Kelly.
I agree with everything you say Kelly. But I take issue with leaving
the 'pi' user able to use 'sudo' without having to give a password. It
could be said that because Raspbian is always supplied with the same
password for the pi user that stopping this is irrelevant.
Here is the truth about the Raspberry Pi Foundation...they don't care
about open source, and they don't care about Linux. If they did they
would not continue to 'pretend' that 'Pixel' is anything other than just
another theme of LXDE. Linux is convenient to the RaspberryPi, that is all.
Everybody should always use best practise with security. It takes
little more effort and is educational anyway.
Mike.
On 11/12/2016 12:38, Kelly Prescott wrote:
At risk of starting a religious war, Here is my take.
Security should always be taken seriously whether it be your purse, wallet,
car, house, cell phone, home computers etc.
Now to expound on this.
All these objects/devices contain various amounts of personal information or
possessions. If you do not protect them, there can be damage either to you,
your property, or loss of same.
In some extreme cases, your not protecting these objects could result in
harm or loss to others.
Now that I have made a broad statement, I will bring it down to your home
network.
This may not apply to all people, but it does apply to most, and therefore
it is worth reading.
You have devices on your network. The complexity and number of these
devices is increasing all the time.
Some of these devices punch holes in your firewall without your knowledge.
Some of these devices have flaws which can be exploited by hackers.
If only one device has such a flaw, and a hacker (usually an automatic scan)
gains control of that one device, then the hacker practically owns your
network.
Therefore, it is in everyones interest to follow best security practices in
securing even devices on your home network.
We have all sorts of stuff that connect to your network.
I just did a scan of my network and I counted
22 devices on my home network.
Now, I am a nerd so mine might be a little high, but probably not much.
I have 2 tv devices, 2 ipads, 2 cell phones, a couple of random android
tablets, various project computers, a couple pies, home automation
controller etc.
I only have moderate control of many of these devices as they run closed
software.
The majority of them do open holes in my firewall so certain functions can
be performed like setting up recordings when I am not at home.
I am not listing all these, that would broadcast all my potential
vulnerabilities.
My point is that We all probably have a few of them.
That is why the raspberryPi people updated the software to secure the ssh.
If you have just 1 problem, a bot could scan your network, devine you have a
Pi from the mac address and other factors, and then use the default
credentials to take it over.
That is how the MirorAI bot works.
This is the bot that took down a chunk of internet DNS a couple of months
ago.
I hope this helped to give you an idea of why this is important and gives
you some food for thought.
PS.. They even thought about headless installs like we do by enabling the
ssh with a file placed on the SD card so we can still use the Pi.
Yes, it takes a little more work, but it is worth it in my opinion.
Kp
-----Original Message-----
From: raspberry-vi-bounce@xxxxxxxxxxxxx
[mailto:raspberry-vi-bounce@xxxxxxxxxxxxx] On Behalf Of Tom Fowle
Sent: Saturday, December 10, 2016 10:05 PM
To: list <raspberry-vi@xxxxxxxxxxxxx>
Subject: [raspberry-vi] security and leaving ssh enabled?
In reading up on ssh, some have mentioned that leaving ssh enabled on the
pi, and presumably on any computer, can pose a security risk.
Any opinions on how seriously such should be taken?
Can someone outside one's local network get into a computer on that local
network with just a password?
Thanks
Tom Fowle
===========================================================
The raspberry-vi mailing list
Archives: //www.freelists.org/archives/raspberry-vi
Administrative contact: <mike.ray@xxxxxxxxxxxxxx>
-----------------------------------------------------------
Raspberry Pi and the Raspberry Pi logo are trademarks of the Raspberry Pi
Foundation.
This list is not affiliated to the Raspberry Pi Foundation and the views and
attitudes expressed by the subscribers to this list do not reflect those of
the Foundation.
Mike Ray, list creator, January 2013
===========================================================
The raspberry-vi mailing list
Archives: //www.freelists.org/archives/raspberry-vi
Administrative contact: <mike.ray@xxxxxxxxxxxxxx>
-----------------------------------------------------------
Raspberry Pi and the Raspberry Pi logo are trademarks of the Raspberry Pi
Foundation.
This list is not affiliated to the Raspberry Pi Foundation and the views and
attitudes expressed by the subscribers to this list do not reflect those of
the Foundation.
Mike Ray, list creator, January 2013
