Synology Free License and Subscription C2 Charge Changes AGAIN??? Here is Everything Affected

Synology has announced a set of changes to several of its online services, including Active Insight, C2 Storage, C2 Object Storage, C2 Identity, C2 Password, and C2 Transfer. Some of these changes are simple pricing or license adjustments, while others are larger service changes, including the launch of C2 OneStorage and the end-of-life process for C2 Password and C2 Transfer. Synology describes the move as a strategic realignment of its C2 cloud ecosystem, with C2 OneStorage becoming the new unified storage subscription for C2 Storage, Hybrid Share, and C2 Object Storage. I think the reason this matters is not simply that some prices are changing. Synology NAS systems have often carried a premium because of DSM and the surrounding software ecosystem, especially for home users, prosumers, and small businesses that value simplicity. In my video, I described this as another example of Synology reorganising its services while also creating concern about the gradual removal, restructuring, or monetisation of features that some users considered part of the wider platform value. The article below breaks down each affected service, what is changing, what is being renamed or merged, what is being discontinued, and which dates users need to pay attention to.

Active Insight Complimentary (Free) License Is Being Removed

The first major change is to Synology Active Insight, the cloud-based monitoring service used to keep an eye on Synology NAS systems remotely. Active Insight can show system status, performance information, backup status, login activity, and warning alerts from a central interface. Until now, many users had access to 3 complimentary licenses, which made it useful for smaller setups where someone might only have 1, 2, or 3 Synology devices to monitor. From June 22, 2026, Synology says complimentary licenses will no longer be available for new users, meaning new users will need to purchase subscribed licenses to monitor their hosts through Active Insight.

For existing users relying only on complimentary licenses, the service does not immediately stop. Synology’s timeline gives those users until June 22, 2027, after which the complimentary licenses will be fully removed. The new pricing model is listed at $29.99 USD per host per year, and a “host” means a Synology storage system monitored by Active Insight. In the video, I described this as probably the most widely felt change, not because every Synology user relies on Active Insight, but because it was a useful included extra for users managing systems remotely and it added to the wider feeling that Synology’s software ecosystem came bundled with the hardware.

C2 Storage and C2 Object Storage Are Becoming C2 OneStorage

The second major change is the move from separate C2 storage products into a new plan called C2 OneStorage. Previously, Synology had C2 Storage Basic, C2 Storage Advanced, and C2 Object Storage as separate or differently positioned services, with C2 Storage also being used for tools such as Hyper Backup and Hybrid Share. From June 22, 2026, Synology says C2 Storage will transition to C2 OneStorage, creating a single storage pool shared across multiple cloud and hybrid storage services. Synology’s own announcement describes this as a way to remove the need for separate storage plans and allow capacity to be used across C2 Storage for Hyper Backup, Hybrid Share, and C2 Object Storage.

I do think this part of the change is easier to understand than some of the others, because it is a genuine consolidation rather than a straight removal. In the video, I said this kind of C2 realignment was overdue, mainly because the old C2 naming and plan structure could be unclear for new users. However, the storage merge also changes the entry point. Existing 100 GB and 300 GB C2 Storage users are being moved to the C2 OneStorage 300 GB plan, while 1 TB users move to the 1 TB plan.

The listed C2 OneStorage pricing is $29.99 / €29.99 annually for 300 GB, and $77.99 / €77.99 per TB annually for 1 TB to 200 TB, with monthly pricing listed at $7.99 / €7.99 per TB. For users who only needed a small 100 GB plan, the new structure may be simpler, but it may also remove the lower-cost entry option.

C2 Identity Is Moving to a New License Model

The next change is to C2 Identity, Synology’s cloud identity and access management service. This is not being discontinued in the same way as C2 Password or C2 Transfer, but the old plan structure is being replaced. Synology says that from June 22, 2026, the new C2 Identity plan will be the only plan available to new subscribers. The existing C2 Identity Free plan is being deprecated on June 22, 2027, while C2 Identity Business is being deprecated on December 22, 2027. In place of the old model, C2 Identity will be available either through paid standard licenses or through limited lite licenses bundled with certain directory-dependent C2 services, such as C2 Backup Business.

