RPI4 soon?

[Gavinmc42]

I was updating Raspbian today when I noticed some interesting ....+rpi4_armhf.debs
Does that mean there is a RPI4 coming and the software guys are getting ready?

What will it be? Time to drag out all the old guesses?
Over clocked 1.5GHz Pi3 BCM2837 with heatsink already attached?
Or are they just messing with our heads

Has anyone else noticed? Or am I the only on that stares at the screen to see what gets updated/upgraded.
LibreOffice and Chromium seemed to be the big ones.

Latest kernel is 4.4.23, not 4.8.1 yet.

Thanks for the Flash update to Chromium, important for the Education market here in Oz.

[rpdom]

I was updating Raspbian today when I noticed some interesting ....+rpi4_armhf.debs
Does that mean there is a RPI4 coming and the software guys are getting ready?

No.
The rpi means the software has a Pi specific patch, and the 4 means it is the fourth version of the update

For example "bananas_1.0.1_armhf.deb" could be the standard version of "bananas", while "bananas_1.0.1+rpi1_armhf.deb" would be the same version with a patch just for the Pi, "bananas_1.0.1+rpi2_armhf.deb" would be the same version with an updated patch, etc...

The file names don't correspond to a particular model of Pi.

[CarlRJ]

Does that mean there is a RPI4 coming and the software guys are getting ready?

Nope. Oh, to be sure, there will be an RPi4 - but not for a couple of years. Any substantial update to the hardware (more RAM, more/newer/faster IO like USB3) will require redesign of the SoC, the central chip that is the Raspberry PI, and that is likely to cost millions. It'll happen, but not soon. Until then, the game is the same as it has been: see what cool things we can get done with the existing hardware.

Thanks for the Flash update to Chromium, important for the Education market here in Oz.

Actually, I loaded up the latest image on a new card last night and then did the apt-get update/dist-upgrade dance, and was kind of mortified to see a screen popping up about Flash. To me it is nothing but a severe security risk (and a way to watch HomeStarRunner). I can see there are uses, but for my machines I need to look into ways to defang it.

[Gavinmc42]

OK, so I can rule out Pi4's for xmas

mortified to see a screen popping up about Flash. To me it is nothing but a severe security risk

Well we have to have Flash on the Windows box's so the kid can do homework.
Flash on a Pi has got to be more secure?

[W. H. Heydt]

Flash on a Pi has got to be more secure?

Well....it won't be from Adobe, anyway.

[Gavinmc42]

Does anyone do their banking on a Pi?
If it is used just by the kids for their school work, Flash should not be a big deal?
Hmm, it will be on the home network, still a Pi even running Flash must be safer than Windows 10?

Been any Pi virus's yet?

[rpdom]

Been any Pi virus's yet?

I don't think anyone has really bothered with that yet. Far easier to find a Pi that is visible from outside with the default credentials and log in and install malware.

I see hundreds of attempts a day to ssh into each of our x86-64 servers with user=pi. Obviously they won't get in as that user doesn't exist and ssh will reject external connections, but I should tighten up the firewalls a bit, just to stop the log entries if nothing else.

[Gavinmc42]

I had to learn Linux the hard way because my work Pi's are behind firewalls.
Better for it, but it took much longer than it should have

Makes you wonder how many Pi's the Chinese used to DOS our census night

Pi vigilantes? Daytime mid mannered Raspbian SD, night time the Kali dark web SD goes in
With netbooting Pi3's this can be automatic.

[lumsdot]

Does anyone do their banking on a Pi?
If it is used just by the kids for their school work, Flash should not be a big deal?
Hmm, it will be on the home network, still a Pi even running Flash must be safer than Windows 10?

Been any Pi virus's yet?

Chromium on my pi3 is easily powerfull enough to run the home banking web pages. But i would not dare, i think open source software is easier to hack.
plus my windows 10 pc has a firewall and a free antivirus called windows defender.

Plus if you were hacked and you told your bank you were using a 30 pound pi with no antivurs and no firewall, they would use that as an excuse not to refund you.

