It's just proofs of concept, and maybe Raspbian should secure it more as it's the official distribution. All the others are just toys.
I agree in general, but in this case I feel more relaxed about it.

On Aug 4, 2012 4:20 PM, "Gary Baribault" <[email protected]> wrote:
> The default install shouldn't allow root access to SSHd. Should force
> password changes to default logins and have a list of allowed SSH users.
> Purchasers of PI computers aren't necessarily Linux gurus.
>
> Gary Baribault
>
> On 08/04/2012 10:12 AM, larry Cashdollar wrote:
>
> My argument is they should prompt the user to change the password, not
> provide an insecure image
> with the expectation that users will secure it themselves. It may be
> obvious to us, but with a good deal
> of the audience being inexperienced users it should be part of the install.
>
> Larry C$
>
> On Aug 4, 2012, at 8:55 AM, rancor <[email protected]> wrote:
>
> No shit Sherlock!
> On Aug 4, 2012 3:38 AM, "larry Cashdollar" <[email protected]> wrote:
>
>> Vapid Labs
>> Larry W. Cashdollar
>> 8/2/2012
>>
>> Since some RaspberryPi users may be unaware of the security implications of
>> sshd I thought I should just make a note of some issues.
>>
>> RaspberryPi image Occidentalis v0.1
>>
>> From the site:
>>
>> "Adafruit <3 Raspberry Pi - especially how easy it is to hack circuits using
>> the electronics breakout pins! But sadly, the latest official
>> distro "July 15 Raspbian Wheezy" did not have many of the delicious
>> hackables built in. That's why we decided to roll our own
>> distribution.
>>
>> Our distro is based on "Wheezy" but comes with hardware SPI, I2C, one wire,
>> and WiFi support for our wifi adapters. It also has
>> some things to make overall hacking easier such as sshd on startup (with key
>> generation on first boot) and Bonjour (so you can simply
>> ssh raspberrypi.local from any computer on the local network)"
>>
>> Enables ssh by default but doesn't prompt user to change root & pi account
>> passwords.
>> http://learn.adafruit.com/adafruit-raspberry-pi-educational-linux-distro/occidentalis-v0-dot-1
>>
>> Arch Linux ARM
>>
>> "Arch Linux ARM is based on Arch Linux, which aims for simplicity and full
>> control to the end user. Note that this distribution may not
>> be suitable for beginners."
>>
>> Default login of root/root with sshd enabled, doesn't prompt to change
>> password.
>> http://downloads.raspberrypi.org/images/archlinuxarm/archlinuxarm-13-06-2012/archlinuxarm-13-06-2012.zip
>>
>> If you're going to enable sshd by default please prompt the user to change
>> the default password upon first boot. If you're going to connect
>> these PIs to a network be sure to use secure passwords.
>>
>> http://vapid.dhs.org/advisories/raspberrypi_image_security.txt
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
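The three measures suggested in the thread (no root login over SSH, an explicit list of allowed SSH users, and no reliance on default passwords) can be checked against an image's sshd_config. This is an added example, not part of the original posts; the function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the points raised in this thread.
# Simplifications (assumptions): only the global section is read (parsing
# stops at the first Match block) and Include directives are not followed.

# effective_value FILE KEYWORD: print the first uncommented value of KEYWORD.
# sshd uses the first value it obtains; keywords are case-insensitive.
effective_value() {
    awk -v key="$2" '
        $1 ~ /^#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { $1 = ""; sub(/^ +/, ""); print; exit }
    ' "$1"
}

# audit_sshd_config FILE: print one finding per line; the exit status is the
# number of findings (0 means all three checks passed).
audit_sshd_config() {
    cfg=$1 findings=0
    root=$(effective_value "$cfg" PermitRootLogin)
    case $root in
        no|prohibit-password|without-password|forced-commands-only) ;;
        *) echo "root-login: PermitRootLogin is '${root:-unset}'"
           findings=$((findings + 1)) ;;
    esac
    users=$(effective_value "$cfg" AllowUsers)
    groups=$(effective_value "$cfg" AllowGroups)
    if [ -z "$users" ] && [ -z "$groups" ]; then
        echo "allow-list: no AllowUsers or AllowGroups directive"
        findings=$((findings + 1))
    fi
    pw=$(effective_value "$cfg" PasswordAuthentication)
    if [ "$pw" != "no" ]; then
        echo "password-auth: enabled, default account passwords are usable over SSH"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample resembling an image that ships with sshd enabled.
sample=$(mktemp)
printf '%s\n' 'Port 22' '#PermitRootLogin no' 'PermitRootLogin yes' > "$sample"
audit_sshd_config "$sample" || echo "findings: $?"
rm -f "$sample"
```

On the image itself, `chage -d 0 <user>` expires an account's password so that the next login has to set a new one.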