The practical point is that C2 Identity is being restructured around paid access rather than keeping the old free and business split. Standard licenses are listed at $49.99 per year in North America, €49.99 per year in Europe, and NT$1,499 or $49.99 per year in Taiwan. C2 Backup Business subscriptions will include 250 lite licenses, but these are limited and cannot be purchased separately. Another important change is that the new C2 Identity plan no longer includes C2 Password Business. After conversion, C2 Identity and C2 Password Business become separate subscriptions, and existing C2 Password Business subscriptions cannot be converted or renewed.

C2 Password Is Being Discontinued, Not Merged

C2 Password is one of the services that is being fully retired rather than renamed or folded into a new product. This affects C2 Password Free, C2 Password Plus, and C2 Password Business. Synology says C2 Password will reach end of life on June 22, 2027, and after that date the service will no longer be available. New subscriptions can no longer be purchased from June 22, 2026, while existing C2 Password Free users can continue using the service until the end-of-life date. The important distinction here is that C2 Password is not becoming part of C2 OneStorage, and it is not being carried forward inside the new C2 Identity plan. In the C2 Identity changes, Synology states that the new C2 Identity plan does not include C2 Password Business, and after conversion C2 Identity and C2 Password Business become separate subscriptions. Existing C2 Password Business subscriptions cannot be converted or renewed, and they remain active only until the end of the current term before entering the grace period. For users, the practical advice is simple: export the vault data before the service reaches its end-of-life date.

C2 Transfer Is Reaching End of Life

C2 Transfer is also being discontinued rather than merged into another Synology service. This affects C2 Transfer Free, C2 Transfer Professional, and C2 Transfer Business. Synology says C2 Transfer will stop accepting new subscriptions from June 1, 2026, and the service will reach end of life on June 22, 2027. After that point, C2 Transfer will no longer be available. Unlike the C2 Storage changes, this is not a case of several services being renamed or placed under a shared storage pool. It is a straight retirement of the service. (kb.synology.com).  For existing C2 Transfer Professional and Business users, plan modifications such as upgrades, downgrades, and billing changes are no longer available after June 22, 2026. Renewals are available until December 22, 2026, and after that, users can continue using the service until their current subscription expires. Free users can continue until June 22, 2027, as long as the subscription remains active. Synology advises users to download and back up files, review shared links, and complete migration before the service ends. In the video, I noted that there is no clear indication that C2 Transfer is being absorbed into a replacement service, which means users should treat this as a service they need to move away from rather than wait for a renamed version.

Synology Account Is Becoming the Central Service Hub

Alongside the individual C2 service changes, Synology is also redesigning the Synology Account portal. This is not a discontinued product or a paid license change by itself, but it is still relevant because it shows how Synology is organising its wider service ecosystem. Synology says the redesigned Synology Account will act as the central hub for the C2 ecosystem, giving administrators a single place to view Synology resources, system and package licenses, active devices, services, and partner relationships. Synology also says current subscription workflows will remain intact during the transition, so this appears to be more of a management and visibility change than a direct service removal.

I see this as part of the same wider shift: Synology is making licenses, subscriptions, devices, and cloud services more central to the account experience. Synology’s existing account page already describes Synology Account as a place to manage device details, QuickConnect and DDNS information, warranty information, licenses, cloud subscriptions, group accounts, subscription management, and Active Insight information for group devices. In the video, I treated the redesigned account portal as an important signal, because improving license and subscription visibility at the same time as removing free tiers and changing paid plans suggests that Synology expects this kind of account-level service management to become more important going forward.

