28 replies to this topic

[leppen]

After update I can't login to OpenWebif anymore, isn't login root-dreambox anymore?

i'm using a VU+ Solo box with OpenPli 4.0.

 

Thanks!

/leppen

 

[athoik]

Login via telnet (no password) and set password for root (passwd) or go to plugins, open OpenWebIf plugin and set Http Authentication to No.

Until recently the default was No, but it changed to Yes for extra security.

[leppen]

passwd did the trick!

thanks!

 

/leppen

[SpaceRat]

or go to plugins, open OpenWebIf plugin and set Http Authentication to No.
Until recently the default was No, but it changed to Yes for extra security.

Let's rephrase that: "less insecurity"

Actually the password login alone doesn't make it a good idea to open the OpenWebif to the outside world at all.

However, there are two colliding interests:
We have the user with OpenWebif configured to be opened securely to the outside world (Using key/cert and possibly key auth), but it would be wide open e.g. after reflashing his box (The port forwarding/firewall exception in his router would still be active) until he gets to entirely re-configure it.
This could lead to actual damage (Anyone could delete all your recordings while you are still busy restoring your bouquets or so).

On the other side we have users like leppen that do not want a login (e.g. because they do not open the Webif to the outside world at all), they now have to manually disable login.
This I have to admit is a bit of comfort loss.

Potential data loss during a re-installation however clearly outweights the "hassle" of changing one setting.

[WanWizard]

The side-effect for those stupid enough to put their box on the Internet. It's as stupid as installing Windows from the original CD's on a PC that has a live internet connection.

 

This change punishes the good, and allows the bad to get away with their behaviour. Therefore, bad idea.

[SpaceRat]

The side-effect for those stupid enough to put their box on the Internet.

Or clever enough to do it right.

It's as stupid as installing Windows from the original CD's on a PC that has a live internet connection.

Who spreads such a bullshit?

Some unrevised knowledge from the mid-90s?

In the 90s that was true, when people had single computers directly attached to modems/bridges of any kind and Windows was a pure DOS-AddOn with no firewall at all.
Lots of homemade pr0n originates from that time, when everybody and his grandma could e.g. access anybody's CIFS shares over the internet, just because NetBIOS over TCP/IP was bound to every new connection and the only PC inside the household was directly attached to some plain DSL-/Cable-Modem ...

Nowadays it is much more likely that you can not even replace your ISP provided router at all anymore than finding a PC that is directly attached to some plain bridge.
Secondly, any still supported Windows comes with its Firewall pre-activated which considers any new network as "public network" and thus blocks any contact from the outside and also even most connections from the inside ...

[WanWizard]

lol, yeah, a NAT router gives you security... And Windows is secure out of the box. Keep on dreaming.

 

I'm the governments CERT representitive in this country, and you don't want believe the shit I see on a daily basis, shit that even sofisticated systems like FireEye don't detect.

 

So unlike you're "suggestion', I do know what I'm talking about.

[SpaceRat]

lol, yeah, a NAT router gives you security... And Windows is secure out of the box. Keep on dreaming.

I'm not, you are.

I'm the governments CERT representitive in this country, and you don't want believe the shit I see on a daily basis, shit that even sofisticated systems like FireEye don't detect.
 
So unlike you're "suggestion', I do know what I'm talking about.

Then you would know that the only way to guarantee security is to pull the plug and to build a solid wall around the system.

And while there might be a slight security gain by installing Windows offline, then applying all fixes to the current date (Which you would need to have offline somewhere for that ...) and only then attaching the PC to the network, the realistic options are
- Install with the PC connected to the network, giving it the chance to download and apply fixes during installation
or
- Install offline, then connect the PC and download the security fixes while already working with the installation.


BTW:
I'm the government representative for the BER airport in this country ...
And my older brother is a General inside the army ... a bit childish, eh?

When you talk about concepts and shit, it might be helpful if you would stick to what is realistic in a private environment.
There, the PC gets attached to the home router anyways and then it's better the latest fixes get applied during installation rather than hours after the system went up (If at all).

[theparasol]

@Mods: Better checkout SpaceRats account, it seems to be hacked: Lately his replies are very violent towards other users.

Edited by theparasol, 10 October 2014 - 20:20.

[SpaceRat]

Hahaha ...

I just can't stay calm if people start explaining how to keep the cake ... without telling the whole truth, which is that you can't eat it too ...

... or if someone tells us that it would be stupid to take the bus from home to work because the bus could be bombed ...
... which is very helpful to know if you can't afford going by plane, buying your own car or if the distance is too long to go on foot or on a bicycle ...

I just tell you the truth:
Life suxx and in the end we are all dead.

[WanWizard]

You're full of **** as usual.