[broe23]

OK, so I can rule out Pi4's for xmas

mortified to see a screen popping up about Flash. To me it is nothing but a severe security risk

Well we have to have Flash on the Windows box's so the kid can do homework.
Flash on a Pi has got to be more secure?

Chromium & Chrome use a modified version of Flash. No one should be using Flash at this point, since HTML5 is a lot better way in handling stuff. It has nothing to do with education stuff, other than whoever is creating the software with old coding methods, needs to catch up with the times.

Personally I would rather use Firefox than Chromium on the Pi. Runs a lot faster and not a hog. Plus FF is a lot more forgiving when it allows you to get into the back end of the browser and make it run better, along with capable of accessing those websites that do not like Chromium based browsers.

[broe23]

Does anyone do their banking on a Pi?
If it is used just by the kids for their school work, Flash should not be a big deal?
Hmm, it will be on the home network, still a Pi even running Flash must be safer than Windows 10?

Been any Pi virus's yet?

Linux cannot get a virus or malware, unless someone has allowed Root access and started opening up the OS to be able to let stuff run without permissions. Banking is an odd question, since it is done through a web browser and has nothing to do with the hardware. As for Flash, it does not matter if it is Linux, Windows, Chrome OS, Android OS, iOS, Mac OS, Steam OS, etc.

If security is your concern, Flash is very vulnerable to allowing hack attempts and the use of allowing a seemingly safe appearing add or game to get in and plant a payload on your machine if you are using Windows. Other OS's are made to have access locked down so that flash cannot be used to drop payloads on their own on a machine.

The biggest concern is that users realize that they are why systems get infected and hacked, not the operating system.

[bensimmo]

Does anyone do their banking on a Pi?
If it is used just by the kids for their school work, Flash should not be a big deal?
Hmm, it will be on the home network, still a Pi even running Flash must be safer than Windows 10?

Been any Pi virus's yet?

Linux cannot get a virus or malware, unless someone has allowed Root access and started opening up the OS to be able to let stuff run without permissions. Banking is an odd question, since it is done through a web browser and has nothing to do with the hardware. As for Flash, it does not matter if it is Linux, Windows, Chrome OS, Android OS, iOS, Mac OS, Steam OS, etc.

If security is your concern, Flash is very vulnerable to allowing hack attempts and the use of allowing a seemingly safe appearing add or game to get in and plant a payload on your machine if you are using Windows. Other OS's are made to have access locked down so that flash cannot be used to drop payloads on their own on a machine.

The biggest concern is that users realize that they are why systems get infected and hacked, not the operating system.

Windows (modern) isn't the problem, like the Pi it asks you if installing anything and the user is giving it permission*. Thinking about it though with the Pi, sudo never asks for permission on the Pi as Pi so surely permission is not actually needed to lift privileges and run what it likes?

*Unless it is targing faults in them, but that's the same with any OS.

[ShiftPlusOne]

Linux cannot get a virus or malware, unless someone has allowed Root access and started opening up the OS to be able to let stuff run without permissions.

Of course it can. There have been plenty of arbitrary code execution and root exploits in the past and there is no reason to think that there are none now. Debian pushes out security fixes almost every day. Shellshock, Heartbleed and sunxi's 'rootmydevice' blunder weren't that long ago.

[broe23]

Plus if you were hacked and you told your bank you were using a 30 pound pi with no antivurs and no firewall, they would use that as an excuse not to refund you.

That is a very biased statement. Open Source Code is not risky. Just because the Pi is $30 US or Pounds, has nothing to do with security either or thinking that it is a toy. You do not need Anti-Virus/Anti-Malware protection with Linux & BSD based platforms, same as the Firewall is there with IPTables, by using something like Firewall Builder or GUFW to create Firewall rules if you plan on using the Pi on a Public hotspot.

People need to get off of this whole kick that they think that the Pi is a toy. It was never meant to be a toy. It was meant to be a device that can be used in many areas and also has brought back the feeling of the whole Home Brew Computer Club days, by having individuals writing code and developing different ways to use the Pi in every day use, along with controlling micro controllers and even act as a server.

