bubbl
Posts: 85
Joined: Sun Jul 14, 2013 9:15 pm
Location: United Kingdom

Security section/subsection

Thu Nov 28, 2013 6:23 pm

Hi,
I've got a message to the whole Raspberry Pi foundation, forum moderators and all the users.
I've been browsing the forum for some time now, but so far I haven't seen many topics connected with security. For god's sake, is there no self-preservation instinct in computer users nowadays? I realize it's kind of a tilt at windmills, as people don't really care about it unless it's too late. It's a bit as if we taught people to drive a car without seatbelts. They are there, but why would I use them? Nothing will happen to me!
Security seems to be not spoken of enough, we want to teach people coding, but we forget about self-protection. People have to be taught about security, especially the beginners. Sure, create yourself a media centre, build a web server, but please, for god's sake, give some time for securing it or sooner or later you'll be in trouble! People should become more aware that they're not safe in the Net. Once you connect to the internet, you become vulnerable. And I'm not talking about viruses only (DON'T BELIEVE ANYONE WHO SAYS LINUX IS VIRUS-PROOF - it's not and you should protect yourself!), but brute force attacks, etc. How would you protect yourself? How?
Please, if you teach something, do it properly, as many computer users are so neglectful and lazy they don't even change default passwords. Not to mention mixing up elementary ideas.
I suggest creating at least a well maintained subsection to teach people about vulnerabilities and security issues, and spending more time on educating people how to use Linux in a good way. Linux (any OS in fact) is not a playground and a toy - it's serious and needs care and attention.
We're not here because we are free. We're here because we are not free. There is no escaping reason. No denying purpose. Because we both know without purpose, we would not exist.
http://www.bartbania.com/

DougieLawson
Posts: 33787
Joined: Sun Jun 16, 2013 11:19 pm
Location: Basingstoke, UK

Re: Security section/subsection

Thu Nov 28, 2013 8:26 pm

That's a good idea. Perhaps we should start a SEPi project and borrow some of the things that SELinux have implemented.

There's too much of the "fix that with sudo" or "chmod 777 xyzzy" on here. As the RPi becomes more popular and more unsecure systems are port forwarded to the Internet then the hackers will see it as an ever easier target.

My Ubuntu system running on a small, low wattage x86 box is constantly being probed (and not just by Google's net crawlers). My RPi is still hidden behind my firewall (I can get in from outside through my Ubuntu system).
Microprocessor, Raspberry Pi & Arduino Hacker
Mainframe database troubleshooter
MQTT Evangelist
Twitter: @DougieLawson

2012-18: 1B*5, 2B*2, B+, A+, Z, ZW, 3Bs*3, 3B+

Any DMs sent on Twitter will be answered next month.

DrDominodog51
Posts: 79
Joined: Sun Sep 29, 2013 6:16 pm

Re: Security section/subsection

Thu Nov 28, 2013 8:32 pm

A poll on who wants this would be a good idea.

bubbl

Re: Security section/subsection

Thu Nov 28, 2013 8:34 pm

DrDominodog51 wrote:A poll on who wants this would be a good idea.
a poll? it's not a matter of want/don't want. security is security, if you don't care about it, you are ignorant.

bubbl

Re: Security section/subsection

Thu Nov 28, 2013 8:35 pm

DougieLawson wrote:As the RPi becomes more popular and more unsecure systems are port forwarded to the Internet then the hackers will see it as an ever easier target.
Agreed. People should be taught the basics. To repeat myself - it's fun to use, it's a priority to know how to use it.

Heater
Posts: 9829
Joined: Tue Jul 17, 2012 3:02 pm

Re: Security section/subsection

Thu Nov 28, 2013 9:48 pm

bubbl,

I don't want to diminish in any way your desire to make people aware of security issues but this:
Linux (any OS in fact) is not a playground and a toy
is totally not true.

Without the joy, playfulness, curiosity, creativity, enthusiasm... inspired by being one of the best toys and playgrounds in the world, Linux and much other software would not even be here.

Like all human endeavour our toys come with dangers, from bicycles and skateboards to landing man on the moon.

Actually, thinking about it, showing people how to hack into each other's Raspberry Pis, or even challenging them to do so, might be a playful way to raise awareness of security issues.

Hack my Pi!

It's here: http://a.linuxsecured.net/

bubbl

Re: Security section/subsection

Thu Nov 28, 2013 9:52 pm

Heater wrote:bubbl,

I don't want to diminish in any way your desire to make people aware of security issues but this:
Linux (any OS in fact) is not a playground and a toy
is totally not true.

