lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Sat, 04 Aug 2012 10:12:07 -0400
From: larry Cashdollar <larry0@...com>
To: rancor <therancor@...il.com>
Cc: full <full-disclosure@...ts.grok.org.uk>
Subject: Re: some distros for Raspberry Pi have sshd
 enabled and default logins.

My argument is they should prompt the user to change the password, not provide an insecure image
With the expectations that users will secure it themselves. It maybe obvious to us, but with a good deal
Of the audience being inexperienced users it should be part of the install.


Larry C$

On Aug 4, 2012, at 8:55 AM, rancor <therancor@...il.com> wrote:

> No shit Sherlock!
> 
> On Aug 4, 2012 3:38 AM, "larry Cashdollar" <larry0@...com> wrote:
> Vapid Labs
> Larry W. Cashdollar
> 8/2/2012
> 
> 
> Since a some RaspberryPi users maybe unaware of the security implications of sshd I thought I should just make a note of some issues.
> 
> RaspberryPi image Occidentalis v0.1
> 
> >From the site:
> 
> "Adafruit <3 Raspberry Pi - especially how easy it is to hack circuits using the electronics breakout pins! But sadly, the latest official 
> distro "July 15 Raspbian Wheezy" did not have many of the delicious hackables built in. That's why we decided to roll our own 
> 
> distribution. 
> 
> Our distro is based on "Wheezy" but comes with hardware SPI, I2C, one wire, and WiFi support for our wifi adapters. It also has 
> some things to make overall hacking easier such sshd on startup (with key generation on first boot) and  Bonjour (so you can simply 
> 
> ssh raspberrypi.local from any computer on the local network)"
> 
> Enables ssh by default but doesn't prompt user to change root & pi account passwords. 
> 
> http://learn.adafruit.com/adafruit-raspberry-pi-educational-linux-distro/occidentalis-v0-dot-1
> 
> Arch Linux ARM
> 
> "Arch Linux ARM is based on Arch Linux, which aims for simplicity and full control to the end user. Note that this distribution may not 
> be suitable for beginners."
> 
> Default login of root/root with sshd enabled, doesn't prompt to change password.
> 
> http://downloads.raspberrypi.org/images/archlinuxarm/archlinuxarm-13-06-2012/archlinuxarm-13-06-2012.zip
> 
> If your going to enabled sshd by default please prompt the user to change the default password upon first boot. If your going to connect 
> these PIs to a network be sure to use secure passwords.
> 
> 
> http://vapid.dhs.org/advisories/raspberrypi_image_security.txt
> 
> 
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