K4 and Linux Infrastructure

classic Classic list List threaded Threaded
20 messages Options
Reply | Threaded
Open this post in threaded view
|

K4 and Linux Infrastructure

Leroy Buller
So, K4 and the internal Linux system.  What is it doing for the radio,
processor type, clock speed  ram, any ssd,  and version.  I am assuming or
guessing it is a PI of some sort or tigally designed by Elecraft?

Will anyone know?

Lee K0WA
______________________________________________________________
Elecraft mailing list
Home: http://mailman.qth.net/mailman/listinfo/elecraft
Help: http://mailman.qth.net/mmfaq.htm
Post: mailto:[hidden email]

This list hosted by: http://www.qsl.net
Please help support this email list: http://www.qsl.net/donate.html
Reply | Threaded
Open this post in threaded view
|

Re: K4 and Linux Infrastructure

wayne burdick
Administrator
x86, not PI (ARM). It's the controller for internal/external displays and streaming I/O, runs the server for remote clients, and serves as the present/future app engine.

Additional details pending.

73,
Wayne
N6KR


> On Jun 1, 2019, at 2:18 PM, Leroy Buller <[hidden email]> wrote:
>
> So, K4 and the internal Linux system.  What is it doing for the radio,
> processor type, clock speed  ram, any ssd,  and version.  I am assuming or
> guessing it is a PI of some sort or tigally designed by Elecraft?
>
> Will anyone know?
>
> Lee K0WA



______________________________________________________________
Elecraft mailing list
Home: http://mailman.qth.net/mailman/listinfo/elecraft
Help: http://mailman.qth.net/mmfaq.htm
Post: mailto:[hidden email]

This list hosted by: http://www.qsl.net
Please help support this email list: http://www.qsl.net/donate.html
Reply | Threaded
Open this post in threaded view
|

Re: K4 and Linux Infrastructure

Dave New, N8SBE
In reply to this post by Leroy Buller
So, let's let the elephant in the room bellow a bit.

Ahem, CYBER SECURITY.

Now that you've put a popular, modern OS in the K4, and hooked it up to
Ethernet (and therefore the Internet), you've just opened a stinking
pile of attack vectors.

And please don't think that no one will bother figuring out how to 'own'
such a powerful connected processor.  If you spend anytime reading up on
things like Distributed Denial of Service (DDOS) attacks, you will find
that things like webcams and routers (which typically don't even have a
32-bit OS in them) have been marshaled to unleash frightening
multi-gigabit attacks on various targets.

Or, try the newest craze, dropping Bitcoin or other digital currency
mining engines on unsuspecting machines, taking them over hog mode, and
pegging the CPU at 100%, using your electric bill for their gain.

Or, maybe the K4 will be the first ham radio to suffer from a
ransom-ware attack, where the poor ham is asked to ante up some ransom
(in bitcoin usually, to make it hard to track) to get control of his
radio back.

True, at least one or more other companies have already stepped out
ahead, by putting Windows 10 in their radio.

I'm just wondering if anyone at Elecraft has been tasked with dealing
with the cyber security aspects of this new toy, and what plans you may
have for outside pen testing, etc. have been made.

At the very least, you should be using authenticated boot and
authenticated flash, protected by a root certificate in an internal
hardware trust anchor.

73,

-- Dave, N8SBE

-------- Original Message --------
Subject: Re: [Elecraft] K4 and Linux Infrastructure
From: Wayne Burdick <[hidden email]>
Date: Sun, June 02, 2019 11:52 am
To: Leroy Buller <[hidden email]>
Cc: Elecraft Reflector <[hidden email]>, Lee Buller
<[hidden email]>

x86, not PI (ARM). It's the controller for internal/external displays
and streaming I/O, runs the server for remote clients, and serves as the
present/future app engine.

Additional details pending.

73,
Wayne
N6KR



______________________________________________________________
Elecraft mailing list
Home: http://mailman.qth.net/mailman/listinfo/elecraft
Help: http://mailman.qth.net/mmfaq.htm
Post: mailto:[hidden email]

This list hosted by: http://www.qsl.net
Please help support this email list: http://www.qsl.net/donate.html
Reply | Threaded
Open this post in threaded view
|

Re: K4 and Linux Infrastructure

Rick WA6NHC-2
Much of that protection can be implemented at the router level (>90% of
all sites) and the internal linux (fairly bullet proof) will deal with
the radio talking to the world.

It shouldn't be too difficult for Elecraft to refine security to the
radio, you'd only need a few ports of network access, which if required,
could be coded to set values (MAC address) up to the menu level...  or
limited access into the linux side of the radio.

I'm confident it has been considered and managed with the usual Elecraft
elegance.

Rick NHC


On 6/3/2019 11:50 AM, Dave New, N8SBE wrote:

> So, let's let the elephant in the room bellow a bit.
>
> Ahem, CYBER SECURITY.
>
> Now that you've put a popular, modern OS in the K4, and hooked it up to
> Ethernet (and therefore the Internet), you've just opened a stinking
> pile of attack vectors.
>
> And please don't think that no one will bother figuring out how to 'own'
> such a powerful connected processor.  If you spend anytime reading up on
> things like Distributed Denial of Service (DDOS) attacks, you will find
> that things like webcams and routers (which typically don't even have a
> 32-bit OS in them) have been marshaled to unleash frightening
> multi-gigabit attacks on various targets.
>
> Or, try the newest craze, dropping Bitcoin or other digital currency
> mining engines on unsuspecting machines, taking them over hog mode, and
> pegging the CPU at 100%, using your electric bill for their gain.
>
> Or, maybe the K4 will be the first ham radio to suffer from a
> ransom-ware attack, where the poor ham is asked to ante up some ransom
> (in bitcoin usually, to make it hard to track) to get control of his
> radio back.
>
> True, at least one or more other companies have already stepped out
> ahead, by putting Windows 10 in their radio.
>
> I'm just wondering if anyone at Elecraft has been tasked with dealing
> with the cyber security aspects of this new toy, and what plans you may
> have for outside pen testing, etc. have been made.
>
> At the very least, you should be using authenticated boot and
> authenticated flash, protected by a root certificate in an internal
> hardware trust anchor.
>
> 73,
>
> -- Dave, N8SBE
>
> -------- Original Message --------
> Subject: Re: [Elecraft] K4 and Linux Infrastructure
> From: Wayne Burdick <[hidden email]>
> Date: Sun, June 02, 2019 11:52 am
> To: Leroy Buller <[hidden email]>
> Cc: Elecraft Reflector <[hidden email]>, Lee Buller
> <[hidden email]>
>
> x86, not PI (ARM). It's the controller for internal/external displays
> and streaming I/O, runs the server for remote clients, and serves as the
> present/future app engine.
>
> Additional details pending.
>
> 73,
> Wayne
> N6KR
>
>
>
> ______________________________________________________________
> Elecraft mailing list
> Home: http://mailman.qth.net/mailman/listinfo/elecraft
> Help: http://mailman.qth.net/mmfaq.htm
> Post: mailto:[hidden email]
>
> This list hosted by: http://www.qsl.net
> Please help support this email list: http://www.qsl.net/donate.html
______________________________________________________________
Elecraft mailing list
Home: http://mailman.qth.net/mailman/listinfo/elecraft
Help: http://mailman.qth.net/mmfaq.htm
Post: mailto:[hidden email]

This list hosted by: http://www.qsl.net
Please help support this email list: http://www.qsl.net/donate.html
Reply | Threaded
Open this post in threaded view
|

Re: K4 and Linux Infrastructure

Elecraft mailing list
Dave

DDOS is quite hard for any end point (PC, iPhone, K4 etc) to deal with effectively. If a million zombie Macs decide to simultaneously attack your end point your best chance is as Rick states, a device that makes up the perimeter defenses such as a firewall or cyber security alternative (i.e router, IDP). Most homes don’t have anything particularly sophisticated deployed and are therefore somewhat vulnerable. In truth DDOS attacks are quite rare and typically not aimed at Citizen Dave or his neighbors. Protection albeit optimistic is really in the realm of a corporate network but even then we have a few cases where iconic sites get hammered and go dark. Enabling the K4 to defend against DDOS is a little like building a house to withstand random bits of ISS dropping in unexpectedly; not something I’m expecting to be paying for.

Unwanted ransomware or bitcoin mining programs are most likely the result of an unwitting end user at and end point (PC, Android etc) doing something that resulted in the malware ending up on their end point. Could be surfing to a suspect web site (www.PawnStorm4U.com <http://www.pawnstorm4u.com/>) or even going to a compromised but reputable site such as NASA.gov <http://nasa.gov/>.  Alternatively, it could be someone opening a compromised PDF or Word/Excel attachment. The best protection here is to be cautious and mindful of what you do in the cyber world and absolutely make sure you are running the most uptodate OS (not XP) and to its most current patch level.

Presumably but maybe not, the K4 won’t make available to the ham operator a browser that allows them to surf wherever nor an email client that they can read Excel attachments at the whim of the ham operator. That is best done outside of the K4.

Hardening Linux, following best practices on coding and penetration testing are all things to be aware of and implement as appropriately.

For those who might be interested in perusing details of some of these topics these links might be interesting;
Secure Coding Practices https://msdn.microsoft.com/en-us/aa570401 <https://msdn.microsoft.com/en-us/aa570401>
Hardening Linux https://www.computerworld.com/article/3144985/linux-hardening-a-15-step-checklist-for-a-secure-linux-server.html <https://www.computerworld.com/article/3144985/linux-hardening-a-15-step-checklist-for-a-secure-linux-server.html>
Penetration Testing https://www.tenable.com <https://www.tenable.com/>
With Elecraft’s proximity to Silicon Valley and presumably contacts abounding, I’m optimistic the K4 will do us proud and I won’t have to rely on Rocky and Bullwinkle to keep nefarious foreign agents out of my K4.

Paul
W6PNG/M0SNA
www.nomadic.blog <http://www.nomadic.blog/>




> On Jun 3, 2019, at 7:58 PM, Rick WA6NHC <[hidden email]> wrote:
>
> Much of that protection can be implemented at the router level (>90% of all sites) and the internal linux (fairly bullet proof) will deal with the radio talking to the world.
>
> It shouldn't be too difficult for Elecraft to refine security to the radio, you'd only need a few ports of network access, which if required, could be coded to set values (MAC address) up to the menu level...  or limited access into the linux side of the radio.
>
> I'm confident it has been considered and managed with the usual Elecraft elegance.
>
> Rick NHC
>
>
> On 6/3/2019 11:50 AM, Dave New, N8SBE wrote:
>> So, let's let the elephant in the room bellow a bit.
>>
>> Ahem, CYBER SECURITY.
>>
>> Now that you've put a popular, modern OS in the K4, and hooked it up to
>> Ethernet (and therefore the Internet), you've just opened a stinking
>> pile of attack vectors.
>>
>> And please don't think that no one will bother figuring out how to 'own'
>> such a powerful connected processor.  If you spend anytime reading up on
>> things like Distributed Denial of Service (DDOS) attacks, you will find
>> that things like webcams and routers (which typically don't even have a
>> 32-bit OS in them) have been marshaled to unleash frightening
>> multi-gigabit attacks on various targets.
>>
>> Or, try the newest craze, dropping Bitcoin or other digital currency
>> mining engines on unsuspecting machines, taking them over hog mode, and
>> pegging the CPU at 100%, using your electric bill for their gain.
>>
>> Or, maybe the K4 will be the first ham radio to suffer from a
>> ransom-ware attack, where the poor ham is asked to ante up some ransom
>> (in bitcoin usually, to make it hard to track) to get control of his
>> radio back.
>>
>> True, at least one or more other companies have already stepped out
>> ahead, by putting Windows 10 in their radio.
>>
>> I'm just wondering if anyone at Elecraft has been tasked with dealing
>> with the cyber security aspects of this new toy, and what plans you may
>> have for outside pen testing, etc. have been made.
>>
>> At the very least, you should be using authenticated boot and
>> authenticated flash, protected by a root certificate in an internal
>> hardware trust anchor.
>>
>> 73,
>>
>> -- Dave, N8SBE
>>
>> -------- Original Message --------
>> Subject: Re: [Elecraft] K4 and Linux Infrastructure
>> From: Wayne Burdick <[hidden email]>
>> Date: Sun, June 02, 2019 11:52 am
>> To: Leroy Buller <[hidden email]>
>> Cc: Elecraft Reflector <[hidden email]>, Lee Buller
>> <[hidden email]>
>>
>> x86, not PI (ARM). It's the controller for internal/external displays
>> and streaming I/O, runs the server for remote clients, and serves as the
>> present/future app engine.
>>
>> Additional details pending.
>>
>> 73,
>> Wayne
>> N6KR
>>
>>
>>
>> ______________________________________________________________
>> Elecraft mailing list
>> Home: http://mailman.qth.net/mailman/listinfo/elecraft
>> Help: http://mailman.qth.net/mmfaq.htm
>> Post: mailto:[hidden email]
>>
>> This list hosted by: http://www.qsl.net
>> Please help support this email list: http://www.qsl.net/donate.html
> ______________________________________________________________
> Elecraft mailing list
> Home: http://mailman.qth.net/mailman/listinfo/elecraft
> Help: http://mailman.qth.net/mmfaq.htm
> Post: mailto:[hidden email]
>
> This list hosted by: http://www.qsl.net
> Please help support this email list: http://www.qsl.net/donate.html

______________________________________________________________
Elecraft mailing list
Home: http://mailman.qth.net/mailman/listinfo/elecraft
Help: http://mailman.qth.net/mmfaq.htm
Post: mailto:[hidden email]

This list hosted by: http://www.qsl.net
Please help support this email list: http://www.qsl.net/donate.html
Reply | Threaded
Open this post in threaded view
|

Re: K4 and Linux Infrastructure

Dave New, N8SBE
In reply to this post by Leroy Buller
Paul,

I believe you mistook the 'direction' of DDOS attack I was talking
about.