What These Changes Say About Synology’s Direction

Taken together, these changes point to a clearer split in Synology’s online service strategy. C2 Storage Basic, C2 Storage Advanced, and C2 Object Storage are being consolidated into C2 OneStorage, which should make the storage side of C2 easier to understand, but also changes the entry point for smaller users. C2 Identity is not being removed, but it is being moved into a new paid license structure with standard licenses and limited lite licenses. Active Insight is staying in place, but the 3 complimentary licenses are being removed and replaced by a per-host subscription model. C2 Password and C2 Transfer are different again, because these are not being merged into replacement services, they are being moved to end-of-life status. Synology’s official position is that this is a portfolio realignment focused on hybrid cloud, unified resource management, and business-critical workloads, with the main changes taking effect from June 22, 2026. For home users, prosumers, and smaller businesses, the main issue is not only whether any 1 service is worth paying for. It is whether the overall Synology value proposition is changing. In the video, I described this as another small cut to the lower and middle part of the user stack, where many people buy Synology primarily for DSM and the services around it rather than for the hardware alone. Cloud services do cost money to operate, and it is reasonable for any company to review pricing, free tiers, and product overlap over time. However, when free licenses are removed, lower-cost plans are reshaped, and entire services are discontinued, users need to check what they actually rely on before the relevant deadlines arrive. Active Insight users should check whether they want to pay for monitoring after the complimentary licenses end, C2 Storage users should compare their current plan against C2 OneStorage, C2 Identity users should review license and quota changes, and C2 Password or C2 Transfer users should plan a migration before June 22, 2027.

Join Inner Circle

Want to follow specific category? Also Read...Synology Free License and SubsSynology Official Cameras Now Synology Beestation BST151-4T Synology Beestation BST151-4T Synology RS1626xs+ NAS - WorthSynology RS1626xs+ NAS RevealeSynology FS200T NAS RevealedSynology FS200T NAS Revealed100 Reasons Why Users Choose T100 Reasons Why Users Choose S Subscribe You can also follow specific search terms:

This description contains links to Amazon. These links will take you to some of the products mentioned in today's content. As an Amazon Associate, I earn from qualifying purchases. Visit the NASCompares Deal Finder to find the best place to buy this device in your region, based on Service, Support and Reputation - Just Search for your NAS Drive in the Box Below

Need Advice on Data Storage from an Expert?

TRY CHAT

If you like this service, please consider supporting us. We use affiliate links on the blog allowing NAScompares information and advice service to be free of charge to you.Anything you purchase on the day you click on our links will generate a small commission which isused to run the website. Here is a link for Amazon and B&H.You can also get me a Ko-fi or old school Paypal. Thanks!To find out more about how to support this advice service check HEREIf you need to fix or configure a NAS, check Fiver Have you thought about helping others with your knowledge? Find Instructions Here  

Or support us by using our affiliate links on Amazon UK and Amazon US

    

 

WE LOVE COFFEE

Tony Goacher a résolu un petit casse-tête avec élégance. Son projet CrowdClock, ce sont des badges lumineux pour festival qui clignotent tous en rythme, parfaitement synchronisés. Sauf qu'il n'y a aucun badge maître, aucune appli, aucun appairage. Les badges se mettent d'accord tout seuls.

Le truc tient en une technique toute bête. Chaque badge fait tourner sa propre horloge interne et diffuse en continu sa valeur tout autour de lui, via ESP-NOW (un protocole sans fil léger, qui permet à de petits modules de discuter directement entre eux sans passer par le Wi-Fi). Quand un badge capte une valeur d'horloge plus élevée que la sienne, il adopte cette valeur, tout simplement.

Microsoft a levé le voile sur les jeux vidéo qui rejoindront les différents catalogues du Xbox Game Pass en mai. Un mois marqué par l'arrivée de Forza Horizon 6.

478 binaires Unix peuvent servir à devenir root sur un système mal configuré.

C'est ce que recense GTFOBins , le projet open source monté par Emilio Pinna et Andrea Cardaci, qui est devenu LE bookmark obligatoire de tout pentester Linux.