In reality those streaming sticks and boxes are built at around the same costs as the Pi units are. It is just that people look at the price and go by that, instead of going by the software that runs on the unit to make or break the user experience.

[broe23]

Linux cannot get a virus or malware, unless someone has allowed Root access and started opening up the OS to be able to let stuff run without permissions.

Of course it can. There have been plenty of arbitrary code execution and root exploits in the past and there is no reason to think that there are none now. Debian pushes out security fixes almost every day. Shellshock, Heartbleed and sunxi's 'rootmydevice' blunder weren't that long ago.

Incorrect. Linux is no more capable of getting a virus than any of the non-Windows OS's. It takes someone on the device side to open up Root Permissions or allowing something to run and create its own Cronjob.

The minute that the Black Hats find an issue, you get a fix sent out to Linux devices, just like Android OS & iOS apps and the OS. People think that just because Windows is more widely used is why it is attractive to those who want to do bad things. That is incorrect. It is just that Microsoft knows that as long as they do not fix their code problems and keep using programs and coding language that is easy to use to hack machines, Microsoft will keep the Anti-Malware & Internet Security companies in business.

Really what causes a system to get infected is the person sitting that the keyboard who goes off to websites that have malware code on them, clicking on every attachment and email they get, along with downloading Torrents and letting their device get infected. Read this and it will back up what I have stated about Linux and the Pi being very secured platforms. If you want more information about Linux and Pi security, do a search and there is a vast wealth of information out there that states that it is very hard to infect Linux or the Pi. http://blog.trendmicro.com/trendlabs-se ... pi-secure/

[broe23]

Also the whole SSH generation fault story that they tried connecting to the Pi. It was an issue with every OS and SSH. That problem was nipped in the bud within a couple of days by a temp fix, then a permanent fix was pushed out before the end of the year last year.

[broe23]

Windows (modern) isn't the problem, like the Pi it asks you if installing anything and the user is giving it permission*. Thinking about it though with the Pi, sudo never asks for permission on the Pi as Pi so surely permission is not actually needed to lift privileges and run what it likes?

*Unless it is targing faults in them, but that's the same with any OS.

Again cannot happen with the Pi, because it does not contain any hardware that code can be placed on to make it run even if the SD card was swapped out. The Pi is what we call a Dumb Device. That means that it needs the SD card with the Boot Loader in the Fat partition to wake up the GPU RISC to then tell the Boot Loader Partition that it can now hand off to the Linux or Windows 10 IoT install either on same SD card or on a USB device.

The minute you pull the SD card or device that has the Linux Partition or Windows 10 IoT on it that the SD is only handling the Boot Loader. You are basically creating a brand new OS environment to run the Pi with.

Sudo is a session that grants a user temporary rights to do some administrative items like working in the CLI or installing software or running software that requires a higher permission. The program that you run in the CLI or on the GUI will never have Sudo rights, unless someone knows how to have it grab the user Sudo password.

Even if you enable Root and give it a Password. Root is not going to run as Super User without that password. Also Root can be set to not allow to be used to log into the system from the login screen if you are wanting it to stay enabled for tasks that you know that you are going to be always using Super User permissions on that device.

The only time I use Root in Linux, is with those servers that I am constantly having to do stuff in and they are already behind my Edge Router, which would make it very hard to have someone even get into the VLAN that I put my Pi's in for hardware and software testing purposes.

[bensimmo]

You cannot say anything about Android, there is no decent distribution system for updates to devices. Same with household internet routers.
They can patch all they want but if devices do not receive these updates.
At least Microsoft tries to give everyone updates for security fixes, most the AntiVirus software is actually anti user stupidity software and less antivirus nowadays.

[bensimmo]

Windows (modern) isn't the problem, like the Pi it asks you if installing anything and the user is giving it permission*. Thinking about it though with the Pi, sudo never asks for permission on the Pi as Pi so surely permission is not actually needed to lift privileges and run what it likes?

*Unless it is targing faults in them, but that's the same with any OS.