The K4 would not be the target of a DDOS attack, but rather an unwitting
participant in launching a DDOS attack as part of robot army of IoT
devices.

Thousands of hacked IoT devices are for rent on the dark web, for any
script kiddie that wants to attack a particular target.

Also, it may be popular to use hacked web sites, or various documents
with trojan horse loads to deliver ransom ware or bitcoin miners, but
there are other known vectors, including various open ports found while
scanning.  It may be the a router would be able to block access, but the
very peer-to-peer nature of the K4 (controlling other K4's or being
controlled by another K4 or PC, tablet, etc, means that routers would
need to allow certain inbound connections through the router or
firewall.  These allow for interesting attack vectors, which will
certainly be exercised, if possible.

73,

-- Dave, N8SBE

-------- Original Message --------
Subject: Re: [Elecraft] K4 and Linux Infrastructure
From: Paul Gacek <[hidden email]>
Date: Mon, June 03, 2019 4:00 pm
To: "Dave New, N8SBE" <[hidden email]>
Cc: Elecraft Reflector <[hidden email]>, Rick WA6NHC
<[hidden email]>

Dave

DDOS is quite hard for any end point (PC, iPhone, K4 etc) to deal with
effectively. If a million zombie Macs decide to simultaneously attack
your end point your best chance is as Rick states, a device that makes
up the perimeter defenses such as a firewall or cyber security
alternative (i.e router, IDP). Most homes don’t have anything
particularly sophisticated deployed and are therefore somewhat
vulnerable. In truth DDOS attacks are quite rare and typically not aimed
at Citizen Dave or his neighbors. Protection albeit optimistic is really
in the realm of a corporate network but even then we have a few cases
where iconic sites get hammered and go dark. Enabling the K4 to defend
against DDOS is a little like building a house to withstand random bits
of ISS dropping in unexpectedly; not something I’m expecting to be
paying for.

Unwanted ransomware or bitcoin mining programs are most likely the
result of an unwitting end user at and end point (PC, Android etc) doing
something that resulted in the malware ending up on their end point.
Could be surfing to a suspect web site (www.PawnStorm4U.com) or even
going to a compromised but reputable site such as NASA.gov.
Alternatively, it could be someone opening a compromised PDF or
Word/Excel attachment. The best protection here is to be cautious and
mindful of what you do in the cyber world and absolutely make sure you
are running the most uptodate OS (not XP) and to its most current patch
level.


Presumably but maybe not, the K4 won’t make available to the ham
operator a browser that allows them to surf wherever nor an email client
that they can read Excel attachments at the whim of the ham operator.
That is best done outside of the K4.


Hardening Linux, following best practices on coding and penetration
testing are all things to be aware of and implement as appropriately.


For those who might be interested in perusing details of some of these
topics these links might be interesting;
Secure Coding Practices
https://msdn.microsoft.com/en-us/aa570401Hardening Linux
https://www.computerworld.com/article/3144985/linux-hardening-a-15-step-checklist-for-a-secure-linux-server.htmlPenetration
Testing https://www.tenable.com


With Elecraft’s proximity to Silicon Valley and presumably contacts
abounding, I’m optimistic the K4 will do us proud and I won’t have
to rely on Rocky and Bullwinkle to keep nefarious foreign agents out of
my K4.


Paul
W6PNG/M0SNA
www.nomadic.blog






On Jun 3, 2019, at 7:58 PM, Rick WA6NHC <[hidden email]> wrote:

Much of that protection can be implemented at the router level (>90% of
all sites) and the internal linux (fairly bullet proof) will deal with
the radio talking to the world.

It shouldn't be too difficult for Elecraft to refine security to the
radio, you'd only need a few ports of network access, which if required,
could be coded to set values (MAC address) up to the menu level...  or
limited access into the linux side of the radio.

I'm confident it has been considered and managed with the usual Elecraft
elegance.

Rick NHC


On 6/3/2019 11:50 AM, Dave New, N8SBE wrote:
So, let's let the elephant in the room bellow a bit.

Ahem, CYBER SECURITY.

Now that you've put a popular, modern OS in the K4, and hooked it up to
Ethernet (and therefore the Internet), you've just opened a stinking
pile of attack vectors.

And please don't think that no one will bother figuring out how to 'own'
such a powerful connected processor.  If you spend anytime reading up on
things like Distributed Denial of Service (DDOS) attacks, you will find
that things like webcams and routers (which typically don't even have a
32-bit OS in them) have been marshaled to unleash frightening
multi-gigabit attacks on various targets.

Or, try the newest craze, dropping Bitcoin or other digital currency
mining engines on unsuspecting machines, taking them over hog mode, and
pegging the CPU at 100%, using your electric bill for their gain.

Or, maybe the K4 will be the first ham radio to suffer from a
ransom-ware attack, where the poor ham is asked to ante up some ransom
(in bitcoin usually, to make it hard to track) to get control of his
radio back.

True, at least one or more other companies have already stepped out
ahead, by putting Windows 10 in their radio.

I'm just wondering if anyone at Elecraft has been tasked with dealing
with the cyber security aspects of this new toy, and what plans you may
have for outside pen testing, etc. have been made.

At the very least, you should be using authenticated boot and
authenticated flash, protected by a root certificate in an internal
hardware trust anchor.

73,

-- Dave, N8SBE

-------- Original Message --------
Subject: Re: [Elecraft] K4 and Linux Infrastructure
From: Wayne Burdick <[hidden email]>
Date: Sun, June 02, 2019 11:52 am
To: Leroy Buller <[hidden email]>
Cc: Elecraft Reflector <[hidden email]>, Lee Buller
<[hidden email]>

x86, not PI (ARM). It's the controller for internal/external displays
and streaming I/O, runs the server for remote clients, and serves as the
present/future app engine.

Additional details pending.

73,
Wayne
N6KR



______________________________________________________________
Elecraft mailing list
Home: http://mailman.qth.net/mailman/listinfo/elecraft
Help: http://mailman.qth.net/mmfaq.htm
Post: mailto:[hidden email]

This list hosted by: http://www.qsl.net
Please help support this email list: http://www.qsl.net/donate.html
______________________________________________________________
Elecraft mailing list
Home: http://mailman.qth.net/mailman/listinfo/elecraft
Help: http://mailman.qth.net/mmfaq.htm
Post: mailto:[hidden email]

This list hosted by: http://www.qsl.net
Please help support this email list: http://www.qsl.net/donate.html
______________________________________________________________
Elecraft mailing list
Home: http://mailman.qth.net/mailman/listinfo/elecraft
Help: http://mailman.qth.net/mmfaq.htm
Post: mailto:[hidden email]

This list hosted by: http://www.qsl.net
Please help support this email list: http://www.qsl.net/donate.html
Reply | Threaded
Open this post in threaded view
|

Re: K4 and Linux Infrastructure

Jeff Scaparra
I believe these are all good points that elecraft should consider. As for
myself I am a tinker-er and as such i can imagine many things i would like
to do with the on board system. Personally I would like the option of
"unlocking" access do that I could use the underlying linux system and
would be willing to be responsible for the security of the system if I did
so. I know there will be many who just want a good radio to operate and
that is why I am suggesting that maybe this is a opt into thing with the
caveat that if you unlock this your responsible to keep the radio secure.

Jeff
N5SDR

On Mon, Jun 3, 2019, 3:35 PM Dave New, N8SBE <[hidden email]> wrote:

