Security section/subsection

Posted: Thu Nov 28, 2013 6:23 pm
by bubbl
Hi,
I've got a message to the whole Raspberry Pi foundation, forum moderators and all the users.
I've been browsing the forum for some time now, but so far I haven't seen many topics connected with security. For god's sake, is there no self-preservation instinct in computer users nowadays? I realize it's kind of a tilt at windmills, as people don't really care about it unless it's too late. It's a bit as if we taught people to drive a car without seatbelts. They are there, but why would use them? Nothing will happen to me!
Security seems to be not spoken of enough, we want to teach people coding, but we forget about self-protection. People have to be taught about security, especially the beginners. Sure, create yourself a media centre, build a web server, but please, for god's sake, give some time for securing it or sooner or later you'll be in trouble! People should become more aware that they're not safe in the Net. Once you connect to the internet, you become vulnerable. And I'm not talking about viruses only (DON'T BELIEVE ANYONE WHO SAYS LINUX IS VIRUS-PROOF - it's not and you should protect yourself!), but brute force attacks, etc. How would you protect yourself? How?
Please, if you teach something, do it properly, as many computer users are so neglectful and lazy they don't even change default passwords. Not to mention mixing up elementary ideas.
I suggest creating at least a well maintained subsection to teach people about vulnerabilities and security issues, and spending more time on educating people how to use Linux in a good way. Linux (any OS in fact) is not a playground and a toy - it's serious and needs care and attention.

Re: Security section/subsection

Posted: Thu Nov 28, 2013 8:26 pm
by DougieLawson
That's a good idea. Perhaps we should start a SEPi project and borrow some of the things that SELinux have implemented.

There's too much of the "fix that with sudo" or "chmod 777 xyzzy" on here. As the RPi becomes more popular and more unsecure systems are port forwarded to the Internet then the hackers will see it as an ever easier target.

My Ubuntu system running on a small, low wattage x86 box is constantly being probed (and not just by Google's net crawlers). My RPi is still hidden behind my firewall (I can get in from outside through my Ubuntu system).

Re: Security section/subsection

Posted: Thu Nov 28, 2013 8:32 pm
by DrDominodog51
A poll on who wants this would be a good idea.

Re: Security section/subsection

Posted: Thu Nov 28, 2013 8:34 pm
by bubbl
DrDominodog51 wrote:A poll on who wants this would be a good idea.
a poll? it's not a matter of want/don't want. security is security, if you don't care about it, you are ignorant.

Re: Security section/subsection

Posted: Thu Nov 28, 2013 8:35 pm
by bubbl
DougieLawson wrote:As the RPi becomes more popular and more unsecure systems are port forwarded to the Internet then the hackers will see it as an ever easier target.
Agreed. People should be taught the basics. To repeat myself - it's fun to use, it's priority to know how to use.

Re: Security section/subsection

Posted: Thu Nov 28, 2013 9:48 pm
by Heater
bubbl,

I don't want to diminish in any way your desire to make people aware of security issues but this:
Linux (any OS in fact) is not a playground and a toy
is totally not true.

Without the joy, playfulness, curiosity, creativity, enthusiasm... inspired by being one of the best toys and playgrounds in the world Linux and much other software would not even be here.

Like all human endeavour our toys come with dangers, from bicycles and skateboards to landing man on the moon.

Actually, thinking about it, showing people how to hack into each other's Raspberry Pis, or even challenging them to do so, might be a playful way to raise awareness of security issues.

Hack my Pi!

It's here: http://a.linuxsecured.net/

Re: Security section/subsection

Posted: Thu Nov 28, 2013 9:52 pm
by bubbl
Heater wrote:bubbl,

I don't want to diminish in any way your desire to make people aware of security issues but this:
Linux (any OS in fact) is not a playground and a toy
is totally not true.

Without the joy, playfulness, curiosity, creativity, enthusiasm... inspired by being one of the best toys and playgrounds in the world Linux and much other software would not even be here.

Like all human endeavour our toys come with dangers, from bicycles and skateboards to landing man on the moon.

