I am not arguing the RPI Foundation's motives at all.
I am simply saying within what they hand us, we have to do the best we can with
it.
I actually use many other types of boards, and I follow the same principles
with them.
I think there are a lot of companies etc that use Linux for convenience.
They see something that is "free" and they think that is one less cost point
for them.
I never leave the default security setups on the devices/software I use, but
there are a lot of people who do either through not knowing, or not thinking it
is important.
-----Original Message-----
From: raspberry-vi-bounce@xxxxxxxxxxxxx
[mailto:raspberry-vi-bounce@xxxxxxxxxxxxx] On Behalf Of Mike Ray
Sent: Sunday, December 11, 2016 6:59 AM
To: raspberry-vi@xxxxxxxxxxxxx
Subject: [raspberry-vi] Re: security and leaving ssh enabled?
Kelly.
I agree with everything you say Kelly. But I take issue with leaving the 'pi'
user able to use 'sudo' without having to give a password. It could be said
that because Raspbian is always supplied with the same password for the pi user
that stopping this is irrelevant.
Here is the truth about the Raspberry Pi Foundation...they don't care about
open source, and they don't care about Linux. If they did they would not
continue to 'pretend' that 'Pixel' is anything other than just another theme of
LXDE. Linux is convenient to the Raspberry Pi, that is all.
Everybody should always use best practice with security. It takes little more
effort and is educational anyway.
Mike.
On 11/12/2016 12:38, Kelly Prescott wrote:
At risk of starting a religious war, here is my take.
Security should always be taken seriously whether it be your purse,
wallet, car, house, cell phone, home computers etc.
Now to expound on this.
All these objects/devices contain various amounts of personal
information or possessions. If you do not protect them, there can be
damage either to you, your property, or loss of same.
In some extreme cases, your not protecting these objects could result
in harm or loss to others.
Now that I have made a broad statement, I will bring it down to your
home network.
This may not apply to all people, but it does apply to most, and
therefore it is worth reading.
You have devices on your network. The complexity and number of these
devices is increasing all the time.
Some of these devices punch holes in your firewall without your knowledge.
Some of these devices have flaws which can be exploited by hackers.
If only one device has such a flaw, and a hacker (usually an automatic
scan) gains control of that one device, then the hacker practically
owns your network.
Therefore, it is in everyone's interest to follow best security
practices in securing even devices on your home network.
We have all sorts of stuff that connects to your network.
I just did a scan of my network and I counted
22 devices on my home network.
Now, I am a nerd so mine might be a little high, but probably not much.
I have 2 tv devices, 2 ipads, 2 cell phones, a couple of random
Android tablets, various project computers, a couple of Pis, home
automation controller etc.
I only have moderate control of many of these devices as they run
closed software.
The majority of them do open holes in my firewall so certain functions
can be performed like setting up recordings when I am not at home.
I am not listing all these, that would broadcast all my potential
vulnerabilities.
My point is that we all probably have a few of them.
That is why the Raspberry Pi people updated the software to secure the ssh.
If you have just 1 problem, a bot could scan your network, divine you
have a Pi from the MAC address and other factors, and then use the
default credentials to take it over.
That is how the Mirai bot works.
This is the bot that took down a chunk of internet DNS a couple of
months ago.
I hope this helped to give you an idea of why this is important and
gives you some food for thought.
PS.. They even thought about headless installs like we do by enabling
the ssh with a file placed on the SD card so we can still use the Pi.
Yes, it takes a little more work, but it is worth it in my opinion.
Kp
-----Original Message-----
From: raspberry-vi-bounce@xxxxxxxxxxxxx
[mailto:raspberry-vi-bounce@xxxxxxxxxxxxx] On Behalf Of Tom Fowle
Sent: Saturday, December 10, 2016 10:05 PM
To: list <raspberry-vi@xxxxxxxxxxxxx>
Subject: [raspberry-vi] security and leaving ssh enabled?
In reading up on ssh, some have mentioned that leaving ssh enabled on
the pi, and presumably on any computer, can pose a security risk.
Any opinions on how seriously such should be taken?
Can someone outside one's local network get into a computer on that
local network with just a password?
Thanks
Tom Fowle
===========================================================
The raspberry-vi mailing list
Archives: //www.freelists.org/archives/raspberry-vi
Administrative contact: <mike.ray@xxxxxxxxxxxxxx>
-----------------------------------------------------------
Raspberry Pi and the Raspberry Pi logo are trademarks of the Raspberry
Pi Foundation.
This list is not affiliated to the Raspberry Pi Foundation and the
views and attitudes expressed by the subscribers to this list do not
reflect those of the Foundation.
Mike Ray, list creator, January 2013
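
The two settings discussed in this thread, passwordless 'sudo' for the 'pi' user and password logins over ssh, can be checked with a short script. This is an added example and not part of any message in the thread; the function names and the sample files are constructed, and on a real system the inputs would be /etc/sudoers, /etc/sudoers.d/* and /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example: flag passwordless sudo and password-based SSH logins.
# All inputs below are constructed sample files, not real system files.

# Print each active sudoers rule granting NOPASSWD to user $1 in files $2...
nopasswd_rules() {
    user=$1; shift
    for f in "$@"; do
        [ -r "$f" ] || continue
        awk -v u="$user" -v f="$f" '
            /^[ \t]*#/ { next }                      # comments and #include lines
            $1 == u && /NOPASSWD[ \t]*:/ { print f ": " $0 }' "$f"
    done
}

# Print the global PasswordAuthentication value (first match wins, default yes).
# Simplification: settings inside Match blocks are not evaluated.
ssh_password_auth() {
    awk 'tolower($1) == "match" { exit }
         tolower($1) == "passwordauthentication" { print tolower($2); found = 1; exit }
         END { if (!found) print "yes" }' "$1"
}

# Report both checks; returns non-zero if either weak setting is present.
# $1 = user, $2 = directory of sudoers files, $3 = sshd_config path.
audit_pi() {
    status=0
    rules=$(nopasswd_rules "$1" "$2"/*)
    if [ -n "$rules" ]; then
        printf 'FAIL: %s has passwordless sudo\n%s\n' "$1" "$rules"; status=1
    else
        printf 'OK: %s must give a password for sudo\n' "$1"
    fi
    if [ "$(ssh_password_auth "$3")" = "yes" ]; then
        printf 'WARN: sshd accepts password logins\n'; status=1
    else
        printf 'OK: sshd password logins disabled\n'
    fi
    return "$status"
}

# Constructed sample: one NOPASSWD rule for pi, sshd left at its default.
make_sample() {
    mkdir -p "$1/sudoers.d"
    printf 'pi ALL=(ALL) NOPASSWD: ALL\n' > "$1/sudoers.d/sample-nopasswd"
    printf '#PasswordAuthentication yes\nPermitRootLogin no\n' > "$1/sshd_config"
}

d=$(mktemp -d); make_sample "$d"
audit_pi pi "$d/sudoers.d" "$d/sshd_config" || true; rm -rf "$d"
```

On a running system, `sshd -T` (as root) prints the effective sshd settings, including those applied by Match blocks, which this simplified parser skips.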