> Paul,
>
> I believe you mistook the 'direction' of DDOS attack I was talking
> about.
>
> The K4 would not be the target of a DDOS attack, but rather an unwitting
> participant in launching a DDOS attack as part of robot army of IoT
> devices.
>
> Thousands of hacked IoT devices are for rent on the dark web, for any
> script kiddie that wants to attack a particular target.
>
> Also, it may be popular to use hacked web sites, or various documents
> with trojan horse loads to deliver ransom ware or bitcoin miners, but
> there are other known vectors, including various open ports found while
> scanning.  It may be the a router would be able to block access, but the
> very peer-to-peer nature of the K4 (controlling other K4's or being
> controlled by another K4 or PC, tablet, etc, means that routers would
> need to allow certain inbound connections through the router or
> firewall.  These allow for interesting attack vectors, which will
> certainly be exercised, if possible.
>
> 73,
>
> -- Dave, N8SBE
>
> -------- Original Message --------
> Subject: Re: [Elecraft] K4 and Linux Infrastructure
> From: Paul Gacek <[hidden email]>
> Date: Mon, June 03, 2019 4:00 pm
> To: "Dave New, N8SBE" <[hidden email]>
> Cc: Elecraft Reflector <[hidden email]>, Rick WA6NHC
> <[hidden email]>
>
> Dave
>
> DDOS is quite hard for any end point (PC, iPhone, K4 etc) to deal with
> effectively. If a million zombie Macs decide to simultaneously attack
> your end point your best chance is as Rick states, a device that makes
> up the perimeter defenses such as a firewall or cyber security
> alternative (i.e router, IDP). Most homes don’t have anything
> particularly sophisticated deployed and are therefore somewhat
> vulnerable. In truth DDOS attacks are quite rare and typically not aimed
> at Citizen Dave or his neighbors. Protection albeit optimistic is really
> in the realm of a corporate network but even then we have a few cases
> where iconic sites get hammered and go dark. Enabling the K4 to defend
> against DDOS is a little like building a house to withstand random bits
> of ISS dropping in unexpectedly; not something I’m expecting to be
> paying for.
>
> Unwanted ransomware or bitcoin mining programs are most likely the
> result of an unwitting end user at and end point (PC, Android etc) doing
> something that resulted in the malware ending up on their end point.
> Could be surfing to a suspect web site (www.PawnStorm4U.com) or even
> going to a compromised but reputable site such as NASA.gov.
> Alternatively, it could be someone opening a compromised PDF or
> Word/Excel attachment. The best protection here is to be cautious and
> mindful of what you do in the cyber world and absolutely make sure you
> are running the most uptodate OS (not XP) and to its most current patch
> level.
>
>
> Presumably but maybe not, the K4 won’t make available to the ham
> operator a browser that allows them to surf wherever nor an email client
> that they can read Excel attachments at the whim of the ham operator.
> That is best done outside of the K4.
>
>
> Hardening Linux, following best practices on coding and penetration
> testing are all things to be aware of and implement as appropriately.
>
>
> For those who might be interested in perusing details of some of these
> topics these links might be interesting;
> Secure Coding Practices
> https://msdn.microsoft.com/en-us/aa570401Hardening Linux
>
> https://www.computerworld.com/article/3144985/linux-hardening-a-15-step-checklist-for-a-secure-linux-server.htmlPenetration
> Testing https://www.tenable.com
>
>
> With Elecraft’s proximity to Silicon Valley and presumably contacts
> abounding, I’m optimistic the K4 will do us proud and I won’t have
> to rely on Rocky and Bullwinkle to keep nefarious foreign agents out of
> my K4.
>
>
> Paul
> W6PNG/M0SNA
> www.nomadic.blog
>
>
>
>
>
>
> On Jun 3, 2019, at 7:58 PM, Rick WA6NHC <[hidden email]> wrote:
>
> Much of that protection can be implemented at the router level (>90% of
> all sites) and the internal linux (fairly bullet proof) will deal with
> the radio talking to the world.
>
> It shouldn't be too difficult for Elecraft to refine security to the
> radio, you'd only need a few ports of network access, which if required,
> could be coded to set values (MAC address) up to the menu level...  or
> limited access into the linux side of the radio.
>
> I'm confident it has been considered and managed with the usual Elecraft
> elegance.
>
> Rick NHC
>
>
> On 6/3/2019 11:50 AM, Dave New, N8SBE wrote:
> So, let's let the elephant in the room bellow a bit.
>
> Ahem, CYBER SECURITY.
>
> Now that you've put a popular, modern OS in the K4, and hooked it up to
> Ethernet (and therefore the Internet), you've just opened a stinking
> pile of attack vectors.
>
> And please don't think that no one will bother figuring out how to 'own'
> such a powerful connected processor.  If you spend anytime reading up on
> things like Distributed Denial of Service (DDOS) attacks, you will find
> that things like webcams and routers (which typically don't even have a
> 32-bit OS in them) have been marshaled to unleash frightening
> multi-gigabit attacks on various targets.
>
> Or, try the newest craze, dropping Bitcoin or other digital currency
> mining engines on unsuspecting machines, taking them over hog mode, and
> pegging the CPU at 100%, using your electric bill for their gain.
>
> Or, maybe the K4 will be the first ham radio to suffer from a
> ransom-ware attack, where the poor ham is asked to ante up some ransom
> (in bitcoin usually, to make it hard to track) to get control of his
> radio back.
>
> True, at least one or more other companies have already stepped out
> ahead, by putting Windows 10 in their radio.
>
> I'm just wondering if anyone at Elecraft has been tasked with dealing
> with the cyber security aspects of this new toy, and what plans you may
> have for outside pen testing, etc. have been made.
>
> At the very least, you should be using authenticated boot and
> authenticated flash, protected by a root certificate in an internal
> hardware trust anchor.
>
> 73,
>
> -- Dave, N8SBE
>
> -------- Original Message --------
> Subject: Re: [Elecraft] K4 and Linux Infrastructure
> From: Wayne Burdick <[hidden email]>
> Date: Sun, June 02, 2019 11:52 am
> To: Leroy Buller <[hidden email]>
> Cc: Elecraft Reflector <[hidden email]>, Lee Buller
> <[hidden email]>
>
> x86, not PI (ARM). It's the controller for internal/external displays
> and streaming I/O, runs the server for remote clients, and serves as the
> present/future app engine.
>
> Additional details pending.
>
> 73,
> Wayne
> N6KR
>
>
>
> ______________________________________________________________
> Elecraft mailing list
> Home: http://mailman.qth.net/mailman/listinfo/elecraft
> Help: http://mailman.qth.net/mmfaq.htm
> Post: mailto:[hidden email]
>
> This list hosted by: http://www.qsl.net
> Please help support this email list: http://www.qsl.net/donate.html
> ______________________________________________________________
> Elecraft mailing list
> Home: http://mailman.qth.net/mailman/listinfo/elecraft
> Help: http://mailman.qth.net/mmfaq.htm
> Post: mailto:[hidden email]
>
> This list hosted by: http://www.qsl.net
> Please help support this email list: http://www.qsl.net/donate.html
> ______________________________________________________________
> Elecraft mailing list
> Home: http://mailman.qth.net/mailman/listinfo/elecraft
> Help: http://mailman.qth.net/mmfaq.htm
> Post: mailto:[hidden email]
>
> This list hosted by: http://www.qsl.net
> Please help support this email list: http://www.qsl.net/donate.html
______________________________________________________________
Elecraft mailing list
Home: http://mailman.qth.net/mailman/listinfo/elecraft
Help: http://mailman.qth.net/mmfaq.htm
Post: mailto:[hidden email]

This list hosted by: http://www.qsl.net
Please help support this email list: http://www.qsl.net/donate.html
Reply | Threaded
Open this post in threaded view
|

Re: K4 and Linux Infrastructure

Jeff Scaparra
Actually there is more to think about than security here as well. What
would elecraft do about users that break the system but misconfiguring
stuff, etc... if they allow users to opt in I would fully expect users to
have to agree to owning responsibility for any modifications. This would
mean that if you have a problem with the radio and send it in and the
problem is solved by reflashing the base image then you should be charged
for wasting their time. I would also expect to have the base image given to
users so we can fix our own mistakes.


I think this problem will exist one way or another. Quite likely elecraft
will be legally required to make available some or all of the base image of
the radio due to software licences. It is also likely that someone will
figure out how to get access to the underlying system. In my opinion
elecraft can get out in front by setting expectations and telling users if
you do this your on your own from a warranty perspective. It would be nice
of them to limit that but they could have that void the whole warranty.

It will be interesting to see how they handle this. This is precisely the
reason I got put my deposit for the second group. I want to see how this
shakes out before commiting which means I cant be the first one with the
radio.

Jeff N5SDR

On Mon, Jun 3, 2019, 4:04 PM Jeff Scaparra <[hidden email]> wrote:

> I believe these are all good points that elecraft should consider. As for
> myself I am a tinker-er and as such i can imagine many things i would like
> to do with the on board system. Personally I would like the option of
> "unlocking" access do that I could use the underlying linux system and
> would be willing to be responsible for the security of the system if I did
> so. I know there will be many who just want a good radio to operate and
> that is why I am suggesting that maybe this is a opt into thing with the
> caveat that if you unlock this your responsible to keep the radio secure.
>
> Jeff
> N5SDR
>
> On Mon, Jun 3, 2019, 3:35 PM Dave New, N8SBE <[hidden email]> wrote:
>
>> Paul,
>>
>> I believe you mistook the 'direction' of DDOS attack I was talking
>> about.
>>
>> The K4 would not be the target of a DDOS attack, but rather an unwitting
>> participant in launching a DDOS attack as part of robot army of IoT
>> devices.
>>
>> Thousands of hacked IoT devices are for rent on the dark web, for any
>> script kiddie that wants to attack a particular target.
>>
>> Also, it may be popular to use hacked web sites, or various documents
>> with trojan horse loads to deliver ransom ware or bitcoin miners, but
>> there are other known vectors, including various open ports found while
>> scanning.  It may be the a router would be able to block access, but the
>> very peer-to-peer nature of the K4 (controlling other K4's or being
>> controlled by another K4 or PC, tablet, etc, means that routers would
>> need to allow certain inbound connections through the router or
>> firewall.  These allow for interesting attack vectors, which will
>> certainly be exercised, if possible.
>>
>> 73,
>>
>> -- Dave, N8SBE
>>
>> -------- Original Message --------
>> Subject: Re: [Elecraft] K4 and Linux Infrastructure
>> From: Paul Gacek <[hidden email]>
>> Date: Mon, June 03, 2019 4:00 pm
>> To: "Dave New, N8SBE" <[hidden email]>
>> Cc: Elecraft Reflector <[hidden email]>, Rick WA6NHC
>> <[hidden email]>
>>
>> Dave
>>
>> DDOS is quite hard for any end point (PC, iPhone, K4 etc) to deal with
>> effectively. If a million zombie Macs decide to simultaneously attack
>> your end point your best chance is as Rick states, a device that makes
>> up the perimeter defenses such as a firewall or cyber security
>> alternative (i.e router, IDP). Most homes don’t have anything
>> particularly sophisticated deployed and are therefore somewhat
>> vulnerable. In truth DDOS attacks are quite rare and typically not aimed
>> at Citizen Dave or his neighbors. Protection albeit optimistic is really
>> in the realm of a corporate network but even then we have a few cases
>> where iconic sites get hammered and go dark. Enabling the K4 to defend
>> against DDOS is a little like building a house to withstand random bits
>> of ISS dropping in unexpectedly; not something I’m expecting to be
>> paying for.
>>
>> Unwanted ransomware or bitcoin mining programs are most likely the
>> result of an unwitting end user at and end point (PC, Android etc) doing
>> something that resulted in the malware ending up on their end point.
>> Could be surfing to a suspect web site (www.PawnStorm4U.com) or even
>> going to a compromised but reputable site such as NASA.gov.
>> Alternatively, it could be someone opening a compromised PDF or
>> Word/Excel attachment. The best protection here is to be cautious and
>> mindful of what you do in the cyber world and absolutely make sure you
>> are running the most uptodate OS (not XP) and to its most current patch
>> level.
>>
>>
>> Presumably but maybe not, the K4 won’t make available to the ham
>> operator a browser that allows them to surf wherever nor an email client
>> that they can read Excel attachments at the whim of the ham operator.
>> That is best done outside of the K4.
>>
>>
>> Hardening Linux, following best practices on coding and penetration
>> testing are all things to be aware of and implement as appropriately.
>>
>>
>> For those who might be interested in perusing details of some of these
>> topics these links might be interesting;
>> Secure Coding Practices
>> https://msdn.microsoft.com/en-us/aa570401Hardening Linux
>>
>> https://www.computerworld.com/article/3144985/linux-hardening-a-15-step-checklist-for-a-secure-linux-server.htmlPenetration
>> Testing https://www.tenable.com
>>
>>
>> With Elecraft’s proximity to Silicon Valley and presumably contacts
>> abounding, I’m optimistic the K4 will do us proud and I won’t have
>> to rely on Rocky and Bullwinkle to keep nefarious foreign agents out of
>> my K4.
>>
>>
>> Paul
>> W6PNG/M0SNA
>> www.nomadic.blog
>>
>>
>>
>>
>>
>>
>> On Jun 3, 2019, at 7:58 PM, Rick WA6NHC <[hidden email]> wrote:
>>
>> Much of that protection can be implemented at the router level (>90% of
>> all sites) and the internal linux (fairly bullet proof) will deal with
>> the radio talking to the world.
>>
>> It shouldn't be too difficult for Elecraft to refine security to the
>> radio, you'd only need a few ports of network access, which if required,
>> could be coded to set values (MAC address) up to the menu level...  or
>> limited access into the linux side of the radio.
>>
>> I'm confident it has been considered and managed with the usual Elecraft
>> elegance.
>>
>> Rick NHC
>>
>>
>> On 6/3/2019 11:50 AM, Dave New, N8SBE wrote:
>> So, let's let the elephant in the room bellow a bit.
>>
>> Ahem, CYBER SECURITY.
>>
>> Now that you've put a popular, modern OS in the K4, and hooked it up to
>> Ethernet (and therefore the Internet), you've just opened a stinking
>> pile of attack vectors.
>>
>> And please don't think that no one will bother figuring out how to 'own'
>> such a powerful connected processor.  If you spend anytime reading up on
>> things like Distributed Denial of Service (DDOS) attacks, you will find
>> that things like webcams and routers (which typically don't even have a
>> 32-bit OS in them) have been marshaled to unleash frightening
>> multi-gigabit attacks on various targets.
>>
>> Or, try the newest craze, dropping Bitcoin or other digital currency
>> mining engines on unsuspecting machines, taking them over hog mode, and
>> pegging the CPU at 100%, using your electric bill for their gain.
>>
>> Or, maybe the K4 will be the first ham radio to suffer from a
>> ransom-ware attack, where the poor ham is asked to ante up some ransom
>> (in bitcoin usually, to make it hard to track) to get control of his
>> radio back.
>>
>> True, at least one or more other companies have already stepped out
>> ahead, by putting Windows 10 in their radio.
>>
>> I'm just wondering if anyone at Elecraft has been tasked with dealing
>> with the cyber security aspects of this new toy, and what plans you may
>> have for outside pen testing, etc. have been made.
>>
>> At the very least, you should be using authenticated boot and
>> authenticated flash, protected by a root certificate in an internal
>> hardware trust anchor.
>>
>> 73,
>>
>> -- Dave, N8SBE
>>
>> -------- Original Message --------
>> Subject: Re: [Elecraft] K4 and Linux Infrastructure
>> From: Wayne Burdick <[hidden email]>
>> Date: Sun, June 02, 2019 11:52 am
>> To: Leroy Buller <[hidden email]>
>> Cc: Elecraft Reflector <[hidden email]>, Lee Buller
>> <[hidden email]>
>>
>> x86, not PI (ARM). It's the controller for internal/external displays
>> and streaming I/O, runs the server for remote clients, and serves as the
>> present/future app engine.
>>
>> Additional details pending.
>>
>> 73,
>> Wayne
>> N6KR
>>
>>
>>
>> ______________________________________________________________
>> Elecraft mailing list
>> Home: http://mailman.qth.net/mailman/listinfo/elecraft
>> Help: http://mailman.qth.net/mmfaq.htm
>> Post: mailto:[hidden email]
>>
>> This list hosted by: http://www.qsl.net
>> Please help support this email list: http://www.qsl.net/donate.html
>> ______________________________________________________________
>> Elecraft mailing list
>> Home: http://mailman.qth.net/mailman/listinfo/elecraft
>> Help: http://mailman.qth.net/mmfaq.htm
>> Post: mailto:[hidden email]
>>
>> This list hosted by: http://www.qsl.net
>> Please help support this email list: http://www.qsl.net/donate.html
>> ______________________________________________________________
>> Elecraft mailing list
>> Home: http://mailman.qth.net/mailman/listinfo/elecraft
>> Help: http://mailman.qth.net/mmfaq.htm
>> Post: mailto:[hidden email]
>>
>> This list hosted by: http://www.qsl.net
>> Please help support this email list: http://www.qsl.net/donate.html
>
>
______________________________________________________________
Elecraft mailing list
Home: http://mailman.qth.net/mailman/listinfo/elecraft
Help: http://mailman.qth.net/mmfaq.htm
Post: mailto:[hidden email]