Again cannot happen with the Pi, because it does not contain any hardware that code can be placed on to make it run even if the SD card was swapped out. The Pi is what we call a Dumb Device. That means that it needs the SD card with the Boot Loader in the Fat partition to wake up the GPU RISC to then tell the Boot Loader Partition that it can now hand off to the Linux or Windows 10 IoT install either on same SD card or on a USB device.

The minute you pull the SD card or device that has the Linux Partition or Windows 10 IoT on it that the SD is only handling the Boot Loader. You are basically creating a brand new OS environment to run the Pi with.

Sudo is a session that grants a user temporary rights to do some administrative items like working in the CLI or installing software or running software that requires a higher permission. The program that you run in the CLI or on the GUI will never have Sudo rights, unless someone knows how to have it grab the user Sudo password.

Even if you enable Root and give it a Password. Root is not going to run as Super User without that password. Also Root can be set to not allow to be used to log into the system from the login screen if you are wanting it to stay enabled for tasks that you know that you are going to be always using Super User permissions on that device.

The only time I use Root in Linux, is with those servers that I am constantly having to do stuff in and they are already behind my Edge Router, which would make it very hard to have someone even get into the VLAN that I put my Pi's in for hardware and software testing purposes.

By Pi I refer to a default Pi running th default Raspian as people say for a PC, a default Win10 AE setup. I cannot speak for older versions since that is the users fault for not keeping up with updates.

Surly when I load Raspian, and use it as normal.
I can easily run sudo command, no password asked for?

Why would this be different for anyone running malicious code on the device, say via a website advert or similar or a please run this program to do this or an email attachment.
With that I can alter quite a bit of the bootup, get things to run at startup etc. No password has ever been needed other than logging on in the first place.

[broe23]

You cannot say anything about Android, there is no decent distribution system for updates to devices. Same with household internet routers.
They can patch all they want but if devices do not receive these updates.
At least Microsoft tries to give everyone updates for security fixes, most the AntiVirus software is actually anti user stupidity software and less antivirus nowadays.

What in the world does the Android OS have anything to do with this. It is also as secure as Linux, as long as people do not allow it to be capable of letting an injection of a targeted vulnerability that gets patched as quickly as Linux distro's get patched.

Windows gets a bad rap all because companies that market Anti-virus and Anti-Malware software want those who do not know better, to believe that because it is a Microsoft product, that it will get infected by just turning iton.

It is the end user that is thr issue not the OS. All of this what if and could happen stuff about Linux has been debunked so many times, that you are trying to believe and make others think that because the Pi is a fair priced product that can bring a computer to every home. Suddenly there is going to be a bunch of malware that does not and will never exist for Linux.

If you want more on the fact that the Pi and Linux cannot get infected, there are plenty of resources outthere that back my statements up.

[broe23]

Again Raspbian is not going to be able to get infected when you run it. Even if someone leaves the default password in place. The very small number of possibilities of some type of malware that suddenly appears out of nowhere, cannot run in Raspbian, because of thr safeguards that the Pi Foundation and thr writers who developed Raspbian have put into place.

You keep wanting to compare Windows to Linux, which are two totally different subjects and have nothing to do with the other. I have yet to see a widespread infection targeting Windows 10, because of the new safeguards that Microsoft has implemented in it. If it does get infected, it is because some user opened up some email with a infected attachment, or was going to websites that are known malware infectors.

[ShiftPlusOne]

Incorrect. Linux is no more capable of getting a virus than any of the non-Windows OS's.

I don't know what part of what I said implied that I thought it was more capable of getting a virus. I was only responding to this claim:

Linux cannot get a virus or malware, unless someone has allowed Root access and started opening up the OS to be able to let stuff run without permissions.

It takes someone on the device side to open up Root Permissions or allowing something to run and create its own Cronjob.

Those are the only two ways that you can get malicious code on Linux? Setting aside that the second one doesn't make sense, there are many other ways. To avoid going off on a tangent and being off-topic, I will leave it here, but highly recommend spending some time looking at a few hacking forums, security advisories and how systems have been compromised in the past.

[mfa298]

Been any Pi virus's yet?