 

Fact remains, you made a stupid decision, and a lot of people are annoyed by it. And instead of thinking it over, you go to great lengths to justify yourself, and make idiotic remarks. Very grown up of you.

[athoik]

@OpenPLi please fix SRC_URI or no images tonight.

-SRC_URI += "0001-Revert-Change-insane-default-again.patch"
+SRC_URI += "file://0001-Revert-Change-insane-default-again.patch"

Edited by athoik, 10 October 2014 - 21:46.

[SpaceRat]

You're full of **** as usual.
 
Fact remains, you made a stupid decision, and a lot of people are annoyed by it. And instead of thinking it over, you go to great lengths to justify yourself, and make idiotic remarks. Very grown up of you.

You haven't made a single point concerning the actual topic.
Instead you keep posting claims which aren't really wrong but pure theory.

I've probably kept more people from opening the WebInterface to the outside than all of you in this thread together
#1, #2, #3, ...

However, I can't and will not deny the reality:
In the real world we get 10 users opening the web interface for each one I or anyone else can keep from opening the web interface to the outside, if not more.

If having an at least semi-secure default can help to make some of them aware of the potential risks, I have already reached my goal.

[Erik Slagter]

SpaceRat, first you wil have to learn that often more views on a topic can exist and that even you might not have the one and only true view. As long as you can't live with that, I suggest you present yourself a bit more modest and friendly here, after all you are a guest, just like everyone else.

[SpaceRat]

SpaceRat, first you wil have to learn that often more views on a topic can exist and that even you might not have the one and only true view.

You must be confusing me with someone else.

It's not me who says that something which isn't good doesn't happen, that's MiLo.
His opinion is not only that opening the Webif to the outside world is bad (Which in general is true), he even enforces it by removing the slight protection there is whenever OpenPLi gets reinstalled, reset to factory defaults or loses its settings.
He puts his opinion above the reality, which is that you can easily find hundreds to thousands of opened WebInterfaces using Google and thanks to him some of them will have day of the open door today.

My opinion is that opening the Webif to the outside world in general is a bad idea (Unless you do it right, which involves a lot more than just adding a login/pass), but I accept that there are a lot of people that will do it anyways and that "even they" deserve a slight bit of protection too (Even if it is not really sufficient).
The impact on those who didn't open the Webif to the outside (and do not want password protection for any other reason, e.g. to keep out the children) is minimal: One toggle.

Everybody who reads this:
Which view is more balanced?


BTW:
What really p1sses me off is that MiLo instantly jumped in to enforce his opinion on this topic by patching the build process of OpenWebif.
If he would have spent the same effort in fixes autofs could work on OpenPLi by now, that's a one-liner too.

Edited by SpaceRat, 11 October 2014 - 11:57.

[Erik Slagter]

Again QED...

[littlesat]

OpenWebif is safe when you tunel it via ssh (putty).... or use VPN. Then no password is required at all... so the password is extreme anoying... In addition it gives those who share their webif via the WWW a fake safety...

 

Then better give a description how to use the suff safely...

 

note when a box is hacked... it is not the one who open their box on the WWW did it wrong... It is OpenPLi's fault...

Edited by littlesat, 11 October 2014 - 12:55.

[theparasol]

SSH and VPN are far too complicated to setup for the dumb crowd!

 

I agree with MiLo and my reason is that by setting the default webif protected with user/pass is useless.

First we have a hand full of people now what they are doing, they simply flip the usersetting and go to the webif unprotected again.

Second is the group of users complaining they cant get into the webif anymore and openpli need to tell over and over again how to do it.

Whatever openpli does: it is always wrong!

 

The majority that forwards on purpose the webif to the internet are very happy it "finally" works due to lack of knowledge e.g. how routers work / ip protocol in general.

Most people dont know shit about security and frankly I think most wont give a damn either. The day things start to go wrong badly they start to complain, its everybodies

fault exept theirs. You can tell them over and over again the webif is unsafe they just blame whoever not making it safe in the first place.

 

Same goes for precious data they have and stored on local harddrive. One bad day they got deleted by accident/error, drive dies, got encrypted by ransomware.

You name it. For that reason we have licenses for cars, planes, fire arms, fill in yourself. But not for using a computer or even having an internet connection.

 

Bottomline: you cant protect someone against their own stupidity. You cant warn them either since they consider themselves smart...

[Erik Slagter]

I'd think that a check for ip adresses (only RFC local ranges are allowed) would have more sense. That way also people that use a vpn won't even notice.

[theparasol]

That could work out but I'm sure a storm of topics will raise about: cant use webif over the internet any longer.

Good luck explaining how to setup vnp on the routers and clientdevices...

 

But... from then on it will be safe