This list hosted by: http://www.qsl.net
Please help support this email list: http://www.qsl.net/donate.html
Reply | Threaded
Open this post in threaded view
|

Re: K4 and Linux Infrastructure

k6dgw
Jeff:  In addition to the nightmare for Elecraft you point out, can you
imagine the traffic load it would create on this list?  "I loaded
WSJT-X, HRD, and N1MM+ and now the K4 doesn't work.  What's wrong?" [:-)

73,
Fred ["Skip"] K6DGW
Sparks NV DM09dn
Washoe County

On 6/3/2019 2:19 PM, Jeff Scaparra wrote:

> Actually there is more to think about than security here as well. What
> would elecraft do about users that break the system but misconfiguring
> stuff, etc... if they allow users to opt in I would fully expect users to
> have to agree to owning responsibility for any modifications. This would
> mean that if you have a problem with the radio and send it in and the
> problem is solved by reflashing the base image then you should be charged
> for wasting their time. I would also expect to have the base image given to
> users so we can fix our own mistakes.
>
>
> I think this problem will exist one way or another. Quite likely elecraft
> will be legally required to make available some or all of the base image of
> the radio due to software licences. It is also likely that someone will
> figure out how to get access to the underlying system. In my opinion
> elecraft can get out in front by setting expectations and telling users if
> you do this your on your own from a warranty perspective. It would be nice
> of them to limit that but they could have that void the whole warranty.
>
> It will be interesting to see how they handle this. This is precisely the
> reason I got put my deposit for the second group. I want to see how this
> shakes out before commiting which means I cant be the first one with the
> radio.
>
> Jeff N5SDR
>
>

______________________________________________________________
Elecraft mailing list
Home: http://mailman.qth.net/mailman/listinfo/elecraft
Help: http://mailman.qth.net/mmfaq.htm
Post: mailto:[hidden email]

This list hosted by: http://www.qsl.net
Please help support this email list: http://www.qsl.net/donate.html
Reply | Threaded
Open this post in threaded view
|

Re: K4 and Linux Infrastructure

Grant Youngman-2
The Elecraft guys might agree to this after a night of heavy drinking, but I doubt that will happen.  You’re right … if it isn’t locked down it would be a nightmare for them, and one for the rest of us, too.

Grant NQ5T
K3 #2091 KX3 #8342

> On Jun 3, 2019, at 5:43 PM, Fred Jensen <[hidden email]> wrote:
>
> Jeff:  In addition to the nightmare for Elecraft you point out, can you imagine the traffic load it would create on this list?  "I loaded WSJT-X, HRD, and N1MM+ and now the K4 doesn't work.  What's wrong?" [:-)
>
> 73,
> Fred ["Skip"] K6DGW
> Sparks NV DM09dn
> Washoe County
> \

______________________________________________________________
Elecraft mailing list
Home: http://mailman.qth.net/mailman/listinfo/elecraft
Help: http://mailman.qth.net/mmfaq.htm
Post: mailto:[hidden email]

This list hosted by: http://www.qsl.net
Please help support this email list: http://www.qsl.net/donate.html
Reply | Threaded
Open this post in threaded view
|

Re: K4 and Linux Infrastructure

alorona
In reply to this post by k6dgw
 You guys have now reached the scenario I was trying to ask about last week, but obviously didn't make myself understood.
When I asked if the K4 would be able to 'talk to the outside world', I meant an ability to initiate communications with a web site, a server, or something else.
Yes, allowing users to get down to the operating system would probably be unmanageable. But what about loading 'apps', in the same way that you install apps on your phone? I could see a logging app, a reverse beacon app, or something else that would add real functionality to the radio. I'm sure that's been talked about... and I wonder what the thinking is along these lines.
R,
Al  W6LX
______________________________________________________________
Elecraft mailing list
Home: http://mailman.qth.net/mailman/listinfo/elecraft
Help: http://mailman.qth.net/mmfaq.htm
Post: mailto:[hidden email]

This list hosted by: http://www.qsl.net
Please help support this email list: http://www.qsl.net/donate.html
Reply | Threaded
Open this post in threaded view
|

Re: K4 and Linux Infrastructure

NK7Z
In reply to this post by Jeff Scaparra
Based on the lack of ability to chance the CW rise times, I suspect
Elecraft will not give access to the processor, and OS.  I would not.

Why?  If too many users change things, and break things, the radio will
get a bad rep...  If Elecraft is smart, they will lock the users out of
that level of access.

73s and thanks,
Dave (NK7Z)
https://www.nk7z.net
ARRL Technical Specialist
ARRL Volunteer Examiner
ARRL Asst. Director, NW Division, Technical Resource

On 6/3/19 2:04 PM, Jeff Scaparra wrote:

> I believe these are all good points that elecraft should consider. As for
> myself I am a tinker-er and as such i can imagine many things i would like
> to do with the on board system. Personally I would like the option of
> "unlocking" access do that I could use the underlying linux system and
> would be willing to be responsible for the security of the system if I did
> so. I know there will be many who just want a good radio to operate and
> that is why I am suggesting that maybe this is a opt into thing with the
> caveat that if you unlock this your responsible to keep the radio secure.
>
> Jeff
> N5SDR
>
> On Mon, Jun 3, 2019, 3:35 PM Dave New, N8SBE <[hidden email]> wrote:
>
>> Paul,
>>
>> I believe you mistook the 'direction' of DDOS attack I was talking
>> about.
>>
>> The K4 would not be the target of a DDOS attack, but rather an unwitting
>> participant in launching a DDOS attack as part of robot army of IoT
>> devices.
>>
>> Thousands of hacked IoT devices are for rent on the dark web, for any
>> script kiddie that wants to attack a particular target.
>>
>> Also, it may be popular to use hacked web sites, or various documents
>> with trojan horse loads to deliver ransom ware or bitcoin miners, but
>> there are other known vectors, including various open ports found while
>> scanning.  It may be the a router would be able to block access, but the
>> very peer-to-peer nature of the K4 (controlling other K4's or being
>> controlled by another K4 or PC, tablet, etc, means that routers would
>> need to allow certain inbound connections through the router or
>> firewall.  These allow for interesting attack vectors, which will
>> certainly be exercised, if possible.
>>
>> 73,
>>
>> -- Dave, N8SBE
>>
>> -------- Original Message --------
>> Subject: Re: [Elecraft] K4 and Linux Infrastructure
>> From: Paul Gacek <[hidden email]>
>> Date: Mon, June 03, 2019 4:00 pm
>> To: "Dave New, N8SBE" <[hidden email]>
>> Cc: Elecraft Reflector <[hidden email]>, Rick WA6NHC
>> <[hidden email]>
>>
>> Dave
>>
>> DDOS is quite hard for any end point (PC, iPhone, K4 etc) to deal with
>> effectively. If a million zombie Macs decide to simultaneously attack
>> your end point your best chance is as Rick states, a device that makes
>> up the perimeter defenses such as a firewall or cyber security
>> alternative (i.e router, IDP). Most homes don’t have anything
>> particularly sophisticated deployed and are therefore somewhat
>> vulnerable. In truth DDOS attacks are quite rare and typically not aimed
>> at Citizen Dave or his neighbors. Protection albeit optimistic is really
>> in the realm of a corporate network but even then we have a few cases
>> where iconic sites get hammered and go dark. Enabling the K4 to defend
>> against DDOS is a little like building a house to withstand random bits
>> of ISS dropping in unexpectedly; not something I’m expecting to be
>> paying for.
>>
>> Unwanted ransomware or bitcoin mining programs are most likely the
>> result of an unwitting end user at and end point (PC, Android etc) doing
>> something that resulted in the malware ending up on their end point.
>> Could be surfing to a suspect web site (www.PawnStorm4U.com) or even
>> going to a compromised but reputable site such as NASA.gov.
>> Alternatively, it could be someone opening a compromised PDF or
>> Word/Excel attachment. The best protection here is to be cautious and
>> mindful of what you do in the cyber world and absolutely make sure you
>> are running the most uptodate OS (not XP) and to its most current patch
>> level.
>>
>>
>> Presumably but maybe not, the K4 won’t make available to the ham
>> operator a browser that allows them to surf wherever nor an email client
>> that they can read Excel attachments at the whim of the ham operator.
>> That is best done outside of the K4.
>>
>>
>> Hardening Linux, following best practices on coding and penetration
>> testing are all things to be aware of and implement as appropriately.
>>
>>
>> For those who might be interested in perusing details of some of these
>> topics these links might be interesting;
>> Secure Coding Practices
>> https://msdn.microsoft.com/en-us/aa570401Hardening Linux
>>
>> https://www.computerworld.com/article/3144985/linux-hardening-a-15-step-checklist-for-a-secure-linux-server.htmlPenetration
>> Testing https://www.tenable.com
>>
>>
>> With Elecraft’s proximity to Silicon Valley and presumably contacts
>> abounding, I’m optimistic the K4 will do us proud and I won’t have
>> to rely on Rocky and Bullwinkle to keep nefarious foreign agents out of
>> my K4.
>>
>>
>> Paul
>> W6PNG/M0SNA
>> www.nomadic.blog
>>
>>
>>
>>
>>
>>
>> On Jun 3, 2019, at 7:58 PM, Rick WA6NHC <[hidden email]> wrote:
>>
>> Much of that protection can be implemented at the router level (>90% of
>> all sites) and the internal linux (fairly bullet proof) will deal with
>> the radio talking to the world.
>>
>> It shouldn't be too difficult for Elecraft to refine security to the
>> radio, you'd only need a few ports of network access, which if required,
>> could be coded to set values (MAC address) up to the menu level...  or
>> limited access into the linux side of the radio.
>>
>> I'm confident it has been considered and managed with the usual Elecraft
>> elegance.
>>
>> Rick NHC
>>
>>
>> On 6/3/2019 11:50 AM, Dave New, N8SBE wrote:
>> So, let's let the elephant in the room bellow a bit.
>>
>> Ahem, CYBER SECURITY.
>>
>> Now that you've put a popular, modern OS in the K4, and hooked it up to
>> Ethernet (and therefore the Internet), you've just opened a stinking
>> pile of attack vectors.
>>
>> And please don't think that no one will bother figuring out how to 'own'
>> such a powerful connected processor.  If you spend anytime reading up on
>> things like Distributed Denial of Service (DDOS) attacks, you will find
>> that things like webcams and routers (which typically don't even have a
>> 32-bit OS in them) have been marshaled to unleash frightening
>> multi-gigabit attacks on various targets.
>>
>> Or, try the newest craze, dropping Bitcoin or other digital currency
>> mining engines on unsuspecting machines, taking them over hog mode, and
>> pegging the CPU at 100%, using your electric bill for their gain.
>>
>> Or, maybe the K4 will be the first ham radio to suffer from a
>> ransom-ware attack, where the poor ham is asked to ante up some ransom
>> (in bitcoin usually, to make it hard to track) to get control of his
>> radio back.
>>
>> True, at least one or more other companies have already stepped out
>> ahead, by putting Windows 10 in their radio.
>>
>> I'm just wondering if anyone at Elecraft has been tasked with dealing
>> with the cyber security aspects of this new toy, and what plans you may
>> have for outside pen testing, etc. have been made.
>>
>> At the very least, you should be using authenticated boot and
>> authenticated flash, protected by a root certificate in an internal
>> hardware trust anchor.
>>
>> 73,
>>
>> -- Dave, N8SBE
>>
>> -------- Original Message --------
>> Subject: Re: [Elecraft] K4 and Linux Infrastructure
>> From: Wayne Burdick <[hidden email]>
>> Date: Sun, June 02, 2019 11:52 am
>> To: Leroy Buller <[hidden email]>
>> Cc: Elecraft Reflector <[hidden email]>, Lee Buller
>> <[hidden email]>
>>
>> x86, not PI (ARM). It's the controller for internal/external displays
>> and streaming I/O, runs the server for remote clients, and serves as the
>> present/future app engine.
>>
>> Additional details pending.
>>
>> 73,
>> Wayne
>> N6KR
>>
>>
>>
>> ______________________________________________________________
>> Elecraft mailing list
>> Home: http://mailman.qth.net/mailman/listinfo/elecraft
>> Help: http://mailman.qth.net/mmfaq.htm
>> Post: mailto:[hidden email]
>>
>> This list hosted by: http://www.qsl.net
>> Please help support this email list: http://www.qsl.net/donate.html
>> ______________________________________________________________
>> Elecraft mailing list
>> Home: http://mailman.qth.net/mailman/listinfo/elecraft
>> Help: http://mailman.qth.net/mmfaq.htm
>> Post: mailto:[hidden email]
>>
>> This list hosted by: http://www.qsl.net
>> Please help support this email list: http://www.qsl.net/donate.html
>> ______________________________________________________________
>> Elecraft mailing list
>> Home: http://mailman.qth.net/mailman/listinfo/elecraft
>> Help: http://mailman.qth.net/mmfaq.htm
>> Post: mailto:[hidden email]
>>
>> This list hosted by: http://www.qsl.net
>> Please help support this email list: http://www.qsl.net/donate.html
> ______________________________________________________________
> Elecraft mailing list
> Home: http://mailman.qth.net/mailman/listinfo/elecraft
> Help: http://mailman.qth.net/mmfaq.htm
> Post: mailto:[hidden email]
>
> This list hosted by: http://www.qsl.net
> Please help support this email list: http://www.qsl.net/donate.html
>
______________________________________________________________
Elecraft mailing list
Home: http://mailman.qth.net/mailman/listinfo/elecraft
Help: http://mailman.qth.net/mmfaq.htm
Post: mailto:[hidden email]

This list hosted by: http://www.qsl.net
Please help support this email list: http://www.qsl.net/donate.html
Reply | Threaded
Open this post in threaded view
|

Re: K4 and Linux Infrastructure

Lynn W. Taylor, WB6UUT-3
Seriously folks, think about the folks in Elecraft support and Service.

Imagine spending an hour working through a problem just to find out that
someone is running modified firmware (and this is firmware, not software
for us to play with).

It's an embedded system.  If you break it, you own both parts, and
Elecraft would need a 100% reliable way to verify that you didn't
introduce bugs.

Let this idea go, folks.

-- Lynn

On 6/3/2019 3:31 PM, Dave Cole (NK7Z) wrote:

> Based on the lack of ability to chance the CW rise times, I suspect
> Elecraft will not give access to the processor, and OS.  I would not.
>
> Why?  If too many users change things, and break things, the radio will
> get a bad rep...  If Elecraft is smart, they will lock the users out of
> that level of access.
>
> 73s and thanks,
> Dave (NK7Z)
> https://www.nk7z.net
> ARRL Technical Specialist
> ARRL Volunteer Examiner
> ARRL Asst. Director, NW Division, Technical Resource
>
> On 6/3/19 2:04 PM, Jeff Scaparra wrote:
>> I believe these are all good points that elecraft should consider. As for
>> myself I am a tinker-er and as such i can imagine many things i would
>> like
>> to do with the on board system. Personally I would like the option of
>> "unlocking" access do that I could use the underlying linux system and
>> would be willing to be responsible for the security of the system if I
>> did
>> so. I know there will be many who just want a good radio to operate and
>> that is why I am suggesting that maybe this is a opt into thing with the
>> caveat that if you unlock this your responsible to keep the radio secure.
>>
>> Jeff
>> N5SDR
>>
>> On Mon, Jun 3, 2019, 3:35 PM Dave New, N8SBE <[hidden email]> wrote:
>>
>>> Paul,
>>>
>>> I believe you mistook the 'direction' of DDOS attack I was talking
>>> about.
>>>
>>> The K4 would not be the target of a DDOS attack, but rather an unwitting
>>> participant in launching a DDOS attack as part of robot army of IoT
>>> devices.
>>>
>>> Thousands of hacked IoT devices are for rent on the dark web, for any
>>> script kiddie that wants to attack a particular target.
>>>
>>> Also, it may be popular to use hacked web sites, or various documents
>>> with trojan horse loads to deliver ransom ware or bitcoin miners, but
>>> there are other known vectors, including various open ports found while
>>> scanning.  It may be the a router would be able to block access, but the
>>> very peer-to-peer nature of the K4 (controlling other K4's or being
>>> controlled by another K4 or PC, tablet, etc, means that routers would
>>> need to allow certain inbound connections through the router or
>>> firewall.  These allow for interesting attack vectors, which will
>>> certainly be exercised, if possible.
>>>
>>> 73,
>>>
>>> -- Dave, N8SBE
>>>
>>> -------- Original Message --------
>>> Subject: Re: [Elecraft] K4 and Linux Infrastructure
>>> From: Paul Gacek <[hidden email]>
>>> Date: Mon, June 03, 2019 4:00 pm
>>> To: "Dave New, N8SBE" <[hidden email]>
>>> Cc: Elecraft Reflector <[hidden email]>, Rick WA6NHC
>>> <[hidden email]>
>>>
>>> Dave
>>>
>>> DDOS is quite hard for any end point (PC, iPhone, K4 etc) to deal with
>>> effectively. If a million zombie Macs decide to simultaneously attack
>>> your end point your best chance is as Rick states, a device that makes
>>> up the perimeter defenses such as a firewall or cyber security
>>> alternative (i.e router, IDP). Most homes don’t have anything
>>> particularly sophisticated deployed and are therefore somewhat
>>> vulnerable. In truth DDOS attacks are quite rare and typically not aimed
>>> at Citizen Dave or his neighbors. Protection albeit optimistic is really
>>> in the realm of a corporate network but even then we have a few cases
>>> where iconic sites get hammered and go dark. Enabling the K4 to defend
>>> against DDOS is a little like building a house to withstand random bits
>>> of ISS dropping in unexpectedly; not something I’m expecting to be
>>> paying for.
>>>
>>> Unwanted ransomware or bitcoin mining programs are most likely the
>>> result of an unwitting end user at and end point (PC, Android etc) doing
>>> something that resulted in the malware ending up on their end point.
>>> Could be surfing to a suspect web site (www.PawnStorm4U.com) or even
>>> going to a compromised but reputable site such as NASA.gov.
>>> Alternatively, it could be someone opening a compromised PDF or
>>> Word/Excel attachment. The best protection here is to be cautious and
>>> mindful of what you do in the cyber world and absolutely make sure you
>>> are running the most uptodate OS (not XP) and to its most current patch
>>> level.
>>>
>>>
>>> Presumably but maybe not, the K4 won’t make available to the ham
>>> operator a browser that allows them to surf wherever nor an email client
>>> that they can read Excel attachments at the whim of the ham operator.
>>> That is best done outside of the K4.
>>>
>>>
>>> Hardening Linux, following best practices on coding and penetration
>>> testing are all things to be aware of and implement as appropriately.
>>>
>>>
>>> For those who might be interested in perusing details of some of these
>>> topics these links might be interesting;
>>> Secure Coding Practices
>>> https://msdn.microsoft.com/en-us/aa570401Hardening Linux
>>>
>>> https://www.computerworld.com/article/3144985/linux-hardening-a-15-step-checklist-for-a-secure-linux-server.htmlPenetration 
>>>
>>> Testing https://www.tenable.com
>>>
>>>
>>> With Elecraft’s proximity to Silicon Valley and presumably contacts
>>> abounding, I’m optimistic the K4 will do us proud and I won’t have
>>> to rely on Rocky and Bullwinkle to keep nefarious foreign agents out of
>>> my K4.
>>>
>>>
>>> Paul
>>> W6PNG/M0SNA
>>> www.nomadic.blog
>>>
>>>
>>>
>>>
>>>
>>>
>>> On Jun 3, 2019, at 7:58 PM, Rick WA6NHC <[hidden email]> wrote:
>>>
>>> Much of that protection can be implemented at the router level (>90% of
>>> all sites) and the internal linux (fairly bullet proof) will deal with
>>> the radio talking to the world.
>>>
>>> It shouldn't be too difficult for Elecraft to refine security to the
>>> radio, you'd only need a few ports of network access, which if required,
>>> could be coded to set values (MAC address) up to the menu level...  or
>>> limited access into the linux side of the radio.
>>>
>>> I'm confident it has been considered and managed with the usual Elecraft
>>> elegance.
>>>
>>> Rick NHC
>>>
>>>
>>> On 6/3/2019 11:50 AM, Dave New, N8SBE wrote:
>>> So, let's let the elephant in the room bellow a bit.
>>>
>>> Ahem, CYBER SECURITY.
>>>
>>> Now that you've put a popular, modern OS in the K4, and hooked it up to
>>> Ethernet (and therefore the Internet), you've just opened a stinking
>>> pile of attack vectors.
>>>
>>> And please don't think that no one will bother figuring out how to 'own'
>>> such a powerful connected processor.  If you spend anytime reading up on
>>> things like Distributed Denial of Service (DDOS) attacks, you will find
>>> that things like webcams and routers (which typically don't even have a
>>> 32-bit OS in them) have been marshaled to unleash frightening
>>> multi-gigabit attacks on various targets.
>>>
>>> Or, try the newest craze, dropping Bitcoin or other digital currency
>>> mining engines on unsuspecting machines, taking them over hog mode, and
>>> pegging the CPU at 100%, using your electric bill for their gain.
>>>
>>> Or, maybe the K4 will be the first ham radio to suffer from a
>>> ransom-ware attack, where the poor ham is asked to ante up some ransom
>>> (in bitcoin usually, to make it hard to track) to get control of his
>>> radio back.
>>>
>>> True, at least one or more other companies have already stepped out
>>> ahead, by putting Windows 10 in their radio.
>>>
>>> I'm just wondering if anyone at Elecraft has been tasked with dealing
>>> with the cyber security aspects of this new toy, and what plans you may
>>> have for outside pen testing, etc. have been made.
>>>
>>> At the very least, you should be using authenticated boot and
>>> authenticated flash, protected by a root certificate in an internal
>>> hardware trust anchor.
>>>
>>> 73,
>>>
>>> -- Dave, N8SBE
>>>
>>> -------- Original Message --------
>>> Subject: Re: [Elecraft] K4 and Linux Infrastructure
>>> From: Wayne Burdick <[hidden email]>
>>> Date: Sun, June 02, 2019 11:52 am
>>> To: Leroy Buller <[hidden email]>
>>> Cc: Elecraft Reflector <[hidden email]>, Lee Buller
>>> <[hidden email]>
>>>
>>> x86, not PI (ARM). It's the controller for internal/external displays
>>> and streaming I/O, runs the server for remote clients, and serves as the
>>> present/future app engine.
>>>
>>> Additional details pending.
>>>
>>> 73,
>>> Wayne
>>> N6KR
>>>
>>>
>>>
>>> ______________________________________________________________
>>> Elecraft mailing list
>>> Home: http://mailman.qth.net/mailman/listinfo/elecraft
>>> Help: http://mailman.qth.net/mmfaq.htm
>>> Post: mailto:[hidden email]
>>>
>>> This list hosted by: http://www.qsl.net
>>> Please help support this email list: http://www.qsl.net/donate.html
>>> ______________________________________________________________
>>> Elecraft mailing list
>>> Home: http://mailman.qth.net/mailman/listinfo/elecraft
>>> Help: http://mailman.qth.net/mmfaq.htm
>>> Post: mailto:[hidden email]
>>>
>>> This list hosted by: http://www.qsl.net
>>> Please help support this email list: http://www.qsl.net/donate.html
>>> ______________________________________________________________
>>> Elecraft mailing list
>>> Home: http://mailman.qth.net/mailman/listinfo/elecraft
>>> Help: http://mailman.qth.net/mmfaq.htm
>>> Post: mailto:[hidden email]
>>>
>>> This list hosted by: http://www.qsl.net
>>> Please help support this email list: http://www.qsl.net/donate.html
>> ______________________________________________________________
>> Elecraft mailing list
>> Home: http://mailman.qth.net/mailman/listinfo/elecraft
>> Help: http://mailman.qth.net/mmfaq.htm
>> Post: mailto:[hidden email]
>>
>> This list hosted by: http://www.qsl.net
>> Please help support this email list: http://www.qsl.net/donate.html
>>
> ______________________________________________________________
> Elecraft mailing list
> Home: http://mailman.qth.net/mailman/listinfo/elecraft
> Help: http://mailman.qth.net/mmfaq.htm
> Post: mailto:[hidden email]
>
> This list hosted by: http://www.qsl.net
> Please help support this email list: http://www.qsl.net/donate.html
______________________________________________________________
Elecraft mailing list
Home: http://mailman.qth.net/mailman/listinfo/elecraft
Help: http://mailman.qth.net/mmfaq.htm
Post: mailto:[hidden email]

