tell the best middle point between "what the box from the store offers" and "how do build one yourself" is a (paid-for) NAS OS like HexOS where analytics, tracking, and data sales are not used to cover for race-to-the-bottom pricing.

From what I understand, sentry.io is like a tracing and logging service, used by many organizations.

This helps you (=NAS developer) to centralize logs and trace a request through all your application layers (client->server->db and back), so you can identify performance bottlenecks and measure usage patterns.

This is what you can find behind the 'anonymized diagnostics' and 'telemetry' settings you are asked to enable/consent.

For a WebUI it is implemented via javascript, which runs on the client's machine and hooks into the clicks, API calls and page content. It then sends statistics and logs back to, in this case, sentry.io. Your browser just sees javascript, so don't blame them. Privacy Badger might block it.

It is as nefarious as the developer of the application wants to use it. Normally you would use it to centralize logging, find performance issues, and get a basic idea on what features users actually use, so you can debug more easily. But you can also use it to track users. And don't forget, sentry.io is a cloud solution. If you post it on machines outside your control, expect it to be public. Sentry has a self-hosted solution, btw.

It couldn’t, but it tried.

It said knocking, not accessing

also

> you notice that you've started getting requests coming to your server on the "outside world" with that same hostname.

That hypothesis seems less likely and more complicated than the sentry one.

Scanning wildcards for well-known subdomains seems both quite specific and rather costly for unclear benefits.

I feel like the author would have noticed and said so if she was getting logs for more than just the one host.

But she mentioned: 1) it isn't in DNS only /etc/hosts and 2) they are making a connection to it. So they'd need to get the IP address to connect to from somewhere as well.

Because sentry.io is a commercial application monitoring tool which has zero incentive to any kind of application monitoring on non-paying customers. That's just costs without benefits.

You now have to argue that a random third party is using and therefore paying sentry.io to do monitoring of random subdomains for the dubious benefit of knowing that the domain exists even though they are paying for something that is way more expensive.

It's far more likely that the NAS vendor integrated sentry.io into the web interface and sentry.io is simply trying to communicate with monitoring endpoints that are part of said integration.

From the perspective of the NAS vendor, the benefits of analytics are obvious. Since there is no central NAS server where all the logs are gathered, they would have to ask users to send the error logs manually which is unreliable. Instead of waiting for users to report errors, the NAS vendor decided to be proactive and send error logs to a central service.

I've blown fairly competent colleagues' minds multiple times by showing them the existence of certificate transparency logs. They were very much under the impression that hostnames can be kept secret as a protection against external infrastructure mapping.

> any sensitive info is pushed to the URL Path

This too is not ideal. It gets saved in the browser history, and if the url is sent by message (email or IM), the provider may visit it.

> Definitely uninstall whatever junk leaked your domain though, but it's really nothing.

We are used to the tracking being everywhere but it is scandalous and should be considered as such. Not the subdomain leak part, that's just how Rachel noticed, but the non advertised tracking from an appliance chosen to be connected privately.

Obl. nitpick: you mean paranoia, presumably. Schizophrenia is a dissociative/psychotic disorder, paranoia is the irrational belief that you’re being persecuted/watched/etc.

Btw, in this case it can’t be paranoia since the belief was not irrational - the author was being watched.

TLS 1.3 has encrypted client hello which encrypts the domain name during an HTTPS connection.

> "So, no one competent is going to do this"

What about all the people who are incompetant?

If you're on an apple device, disable private relay. It appears the blog has tar pitted private relay traffic.

Rachel has blogged quite a bit about blocking badly behaved RSS Clients in recent years.

I'd link you to one of the articles if I wasn't blocked too, and my VPN wasn't also blocked!

Opens fine for me

You're IT, I'm IT, We're all IT.

Misconfigured clown - bad news indeed.

That may be related, but it's not what happened here. Wildcard-cert and all.

Why would you care that your hostname on a local only domain is published to the world if it is not reachable from outside? Publicly available hosts are alread published to the world anyway through DNS.

LetsEncrypt doesn't make a difference at all.

It's not just Let's Encrypt, right? CT is a requirement for all Certificate Authorities nowadays. You can just look at the certificate of www.google.com and see that it has been published to two CT logs (Google's and Sectigo's)

> the Internet is a bad place

FWIW - it’s made of people

I like only getting *.domain for this reason. No expectation of hiding the domain but if they want to figure out where other things are hosted they'll have to guess.

> If you use LetsEncrypt for ssl certs (which you should)

You meant you shouldn't right? Partially exactly for the reasons you stated later in the same sentence.