Maintenance updates for Nextcloud Hub 6 and 7 are available.

Please upgrade to a new version to keep your data secure!

If you are using Nextcloud Hub 6 or 7, we strongly recommend updating to version 27.1.9 or 28.0.5 respectively. The maintenance updates include important bug fixes as well as stability and security upgrades. It is a quick and safe process, as always!

About this update

The updates include several bug fixes, improvements in file handling, performance optimisation and other improvements in all supported versions of Nextcloud Hub. You can view the full list of changes on our website.

Updates are available for:

  • Nextcloud Hub 6 (version 27.1.9)
  • Nextcloud Hub 7 (version 28.0.5)

Get the most out of your platform with Nextcloud Hub 8 🚀

Even more automated and optimised, Nextcloud Hub 8 is here to help you take back control of your time. Upgrade to the latest version to benefit from the many new features of your favourite platform:

  • Nextcloud Assistant: chat summaries, suggested replies to emails in Nextcloud Mail, answers based on your data, and much more!
  • Interactive previews of files, folders, boards and events
  • Federated chat and message editing in Talk
  • Mini-apps based on Tables
  • Public Collectives sharing, previews and QR codes
  • Manage your team's resources like a pro with Nextcloud Teams
  • Forms: automatic synchronisation with a spreadsheet
  • And much more

Get Nextcloud Hub 8

Download Nextcloud Hub 8 here and install it

Always keep your server up to date!

Nextcloud's minor releases focus primarily on fixing security vulnerabilities and functionality bugs, avoiding major system overhauls that could put user data at risk. Keeping your server up to date is essential. Our approach to testing and validation ensures that upgrading to minor releases is generally smooth and reliable.

For business-critical Nextcloud systems in enterprises, consider switching to Nextcloud Enterprise. This service lets you deploy with full confidence: direct access to the Nextcloud engineering team, comprehensive assistance throughout deployment and integration, and peace of mind for system administrators. If you are responsible for maintaining Nextcloud in your organisation, this option may be the ideal solution for you.

The post Maintenance updates for Nextcloud Hub 6 and 7 are available. appeared first on Nextcloud.

Maintenance updates for Nextcloud Hub 6 and 7 are here

Please update to a new version to keep your data safe!

If you are using Nextcloud Hub 6 or 7, we strongly recommend that you update to version 27.1.9 or 28.0.5 respectively. Maintenance updates include important bug fixes, stability and security upgrades. It is a quick and safe process, as always!

About this update

The updates include several bug fixes, enhancements in file handling, performance optimization, and other improvements in all supported versions of Nextcloud Hub. You can find the full changelog on our website.

Updates are available for:

  • Nextcloud Hub 6 (version 27.1.9)
  • Nextcloud Hub 7 (version 28.0.5)

Make the most of your platform with Nextcloud Hub 8 🚀

Even more automated and optimized all around, Nextcloud Hub 8 is here to give you back control over your time. Upgrade today to unlock multiple new features in your favourite platform:

  • Nextcloud Assistant: Chat summaries, Nextcloud Mail reply suggestions, answers based on your data, and more!
  • Interactive previews for files, folders, boards and events
  • Federated chat and message editing in Talk
  • Mini-apps based on Tables
  • Public Collectives sharing, previews and QR-codes
  • Manage your team resources like a pro with Nextcloud Teams
  • Forms: automatically sync with a spreadsheet
  • And much more
Get Nextcloud Hub 8

Download and install Nextcloud Hub 8 here!

Always keep your server up to date!

Nextcloud’s minor releases primarily focus on addressing security vulnerabilities and functionality bugs, avoiding major system overhauls that could jeopardize user data. Keeping your server up to date is vital, and our approach to testing and validation ensures that upgrading to minor releases is generally smooth and reliable.

For mission-critical Nextcloud systems in enterprise settings, consider switching to Nextcloud Enterprise. The tier provides you with ultimate deployment confidence: direct access to the Nextcloud engineering team, full assistance throughout deployment and integration, and peace of mind for system administrators. If you’re responsible for maintaining Nextcloud in your setting, this option may be the ideal solution for you.

The post Maintenance updates for Nextcloud Hub 6 and 7 are here appeared first on Nextcloud.

What’s new in security for Ubuntu 24.04 LTS?

We’re excited about the upcoming Ubuntu 24.04 LTS release, Noble Numbat. Like all Ubuntu releases, Ubuntu 24.04 LTS comes with 5 years of free security maintenance for the main repository. Support can be expanded for an extra 5 years, and to include the universe repository, via Ubuntu Pro.  Organisations looking to keep their systems secure without needing a major upgrade can also get the Legacy Support add-on to expand that support beyond the 10 years. Combined with the enhanced security coverage provided by Ubuntu Pro and Legacy Support, Ubuntu 24.04 LTS provides a secure foundation on which to develop and deploy your applications and services in an increasingly risky environment. In this blog post, we will look at some of the enhancements and security features included in Noble Numbat, building on those available in Ubuntu 22.04 LTS.

Unprivileged user namespace restrictions

Unprivileged user namespaces are a widely used feature of the Linux kernel, providing additional security isolation for applications, and are often employed as part of a sandbox environment. They allow an application to gain additional permissions within a constrained environment, so that a more trusted part of an application can then use these additional permissions to create a more constrained sandbox environment within which less trusted parts can then be executed. A common use case is the sandboxing employed by modern web browsers, where the (trusted) application itself sets up the sandbox where it executes the untrusted web content.

However, by providing these additional permissions, unprivileged user namespaces also expose additional attack surfaces within the Linux kernel. There has been a long history of (ab)use of unprivileged user namespaces to exploit various kernel vulnerabilities. The most recent interim release of Ubuntu, 23.10, introduced the ability to restrict the use of unprivileged user namespaces to only those applications which legitimately require such access. In Ubuntu 24.04 LTS, this feature has been improved both to cover additional applications, within Ubuntu and from third parties, and to allow better default semantics. In Ubuntu 24.04 LTS, the use of unprivileged user namespaces is allowed for all applications, but access to any additional permissions within the namespace is denied. This allows more applications to handle this default restriction gracefully whilst still protecting against the abuse of user namespaces to gain access to additional attack surfaces within the Linux kernel.

Binary hardening

Modern toolchains and compilers have gained many enhancements to be able to create binaries that include various defensive mechanisms. These include the ability to detect and avoid various possible buffer overflow conditions as well as the ability to take advantage of modern processor features like branch protection for additional defence against code reuse attacks.

The GNU C library, used as the cornerstone of many applications on Ubuntu, provides runtime detection of, and protection against, certain types of buffer overflow cases, as well as certain dangerous string handling operations via the use of the _FORTIFY_SOURCE macro. FORTIFY_SOURCE can be specified at various levels providing increasing security features, ranging from 0 to 3. Modern Ubuntu releases have all used FORTIFY_SOURCE=2 which provided a solid foundation by including checks on string handling functions like sprintf(), strcpy() and others to detect possible buffer overflows, as well as format-string vulnerabilities via the %n format specifier in various cases. Ubuntu 24.04 LTS enables additional security features by increasing this to FORTIFY_SOURCE=3. Level three greatly enhances the detection of possible dangerous use of a number of other common memory management functions including memmove(),  memcpy(), snprintf(), vsnprintf(), strtok() and strncat(). This feature is enabled by default in the gcc compiler within Ubuntu 24.04 LTS, so that all packages in the Ubuntu archive which are compiled with gcc, or any applications compiled with gcc on Ubuntu 24.04 LTS also receive this additional protection.

The Armv8-M hardware architecture (provided by the “arm64” software architecture on Ubuntu) provides hardware-enforced pointer authentication and branch target identification. Pointer authentication provides the ability to detect malicious stack buffer modifications which aim to redirect pointers stored on the stack to attacker controlled locations, whilst branch target identification is used to track certain indirect branch instructions and the possible locations which they can target. By tracking such valid locations, the processor can detect possible malicious jump-oriented programming attacks which aim to use existing indirect branches to jump to other gadgets within the code. The gcc compiler supports these features via the -mbranch-protection option. In Ubuntu 24.04 LTS, the dpkg package now enables -mbranch-protection=standard, so that all packages within the Ubuntu archive enable support for these hardware features where available.

AppArmor 4

The aforementioned unprivileged user namespace restrictions are all backed by the AppArmor mandatory access control system. AppArmor allows a system administrator to implement the principle of least authority by defining which resources an application should be granted access to and denying all others. AppArmor consists of a userspace package, which is used to define the security profiles for applications and the system, as well as the AppArmor Linux Security Module within the Linux kernel which provides enforcement of the policies. Ubuntu 24.04 LTS includes the latest AppArmor 4.0 release, providing support for many new features, such as specifying allowed network addresses and ports within the security policy (rather than just high level protocols) or various conditionals to allow more complex policy to be expressed. An exciting new development provided by AppArmor 4 in Ubuntu 24.04 LTS is the ability to defer access control decisions to a trusted userspace program. This allows for quite advanced decision making to be implemented, by taking into account the greater context available within userspace or to even interact with the user / system administrator in a real-time fashion. For example, the experimental snapd prompting feature takes advantage of this work to allow users to exercise direct control over which files a snap can access within their home directory. Finally, within the kernel, AppArmor has gained the ability to mediate access to user namespaces as well as the io_uring subsystem, both of which have historically provided additional kernel attack surfaces to malicious applications. 

Disabling of old TLS versions

The use of cryptography for private communications is the backbone of the modern internet. The Transport Layer Security protocol has provided confidentiality and integrity to internet communications since it was first standardised in 1999 with TLS 1.0. This protocol has undergone various revisions since that time to introduce additional security features and avoid various security issues inherent in the earlier versions of this standard. Given the wide range of TLS versions and options supported by each, modern internet systems will use a process of auto-negotiation to select an appropriate combination of protocol version and parameters when establishing a secure communications link. In Ubuntu 24.04 LTS, TLS 1.0, 1.1 and DTLS 1.0 are all forcefully disabled (for any applications that use the underlying openssl or gnutls libraries) to ensure that users are not exposed to possible TLS downgrade attacks which could expose their sensitive information.

Upstream Kernel Security Features

Linux kernel v5.15 was used as the basis for the Linux kernel in the previous Ubuntu 22.04 LTS release. This provided a number of kernel security features including core scheduling, kernel stack randomisation and unprivileged BPF restrictions to name a few. Since that time, the upstream Linux kernel community has been busy adding additional kernel security features. Ubuntu 24.04 LTS includes the v6.8 Linux kernel which provides the following additional security features:

Intel shadow stack support

Modern Intel CPUs support an additional hardware feature aimed at preventing certain types of return-oriented programming (ROP) and other attacks that target the malicious corruption of the call stack. A shadow stack is a hardware enforced copy of the stack return address that cannot be directly modified by the CPU. When the processor returns from a function call, the return address from the stack is compared against the value from the shadow stack – if the two differ, the process is terminated to prevent a possible ROP attack. Whilst compiler support for this feature has been enabled for userspace packages since Ubuntu 19.10, it has not been able to be utilised until it was also supported by the kernel and the C library. Ubuntu 24.04 LTS includes this additional support for shadow stacks to allow this feature to be enabled when desired by setting the GLIBC_TUNABLES=glibc.cpu.hwcaps=SHSTK environment variable.

Secure virtualisation with AMD SEV-SNP and Intel TDX

Confidential computing represents a fundamental departure from the traditional threat model, where vulnerabilities in the complex codebase of privileged system software like the operating system, hypervisor, and firmware pose ongoing risks to the confidentiality and integrity of both code and data. Likewise, unauthorised access by a malicious cloud administrator could jeopardise the security of your virtual machine (VM) and its environment. Building on the innovation of Trusted Execution Environments at the silicon level, Ubuntu Confidential VMs aim to restore your control over the security assurances of your VMs.

For the x86 architecture, both AMD and Intel processors provide hardware features (named AMD SEV SNP and Intel TDX respectively) to support running virtual machines with memory encryption and integrity protection. They ensure that the data contained within the virtual machine is inaccessible to the hypervisor and hence the infrastructure operator.  Support for using these features as a guest virtual machine was introduced in the upstream Linux kernel version 5.19.

Thanks to Ubuntu Confidential VMs, a user can make use of compute resources provided by a third party whilst maintaining the integrity and confidentiality of their data through the use of memory encryption and other features.  On the public cloud, Ubuntu offers the widest portfolio of confidential VMs. These build on the innovation of both the hardware features, with offerings available across Microsoft Azure, Google Cloud and Amazon AWS. 

For enterprise customers seeking to harness confidential computing within their private data centres, a fully enabled software stack is essential. This stack encompasses both the guest side (kernel and OVMF) and the host side (kernel-KVM, QEMU, and Libvirt). Currently, the host-side patches are not yet upstream. To address this, Canonical and Intel have forged a strategic collaboration to empower Ubuntu customers with an Intel-optimised TDX Ubuntu build. This offering includes all necessary guest and host patches, even those not yet merged upstream, starting with Ubuntu 23.10 and extending into 24.04 and beyond. The complete TDX software stack is accessible through this github repository. 

This collaborative effort enables our customers to promptly leverage the security assurances of Intel TDX. It also serves to narrow the gap between silicon innovation and software readiness, a gap that grows as Intel continues to push the boundaries of hardware innovation with 5th Gen Intel Xeon scalable processors and beyond.

Strict compile-time bounds checking

Similar to hardening of binaries within the libraries and applications distributed in Ubuntu, the Linux kernel itself gained enhanced support for detecting possible buffer overflows at compile time via improved bounds checking of the memcpy() family of functions. Within the kernel, the FORTIFY_SOURCE macro enables various checks in memory management functions like memcpy() and memset() by checking that the size of the destination object is large enough to hold the specified amount of memory, and if not will abort the compilation process. This helps to catch various trivial memory management issues, but previously was not able to properly handle more complex cases such as when an object was embedded within a larger object. This is quite a common pattern within the kernel, and so the changes introduced in the upstream 5.18 kernel version to enumerate and fix various such cases greatly improves this feature. Now the compiler is able to detect and enforce stricter checks when performing memory operations on sub-objects to ensure that other object members are not inadvertently overwritten, avoiding an entire class of possible buffer overflow vulnerabilities within the kernel.
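The sub-object distinction described above, as an added example that is not from the original article or the kernel source: a userspace sketch using the GCC/Clang `__builtin_object_size` builtin, where mode 0 reports the bytes remaining in the whole enclosing object and mode 1 the bytes remaining in the member itself. `struct session`, its fields and all helper names are constructed for illustration, and the sketch refuses the copy at run time instead of aborting the build.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout: a fixed-size member embedded in a larger object,
 * followed by a field that an overflow of the member would reach. */
struct session {
    char name[8];
    unsigned int is_admin;
};

static struct session g_session;   /* hypothetical object under test */

/* Mode 0: bytes from dst to the end of the whole enclosing object. */
#define BOUND_WHOLE(dst)  __builtin_object_size((dst), 0)
/* Mode 1: bytes from dst to the end of the closest sub-object (the member). */
#define BOUND_MEMBER(dst) __builtin_object_size((dst), 1)

/* Copy only when len fits the bound the compiler computed for dst.
 * (size_t)-1 means "size unknown"; this sketch refuses that case too. */
static int copy_if_fits(void *dst, size_t bound, const void *src, size_t len)
{
    if (bound == (size_t)-1 || len > bound)
        return -1;                 /* refused: would write past the bound */
    memcpy(dst, src, len);
    return 0;
}

size_t name_bound_whole(void)  { return BOUND_WHOLE(g_session.name); }
size_t name_bound_member(void) { return BOUND_MEMBER(g_session.name); }

/* A check against the whole-object bound accepts any write that stays
 * inside struct session, even one that runs over is_admin. */
int loose_check_accepts(size_t len)
{
    return len <= name_bound_whole();
}

/* Setter that enforces the member bound, so neighbouring fields are safe. */
int set_name_strict(const char *src, size_t len)
{
    return copy_if_fits(g_session.name, BOUND_MEMBER(g_session.name), src, len);
}

/* Constructed oversized input: as large as the whole struct. Returns 1 when
 * the strict setter refused it and left every field untouched. */
int oversized_write_is_refused(void)
{
    char input[sizeof(struct session)];
    int rc;

    memset(input, 'A', sizeof input);
    memset(&g_session, 0, sizeof g_session);
    rc = set_name_strict(input, sizeof input);
    return rc == -1 && g_session.is_admin == 0 && g_session.name[0] == '\0';
}

/* Returns 1 when a write that fits inside name[] is accepted unchanged. */
int in_bounds_write_is_accepted(void)
{
    int rc;

    memset(&g_session, 0, sizeof g_session);
    rc = set_name_strict("alice", sizeof "alice");
    return rc == 0 && strcmp(g_session.name, "alice") == 0
           && g_session.is_admin == 0;
}

int main(void)
{
    printf("whole-object bound for name: %zu bytes\n", name_bound_whole());
    printf("member bound for name:       %zu bytes\n", name_bound_member());
    printf("loose check accepts %zu-byte write: %d\n",
           sizeof(struct session), loose_check_accepts(sizeof(struct session)));
    printf("strict check refuses it:            %d\n",
           oversized_write_is_refused());
    printf("strict check accepts \"alice\":       %d\n",
           in_bounds_write_is_accepted());
    return 0;
}
```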

Wrapping up

Overall, the vast range of security improvements that have gone into Ubuntu 24.04 LTS greatly improve on the strong foundation provided by previous Ubuntu releases, making it the most secure release to date. Additional features within both the kernel, userspace and across the distribution as a whole combine to address entire vulnerability classes and attack surfaces. With up to 12 years of support, Ubuntu 24.04 LTS provides the best and most secure foundation to develop and deploy Linux services and applications. Expanded Security Maintenance, kernel livepatching and additional services are all provided to Ubuntu Pro subscribers to enhance the security of their Ubuntu deployments.

Achieving Performant Single-Tenant Cloud Isolation with IBM Cloud Bare Metal Servers, Ubuntu Core, Snaps, and AMD Pensando Elba Data Processing Unit

Discover how IBM Cloud’s bare metal servers offer highly confined and high-performing single-tenant cloud isolation through the use of Ubuntu Core and Snaps, supported by the AMD Pensando Elba DPU (Data Processing Unit). This setup enables the creation of secure and efficient environments for each tenant. Its design ensures the total separation of their servers from the cloud underlay. The architecture delivers consistent performance and enables non intrusive control from the cloud provider. Learn how this innovative solution can benefit your business and enhance your cloud infrastructure.

Introduction

Public cloud bare-metal servers offer dedicated physical resources, but can present isolation and performance challenges. Isolation requirements involve maintaining full control of compute capabilities by the tenant, while preserving the backend management of its infrastructure by the cloud provider and preventing unauthorised access. Performance requirements entail providing consistent performance even under heavy workloads. Cloud providers face challenges in ensuring physical and logical isolation, resource allocation, monitoring, management, scalability, and security. To address these complex requirements, providers must invest in advanced technologies and implement best practices for resource allocation, monitoring, and management. They also need to regularly review and update infrastructure to meet tenant needs.

In the following discussion, we will explore how IBM Cloud is addressing these challenges by harnessing the distinctive capabilities of Ubuntu Core and Snaps deployed on the AMD Pensando Elba infrastructure accelerators.

IBM Cloud Bare Metal Servers for VPC

IBM has always been dedicated to keeping clients' essential data secure through a strong focus on resilience, performance, and compliance. IBM Cloud executes that focus within highly regulated industries such as finance and insurance organisations. Given IBM Cloud’s long-standing commitment to data security, it is unsurprising and essential that Bare Metal Servers for VPC (VPC BM) implements the most rigorous security guarantees to meet customers' expectations.

Bare metal servers, which are physical servers dedicated to a single tenant, offer benefits such as high performance and customizability, but managing them in a multi-tenant environment can be complex. A key requirement is ensuring isolation between the tenant and the cloud backend, both to maintain security and to prevent performance issues caused by noisy neighbours.

VPC BM allows customers to select a preset server profile that best matches their workloads to help accelerate the deployment of compute resources. Customers can achieve maximum performance without oversubscription, deployed in 10 minutes.

VPC BM servers are powered by the latest technology. They are built for cloud-enterprise applications, including VMware and SAP, and can also support HPC and IoT workloads. They come with enhanced high-performance networking at 100 Gbps as well as advanced security features.

A network orchestration layer handles the networking for all bare metal servers that are within an IBM Cloud VPC across regions and zones. This allows for management and creation of multiple, virtual private clouds in multi zone regions and also improves security, reduces latency, and increases high availability.

“I selected IBM Cloud VPC because of 5 points that I thought and was proven correct based on my experience using the service. First is security. Secondly is agility. The third is isolation. Fourth is the high performance. Fifth, and last, is the scalability.”

Ivo Draginov CEO BatchService

AMD Pensando DSC2-200 “Elba”

In use with some of the largest cloud providers and hyperscalers on the planet, the AMD Pensando DSC2-200 has proven itself as the platform of choice for cloud providers seeking to optimise performance, increase scale and introduce new infrastructure services at the speed of software. The DSC2-200 is a full-height, half-length PCIe card powered by the AMD Pensando 2nd generation DPU “Elba”. The DSC2-200 is the ideal platform for cloud providers to implement multi-tenant SDN, stateful security, storage, encryption and telemetry at line rate. The platform’s scale architecture allows cloud providers to offer multiple services on the same DPU card.

Developers can create customised data plane services that target 400G throughput, microsecond-level latencies, and scale to tens of millions of flows. The heart of the AMD Pensando platform is a fully programmable P4 data processing unit (DPU). High-level programming languages (P4, C) enable rapid development and deployment of new features and services.

The innovative design of the AMD Pensando DPU provides a secure air gap between tenants' compute instances and the cloud infrastructure, as well as secure isolation between tenants. This separation enables cloud operators to manage their infrastructure functions efficiently and independently of their tenants' workloads, while freeing up valuable compute resources from infrastructure tasks and fully dedicating them to revenue-generating business applications. The exceptional throughput and performance of the Elba DSC2-200, along with its strong alignment with IBM’s security expectations, made it a top choice for inclusion in IBM Cloud’s bare metal servers for VPC. This combination of features enables IBM Cloud to provide highly secure and powerful environments for its customers.

Achieving IBM Cloud’s target outcomes with Ubuntu Core and Snaps

The first goal was to implement a secure and reliable operating system that IBM Cloud development teams could use to launch their management interface and functionality on the AMD Pensando DPU cards. Initially IBM Cloud selected Ubuntu Server as the operating system. They were familiar with it and could easily develop on top of it using the familiar Linux toolset and API.

To develop software running on the AMD Pensando DPU cards, the development kit provides a complete container-based development environment. It allows for the development of data plane, management plane, and control plane functions. To perform correctly, these containers must be allowed direct communication with the card hardware components with fine-grained isolation. Using traditional container runtimes such as Docker and Kubernetes alone cannot meet the unique requirements of this solution. Fortunately, Snap packages provide this access through secure and controlled interfaces to the operating system.

Using Snap packages, IBM Cloud developers were able to implement all the functionalities they needed in record time. This positive experience made them turn their attention to Ubuntu Core, the version of Ubuntu specifically designed for embedded systems such as AMD Pensando DPU cards. It is entirely made up of Snap packages, creating a confined, immutable and transaction-based system. Communication among containers and between containers and the operating system is locked down under full control. In addition, Ubuntu Core provides full disk encryption and secure boot, achieving additional mandatory security compliance objectives.

IBM Cloud successfully converted their bespoke AMD Pensando system image from Ubuntu Server to Ubuntu Core and, after positive results in the pre-production tests, proceeded to deploy it in production to support Bare Metal Servers on VPC.

Conclusion

In summary, Canonical’s Ubuntu Core and IBM Cloud’s components, when packaged as Snaps, provide a unique solution that effectively addresses the challenges faced by the company. This innovative approach has enabled IBM Cloud to enhance its offerings and deliver improved performance, security, and tenant isolation. The development of the solution was completed in under a year, and it has been operating successfully in production since then. The implementation has been a resounding success. Ultimately, addressing these challenges provided IBM Cloud with several advantages, including differentiation, cost savings, and improved efficiency.

The collaboration between IBM Cloud, Canonical, and AMD Pensando remains ongoing, with plans to expand the use of Ubuntu Core and Snaps to support other non-bare metal offerings, including Virtual Server for VPC. A key medium-term goal is to achieve FedRAMP compliance, which involves upgrading to Ubuntu Core 22 and ensuring FIPS compliance at the kernel and filesystem levels. This ongoing partnership and development aim to enhance the security, performance, and functionality of IBM Cloud’s solutions.

How to protect yourself against deepfake scams in video calls

How to protect yourself against deepfakes

Public concern over real-time video scams is gaining global attention as major new incidents take place with increasing frequency. Take the Hong Kong MNC that recently fell prey to a scammer in a colossal $25.6 million heist: deepfake technology has already evolved enough to bring on a whole new brand of fraud.

What remains is a call to action. Are there ways to protect yourself and your organization against con men posing as your boss, your business partner, or even your own mother? Let’s find out!

First things first, let us start with the definition.

What is a deepfake?

In case the definition of a deepfake is still unclear to some, a deepfake is content generated using deep learning techniques that is intended to look real, but is in fact fabricated. Artificial intelligence (AI) used to generate deepfakes typically employs generative models, for example, Generative Adversarial Networks (GANs) or auto-encoders.

Deepfakes are used not only in video content, but also in audio recordings and images. The purpose of a deepfake is often to depict an individual or a group saying or doing something that they never did in reality. To produce content that appears convincing, the AI must be trained on large datasets. This allows the model to recognize and reproduce the natural patterns present in the content it is designed to mimic.

While deepfake technology is a breakthrough with great potential in the film industry and game development, as well as a rising social media trend, it also opens dangerous opportunities for illegal use. The examples are numerous and include identity theft, evidence forging, disinformation, slander and biometric security bypass. In all cases, fraudsters typically leverage the depicted person’s authority over the targeted individuals or personal connection to them, depending on the setting.

Secure your calls with Nextcloud Hub

Watch our webinar on secure conferencing in Talk. Learn how to set up reliable access control, prevent leaks and trace back all suspicious activity.

Where can you encounter a deepfake?

Deepfakes are used to produce video, audio or image content, either as recorded media or as a real-time stream. It can be a YouTube video, a ‘leaked’ recording in a social post, a phone call or a video conference – the opportunities are practically unlimited.

The format is picked according to the purpose. For example, political disinformation works best where mass engagement is possible, meaning that spreading it publicly via social media is the best tactic, whereas seeking a private gain from a company or an individual requires a more intimate setting and often a personal conversation.

When it comes to threats to your personal life, finance or security, we can narrow down the most dangerous deepfake scenarios to encounters with people you care about, trust, or report to. This can be a family member, a friend, or an authority figure at work such as your boss or a company executive.

The setting will most likely be private, whether a phone call or a video meeting. Personal meetings are much easier to execute and give the faker much more control over the situation. The conversation, whatever the background is, will lead you to an action under a sense of urgency or fear – most likely to transfer a sum of money. The tactic is to deceive your logic and common sense using fear, compassion or even ambition.

As generative AI development drives huge interest and investment, we are entering a dangerous zone: real-time video, the most sophisticated and convincing deepfake use case yet, still has very little awareness.

Deepfakes in real-time video

Real-time video deepfakes generate manipulated video content in real-time for immediate application during live streams and video calls. Voice cloning and face swapping are the most frequently used techniques to compose a complete faked environment.

Face swapping

Face swapping is a common application of deepfakes, allowing the software to replace facial features of a target person with fake features, most often those of another person. With facial landmark detection and manipulation techniques, the blending appears seamless and hard to spot when caught unaware.

Voice cloning

In addition to looking convincing, a faker also needs to sound convincing. For this part, voice cloning is used. In voice cloning, the AI replicates the voice of the individual. A significant amount of high-quality audio data is required to train a voice cloning model, usually obtained from recordings of the target person speaking in various contexts and using different intonations.

Curiosity time: how does a deepfake setup actually work?

Deepfake technology is capable of impersonating real-life individuals and doing it in a real-time setting, making the result even more convincing (and terrifying!). But how does the software work in a way that we encounter deepfakes using familiar meeting platforms?

Deepfake generation software can be integrated with streaming platforms and video conferencing tools in many ways:

  • It could function as a separate application that captures the video feed, processes it in real-time, and then sends the manipulated feed to the video conferencing software.
  • Alternatively, it might be integrated directly into the video conferencing software as an optional feature or plugin.
  • Another way, even more sophisticated and harder to detect, is through the camera input, namely a virtual camera. A virtual camera intercepts the video feed from the faker’s physical camera. It then outputs the manipulated feed to the video conferencing software. The faker just picks the virtual camera as their camera input and voilà! (not funny, we know).

How to protect yourself against deepfakes?

Finally, to the most important part. How do you protect yourself against a deepfake, or at least get prepared to spot a fake boss making a sketchy request over video?

Nextcloud Talk in Hub 7

Privacy-first videoconferencing software is a key to safe meetings. Meet Nextcloud Talk, a powerful chatting and meeting platform that lets you regain control.

Watch out for red flags

AI face swapping technology may be advanced, but it’s not perfect. There are red flags you can spot, or at least learn to look out for when something seems off or unnatural:

  • Unrealistic facial expressions or movements, including unnatural eye movements, inappropriate blinking, and/or weird lip sync.
  • Inconsistencies in lighting and shadows that don’t match the surroundings.
  • Unnatural head or body movements, as well as visible blurring or pixelation around the face or neck.
  • Inconsistent quality in audio and video and mismatch between the picture and the sound.

Suspicious? Be proactive

There are methods to help you fish out the red flags that generally won’t make the conversation awkward if the person is in fact real.

First, there’s nothing more natural than a casual conversation. Engage in small talk: ask about their day, routine, questions about people you both know, etc. A complete stranger will struggle to be spontaneous and maintain the same personal connection. It’s also easier to catch one off guard when they lose a sense of control.

You can also use other video conferencing features: ask the person to share their screen and show you something related to your common tasks. This will be very difficult to replicate without access.

Finally, once they make a suspicious request, you have more freedom to be alert openly — politely ask them to confirm their identity by providing some exclusive information or send you a confirmation message via a different channel.

Set up a passphrase

One more way to ensure confidence when it comes to sensitive topics is setting up a password or passphrase. This is an easy way to confirm the identity of the people you know, both at work and between family members, and it is equally effective via voice, video and text communication.

Verify identity outside of the meeting

If a faker poses as a person you know well, chances are you have more than one communication channel to reach out with. Use email, a messenger or a personal phone number to contact them and raise a question — the reason is valid.

Don’t let them harvest your data

To replicate and manipulate a person’s voice or image, AI needs a massive amount of data. This data is often gathered beforehand, during online calls and meetings. Features like Recording Consent in Nextcloud Talk may help you protect yourself and others from such a data haul.

Giving consent before joining call - Nextcloud Talk

Use company software

It’s unlikely for your real boss to set up a meeting via a platform you never use for work. And if they do, they must have a good reason! Don’t be afraid to stand up to suspicious activity.

Using company software means better control over the data and compliance with privacy regulations. Even better — if you run it on-premises! Should an incident happen, the company IT team can run an audit to retrieve the relevant data and investigate.

Ensure secure access to your videoconferencing platform with settings like 2FA, strong passwords, data encryption, activity monitoring, and login restrictions. This applies to your personal settings and administrative controls.

Nextcloud Talk: video and chat with privacy in mind

Using a privacy-oriented, unified workspace with admin control in all apps makes sure your security protocols are in place to detect and prevent breaches. Nextcloud Hub provides a user-friendly videoconferencing platform that keeps users happy to stay within company IT.

https://vimeo.com/576684156

How Nextcloud Talk protects your data:

  • AI-powered suspicious login detection
  • Multi-layered encryption with end-to-end encrypted communication
  • Brute-force protection
  • Fully on-premises, 100% open source

Nextcloud is an open-source project backed by a strong community with a proactive approach to vulnerability research and patching. It is designed to let you stay compliant with GDPR, CCPA, and the upcoming EU ePrivacy Regulation.


The post How to protect yourself against deepfake scams in video calls appeared first on Nextcloud.

Canonical at America Digital Congress in Chile

We are excited to share that Canonical participates in America Digital Congress in Santiago, Chile, for the first time ever. It’s one of the leading events in the region about digital transformation bringing together VPs and experts from the most relevant global tech companies. 

Canonical, the publisher of Ubuntu, provides open source security, support and services. In addition to the OS, Canonical offers an integrated data and AI stack. With customers that include top tech brands, emerging startups, governments and home users, Canonical delivers trusted open source for everyone.

Join us at the booth A31 to learn how Canonical can support your digital transformation journey securely and cost-efficiently.

Canonical Expert Talk:
How to build a digital transformation strategy



Date & Time: April 11, 16:15 – 16:55.
C-Level Forum AI & Digital Transformation

Juan Pablo Noreña, Canonical Cloud Field Software Engineer, is delighted to be speaking at America Digital Congress about digital transformation and AI. In this talk, he will explore the significant benefits of introducing open source solutions in all stages of the infrastructure implementation process, from virtualization to AI platforms.

Juan Pablo will also showcase how this approach improves security, reduces costs in the infrastructure life cycle, and makes them predictable, offering companies a competitive advantage in the market.

Key topics:

  • A general perspective of the open source role in infrastructure and its benefits.
  • A guide for decision-makers on how and where to start the development of an infrastructure strategy using open source solutions.
  • Explanation of the relevance of support for the solutions to ensure the sustained success of the strategy.

Canonical Partner Programmes

At Canonical, we provide the services our partners need to ensure their hardware and software works optimally with the Ubuntu platform. We operate a range of partner programmes, from essential product certification to strategic collaboration, help with QA and long-term strategic alliances. For technology customers, this has created a thriving market of suppliers with Ubuntu expertise. 

Are you interested in learning more about our partner programmes? Talk to the team at the booth or visit our partner webpage.

Come and meet us at America Digital 

Come visit us at the booth to learn how Canonical could support you in the digital transformation journey. Check out our Data and AI offerings to learn more about our solutions.

Ubuntu 24.04 Beta Delayed Due to Security Issue

If you were hoping to help test the upcoming release of Ubuntu 24.04 by way of the official beta that was due for release this week, I’ve some bad news: it’s been delayed. However, I reckon you may have expected this. Ubuntu 24.04 beta was scheduled for release on April 4, giving developers, testers, and enthusiasts several weeks to test the new features, find and report issues, check compatibility with and performance on real-world hardware, and all of that hyper-useful stuff. But then a major security issue was announced: an (obfuscated) backdoor was discovered in recent versions of xz compression […]

You're reading Ubuntu 24.04 Beta Delayed Due to Security Issue, a blog post from OMG! Ubuntu. Do not reproduce elsewhere without permission.

Latest updates for Hub 6 and 7, end of life for Hub 4

Please update to a new version to keep your data safe!

We strongly recommend that you update your Hub to version 28.0.4, 27.1.8 or 26.0.13. The maintenance updates include important bug fixes, stability and security upgrades. It is a quick and safe process, as always!

Minor Nextcloud updates released

What’s new

The updates bring several fixes and performance improvements in all supported versions of Nextcloud Hub. Version 26 has reached its end of life and will no longer receive updates. The Nextcloud desktop client has also been updated to version 3.12.3, and we highly recommend updating to this version due to important bug fixes.

Find the full changelog on our website, or read the update summaries below.

Version 26.0.13

This is the final update before the end of life of version 26. The update involves a mixture of enhancements and fixes across various components. Notable enhancements include:

  • Collaboration, MailPlugin: Protect access to a potentially missing array component by ??
  • Docs(config.sample.php): Warn that updatedirectory will break updates if set to a value within the installation folder
  • Feat(share): save date and time for expiration
  • Fix: Avoid clear cache with prefix
  • Fix(api): Ignore “parsed” link and icon URLs when deleting
  • Fix(caldav): add EXDATE and EXRULE to confidential object
  • Fix(config): Make sure user keys are strings
  • Fix(mail): Use parsed action label in email notification
  • Fix(settings): posix_getpwuid can return false which should not be accessed like an array
  • Fix(UpdateNotifications): Handle numeric user IDs

Note: There will be no more releases of Nextcloud Hub 4 (26.x.x and older). Upgrade to Nextcloud Enterprise to continue to get security and stability updates or move to Nextcloud Hub 6 or Hub 7. Don’t forget that running web-facing software without regular updates is risky. Please stay up to date with Nextcloud releases of both the server and its apps, for the safety of your data! Customers can always count on our upgrade support if needed.

Version 27.1.8

Recent updates encompass various improvements and fixes across different modules. Key enhancements affecting security, data integrity, user experience and overall performance include:

  • Add recursive detection/prevention
  • Docs(config.sample.php): Warn that updatedirectory will break updates if set to a value within the installation folder
  • Fix: Avoid race condition that may initialize a document twice on the clients
  • Fix: No password set for new mail shares
  • Use the proper path to check if a file needs to be copied/moved to the actual target storage
  • Fix: Allow to disable multipart copy on external s3 storage
  • Fix: Avoid clear cache with prefix
  • Fix: Fetch custom app store URL without internet connection
  • Fix: Don’t return null for SharedStorage::getWrapperStorage with share recursion
  • Fix: Ensure nested mount points are handled in the correct order

Version 28.0.4

The update includes multiple enhancements. Among those, the following focus on fixing issues related to security, data integrity, and functionality, ensuring smooth operation and improved user experience:

  • Add recursive detection/prevention
  • Fix: Avoid clear cache with prefix
  • Fix: Avoid race condition that may initialize a document twice on the clients
  • Fix: Catch exception from LogIteratorFactory, throw a clean error when log_type is not file
  • Fix: No password set for new mail shares
  • Fix(admin role): fix old and wrong way to determine whether user is admin
  • Fix(backend): Accept pushes with only step1 messages by read-only clients
  • Fix(config): Make sure user keys are strings
  • Fix(settings): posix_getpwuid can return false which should not be accessed like an array
  • Fix(UpdateNotifications): Handle numeric user ids
  • Fix(user_ldap): Early failure for empty password login attempt
  • Fix(user_status): Fix status update request not being sent
  • Improve files version listing
  • Use the proper path to check if a file needs to be copied/moved to the actual target storage

Desktop client 3.12.3

Update is highly recommended

Due to important bug fixes released in this update, we highly recommend that users of version 3.12 upgrade to the latest version.

Recent updates 3.12.1 and 3.12.3 include several important bug fixes to tackle issues reported by customers.

In version 3.12.1, there are multiple improvements in end-to-end encryption functionality and a fix to a data loss issue that affects the users when group folders and files are moved from one location to another. Find the full changelog on GitHub.

The biggest part of version 3.12.3 is improvements for Windows users with a crash issue fixed and a much faster contextual menu performance. The crash could happen depending on the user workflow with the Windows file manager and its Nextcloud client integration. It also includes an important fix for users of group folders. Find the full changelog on GitHub.

Stay tuned for Nextcloud Hub 8! 🔔

Sign up for the Nextcloud Hub 8 launch event on April 24. Register now to participate in the live online presentation and be among the first to experience the next big update!


Always keep your server up to date!

Nextcloud’s minor releases primarily focus on addressing security vulnerabilities and functionality bugs, avoiding major system overhauls that could jeopardize user data. Keeping your server up to date is vital, and our approach to testing and validation ensures that upgrading to minor releases is generally smooth and reliable.

For mission-critical Nextcloud systems in enterprise settings, consider switching to Nextcloud Enterprise. The tier provides you with ultimate deployment confidence: direct access to the Nextcloud engineering team, full assistance throughout deployment and integration, and peace of mind for system administrators. If you’re responsible for maintaining Nextcloud in your setting, this option may be the ideal solution for you.

The post Latest updates for Hub 6 and 7, end of life for Hub 4 appeared first on Nextcloud.

Educating Bild: password-protected sharing

The German tabloid Bild featured an article covering the press release published by the German Ministry of Defence about the recent leaks of Webex calls between army generals. Bild noted that the password the Ministry of Defence used for the shared Nextcloud link was “1234”, assuming this was meant to ‘secure’ the link.

While a press release is obviously meant to be public, which is why the simple password was chosen, you might wonder why the ministry didn’t just use a completely password-less link for their Nextcloud share?

Secure sharing with Nextcloud

Nextcloud differentiates itself from public clouds like Microsoft 365, Dropbox or Google Drive with a focus on privacy and data sovereignty. Unlike public clouds, Nextcloud often runs on private cloud environments, giving the organization deploying it direct control over the data. It wouldn’t make sense for the German government (or any other) to hand over important data to foreign tech firms, which is why Nextcloud is widely deployed in the European public sector.

Protect your public links with passwords

With Nextcloud, users can share directly with other users. This makes sure no data leaves the government data center. But sometimes data must be shared outside the organization, either to a single individual or fully in public like with a press release.

Nextcloud allows users to create one or more public links for this purpose. A public link lets a third party who has the link view and (depending on the settings) download and edit the file. As you might share a document for editing with one person, and create another link with only viewing permissions for a second, each link can have its own protections, including a password, expiration date and more!

The system administrator can put additional controls in place to ensure data is always protected. File Access Control can use rules to stop files from being accessed outside Germany, for example. Or a mandatory 30-day expiration date can make sure links get cleaned up after a while. And last, but very relevant, administrators can enforce a password on each public link.

This setting is clearly enabled on the Nextcloud server used by the German Ministry of Defence, and explains why a simple password (1234) had to be chosen. Note that administrators can even enforce a certain degree of password quality, blocking such simple passwords from being chosen by users!

In other words, Mr. Pistorius does not use the password ‘1234’ to protect any data – it was meant to make it easy to access the press release.

We hope the readers at Bild appreciate our explanation!

For a more detailed exploration of our file sharing features available throughout Nextcloud, see our in-depth docs on File Sharing or our Sharing features overview.
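The administrator controls described above (enforced link passwords, mandatory expiration, password quality) can be checked from an exported configuration. The following is an added example, not Nextcloud's own code: it audits JSON in the shape of `occ config:list` output, and the key names, the embedded sample and the `max_days`/`min_length` thresholds are assumptions to confirm against your own server.

```python
import json

# Constructed sample in the shape of `occ config:list` output, trimmed to the
# keys read below. Key names are assumptions; confirm them on your own server.
SAMPLE = json.loads("""{
  "apps": {
    "core": {
      "shareapi_allow_links": "yes",
      "shareapi_enforce_links_password": "yes",
      "shareapi_default_expire_date": "yes",
      "shareapi_enforce_expire_date": "no",
      "shareapi_expire_after_n_days": "90"
    },
    "password_policy": {"minLength": "4", "enforceNonCommonPassword": "0"}
  }
}""")

TRUE_VALUES = {"yes", "1", "true"}


def _flag(section, key):
    """True only when the key is present and set to an affirmative value."""
    return str(section.get(key, "")).lower() in TRUE_VALUES


def _number(section, key):
    """Integer value of a key, or None when it is missing or not numeric."""
    try:
        return int(section[key])
    except (KeyError, TypeError, ValueError):
        return None


def audit_public_links(config, max_days=30, min_length=10):
    """Return (id, message) findings for the public-link controls in the article.

    A missing key is reported as unset, so the reviewer confirms the server's
    effective default instead of assuming it.
    """
    apps = config.get("apps", {})
    core = apps.get("core", {})
    findings = []

    # Nothing to audit when public links are switched off entirely.
    if str(core.get("shareapi_allow_links", "yes")).lower() == "no":
        return findings

    if not _flag(core, "shareapi_enforce_links_password"):
        findings.append(("PASSWORD_NOT_ENFORCED",
                         "public links can be created without a password"))

    # An expiration date only protects if it is both set by default and mandatory.
    expiry_enforced = (_flag(core, "shareapi_default_expire_date")
                       and _flag(core, "shareapi_enforce_expire_date"))
    days = _number(core, "shareapi_expire_after_n_days")
    if not expiry_enforced:
        findings.append(("EXPIRY_NOT_ENFORCED",
                         "users can remove or extend the link expiration date"))
    elif days is None or days > max_days:
        findings.append(("EXPIRY_TOO_LONG",
                         f"links live longer than {max_days} days"))

    # Enforcing a password without quality rules still admits '1234'.
    policy = apps.get("password_policy", {})
    length = _number(policy, "minLength")
    if length is None or length < min_length:
        findings.append(("WEAK_MIN_LENGTH",
                         f"minimum password length is below {min_length}"))
    if not _flag(policy, "enforceNonCommonPassword"):
        findings.append(("COMMON_PASSWORDS_ALLOWED",
                         "common passwords are not rejected"))
    return findings


if __name__ == "__main__":
    for finding_id, message in audit_public_links(SAMPLE):
        print(f"{finding_id}: {message}")
```

The sample reproduces the situation in the article: a password is mandatory, but with a minimum length of 4 and no common-password check, "1234" is accepted.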

The post Educating Bild: password-protected sharing appeared first on Nextcloud.

February maintenance updates for Hub 4, 6 and 7 are here

Please update to a new version to keep your data safe!

We strongly recommend that you update your Hub to version 26.0.12, 27.1.7 or 28.0.3. The maintenance updates include important bug fixes, stability and security upgrades. It is a quick and safe process, as always!

Minor Nextcloud updates released

What’s new

The updates bring several important bug fixes and performance improvements in all supported versions of Nextcloud Hub. The Nextcloud desktop client has also been updated to version 3.12.0. Find the full changelog on our website, or read the update summaries below.

Version 26.0.12

In this update, several critical improvements have been made to enhance the system’s performance and security. The fixes tackle issues with partial cache entry in Files, auto-logout loop, brute-force protection for the federation endpoint, requests without read permission, and share status in WebDAV. These updates collectively contribute to a more robust and efficient user experience. Additionally, we handled issues with buffer chunked requests, storage background scanning, integer generation errors, preview generation, synchronization, and file versioning. The capability for listing the root directory when using a case-insensitive option in SMB was also introduced.

Version 27.1.7

Several improvements and fixes have been implemented to enhance the overall functionality and security of the system. Noteworthy changes include logging when crypto session data is lost for better tracking and troubleshooting. Additionally, there are fixes in migration processes, checkbox functionality, auto-logout loop, brute-force protection for the federation endpoint, WebDAV, error handling, and a PHP codebase update. Other fixes include work on handling admin defaults in sharing, preview generation issues, video verification, errors in nextcloud/files, and storage background scanning.

Version 28.0.3

In the latest update, several enhancements and bug fixes have been introduced to ensure a smoother and more secure user experience. Notably, issues such as successful authentication detection in Kerberos tests and the slow logout problem on Chrome-like browsers have been addressed. There are fixes to the user status feature, disabling of SSL checks for JavaScript modules, visual enhancements for icons, a PHP codebase update, a WebDAV default header fix, and various performance improvements and bug fixes, ranging from quota warnings to cache issues in WebDAV.

Additionally, the release addresses buffer chunked requests, handling admin defaults in sharing, storage background scanning, URL pulse decoding, Photos picker, fixes related to file handling, and security enhancements including brute-force protection for email endpoints.

Desktop client 3.12.0

Nextcloud desktop client update 3.12.0 includes several bug fixes and feature additions such as client status reporting and file-locking enhancements. Additionally, we made updates to workflows and dependency bumps, and ran a code cleanup.

Highlights of the version include client error reports in the server, such as conflicts (data is available in the admin dashboard), and a restriction on moving folders mounted in external storage.

Find the full changelog on GitHub.

Make the most of Nextcloud with Hub 7 🚀

Watch the Hub 7 launch video on YouTube

Nextcloud Hub 7 is the latest version of Hub. It brings even more synchronicity and comfort, introducing global features like Unified Search and cross-app out-of-office functionality, UX improvements and much more. What’s new:

  • Unified Search to find anything, anywhere.
  • Global Out-of-Office message in Mail, Calendar, and Talk.
  • Phone dial-out, recording consent in Talk.
  • iOS Live Photos, EXIF metadata support in Photos.
  • Annotating and saving PDFs.
  • Improved tag management and tag colors in Mail.
  • Marking Deck cards as completed.
  • New AI models for integration
  • And more!


The post February maintenance updates for Hub 4, 6 and 7 are here appeared first on Nextcloud.

Ubuntu ‘Command Not Found’ Open to Exploit with Snaps

Researchers at Aqua Security say they’ve discovered a significant security issue with Ubuntu’s “command not found” feature. When you run a command for a package that is not installed, Ubuntu’s “command not found” feature kicks in to a) tell you the command was not found and b) proactively suggest the relevant package(s) you need to install to run the command you tried. Package recommendations are drawn from DEB software available in the Ubuntu repos (queried against a local database that doesn’t change often), and for snap packages on the Snap Store (which involves connecting to the store’s online database). Using snaps, security researchers say […]

You're reading Ubuntu ‘Command Not Found’ Open to Exploit with Snaps, a blog post from OMG! Ubuntu. Do not reproduce elsewhere without permission.

Ubuntu Building New Desktop Security App [First Look]

Ubuntu is working on a new Desktop Security Center that aims to make it easier for users to access some of the distro’s underlying security features. An early version of the Flutter-based tool was made available to install from the Canonical Snap Store this week — but before anyone gets too excited I should stress it’s very much a WIP and not entirely functional (so set expectations accordingly)! Even so, there’s enough to pique interest. Read on for more detail on what this tool is, the features Canonical plans to surface through it, and how you can install the early […]

You're reading Ubuntu Building New Desktop Security App [First Look], a blog post from OMG! Ubuntu. Do not reproduce elsewhere without permission.

Maintenance updates ready for Hub 4, 6 and 7

Minor Nextcloud updates released

Please update to a new version to keep your data safe!

We strongly recommend that you update your Hub to version 27.1.6, 26.0.11 or 28.0.2. The maintenance updates include important bug fixes, stability and security upgrades. It is a quick and safe process, as always!

Update summary

We updated Nextcloud server, focusing on several key performance improvements, bug fixes, and security enhancements. Find a brief overview of the updates below and access the full changelog for each version on our website.

New in version 26.0.11

The version brings several updates, including fixes for a semaphore issue, enabling multiple organizers support, and ensuring proper Certificate Revocation List (CRL) updates. LDAP group formatting, shared lock TTL restoration, and improved performance in token login have been addressed.

Throttling mechanisms for restore processes and enhanced error handling for Exif metadata read errors are implemented. Furthermore, user timezone parsing for share expiration and subscription key validation for improved security are now part of the updated features.

New in version 27.1.6

Version 27.1.6 includes the enhancement of the Psalm configuration for improved static code analysis. A language-related issue affecting grammatical accuracy has been addressed in the Internationalization module. Fixes include preventing floating-point value truncation in Quota settings for non-English locales and optimizing Calendar Query Handling in the CalDAV module for increased efficiency.

Accessibility and user experience have been improved by ensuring sufficient contrast for app menu entries and dashboard welcome messages, as well as resolving issues with the reference picker in the Files module. Security measures include preventing writing .htaccess files on read-only file systems and introducing a Two-Factor Authentication Bypass in the AppAPI under specific conditions.

Additionally, service worker issues in the Files module have been addressed to enhance performance, and changes have been made to reduce memory consumption during scans.

New in version 28.0.2

The Hub 7 update includes enhancements like replacing input fields with password fields and adding password error messages, adjusting theming utilities for better color contrast, and adding a setup check for maintenance_window_start configuration. Various bug fixes address issues such as dragging previews in the Files module, handling calendar notifications, and fixing user status errors. Additionally, the release focuses on accessibility improvements, security updates, and performance enhancements.

Security measures and dependency updates

In all maintenance releases, security measures have been implemented to prevent writing .htaccess files on read-only file systems, and additional configurations have been marked as sensitive. We also limited the validity of the authorization codes in Nextcloud to 10 minutes.

The updates also cover dependency changes across various modules like activity, firstrunwizard, logreader, notifications, and more.

Desktop client 3.11.1

Version 3.11.1 of the desktop client includes several bug fixes and performance updates, such as interface improvements, various file management issue fixes, missing translations for AppImage, spelling improvement in end-to-end encryption messages, and more.

You can find the full changelog on GitHub to access the details of this update and the previous minor and major versions. To browse system requirements for the latest version, refer to our client manual.

Note: There will be no more releases of Nextcloud Hub 3 (25.x.x and older). Upgrade to Nextcloud Enterprise to continue to get security and stability updates or move to a newer version. Running software without regular updates is risky, so we urge you to keep your server and apps updated. Customers can always count on our upgrade support if needed.

Upgrade to Hub 7 🚀

Watch the Hub 7 launch video on YouTube

Nextcloud Hub 7 is our most integrated platform so far, bringing global features such as Unified Search and cross-app out-of-office functionality. New features include:

  • Unified Search to find anything, anywhere.
  • Global Out-of-Office message in Mail, Calendar, and Talk.
  • Phone dial-out, recording consent in Talk.
  • iOS Live Photos, EXIF metadata support in Photos.
  • Annotating and saving PDFs.
  • Improved tag management and tag colors in Mail.
  • Marking Deck cards as completed.
  • New AI models for integration
  • And more!


The post Maintenance updates ready for Hub 4, 6 and 7 appeared first on Nextcloud.

How to share files securely without risking privacy


Why sharing files securely is important

Online sharing security is a topic brought up often enough, yet the majority of people just don’t want to delve too much into the technicalities of how to share files securely. Others seem to be always on guard but inevitably miss one or two important safeguards.

Sharing files without considering privacy risks can lead to a variety of issues, exposing individuals and organizations to potential threats. Here are just some of the common problems faced when you don’t share files securely:

  • Unauthorized access
  • Sensitive data interception and leaks
  • Malware distribution
  • Compliance violations
  • Phishing risks
  • Data corruption and loss

What we know for sure is that both companies and individuals absolutely need to know the basics of secure file sharing. And while it may seem like too much to handle to an average user, in fact all the instruments are there for you. Let’s explore!

1. Choose a secure file storage

Protecting your file storage is basic file security 101. We know it sounds very general, so what are the most important things to start with? Here are the storage protection basics to keep in mind.

Access control 👥

Implement strong access controls to limit who can access and modify files.

Use role-based access controls to assign permissions based on the team’s roles or responsibilities.

Data location 📍

Storing files locally, meaning keeping them on your personal device (computer, smartphone, etc.) or on a local network, has certain security advantages. In this case, you truly own your data, and none of it is available to a cloud provider.

Authentication 🔐

Enforce strong user authentication mechanisms. Use complex passwords, two-factor authentication (2FA) and Single Sign-On to add an extra layer of security — all depending on the level of security required and your resources.

Backups 🛟

Regularly back up your files to prevent data loss due to hardware failures, accidental deletions, or other unforeseen events. Keep backup copies in a secure and separate location — on your local disk or in another cloud.

A secure storage that doesn’t spy on your data is a fundamental choice. No sophisticated security features are worth your while when you are using unsafe services to store and share your documents. Moving away from Big Tech providers like Google and Microsoft already puts you on the right track.

Security by design in Nextcloud Hub

Nextcloud Hub is secure by design, allowing you to host your data locally or in a trusted cloud. Flexible sharing options help control access not only to the files in your storage, but to many other items including Deck boards, Collectives, and more.

Enterprise-class authentication security in Hub provides features like 2FA, SSO, SAML 2.0, support for LDAP/Active Directory, and reliable backup options including peer-to-peer backup for private users with the Nextcloud Backup app.

2. Use temporary links

Temporary links are a magic tool that helps you get better file security without much effort. Not only do they limit access time for the target user when there’s no other way to revoke access, they also help minimize the window of opportunity for others. This is particularly useful in scenarios where you need to share a file temporarily for a specific purpose or event.

Be mindful of the link’s expiration date, and choose a secure and reputable file-sharing service. The service still needs to employ additional security measures, for example encryption in transit and at rest, to ensure comprehensive protection of shared files.

External link sharing in Nextcloud

In Nextcloud, you can share file and folder links securely with optional expiration dates. If your link starts going around, you can rest assured it is not for long. There’s also no need to worry about mitigating forgotten shares. Instead of relying on individuals to revoke access after a certain point, the link automatically becomes inactive.

3. Restrict file reuse

Sometimes you need to share content in full but want to make sure it is not reused inappropriately: downloaded, printed, copied, etc. There are additional measures that help prevent these actions.

Apply watermarks

Watermarks help protect document content when users have full access to the file. When printed, for example, such documents will contain additional info about the author to protect your rights. A watermark can be customized and typically includes the author’s name, creation date and other essential information. Most office suites support watermarking.

Restrict downloads

Some sharing options may include a download restriction: users can access your file online but cannot download it to their device to reuse it, send it to other users via unauthorized channels or upload it somewhere on the web.

File restrictions in Nextcloud

In Nextcloud Hub, you can use watermarks and hide the download option from other users. Besides, you can add extra permission levels that forbid certain actions like editing and deleting. External link sharing is managed centrally in the link settings, and can be revoked any time you wish.

4. Share files via safe channels

Secure storage and file protection are vital, but sharing your file passwords via private messages brings it all into jeopardy. The channels we mostly use for sharing our files or links are messengers and email apps, which are not always secure. How to pick the right one?

Make sure the service provides encryption

If sharing files via email, consider using secure email services like ProtonMail or Tutanota. Those offer end-to-end encryption for emails and attachments. Use messaging apps that offer end-to-end encryption, such as Signal or WhatsApp. These apps ensure that only the intended recipient can decrypt and access the shared files. Nextcloud Hub integrates both an online mail client and Talk chat, providing an all-in-one secure communication platform that works naturally with your file exchange.

Use VPN

If sharing files over a network, use a VPN to encrypt the connection and protect the data from potential eavesdropping. When you connect to a public Wi-Fi network, your data is vulnerable to interception by malicious actors on the same network. A VPN encrypts your data, making it significantly more challenging for hackers to eavesdrop on your chat conversations or any other sensitive information.

Move to a secure collaboration platform

Use secure collaboration platforms that provide end-to-end encryption and other security features. All-in-one platforms like Nextcloud Hub incorporate a whole ecosystem of tools including mail and messaging. Moreover, sharing your files within the same perimeter is the most secure you can get. Even better — you host locally and fully own your data.

5. Share sensitive files securely with passwords

Password protection is available in most of the modern office suites, both online and offline. Some storage apps have password protection functionality too. While not entirely convenient, this feature is very safe and therefore suitable when you need ultimate security.

What happens when you protect a document with a password? The content of the document is encrypted using a cryptographic algorithm. This means that the actual text, images, and other data within the document are scrambled or transformed into a format that is not readable without the correct decryption key. This lets you share files securely even via common channels.

Password-protected documents are usually universally accessible across apps. A file with a password set in one software can be opened in another app that supports work with passwords. Some apps even allow protecting certain actions like editing or commenting with a password while the document’s content remains generally available.

Password protection in Nextcloud Office

Nextcloud Office also allows you to protect links with passwords to make sure only the authorized users have access to the shared file even if the file link becomes available to the public. This is also a way to protect individual files when you are sharing the folder publicly. Link protection is more convenient than file encryption: there’s no risk of forgetting your own password since you don’t need it.

File passwords are also supported in Office, in case you need to work with more sensitive data. Those files can be opened in other software that supports password protection, making files easy to share with anyone outside of Hub.

6. Use end-to-end encryption to share confidential files securely

In simple words, end-to-end encryption is when the data is encrypted on one device and then decrypted on another, with those devices being the two “ends”. Files encrypted end-to-end are stored and transferred in a secure, encrypted form before a user with authorized access needs to open a file to work on it. It often involves encrypting a file with a password, but sometimes the entire storage or some of its folders can be encrypted for ultimate protection.

Encrypted file sharing in Nextcloud

The Nextcloud desktop client offers client-side end-to-end encryption as a folder-level feature. This option enhances the security of highly sensitive data, ensuring its complete protection even in the event of a server breach.

File Drop: secure enterprise file exchange

The File Drop functionality in Nextcloud allows customers, patients, clients, or partners to securely upload files to a designated cloud folder that you have shared with them via a hyperlink. Data remains, at all times, on-premise, under full authority of IT. File Drop also features temporary link creation, encryption at rest and in transit, and file password protection.

Secure file sharing with Nextcloud Hub

Nextcloud Hub is one of the safest collaboration platforms thanks to our dedication to privacy. And it’s not only about file sharing. Every app we build and add to our ecosystem has privacy in mind — Mail, Talk, Calendar, Notes, Files, and more — working together in ultimate synergy to deliver first-class collaboration for individuals and enterprises.

And most importantly, Nextcloud Hub is free and limitless for both private users and companies. Opt for the Enterprise version to get 24/7 dedicated support and a stable performance guarantee when you maintain a mission-critical deployment.

File synchronization and sharing with Nextcloud is available on mobile platforms and in desktop environments, delivering an even higher level of privacy and ultimate comfort.

Get Nextcloud Hub

A new generation of online collaboration that puts you in control.

The post How to share files securely without risking privacy appeared first on Nextcloud.

Hot on the heels of Hub 7, updates for Hub 4 and 6!

Please update to 27.1.5 or 26.0.10 to keep your data safe!

Besides new features, minor releases include important bug fixes, stability and security upgrades. Updating to a new minor version is designed to be a quick and safe process.

Minor Nextcloud updates released for Hub 4 and 6

We’ve made available new minor releases for Hub 4 and 6. You can find the full changelog of fixes and improvements for these releases on our website.

New in version 26.0.10

Highlights in version 26.0.10 include security-related fixes, such as updating the CA certificate bundle and handling potential vulnerabilities in the WebDAV component. The release improves performance with SFTP enhancements and optimizations in components like the TemplateManager and brute force protection mechanism. And, as always, backports of fixes as well.

New in version 27.1.5

Highlights in version 27.1.5 include updating the CA certificate bundle, addressing CSRF check failures at login, and handling potential vulnerabilities such as idn_to_utf8 returning false, and other security-related fixes. Performance improvements involve lowering the threshold for system address book sync, optimizing file-sharing logic, and avoiding file operations when disk space is low. Additionally, the release introduces various system stability and reliability fixes, such as proper version fetching from shared files and avoiding unnecessary deletions. And, as always, …backports!

Desktop Client 3.11.0

In other news, the Desktop Client team pushed out a minor release, 3.11.0, fixing bugs and improving performance. You can find the full changelog here.

Improvements include the ability to remove remotely deleted files locally in case of upload errors and Material icons used for folders. Plus, we added multiple improvements for macOS, such as better reply notifications in Talk and opening Nextcloud after installation.

Don’t forget the desktop client now requires macOS version 12.0+.

It’s time to move to Nextcloud Hub 7

Watch our Hub 7 launch video!

Nextcloud Hub 7 was released one week ago, and we recommend that you check it out to see if you can benefit from its latest features. Here is a quick summary:

  • Unified, advanced search to find anything, anywhere.
  • Global Out-of-Office message that works in Mail, Calendar, and Talk apps.
  • Phone dial-out to call participants directly from within Talk.
  • Recording consent in Talk to comply with privacy laws.
  • iOS Live Photo viewing and EXIF metadata support in the Photos app.
  • Annotating and saving PDFs right in your Nextcloud.
  • Improved tag management and tag colors in the Mail app.
  • Marking Deck cards as completed to stay productive.
  • On-premises Stable Diffusion by Stability AI for local image generation and the new Aleph Alpha model.
  • Much, much more!

Did you know?

With Hub 7, you can view Live Photos made on iOS even on Android devices.

Check out the full release announcement here. Note that the AI features are optional – and updating is easy as Hub 7 is built on the same foundation as Hub 6, not requiring any heavy migrations.

Get Nextcloud Hub 7

Download and install Nextcloud Hub 7 here!

Stay safe: keep your server up-to-date!

Minor Nextcloud releases are security and functionality bug fixes, not rewrites of major systems that risk user data! We subject our codebase to extensive automated testing, followed by validation on a series of real-world systems before releasing them to the public. This ensures that minor release upgrades are generally painless and reliable. As the updates not only fix feature issues but also security problems, it is highly recommended to upgrade!

If you are maintaining a mission-critical Nextcloud system for your enterprise, we also highly recommend Nextcloud Enterprise. With a hotline to the core Nextcloud developers, it’s the best guarantee of reliable service for your users and peace-of-mind for system administrators – maybe that’s you!

The post Hot on the heels of Hub 7, updates for Hub 4 and 6! appeared first on Nextcloud.

Security statement on ownCloud breach

We are receiving information requests from customers and users worried about the severe security breaches. These occurred in ownCloud (recently acquired by US file sync and share vendor Kiteworks) as reported by Ars Technica and others.

We want to make clear that these absolutely do not affect Nextcloud. Nextcloud has a strict security process backed by a USD 10K bug bounty program. We, for example, have a policy to remove test data from libraries that are shipped, to avoid risks like these.

Nextcloud has diverged significantly over the last years from ownCloud, accelerating our development. There are serious risks associated with using legacy, minimally-maintained software and we would want to point out to users and customers that migration to Nextcloud is quick, easy, painless, and helps keep their data private.

See here the Ars Technica article in question.

The post Security statement on ownCloud breach appeared first on Nextcloud.