This list hosted by: http://www.qsl.net
Please help support this email list: http://www.qsl.net/donate.html
Reply | Threaded
Open this post in threaded view
|

Re: K4 and Linux Infrastructure

W2xj
In reply to this post by alorona
At this point I am pretty sure Elecraft is up to their neck getting a clean basic radio out on schedule. Additional bells and whistles will probably take a while.

Sent from my iPad

> On Jun 3, 2019, at 6:07 PM, Al Lorona <[hidden email]> wrote:
>
> You guys have now reached the scenario I was trying to ask about last week, but obviously didn't make myself understood.
> When I asked if the K4 would be able to 'talk to the outside world', I meant an ability to initiate communications with a web site, a server, or something else.
> Yes, allowing users to get down to the operating system would probably be unmanageable. But what about loading 'apps', in the same way that you install apps on your phone? I could see a logging app, a reverse beacon app, or something else that would add real functionality to the radio. I'm sure that's been talked about... and I wonder what the thinking is along these lines.
> R,
> Al  W6LX
> ______________________________________________________________
> Elecraft mailing list
> Home: http://mailman.qth.net/mailman/listinfo/elecraft
> Help: http://mailman.qth.net/mmfaq.htm
> Post: mailto:[hidden email]
>
> This list hosted by: http://www.qsl.net
> Please help support this email list: http://www.qsl.net/donate.html

______________________________________________________________
Elecraft mailing list
Home: http://mailman.qth.net/mailman/listinfo/elecraft
Help: http://mailman.qth.net/mmfaq.htm
Post: mailto:[hidden email]

This list hosted by: http://www.qsl.net
Please help support this email list: http://www.qsl.net/donate.html
Reply | Threaded
Open this post in threaded view
|

Re: K4 and Linux Infrastructure

Jeff Scaparra
In reply to this post by Lynn W. Taylor, WB6UUT-3
Missed reply all.

At some level even if they do "only" have apps they will have this problem.
App developers will need to be able to modify and test things. Also I doubt
that there would be many apps if this is a separate process than mainstream
linux/windows. why would a hobby developer want to build a separate thing
just for one pretty expensive radio when they could just build the app for
linux or windows and support everyone.

Maybe they have some trick to make app onboarding easy.

My 2 cents
Jeff N6SDR


>> On Mon, Jun 3, 2019, 5:45 PM Lynn W. Taylor, WB6UUT <
>> [hidden email]> wrote:
>>
>>> Seriously folks, think about the folks in Elecraft support and Service.
>>>
>>> Imagine spending an hour working through a problem just to find out that
>>> someone is running modified firmware (and this is firmware, not software
>>> for us to play with).
>>>
>>> It's an embedded system.  If you break it, you own both parts, and
>>> Elecraft would need a 100% reliable way to verify that you didn't
>>> introduce bugs.
>>>
>>> Let this idea go, folks.
>>>
>>> -- Lynn
>>>
>>> On 6/3/2019 3:31 PM, Dave Cole (NK7Z) wrote:
>>> > Based on the lack of ability to chance the CW rise times, I suspect
>>> > Elecraft will not give access to the processor, and OS.  I would not.
>>> >
>>> > Why?  If too many users change things, and break things, the radio
>>> will
>>> > get a bad rep...  If Elecraft is smart, they will lock the users out
>>> of
>>> > that level of access.
>>> >
>>> > 73s and thanks,
>>> > Dave (NK7Z)
>>> > https://www.nk7z.net
>>> > ARRL Technical Specialist
>>> > ARRL Volunteer Examiner
>>> > ARRL Asst. Director, NW Division, Technical Resource
>>> >
>>> > On 6/3/19 2:04 PM, Jeff Scaparra wrote:
>>> >> I believe these are all good points that elecraft should consider. As
>>> for
>>> >> myself I am a tinker-er and as such i can imagine many things i would
>>> >> like
>>> >> to do with the on board system. Personally I would like the option of
>>> >> "unlocking" access do that I could use the underlying linux system and
>>> >> would be willing to be responsible for the security of the system if
>>> I
>>> >> did
>>> >> so. I know there will be many who just want a good radio to operate
>>> and
>>> >> that is why I am suggesting that maybe this is a opt into thing with
>>> the
>>> >> caveat that if you unlock this your responsible to keep the radio
>>> secure.
>>> >>
>>> >> Jeff
>>> >> N5SDR
>>> >>
>>> >> On Mon, Jun 3, 2019, 3:35 PM Dave New, N8SBE <[hidden email]> wrote:
>>> >>
>>> >>> Paul,
>>> >>>
>>> >>> I believe you mistook the 'direction' of DDOS attack I was talking
>>> >>> about.
>>> >>>
>>> >>> The K4 would not be the target of a DDOS attack, but rather an
>>> unwitting
>>> >>> participant in launching a DDOS attack as part of robot army of IoT
>>> >>> devices.
>>> >>>
>>> >>> Thousands of hacked IoT devices are for rent on the dark web, for any
>>> >>> script kiddie that wants to attack a particular target.
>>> >>>
>>> >>> Also, it may be popular to use hacked web sites, or various documents
>>> >>> with trojan horse loads to deliver ransom ware or bitcoin miners, but
>>> >>> there are other known vectors, including various open ports found
>>> while
>>> >>> scanning.  It may be the a router would be able to block access, but
>>> the
>>> >>> very peer-to-peer nature of the K4 (controlling other K4's or being
>>> >>> controlled by another K4 or PC, tablet, etc, means that routers would
>>> >>> need to allow certain inbound connections through the router or
>>> >>> firewall.  These allow for interesting attack vectors, which will
>>> >>> certainly be exercised, if possible.
>>> >>>
>>> >>> 73,
>>> >>>
>>> >>> -- Dave, N8SBE
>>> >>>
>>> >>> -------- Original Message --------
>>> >>> Subject: Re: [Elecraft] K4 and Linux Infrastructure
>>> >>> From: Paul Gacek <[hidden email]>
>>> >>> Date: Mon, June 03, 2019 4:00 pm
>>> >>> To: "Dave New, N8SBE" <[hidden email]>
>>> >>> Cc: Elecraft Reflector <[hidden email]>, Rick WA6NHC
>>> >>> <[hidden email]>
>>> >>>
>>> >>> Dave
>>> >>>
>>> >>> DDOS is quite hard for any end point (PC, iPhone, K4 etc) to deal
>>> with
>>> >>> effectively. If a million zombie Macs decide to simultaneously attack
>>> >>> your end point your best chance is as Rick states, a device that
>>> makes
>>> >>> up the perimeter defenses such as a firewall or cyber security
>>> >>> alternative (i.e router, IDP). Most homes don’t have anything
>>> >>> particularly sophisticated deployed and are therefore somewhat
>>> >>> vulnerable. In truth DDOS attacks are quite rare and typically not
>>> aimed
>>> >>> at Citizen Dave or his neighbors. Protection albeit optimistic is
>>> really
>>> >>> in the realm of a corporate network but even then we have a few cases
>>> >>> where iconic sites get hammered and go dark. Enabling the K4 to
>>> defend
>>> >>> against DDOS is a little like building a house to withstand random
>>> bits
>>> >>> of ISS dropping in unexpectedly; not something I’m expecting to be
>>> >>> paying for.
>>> >>>
>>> >>> Unwanted ransomware or bitcoin mining programs are most likely the
>>> >>> result of an unwitting end user at and end point (PC, Android etc)
>>> doing
>>> >>> something that resulted in the malware ending up on their end point.
>>> >>> Could be surfing to a suspect web site (www.PawnStorm4U.com) or even
>>> >>> going to a compromised but reputable site such as NASA.gov.
>>> >>> Alternatively, it could be someone opening a compromised PDF or
>>> >>> Word/Excel attachment. The best protection here is to be cautious and
>>> >>> mindful of what you do in the cyber world and absolutely make sure
>>> you
>>> >>> are running the most uptodate OS (not XP) and to its most current
>>> patch
>>> >>> level.
>>> >>>
>>> >>>
>>> >>> Presumably but maybe not, the K4 won’t make available to the ham
>>> >>> operator a browser that allows them to surf wherever nor an email
>>> client
>>> >>> that they can read Excel attachments at the whim of the ham operator.
>>> >>> That is best done outside of the K4.
>>> >>>
>>> >>>
>>> >>> Hardening Linux, following best practices on coding and penetration
>>> >>> testing are all things to be aware of and implement as appropriately.
>>> >>>
>>> >>>
>>> >>> For those who might be interested in perusing details of some of
>>> these
>>> >>> topics these links might be interesting;
>>> >>> Secure Coding Practices
>>> >>> https://msdn.microsoft.com/en-us/aa570401Hardening Linux
>>> >>>
>>> >>>
>>> https://www.computerworld.com/article/3144985/linux-hardening-a-15-step-checklist-for-a-secure-linux-server.htmlPenetration
>>> >>>
>>> >>> Testing https://www.tenable.com
>>> >>>
>>> >>>
>>> >>> With Elecraft’s proximity to Silicon Valley and presumably contacts
>>> >>> abounding, I’m optimistic the K4 will do us proud and I won’t have
>>> >>> to rely on Rocky and Bullwinkle to keep nefarious foreign agents out
>>> of
>>> >>> my K4.
>>> >>>
>>> >>>
>>> >>> Paul
>>> >>> W6PNG/M0SNA
>>> >>> www.nomadic.blog
>>> >>>
>>> >>>
>>> >>>
>>> >>>
>>> >>>
>>> >>>
>>> >>> On Jun 3, 2019, at 7:58 PM, Rick WA6NHC <[hidden email]> wrote:
>>> >>>
>>> >>> Much of that protection can be implemented at the router level (>90%
>>> of
>>> >>> all sites) and the internal linux (fairly bullet proof) will deal
>>> with
>>> >>> the radio talking to the world.
>>> >>>
>>> >>> It shouldn't be too difficult for Elecraft to refine security to the
>>> >>> radio, you'd only need a few ports of network access, which if
>>> required,
>>> >>> could be coded to set values (MAC address) up to the menu level...
>>> or
>>> >>> limited access into the linux side of the radio.
>>> >>>
>>> >>> I'm confident it has been considered and managed with the usual
>>> Elecraft
>>> >>> elegance.
>>> >>>
>>> >>> Rick NHC
>>> >>>
>>> >>>
>>> >>> On 6/3/2019 11:50 AM, Dave New, N8SBE wrote:
>>> >>> So, let's let the elephant in the room bellow a bit.
>>> >>>
>>> >>> Ahem, CYBER SECURITY.
>>> >>>
>>> >>> Now that you've put a popular, modern OS in the K4, and hooked it up
>>> to
>>> >>> Ethernet (and therefore the Internet), you've just opened a stinking
>>> >>> pile of attack vectors.
>>> >>>
>>> >>> And please don't think that no one will bother figuring out how to
>>> 'own'
>>> >>> such a powerful connected processor.  If you spend anytime reading
>>> up on
>>> >>> things like Distributed Denial of Service (DDOS) attacks, you will
>>> find
>>> >>> that things like webcams and routers (which typically don't even
>>> have a
>>> >>> 32-bit OS in them) have been marshaled to unleash frightening
>>> >>> multi-gigabit attacks on various targets.
>>> >>>
>>> >>> Or, try the newest craze, dropping Bitcoin or other digital currency
>>> >>> mining engines on unsuspecting machines, taking them over hog mode,
>>> and
>>> >>> pegging the CPU at 100%, using your electric bill for their gain.
>>> >>>
>>> >>> Or, maybe the K4 will be the first ham radio to suffer from a
>>> >>> ransom-ware attack, where the poor ham is asked to ante up some
>>> ransom
>>> >>> (in bitcoin usually, to make it hard to track) to get control of his
>>> >>> radio back.
>>> >>>
>>> >>> True, at least one or more other companies have already stepped out
>>> >>> ahead, by putting Windows 10 in their radio.
>>> >>>
>>> >>> I'm just wondering if anyone at Elecraft has been tasked with dealing
>>> >>> with the cyber security aspects of this new toy, and what plans you
>>> may
>>> >>> have for outside pen testing, etc. have been made.
>>> >>>
>>> >>> At the very least, you should be using authenticated boot and
>>> >>> authenticated flash, protected by a root certificate in an internal
>>> >>> hardware trust anchor.
>>> >>>
>>> >>> 73,
>>> >>>
>>> >>> -- Dave, N8SBE
>>> >>>
>>> >>> -------- Original Message --------
>>> >>> Subject: Re: [Elecraft] K4 and Linux Infrastructure
>>> >>> From: Wayne Burdick <[hidden email]>
>>> >>> Date: Sun, June 02, 2019 11:52 am
>>> >>> To: Leroy Buller <[hidden email]>
>>> >>> Cc: Elecraft Reflector <[hidden email]>, Lee Buller
>>> >>> <[hidden email]>
>>> >>>
>>> >>> x86, not PI (ARM). It's the controller for internal/external displays
>>> >>> and streaming I/O, runs the server for remote clients, and serves as
>>> the
>>> >>> present/future app engine.
>>> >>>
>>> >>> Additional details pending.
>>> >>>
>>> >>> 73,
>>> >>> Wayne
>>> >>> N6KR
>>> >>>
>>> >>>
>>> >>>
>>> >>> ______________________________________________________________
>>> >>> Elecraft mailing list
>>> >>> Home: http://mailman.qth.net/mailman/listinfo/elecraft
>>> >>> Help: http://mailman.qth.net/mmfaq.htm
>>> >>> Post: mailto:[hidden email]
>>> >>>
>>> >>> This list hosted by: http://www.qsl.net
>>> >>> Please help support this email list: http://www.qsl.net/donate.html
>>> >>> ______________________________________________________________
>>> >>> Elecraft mailing list
>>> >>> Home: http://mailman.qth.net/mailman/listinfo/elecraft
>>> >>> Help: http://mailman.qth.net/mmfaq.htm
>>> >>> Post: mailto:[hidden email]
>>> >>>
>>> >>> This list hosted by: http://www.qsl.net
>>> >>> Please help support this email list: http://www.qsl.net/donate.html
>>> >>> ______________________________________________________________
>>> >>> Elecraft mailing list
>>> >>> Home: http://mailman.qth.net/mailman/listinfo/elecraft
>>> >>> Help: http://mailman.qth.net/mmfaq.htm
>>> >>> Post: mailto:[hidden email]
>>> >>>
>>> >>> This list hosted by: http://www.qsl.net
>>> >>> Please help support this email list: http://www.qsl.net/donate.html
>>> >> ______________________________________________________________
>>> >> Elecraft mailing list
>>> >> Home: http://mailman.qth.net/mailman/listinfo/elecraft
>>> >> Help: http://mailman.qth.net/mmfaq.htm
>>> >> Post: mailto:[hidden email]
>>> >>
>>> >> This list hosted by: http://www.qsl.net
>>> >> Please help support this email list: http://www.qsl.net/donate.html
>>> >>
>>> > ______________________________________________________________
>>> > Elecraft mailing list
>>> > Home: http://mailman.qth.net/mailman/listinfo/elecraft
>>> > Help: http://mailman.qth.net/mmfaq.htm
>>> > Post: mailto:[hidden email]
>>> >
>>> > This list hosted by: http://www.qsl.net
>>> > Please help support this email list: http://www.qsl.net/donate.html
>>> ______________________________________________________________
>>> Elecraft mailing list
>>> Home: http://mailman.qth.net/mailman/listinfo/elecraft
>>> Help: http://mailman.qth.net/mmfaq.htm
>>> Post: mailto:[hidden email]
>>>
>>> This list hosted by: http://www.qsl.net
>>> Please help support this email list: http://www.qsl.net/donate.html
>>>
>>>
______________________________________________________________
Elecraft mailing list
Home: http://mailman.qth.net/mailman/listinfo/elecraft
Help: http://mailman.qth.net/mmfaq.htm
Post: mailto:[hidden email]

