New Pi Malware is here

Posted: Thu Jun 08, 2017 2:23 pm
by gtechn
[mod fixed link]

https://www.bleepingcomputer.com/news/s ... i-devices/

Apparently this one mines for a certain cryptocurrency. Hopefully everyone has updated. Maybe the Raspberry Pi needs a real, official Software Updater tool (which is semi-automatic, similar to Ubuntu's)?

Re: New Pi Malware is here

Posted: Thu Jun 08, 2017 2:30 pm
by jamesh
I've just this moment added a new security page to the documentation...

https://www.raspberrypi.org/documentati ... ecurity.md

Re: New Pi Malware is here

Posted: Thu Jun 08, 2017 2:38 pm
by BMS Doug
This relies on the user making their Pi accessible from the internet without changing the default user name and password.

There is no security update possible that will prevent people accessing your Pi if you make it accessible from the internet with the default user name and password.

Re: New Pi Malware is here

Posted: Thu Jun 08, 2017 3:08 pm
by jamesh
BMS Doug wrote:This relies on the user making their Pi accessible from the internet without changing the default user name and password.

There is no security update possible that will prevent people accessing your Pi if you make it accessible from the internet with the default user name and password.
Indeed. Hence the page in the documentation on security. This is an educational rather than a technical issue.

Re: New Pi Malware is here

Posted: Fri Jun 09, 2017 10:08 pm
by mikerr
Nice to see "Make sudo require a password" on there

Passwordless sudo has long been raspbian's weakest feature, and I don't think it helps newbies that much either.

Re: New Pi Malware is here

Posted: Sat Jun 10, 2017 8:24 am
by Paul Webster
jamesh wrote:I've just this moment added a new security page to the documentation...

https://www.raspberrypi.org/documentati ... ecurity.md
In the section about making sudo require a password, it is worth noting that having a RPi directly accessible from Internet is not the only way that this can cause a problem.
For example - following instructions on a web site about how to do something might involve running a script that uses sudo privileges ... and it might be malicious.

Also would be good to explain what will happen when running a script that includes sudo commands and password is enabled.
Plus - describe what will then happen when scripts with sudo in them (bad idea) are run from cron

Re: New Pi Malware is here

Posted: Sat Jun 10, 2017 8:32 am
by Heater
It's hopeless.

So many instructions around here for installing whatever include directions to change one's apt sources and apt-get whatever from some random web site.

And why does a Pi installation even have a default user and password, Debian does not?

Re: New Pi Malware is here

Posted: Sat Jun 10, 2017 11:03 am
by bensimmo
Default, as they have said many times before, it was designed for the setup in an Education environment* and that legacy is still here. The work they did on trying to require changing passwords after SSH was enabled is there.
You know that.

*where ease of use is paramount. Security is not an issue as they are normally not connected to an inbound enabled network etc..
The need to be root to run commands has over time been minimised, I don't know how much 'root' is needed now other than to install and update via 'apt', at least in the education environment.

etc..

Re: New Pi Malware is here

Posted: Sat Jun 10, 2017 11:07 am
by Martin Frezman
And why does a Pi installation even have a default user and password, Debian does not?
That ship has sailed.

The historical reason is the same as absolutely everything else in computing: At the beginning they wanted it to be as easy as possible so people would adopt the new technology.

I can see having a default user id - even though, as you say, most "regular" distributions don't go this route (they make you setup a username and a password, both of which are your choice) - but I've always thought it should make you choose a password (even if the user id name is fixed/given).

The problem, of course, is that if they change anything, it will create a whole new wave of support questions, but here's a suggestion. At this point in time, I don't think we need a default password anymore, since most machines are going to be setup to auto-login to the desktop anyway. With ssh off by default, there's no real reason to have a password - unless/until ssh is enabled. And since we are controlling the status of ssh through the various config programs and/or the dropping of file(s) in /boot, we should be able to make this work.

So, I would suggest that the way it should work is that there is no default password, but when the user enables ssh (via any of the 3 supported methods), they are then forced to choose a password. One idea is that if they enable ssh via the dropping a file /boot method, the contents of that file would be the password (yes, this invalidates a few zillion tutorials...).

And, yes, whatever process picks up the 'ssh' file and processes it should "shred" that file before deleting it.

Re: New Pi Malware is here

Posted: Tue Jun 13, 2017 12:50 pm
by Navyscourge
by jamesh » Thu Jun 08, 2017 2:30 pm
I've just this moment added a new security page to the documentation...

https://www.raspberrypi.org/documentati ... ecurity.md
Thank you for adding this. I have just noticed the story in a technical news site. I usually check the RPi blog page for articles, and only read other pages when I have a need. It would be nice to see a brief notice in the blog page, since you have already done all the work :)

Re: New Pi Malware is here

Posted: Tue Jun 13, 2017 2:14 pm
by jamesh
Navyscourge wrote:
by jamesh » Thu Jun 08, 2017 2:30 pm
I've just this moment added a new security page to the documentation...

https://www.raspberrypi.org/documentati ... ecurity.md
Thank you for adding this. I have just noticed the story in a technical news site. I usually check the RPi blog page for articles, and only read other pages when I have a need. It would be nice to see a brief notice in the blog page, since you have already done all the work :)
The documentation changes almost every day with added pages and correction/improvements. You can keep track of changes (and proposed changes) on the github page which is the source of the documentation.

Re: New Pi Malware is here

Posted: Tue Jun 13, 2017 2:58 pm
by S0litaire
Martin Frezman wrote:
So, I would suggest that the way it should work is that there is no default password, but when the user enables ssh (via any of the 3 supported methods), they are then forced to choose a password. One idea is that if they enable ssh via the dropping a file /boot method, the contents of that file would be the password (yes, this invalidates a few zillion tutorials...).

And, yes, whatever process picks up the 'ssh' file and processes it should "shred" that file before deleting it.
Or just have a public key file and rename it "ssh" in the boot partition. (lot more secure)

It could work something like this:
Users can create their own key pair (loads of simple step by step instructions are available, they would use their own PC or a secure hosted website could do it for them) and rename the public key to "ssh" and then copy it to the /boot partition.

On first boot : If the "ssh" file is found in the boot partition, it enables SSH for one time use as normal.
If "ssh" is not empty, it moves the "ssh" to /pi/.ssh/ and renames it to "authorized_keys".

That way enables first time login (and subsequent logins) using key instead of the default password.
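
A sketch of the first-boot step proposed in the post above, added here as an example; it is not part of the post and not Raspbian's own code. The function names, return codes and the two directory arguments are hypothetical, and the handler only accepts files whose every line looks like an OpenSSH public key, so a private key copied to the boot partition by mistake is never installed.

```shell
#!/bin/sh
# Added example. install_boot_key, is_pubkey_line and the return codes are
# hypothetical names, not anything shipped in Raspbian.
# Usage on a real system would be something like:
#   install_boot_key /boot /home/pi   (assumed paths)

# True if the argument looks like one OpenSSH public key line.
# Anchoring at the key type also rejects private keys and option prefixes.
is_pubkey_line() {
    printf '%s\n' "$1" | grep -Eq \
        '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+={0,3}( .*)?$'
}

# install_boot_key BOOT_DIR HOME_DIR
# Returns: 0 key installed, 1 no "ssh" file, 2 empty "ssh" file (legacy
# behaviour, left to the caller), 3 content rejected, 4 write failed.
install_boot_key() {
    src="$1/ssh"
    dest_dir="$2/.ssh"
    [ -f "$src" ] || return 1
    [ -s "$src" ] || return 2

    # Validate every non-blank line before touching the home directory.
    count=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | tr -d '\r')   # tolerate CRLF line endings
        if [ -z "$line" ]; then continue; fi
        is_pubkey_line "$line" || return 3
        count=$((count + 1))
    done < "$src"
    [ "$count" -gt 0 ] || return 3

    # sshd's StrictModes expects a private .ssh directory and key file.
    # Written to a temporary name first, then renamed into place.
    # A real handler running as root would also chown these to the user.
    ( umask 077
      mkdir -p "$dest_dir" && chmod 700 "$dest_dir" &&
      tr -d '\r' < "$src" > "$dest_dir/authorized_keys.new" &&
      mv "$dest_dir/authorized_keys.new" "$dest_dir/authorized_keys"
    ) || return 4

    # A public key is not a secret, so a plain delete is enough here.
    rm -f "$src"
    return 0
}
```
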

Re: New Pi Malware is here

Posted: Tue Jun 13, 2017 4:41 pm
by bensimmo
jamesh wrote:
Navyscourge wrote:
by jamesh » Thu Jun 08, 2017 2:30 pm
I've just this moment added a new security page to the documentation...

https://www.raspberrypi.org/documentati ... ecurity.md
Thank you for adding this. I have just noticed the story in a technical news site. I usually check the RPi blog page for articles, and only read other pages when I have a need. It would be nice to see a brief notice in the blog page, since you have already done all the work :)
The documentation changes almost every day with added pages and correction/improvements. You can keep track of changes (and proposed changes) on the github page which is the source of the documentation.
Still, the blog is the news about the RaspberryPi for a lot of people, probably most people?
Perhaps think about a monthly roundup to blow your own trumpet of new documentation or large updates to it etc. Not only does it make people aware of them or changes, they may actually use them too and others may reblog them.

Github is not really a place for normal people to find out what's happening.

MagPi blogs its own articles, so should the main site :-D

Re: New Pi Malware is here

Posted: Wed Jun 14, 2017 9:00 am
by jamesh
bensimmo wrote:
jamesh wrote:
Navyscourge wrote: Thank you for adding this. I have just noticed the story in a technical news site. I usually check the RPi blog page for articles, and only read other pages when I have a need. It would be nice to see a brief notice in the blog page, since you have already done all the work :)
The documentation changes almost every day with added pages and correction/improvements. You can keep track of changes (and proposed changes) on the github page which is the source of the documentation.
Still, the blog is the news about the RaspberryPi for a lot of people, probably most people?
Perhaps think about a monthly roundup to blow your own trumpet of new documentation or large updates to it etc. Not only does it make people aware of them or changes, they may actually use them too and others may reblog them.

Github is not really a place for normal people to find out what's happening.

MagPi blogs its own articles, so should the main site :-D
I really don't think that documentation updates are that interesting!

Re: New Pi Malware is here

Posted: Wed Jun 14, 2017 9:19 am
by bensimmo
You're not the one using them.
New ones
Always good to know (things are very buried in the website, there is no easy list, most of the time it is chance you stumble over them.)
For example how to create an AP, knowledge about it is buried in this forum to rest it.
Security buried in a post in here.

Updates
Not little updates and formatting, but things like the move to the SenseHAT documentation being changed to have inline Trinket (useful in a school if I suddenly refer to the page and it's changed and we now don't need to fire up python)
or update to new methods (Jessie ways of doing things or new implementations).

There is a lot of hard work from you lot doing but things people don't see and so don't use.

Re: New Pi Malware is here

Posted: Wed Jun 14, 2017 9:49 am
by DougieLawson
bensimmo wrote:You're not the one using them.
New ones
Always good to know (things are very buried in the website, there is no easy list, most of the time it is chance you stumble over them.)
For example how to create an AP, knowledge about it is buried in this forum to rest it.
Security buried in a post in here.
Those things are not buried when they're the current news. The forum, various Raspberry Pi blogs and security notices were awash with chatter about the folks who stick their RPi on an open port but forget to change the default userid. The fact that they're then surprised that an attacker reaches their system was news for a while (to the point of tedium).

The biggest problem with documentation is the maintenance of that documentation. About five minutes after something is published it's stale. About a month later it's wrapping for your chips. About a year later it's probably wrong. After a switch from version to version of Debian/Raspbian (Wheezy to Jessie to Stretch) it's probably dangerous and likely to crash your system.

The authors of blogs and stuff never come back to fix or delete things when they've expired and that's an insurmountable problem.

The benefit of the Raspberry Pi Foundation docs being on github is that it gives us all a way to leave "reader's comments". I've been giving IBM my comments on their mainframe documentation for thirty-five years, that's one of the reasons for the high quality of docs on http://ibm.com

Re: New Pi Malware is here

Posted: Wed Jun 14, 2017 9:55 am
by jamesh
bensimmo wrote:You're not the one using them.
New ones
Always good to know (things are very buried in the website, there is no easy list, most of the time it is chance you stumble over them.)
For example how to create an AP, knowledge about it is buried in this forum to rest it.
Security buried in a post in here.

Updates
Not little updates and formatting, but things like the move to the SenseHAT documentation being changed to have inline Trinket (useful in a school if I suddenly refer to the page and it's changed and we now don't need to fire up python)
or update to new methods (Jessie ways of doing things or new implementations).

There is a lot of hard work from you lot doing but things people don't see and so don't use.
The documentation is here...

https://www.raspberrypi.org/documentation/

It's all hyperlinked. There's a section on how to build an AP under configuration, as you might expect. The forum searches should be unnecessary - that's why the documentation exists.

Posting links in a blog post to things in the documentation seems unlikely to help the situation.

Re: New Pi Malware is here

Posted: Wed Jun 14, 2017 11:13 am
by bensimmo
It's informing the reader there is something new from when they may have last looked.

It may pique their interest, they may use it. Try something new and be educated.
They then might not search, find some old documents on the web, try it out, get messed up, give up or come here and be given loads of ways until someone points them to the documents.

But it's up to you, you put in the work and if few use it or know about it, that's up to you.

It's why people like changelogs for apps, programs, raspbian releases, windows insider updates (excellent blog information given there), Google maps updates etc.

You spend a lot of time in here informing the few, why not inform a wider population.

Anyway, it's up to you.

Re: New Pi Malware is here

Posted: Wed Jun 14, 2017 11:18 am
by bensimmo
jamesh wrote:
The documentation is here...

https://www.raspberrypi.org/documentation/

It's all hyperlinked. There's a section on how to build an AP under configuration, as you might expect. The forum searches should be unnecessary - that's why the documentation exists.
Give AP as an example, nobody but the few knew you had added it.
So nobody would go back in there to see if it was there, a new user might.

For me running through links to link to link is a pain (others may like it). It's fancy in a primary school way.
There is no overview/outline list and quick scanning.
But that's a problem for the website style. Pretty for a few things.

Also note using the Search on the main site does not pick up
AP or Access Point documentation.
It does show something from 2012 to try though as the first option.

Re: New Pi Malware is here

Posted: Wed Jun 14, 2017 11:36 am
by jamesh
bensimmo wrote:
jamesh wrote:
The documentation is here...

https://www.raspberrypi.org/documentation/

It's all hyperlinked. There's a section on how to build an AP under configuration, as you might expect. The forum searches should be unnecessary - that's why the documentation exists.
Give AP as an example, nobody but the few knew you had added it.
So nobody would go back in there to see if it was there, a new user might.

For me running through links to link to link is a pain (others may like it). It's fancy in a primary school way.
There is no overview/outline list and quick scanning.
But that's a problem for the website style. Pretty for a few things.

Also note using the Search on the main site does not pick up
AP or Access Point documentation.
It does show something from 2012 to try though as the first option.
The site search is basically useless, will be fixed in the future. I hope. Google is the best option. I just did a search "Raspberry Pi access point", our documentation was the second link in the results.

Not sure how the current documentation architecture could be improved. It's already in categories, it's just a few links to get wherever you want to go. What is the alternative? A massive list of links to every available page? That doesn't seem particularly useful, scrolling through ten pages of links is prone to missing what you actually want to find.

I suppose a 'recent changes' page might be useful, but it's an added workload to maintain/keep updated and time is short given our workload.

Re: New Pi Malware is here

Posted: Wed Jun 14, 2017 11:44 am
by jahboater
Well I would like to see a "News" section in the forum (or somewhere visible).

Each entry is just a quick one line note and url to announce:- new documents published, new products, new software releases, important updates. Shouldn't take too long.

Re: New Pi Malware is here

Posted: Wed Jun 14, 2017 12:29 pm
by jamesh
jahboater wrote:Well I would like to see a "News" section in the forum (or somewhere visible).

Each entry is just a quick one line note and url to announce:- new documents published, new products, new software releases, important updates. Shouldn't take too long.
OK, I sorta like that idea. No specific page to keep updated, old news just falls off the bottom of the page. Any mod can add a news item, reduces the RPFT workload. I'll run it past those who make the decisions.

Re: New Pi Malware is here

Posted: Wed Jun 14, 2017 3:52 pm
by DougieLawson
jamesh wrote:
jahboater wrote:Well I would like to see a "News" section in the forum (or somewhere visible).

Each entry is just a quick one line note and url to announce:- new documents published, new products, new software releases, important updates. Shouldn't take too long.
OK, I sorta like that idea. No specific page to keep updated, old news just falls off the bottom of the page. Any mod can add a news item, reduces the RPFT workload. I'll run it past those who make the decisions.
We've got that, it's called the home page and the blog.
https://www.raspberrypi.org/blog/
Just publish a blog item when there's something exciting to announce to the world.

Re: New Pi Malware is here

Posted: Thu Jun 15, 2017 12:04 am
by gtechn
DougieLawson wrote:
jamesh wrote:
jahboater wrote:Well I would like to see a "News" section in the forum (or somewhere visible).

Each entry is just a quick one line note and url to announce:- new documents published, new products, new software releases, important updates. Shouldn't take too long.
OK, I sorta like that idea. No specific page to keep updated, old news just falls off the bottom of the page. Any mod can add a news item, reduces the RPFT workload. I'll run it past those who make the decisions.
We've got that, it's called the home page and the blog.
https://www.raspberrypi.org/blog/
Just publish a blog item when there's something exciting to announce to the world.
No, we don't. That is for new projects and things like that. For actual code updates, extra technical stuff, upcoming releases, and multiple posts per day, the forum page would make more sense. I want to see it happen.

Like, the Raspberry Pi blog is for major new stuff and projects. This would be for the minor, everyday stuff of less importance.

Re: New Pi Malware is here

Posted: Thu Jun 15, 2017 8:21 am
by jahboater
gtechn wrote: Like, the Raspberry Pi blog is for major new stuff and projects. This would be for the minor, everyday stuff of less importance.
+1
Yes I think the forum is a better place. You wouldn't want a big thing on the home page just to announce a minor new document.
It costs nothing to set up, the posts can be short, and users can "Watch" to get emails when a message appears.