Ce ne sont pas des exploits, hein, mais juste des fonctions parfaitement légitimes de programmes installés partout, et qui dans le bon contexte (genre un bit SUID oublié, qui fait tourner un binaire avec les droits du propriétaire, souvent root) permettent de spawner un shell, lire un fichier protégé, ou grimper d'un cran dans la hiérarchie des privilèges. Petit rappel quand même, faut déjà avoir un pied sur la machine, ce n'est pas une porte d'entrée magique depuis Internet.

Une fois sur leur site, vous tapez le nom d'un binaire dans le moteur de filtre (ou vous cliquez sur une fonction), et hop, vous tombez sur les commandes exactes à recopier-coller, et c'est plié en moins de dix secondes.

Par exemple, si votre cible a un sudo find sans mot de passe, le site vous donne sur un plateau d'argent sudo find . -exec /bin/sh \; -quit.

Un mawk qui tourne en SUID root ? Direct, mawk 'BEGIN {system("/bin/sh")}' et bonjour le shell privilégié. Un vim mal configuré (compilé avec le support Python ou Lua, ce qui est le cas dans la plupart des distros desktop) ? La page documente comment l'utiliser via :py ou :lua pour exécuter du code arbitraire et retomber sur ses pattes.

C'est donc la fin des recherches désespérées sur StackOverflow à 3h du matin pendant un CTF...

La philosophie de ce projet est claire... on ne casse rien, on détourne juste l'usage prévu. Le hic, c'est que la frontière entre détournement et exploitation est mince quand un sudoers mal écrit donne accès à un binaire trop puissant.

Les 478 binaires sont rangés selon 11 fonctions et 4 contextes d'exécution. Côté fonctions, vous avez : Shell (228 binaires permettent de spawner un shell, oui presque la moitié du catalogue), File-read (199), File-write (84), Inherit (71), Upload (34), Download (32), Command (30), Reverse-shell (21), Privilege-escalation (14), Library-load (11), et Bind-shell (7). Côté contextes : Unprivileged, Sudo, SUID, et Capabilities.

Et sur la page d'un binaire, chaque case du tableau vous dit super clairement "voilà comment t'en sors selon ce que tu as sous la main".

Les champions toutes catégories ce sont les langages interprétés et les shells eux-mêmes. zsh, socat, ruby, python, php, node, lua plus bash, tous cumulent 7 fonctions différentes chacun. C'est logique, dès que vous avez un interpréteur sous la main vous pouvez faire à peu près tout (lire, écrire, exécuter, ouvrir une socket).

D'ailleurs c'est pour ça que les sysadmins paranoïaques tirent une tête bizarre quand on leur dit qu'on a installé Python sur un serveur de prod sans cas d'usage explicite. Pfff... je les comprends, un Python qui traîne sur un serveur Debian avec un sudo NOPASSWD au-dessus, c'est game over en trois lignes.

Y'a un autre détail que je trouve cool également, c'est l'intégration MITRE ATT&CK . Chaque fonction du site est mappée à une technique du framework officiel, accessible via /mitre.json.

Donc pour les blue teams qui veulent justifier une règle de détection en réunion, c'est tout simplement cadeau !! Et pour ceux qui automatisent leurs scans, l'API JSON complète est dispo sur /api.json, du coup vous pouvez parser les 478 entrées avec un jq ou un petit script Python pour générer des règles de monitoring custom.

Bref, GTFOBins c'est aussi un cadeau pour les défenseurs, à condition de retourner la logique du projet. Voilà, ça vaut le coup d'y passer dix minutes par mois sur un audit.

Pour les Windowsiens qui se sentent oubliés, sachez que l'équivalent existe et s'appelle LOLBAS (Living Off The Land Binaries And Scripts), bien suivi par les analystes Windows depuis 2018. Même philosophie, même format, même utilité, juste appliqué aux exécutables Microsoft signés que Windows installe par défaut.

