Raspberry Pi sours thanks to mining malware

Anti-virus vendor Dr. Web has found something nasty: malware named “Linux.MulDrop.14” that turns the Raspberry Pi into a cryptocurrency mining machine. To catch the malware you'll need to leave your rPi on with SSH ports open. If you've done so and the malware's scripts make their way into your Pi, they'll install zmap, …

  1. Maventi
    WTF?

    Uh, that looks more like a typical crypt password hash (in this case SHA-512) rather than an actual password.

    It's a shame this worm is even a thing; recent-ish Raspbian versions warn you every time you log in via SSH if you retain the default password.

    I'd have expected that most folks knowledgeable enough to get a public IP directly to their Pi (even if via port forwarding) should know better, but I guess you learn something every day.
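The comment above points out that the string in the malware's script is a crypt-style SHA-512 hash, not a password. As an added example (not from the article or any commenter), here is a small parser for the glibc crypt(3) `$id$[rounds=N$]salt$digest` layout, plus a check over /etc/shadow-style lines that reports which accounts are locked, passwordless, or carry which hash scheme. The hash and shadow lines are constructed samples, not real values.

```python
import re

# glibc crypt(3) schemes that use the "$id$[rounds=N$]salt$digest" layout.
CRYPT_SCHEMES = {"1": "MD5-crypt", "5": "SHA-256-crypt", "6": "SHA-512-crypt"}
B64_CHARS = re.compile(r"^[./A-Za-z0-9]+$")

# Constructed sample: a salt and an 86-character digest in the SHA-512-crypt alphabet.
# It is not the hash of any real password.
SAMPLE_HASH = (
    "$6$N0tRealS4lt$"
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789./"
    "abcdefghijklmnopqrstuv"
)

# Constructed /etc/shadow-style lines (user:password-field:... ).
SAMPLE_SHADOW = [
    "root:*:17500:0:99999:7:::",
    "pi:" + SAMPLE_HASH + ":17500:0:99999:7:::",
    "guest::17500:0:99999:7:::",
]


def parse_crypt_hash(value):
    """Split a crypt-style string into its fields.

    Returns a dict with scheme, rounds (None when the scheme default applies),
    salt and digest, or None when the value does not follow the layout.
    """
    if not value.startswith("$"):
        return None
    fields = value.split("$")[1:]          # drop the empty piece before the first '$'
    if len(fields) < 3:
        return None
    scheme = CRYPT_SCHEMES.get(fields[0])
    if scheme is None:
        return None
    rounds = None
    rest = fields[1:]
    if rest[0].startswith("rounds="):
        try:
            rounds = int(rest[0][len("rounds="):])
        except ValueError:
            return None
        rest = rest[1:]
    if len(rest) != 2:
        return None
    salt, digest = rest
    if not (B64_CHARS.match(salt) and B64_CHARS.match(digest)):
        return None
    return {"scheme": scheme, "rounds": rounds, "salt": salt, "digest": digest}


def describe_secret(value):
    """Say whether a string found in a script is a crypt hash or a literal password."""
    parsed = parse_crypt_hash(value)
    if parsed is None:
        return "literal password (or unknown format)"
    rounds = parsed["rounds"] if parsed["rounds"] is not None else "default"
    return f"{parsed['scheme']} hash, salt={parsed['salt']!r}, rounds={rounds}"


def audit_shadow_lines(lines):
    """Map each account in shadow-style lines to the state of its password field."""
    report = {}
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 2:
            continue
        user, pw_field = parts[0], parts[1]
        if pw_field == "":
            report[user] = "EMPTY: password-less login possible"
        elif pw_field.startswith(("!", "*")):
            report[user] = "locked"
        else:
            parsed = parse_crypt_hash(pw_field)
            report[user] = parsed["scheme"] if parsed else "unrecognised hash format"
    return report


if __name__ == "__main__":
    print(describe_secret(SAMPLE_HASH))
    print(describe_secret("raspberry"))
    for user, state in audit_shadow_lines(SAMPLE_SHADOW).items():
        print(f"{user}: {state}")
```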

    1. Doctor Syntax Silver badge

      "recent-ish Raspbian versions warn you every time you log in via SSH if you retain the default password."

      Also, IIRC, Raspbian ships with sshd off by default. Turning it on is an option in the raspi-config script. It wouldn't be difficult to add a step to the script to require a password change at the same time.

      There are probably conflicting requirements here. While we - and, I'm sure, the Raspbian team - know that this would be a Good Thing, the device is aimed at youngsters and it's quite likely that they'd lock themselves out by forgetting the password. However, flashing a new card would be a quick fix for that.

  2. Stevie

    Bah!

    Nonono, this has been disproved on any number of El Reg comment threads per various nice Mac users; malwear and virus writers only target inferior machines with inferior operating systems. Sheer target count is of no importance whatsoever.

    1. Anonymous Coward

      Re: Bah!

      Those nice Mac users who conveniently forget the regular results of the zero day hacking competitions.

    2. ma1010

      Re: Bah!

      "Malwear"? I think you mean "malware." Although I've seen a fair number of examples of "malwear" at the mall.

    3. Ian Joyner Bronze badge

      Re: Bah!

      There are technical reasons why the Unix used on Mac is more secure than Linux.

      There are quality reasons why Mac is more secure than Windows.

      There are enough people with malicious intent toward Apple and its users to mount attacks - but they go for the low-hanging fruit. Apple's response to any breach would be quick.

      Now playing around with Pi is great for hobbyists and nice and cheap. You can load Linux on it. But keep it off the net and don't use it for serious work where you need security.

      The cost of a computer system is not the hardware - it is the software. People think they can get that for free, but won't get the protection. You get what you pay for. Software and end-user requirements should be the drivers of the industry - not hardware and prices.

      1. Anonymous Coward

        Re: Bah!

        "There are technical reasons why the Unix used on Mac is more secure than Linux."

        Care to enumerate?

        1. Dave Bell

          Re: Bah!

          The Mac uses a BSD base. Maybe no more secure, but it is different. I can see how Linux might be a bit less secure for other reasons, but Windows is the existence proof for closed source not being safer.

        2. Ian Joyner Bronze badge

          Re: Bah!

          >>"There are technical reasons why the Unix used on Mac is more secure than Linux."

          Care to enumerate?<<

          Yes, Linux trades off security for speed. IPC is the critical factor in security. For speed, Linux allows processes to communicate directly. In MacOS, based on Darwin with the Mach Kernel, all IPC is by default brokered through Mach and checked. Apple has some exceptions for speed. But they are the exceptions - in Linux they are the norm.

          Now that is not a bad thing, but in Linux you must manage and ensure your system is protected. That is alright for servers where professionals run them and are careful about what gets installed. End users just download whatever app they feel like. Of course Apple tests the apps for them - so really end users are doubly protected.

          You did not ask about why I should say "There are quality reasons why Mac is more secure than Windows" - I guess that one is obvious!

          1. Richard Plinston

            Re: Bah!

            > End users just download whatever app they feel like. Of course Apple tests the apps for them - so really end users are doubly protected.

            Linux distro makers test the 'apps' for them and put these in the repository - so really, end users are doubly protected.

            1. Ian Joyner Bronze badge

              Re: Bah!

              'Linux distro makers test the 'apps' for them and puts these in the repository - so really, end users are doubly protected.'

              Not sure what you mean here. Linux distributions test Linux and apps in the base release, but I don't think apps in general.

              1. Kiwi

                Re: Bah!

                'Linux distro makers test the 'apps' for them and puts these in the repository - so really, end users are doubly protected.'

                Not sure what you mean here. Linux distributions test Linux and apps in the base release, but I don't think apps in general.

                Everything in the standard repositories is tested and approved either by the distro maker or by someone they trust.

                You can install software from outside sources (including the same 3 sites I listed in an earlier message), but in general using the "software manager" makes that unnecessary. I believe I've heard that it could be done with iOS as well, but ICBW.

              2. Richard Plinston

                Re: Bah!

                > Not sure what you mean here. Linux distributions test Linux and apps in the base release, but I don't think apps in general.

                This was in response to someone saying the same about Apple in a message about MacOS that was saying it was more secure because Apple tested stuff (when it seems he was confusing it with iOS).

                In fact with Linux there are _thousands_ of programs in the distro's repository so there is little need to look for alternate sources that may be insecure, and zero need for WareZ.

          2. Kiwi

            Re: Bah!

            End users just download whatever app they feel like. Of course Apple tests the apps for them - so really end users are doubly protected.

            Rubbish. Absolute ejected-from-a-bull's-arse rubbish.

            mac.softpedia.com

            download.cnet.com/apps/mac/

            en.softonic.com/mac

            What's this about Apple "testing all the apps" hmm? Just 3 of a huge many rather untrustworthy places that have software for Macs. There are also places I'd happily download software for WinXP from that also let you get stuff for Macs, and maybe the majority are trustworthy, maybe not. But there is NOTHING stopping a Mac user from visiting a dodgy website, downloading a dodgy program, and installing it.

            Stuff for Linux in general comes from a repository, and I teach converts to either use stuff in the standard repos or give me a call first. Have only once had one of those calls. Last I checked (just after I started this reply) apple.com comes a few down the list for "firefox for mac" on Google, takes the top spot for "safari for mac" but the next 3 are malware sites. Some other software searches give better results (for Apple), but they don't support my argument so I'll gloss over them, but several others also put malware sites higher in the results than Apple. Unless you can convince people to look for official sites rather than the top billed, they'll get stung.

            Disclaimer : Last time I looked at the sites linked above they were quite bad for PUPs, bundled adware, and a number of other nasties that may not quite be classified as "virus" and by some not even as "malware", but still bad, and in a few cases the adware/etc was known to either open up other security holes or download other stuff that was even worse. That was over a year ago and one or more of these sites may've cleaned up their act since then, in which case I apologise for saying they're malware distributors and invite them to publicly challenge my statements on this forum, with evidence of them cleaning up their act.

            1. Ian Joyner Bronze badge

              Re: Bah!

              "End users just download whatever app they feel like. Of course Apple tests the apps for them - so really end users are doubly protected.

              What's this about Apple "testing all the apps" hmm? Just 3 of a huge many rather untrustworthy places that have software for Macs"

              Yes, you are right - my comments were about iOS, not about Macs. I was replying a bit out of context on that count. I don't know if I'd support MacOS going to the same strict controls as iOS.

              1. Kiwi

                Re: Bah!

                Yes, you are right - my comments were about iOS, not about Macs. I was replying a bit out of context on that count. I don't know if I'd support MacOS going to the same strict controls as iOS.

                Oh, in that case I "withdraw my objection" at least in part (my understanding is the Apple app store is much better than Android for security, however my knowledge in these matters is rather limited!)

                Thank you for the clarification.

      2. tr1ck5t3r

        Re: Bah!

        Yes those expensive chips which can have their firmware updated coupled with CPU virtualisation is not the issue, if the malware can hack your bios, switch on CPU virtualisation and then load itself up before the main OS.

        Probably explains why Stuxnet, Duqu, BadBios to name just a few names given to a suite of malicious code that exploits the unfiltered USB bus and direct hardware access provided by CPU virtualisation.

        https://www.theregister.co.uk/2017/05/01/intel_amt_me_vulnerability/

        HD firmware updates some going back to the 90's http://files.hddguru.com/index.php

        Bios https://www.coreboot.org/

        Just how many lines of machine code does it take to inject a jump to load malicious code stored elsewhere in a system where most of its USB devices like printers with updatable firmware are always plugged in?

        How much spare space is on a chip allowing for any future updates?

        How can your Antivirus system scan for malicious code if its stored on the chips?

        Have you got a bios which can not be updated from the OS?

        Software or rather the OS is just one part of the problem when you can so easily update the firmware on your chips. Long gone are the days when you had to peel the label off and expose the quartz window to UV light to blank an EEPROM before placing it in an offline programmer to reflash it.

        Sometimes convenience has its pitfalls!

        Question is, who is behind this malware that targets so many cpu's using different instruction sets?

      3. Chemist

        Re: Bah!

        "Now playing around with Pi is great for hobbyists and nice a cheap. You can load Linux on it. But keep it off the net and don't use it for serious work where you need security."

        Are you really suggesting that using a Pi properly is in any way riskier than anything else *? Good practice is what is necessary (combined with updated software). No computer is likely to be 'safe' when used incorrectly. I use ssh to access my systems from outside (and only ssh) through an unusual port with an unusual username and certificates to reach both a pi and x86 on my home network. I'm conscious that two points are worse than one so I'm planning to have the Pi as the only access point.

        Connecting your system to the internet requires some knowledge - education is necessary to discourage naive users from doing so.

        * commonly available hardware.
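The setup described in the comment above (non-default port, non-default username, no password logins) is the kind of thing worth checking automatically before a Pi is exposed. As an added example (not the commenter's setup or any project's code), here is a small audit over sshd_config text that resolves the effective global settings the way sshd does, first occurrence wins and Match blocks are conditional, and lists the weak settings. The two configurations, the port number and the username `rp_ops` are constructed samples.

```python
import re

# Values sshd uses when a keyword is absent (see sshd_config(5)).
SSHD_DEFAULTS = {
    "port": "22",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "permitrootlogin": "prohibit-password",
    "allowusers": None,
}

# Constructed sample: what a stock-looking configuration tends to contain.
WEAK_CONFIG = """\
# constructed sample
Port 22
PasswordAuthentication yes
PermitRootLogin yes
"""

# Constructed sample following the approach described in the comment.
HARDENED_CONFIG = """\
# constructed sample; port and username are placeholders
Port 2222
PasswordAuthentication no
PermitEmptyPasswords no
PermitRootLogin no
PubkeyAuthentication yes
AllowUsers rp_ops
"""


def effective_settings(text):
    """Resolve the global value of each audited keyword from sshd_config text.

    sshd honours the FIRST occurrence of a keyword, so duplicates lower down are
    ignored, and everything under a Match block is conditional, so parsing stops there.
    Only lines starting with '#' are comments in sshd_config.
    """
    settings = dict(SSHD_DEFAULTS)
    seen = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)   # "Port 22" or "Port=22"
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        if key in settings and key not in seen:
            seen.add(key)
            settings[key] = value
    return settings


def audit_sshd_config(text, default_accounts=("pi",)):
    """List the weak settings an internet-facing Pi should not be running with."""
    s = effective_settings(text)
    findings = []
    if s["port"] == "22":
        findings.append("listening on the default port 22")
    if s["passwordauthentication"].lower() == "yes":
        findings.append("password authentication enabled; allow keys only")
    if s["permitemptypasswords"].lower() == "yes":
        findings.append("empty passwords accepted")
    if s["permitrootlogin"].lower() == "yes":
        findings.append("root may log in directly")
    if s["allowusers"] is None:
        findings.append("no AllowUsers list; every local account may attempt login")
    else:
        allowed = s["allowusers"].split()
        for acct in default_accounts:
            if acct in allowed:
                findings.append(f"AllowUsers still includes default account {acct!r}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_sshd_config(cfg) or ['no findings']}")
```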

        1. Ian Joyner Bronze badge

          Re: Bah!

          "Are you really suggesting that using a Pi properly is in any way riskier than anything else *?"

          Yes. The Pi is meant for playing around or research into future systems. It is a good and cheap platform for that, but don't expect too much of it.

          "No computer is likely to be 'safe' when used incorrectly."

          That is why well-designed systems come with built in checks to make sure you don't use them incorrectly. So yes, you can attempt to do incorrect things and be stopped. The quicker you are stopped the better.

          "Connecting your system to the internet requires some knowledge - education is necessary to discourage naive users from doing so."

          That is the wrong approach. Computers are now widely used because we don't demand that end users need education to run systems correctly. Why should 'naive' users not use the Internet? That is exactly what they should do - the onus is on the system providers to make sure their systems are safe - at least as safe as possible.

          On the other hand, I think it is the naivety of the software community that we should be wary of in their 'trust the programmer' attitudes. No you can't trust programmers - that is naive.

          1. Richard Plinston

            Re: Bah!

            > Yes. The Pi is meant for playing around or research into future systems. It is a good and cheap platform for that, but don't expect too much of it.

            The Pi is running exactly the same operating system as is run on anything from phones and embedded devices to supercomputers. It is no riskier than any other computer, and a lot less than many.

            > That is why well-designed systems come with built in checks to make sure you don't use them incorrectly.

            Who is it that defines what is 'incorrect' ?

            1. Ian Joyner Bronze badge

              Re: Bah!

              Richard Plinston: "Who is it that defines what is 'incorrect' ?"

              What is correct and incorrect is decided by the system designer. It is related to GIGO - Garbage In, Garbage Out - except we'd rather trap the garbage in and not do the computation.

              This is a very, very important design step in any system. Define the constraints and the axioms (rules) by which the system works. It is essential documentation for understanding the system. Most programmers know of such axioms for correctness as preconditions and postconditions or assertions.

              This is fundamental to software correctness and well designed systems.

              https://www.cs.cmu.edu/~crary/819-f09/Hoare69.pdf

              If you haven't decided what is incorrect and conversely correct, you don't really have a system design.

              1. Richard Plinston

                Re: Bah!

                > What is correct and incorrect is decided by the system designer.

                Then you don't understand what is meant by the term 'general purpose computer'. You want to have systems that are rigidly 'special purpose' and anything not specifically allowed by the 'designer' should be considered 'incorrect' and thus not allowed.

                1. Ian Joyner Bronze badge

                  Re: Bah!

                  Richard Plinston: "Then you don't understand what is meant by the term 'general purpose computer'. You want to have systems that are rigidly 'special purpose' and anything not specifically allowed by the 'designer' should be considered 'incorrect' and thus not allowed."

                  I certainly understand what is meant by 'general-purpose computer' and Universal Turing Machine. Yes, something without constraints you can do anything with - but it is exactly that power that makes them completely useless. To put other useful machines on top, you define the constraints that make them into those other machines. I suggest you read Roy Fielding's thesis which starts with the null architecture - no constraints - and introduces constraints until we arrive at a useful paradigm.

                  https://www.ics.uci.edu/~fielding/pubs/dissertation/fielding_dissertation.pdf

                  Also read Tony Hoare's writings on axiomatic programming. Here's one:

                  https://www.cs.cmu.edu/~crary/819-f09/Hoare69.pdf

                  I'll repeat - what is correct and incorrect is decided by the system designer - that is the whole basis of computer systems design.

                  1. Richard Plinston

                    Re: Bah!

                    > 'general-purpose computer' ... you can do anything with - but it is exactly that power that makes them completely useless.

                    General purpose computers are not useless.

                    > I'll repeat - what is correct and incorrect is decided by the system designer - that is the whole basis of computer systems design.

                    What is correct and incorrect is decided by the _owner_ of the computer. It may well be that the 'system designer' hasn't considered that need or that usage, but the owner can do exactly what they want to.

          2. Chemist

            Re: Bah!

            "Computers are now widely used because we don't demand that end users need education to run systems correctly. "

            Computers are now widely abused because we don't demand that end users need education to run systems correctly.

            But seriously, at the present time no computer can be considered 'safe' without the user having some knowledge of the risk - no different to the rest of life really.

            1. Ian Joyner Bronze badge

              Re: Bah!

              Chemist: "Computers are now widely abused because we don't demand that end users need education to run systems correctly."

              Well, either computers can be used by everyone or reserved for some high priesthood with special powers.

              How much education should end users need? I do my bit for educating computer scientists, but the whole point is they learn abstraction - that is don't pass on the details to upper levels.

              While I encourage people to understand all levels of computing, it should not be necessary - and if it is, we have not done our jobs properly.

              Yes, we can educate users to some level - do backups, etc. But we should not depend on that, or them to do it, and then go 'oh, it was the user's fault'. That is blaming the victim.

              1. Chemist

                Re: Bah!

                "While I encourage people to understand all levels of computing, it should not be necessary - and if it is, we have not done our jobs properly."

                The point is that it is necessary however much you'd like it not to be. I don't think I'd be too happy with an unskilled bus/car/train driver.

                And that's before we take into account simple scamming/phishing by computer/phone or mail. We can't design/legislate for a risk-free world - people have to have an awareness of risk whatever activity is undertaken.

                1. Ian Joyner Bronze badge

                  Re: Bah!

                  Chemist: "The point is that it is necessary however much you'd like it not to be. I don't think I'd be too happy with an unskilled bus/car/train driver."

                  Altogether different. Passengers on the train don't need to train as a train driver in order to catch the train. So why should computer end users be required to be trained in computer science, or programming, or unix systems admin in order to use a computer? They don't.

                  That is abstraction - you don't need to know the details of lower layers.

                  Of course all users need some kind of knowledge; they do need to know some basic security practices. But even us 'experts' in security know it is much too big a subject to know everything. It is negligent on the part of systems vendors to not build security into their systems but to say the user must know what they are doing. That attitude should soon be seen as criminally negligent.

                  1. Chemist

                    Re: Bah!

                    "Passengers on the train don't need to train as a train driver in order to catch the train."

                    You miss the point. Any group of people using a particular technology need some in-depth knowledge to use it safely. I did, by the way, include driving a car which is a near ubiquitous 'skill' which in most places requires examination.

                    I don't expect the average user to be a security expert, just to have an awareness of the basics of on-line safety. You certainly can't expect the technology to cope with all the diversity of attacks from the sophisticated to the banal.

                    On the other hand if you want to do something more unusual, but still reasonable, like give yourself access to your home network from outside then you do need to understand what you're doing or take advice.

                    1. Ian Joyner Bronze badge

                      Re: Bah!

                      Chemist: "You miss the point. Any group of people using a particular technology need some in-depth knowledge to use it safely. I did, by the way, include driving a car which is a near ubiquitous 'skill' which in most places requires examination."

                      No, I don't miss the point at all. The point was wrong. Now we are close to having self-driving cars. What you are saying is that passengers in such a car should not only know how to drive that car, but be experts in mechanics as well.

                      Chemist: "I don't expect the average user to be a security expert, just to have an awareness of the basics of on-line safety. You certainly can't expect the technology to cope with all the diversity of attacks from the sophisticated to the banal."

                      That is exactly what I expect the technology to do. We can program computers to do anything - why not stop security attacks - or better still, make the systems strong in the first place. Hacks are very, very sophisticated. We must design systems that protect the user. How do you expect the user "to cope with all the diversity of attacks from the sophisticated to the banal." It is much better to expect the technology to do that.

                      Chemist: "On the other hand if you want to do something more unusual, but still reasonable, like give yourself access to your home network from outside then you do need to understand what you're doing or take advice."

                      OK, that almost makes sense. But at the right level of abstraction. Users need to know to set passwords, etc. But maybe other authentication factors are required, like fingerprints, etc that the system prompts them for. This must be built into the technology.

                      1. Chemist

                        Re: Bah!

                        "Now we are close to having self-driving cars. What you are saying is that passengers in such a car should not only know how to drive that car,"

                        Of course they'll need to be able to drive - I guess it will be years before self-driving cars become truly autonomous.

                        "We can program computers to do anything - why not stop security attacks "

                        You must be having a laugh now. The one thing we know is that bugs exist - where have you seen a software system that is perfect? (See the point about cars above.)

                        "Hacks are very, very sophisticated"

                        Some are, some are trivial or even accidental. Many of the big 'hacks' have been by people with little skill but a lot of persistence.

                        1. Ian Joyner Bronze badge

                          Re: Bah!

                          >>Of course they'll need to be able to drive - I guess it will be years before self-driving cars become truly autonomous<<

                          Well, in future I'm going to ask any one I give a lift to whether they can drive or not. 'Can't drive - you're out of luck, can't come in my car'.

                          >>You must be having a laugh now. The one thing we know is that bugs exist<<

                          No laugh at all. Yes bugs exist - they can be exploited, but when we find an exploit, we patch to close that hole. That is reactive security.

                          I've already posted this link for someone else, but please go and read and digest and thoroughly understand the axiomatic approach to system design and programming:

                          https://www.cs.cmu.edu/~crary/819-f09/Hoare69.pdf

                          Proactive security says we put security into the system to begin with. We think about it and build systems accordingly.

                          What you are suggesting is to give up altogether and just resort to reactive security. Both approaches are needed.

                          Many attacks use well-known mechanisms - the main one is a typical C and low-level machine defect - allowing writes beyond an end of buffer. This can also be used to subvert the stack. We can design machines where this is just not allowed and a whole large category of attacks goes away. Thus we should check that a process or data structure only reads and writes into the memory that it was allocated - bounds checking.

                          Most people who consider themselves software designers and programmers have a hard time understanding this. They think it is just the natural order of things. Well, it's not. In networked systems and systems with many interacting processes being in security a priori is essential, otherwise we are continuing to react to things.

                          So if computer people find this hard to understand - how can we expect end users to be this sophisticated. Although, it is often true that explaining such things is easier to someone with no knowledge than to those who think they have knowledge.

                          Software verification (against bugs and defects) is closely related to security. Having machines with bounds checking, and checks for other breaches benefits both software correctness and security.

                          1. Chemist

                            Re: Bah!

                            "What you are suggesting is to give up altogether and just resort to reactive security. Both approaches are needed."

                            No I'm not. I'm suggesting that at the present time (and for how much longer?) we still need to be very careful about security.

                            "Well, in future I'm going to ask any one I give a lift to whether they can drive or not. 'Can't drive - you're out of luck, can't come in my car'."

                            That's just nonsense. It's totally irrelevant most of the time if other occupants can drive or not but I'm guessing that you'll need one for quite a while.

                            "We can design machines where this is just not allowed and a whole large category of attacks goes away."

                            Well until we do and they become the norm it doesn't matter in the slightest.

                            1. Ian Joyner Bronze badge

                              Re: Bah!

                              >>No I'm not. I'm suggesting that at the present time (and for how much longer?) we still need to be very careful about security.<<

                              That was exactly your suggestion - 'we can't think of everything, so just react to it when it happens'. Machiavelli must be turning in his grave. Sun-tzu also.

                              >>That's just nonsense. It's totally irrelevant most of the time if other occupants can drive or not but I'm guessing that you'll need one for quite a while.<<

                              That is what I'm saying, please read carefully. But you started from the position of end users must know all about this or keep them away from the computer. Even us security experts can't keep up and understand it all.

                              Computing people really fail when they say they expect the user to be so sophisticated. No, that is computing people failing to do their job. Like systems programmers also fail when they expect other programmers to need to deal with machine-level details (and hence program in C). They have failed at their job in programming the systems level.

                              >>Well until we do and they become the norm it doesn't matter in the slightest.<<

                              That is a lazy answer. Again an admission of failure. It is up to us present-day computer scientists to plan the future, which arises out of avoiding current failings.

      4. Kiwi

        Re: Bah!

        There are technical reasons why the Unix used on Mac is more secure than Linux.

        Wot, like Macs having default admin:password login for the shell (maybe even no password, just ssh root@ip being enough, ICBRIW), having NOTHING in the GUI to change that, having SSH open by default (so all one needed was the IP and ability to use ssh)*, as in wide open with the Mac's GUI-using user not only unable to change anything without going to a terminal, but not even knowing that there was an issue, and not being able to change the password via the GUI's password manager (even though it said it was changing the administrator passwords)

        Macs are generally more secure than Windows (but so is a wide open door!), but they've had some pretty horrifying security flaws in their time - stuff that'd make MS security devs weep with envy! **

        The cost of a computer system is not the hardware - it is the software. People think they can get that for free, but won't get the protection. You get what you pay for.

        Er, I'm pretty sure you can download and install OSX (any version) for free, with just an Apple ID and hardware to run it on (though I've only ever done it for Macs, not PCs, so maybe there's something in the HW requirements). So long as your box will run OSX you can download newer versions for free as well. But with Windows you have to pay a fair bit for each install, and each new version (generally - GWX aside). So by your logic, Windows must be better than Mac [scuse me while I puke just for saying those words!] because you pay a lot more for the OS!

        *This was back sometime from 2006-2008, on at least one version of OSX, no idea if it's been fixed since.

        ** I'm sure MS's security devs think their job is to add more ridiculous security flaws into the system, eg the recent Defender bugs, or the lack of testing on SMB allowing WC to get through, etc etc etc etc etc etc etc etc etc etc etc etc etc etc etc etc etc ***

        *** Yes, I'm good at multitasking. I can bash Apple and MS security stupidity in the same post, all while conveniently ignoring the rest of the OS worlds!

        1. Ian Joyner Bronze badge

          Re: Bah!

          "Wot, like Macs having default admin:password login for the shell (maybe even no password, just ssh root@ip being enough, ICBRIW), having NOTHING in the GUI to change that, having SSH open by default (so all one needed was the IP and ability to use ssh)*"

          Sounds like you have not tested it since 2008. At one point there was no root UC. I have not heard that they brought it back.

          "Er, I'm pretty sure you can download and install OSX (anyversion) for free"

          Yes, but the cost of the system is the software. That software does not come for free. It is built into the cost of the box you buy. So while you might get the software installed originally for free, and get free upgrades, that has little to do with the actual cost.

          1. Kiwi

            Re: Bah!

            "Wot, like Macs having default admin:password login for the shell[..]*"

            Sounds like you have not tested it since 2008. At one point there was no root UC. I have not heard that they brought it back.

            True, I haven't looked for that in a long time.

            "Er, I'm pretty sure you can download and install OSX (anyversion) for free"

            Yes, but the cost of the system is the software. That software does not come for free. It is built into the cost of the box you buy. So while you might get the software installed originally for free, and get free upgrades, that has little to do with the actual cost.

            I can (and have) installed OSX into a VM running on Linux. Think it was Mountain Lion IIRC but was a few years back. From what I could tell I was perfectly legitimately doing the installation (which was to test AV options for a customer), and nothing in the license prevented that (nothing I saw anyway, but if you've ever read an OS license you can understand how stuff could be missed in one reading by a non-lawyer). Unless that has changed, I could repeat the exercise should I desire to. My VM manager appears to support it fairly directly even.

            IOW, I can have a machine running OSX that costs nothing but the time to get OSX installed in a VM. I've heard the term "hackintosh" as well which I guess refers to running OSX on generic PC hardware, but outside of my area of play.

  3. Frumious Bandersnatch

    change the password for the username “Pi” to

    You mean "pi". (yes, I used "logical" quoting there)

    1. Ken Hagan Gold badge
      Headmaster

      Re: change the password for the username “Pi” to

      I might have given you a thumbs up for the logical quoting.

      (but your parenthetical remark completely blew it)

  4. Frumious Bandersnatch

    "Change your default user name"

    You mean "change your default password".

    Jeez.

    1. Doctor Syntax Silver badge

      Re: "Change your default user name"

      Both.

  5. JeffyPoooh
    Pint

    "...it's a sufficiently common devuce..."

    You spelled "it's" correctly, which may confuse some people.

    Now, about "devuce"...

    1. heyrick Silver badge

      Re: "...it's a sufficiently common devuce..."

      Covfefe?

      1. Matt Hawkins

        Re: "...it's a sufficiently common devuce..."

        Hey how did you guess the password I use on all my Pis!

    2. J. R. Hartley

      Re: "...it's a sufficiently common devuce..."

      *spelt

      1. Anonymous Coward
        Anonymous Coward

        Re: "...it's a sufficiently common devuce..."

        Both 'spelled' and 'spelt' are correct but 'spelt' is little used outside the UK. 'Spelled' is the more internationally acceptable version, unless you're after the baking flour used by the Romans. I'll get my coat... ;)

        1. Kiwi

          Re: "...it's a sufficiently common devuce..."

          Both 'spelled' and 'spelt' are correct but 'spelt' is little used outside the UK. 'Spelled' is the more internationally acceptable version, unless you're after the baking flour used by the Romans. I'll get my coat... ;)

          If Cosby ever gets out of prison, he can start a new TV show I think.. "People downvote the darnedest things"

  6. Frumious Bandersnatch

    "Raspberry Pi sours"

    https://www.quora.com/What-do-blueberries-raspberries-and-blackberries-taste-like

    Raspberries are already sour ("sauer" being the German for "acid[ic]")

    1. dajames

      Re: "Raspberry Pi sours"

      Raspberries are already sour ("sauer" being the German for "acid[ic]")

      Indeed, that's why they're red. Raspberry juice is an indicator, and turns blue when made less acidic (you can sometimes see this happen as the juice is diluted with water when washing crockery that has contained raspberries).

      1. David Nash Silver badge

        Re: "Raspberry Pi sours"

        As in raspberry slushies? I always wondered why they were blue. Or perhaps they are just pumped full of blue dye.

  7. Brenda McViking
    Childcatcher

    Captain Bodge-tastic speaking

    I wouldn't overestimate the abilities of your average raspberry pi user - it's become very easy to follow a simple set of instructions in an online forum and without understanding a lot about what you're doing, and in doing so open the thing wide open to abuse. An awful lot of them are connected to the net.

    I had to double check that one of mine, which is online and will accept SSH connections, is not visible from the public IP it's on. I've changed the default password as I do for all devices, but aside from a weekly cron job to perform an automatic update, it is sat there, as a VPN server. I think that I've firewalled everything off with iptables (apart from the VPN port used), but I set this up 3 years ago and I really cannot remember. I'm currently 7000km away from it without a computer so it's difficult to check right now... (posting from a mobile)

    I imagine there are a lot of such devices out there connected to the net, as some amateur project set up by an enthusiastic hobbyist. In my experience it was hard enough getting it working as intended, let alone hardening it against attackers beyond the basics of changing a password (which I think is enough to defeat this malware if I RTFA properly)...

    1. Ken Hagan Gold badge

      Re: Captain Bodge-tastic speaking

      Give a ten-year-old a small, battery-powered computer of their own and let them discover some interweb instructions about how to set up their pi-cam so that they can use it over the internet as a spying device.

      Hmm ... I'd guess that an awful lot of pis are connected to the net with no thought to security at all.

    2. Anonymous Coward
      Anonymous Coward

      Re: Captain Bodge-tastic speaking

      I'm currently 7000km away from it without a computer so it's difficult to check right now... (posting from a mobile)

      Give me your IP and password and I will check for you...

      1. Anonymous Coward
        Anonymous Coward

        Re: Captain Bodge-tastic speaking

        "Give me your IP and password and I will check for you..."

        IP is: 127.0.0.1

        Password is: hunter1

    3. werdsmith Silver badge

      Re: Captain Bodge-tastic speaking

      For fun I have hung a Pi on the net via a port forward, changed the password for pi user and within a few minutes there were failed login attempts showing up in the log. I've no idea how they are found so quickly.

      1. Chemist

        Re: Captain Bodge-tastic speaking

        "and within a few minutes there were failed login attempts showing up in the log"

        I have a pi & my x86 fileserver both with ssh port forwarded. However I don't use the standard ports and both use rsa keys and indeed very unusual usernames..

        My x86 server has had 1 login attempt in 10+ years. So although it is really sec. by ob. it cuts down the attempts by a huge factor as port 22 gets a few a day.

        1. John Sager

          Re: Captain Bodge-tastic speaking

          Just analysing my firewall logs for the last 4 months & I've had 36k hits on telnet and 6k hits on ssh port 22. Those are the top 2 TCP ports for hits, followed by 5358, 1433 & 7547. I occasionally see a hit on my obscure ssh login port - 1 every few months perhaps.

      2. Richard Plinston

        Re: Captain Bodge-tastic speaking

        > within a few minutes there were failed login attempts showing up

        That sounds like a job for fail2ban or denyhosts.
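The detection logic the last few comments are circling (failed-login counts in the sshd log, hits per port in the firewall log, and a fail2ban-style ban rule), as an added example that is not from the thread or from any of the commenters. The log lines are constructed, the year is assumed to be 2017 because syslog timestamps carry none, and `maxretry`/`findtime` are given fail2ban's default values (5 failures within 10 minutes); the slow second source is included to show what that window does and does not catch.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Constructed sshd lines in syslog format (not real logs); RFC 5737 test
# addresses stand in for the sources.
SAMPLE_AUTH_LOG = """\
Jun  8 10:00:01 pi sshd[1201]: Failed password for pi from 203.0.113.5 port 51022 ssh2
Jun  8 10:00:03 pi sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 51030 ssh2
Jun  8 10:00:04 pi sshd[1205]: Failed password for root from 203.0.113.5 port 51041 ssh2
Jun  8 10:00:06 pi sshd[1207]: Failed password for pi from 203.0.113.5 port 51055 ssh2
Jun  8 10:00:09 pi sshd[1209]: Failed password for pi from 203.0.113.5 port 51060 ssh2
Jun  8 10:01:15 pi sshd[1220]: Failed password for pi from 198.51.100.7 port 40001 ssh2
Jun  8 10:25:40 pi sshd[1302]: Failed password for pi from 198.51.100.7 port 40002 ssh2
Jun  8 10:26:02 pi sshd[1305]: Accepted publickey for alice from 192.0.2.10 port 55010 ssh2
Jun  8 10:30:00 pi sshd[1310]: Failed password for pi from 198.51.100.7 port 40003 ssh2
Jun  8 10:31:00 pi sshd[1312]: Failed password for pi from 198.51.100.7 port 40004 ssh2
Jun  8 10:32:00 pi sshd[1314]: Failed password for pi from 198.51.100.7 port 40005 ssh2
"""

# Constructed iptables LOG-target lines, trimmed to the fields used here.
SAMPLE_FIREWALL_LOG = """\
Jun  8 11:00:00 gw kernel: IN=ppp0 OUT= SRC=203.0.113.9 DST=192.0.2.1 PROTO=TCP SPT=40000 DPT=23 SYN
Jun  8 11:00:01 gw kernel: IN=ppp0 OUT= SRC=203.0.113.9 DST=192.0.2.1 PROTO=TCP SPT=40001 DPT=2323 SYN
Jun  8 11:00:02 gw kernel: IN=ppp0 OUT= SRC=198.51.100.2 DST=192.0.2.1 PROTO=TCP SPT=5000 DPT=22 SYN
Jun  8 11:00:03 gw kernel: IN=ppp0 OUT= SRC=198.51.100.3 DST=192.0.2.1 PROTO=TCP SPT=5001 DPT=23 SYN
Jun  8 11:00:04 gw kernel: IN=ppp0 OUT= SRC=198.51.100.4 DST=192.0.2.1 PROTO=TCP SPT=5002 DPT=7547 SYN
Jun  8 11:00:05 gw kernel: IN=ppp0 OUT= SRC=198.51.100.5 DST=192.0.2.1 PROTO=UDP SPT=5003 DPT=53
"""

# "invalid user" appears when the username does not exist on the box.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
TCP_DPT_RE = re.compile(r"PROTO=TCP\b.*?DPT=(\d+)")


def _parse_ts(ts: str, year: int) -> datetime:
    # Syslog timestamps omit the year; it is supplied by the caller (assumed here).
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def find_bans(log_text: str, maxretry: int = 5, findtime: int = 600, year: int = 2017) -> dict:
    """Apply the fail2ban sshd-jail rule: ban a source once it has reached
    `maxretry` failures inside a sliding window of `findtime` seconds.
    Returns {ip: ISO timestamp of the failure that triggered the ban}."""
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    banned = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m or m.group("ip") in banned:
            continue
        ip, ts = m.group("ip"), _parse_ts(m.group("ts"), year)
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()  # drop failures that have aged out of the window
        if len(window) >= maxretry:
            banned[ip] = ts.isoformat()
    return banned


def targeted_usernames(log_text: str) -> Counter:
    """Which accounts the guesses are aimed at; 'pi' dominating is the tell
    that the Pi default credential is what is being tried."""
    return Counter(m.group("user") for m in map(FAILED_RE.match, log_text.splitlines()) if m)


def tcp_port_hits(log_text: str) -> Counter:
    """Hits per TCP destination port, the tally the firewall-log comment above quotes."""
    return Counter(int(m.group(1)) for m in map(TCP_DPT_RE.search, log_text.splitlines()) if m)


if __name__ == "__main__":
    print("banned:", find_bans(SAMPLE_AUTH_LOG))
    print("usernames tried:", dict(targeted_usernames(SAMPLE_AUTH_LOG)))
    print("TCP ports hit:", dict(tcp_port_hits(SAMPLE_FIREWALL_LOG)))
```

With the sample input the fast source (five failures in eight seconds) is banned on its fifth attempt, while the slow source never has five failures inside any ten-minute window and is not; widening `findtime` to an hour catches it. That is the trade-off behind fail2ban's two knobs, and why the comment about a non-standard port and key-only logins still matters: the ban rule only shortens the list of guesses, it does not remove the password as an attack surface.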

      3. waldo kitty
        Boffin

        Re: Captain Bodge-tastic speaking

        I've no idea how they are found so quickly.

        They were likely MIRAI or a variant of it. They're running rampant all over the 'net looking for IoT devices to conscript into their botnet. They specifically target the telnet and ssh ports along with a few others.

  8. allthecoolshortnamesweretaken

    1. Which cryptocurrency exactly? Bitcoin? The mythical Maycoin?*

    2. Are there that many Raspberries out in the wild that, even assuming they are connected and still on their default settings, they could mine coin in a useful timeframe?

    Somehow this smells like proof of concept.

    * A cryptocurrency I have just made up. It is designed for post-Brexit Britain, traceable by the authorities, but totally anonymous for anyone else thanks to the ingenious FlexiCrypt system. The FlexiCrypt system, which I have also just made up, uses deep learning AI algorithms that can recognise who is mining and using any given Maycoin and whether it is a legitimate use of it or not. If it is a legitimate use like a donation to the conservative party, the whole transaction stays completely anonymous. If it is used for something clearly related to terrorism like paying for a VPN service, all available data is automatically transferred to the relevant authorities.

    1. Anonymous Coward
      Anonymous Coward

      non binary choice

      "a legitimate use like a donation to the conservative party [or] something clearly related to terrorism"

      How do you classify arms deals with Saudi?

      1. allthecoolshortnamesweretaken

        Re: non binary choice

        "How do you classify arms deals with Saudi?"

        Depends. On where the kick-backs end up.

        1. sisk

          Re: non binary choice

          How do you classify arms deals with Saudi?

          Oh that? It's just a donation to some guy's retirement fund. He was so appreciative that he gave me a couple hundred AKs to thank me.

    2. Alister

      I hope I'm not giving too much away here, but I'd heard that the FlexiCrypt system is based on the use of hashtags:

      #verysecure

      #backdoorencryption

      #ilovetheresamay

      which makes it extra secure for everybody, (except if you're a terrist)

    3. Cuddles

      "Are there that many Raspberries out in the wild that, even assuming they are connected and still on their default settings, they could mine coin in a useful timeframe?"

      A quick Google suggests an RPi gets somewhere from 50-200 MFLOPS single precision depending on version. That would mean at least 30,000 of them to hit 6 TFLOPS, around the equivalent of a decent GPU (GTX 1070 for example). With 12.5 million sold according to the article, if you took control of every RPi ever sold, you'd have the equivalent of around 400 relatively up-to-date but not particularly impressive PCs. Depending on how those total sales break down by version, it might be closer to 100 PCs.

      So yeah, not particularly useful by the looks of it. Even if there are tens of thousands of vulnerable RPis out there, you only need to compromise one or two home PCs to get just as much computing power at your disposal.
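As an added check of the arithmetic in the comment above (not part of the comment itself), using only the figures it quotes:

$$\frac{6\times10^{12}\ \text{FLOPS}}{2\times10^{8}\ \text{FLOPS per Pi}} = 3\times10^{4}\ \text{Pis per GPU-class machine}$$

$$\frac{12.5\times10^{6}\ \text{Pis}}{3\times10^{4}} \approx 417 \quad\text{(the "around 400" at 200 MFLOPS each)}$$

$$\frac{12.5\times10^{6}\times 5\times10^{7}}{6\times10^{12}} \approx 104 \quad\text{(the "closer to 100" at 50 MFLOPS each)}$$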

    4. phuzz Silver badge

      "Are there that many Raspberries out in the wild"

      Pretty much anywhere there's screens displaying a slide show, if you look behind you'll see a RPi dangling from the wires. Museums, restaurants, bus companies, they get used all over the place.

  9. Brian Miller

    I just hooked it to the DMZ, and it's fine...

    How many people do this? Really? Buy something, and then just throw it open to world+dog, and think it's all just fine and dandy.

    When logging into the Raspberry Pi, it nags you to change the password!! Really, every single time you log in, there's a message nagging about changing user pi's password to something other than raspberry.

    If somebody's too lazy to change the password, keeps it on, exposed to world+dog, then they should pay a stupid tax for their actions.

    1. as2003

      Re: I just hooked it to the DMZ, and it's fine...

      The joke's on the hackers: it turns out that all the vulnerable Pis were actually honeypots run by security researchers.

    2. Mage Silver badge

      Re: I just hooked it to the DMZ, and it's fine...

      ports open?

      Wut no firewall.

      I take no prisoners. We have no DMZ.

    3. Blitheringeejit
      Holmes

      Re: I just hooked it to the DMZ, and it's fine...

      >>How many people do this? Really? Buy something, and then just throw it open to world+dog, and think it's all just fine and dandy.

      Apparently there's this new-fangled teckernology called "The Internet of Things" which is all the rage...?

  10. Anonymous Coward
    Anonymous Coward

    Default password? It's easy to be smug, but default password is asking for it and will get you little sympathy or insurance coverage.

  11. Anonymous Coward
    Anonymous Coward

    Not being funny but...

    If you have a Pi this already puts you ahead of the daily mail reading celebrity spotting unwashed therefore you would instinctively change the password on first use as you did on that shiny router you bought. You would also have to enable ssh which again puts you above the general poo flicking human.

    I can't see this infecting many Pis.

    1. Anonymous Coward
      Anonymous Coward

      re: this already puts you ahead of the daily mail reading celebrity spotting unwashed

      Get over yourself.

      1. Anonymous Coward
        Anonymous Coward

        Re: re: this already puts you ahead of the daily mail reading celebrity spotting unwashed

        Why? I make a valid point. If you buy a pi then you must have some knowledge and if you have some knowledge you would know to change the password.

        Furthermore how does this even get onto the pi? Would you not need to forward the port in the first place? Again this indicates knowledge.

        Therefore poo flicking daily mail readers would probably not buy a pi in the first place.

        Have you actually read the daily mail?

        http://www.dailymail.co.uk/news/article-4597798/KATIE-HOPKINS-AmberRose-flashing-doesn-t-make-feminist.html

        I rest my case.

        1. Anonymous Coward
          Anonymous Coward

          Re: re: this already puts you ahead of the daily mail reading celebrity spotting unwashed

          Hey, I liked that article, I read the daily mail, I hate celebs and I bought a Pi and I changed the passwd. Am I in a special category? Am I a special person?

          ...I think I am!

    2. Milton

      "daily mail reading celebrity spotting unwashed"

      Anon said—"If you have a Pi this already puts you ahead of the daily mail reading celebrity spotting unwashed therefore you would instinctively change the password on first use as you did on that shiny router you bought. You would also have to enable ssh which again puts you above the general poo flicking human."

      I wonder why he got so many downvotes? Yes, it's a rather dismissive, insulting opinion of Daily Mail readers, but in what respect is it actually, um, wrong?

      Or was it the reference to the Axis of Stupid Liars: "poo flicking human" that upset readers? (I assume it's a reference to Boris Johnson and Donald Trump, correct?)

      Well, I suppose it doesn't matter if Daily Mail readers have IQs in single digits or occasionally even two, the important things in our world are, as ever: Strong Crypto+Strong Passwords!!

      1. Naselus

        Re: "daily mail reading celebrity spotting unwashed"

        "I wonder why he got so many downvotes?"

        Because he's literally talking as if simply owning a device designed for 8 year olds was proof of superior computing skills. It's like suggesting that purchasing a skateboard is indicative of superb Formula-1 driving ability. He misunderstands the purpose of the device, its main audience, the skillset it aims to teach, and his own awesomeness for owning one. Oh, and he commits a logical fallacy in presuming the only possible people who could own one are either super-sysadmins or drooling Daily Mail readers, too.

        So it's a factually incorrect argument, made badly. That's why he got downvotes.

        1. Anonymous Coward
          Anonymous Coward

          Re: "daily mail reading celebrity spotting unwashed"

          @Naselus

          I really am not.

          I don't mind the downvotes however to get the thing onto the internet with an open port and enable SSH usually requires a knowledge above that of an 8 year old kid learning to program and even if they do have that knowledge I would hope the adult guiding them changes the password or advises them to do that themselves.

          http://www.dailymail.co.uk/news/article-4596940/Dog-chills-shark-floatie-pool.html

          EDIT: Who plugs the Pi into the network or connects to the wifi? Certainly not a Daily Mail Poo Flinger

    3. Jason Bloomberg Silver badge

      The Pi's raison d'etre is teaching kids to code; by design it's going into the hands of those least knowledgeable about security and more likely to fall prey to "latest Minecraft mod" and "free Ariana tickets" social engineering.

    4. Doctor Syntax Silver badge

      "you would instinctively change the password on first use as you did on that shiny router you bought. You would also have to enable ssh"

      These are aimed at kids (my 8-yo grandson for instance). They won't necessarily have basic sysadmin skills. Also, as he did, they might forget the P/W if changed. (Actually in his case it was a different OS with a different default P/W. An OS update appeared to have reset it probably back to the OS default. I'd tarred off his home directory and re-flashed the OS before I realised the default was different.)

      You're right in that they'd have to enable ssh. On Raspbian that's done through the same menu as changing the password but unfortunately the two aren't linked.

  12. Ben1892

    All your 800Mhz are belong to us !

    So even if you pwnd 12.5 million Pis, by my back-of-fag-packet calcs that would give you somewhere between 1.3TH/s and 2.5TH/s

    1. Adam 52 Silver badge

      If I've done the sums right that turns into about $5/day.

      1. Doctor Syntax Silver badge

        "If I've done the sums right that turns into about $5/day"

        Riches! If you're an 8-yo.

    2. Ross 12

      What if it's clever enough to use the Pi's GPU for calculation goodness?

  13. Terry 6 Silver badge

    if the password for “Pi” suddenly stops working it may be easier to flash a new SD-card

    When I use my Pi for anything that is going to be online for more than a few minutes I'll give it a proper p/w. Until then, it's just a few minutes messing about here or there. (It took me a couple of weeks' sporadic use to find out that the little screen I bought won't install drivers if I used NOOBS).

    And I'm guessing that since this is essentially a hobbyist sort of device, that's how most users will treat it. For me it's about trying to remember how to code, thirty odd years after my (amateur) programming days hit the buffers of having a proper job, home, family, mortgage.

    If, at some point I/we decide to put it to work then setting up security will probably be more of a priority.

  14. The Bionic Man
    Trollface

    At last someone found a use for the Raspberry Pi.

    1. Doctor Syntax Silver badge

      "a use for the Raspberry Pi"

      There are plenty of those, for instance running a local instance of Nextcloud with a 1TB disk.

  15. mark l 2 Silver badge

    I don't have a Pi but am a Linux user (Mint). Why does the Pi not force people to change the default password on first login like other Linux distros do? Even if the end user changes it to a weak password it's better than them continuing on the default

    1. Alister

      Why does the Pi not force people to change the default password on first login like other Linux distros do?

      It does.

      1. Jason Bloomberg Silver badge

        It does.

        Things changed recently after the Pi Foundation appeared to become aware of the risks of de-facto enabled SSH and default password, but I believe any insistence the password is changed only occurs when SSH is enabled.

        As far as I am aware there is still no general 'you must change/choose a password' prompt otherwise. Therefore it is still possible to expose a Pi to the Internet with the default password and all the risk associated with doing that. SSH isn't the only risk.

  16. Milton

    On a more serious note: schools

    I understand the Pi is widely used, and for obvious reasons, in schools. I hope school IT departments are paying attention today, because that is one environment where I *suspect* rules may be a bit lax: getting kids to change default passwords and remember new, strong ones sounds a little like cat-herding.

    Once a single Pi is infected, there is the troubling prospect of transmission of malware over internal networks, which schools already under siege from idiot politicians really do not need right now.

    1. Doctor Syntax Silver badge

      Re: On a more serious note: schools

      I'd guess in schools you'd want a common password for your common login ID with maybe personal IDs for the pupils. Good practice would be to set up one Pi, change the pi password and then clone that card for the rest.

  17. sisk

    To catch the malware you have to not only leave your pi on with SSH ports open to the internet, but you also have to leave your password on the default. The current version of Raspbian will complain every time you log in if the SSH server is on and you haven't changed the password. What kind of fool uses default passwords?

  18. felixuribe

    IoT Malware AGAIN!

    The problem with malware like this is the fact that the Raspberry Pi has become one of those devices used to build lots of IoT devices out there. Malsubjects will continue to explore ways to break into every single connected device for all criminal purposes, this is just one of them! My advice, make sure that your devices have a security classification! https://uribe100.com/index.php?option=com_content&view=article&id=147:internet-of-things-iot

  19. JulieM Silver badge

    It's a Storm in a Pi Dish

    How many people plug a Raspberry Pi straight into the public Internet? And you have to configure a router deliberately to forward Port 22.

    You would have to re-image all your machines at once, to be sure none of them were going to infect any of the others.

    Might be fun to set up a honeypot, though .....

  20. edfelt

    Just Me

    CHANGE YOUR DEFAULT PASSWORD! PLEASE, FOR THE LOVE OF PETE, JUST CHANGE THE PASSWORD THE SYSTEM KEEPS WARNING YOU ABOUT!

  21. Anonymous Coward
    Anonymous Coward

    if they get every Pi to mine continuously for them... they get 1 bit coin in 5 years 7 months.

  22. JulieM Silver badge

    Honeypot

    Try running this command on a public-facing server:

    $ sudo useradd -gusers -pzKVyZZU/0syU2 -m -s/bin/cat pi

    This will set up a honeypot account. Username pi, password raspberry, just like a default raspbian install ..... but typing commands will have absolutely no effect.
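A honeypot account only earns its keep if someone checks that it is set up the way the post intends and then watches for logins to it, so here is an added example of both checks (not the commenter's code, and not part of the original post). The account records are constructed to match the `useradd` line above (on a real system the hash sits in `/etc/shadow` and `/etc/passwd` carries an `x`), the log lines are constructed, and the 13-character hash is classified as traditional DES crypt, which compares only the first eight characters of a guess.

```python
import re

# Constructed records for the account the post's useradd command creates.
# Only the hash value is taken from the post; uid, gid and dates are made up.
PASSWD_LINE = "pi:x:1001:100::/home/pi:/bin/cat"
SHADOW_LINE = "pi:zKVyZZU/0syU2:17325:0:99999:7:::"

# Constructed sshd lines. A successful login to an account nobody legitimately
# uses is the high-fidelity signal the honeypot exists to produce.
SAMPLE_AUTH_LOG = """\
Jun  8 12:00:01 host sshd[2201]: Failed password for pi from 203.0.113.5 port 51022 ssh2
Jun  8 12:00:05 host sshd[2203]: Accepted password for pi from 203.0.113.5 port 51030 ssh2
Jun  8 12:00:05 host sshd[2203]: pam_unix(sshd:session): session opened for user pi by (uid=0)
Jun  8 12:10:00 host sshd[2210]: Accepted publickey for alice from 192.0.2.10 port 55010 ssh2
Jun  8 12:45:12 host sshd[2250]: Accepted password for pi from 198.51.100.7 port 40002 ssh2
"""

ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def hash_scheme(field: str) -> str:
    """Classify a shadow password field by its on-disk format."""
    if field == "":
        return "empty"        # no password is required at all
    if field in ("*", "!") or field.startswith("!"):
        return "locked"       # password login disabled for the account
    prefixes = {"$1$": "md5crypt", "$5$": "sha256crypt", "$6$": "sha512crypt", "$y$": "yescrypt"}
    for prefix, name in prefixes.items():
        if field.startswith(prefix):
            return name
    if len(field) == 13 and "$" not in field:
        return "descrypt"     # traditional DES crypt: 2-char salt + 11-char hash
    return "unknown"


def audit_honeypot(passwd_line: str, shadow_line: str, expected_shell: str = "/bin/cat") -> dict:
    """Confirm the account behaves as a honeypot: a no-op login shell and a
    usable password hash. Returns the facts plus a list of findings."""
    p, s = passwd_line.split(":"), shadow_line.split(":")
    findings = []
    if p[0] != s[0]:
        findings.append("passwd and shadow records name different users")
    if p[6] != expected_shell:
        findings.append(f"shell is {p[6]}, expected {expected_shell}")
    scheme = hash_scheme(s[1])
    if scheme in ("locked", "empty", "unknown"):
        findings.append(f"password field is {scheme}, not a hashed password")
    if scheme == "descrypt":
        findings.append("descrypt hash: only the first 8 characters of a guess are compared")
    return {"user": p[0], "shell": p[6], "hash_scheme": scheme, "findings": findings}


def honeypot_logins(log_text: str, honeypot_users=("pi",)) -> list:
    """Every accepted login to a honeypot account: (user, source ip, auth method)."""
    alerts = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.search(line)
        if m and m.group("user") in honeypot_users:
            alerts.append((m.group("user"), m.group("ip"), m.group("method")))
    return alerts


if __name__ == "__main__":
    print(audit_honeypot(PASSWD_LINE, SHADOW_LINE))
    for user, ip, method in honeypot_logins(SAMPLE_AUTH_LOG):
        print(f"ALERT honeypot login: {user} from {ip} via {method}")
```

The audit is worth running after any image update or account cleanup, since a locked hash or a shell reset to `/bin/bash` silently turns the decoy into either a dead account or a real foothold. The alert list is what you would feed to whatever notifies you; with `/bin/cat` as the shell the session itself does nothing, so the login event is the whole value of the exercise.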

  23. Wolfclaw

    12.5m machines all using a fraction of CPU power is a decent miner !
