lumsdot
Posts: 122
Joined: Wed Mar 11, 2015 5:29 pm

Re: RPI4 soon?

Sun Oct 16, 2016 1:08 pm

My point was that if you want your bank to compensate you for a hacked bank account, you may have more luck if you tell them you are using the latest Windows operating system with the default firewall and antivirus installed. If you tell them you are using a 30 pound Pi, they may think toy.
I know it's not a toy, but banks may punish those who don't conform to the norm.

mfa298
Posts: 1387
Joined: Tue Apr 22, 2014 11:18 am

Re: RPI4 soon?

Sun Oct 16, 2016 1:27 pm

rpdom wrote:
mfa298 wrote:
rpdom wrote:I see hundreds of attempts a day to ssh into each of our x86-64 servers with user=pi. Obviously they won't get in as that user doesn't exist and ssh will reject external connections, but I should tighten up the firewalls a bit, just to stop the log entries if nothing else.
Not just attempts, but based on these forums and IRC quite a few successful such compromises as well (I think I've seen posts / comments relating to at least 5 in the last month or two and no doubt there are many more).
No. Just attempts. There have been no successful compromises of that sort on our servers. As I said, they are x86-64 servers, not Pis. The "pi" user does not exist on them.

But this is going a bit off topic. I only mentioned the servers as an example of the fact that attacks using the "pi" login have become mainstream.
Sorry if there was some confusion, I was referring to others who have had Pis compromised in that way (where there are confirmed cases of this happening on people's Pis on this forum). I wasn't trying to suggest you had been compromised in that way.

The point being in terms of remotely compromised systems with no direct interaction from the end user to achieve that compromise the Pi is a fairly easy and inviting target. Ultimately these attacks are down to poorly educated users but then so are the majority of attacks on all other operating systems.
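The "hundreds of attempts a day" against a "pi" account that does not exist are visible in sshd's own log lines, and the two posts above are really describing a detection problem: which sources are hammering that one username, and whether any host actually has the account. The script below is an added example, not code from the thread; the auth.log lines it parses are constructed in OpenSSH's syslog format using RFC 5737 documentation addresses.

```python
"""Summarise sshd password failures against the default "pi" account from
auth.log lines. Added example, not code from the thread; the sample log is
constructed in the format OpenSSH writes to /var/log/auth.log."""
import re
from collections import Counter, defaultdict

# Constructed sample: web1 has no "pi" user (sshd logs "invalid user"),
# pi3 is a Pi that still has it, so failures there hit a real account.
SAMPLE_AUTH_LOG = """\
Oct 16 12:01:03 web1 sshd[2231]: Invalid user pi from 203.0.113.10 port 51334
Oct 16 12:01:05 web1 sshd[2231]: Failed password for invalid user pi from 203.0.113.10 port 51334 ssh2
Oct 16 12:01:09 web1 sshd[2235]: Invalid user pi from 203.0.113.10 port 51340
Oct 16 12:01:11 web1 sshd[2235]: Failed password for invalid user pi from 203.0.113.10 port 51340 ssh2
Oct 16 12:02:14 web1 sshd[2240]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2
Oct 16 12:03:00 pi3 sshd[611]: Failed password for pi from 198.51.100.7 port 40031 ssh2
Oct 16 12:03:02 web1 sshd[2247]: Accepted publickey for deploy from 192.0.2.5 port 53002 ssh2: ED25519 SHA256:CONSTRUCTED
Oct 16 12:03:40 pi3 sshd[615]: Failed password for pi from 203.0.113.10 port 51399 ssh2
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# One line per rejected password; the optional "invalid user " marks an
# account the host does not have at all.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<missing>invalid user )?"
    r"(?P<user>\S+) from (?P<ip>" + IPV4 + r") port \d+"
)
# Logged once per connection that names a non-existent account.
INVALID_RE = re.compile(
    r"sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<ip>" + IPV4 + r")"
)


def parse_failed_logins(log_text):
    """Yield (user, source_ip, account_exists) for every rejected password."""
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m.group("user"), m.group("ip"), m.group("missing") is None


def summarise(log_text, watch_users=("pi",), threshold=2):
    """Count failures per user and per source, separate the ones that hit a
    real account from pure probes, and flag sources that try a watched
    username at least `threshold` times."""
    by_user = Counter()
    by_ip = defaultdict(Counter)
    against_existing = Counter()
    probes_for_missing = Counter()
    for user, ip, exists in parse_failed_logins(log_text):
        by_user[user] += 1
        by_ip[ip][user] += 1
        if exists:
            against_existing[user] += 1
    for line in log_text.splitlines():
        m = INVALID_RE.search(line)
        if m:
            probes_for_missing[m.group("user")] += 1
    flagged = sorted(
        ip for ip, counts in by_ip.items()
        if sum(counts[u] for u in watch_users) >= threshold
    )
    return {
        "by_user": dict(by_user),
        "by_ip": {ip: dict(c) for ip, c in by_ip.items()},
        "against_existing_accounts": dict(against_existing),
        "probes_for_missing_users": dict(probes_for_missing),
        "flagged_sources": flagged,
    }


if __name__ == "__main__":
    report = summarise(SAMPLE_AUTH_LOG)
    for ip in report["flagged_sources"]:
        print(f"{ip}: {report['by_ip'][ip]}")
    # The failures that matter most are the ones against a host that still
    # has the account; the probes against web1 are only noise.
    print("against existing accounts:", report["against_existing_accounts"])
```

Feeding the same function a real auth.log (or journalctl output for sshd) gives the per-source counts a firewall or fail2ban rule would act on, and a non-empty `against_existing_accounts` is the signal that a Pi with the stock account is reachable.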

hippy
Posts: 5757
Joined: Fri Sep 09, 2011 10:34 pm
Location: UK

Re: RPI4 soon?

Sun Oct 16, 2016 3:27 pm

broe23 wrote:People need to get off of this whole kick that they think that the Pi is a toy. It was never meant to be a toy.
Eben on the NEC-CM tie-up announcement, at 11:16 -

https://www.youtube.com/watch?v=BZGKnus ... u.be&t=676

Eben: "Raspberry Pi was originally designed as a toy, but it's an extremely well designed toy".

W. H. Heydt
Posts: 10741
Joined: Fri Mar 09, 2012 7:36 pm
Location: Vallejo, CA (US)

Re: RPI4 soon?

Sun Oct 16, 2016 3:33 pm

Gavinmc42 wrote: Been any Pi viruses yet?
While "security through obscurity" is a very bad practice, the following facts are relevant:
1 billion smart phones and tablets sold each year.
100 million PCs sold each year.
10 million Pis sold over 4.5 years.

If you were a self-respecting virus writer, what would you target?

hippy
Posts: 5757
Joined: Fri Sep 09, 2011 10:34 pm
Location: UK

Re: RPI4 soon?

Sun Oct 16, 2016 3:46 pm

W. H. Heydt wrote:If you were a self-respecting virus writer, what would you target?
I would target the PI. Just to shut up those who keep saying it just isn't possible :P

A more reasonable argument for targeting a Pi would be that many are plugged in, then exposed with default credentials. Often by people who don't have the experience to know there is a potential problem nor would know how to recognise it when it arrived.

It's the same reason IoT devices have been the focus of attacks lately. It's not the quantity of devices out there per se; it's the increased chance of them being attackable.

Of course it depends what one hopes to achieve with a virus. Attacking a Pi or an IoT device is not as likely to get bank account information as attacking a mainstream desktop OS. But if it gets one onto the network; everything else is then potentially accessible.

Heater
Posts: 13066
Joined: Tue Jul 17, 2012 3:02 pm

Re: RPI4 soon?

Sun Oct 16, 2016 4:26 pm

Anyone who thinks Raspbian or Linux in general or any operating system is immune to virus or other malware attacks is living in cloud cuckoo land. Just watch all the Black Hat conference presentations on YouTube to get an idea why.

Have they really read and analysed every line of code in such a system? Have they really analysed all the code the various compilers and interpreters produce from it?

Have they understood how all these parts work together?

I guess not.

Ergo, it's impossible to say anything is secure.

Certainly I like to think that any such vulnerabilities get discovered and fixed pretty quickly in the open source world.

Then it comes down to me personally to watch out for news of such dangers and upgrade my system accordingly.

Someone here mentioned the lack of automatic update in Raspbian. Which is true of Debian and as far as I know most other distributions.

That is fine by me. When one is running something one wants it to work. The history of automatic update shows that such updates can break your system. The cure can be worse than the threat it's supposed to fix.

One attack vector is to get people to install and run your malicious code. Well, guess what? These forums are full of posts instructing people to download and install some custom Linux version. Or hack with their apt sources list and keys to get some package installed. Or unpack and install some tar file as root.

I'm not saying these people have bad intent. I have done it myself with early builds of Qt5 for Raspbian. But you can never be sure....

Security is not an OS or an AntiVirus package or any particular technology. It's a process that you have to keep up with all the time.

Most people do not of course.

CarlRJ
Posts: 599
Joined: Thu Feb 20, 2014 4:00 am
Location: San Diego, California

Re: RPI4 soon?

Sun Oct 16, 2016 5:58 pm

broe23, you need to stop treating Unix/Linux as a religion that you need to zealously defend, and learn some actual facts.

In a former life, I helped run a very large university network. No central authority had control over configuring all the machines (the way you would normally find in, say, a large corporation), instead many were maintained on the department, lab, office, or even individual level (we just had control over the network they all used). Similarly, the machines in the residence halls (aka "dorms") were all purchased, set up, and run by individual students (we eventually took to probing their IP address for known vulnerabilities, open server ports, etc., before permitting them to access the network, but nothing kept the users from installing software/opening ports after they gained access). As well, since the campus had a very large, very high speed, internet connection, machines on campus attracted lots of attention from anyone on the internet looking to cause trouble (since any machine, once compromised, could then make use of our high bandwidth to attack other machines anywhere in the world).

Over the years, we saw many, many Windows systems compromised - really untold numbers. As you might expect. We ALSO saw quite a few Unix/Linux systems compromised. Mostly because they weren't being properly administered. Many cases where, say, a professor had a student helper set up a Linux box for some purpose and then the student graduated and left, and the machine just kept running - the student likely did not fully understand the care and feeding of Unix-based systems in the first place, and the system was just steaming along, unpatched, for months or years (the professor/graduated-student scenario is just one of thousands). In addition, for a number of years, many Linux distributions shipped with a positively stupid number of services turned on by default, just like WinXP did (and, of course, every port listening on the network, with possibly-naive code behind it, is another potential attack vector).

(You have to be of a certain age before you're allowed to drink or vote. You have to have proper training and pass tests if you want to drive a car. But they'll let just anyone buy a computer and hook it up to the Internet. Proper system administration is severely undervalued by most people, if they even know what it is. Imagine if there were no established rules/laws for driving, no required instruction or tests to pass, no stop lights or stop signs. Just a bunch of FAQs on how to drive, and everyone was sort of figuring it out on their own. Imagine what a mess that would be. A lot of the Internet is like that. It's astounding that it works as well as it does.)

You seem to think that every vulnerability ever found on a Unix or Linux system is only found by good people ("white hats") who dutifully report it up the chain and it gets immediately fixed and the fix immediately gets distributed out to every applicable system in the world. That's a pretty picture but it's entirely wrong. Many vulnerabilities are found by bad people ("black hats"), who use them for their own nefarious purposes, or sell them to criminal groups that use them to make money, or to government agencies around the world who use them to spy on their citizens or other governments. Ever heard of a "zero-day" exploit? That's one the bad guys found and used, and the good guys eventually find out about - the bad guys have been actively using it since they found it, and the good guys may not find out for a long time (there are, no doubt, exploits that bad guys are using that the good guys don't know about yet). And even when an exploit does get patched, the fix may not get distributed to all affected systems for a long time, if ever. There are literally tons of Android phones (and Android is a Linux-based OS) out there running old unpatched versions of Android (because the carriers, or the phone owners, don't care). Moreover, as the Internet of Things takes off, and we find more and more devices that have tiny Linux machines inside the box - which are mostly never getting patched, this will be more and more of a problem. If you think convincing someone that they need to update their computer is hard, try convincing people their refrigerator needs a software update (not to add new features, not to give them some benefit, but to harden the OS so the device can't be subverted and used to launch attacks against other devices/computers on the internet).

You seem to think that Linux systems are perfectly secure until a vulnerability is found (uh, but then weren't they previously insecure when you thought them secure?), at which point that vulnerability is fixed and they go back to being perfectly secure again. You also seem to think that everyone in charge of a computer knows what they're doing.

As a very simple example, Raspbian installs with a default user "pi" with a default password of "raspberry", and NOTHING guides a new user through the process of changing the password - so any Pi connected directly to the Internet by a user who doesn't know to change the password will end up horribly insecure, waiting for any bad guy to come along, connect to it, do a "sudo -s", and add that Pi to their growing botnet. But you're telling us this doesn't happen?

The very first malware that spread itself over the network, by the way, was the Morris worm which, in 1988, broke a large part of the Internet for a while, and it only worked on Unix machines.

Computer security is NOT a yes or no, binary, "flip this switch and you're done" thing. It's an ongoing process, a sliding scale, and a battle being fought on many fronts. Going around saying, "Linux is perfect, it cannot get a virus or malware," isn't just wrong, it's harmful - because someone might accidentally believe you.

Microsoft isn't choosing to have vulnerabilities in their systems to keep anti-virus companies in business, that idea is just asinine. Microsoft would love to have no vulnerabilities, and they are striving towards that - each version of Windows is substantially more secure than previous versions, because they're paying attention to security now; Windows XP was truly horrible, it had an astounding number of vulnerabilities (and a ludicrous number of network services turned on by default so the user could get the "full benefit" of them), because none of the code had been written with much, or any, thought given to security, and because one of the goals of Windows was to bend over backwards to support legacy applications by keeping old interfaces and APIs up and running, including ones that had been designed without security in mind. Since XP, Microsoft has been making each new version better. The modern versions of Windows are decent, from a security standpoint (at least from what I've heard from security folk - I don't use them myself).

A large part of the reason a lot of Sys Admins recoil in horror to Flash - entirely aside from its perversion of the dream of an open standards-based web, its mediocre user experience, and its tendency to spin up fans and chew up CPU cycles - is that Adobe's attention to detail in making the software secure... well, it really harkens back to the heyday of Microsoft and Windows XP - new vulnerabilities are still constantly being found in Flash. Indeed, Apple regularly updates macOS to block the then-current version of Flash from running, because some show-stopping security hole has been found, which forces Adobe to patch that specific vulnerability and release a new version of Flash. I haven't had Flash installed on my Mac in a couple years, and this is a source of joy for me, because I remember all those problems, and I don't believe that Adobe has yet developed the proper mindset to write secure software. (By the way, I use Macs specifically because they are good computers running a version of Unix that has a terrific GUI - something Linux has always had trouble with, despite hearing every year for the last decade and a half, "next year will be the year of Linux on the desktop" - it's also a single-source system: all the hardware is fully supported by the OS with no finger pointing between vendors; but I'm having a lot of fun experimenting with, and developing on, my Raspberry Pis as well.)

Linux can be quite secure, if configured and maintained properly, but it doesn't have any sort of magical "get out of jail free card" with respect to security. There will always be undiscovered vulnerabilities in any complex system (Linux included). The ongoing struggle to stay a few steps ahead of the bad guys involves a lot of hard work by a lot of smart people. Don't treat it like something that "just is."
Last edited by CarlRJ on Sun Oct 16, 2016 8:00 pm, edited 4 times in total.

Heater
Posts: 13066
Joined: Tue Jul 17, 2012 3:02 pm

Re: RPI4 soon?

Sun Oct 16, 2016 6:49 pm

Well said CarlRJ.

And thank you for writing that lengthy but important post.

DougieLawson
Posts: 35784
Joined: Sun Jun 16, 2013 11:19 pm
Location: Basingstoke, UK
Contact: Website Twitter

Re: RPI4 soon?

Sun Oct 16, 2016 8:29 pm

I think Carl has hit the nail on the head with that. Also bear in mind that Raspbian has been deliberately opened (the autologged in pi user has a trivial password AND has sudo - that isn't going to end well). The reason it was opened and pi gets autologged (by default) is to get the users coming to Raspbian from Windows over the hump easily. They'd run away if the security was tightened.

Before GPIOzero everyone needed sudo to wiggle GPIO pins. Look at how many folks prefix every command with sudo because they don't know any better.

If you're going on-line as a client machine it's probably OK, if you're going online as a port-forwarded server then the machine needs to be hardened.
Note: Having anything humorous in your signature is completely banned on this forum. Wear a tin-foil hat and you'll get a ban.

Any DMs sent on Twitter will be answered next month.

This is a doctor free zone.
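CarlRJ's point about the stock "pi"/"raspberry" account and DougieLawson's about that account's password-less sudo and autologin amount to a short checklist a defender can run against an image before it is port-forwarded. The script below is an added example, not code from the thread or from the Raspbian project; the file paths named in the comments and every file's contents are constructed assumptions, and `ssh_enabled` is passed in rather than probed.

```python
"""Audit the default-exposure items discussed in the thread on a Raspbian
image: the stock "pi" account, its NOPASSWD sudo, SSH password logins and
desktop autologin. Added example; all inputs are constructed text, the paths
in comments are assumptions about where each file lives."""
import re


def parse_passwd(passwd_text):
    """Return {username: uid} from /etc/passwd style content."""
    users = {}
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) >= 3 and parts[2].isdigit():
            users[parts[0]] = int(parts[2])
    return users


# Matches an unrestricted "run anything as root, no password" grant such as
# the "pi ALL=(ALL) NOPASSWD: ALL" line DougieLawson is describing.
SUDO_NOPASSWD_RE = re.compile(
    r"^\s*(?P<who>\S+)\s+ALL\s*=\s*\(ALL(?::ALL)?\)\s*NOPASSWD:\s*ALL\s*$"
)


def nopasswd_sudoers(sudoers_text):
    """Return users/groups granted unrestricted NOPASSWD sudo (from
    /etc/sudoers or an /etc/sudoers.d drop-in, assumed locations)."""
    found = []
    for line in sudoers_text.splitlines():
        line = line.split("#", 1)[0]          # drop comments
        m = SUDO_NOPASSWD_RE.match(line)
        if m:
            found.append(m.group("who"))
    return found


def sshd_option(sshd_text, key, default):
    """First effective value of an sshd_config keyword. OpenSSH uses the
    first occurrence; a commented-out line leaves the built-in default."""
    for line in sshd_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == key.lower():
            return parts[1].strip().lower()
    return default


def autologin_user(lightdm_text):
    """User named by autologin-user= in an lightdm.conf style file, or None."""
    for line in lightdm_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("autologin-user="):
            return line.split("=", 1)[1].strip() or None
    return None


def audit(passwd_text, sudoers_text, sshd_text, lightdm_text, ssh_enabled):
    """Return a list of findings; an empty list means none of the thread's
    default-exposure items is present."""
    findings = []
    if "pi" in parse_passwd(passwd_text):
        findings.append("default-account: user 'pi' still present")
    for who in nopasswd_sudoers(sudoers_text):
        findings.append(f"nopasswd-sudo: {who} can become root without a password")
    # OpenSSH's built-in default for PasswordAuthentication is "yes".
    if ssh_enabled and sshd_option(sshd_text, "PasswordAuthentication", "yes") == "yes":
        findings.append("ssh-password-auth: sshd accepts passwords over the network")
    user = autologin_user(lightdm_text)
    if user:
        findings.append(f"autologin: {user} is logged in automatically at boot")
    return findings


# Constructed inputs mirroring the stock image the thread describes ...
STOCK_PASSWD = "root:x:0:0:root:/root:/bin/bash\npi:x:1000:1000:,,,:/home/pi:/bin/bash\n"
STOCK_SUDOERS = "# constructed drop-in\npi ALL=(ALL) NOPASSWD: ALL\n"
STOCK_SSHD = "#PasswordAuthentication yes\nUsePAM yes\n"   # commented => default yes
STOCK_LIGHTDM = "[Seat:*]\nautologin-user=pi\n"
# ... and a hardened one with the account renamed and passwords disabled.
HARDENED_PASSWD = "root:x:0:0:root:/root:/bin/bash\nalice:x:1000:1000:,,,:/home/alice:/bin/bash\n"
HARDENED_SUDOERS = "alice ALL=(ALL) ALL\n"
HARDENED_SSHD = "PasswordAuthentication no\nUsePAM yes\n"
HARDENED_LIGHTDM = "[Seat:*]\n#autologin-user=\n"

if __name__ == "__main__":
    for f in audit(STOCK_PASSWD, STOCK_SUDOERS, STOCK_SSHD, STOCK_LIGHTDM, True):
        print(f)
```

Note the stock sshd_config case: a commented-out `#PasswordAuthentication yes` is not a setting, so the built-in default of accepting passwords still applies, which is exactly the configuration the "pi"/"raspberry" guessers rely on.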

broe23
Posts: 903
Joined: Thu Jan 28, 2016 9:35 pm
Location: Central IL
Contact: Website

Re: RPI4 soon?

Sun Oct 16, 2016 9:50 pm

ShiftPlusOne wrote: Those are the only two ways that you can get malicious code on Linux? Setting aside that the second one doesn't make sense, there are many other ways. To avoid going off on a tangent and being off-topic, I will leave it here, but highly recommend spending some time looking at a few hacking forums, security advisories and how systems have been compromised in the past.
I already know all of the tricks about what can and cannot be done with Linux. I have been messing around with computers since 1977, using different languages to write code it.

The fact remains that there are too many out there that tend to jump on boards like this and want to scare new users, because like the topic of this thread, it is all theory and those of us that have been using Linux since Linus created it, know that it in itself is not the target. The biggest target is the applications and those systems being used as LAMP servers, along with SQL, LDAP and email servers.

Those Pi units that we see people buy and run NOOBS with no changes to the default username and password are asking for trouble. The different OS platforms are locked down by default as you and I know. Those jumping in and acting like Linux distros suddenly became this huge hacking target over the weekend are so far off base, that the Linux community debunked that myth in the inception of widely adopted use.

Arm architecture is very hard to infect, because of how it was developed and that it is not the target, Windows is with the x86 code base. Let's also not forget that Liz had the last laugh on some idiot thinking that the Pi Foundation would fall for some scam.
Ren: Now listen, Cadet. I've got a job for you. See this button? Ren: Don't touch it! It's the History Eraser button, you fool! Stimpy: So what'll happen? Ren: That's just it. We don't know. Maybe something bad, maybe something good.

W. H. Heydt
Posts: 10741
Joined: Fri Mar 09, 2012 7:36 pm
Location: Vallejo, CA (US)

Re: RPI4 soon?

Sun Oct 16, 2016 10:00 pm

And, after the excellent security discussion, people wonder why, when running a convention registration in a hotel, I insist on a *wired* network that has no WAN connection at all... That's just a piece of keeping stray fingers out of where I don't want them.

broe23
Posts: 903
Joined: Thu Jan 28, 2016 9:35 pm
Location: Central IL
Contact: Website

Re: RPI4 soon?

Mon Oct 17, 2016 12:17 am

W. H. Heydt wrote:And, after the excellent security discussion, people wonder why, when running a convention registration in a hotel, I insist on a *wired* network that has no WAN connection at all... That's just a piece of keeping stray fingers out of where I don't want them.
That is your choice. I have zero issues using Wifi at a hotel or any place, because I know how to secure my equipment to keep others from accessing if they try.

Security is like locks on a house. It is only as good as the person using it.

W. H. Heydt
Posts: 10741
Joined: Fri Mar 09, 2012 7:36 pm
Location: Vallejo, CA (US)

Re: RPI4 soon?

Mon Oct 17, 2016 1:03 am

broe23 wrote:
W. H. Heydt wrote:And, after the excellent security discussion, people wonder why, when running a convention registration in a hotel, I insist on a *wired* network that has no WAN connection at all... That's just a piece of keeping stray fingers out of where I don't want them.
That is your choice. I have zero issues using Wifi at a hotel or any place, because I know how to secure my equipment to keep others from accessing if they try.

Security is like locks on a house. It is only as good as the person using it.
As my father used to say, locks are for honest people. I prefer to use a system that doesn't provide an extra "window" that I need to lock when I don't need that "window" to even be there.

broe23
Posts: 903
Joined: Thu Jan 28, 2016 9:35 pm
Location: Central IL
Contact: Website

Re: RPI4 soon?

Mon Oct 17, 2016 2:31 am

W. H. Heydt wrote:
broe23 wrote:
W. H. Heydt wrote:And, after the excellent security discussion, people wonder why, when running a convention registration in a hotel, I insist on a *wired* network that has no WAN connection at all... That's just a piece of keeping stray fingers out of where I don't want them.
That is your choice. I have zero issues using Wifi at a hotel or any place, because I know how to secure my equipment to keep others from accessing if they try.

Security is like locks on a house. It is only as good as the person using it.
As my father used to say, locks are for honest people. I prefer to use a system that doesn't provide an extra "window" that I need to lock when I don't need that "window" to even be there.
Linux is more secure than Windows. Anything that someone has done to find a hole in a server or desktop running Linux, was because the person setting those systems up made mistakes in not properly securing the systems. By default Linux ships with nothing extra running that can allow remote access or even local access into the OS running on a computer or as embedded OS on a device.

You and those who keep wanting to circle the wagons and dream up every imaginable possibility that suddenly Linux and even the Pi is capable of a mass attack, you are in for a surprise. There is currently one item that targets the Arm chipset which is used in many different devices besides the Pi. It has already been seen as a non-threat, because of the fact that it was more of an experiment than a threat. Windows 10 IoT is always going to be open to malware, because it is based off of Windows and Microsoft does not want to issue the fixes to stop their OS from being used to serve up malware.

If you want to keep up on the ELF binary viruses, then keep up on http://blog.malwaremustdie.org/ If you want to know more about the ELF binaries, then read up at https://linux-audit.com/elf-binaries-on ... -analysis/ for some basic understanding.

People try every day to break software and hardware security, because that is what they are paid to do. If someone comes across a problem and addresses it to the Linux Foundation if it is a Kernel issue or to the Pi Foundation if there is an issue that was found in their Raspbian edition or NOOBS, because they develop those two platforms in house, they get the fix out as quickly as they can and post to tell everyone. All of the other distros are maintained by those who built the Third Party OS and they are set to automatically download and install the security fix. If the unit that the OS is on is not connected in any form to a network through wifi or ethernet or USB, you have to do it manually either by burning a new SD card or going in and installing the updates if you download them and want to install on your own.
Last edited by broe23 on Mon Oct 17, 2016 2:35 am, edited 1 time in total.

broe23
Posts: 903
Joined: Thu Jan 28, 2016 9:35 pm
Location: Central IL
Contact: Website

Re: RPI4 soon?

Mon Oct 17, 2016 2:34 am

W. H. Heydt wrote:
broe23 wrote:
W. H. Heydt wrote:And, after the excellent security discussion, people wonder why, when running a convention registration in a hotel, I insist on a *wired* network that has no WAN connection at all... That's just a piece of keeping stray fingers out of where I don't want them.
That is your choice. I have zero issues using Wifi at a hotel or any place, because I know how to secure my equipment to keep others from accessing if they try.

Security is like locks on a house. It is only as good as the person using it.
As my father used to say, locks are for honest people. I prefer to use a system that doesn't provide an extra "window" that I need to lock when I don't need that "window" to even be there.
What extra window is that? You mean how Windows has everything enabled by default? There is no extra window that has to be locked on the Pi or Raspbian. You and the others are trying to dream up everything in theory and not realizing that those of us who have been around this stuff since the Home Brew Computer Club days have already figured out where the problem lies. It is that human in the chair at the computer.

By default, all Linux distros ship with zero extras enabled. If the person that pulls the Pi out of its box and sticks in the NOOBS card and does not change the default username and password, only those who could sit down at it would get in. There is zero external access to the Pi from the Internet or on the network that someone could go through the CLI.

W. H. Heydt
Posts: 10741
Joined: Fri Mar 09, 2012 7:36 pm
Location: Vallejo, CA (US)

Re: RPI4 soon?

Mon Oct 17, 2016 3:14 am

broe23 wrote:
W. H. Heydt wrote:And, after the excellent security discussion, people wonder why, when running a convention registration in a hotel, I insist on a *wired* network that has no WAN connection at all... That's just a piece of keeping stray fingers out of where I don't want them.
What extra window is that? You mean how Windows has everything enabled by default? There is no extra window that has to be locked on the Pi or Raspbian.
I have left the relevant quote in place and removed the intervening commentary. The "window" is WiFi. Yes, properly configured WiFi can be locked down...pretty well. But why should I go through that if I don't need WiFi in the first place? That way, I don't need to worry about any holes that permit wireless access to my systems because it is turned off at the router driving the LAN and none of the systems connected to the LAN has WiFi. Sure, the biggest risk is the volunteers using the data entry stations, but without *any* sort of network access, they're limited to what they can do actually *on* those data entry stations. Why would I enable WiFi access--no matter how well I think I've locked it down--allowing the guy sitting across the lobby a shot at the systems when I don't have to?

Gavinmc42
Posts: 3607
Joined: Wed Aug 28, 2013 3:31 am

Re: RPI4 soon?

Mon Oct 17, 2016 3:16 am

Kind of off track on my original post ;)
But it should be on this forum because it is important.
Not sure how to change the Subject title.

Security is the reason I am porting my Pi IoT gadgets code to Ultibo and away from Linux.
At the moment they are behind a Uni firewall, but I have read up on Stuxnet.
My 1st versions had Raspbian 4GB of code.
2nd versions have piCore 60MB of code.
3rd version are Ultibo about 2MB of code.

Which OS system is going to be the easiest to check for holes?
Sure they still might be vulnerable to hacking but not by the "normal" ways.
I have not rolled out lots of these things and most are only data loggers.
But I have a few now controlling equipment, all have remote access.

There is a risk with anything connected.
We can only minimize risk to the amount our most paranoid selves are happy with.
But I am not an IT security guy, my Pi's are tolerated on the network.
The early days I was told not to put them on until I had an update method and virus checker :lol:
I'm dancing on Rainbows.
Raspberries are not Apples or Oranges

stderr
Posts: 2178
Joined: Sat Dec 01, 2012 11:29 pm

Re: RPI4 soon?

Mon Oct 17, 2016 4:00 am

broe23 wrote: Anything that someone has done to find a hole in a server or desktop running Linux, was because the person setting those systems up made mistakes in not properly securing the systems. By default Linux ships with nothing extra running that can allow remote access or even local access into the OS running on a computer or as embedded OS on a device.
The biggest problem is usually something in the browser. Those are routinely used by nearly everyone with a computer on the planet, including those who are using Linux. Most of the browsers have their own internal scripting language, extensions and the JavaScript, all of which potentially are cross platform to support multiple architectures and operating systems. You are buying something with a Unix-like OS but you aren't buying utter imperviousness.

The only real defence is layered, even to the point of having systems that are read only or booted only from a secure source, that are running forward facing services and especially running browsers. Running the same system to randomly click on the internet that you use to access your bank is probably insane.

Regarding if setting up your system wrong is the problem, I'm running noscripts and some kind of ad blocking software, those sorts of things. I think those are going to improve the situation but they also make running some things more complicated. Most people have none of this running and it would be wrong to expect them to.

DavidS
Posts: 4334
Joined: Thu Dec 15, 2011 6:39 am
Location: USA
Contact: Website

Re: RPI4 soon?

Mon Oct 17, 2016 5:35 am

I have exactly 3 secure desktop computers. 1 Raspberry Pi 2B (sometimes switched with the Raspberry Pi 3B) that is running an OS on an SD that is never used on a machine connected to the Internet (this is where I do most of my work) and transfers out are done only by writing CDs. One Macintosh PowerPC Performa 6100/120 that is never connected to the internet, and all data transfer to other systems is done by writing to CDs. And one home built 65816 based computer, all data transfer out of it being in the form of OTPs (one time programmable ROMs).

Any computer I have connect to the internet is NOT secure simply because it is attached to the internet. I do attempt to keep my internet computers as secure as I can, though I know that the fact they are connected to the internet means that they are NOT secure.
RPi = The best ARM based RISC OS computer around
More than 95% of posts made from RISC OS on RPi 1B/1B+ computers. Most of the rest from RISC OS on RPi 2B/3B/3B+ computers

mfa298
Posts: 1387
Joined: Tue Apr 22, 2014 11:18 am

Re: RPI4 soon?

Mon Oct 17, 2016 7:20 am

broe23 wrote: By default, all Linux distro's ship with zero extras enabled. If the person that pulls the Pi out of its box and sticks in the NOOBS card and does not change the default username and password, only those who could sit down at it would get in. There is zero external access to the Pi from the Internet or on the network that someone could go through the CLI.
Stop living in the '90s (and even then Linux distros came with a lot of stuff enabled).

Nmap of a pi host running raspbian-lite

mike@gateway:~$ nmap pi
Starting Nmap 6.40 ( http://nmap.org ) at 2016-10-17 08:08 BST
Nmap scan report for pi(192.168.33.68)
Host is up (0.051s latency).
rDNS record for 192.168.33.68: pi
Not shown: 999 closed ports
PORT   STATE SERVICE
22/tcp open  ssh

Nmap done: 1 IP address (1 host up) scanned in 0.65 seconds
And an nmap of a Windows 10 system.

mike@gateway:~$ nmap win10
Starting Nmap 6.40 ( http://nmap.org ) at 2016-10-17 08:08 BST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.03 seconds
Tell me again how Windows ships with everything enabled by default and everything is off by default in all Linux distros.

broe23
Posts: 903
Joined: Thu Jan 28, 2016 9:35 pm
Location: Central IL
Contact: Website

Re: RPI4 soon?

Mon Oct 17, 2016 8:21 am

W. H. Heydt wrote:[I have left the relevant quote in place and removed the intervening commentary. The "window" is WiFi. Yes, properly configured WiFi can be locked down...pretty well. But why should I go through that if I don't need WiFi in the first place? That way, I don't need to worry about any holes that permit wireless access to my systems because it is turned off at the router driving the LAN and none of the systems connected to the LAN has WiFi. Sure, the biggest risk is the volunteers using the data entry stations, but without *any* sort of network access, they're limited to what they can do actually *on* those data entry stations. Why would I enable WiFi access--no matter how well I think I've locked it down--allowing the guy sitting across the lobby a shot at the systems when I don't have to?
Again there is no window to get into the Pi unless someone has, say, Raspbian Lite running without SSH or FTP. The same with the other distros like Mate. Unless you can Putty into the unit or someone has enabled certain items, you cannot break into the Linux OS to get into the install.

You are at this point just trying to figure out how many ways that you can spin your story in thinking that there is going to be some random odd way that someone can get onto your network or into the Pi device. If someone has your Passphrase to your Wifi, yes they can gain access. Without the Passphrase, they cannot. Ethernet they would need physical access to connect to the Gateway or switch. It still does not in any way allow someone unlimited ability to get into the OS running on the Pi.

If you are allowing SSH or FTP to run, you still have to put in place a password for them, along with setting them up for the Hash key, since they will not run without them. Now if you want to let the whole world into your Pi, that is again your choice. Not the whole Linux user base and admins will allow services to be out in the wild just because someone random on the Internet stated that it can be done.

All of your far-fetched theories have been busted and continue to be debunked in no matter what way you try and spin them to think that the answer is going to change.

I can hook up one of my Pis right now and no one would even know that it is attached to my network, unless they are looking for it with the right tools, which they would never be able to, since no one has the freedom to get into my network through my Gateway, let alone connect to it without the passphrase.

ShiftPlusOne
Raspberry Pi Engineer & Forum Moderator
Posts: 5854
Joined: Fri Jul 29, 2011 5:36 pm
Location: The unfashionable end of the western spiral arm of the Galaxy

Re: RPI4 soon?

Mon Oct 17, 2016 8:28 am

The off-topic discussion carried on for a bit too long. Since everyone ganged up on broe, he/she gets the last word.
