
Security quotes of the week

My personal battle was not to burn down the NSA or the CIA. I even think they actually do have a useful role in society when they limit themselves to the truly important threats that we face and when they use their least intrusive means. We don't drop atomic bombs on flies that land on the dinner table. Everybody gets this except intelligence agencies.
Edward Snowden (Thanks to Paul Wise.)

A Raspberry Pi is a tiny computer designed for [makers] and all sorts of Internet-of-Things types of projects. Make magazine has an article about securing it. Reading it, I am struck by how much work it is to secure. I fear that this is beyond the capabilities of most tinkerers, and the result will be even more insecure IoT devices.
Bruce Schneier


Security quotes of the week

Posted Sep 14, 2017 13:54 UTC (Thu) by excors (subscriber, #95769)

The RPi article says "By default, Raspbian installs a remote access shell (SSH) that can be accessed from anywhere". I don't think that's true - SSH was disabled by default almost a year ago, so you have to explicitly enable it with raspi-config (or with a magic file in the boot partition), and it'll warn if you enable SSH without changing the "pi" user's default password ("raspberry"). See e.g. https://www.raspberrypi.org/blog/a-security-update-for-ra..., https://www.raspberrypi.org/documentation/remote-access/ssh/.

(I mean, it's still pretty bad from a security point of view, but at least it's not as utterly terrible as it was before.)

Security quotes of the week

Posted Sep 14, 2017 21:05 UTC (Thu) by pizza (subscriber, #46)

> SSH was disabled by default almost a year ago

To this day, I get inquiries from folks who are using brand-new RPis with Raspbian images far older than that.

Never underestimate the staying power of long-obsolete software.
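The two comments above describe the state a Raspbian card may actually be in: SSH switched on by the flag file on the boot partition (or by raspi-config), the pi/raspberry credential still in place, and an image old enough to predate the change. The script below is an added example for this page, not code from either commenter or from the Raspberry Pi Foundation; it audits a mounted card (boot partition plus rootfs, or an extracted image) offline. The `ssh` flag file, the pi user and the "raspberry" password come from the comment; the systemd unit path is the ordinary Debian layout; the `/etc/rpi-issue` check assumes that file carries the image build date in ISO form, which is my assumption. The sample tree it builds for the demo is constructed, not captured from a real card.

```python
"""Offline audit of a Raspbian SD card for the defaults discussed above.

Added example, not Raspberry Pi Foundation code.  Run with the two
mount points: python3 audit_rpi.py /mnt/boot /mnt/rootfs
"""
import os
import re
import sys
import tempfile

DEFAULT_USER = "pi"
DEFAULT_PASSWORD = "raspberry"   # Raspbian's shipped credential, per the comment above


def parse_sshd_config(text):
    """Effective global sshd settings.  sshd honours the FIRST occurrence of a
    keyword, and everything after a Match block is conditional, so stop there."""
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, val = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        cfg.setdefault(key, val)                       # first wins, like sshd
    return cfg


def shadow_hash(shadow_text, user):
    """Password field for `user` from /etc/shadow text, or None if absent."""
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) > 1 and fields[0] == user:
            return fields[1]
    return None


def password_matches(hash_field, candidate):
    """True/False if the shadow hash matches `candidate`; None if it cannot be
    checked (the crypt module was removed from the stdlib in Python 3.13)."""
    try:
        import crypt  # deprecated, but the portable way to verify a shadow hash
        return crypt.crypt(candidate, hash_field) == hash_field
    except (ImportError, OSError, ValueError):
        return None


def audit(boot_dir, root_dir):
    """Return a list of finding tags for a mounted boot partition + rootfs."""
    findings = []
    if os.path.exists(os.path.join(boot_dir, "ssh")):      # the 'magic file'
        findings.append("ssh-enabled-by-boot-flag")
    unit = "etc/systemd/system/multi-user.target.wants/ssh.service"
    if os.path.lexists(os.path.join(root_dir, unit)):      # symlink, may dangle offline
        findings.append("ssh-enabled-in-systemd")

    shadow_path = os.path.join(root_dir, "etc/shadow")
    if os.path.exists(shadow_path):
        with open(shadow_path) as f:
            h = shadow_hash(f.read(), DEFAULT_USER)
        if h is not None:
            if h == "":
                findings.append("pi-no-password")
            elif not h.startswith(("!", "*")):             # '!'/'*' means locked
                findings.append("pi-password-login-possible")
                match = password_matches(h, DEFAULT_PASSWORD)
                if match:
                    findings.append("pi-default-password")
                elif match is None:
                    findings.append("pi-default-password-unverified")

    sshd_path = os.path.join(root_dir, "etc/ssh/sshd_config")
    if os.path.exists(sshd_path):
        with open(sshd_path) as f:
            cfg = parse_sshd_config(f.read())
        # fall back to sshd's compiled-in defaults when a keyword is commented out
        if cfg.get("passwordauthentication", "yes").lower() == "yes":
            findings.append("sshd-password-auth")
        if cfg.get("permitrootlogin", "prohibit-password").lower() == "yes":
            findings.append("sshd-root-password-login")

    issue_path = os.path.join(root_dir, "etc/rpi-issue")   # assumed: build date lives here
    if os.path.exists(issue_path):
        with open(issue_path) as f:
            m = re.search(r"\d{4}-\d{2}-\d{2}", f.read())
        if m:
            findings.append("image-date:" + m.group(0))     # compare against current release
    return findings


def build_sample(base):
    """Write a constructed image tree showing every weak default (demo input)."""
    files = {
        "boot/ssh": "",                                          # empty flag file
        "rootfs/etc/shadow": "root:*:17400:0:99999:7:::\n"
                             "pi:$6$constructedsalt$notarealhash:17400:0:99999:7:::\n",
        "rootfs/etc/ssh/sshd_config": "#PasswordAuthentication yes\n"
                                      "PermitRootLogin prohibit-password\n"
                                      "PermitRootLogin yes\n",   # ignored: first wins
        "rootfs/etc/rpi-issue": "Raspberry Pi reference 2017-09-07\n",
    }
    for rel, content in files.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(content)
    wants = os.path.join(base, "rootfs/etc/systemd/system/multi-user.target.wants")
    os.makedirs(wants, exist_ok=True)
    try:
        os.symlink("/lib/systemd/system/ssh.service", os.path.join(wants, "ssh.service"))
    except OSError:                                              # no symlink support
        open(os.path.join(wants, "ssh.service"), "w").close()
    return os.path.join(base, "boot"), os.path.join(base, "rootfs")


def run_demo():
    """Audit the constructed sample tree; returns the finding tags."""
    return audit(*build_sample(tempfile.mkdtemp()))


if __name__ == "__main__":
    result = audit(sys.argv[1], sys.argv[2]) if len(sys.argv) == 3 else run_demo()
    print("\n".join(result) or "no findings")
```

On a real card the three findings that matter together are `ssh-enabled-*`, `pi-password-login-possible` and `sshd-password-auth`: that combination is the exposed box the Make article worries about. A `pi-default-password-unverified` tag only means the hash could not be checked on this interpreter, not that the password was changed.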

Schneier RPi alarmism

Posted Sep 21, 2017 4:28 UTC (Thu) by Garak (guest, #99377)

The linked article comes off to me as having nothing (security related) specific to do with RPi vs the larger subset of debian linux systems. I guess the concern is that the RPi has a trajectory of increasing the number of people 'administering' debian linux systems, and as such that larger base of systems- that larger base of linux system administrators, will include those that make variously suboptimal security choices. So more people in 2020 will succumb to problems that fewer of us faced two decades earlier. The article goes out of its way to FUD people away from appliance/pre-cooked images. Obviously with many true statements. But in the long run, if not already, I presume the trajectory of RPi and RPi successors is to be deployed as appliances, where there is effectively a linux distributor kiosking all this complexity away from the vast majority of RPi owners. And like the wider embedded device/appliance market, it will be the long understood jungle rules, wild west, and NSA creeping around the tubes. This seems an odd thing for Schneier/LWN to focus on in this way (really, the Make article is a straight-up intro to the basic life of a debian admin). Very little nuance is given in the article as to the threat models for each advised thing, and the common situations where a threat model would obviate the effort of that mitigation. But maybe the RPi and IoT are buzzwords that permeate a broader audience of readers that popular writers are targeting. I for one am not worried about the relative significance of impacts from the security issues of RPis when looking at the total deployed devices picture. But sure, the RPi community could use a dose of either 'the real cyberjungle is a brutal battlefield' or 'the real reason your RPi hasn't been Pwn3d is because the NSA has been doing things you probably would object to if you knew about them in detail'.


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds