vpetersson
Posts: 395
Joined: Wed Jul 25, 2012 9:23 am

WoTT - An attempt to automate Raspberry Pi security

Tue Jun 25, 2019 10:37 am

Hi guys,

Viktor here, the creator of Screenly. Recently, I’ve been busy hacking on a new project called Web of Trusted Things (WoTT). The concept behind WoTT is to simplify credential management (think API keys, passwords, etc.), certificate management (every device gets an x509 certificate as an identity) as well as to do an ongoing security audit of your fleet of devices.

I’d like to invite my fellow Raspberry Pi friends as early testers of our beta.

Here’s what we have right now:

We have a number of use cases on Github and we are actively posting new ones. We would love to get your feedback and for you to tell us what problems we can solve for you.

Here are some things we have on the roadmap for the next few weeks:
  • Docker and Balena (former Resin) integration
  • Ubuntu Core (former Snappy) integration
  • Integrations and tutorials for the most popular IoT platforms
  • TPM integration for additional security hardening

I'd invite you all to test it. You can find quick installation instructions here:
https://github.com/WoTTsecurity/agent#installation

If you have any questions, please post them in this thread and we will try to answer as quickly as possible and if you encounter any bugs, please file them on Github (https://github.com/WoTTsecurity/agent).
Creator of Screenly (Screenly.io), the leading digital signage solution for the Raspberry Pi. Now hacking on WoTT (github.com/WoTTsecurity/agent),
Twitter: @vpetersson | vpetersson.com

bigfoot_rights
Posts: 1
Joined: Tue Jun 25, 2019 5:41 pm

Re: WoTT - An attempt to automate Raspberry Pi security

Tue Jun 25, 2019 5:51 pm

Hi,

Really big fan of Screenly. The headaches it has eliminated from using other digital signage solutions (even expensive paid ones) won't be missed.

I've used WoTT a little and it was straightforward and simple. The question I have is about the specifics of the Active Devices section of the dashboard. How often does it ping a device and is that/will it be configurable? I noticed it still reported my Pi as active for a while after I had turned it off. It could be that I'm just used to PRTG Network Monitor that I currently use to ping all of my Pis to see if they're up and it reported as inactive right after I stopped looking.

Thanks a million, Screenly is great.

vpetersson
Posts: 395
Joined: Wed Jul 25, 2012 9:23 am

Re: WoTT - An attempt to automate Raspberry Pi security

Tue Jun 25, 2019 6:13 pm

bigfoot_rights wrote:
Tue Jun 25, 2019 5:51 pm
Really big fan of Screenly. The headaches it has eliminated from using other digital signage solutions (even expensive paid ones) won't be missed.

Thank you for the kind words!

bigfoot_rights wrote:
Tue Jun 25, 2019 5:51 pm
I've used WoTT a little and it was straightforward and simple. The question I have is about the specifics of the Active Devices section of the dashboard.

If I'm not mistaken, "Active Devices" is defined as devices that have pinged our backend in the last 24 hours (but I need to double check the specific cut-off we use as I didn't write this code). Since we don't have any permanent connection (such as MQTT or WebSocket) to our backend, we get a bit less granularity. Moreover, since we anticipate a lot of devices being on 3G/4G/5G or flaky WiFi, we expect devices to periodically drop off and return a few hours later (much like we have seen with Screenly).

bigfoot_rights wrote:
Tue Jun 25, 2019 5:51 pm
How often does it ping a device and is that/will it be configurable?

Good question! Right now we ping every hour, but we are working on breaking that down to more based on the task. For instance, we might not need to check for default credentials more than say once every 24 hours, but other things (such as suspicious network traffic), we will need to do more frequently (perhaps every 5 or 15 minutes) in order to determine a baseline and to perform abnormality detection.

bigfoot_rights wrote:
Tue Jun 25, 2019 5:51 pm
I noticed it still reported my Pi as active for a while after I had turned it off. It could be that I'm just used to PRTG Network Monitor that I currently use to ping all of my Pis to see if they're up and it reported as inactive right after I stopped looking.

No, this is expected as per the above. We've designed the system for large fleets, and at scale, you'd expect devices to periodically drop off, so we don't want to perhaps raise an alert early on.

bigfoot_rights wrote:
Tue Jun 25, 2019 5:51 pm
Thanks a million, Screenly is great.

Thanks again for your kind words!

Let me know if you have any other feedback or questions!

P.S. Screenly is not going anywhere. We have a fairly large capable team working on moving it forward too and the user base is growing every day D.S.

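The check-in model described in the reply above, as an added sketch that is not WoTT's code: it shows why a powered-off Pi keeps counting as active under a last-seen window, and how counting missed check-ins could separate a flaky link from a device that is really gone. The hourly interval and 24-hour window come from the post (the poster was unsure of the exact cut-off); the "late" state, the `tolerated_misses` value, the function names and the sample fleet are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# Figures quoted in the thread; the 24 h cut-off was stated from memory there.
CHECKIN_INTERVAL = timedelta(hours=1)
ACTIVE_WINDOW = timedelta(hours=24)


def dashboard_active(last_seen, now):
    """The rule as described in the thread: seen inside the window."""
    return now - last_seen <= ACTIVE_WINDOW


def missed_checkins(last_seen, now, interval=CHECKIN_INTERVAL):
    """Whole check-in slots that have elapsed without a report."""
    return max(0, (now - last_seen) // interval)  # clock skew clamps to 0


def classify(last_seen, now, tolerated_misses=3):
    """Return 'active', 'late' or 'inactive'.

    'late' is a hypothetical intermediate state: still inside the window,
    but more check-ins missed than an unreliable link usually explains.
    """
    if not dashboard_active(last_seen, now):
        return "inactive"
    if missed_checkins(last_seen, now) > tolerated_misses:
        return "late"
    return "active"


def fleet_report(last_seen_by_device, now):
    report = {"active": [], "late": [], "inactive": []}
    for device, last_seen in sorted(last_seen_by_device.items()):
        report[classify(last_seen, now)].append(device)
    return report


# Constructed sample data, not real devices.
NOW = datetime(2019, 6, 25, 18, 0, tzinfo=timezone.utc)
FLEET = {
    "pi-kitchen": NOW - timedelta(minutes=20),
    "pi-4g-kiosk": NOW - timedelta(hours=3, minutes=10),  # dropped off 4G
    "pi-powered-off": NOW - timedelta(hours=6),           # switched off
    "pi-retired": NOW - timedelta(days=2),
}

if __name__ == "__main__":
    for state, devices in fleet_report(FLEET, NOW).items():
        print(f"{state:9s} {devices}")
```

Raising `tolerated_misses` trades earlier warnings for fewer false alerts on cellular or unreliable WiFi links, which is the trade-off the reply describes for large fleets.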
otobey
Posts: 1
Joined: Thu Jul 11, 2019 9:47 am

Re: Buster still not support?

Thu Jul 11, 2019 10:07 am

Hello!

I've started the WoTT install, but I can't install it.
The error message is
"Err:3 https://packagecloud.io/wott/agent/raspbian buster Release
404 Not Found [IP: 54.193.63.214 443]
E: The repository 'https://packagecloud.io/wott/agent/raspbian buster Release' does not have a Release file."

Should I change its 'Suite' value from 'testing' to 'stable'? Or back to Raspberry Stretch?

vpetersson
Posts: 395
Joined: Wed Jul 25, 2012 9:23 am

Re: Buster still not support?

Thu Jul 11, 2019 3:53 pm

otobey wrote:
Thu Jul 11, 2019 10:07 am
Hello!

I've started the WoTT install, but I can't install it.
The error message is
"Err:3 https://packagecloud.io/wott/agent/raspbian buster Release
404 Not Found [IP: 54.193.63.214 443]
E: The repository 'https://packagecloud.io/wott/agent/raspbian buster Release' does not have a Release file."

Should I change its 'Suite' value from 'testing' to 'stable'? Or back to Raspberry Stretch?

The release of Buster somewhat came as a surprise to us (as it pre-dated even the upstream Debian release). Adding support for Buster is however on the agenda and you can track the ticket here: https://github.com/WoTTsecurity/agent/issues/185.

We hope to knock this out soon.

vpetersson
Posts: 395
Joined: Wed Jul 25, 2012 9:23 am

Re: WoTT - An attempt to automate Raspberry Pi security

Mon Jul 15, 2019 5:53 pm

I'm happy to announce that we now have support for the Raspberry Pi 4. Installation instructions remain the same.
