• 0 Posts
  • 20 Comments
Joined 2 years ago
Cake day: June 12th, 2023



  • None of this forces you to use their imager though… It’s barely a hoop, most people running multiple Pis as servers will have done this for a reason other than ssh anyway.

    And yes one solution to this security problem is to require changing the username and password, the more effective solution is to not have the process running at all, unless specifically enabled. I’m sure that sentence sounds familiar from your company’s security team.

    Raspberry Pis serve a lot of purposes, many of those purposes don’t need ssh. But if you enable it by default that opens the Pi up to being a target, which we saw be a huge problem before this change.

    Also, this is not the only distribution that has ssh disabled by default. It’s just the only popular distribution I’m aware of that doesn’t have a server image option 🤷‍♂️ it’s actually standard security procedure.

    For example, if you install Ubuntu desktop, it’ll have ssh disabled, because it is standard. Pretty much any distro should do this as well as long as it’s not their “server” ISO.

    In any case it’s a good practice to back up your images regardless of what hardware you’re running on, especially if you’re running a cluster, it allows for easy reproduction across the cluster.
















  • So the person you cross-posted this from does not seem to have read this.

    This is not impactful of extensions or different browsers. The main point of this actually seems to be replacing captcha.

    The dumbed down version is, attestation of the software stack such that it is reasonable to assume a human is actually using it and not an automated process.

    Quite frankly, as a web dev I can already prevent certain browsers from accessing my webpage by trying to access unique functions of a browser as a condition of loading the rest of the content.

    So what the other user is concerned about already exists, in fact Google Meet already does this to prevent Firefox users from accessing certain features, changing user agent doesn’t change the outcome of whether or not the features are available. (In this case it’s because Firefox will crash, but most of the time this is done for bad reasons).

    Edit: this is the most reasonable criticism https://github.com/RupertBenWiser/Web-Environment-Integrity/issues/44

    I do agree with it completely (that the proposal can’t actually work).
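
Added example (not part of the comment above, and not code from any site it mentions): a sketch of the feature-detection gating the comment describes, showing why changing the user agent string does not change the outcome. The browser objects, the `BrowserA`/`BrowserB` names and the feature paths are constructed placeholders, not real APIs.

```javascript
// Hypothetical feature paths a page might require before loading its content.
const REQUIRED = ["mediaPipeline.insertableStreams", "gpu.compute"];

// Walk a dotted path and report whether the environment really exposes a callable there.
function hasFeature(env, path) {
  let node = env;
  for (const key of path.split(".")) {
    const walkable = node !== null && (typeof node === "object" || typeof node === "function");
    if (!walkable || !(key in node)) return false;
    node = node[key];
  }
  return typeof node === "function";
}

// Gate 1: trust the self-reported user agent string.
function gateByUserAgent(env) {
  return /BrowserA\//.test(env.navigator.userAgent);
}

// Gate 2: probe for the capabilities themselves and report which are missing.
function gateByFeatures(env, required = REQUIRED) {
  const missing = required.filter((path) => !hasFeature(env, path));
  return { allowed: missing.length === 0, missing };
}

// Constructed window-like objects standing in for two browsers.
const browserA = {
  navigator: { userAgent: "Mozilla/5.0 BrowserA/1.0" },
  mediaPipeline: { insertableStreams() {} },
  gpu: { compute() {} },
};
const browserB = {
  navigator: { userAgent: "Mozilla/5.0 BrowserB/1.0" },
  mediaPipeline: {}, // lacks insertableStreams
  gpu: { compute() {} },
};
// Same engine as browserB, but reporting browserA's user agent string.
const browserBSpoofed = { ...browserB, navigator: { userAgent: browserA.navigator.userAgent } };

// Summarise both gates for one environment.
function compare(env) {
  return { byUserAgent: gateByUserAgent(env), byFeatures: gateByFeatures(env) };
}

for (const [name, env] of Object.entries({ browserA, browserB, browserBSpoofed })) {
  console.log(name, JSON.stringify(compare(env)));
}
```

The spoofed environment passes the user agent gate but is still refused by the feature gate, which also names the capability it lacks.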