Quoting H. Nikolaus Schaller (2019-05-21 15:48:06)
> > On 21.05.2019 at 15:13, Jonas Smedegaard <[email protected]> wrote:
> > Quoting H. Nikolaus Schaller (2019-05-21 12:51:43)
> >>> On 21.05.2019 at 12:26, Jonas Smedegaard <[email protected]> wrote:
> >>> Quoting H. Nikolaus Schaller (2019-05-21 12:02:06)
> >>>>> On 21.05.2019 at 11:00, Jonas Smedegaard <[email protected]> wrote:
> >>>>> Quoting H. Nikolaus Schaller (2019-05-21 10:22:50)
> >>>>>> BTW, here is another trick: You may (not) know that LetuxOS
> >>>>>> images created by makesd come rooted. This means you can simply
> >>>>>> ssh as root into the device without password check. This is
> >>>>>> quite helpful for developers and debugging.
> >>>>>
> >>>>> A password-less network-accessible backdoor maybe unknown to the
> >>>>> system owner sounds dangerous to me: I recommend documenting
> >>>>> that very clearly (at least) everywhere passwords are currently
> >>>>> mentioned in documentation.
> >>>>
> >>>> Yes, please feel free to document it in the Wiki.

[...]

> > You really expect users to understand and document backdoors better
> > than the developers implementing them?!?
>
> No. But I am the developer and in this case you are the user - and you
> have a better understanding where this should be documented.

As quoted above, my understanding is that the best place to document
backdoor access is EVERY place frontdoor access is documented and
wherever this-device-is-insecure-by-default warnings are suitable.

> >>> Suggestion: Add a notice in /etc/motd
> >>
> >> Hm. Do you ever read/see that?
> >
> > Why on Earth would I suggest it otherwise?
>
> Ok, accepted. My fault. I assumed that because I am not using that,
> it is rare that others use it.
>
> On the other hand in LetuxOS it is not enabled. And not displayed
> anywhere.

You have openssh/dropbear/tinysshd/lsh configured to not present MOTD
when users log in via ssh?

I don't mean to imply that I always carefully read the MOTD message when
logging into systems, but recommend it as one of several places for
users to _possibly_ notice that whoa, this system has unusually low
security!!!

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
_______________________________________________
Community mailing list
[email protected]
http://lists.goldelico.com/mailman/listinfo.cgi/community
http://www.tinkerphones.org
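
Added example, not part of the thread and not LetuxOS code: a shell audit of a mounted image for the combination discussed above (root reachable over ssh without a password, and no notice in /etc/motd). The thread does not say how the password-less login is implemented; an empty root password served by OpenSSH is assumed here, and the function names, the sample tree and the crude "root" keyword match on motd are hypothetical.

```shell
#!/bin/sh
# Added example. Assumes OpenSSH sshd_config and shadow(5) formats; Match blocks,
# PAM settings and other SSH servers (dropbear, tinysshd, lsh) are not handled.

# Print the value of an sshd_config keyword (first occurrence wins), else $3.
sshd_opt() {  # $1=config file  $2=keyword  $3=default
    val=$(awk -v k="$2" 'tolower($1) == tolower(k) { print tolower($2); exit }' \
        "$1" 2>/dev/null) || val=""
    echo "${val:-$3}"
}

# Succeed if root has an empty password field in the given shadow file.
root_pw_empty() {
    grep -q '^root::' "$1" 2>/dev/null
}

# Print one verdict line for the filesystem tree rooted at $1.
audit_root() {
    cfg="$1/etc/ssh/sshd_config"
    open=no
    if root_pw_empty "$1/etc/shadow" &&
       [ "$(sshd_opt "$cfg" PermitRootLogin prohibit-password)" = yes ] &&
       [ "$(sshd_opt "$cfg" PermitEmptyPasswords no)" = yes ]; then
        open=yes
    fi
    notice=no
    # Heuristic (assumption): any mention of "root" in motd counts as a notice.
    if grep -qi 'root' "$1/etc/motd" 2>/dev/null; then
        notice=yes
    fi
    echo "passwordless_root_ssh=$open motd_notice=$notice"
}

# Constructed sample tree (hypothetical contents, not taken from a LetuxOS image).
make_sample() {
    mkdir -p "$1/etc/ssh"
    printf '%s\n' '# constructed sample' 'PermitRootLogin yes' \
        'PermitEmptyPasswords yes' > "$1/etc/ssh/sshd_config"
    printf '%s\n' 'root::18037:0:99999:7:::' > "$1/etc/shadow"
    : > "$1/etc/motd"
}

demo=$(mktemp -d)
make_sample "$demo"
audit_root "$demo"   # flags the tree: open root login, no notice in motd
rm -rf "$demo"
```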