This list hosted by: http://www.qsl.net
Please help support this email list: http://www.qsl.net/donate.html
Reply | Threaded
Open this post in threaded view
|

Re: K4 and Linux Infrastructure

Leroy Buller
In reply to this post by Lynn W. Taylor, WB6UUT-3
Interesting discussion.  I think and surmise that the engineers at Elecraft
had to put in a pretty powerful OS and processor to do all of what they
want to do in the box.  Especially with 4 RX in the box plus all the other
things it will do.  But, besides the issues mentioned in this thread  it is
exciting what the possibilities are with the CPU in the box.  I think it is
ingenuous.

Lee K0WA

On Mon, Jun 3, 2019, 5:45 PM Lynn W. Taylor, WB6UUT <
[hidden email] wrote:

> Seriously folks, think about the folks in Elecraft support and Service.
>
> Imagine spending an hour working through a problem just to find out that
> someone is running modified firmware (and this is firmware, not software
> for us to play with).
>
> It's an embedded system.  If you break it, you own both parts, and
> Elecraft would need a 100% reliable way to verify that you didn't
> introduce bugs.
>
> Let this idea go, folks.
>
> -- Lynn
>
> On 6/3/2019 3:31 PM, Dave Cole (NK7Z) wrote:
> > Based on the lack of ability to chance the CW rise times, I suspect
> > Elecraft will not give access to the processor, and OS.  I would not.
> >
> > Why?  If too many users change things, and break things, the radio will
> > get a bad rep...  If Elecraft is smart, they will lock the users out of
> > that level of access.
> >
> > 73s and thanks,
> > Dave (NK7Z)
> > https://www.nk7z.net
> > ARRL Technical Specialist
> > ARRL Volunteer Examiner
> > ARRL Asst. Director, NW Division, Technical Resource
> >
> > On 6/3/19 2:04 PM, Jeff Scaparra wrote:
> >> I believe these are all good points that elecraft should consider. As
> for
> >> myself I am a tinker-er and as such i can imagine many things i would
> >> like
> >> to do with the on board system. Personally I would like the option of
> >> "unlocking" access do that I could use the underlying linux system and
> >> would be willing to be responsible for the security of the system if I
> >> did
> >> so. I know there will be many who just want a good radio to operate and
> >> that is why I am suggesting that maybe this is a opt into thing with the
> >> caveat that if you unlock this your responsible to keep the radio
> secure.
> >>
> >> Jeff
> >> N5SDR
> >>
> >> On Mon, Jun 3, 2019, 3:35 PM Dave New, N8SBE <[hidden email]> wrote:
> >>
> >>> Paul,
> >>>
> >>> I believe you mistook the 'direction' of DDOS attack I was talking
> >>> about.
> >>>
> >>> The K4 would not be the target of a DDOS attack, but rather an
> unwitting
> >>> participant in launching a DDOS attack as part of robot army of IoT
> >>> devices.
> >>>
> >>> Thousands of hacked IoT devices are for rent on the dark web, for any
> >>> script kiddie that wants to attack a particular target.
> >>>
> >>> Also, it may be popular to use hacked web sites, or various documents
> >>> with trojan horse loads to deliver ransom ware or bitcoin miners, but
> >>> there are other known vectors, including various open ports found while
> >>> scanning.  It may be the a router would be able to block access, but
> the
> >>> very peer-to-peer nature of the K4 (controlling other K4's or being
> >>> controlled by another K4 or PC, tablet, etc, means that routers would
> >>> need to allow certain inbound connections through the router or
> >>> firewall.  These allow for interesting attack vectors, which will
> >>> certainly be exercised, if possible.
> >>>
> >>> 73,
> >>>
> >>> -- Dave, N8SBE
> >>>
> >>> -------- Original Message --------
> >>> Subject: Re: [Elecraft] K4 and Linux Infrastructure
> >>> From: Paul Gacek <[hidden email]>
> >>> Date: Mon, June 03, 2019 4:00 pm
> >>> To: "Dave New, N8SBE" <[hidden email]>
> >>> Cc: Elecraft Reflector <[hidden email]>, Rick WA6NHC
> >>> <[hidden email]>
> >>>
> >>> Dave
> >>>
> >>> DDOS is quite hard for any end point (PC, iPhone, K4 etc) to deal with
> >>> effectively. If a million zombie Macs decide to simultaneously attack
> >>> your end point your best chance is as Rick states, a device that makes
> >>> up the perimeter defenses such as a firewall or cyber security
> >>> alternative (i.e router, IDP). Most homes don’t have anything
> >>> particularly sophisticated deployed and are therefore somewhat
> >>> vulnerable. In truth DDOS attacks are quite rare and typically not
> aimed
> >>> at Citizen Dave or his neighbors. Protection albeit optimistic is
> really
> >>> in the realm of a corporate network but even then we have a few cases
> >>> where iconic sites get hammered and go dark. Enabling the K4 to defend
> >>> against DDOS is a little like building a house to withstand random bits
> >>> of ISS dropping in unexpectedly; not something I’m expecting to be
> >>> paying for.
> >>>
> >>> Unwanted ransomware or bitcoin mining programs are most likely the
> >>> result of an unwitting end user at and end point (PC, Android etc)
> doing
> >>> something that resulted in the malware ending up on their end point.
> >>> Could be surfing to a suspect web site (www.PawnStorm4U.com) or even
> >>> going to a compromised but reputable site such as NASA.gov.
> >>> Alternatively, it could be someone opening a compromised PDF or
> >>> Word/Excel attachment. The best protection here is to be cautious and
> >>> mindful of what you do in the cyber world and absolutely make sure you
> >>> are running the most uptodate OS (not XP) and to its most current patch
> >>> level.
> >>>
> >>>
> >>> Presumably but maybe not, the K4 won’t make available to the ham
> >>> operator a browser that allows them to surf wherever nor an email
> client
> >>> that they can read Excel attachments at the whim of the ham operator.
> >>> That is best done outside of the K4.
> >>>
> >>>
> >>> Hardening Linux, following best practices on coding and penetration
> >>> testing are all things to be aware of and implement as appropriately.
> >>>
> >>>
> >>> For those who might be interested in perusing details of some of these
> >>> topics these links might be interesting;
> >>> Secure Coding Practices
> >>> https://msdn.microsoft.com/en-us/aa570401Hardening Linux
> >>>
> >>>
> https://www.computerworld.com/article/3144985/linux-hardening-a-15-step-checklist-for-a-secure-linux-server.htmlPenetration
> >>>
> >>> Testing https://www.tenable.com
> >>>
> >>>
> >>> With Elecraft’s proximity to Silicon Valley and presumably contacts
> >>> abounding, I’m optimistic the K4 will do us proud and I won’t have
> >>> to rely on Rocky and Bullwinkle to keep nefarious foreign agents out of
> >>> my K4.
> >>>
> >>>
> >>> Paul
> >>> W6PNG/M0SNA
> >>> www.nomadic.blog
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>> On Jun 3, 2019, at 7:58 PM, Rick WA6NHC <[hidden email]> wrote:
> >>>
> >>> Much of that protection can be implemented at the router level (>90% of
> >>> all sites) and the internal linux (fairly bullet proof) will deal with
> >>> the radio talking to the world.
> >>>
> >>> It shouldn't be too difficult for Elecraft to refine security to the
> >>> radio, you'd only need a few ports of network access, which if
> required,
> >>> could be coded to set values (MAC address) up to the menu level...  or
> >>> limited access into the linux side of the radio.
> >>>
> >>> I'm confident it has been considered and managed with the usual
> Elecraft
> >>> elegance.
> >>>
> >>> Rick NHC
> >>>
> >>>
> >>> On 6/3/2019 11:50 AM, Dave New, N8SBE wrote:
> >>> So, let's let the elephant in the room bellow a bit.
> >>>
> >>> Ahem, CYBER SECURITY.
> >>>
> >>> Now that you've put a popular, modern OS in the K4, and hooked it up to
> >>> Ethernet (and therefore the Internet), you've just opened a stinking
> >>> pile of attack vectors.
> >>>
> >>> And please don't think that no one will bother figuring out how to
> 'own'
> >>> such a powerful connected processor.  If you spend anytime reading up
> on
> >>> things like Distributed Denial of Service (DDOS) attacks, you will find
> >>> that things like webcams and routers (which typically don't even have a
> >>> 32-bit OS in them) have been marshaled to unleash frightening
> >>> multi-gigabit attacks on various targets.
> >>>
> >>> Or, try the newest craze, dropping Bitcoin or other digital currency
> >>> mining engines on unsuspecting machines, taking them over hog mode, and
> >>> pegging the CPU at 100%, using your electric bill for their gain.
> >>>
> >>> Or, maybe the K4 will be the first ham radio to suffer from a
> >>> ransom-ware attack, where the poor ham is asked to ante up some ransom
> >>> (in bitcoin usually, to make it hard to track) to get control of his
> >>> radio back.
> >>>
> >>> True, at least one or more other companies have already stepped out
> >>> ahead, by putting Windows 10 in their radio.
> >>>
> >>> I'm just wondering if anyone at Elecraft has been tasked with dealing
