
> But it's not unreasonable to think that an up-to-date Unix server should be capable of the job

You are right, an up-to-date Unix/Linux server is capable of the job (but still requires routine security maintenance to keep secure!) -- however, this home appliance is far from being up-to-date... by design.

My CentOS boxes at the office update almost every few days... how often does this appliance update? Once a year? Maybe twice if you are lucky. Then how many users are actually applying all updates? Probably very few.

I would further contend that a NAS-in-a-box like this can never be secure. The vendor isn't going to update it frequently enough -- not enough users will actually update -- they are likely using old outdated/insecure versions of various open source projects or worse, crudely hacked together proprietary projects to run the webserver, webui, ssl layer, authentication, etc. By now, the manufacturer has probably already back-burnered this device and moved on to newer models, or will be shortly -- completely abandoning all the current users who will get stuck with a swiss-cheese-in-a-box.

I'll go further and contend the only safe and secure way to do this is to go with something like FreeNAS or OwnCloud. Both are current projects with massive user-bases. Both are FOSS projects, and both have a corporate backing if you need support or more enterprise features. Both stay very up-to-date with bugfixes, security fixes, and new features rolling out often. Both have upgrade paths from older versions, etc. Basically, they are much more secure and will stay that way for the life of the project.



> how often does this appliance update? Once a year?

About once a month: http://www.synology.com/en-global/releaseNote/model/DS412+

Synology uses the same base distro across all their devices, so everyone gets updates at about the same time. The device emails me when a new software version is available.

I get what you're saying, but in this case it's totally wrong. They're very active about providing updates to add functionality (even to old systems!) and fix stuff.

So back to my original position: this is not an unreasonable thing to expect to be able to run on the Internet. It's a modern Linux box that gets monthly updates, designed with the explicit intention of providing secure services over the public Internet. It would absolutely suck if that proved not to be the case.