I don't think anyone has really bothered with that yet. Far easier to find a Pi that is visible from outside with the default credentials and log in and install malware.

I see hundreds of attempts a day to ssh into each of our x86-64 servers with user=pi. Obviously they won't get in as that user doesn't exist and ssh will reject external connections, but I should tighten up the firewalls a bit, just to stop the log entries if nothing else.

Not just attempts, but based on these forums and IRC quite a few successful such compromises as well (I think I've seen posts / comments relating to at least 5 in the last month or two and no doubt there are many more).

In terms of getting rid of the log messages moving SSH to a non standard port it a good way of stopping the attempts. It's not really adding any security but puts a block in the way for people trying to find poorly configured ssh systems with little effort.

Linux cannot get a virus or malware, unless someone has allowed Root access and started opening up the OS to be able to let stuff run without permissions.

You view on viruses and malware and system susceptibility seem to be rooted in the state of things 15-20 years ago. All computer systems can get Viruses (they're not just the realm of windows machines). And there are plenty of examples of worms and other malware that affected *nix systems rather than windows - Usually via commonly installed software.

These days the majority of malware seems to rely on user stupidity and that can apply to any system - just look at the number of Pi users blindly following guides and opening up ssh to the world with the default user/password still in place.

This is the same for a number of exploits in the world of windows, here's your invoice / cool new games /... in the form of an .exe file that you just need to run. The Pi (particularly via ssh scans) is becoming a more popular target and for the majority of cases there's very little effort to get root access on it (I think I could run something as root on a remotely accessible pi with a one liner from my client system).

[bensimmo]

You cannot say anything about Android, there is no decent distribution system for updates to devices. Same with household internet routers.
They can patch all they want but if devices do not receive these updates.
At least Microsoft tries to give everyone updates for security fixes, most the AntiVirus software is actually anti user stupidity software and less antivirus nowadays.

What in the world does the Android OS have anything to do with this. It is also as secure as Linux, as long as people do not allow it to be capable of letting an injection of a targeted vulnerability that gets patched as quickly as Linux distro's get patched.

Windows gets a bad rap all because companies that market Anti-virus and Anti-Malware software want those who do not know better, to believe that because it is a Microsoft product, that it will get infected by just turning iton.

It is the end user that is thr issue not the OS. All of this what if and could happen stuff about Linux has been debunked so many times, that you are trying to believe and make others think that because the Pi is a fair priced product that can bring a computer to every home. Suddenly there is going to be a bunch of malware that does not and will never exist for Linux.

If you want more on the fact that the Pi and Linux cannot get infected, there are plenty of resources outthere that back my statements up.

You mentioned Andorid, that is what it has to do with it.
I was replying to that, it is a very poor example of 'getting updates' Not because they don't fix them, but because there is no way many of the tablets and phones out there will ever get them.
Windows(10) at least auto updates as much as people let it, Raspian(Jessie) on the other hand does not it doesn't even bother to check and ask the user, which leaves any exploits open no matter how often they get fixed.

I'm not debating which is more secure at this current particular time, that was what someone else mentioned.

So what have they Raspbian Foundation release put in place to stop me opening a link/file/script/email, having something alter my files to allow malicious code to be run, much as the methods used to exploit windows system.
What have they in place to stop older system (the problem with much of windows), having code run to exploit older bugs they have not received a fix for because nobody has told them there is one.

No need to actually answer as there is no Pi4 released so there is no problem with it

[rpdom]

I see hundreds of attempts a day to ssh into each of our x86-64 servers with user=pi. Obviously they won't get in as that user doesn't exist and ssh will reject external connections, but I should tighten up the firewalls a bit, just to stop the log entries if nothing else.

Not just attempts, but based on these forums and IRC quite a few successful such compromises as well (I think I've seen posts / comments relating to at least 5 in the last month or two and no doubt there are many more).

.
No. Just attempts. There have been no successful compromises of that sort on our servers. As I said, they are x86-64 servers, not Pis. The "pi" user does not exist on them.

But this is going a bit off topic. I only mentioned the servers as an example of the fact that attacks using the "pi" login have become mainstream.