moving to wheezy

ingo2
Posts: 81
Joined: 06 Feb 2012, 10:32

Re: uboot update needed.

Post by ingo2 »

Thanks for your excellent work from me as well MouettE,

I am waiting for a safe upgrade to Wheezy as well. With the current "firmware" from Excito it is no longer safe to connect the box directly to the internet. Squeeze support for security updates on the ARM platform has already been EoL for a while.

Maybe your work will be written down in Wiki-style later, so anyone with reasonable Linux skills can do the dist-upgrade to stock Wheezy.

Best regards,
Ingo
UNIX is user friendly, it's just picky about who its friends are.
Gordon
Posts: 1461
Joined: 10 Aug 2011, 03:18

moving to wheezy

Post by Gordon »

ingo2 wrote: With the current "firmware" from Excito it is no longer safe to connect the box directly to the internet.
I wouldn't put it like that. In fact the last big security issue that hit linux platforms (ssl heart bleed) did touch Wheezy but not Squeeze.

Newer is simply not always better. In many cases new even means new issues. New may however be appealing to someone who wants to use the new features or protocols that come with it. The strength of the B2|3 is that you actually can install other or newer software. You can even build it yourself if it is not part of the regular distribution. Unless of course when the new software also requires a kernel feature that is not available in the current kernel.

So what is safe and what is unsafe? Essentially, everything you open up for other people to get in is unsafe. Also, every outbound connection may potentially be unsafe as well, but with a headless system that's hardly something to give much consideration. There's no difference in regards to security if you open up ssh on the internet side in Squeeze, Wheezy or even Woody. It gives people direct access to your box and allows them to start their (distributed) brute force password hacking programs to gain full control. Hackers may even sniff out your password any time you connect to the box and use an unencrypted protocol, such as http, imap, pop3, smtp/submission. Speaking about smtp, opening that one up may cause you to be sending millions of emails around the world to advertise stuff like male libido raising pills. However new your OS is, it will never stop you from making simple mistakes such as these.
ingo2
Posts: 81
Joined: 06 Feb 2012, 10:32

Re: uboot update needed.

Post by ingo2 »

Gordon wrote:
ingo2 wrote: With the current "firmware" from Excito it is no longer safe to connect the box directly to the internet.
I wouldn't put it like that. In fact the last big security issue that hit linux platforms (ssl heart bleed) did touch Wheezy but not Squeeze.
Hi Gordon,
I do know that Squeeze was not affected by Heartbleed. However, this resulted in thorough security reviews of other critical Linux components and subsequent patches. At least on my Debian desktop systems (Wheezy) this led to numerous security updates. I cannot judge if any packages on the B3 are involved.

But there is another issue: I have installed some Debian-packages on my B3 and those do not receive updates anymore because armel is EoL.
UNIX is user friendly, it's just picky about who its friends are.
Stryker
Posts: 56
Joined: 17 Oct 2013, 11:03

Re: uboot update needed.

Post by Stryker »

Debian Squeeze was safe, because the latest available OpenSSL-Version from the squeeze-repos did not yet include the Heartbeat-Extension, that was discovered to be vulnerable earlier this year.
Gordon
Posts: 1461
Joined: 10 Aug 2011, 03:18

Re: uboot update needed.

Post by Gordon »

Ingo,

There is a difference between a desktop system and a server. And that is that the desktop system is operated by a user who can be tempted to click a link or run software that he shouldn't, whereas the server will only do what it is instructed to do.

Security is therefore defined by whether the server contains entrances that allow arbitrary code to be executed, i.e. become a user operated system. As a Bubba owner, you are the one that decides what services you want to expose (and to whom) and consequently the level of security that your box offers. And frankly the only thing that I don't really like about Bubba OS is that http and https are handled as a group in the firewall manager.
Ubi
Posts: 1549
Joined: 17 Jul 2007, 09:01

Re: uboot update needed.

Post by Ubi »

This discussion keeps on coming up every few months. We've all been told to keep up with updates or bad things happen. The reality is that the vast majority of updates have no bearing on functionality of a server platform, but yes, you need to actually read the update reports for that. Heartbleed was exceptional because it affected a production-level outward-facing process. This is something that hadn't happened for many years. But still, even Heartbleed did not yield remote root privileges.

