Jig (posted January 17, 2018): This is in regard to the security post made here: Why was this thread locked? This is a very relevant discussion for people using your product. I understand that the thread also contains personal matters. Please make a post acknowledging these security issues, or make a new sub-forum for users to discuss them among themselves. Security issues are absolutely on-topic, and the concerns posted by @livelace and @eth0 are valid. If you do not take interest in the issues researched by @Patrick Kolla-ten Venne, I fear that a malicious entity may. Please do not silence this matter; this is of high importance to us as daily users of your software.
eth0 (posted January 17, 2018): Oh boy, I didn't know they closed the thread. Now I go there to see why and the only response from the Symless staff is to say that @Patrick Kolla-ten Venne's account was refunded and that's why it didn't have access anymore. No word about the security issues at all. Let's leave aside the fact that it looks pretty weird for a long-term customer with an existing license for Synergy 1 who has submitted a 30-page security review to request a refund immediately and close the door on any further discussion of the issues, so I have to wonder why you guys would refund him without him even asking for it. But as I said, let's not focus on that. For all I know, he might have requested a refund and you complied. Now, in the other thread I said the radio silence from Symless about the security issues was scary, and @Patrick Kolla-ten Venne's allegations about your negative response and refusal to address them looked like shady practices on Symless' part, but I tried not to make assumptions and wait for your official response about the matter. And then you go and lock the thread without so much as a "we'll open an official thread very soon"! Way to address the issues, guys! Certainly doesn't look like sweeping it under the rug now, does it?
Patrick Kolla-ten Venne (posted January 17, 2018): Thanks for raising this. Meanwhile, just in case they were thinking this to be a hoax, I posted a rough description of an attack vector and one weak part in Synergy here. One week without a reply, but I hope they're going to address the issue in the background. You can also view the work-in-progress document at https://download.spybot.info/Reviews/Synergy2/Security Review Synergy2.pdf . I haven't updated this within the past week, there's still some stuff to add, and it covers the spyware issue more than the security issue, because under industry standards (ASC definitions), it would have to be regarded as such.
livelace (posted January 17, 2018): It's unbelievable: security recommendations and an exhaustive report were ignored. Those things cost money, but in this case they were just ignored. It's unacceptable in the modern world to just close one's eyes to threats and keep silent! I made the right choice when I turned off Synergy everywhere. I need to go back to Nomachine until Synergy someday fixes all the flaws. PS. Patrick Kolla-ten Venne, thank you for your work!
eth0 (posted January 18, 2018): @Patrick Kolla-ten Venne, I read your review, amazing work! But the part with the exchange you had with Symless about your findings… wow. The way Symless is handling this is mind-boggling. Well, the way they're handling things in general since the beta came out is not great, to say the least. For anyone that hasn't yet read the report, here's an abridged version of that exchange:

Quote:
— Hi Symless, ¿could you tell me exactly what bits of my personal information you have stored in any way in all of your systems?
— Hi Patrick, we've just deleted it all, even your account. Thanks for contacting us.

But they didn't delete it all. They didn't delete Patrick's logs, for example, which contain user IDs and other compromising information… and are publicly accessible. After reading the report, I'm not touching Synergy 2 with a ten-foot pole, and I'm not recommending using Synergy 2 until they remove the cloud dependency completely. Not even as an optional feature, guys. Mind you: I don't want a refund. I still want my account and my licenses. But as long as Synergy 2 tries to connect to any host that's not the machines I want to interconnect, I won't use it or recommend it to anyone.