Without the joy, playfulness, curiosity, creativity, enthusiasm... inspired by being one of the best toys and playgrounds in the world, Linux and much other software would not even be here.

Like all human endeavour our toys come with dangers, from bicycles and skateboards to landing man on the moon.

Actually, thinking about it, showing people how to hack into each other's Raspberry Pis, or even challenging them to do so, might be a playful way to raise awareness of security issues.

Hack my Pi!

It's here: http://a.linuxsecured.net/
Thanks for the reply. You misunderstood me, or maybe I wrote not plainly enough ;) I don't diminish the joyful purpose of RPi. I just want to point out that teaching and learning is not only about the joyful things but also about security. That is my point.
As for hacking your Pi... What's the point? ;)

jamesh
Raspberry Pi Engineer & Forum Moderator
Posts: 20465
Joined: Sat Jul 30, 2011 7:41 pm

Re: Security section/subsection

Thu Nov 28, 2013 9:56 pm

Raspi runs a standard Linux. Linux security is well documented and understood. (Computer security as a whole is well documented and understood). Why does there need to be a dedicated Raspi forum for something that is already well documented?
Principal Software Engineer at Raspberry Pi (Trading) Ltd.
Please direct all questions to the forum, I do not do support via PM.

bubbl

Re: Security section/subsection

Thu Nov 28, 2013 10:00 pm

jamesh wrote:Raspi runs a standard Linux. Linux security is well documented and understood. (Computer security as a whole is well documented and understood). Why does there need to be a dedicated Raspi forum for something that is already well documented?
As hardly anyone knows where to find this kind of stuff, especially beginners?

jamesh
Raspberry Pi Engineer & Forum Moderator

Re: Security section/subsection

Thu Nov 28, 2013 10:04 pm

bubbl wrote:
jamesh wrote:Raspi runs a standard Linux. Linux security is well documented and understood. (Computer security as a whole is well documented and understood). Why does there need to be a dedicated Raspi forum for something that is already well documented?
As hardly anyone knows where to find this kind of stuff, especially beginners?
Hmm. I use something called 'google'. It's apparently a well known system for discovering information like this.

bubbl

Re: Security section/subsection

Thu Nov 28, 2013 10:05 pm

not everyone seems to be aware of google. following your lead, what's the point of this forum if google exists?

duberry
Posts: 379
Joined: Mon Jan 28, 2013 10:44 pm
Location: standing on a planet that's evolving. And revolving at nine hundred miles an hour

Re: Security section/subsection

Thu Nov 28, 2013 10:15 pm

> How would you protect yourself? How?

1) Lock door
2) Unplug the LAN and/or wifi.

Done! (You won't find that on google ;) , I also offer self defence advice against a maniac armed with a BANANA!)

bubbl

Re: Security section/subsection

Thu Nov 28, 2013 10:19 pm

duberry wrote:> How would you protect yourself? How?

1) Lock door
2) Unplug the LAN and/or wifi.

Done! (You won't find that on google ;) , I also offer self defence advice against a maniac armed with a BANANA!)
Cool. Ignorance is bliss.

bubbl

Re: Security section/subsection

Thu Nov 28, 2013 10:20 pm

DougieLawson wrote:That's a good idea. Perhaps we should start a SEPi project and borrow some of the things that SELinux have implemented.

There's too much of the "fix that with sudo" or "chmod 777 xyzzy" on here. As the RPi becomes more popular and more unsecure systems are port forwarded to the Internet then the hackers will see it as an ever easier target.

My Ubuntu system running on a small, low wattage x86 box is constantly being probed (and not just by Google's net crawlers). My RPi is still hidden behind my firewall (I can get in from outside through my Ubuntu system).
Watching the answers... there's no point.

Heater

Re: Security section/subsection

Thu Nov 28, 2013 10:20 pm

jamesh,
Raspi runs a standard Linux. Linux security is well documented and understood. (Computer security as a whole is well documented and understood). Why does there need to be a dedicated Raspi forum for something that is already well documented?
All very true but...

What we have with the Pi is two million users many of whom know nothing about Linux or its security before they start out. What experts know about all of that is not relevant except as far as they can advise others.

Such users may not even know there is something they should google for, until something happens...

There have been dozens of posts on this forum where people described how they have connected a Pi to the net and arranged a web page it served up to control this and that. Or they have expressed a desire to do so.

How many of those have the wherewithal to set up HTTPS and generate their own self-signed certificates and so on?

bubbl,
As for hacking your Pi... What's the point?
Well, you won't know until you get in there will you :)

duberry

Re: Security section/subsection

Thu Nov 28, 2013 10:24 pm

bubbl wrote:Cool. Ignorance is bliss.
Eh what? That is the best digital security advice anyone can use;
Simply DO NOT CONNECT TO ANY NETWORK.
And you're safe, no ignorance required.