Actually, thinking about it, showing people how to hack into each other's Raspberry Pis, or even challenging them to do so, might be a playful way to raise awareness of security issues.

Hack my Pi!

It's here: http://a.linuxsecured.net/
Thanks for the reply. You misunderstood me, or maybe I wrote not plainly enough ;) I don't diminish the joyful purpose of RPi. I just want to point out that teaching and learning is not only about the joyful things but also about security. That is my point.
As for hacking your Pi... What's the point? ;)

Re: Security section/subsection

Posted: Thu Nov 28, 2013 9:56 pm
by jamesh
Raspi runs a standard Linux. Linux security is well documented and understood. (Computer security as a whole is well documented and understood). Why does there need to be a dedicated Raspi forum for something that is already well documented?

Re: Security section/subsection

Posted: Thu Nov 28, 2013 10:00 pm
by bubbl
jamesh wrote:Raspi runs a standard Linux. Linux security is well documented and understood. (Computer security as a whole is well documented and understood). Why does there need to be a dedicated Raspi forum for something that is already well documented?
As hardly anyone knows where to find this kind of stuff, especially beginners?

Re: Security section/subsection

Posted: Thu Nov 28, 2013 10:04 pm
by jamesh
bubbl wrote:
jamesh wrote:Raspi runs a standard Linux. Linux security is well documented and understood. (Computer security as a whole is well documented and understood). Why does there need to be a dedicated Raspi forum for something that is already well documented?
As hardly anyone knows where to find this kind of stuff, especially beginners?
Hmm. I use something called 'google'. It's apparently a well known system for discovering information like this.

Re: Security section/subsection

Posted: Thu Nov 28, 2013 10:05 pm
by bubbl
not everyone seems to be aware of google. following your lead, what's the point of this forum if google exists?

Re: Security section/subsection

Posted: Thu Nov 28, 2013 10:15 pm
by duberry
> How would you protect yourself? How?

1) Lock door
2) Unplug the LAN and/or wifi.

Done! (you won't find that on google ;) , I also offer self defence advice against maniac armed with a BANANA!)

Re: Security section/subsection

Posted: Thu Nov 28, 2013 10:19 pm
by bubbl
duberry wrote:> How would you protect yourself? How?

1) Lock door
2) Unplug the LAN and/or wifi.

Done! (you won't find that on google ;) , I also offer self defence advice against maniac armed with a BANANA!)
Cool. Ignorance is bliss.

Re: Security section/subsection

Posted: Thu Nov 28, 2013 10:20 pm
by bubbl
DougieLawson wrote:That's a good idea. Perhaps we should start a SEPi project and borrow some of the things that SELinux have implemented.

There's too much of the "fix that with sudo" or "chmod 777 xyzzy" on here. As the RPi becomes more popular and more unsecure systems are port forwarded to the Internet then the hackers will see it as an ever easier target.

My Ubuntu system running on a small, low wattage x86 box is constantly being probed (and not just by Google's net crawlers). My RPi is still hidden behind my firewall (I can get in from outside through my Ubuntu system).
Watching the answers... there's no point.

Re: Security section/subsection

Posted: Thu Nov 28, 2013 10:20 pm
by Heater
jamesh,
Raspi runs a standard Linux. Linux security is well documented and understood. (Computer security as a whole is well documented and understood). Why does there need to be a dedicated Raspi forum for something that is already well documented?
All very true but...

What we have with the Pi is two million users many of whom know nothing about Linux or its security before they start out. What experts know about all of that is not relevant except as far as they can advise others.

Such users may not even know there is something they should google for, until something happens...

There have been dozens of posts on this forum where people described how they have connected a Pi to the net and arranged a web page it served up to control this and that. Or they have expressed a desire to do so.

How many of those have the wherewithal to set up HTTPS and generate their own self signed certificates and so on?

bubbl,
As for hacking your Pi... What's the point?
Well, you won't know until you get in there will you:)

Re: Security section/subsection

Posted: Thu Nov 28, 2013 10:24 pm
by duberry
bubbl wrote:Cool. Ignorance is bliss.
Eh what? That is the best digital security advice anyone can use;
Simply DO NOT CONNECT TO ANY NETWORK.
And you're safe, no ignorance required.