For me, I'd rather have an old system that is well maintained and secured than a bleeding-edge distro with untested flaws and an assumption that keeping up with updates is all you need to do.
ingo2
Posts: 81
Joined: 06 Feb 2012, 10:32

Re: uboot update needed.

Post by ingo2 »

Ubi wrote: This discussion keeps on coming up every few months. We've all been told to keep up with updates or bad things happen.
Ubi,

you probably got me wrong. I did not mean the usual cases where the box is running behind a router with a NAT firewall (like here). I said "directly connected to the internet", which means it is acting as a router and at the same time as a server running several daemons.

In fact this setup implies security concerns already by design. I know that even today's routers are running several daemons and act as a tiny NAS box, print server, ... From a security point of view firewall+router should run on dedicated hardware with only one secure channel for service and maintenance, and services on a different box ideally in a different subnet (exposed host, DMZ).
UNIX is user friendly, it's just picky about who its friends are.
Ubi
Posts: 1549
Joined: 17 Jul 2007, 09:01

Re: uboot update needed.

Post by Ubi »

I'm aware of Linux security models. I've been running an ISP for over 15 years.

Really this thread is about uboot, and these last few posts are detrimental to the very cool hacks that were discussed on previous pages. So please create a new topic that discusses the security model, or continue one of the old ones. This thread is not the place.
ingo2
Posts: 81
Joined: 06 Feb 2012, 10:32

Re: uboot update needed.

Post by ingo2 »

I didn't start this discussion, I just made a positive comment on the uboot progress and said "THANKS" to MouettE for the good work and asked for later documentation.
UNIX is user friendly, it's just picky about who its friends are.
Gordon
Posts: 1461
Joined: 10 Aug 2011, 03:18

Re: uboot update needed.

Post by Gordon »

Ubi wrote: I'm aware of Linux security models. I've been running an ISP for over 15 years.

Really this thread is about uboot, and these last few posts are detrimental to the very cool hacks that were discussed on previous pages. So please create a new topic that discusses the security model, or continue one of the old ones. This thread is not the place.
I guess that would be my doing, overreacting to the comment that being able to upgrade to Wheezy would be required to keep the system secure.

In any case, if the u-boot from MouettE can be verified and upgrading to it can be made an official Excito release, this would definitely open up the possibility to create a new bubba-kernel of version 3.x and change distribution without losing the Bubba OS front end. I guess that would make a lot of people very happy.

Can't be bothered to check at this moment, but what's up with this comment?
But there is another issue: I have installed some Debian-packages on my B3 and those do not receive updates anymore because armel is EoL.
MouettE
Site admin
Posts: 341
Joined: 06 Oct 2011, 19:45

Re: uboot update needed.

Post by MouettE »

Gordon wrote: In any case, if the u-boot from MouettE can be verified and upgrading to it can be made an official Excito release, this would definitely open up the possibility to create a new bubba-kernel of version 3.x and change distribution without losing the Bubba OS front end. I guess that would make a lot of people very happy.
Upgrading the kernel is not the only task. All the excito packages (bubba-*) should be adapted to wheezy as well. I don't think it should be extremely difficult but it's going to take a lot of time. Not to mention the necessary tests.

I plan to try porting and maintaining the official 3.2 kernel branch from wheezy to the b3 and make it a debian package similar to the excito one. My goal is to make everything work but I won't spend hours on the wi-fi if I can't get it to work. I would like to port it on the b2 also but we need at least the u-boot source of the current b2 release (1.3.4-00056-gf6f51b1-dirty) to upgrade U-Boot first.
ingo2
Posts: 81
Joined: 06 Feb 2012, 10:32

Re: uboot update needed.

Post by ingo2 »

Gordon wrote: Can't be bothered to check at this moment, but what's up with this comment?
But there is another issue: I have installed some Debian-packages on my B3 and those do not receive updates anymore because armel is EoL.
Sorry, my fault, wanted to say Squeeze-armel. Squeeze on i386 and amd64 got LTS status and will be maintained for another 2-3 years, but not for armel.
UNIX is user friendly, it's just picky about who its friends are.
johannes
Posts: 1470
Joined: 31 Dec 2006, 07:12
Location: Sweden

Re: moving to wheezy

Post by johannes »

This topic was split out from uboot update needed, as requested. Best /Johannes (forum owner)
/Johannes (Excito co-founder a long time ago, but now I'm just Johannes)