The unique password requirement applies in the case where "a connected
device is equipped with a means for authentication outside a local area
network" which a BeagleBone does not unless the user manually forwards
ports on their router, which could be argued as the user intentionally
compromising their own security.

That being said, I still like option 2.

As for option 1: MAC addresses are visible over the network and are
therefore not secure passwords. The serial number would be programmed into
the EEPROM at the factory and is easily messed up by anyone messing with
I2C. It's also a big hassle to type in a serial number every time we flash
a board and boot the first time.

Also, I thought we did away with root:root a long time ago in favor of
debian:temppwd?

Best,
James

Dept. Mechanical & Aerospace Engineering
University of California, San Diego


On Fri, Oct 5, 2018 at 12:26 PM Robert Nelson <[email protected]>
wrote:

> So looking at:
>
>
> https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201720180SB327
>
>
> **********************************************************************************************************************************************
> SECTION 1. Title 1.81.26 (commencing with Section 1798.91.04) is added
> to Part 4 of Division 3 of the Civil Code, to read:
>
> TITLE 1.81.26. Security of Connected Devices
>
> 1798.91.04. (a) A manufacturer of a connected device shall equip the
> device with a reasonable security feature or features that are all of
> the following:
> (1) Appropriate to the nature and function of the device.
> (2) Appropriate to the information it may collect, contain, or transmit.
> (3) Designed to protect the device and any information contained
> therein from unauthorized access, destruction, use, modification, or
> disclosure.
> (b) Subject to all of the requirements of subdivision (a), if a
> connected device is equipped with a means for authentication outside a
> local area network, it shall be deemed a reasonable security feature
> under subdivision (a) if either of the following requirements are met:
> (1) The preprogrammed password is unique to each device manufactured.
> (2) The device contains a security feature that requires a user to
> generate a new means of authentication before access is granted to the
> device for the first time.
>
> **********************************************************************************************************************************************
>
>
> So to meet (1), should we just use the "serial number" on the side of
> the board, or mac address, etc...?
>
> Or to meet (2), require user to change default password, the problem,
> #2 States: "before access is granted"...  My initial fix is "after
> access is granted"...
>
> Or Option 3: ship the boards blank... ;)
>
> and what about "root:root"... do we nuke "root" by default and just
> let the user init it...
>
> Regards,
>
> --
> Robert Nelson
> https://rcn-ee.com/
>
> --
> You received this message because you are subscribed to the Google Groups
> "Beagle Alpha" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
>