And I can't find on google the reference for this infosec bombshell! :evil:

Anyway if the forum was created it needs to be named 'insecurity section/subsection'

Re: Security section/subsection

Posted: Thu Nov 28, 2013 10:28 pm
by bubbl
duberry wrote:
bubbl wrote:Cool. Ignorance is bliss.
Eh what? That is the best digital security advice anyone can use;
Simply DO NOT CONNECT TO ANY NETWORK.
And you're safe, no ignorance required.

And I can't find on google the reference for this infosec bombshell! :evil:
oh, captain obvious, what're you doing here then, breaking your own advice? isn't it ironic? :twisted:

Re: Security section/subsection

Posted: Thu Nov 28, 2013 10:36 pm
by Heater
duberry,
Simply DO NOT CONNECT TO ANY NETWORK.
Which is about as helpful advice as telling a guy who owns a hammer never to bang nails in with it in case he bashes his thumb.

So let's take a typical scenario:

Hello everybody, I'm new to the Pi and Linux, I have a little experience of programming in C and PHP.
I'd like to tell you about my project to have the Pi control the watering system for my house plants whilst I'm away from home.
I have this great web page that controls the water supply and heating for my plants. And I can see them growing online via the Raspi's camera.
How do I ensure nobody can take over my watering system and drown my orchids?

Now, house plant safety might not be the most worrisome thing in the world, but hey, I don't want anyone killing off my plants and filling the living room up with water.

Re: Security section/subsection

Posted: Thu Nov 28, 2013 10:38 pm
by duberry
bubbl wrote:oh, captain obvious, what're you doing here then, breaking your own advice? isn't it ironic? :twisted:
a) Calculated risk
b) I'm unconcerned about the insecurity
c) I see FEAR used as tool to create new market & I'm not interested in that :shock:

Image
img-text : 'war is big business'

Re: Security section/subsection

Posted: Thu Nov 28, 2013 10:42 pm
by bubbl
Image

Re: Security section/subsection

Posted: Thu Nov 28, 2013 10:43 pm
by duberry
Heater wrote: How do I ensure nobody can take over my watering system and drown my orchids?
The honest answer is you can't. But you can try and minimise the possibility

In this case put a max water sensor to prevent over watering ....
But I don't think orchids need water? :roll:
Heater wrote: I don't want anyone killing off my plants and filling the living room up with water.
In reality of all the things a computer might kill in 2013 your plants are an unlikely target.

Re: Security section/subsection

Posted: Thu Nov 28, 2013 10:46 pm
by bubbl
duberry wrote:
bubbl wrote:oh, captain obvious, what're you doing here then, breaking your own advice? isn't it ironic? :twisted:
a) Calculated risk
b) I'm unconcerned about the insecurity
c) I see FEAR used as tool to create new market & I'm not interested in that :shock:

Image
and more and more people will ask questions like:
just wondering how you went about setting up your static ip and external ip? did you use noip.com? I want to try and use noip.com so I can access my rpi externally. I've searched around but haven't had too much success. thanks

Re: Security section/subsection

Posted: Thu Nov 28, 2013 10:47 pm
by Heater
duberry,

OK, Perhaps Orchid care was not the best example. But I thought it conveyed the point as well as any.

Re: Security section/subsection

Posted: Thu Nov 28, 2013 10:56 pm
by duberry
@"Heater"
:P I-dig ( I overunderstand your example but
The only Environment I'm concerned about the security of is not digital (call me crazy :idea: )

Re: Security section/subsection

Posted: Thu Nov 28, 2013 11:08 pm
by Joe Schmoe
Cold hard fact is that the next generation doesn't give a whit about security.

Smartphones/Androids/tablets/etc are all based on a no-security model. You are owned by every single app maker whose app you've installed. It seems to work OK for most people.

Also, why all this concern about Linux and security? Most of the world runs Windows and again, like with Smartphones, etc - Windows has only rudimentary security. Yet, people use it every day. They seem to survive.