Les deux projets se citent mutuellement et forment ensemble la cartographie communautaire des techniques de Living Off The Land cross-OS. Si vous bossez sur les deux côtés du fossé, gardez les deux onglets ouverts en permanence ^^ !

Maintenant si l'angle élévation de privilèges via shell restreint vous intéresse, j'avais déjà couvert une vieille faille sudo qui permettait carrément de sortir d'un chroot , et plus largement la bibliothèque Payloads All The Things qui complète bien GTFOBins sur tout ce qui est exploitation web et post-exploitation. Les deux projets sont complémentaires, GTFOBins se concentre sur les binaires Unix et les abus locaux de fonctionnalités légitimes (shells, transferts, lectures, élévation conditionnelle), PayloadsAllTheThings ratisse plus large côté exploitation web.

Côté admin, le réflexe utile, à vrai dire c'est de lister vos binaires SUID avec find / -perm -4000 -type f 2>/dev/null, vérifier /etc/sudoers plus les fichiers /etc/sudoers.d/* avec sudo -l, puis de passer chaque candidat dans le filtre GTFOBins.

Si une entrée matche, c'est qu'il y a une fuite potentielle à boucher. Attention quand même, l'absence dans GTFOBins ne valide pas une règle sudo ou un SUID custom (wildcards, variables d'env, paths inscriptibles peuvent toujours créer un chemin d'évasion). Bref, c'est à faire avant de filer le moindre sudo NOPASSWD à quelqu'un !

Voici l'histoire de Neukgu, un loup coréen de deux ans qui s'est fait la malle d'un zoo de Daejeon le 8 avril dernier, et qui a tenu en haleine toute la Corée du Sud pendant neuf jours.

Sauf que dans la foulée de l'évasion, un homme de 40 ans génère une fausse photo IA du loup en train de traverser un carrefour, la diffuse en ligne, et l'image finit par remonter jusqu'aux autorités qui n'y voient que du feu.

La séquence qui suit est assez improbable. La municipalité de Daejeon envoie une alerte d'urgence par SMS à la population, signalant un loup au niveau du carrefour en question. Les autorités présentent même l'image en conférence de presse officielle sur l'évasion.

Toute l'opération de recherche se déplace vers cette zone, alors que le vrai loup est très probablement ailleurs. Bref, des centaines d'agents lancés sur une fausse trace générée pour rigoler.

Pendant ce temps, Neukgu continue sa balade. Il sera finalement attrapé près d'une voie rapide neuf jours après l'évasion, sain et sauf.

La police, elle, remonte jusqu'au générateur d'images en croisant la vidéosurveillance et les logs d'utilisation des plateformes IA. Le suspect, 40 ans, raconte avoir fait ça "pour s'amuser".

Moyen rigolo du coup. Il est désormais poursuivi pour entrave au travail des autorités par tromperie, un délit qui peut coûter jusqu'à 5 ans de prison ou environ 7000 euros d'amende.

Côté postérité, Neukgu est devenu une star locale. Issu d'un programme de réintroduction du loup coréen (officiellement éteint à l'état sauvage), il a eu droit à des viennoiseries à son effigie dans une boulangerie du coin, plus d'un million de vues sur la vidéo de son retour, et la ville réfléchit même à le nommer mascotte officielle. Le président Lee Jae Myung avait publiquement prié pour son retour. Sympathique épilogue.

L'affaire pose quand même une vraie question sur l'authentification des images dans des contextes où elles deviennent opérationnelles. Quand une image IA arrive jusqu'à un SMS d'alerte gouvernemental, le filtre humain a clairement raté un étage, même si ça va devenir de plus en plus compliqué avec le temps.

Bref, premier cas vraiment grand public où une fausse photo IA détourne une opération policière, avec poursuites à la clé. Et ça ne sera pas le dernier.

Source : BBC

Source

Source

Source