    3.2b1 Duet 3 (DCS is not started)

    • Phaedrux Moderator @A Former User

      @CaLviNx said in 3.2b1 Duet 3 (DCS is not started):

      "should" have their home network secured.

      Defence in depth would urge you to not assume any favorable circumstances exist.

      Z-Bot CoreXY Build | Thingiverse Profile

        • A Former User @Phaedrux

        @Phaedrux and to counter that why should people not be allowed to choose for themselves and a notification in the docs would suffice?

        • dc42 administrators

          Given the huge number of hacking attempts made against everyone these days, we would rightly be castigated if we continued running DSF as root. This is even more important now that DSF supports plugins.

          Duet WiFi hardware designer and firmware engineer
          Please do not ask me for Duet support via PM or email, use the forum
          http://www.escher3d.com, https://miscsolutions.wordpress.com

          • dc42 administrators @A Former User

            @CaLviNx said in 3.2b1 Duet 3 (DCS is not started):

            @Phaedrux and to counter that why should people not be allowed to choose for themselves and a notification in the docs would suffice?

            If you want to run DSF as root, you can modify DSF - it's open source. If you don't know how to, then IMO you shouldn't be trusted to run DSF as root. I don't want your RPi running DSF to be part of a botnet.

            • A Former User @A Former User

              @CaLviNx said in 3.2b1 Duet 3 (DCS is not started):

              @Phaedrux and to counter that why should people not be allowed to choose for themselves and a notification in the docs would suffice?

              because secure by default solves more problems than it can create? (ref OpenBSD it won't stop you from pulling down your pants, even though it ships with belts and suspenders)

              • bot @dc42

                @dc42 said in 3.2b1 Duet 3 (DCS is not started):

                [...] I don't want your RPi running DSF to be part of a botnet.

                Wait... is that, like, discouraged or something? 😁 😁

                *not actually a robot

                • A Former User

                  So these replies bring me to ask the next question.

                  If running in "root" is as dangerous as YOU GUYS are pushing it to be, why was this not implemented from the get-go?

                  For it to be as dangerous as is being said and for it to only be being implemented now many many months after the RPi image was released shows recklessness and a lack of care for users in the extreme....

                  • Phaedrux Moderator

                    It's a best practice. I'm sorry it wasn't implemented initially and I'm sorry implementing it now has inconvenienced you. Your point about change for change sake is taken.

                    • A Former User @Phaedrux

                      @Phaedrux

                      So it has just been proven that best practice has not been followed, but I'm the one getting preached at from multiple directions for even mentioning it...

                      On one hand being lectured about how important security is.

                      Then after it's pointed out about the delay the importance of said security gets glossed over as "not best practice"

                      hypocrisy much.........

                      • oliof

                        At a hazard, this came up during architecture review for plugins and has now been implemented, which is good. (Also, botnet membership is not the only risk; exposure in an internal network and being used for lateral moves or persistent footholds inside an internal network that has bridges to the outside somewhere is another risk scenario)

                        Somewhat related: Gina Häußge is fighting to keep people from exposing Octoprint to the internet unsecured, yet you can easily find many instances that are at risk if you know where to look.

                        I'm pretty sure if someone were to sponsor a thorough security review of DSF, that the results would be more than welcome by the Duet3D team.

                        <>RatRig V-Minion Fly Super5Pro RRF<> V-Core 3.1 IDEX k*****r <> RatRig V-Minion SKR 2 Marlin<>

                        Unless otherwise noted, all forum content is licensed under CC-BY-SA