And I can't find on google the reference for this infosec bombshell! :evil:


Anyway, if the forum was created it needs to be named 'insecurity section/subsection'
Last edited by duberry on Thu Nov 28, 2013 10:29 pm, edited 1 time in total.
lend me your arms, fast as thunderbolts, for a pillow on my journey.
If the environment was a bank, would it be too big to fail
so long; and thanks for all the pi

bubbl

Re: Security section/subsection

Thu Nov 28, 2013 10:28 pm

duberry wrote:
bubbl wrote:Cool. Ignorance is bliss.
Eh what? That is the best digital security advice anyone can use;
Simply DO NOT CONNECT TO ANY NETWORK.
And you're safe, no ignorance required.

And I can't find on google the reference for this infosec bombshell! :evil:
oh, captain obvious, what're you doing here then, breaking your own advice? isn't it ironic? :twisted:

Heater

Re: Security section/subsection

Thu Nov 28, 2013 10:36 pm

duberry,
Simply DO NOT CONNECT TO ANY NETWORK.
Which is about as helpful advice as telling a guy who owns a hammer never to bang nails in with it in case he bashes his thumb.

So let's take a typical scenario:

Hello everybody, I'm new to the Pi and Linux, I have a little experience of programming in C and PHP.
I'd like to tell you about my project to have the Pi control the watering system for my house plants whilst I'm away from home.
I have this great web page that controls the water supply and heating for my plants. And I can see them growing online via the Raspi's camera.
How do I ensure nobody can take over my watering system and drown my orchids?

Now, house plant safety might not be the most worrisome thing in the world, but hey, I don't want anyone killing off my plants and filling the living room up with water.

duberry

Re: Security section/subsection

Thu Nov 28, 2013 10:38 pm

bubbl wrote:oh, captain obvious, what're you doing here then, breaking your own advice? isn't it ironic? :twisted:
a) Calculated risk
b) I'm unconcerned about the insecurity
c) I see FEAR used as a tool to create a new market & I'm not interested in that :shock:

Image
img-text : 'war is big business'
Last edited by duberry on Tue Dec 03, 2013 11:43 am, edited 1 time in total.

bubbl

Re: Security section/subsection

Thu Nov 28, 2013 10:42 pm

Image

duberry

Re: Security section/subsection

Thu Nov 28, 2013 10:43 pm

Heater wrote: How do I ensure nobody can take over my watering system and drown my orchids?
The honest answer is you can't. But you can try and minimise the possibility.

In this case put a max water sensor to prevent over watering ....
But I don't think orchids need water? :roll:
Heater wrote: I don't want anyone killing off my plants and filling the living room up with water.
In reality, of all the things a computer might kill in 2013, your plants are an unlikely target.
Last edited by duberry on Thu Nov 28, 2013 10:47 pm, edited 1 time in total.

bubbl

Re: Security section/subsection

Thu Nov 28, 2013 10:46 pm

duberry wrote:
bubbl wrote:oh, captain obvious, what're you doing here then, breaking your own advice? isn't it ironic? :twisted:
a) Calculated risk
b) I'm unconcerned about the insecurity
c) I see FEAR used as a tool to create a new market & I'm not interested in that :shock:

Image
and more and more people will ask questions like:
just wondering how you went about setting up your static ip and external ip? did you use noip.com? i want to try and use noip.com so i can access my rpi externally. ive searched around but havent had too much success. thanks

Heater

Re: Security section/subsection

Thu Nov 28, 2013 10:47 pm

duberry,

OK, Perhaps Orchid care was not the best example. But I thought it conveyed the point as well as any.

duberry

Re: Security section/subsection

Thu Nov 28, 2013 10:56 pm

@"Heater"
:P I-dig ( I overunderstand your example but
The only Environment I'm concerned about the security of is not digital (call me crazy :idea: )

Joe Schmoe
Posts: 4277
Joined: Sun Jan 15, 2012 1:11 pm

Re: Security section/subsection

Thu Nov 28, 2013 11:08 pm

Cold hard fact is that the next generation doesn't give a whit about security.

Smartphones/Androids/tablets/etc are all based on a no-security model. You are owned by every single app maker whose app you've installed. It seems to work OK for most people.

Also, why all this concern about Linux and security? Most of the world runs Windows and again, like with Smartphones, etc - Windows has only rudimentary security. Yet, people use it every day. They seem to survive.
And some folks need to stop being fanboys and see the forest behind the trees.

(One of the best lines I've seen on this board lately)
