We need security!



  • It looks like nobody has given any attention at all to security!

    In the setup guide (http://docs.tingbot.com/guides/setup/), please provide instructions, and mention that it is CRUCIAL, to immediately change the password for the pi user from raspberry into something sensible.

    Next, Tide includes the tingbot.key that can be used to SSH into ANY tingbot that has not removed the key from /home/pi/.ssh/authorized_keys. This key is not even limited to some kind of tool just for installing tingbot apps.

    Finally, why, oh why, do all tingapps run as root???! (That's not a question, fix it!)

    INSTRUCTIONS:

    1. Find the IP address of your Tingbot using Tide (dropdown menu in the top right). Let's say the IP is 1.2.3.4. Below, replace 1.2.3.4 with the IP of your Tingbot.

    2. SSH into your Tingbot, password is "raspberry" (without the quotes):
      ssh pi@1.2.3.4

    3. Change the password:
      passwd
      (type old password "raspberry", think of a new password, enter it twice)

    4. Change the default SSH key. On your Mac, generate a new keypair:
      cd /Applications/Tide.app/Contents/Resources/vendor/tide-packages/tbtool
      ssh-keygen
      (it asks for a filename, type: "tingbot.key" (without the quotes), overwrite yes)

    5. Copy the contents of the file tingbot.key.pub to the tingbot as /home/pi/.ssh/authorized_keys overwriting the old one.

    I guess now your tingbot is somewhat secure... Have fun not being hacked!

    If you did not understand these instructions, DEMAND that the Tingbot OS will be secured, as the current state is UNACCEPTABLE. Do not accept excuses like "you will be behind a NAT anyway".
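
A check for the result of step 5, as an added example that is not part of the original post and not Tide or Tingbot code: it reports whether a given public key is still trusted by an authorized_keys file, including when the entry carries an options prefix. It assumes you kept the public half of the originally shipped key in a file (the name `shipped.pub` in the usage comment is hypothetical).

```shell
#!/bin/sh
# Added example: confirm that a shipped SSH key is no longer authorized.
# Usage (file names are assumptions):
#   . ./check_key.sh
#   shipped_key_removed /home/pi/.ssh/authorized_keys shipped.pub; echo $?

# Print the base64 key blob of every key line read from stdin.
# authorized_keys lines may begin with options (command="...",no-pty),
# so find the key-type token and print the field right after it.
key_blob() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # skip comments and blank lines
        {
            for (i = 1; i < NF; i++)
                if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-[a-z0-9-]+|sk-[a-z0-9@.-]+)$/) {
                    print $(i + 1)
                    next
                }
        }'
}

# $1 = authorized_keys file, $2 = public key file to look for.
# Returns 0 if the key is absent, 1 if it is still authorized,
# 2 if either file is unreadable or holds no key.
shipped_key_removed() {
    auth_file=$1
    pub_file=$2
    [ -r "$auth_file" ] && [ -r "$pub_file" ] || return 2
    shipped=$(key_blob < "$pub_file" | head -n 1)
    [ -n "$shipped" ] || return 2
    # Compare key material only; the trailing comment field is ignored,
    # so a renamed entry for the same key is still caught.
    if key_blob < "$auth_file" | grep -qxF -- "$shipped"; then
        return 1
    fi
    return 0
}
```

Comparing the key blob rather than the whole line matters because the same key can appear with a different comment or with options in front of it.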


  • Core team

    Hi tader

    I think you make some good points, but first I'd like to discuss some of the design philosophies behind Tingbot.

    When we started work on Tingbot, our ambition was to create a platform that removes as much friction as possible from the joy of creating with software. We built this platform on top of Linux, which is great: we can build on the work of the great Raspberry Pi community.

    Linux, however, has some different design goals. Being primarily a server OS, security is paramount, and it also brings a lot of stuff from the UNIX world (multiple users, permission model).

    So:

    • Yes, Tingbot is accessible to anyone on the local network, without a password. This is what we wanted, because we wanted to make a device that’s easy to use.

      Tingbot works more like a Sonos, or a Chromecast. You don’t require a password to play music on Sonos speakers, once you're on the network. Most people have secure Wifi these days, and NAT prevents traffic from the internet, so I think this is a reasonable default. (and FWIW, all Raspberry Pis ship like this, with their password as 'raspberry').

      But, all networks are different, so I'm now considering adding some other auth methods so the Tingbots can be more locked down, at the user's discretion.

    • The apps run as root.

      The Unix permission model doesn't make sense on an embedded system. It would be silly to need 'sudo' to write to a pin on Arduino. 'Permission denied' really trips up and frustrates beginners. If you own a device, you shouldn’t have to argue with it to get it to do what you want.

      The upside of 'root' is never limiting users with ‘permission denied’, the downside is the possibility that you might write a program that hoses your SD card, in which case you can reflash it and reinstall your apps, which are still on your PC. I think it's a good trade-off!

    Sorry if that got a bit rambly. I realise that security can be a hot topic, but hopefully this will give you some idea of where we're coming from!

    Joe

