I believe these are all good points that Elecraft should consider. As for
myself I am a tinkerer and as such I can imagine many things I would like
to do with the on board system. Personally I would like the option of
"unlocking" access so that I could use the underlying Linux system and
would be willing to be responsible for the security of the system if I did
so. I know there will be many who just want a good radio to operate and
that is why I am suggesting that maybe this is an opt-in thing with the
caveat that if you unlock this you're responsible to keep the radio secure.

Jeff
N5SDR

On Mon, Jun 3, 2019, 3:35 PM Dave New, N8SBE <n8...@arrl.net> wrote:

> Paul,
>
> I believe you mistook the 'direction' of DDOS attack I was talking
> about.
>
> The K4 would not be the target of a DDOS attack, but rather an unwitting
> participant in launching a DDOS attack as part of a robot army of IoT
> devices.
>
> Thousands of hacked IoT devices are for rent on the dark web, for any
> script kiddie that wants to attack a particular target.
>
> Also, it may be popular to use hacked web sites, or various documents
> with trojan horse loads to deliver ransomware or bitcoin miners, but
> there are other known vectors, including various open ports found while
> scanning.  It may be that a router would be able to block access, but the
> very peer-to-peer nature of the K4 (controlling other K4's or being
> controlled by another K4 or PC, tablet, etc.) means that routers would
> need to allow certain inbound connections through the router or
> firewall.  These allow for interesting attack vectors, which will
> certainly be exercised, if possible.
>
> 73,
>
> -- Dave, N8SBE
>
> -------- Original Message --------
> Subject: Re: [Elecraft] K4 and Linux Infrastructure
> From: Paul Gacek <w6...@yahoo.com>
> Date: Mon, June 03, 2019 4:00 pm
> To: "Dave New, N8SBE" <n8...@arrl.net>
> Cc: Elecraft Reflector <elecraft@mailman.qth.net>, Rick WA6NHC
> <wa6...@gmail.com>
>
> Dave
>
> DDOS is quite hard for any end point (PC, iPhone, K4 etc) to deal with
> effectively. If a million zombie Macs decide to simultaneously attack
> your end point your best chance is as Rick states, a device that makes
> up the perimeter defenses such as a firewall or cyber security
> alternative (i.e. router, IDP). Most homes don’t have anything
> particularly sophisticated deployed and are therefore somewhat
> vulnerable. In truth DDOS attacks are quite rare and typically not aimed
> at Citizen Dave or his neighbors. Protection albeit optimistic is really
> in the realm of a corporate network but even then we have a few cases
> where iconic sites get hammered and go dark. Enabling the K4 to defend
> against DDOS is a little like building a house to withstand random bits
> of ISS dropping in unexpectedly; not something I’m expecting to be
> paying for.
>
> Unwanted ransomware or bitcoin mining programs are most likely the
> result of an unwitting end user at an end point (PC, Android etc) doing
> something that resulted in the malware ending up on their end point.
> Could be surfing to a suspect web site (www.PawnStorm4U.com) or even
> going to a compromised but reputable site such as NASA.gov.
> Alternatively, it could be someone opening a compromised PDF or
> Word/Excel attachment. The best protection here is to be cautious and
> mindful of what you do in the cyber world and absolutely make sure you
> are running the most up-to-date OS (not XP) and to its most current patch
> level.
>
>
> Presumably but maybe not, the K4 won’t make available to the ham
> operator a browser that allows them to surf wherever nor an email client
> that they can read Excel attachments at the whim of the ham operator.
> That is best done outside of the K4.
>
>
> Hardening Linux, following best practices on coding and penetration
> testing are all things to be aware of and implement as appropriate.
>
>
> For those who might be interested in perusing details of some of these
> topics these links might be interesting;
> Secure Coding Practices
> https://msdn.microsoft.com/en-us/aa570401
> Hardening Linux
> https://www.computerworld.com/article/3144985/linux-hardening-a-15-step-checklist-for-a-secure-linux-server.html
> Penetration Testing
> https://www.tenable.com
>
>
> With Elecraft’s proximity to Silicon Valley and presumably contacts
> abounding, I’m optimistic the K4 will do us proud and I won’t have
> to rely on Rocky and Bullwinkle to keep nefarious foreign agents out of
> my K4.
>
>
> Paul
> W6PNG/M0SNA
> www.nomadic.blog
>
>
>
>
>
>
> On Jun 3, 2019, at 7:58 PM, Rick WA6NHC <wa6...@gmail.com> wrote:
>
> Much of that protection can be implemented at the router level (>90% of
> all sites) and the internal Linux (fairly bullet proof) will deal with
> the radio talking to the world.
>
> It shouldn't be too difficult for Elecraft to refine security to the
> radio, you'd only need a few ports of network access, which if required,
> could be coded to set values (MAC address) up to the menu level...  or
> limited access into the Linux side of the radio.
>
> I'm confident it has been considered and managed with the usual Elecraft
> elegance.
>
> Rick NHC
>
>
> On 6/3/2019 11:50 AM, Dave New, N8SBE wrote:
> So, let's let the elephant in the room bellow a bit.
>
> Ahem, CYBER SECURITY.
>
> Now that you've put a popular, modern OS in the K4, and hooked it up to
> Ethernet (and therefore the Internet), you've just opened a stinking
> pile of attack vectors.
>
> And please don't think that no one will bother figuring out how to 'own'
> such a powerful connected processor.  If you spend any time reading up on
> things like Distributed Denial of Service (DDOS) attacks, you will find
> that things like webcams and routers (which typically don't even have a
> 32-bit OS in them) have been marshaled to unleash frightening
> multi-gigabit attacks on various targets.
>
> Or, try the newest craze, dropping Bitcoin or other digital currency
> mining engines on unsuspecting machines, taking them over hog mode, and
> pegging the CPU at 100%, using your electric bill for their gain.
>
> Or, maybe the K4 will be the first ham radio to suffer from a
> ransom-ware attack, where the poor ham is asked to ante up some ransom
> (in bitcoin usually, to make it hard to track) to get control of his
> radio back.
>
> True, at least one or more other companies have already stepped out
> ahead, by putting Windows 10 in their radio.
>
> I'm just wondering if anyone at Elecraft has been tasked with dealing
> with the cyber security aspects of this new toy, and what plans you may
> have for outside pen testing, etc.
>
> At the very least, you should be using authenticated boot and
> authenticated flash, protected by a root certificate in an internal
> hardware trust anchor.
>
> 73,
>
> -- Dave, N8SBE
>
> -------- Original Message --------
> Subject: Re: [Elecraft] K4 and Linux Infrastructure
> From: Wayne Burdick <n...@elecraft.com>
> Date: Sun, June 02, 2019 11:52 am
> To: Leroy Buller <lee.bul...@gmail.com>
> Cc: Elecraft Reflector <elecraft@mailman.qth.net>, Lee Buller
> <lgbul...@k0wa.com>
>
> x86, not PI (ARM). It's the controller for internal/external displays
> and streaming I/O, runs the server for remote clients, and serves as the
> present/future app engine.
>
> Additional details pending.
>
> 73,
> Wayne
> N6KR
>
>
>
> ______________________________________________________________
> Elecraft mailing list
> Home: http://mailman.qth.net/mailman/listinfo/elecraft
> Help: http://mailman.qth.net/mmfaq.htm
> Post: mailto:Elecraft@mailman.qth.net
>
> This list hosted by: http://www.qsl.net
> Please help support this email list: http://www.qsl.net/donate.html