> >>> with the cyber security aspects of this new toy, and what plans you may
> >>> have for outside pen testing, etc. have been made.
> >>>
> >>> At the very least, you should be using authenticated boot and
> >>> authenticated flash, protected by a root certificate in an internal
> >>> hardware trust anchor.
> >>>
> >>> 73,
> >>>
> >>> -- Dave, N8SBE
> >>>
> >>> -------- Original Message --------
> >>> Subject: Re: [Elecraft] K4 and Linux Infrastructure
> >>> From: Wayne Burdick <[hidden email]>
> >>> Date: Sun, June 02, 2019 11:52 am
> >>> To: Leroy Buller <[hidden email]>
> >>> Cc: Elecraft Reflector <[hidden email]>, Lee Buller
> >>> <[hidden email]>
> >>>
> >>> x86, not PI (ARM). It's the controller for internal/external displays
> >>> and streaming I/O, runs the server for remote clients, and serves as
> the
> >>> present/future app engine.
> >>>
> >>> Additional details pending.
> >>>
> >>> 73,
> >>> Wayne
> >>> N6KR
> >>>
> >>>
> >>>
> >>> ______________________________________________________________
> >>> Elecraft mailing list
> >>> Home: http://mailman.qth.net/mailman/listinfo/elecraft
> >>> Help: http://mailman.qth.net/mmfaq.htm
> >>> Post: mailto:[hidden email]
> >>>
> >>> This list hosted by: http://www.qsl.net
> >>> Please help support this email list: http://www.qsl.net/donate.html
> >>> ______________________________________________________________
> >>> Elecraft mailing list
> >>> Home: http://mailman.qth.net/mailman/listinfo/elecraft
> >>> Help: http://mailman.qth.net/mmfaq.htm
> >>> Post: mailto:[hidden email]
> >>>
> >>> This list hosted by: http://www.qsl.net
> >>> Please help support this email list: http://www.qsl.net/donate.html
> >>> ______________________________________________________________
> >>> Elecraft mailing list
> >>> Home: http://mailman.qth.net/mailman/listinfo/elecraft
> >>> Help: http://mailman.qth.net/mmfaq.htm
> >>> Post: mailto:[hidden email]
> >>>
> >>> This list hosted by: http://www.qsl.net
> >>> Please help support this email list: http://www.qsl.net/donate.html
> >> ______________________________________________________________
> >> Elecraft mailing list
> >> Home: http://mailman.qth.net/mailman/listinfo/elecraft
> >> Help: http://mailman.qth.net/mmfaq.htm
> >> Post: mailto:[hidden email]
> >>
> >> This list hosted by: http://www.qsl.net
> >> Please help support this email list: http://www.qsl.net/donate.html
> >>
> > ______________________________________________________________
> > Elecraft mailing list
> > Home: http://mailman.qth.net/mailman/listinfo/elecraft
> > Help: http://mailman.qth.net/mmfaq.htm
> > Post: mailto:[hidden email]
> >
> > This list hosted by: http://www.qsl.net
> > Please help support this email list: http://www.qsl.net/donate.html
> ______________________________________________________________
> Elecraft mailing list
> Home: http://mailman.qth.net/mailman/listinfo/elecraft
> Help: http://mailman.qth.net/mmfaq.htm
> Post: mailto:[hidden email]
>
> This list hosted by: http://www.qsl.net
> Please help support this email list: http://www.qsl.net/donate.html
______________________________________________________________
Elecraft mailing list
Home: http://mailman.qth.net/mailman/listinfo/elecraft
Help: http://mailman.qth.net/mmfaq.htm
Post: mailto:[hidden email]

This list hosted by: http://www.qsl.net
Please help support this email list: http://www.qsl.net/donate.html
Reply | Threaded
Open this post in threaded view
|

Re: K4 and Linux Infrastructure

k6dgw
In reply to this post by Jeff Scaparra
Well, all good discussion, but I advise that you do not hold your breath
for "open firm/software in the K4," or basically any access at all. 
It's just beyond what any manufacturer can do.  I suppose Eric, who is
noted for his business skills, could start up an "E-tunes" app store for
the K4, with developer standards, testing, and the like.  I doubt that's
remotely close to the top of his To-Do list however.

Having just had my 79th birthday yesterday [thanks for all the HB's!], I
remember when Heath came out with an analog computer at what would have
been the beginning of the "Science Hobbyist" revolution.  Without the
Internet, there were no Email lists of course, but the number of "I did
this and it didn't do what I expected" inquiries was way more than they
expected.  Fortunately [for Heath] the customer base was very rapidly
exhausted and the Heathkit Analog Computer silently sailed into the sunset.

73,
Fred ["Skip"] K6DGW
Sparks NV DM09dn
Washoe County

PS:  Anyone who tells you "79 feels just like 78" is smoking their socks.

On 6/3/2019 4:02 PM, Jeff Scaparra wrote:

> Missed reply all.
>
> At some level even if they do "only" have apps they will have this problem.
> App developers will need to be able to modify and test things. Also I doubt
> that there would be many apps if this is a separate process than mainstream
> linux/windows. why would a hobby developer want to build a separate thing
> just for one pretty expensive radio when they could just build the app for
> linux or windows and support everyone.
>
> Maybe they have some trick to make app onboarding easy.
>
> My 2 cents
> Jeff N6SDR
>

______________________________________________________________
Elecraft mailing list
Home: http://mailman.qth.net/mailman/listinfo/elecraft
Help: http://mailman.qth.net/mmfaq.htm
Post: mailto:[hidden email]

This list hosted by: http://www.qsl.net
Please help support this email list: http://www.qsl.net/donate.html
Reply | Threaded
Open this post in threaded view
|

Re: K4 and Linux Infrastructure

Richard S. Leary
In reply to this post by Leroy Buller


Sent from my Verizon Wireless 4GLTE smartphone

----- Reply message -----
From: "Lynn W. Taylor, WB6UUT" <[hidden email]>
To: <[hidden email]>
Subject: [Elecraft] K4 and Linux Infrastructure
Date: Mon, Jun 3, 2019 15:45


Seriously folks, think about the folks in Elecraft support and Service.

Imagine spending an hour working through a problem just to find out that
someone is running modified firmware (and this is firmware, not software
for us to play with).

It's an embedded system.  If you break it, you own both parts, and
Elecraft would need a 100% reliable way to verify that you didn't
introduce bugs.

Let this idea go, folks.

-- Lynn

On 6/3/2019 3:31 PM, Dave Cole (NK7Z) wrote:

> Based on the lack of ability to chance the CW rise times, I suspect
> Elecraft will not give access to the processor, and OS.  I would not.
>
> Why?  If too many users change things, and break things, the radio will
> get a bad rep...  If Elecraft is smart, they will lock the users out of
> that level of access.
>
> 73s and thanks,
> Dave (NK7Z)
> https://www.nk7z.net
> ARRL Technical Specialist
> ARRL Volunteer Examiner
> ARRL Asst. Director, NW Division, Technical Resource
>
> On 6/3/19 2:04 PM, Jeff Scaparra wrote:
>> I believe these are all good points that elecraft should consider. As for
>> myself I am a tinker-er and as such i can imagine many things i would
>> like
>> to do with the on board system. Personally I would like the option of
>> "unlocking" access do that I could use the underlying linux system and
>> would be willing to be responsible for the security of the system if I
>> did
>> so. I know there will be many who just want a good radio to operate and
>> that is why I am suggesting that maybe this is a opt into thing with the
>> caveat that if you unlock this your responsible to keep the radio secure.
>>
>> Jeff
>> N5SDR
>>
>> On Mon, Jun 3, 2019, 3:35 PM Dave New, N8SBE <[hidden email]> wrote:
>>
>>> Paul,
>>>
>>> I believe you mistook the 'direction' of DDOS attack I was talking
>>> about.
>>>
>>> The K4 would not be the target of a DDOS attack, but rather an unwitting
>>> participant in launching a DDOS attack as part of robot army of IoT
>>> devices.
>>>
>>> Thousands of hacked IoT devices are for rent on the dark web, for any
>>> script kiddie that wants to attack a particular target.
>>>
>>> Also, it may be popular to use hacked web sites, or various documents
>>> with trojan horse loads to deliver ransom ware or bitcoin miners, but
>>> there are other known vectors, including various open ports found while
>>> scanning.  It may be the a router would be able to block access, but the
>>> very peer-to-peer nature of the K4 (controlling other K4's or being
>>> controlled by another K4 or PC, tablet, etc, means that routers would
>>> need to allow certain inbound connections through the router or
>>> firewall.  These allow for interesting attack vectors, which will
>>> certainly be exercised, if possible.
>>>
>>> 73,
>>>
>>> -- Dave, N8SBE
>>>
>>> -------- Original Message --------
>>> Subject: Re: [Elecraft] K4 and Linux Infrastructure
>>> From: Paul Gacek <[hidden email]>
>>> Date: Mon, June 03, 2019 4:00 pm
>>> To: "Dave New, N8SBE" <[hidden email]>
>>> Cc: Elecraft Reflector <[hidden email]>, Rick WA6NHC
>>> <[hidden email]>
>>>
>>> Dave
>>>
>>> DDOS is quite hard for any end point (PC, iPhone, K4 etc) to deal with
>>> effectively. If a million zombie Macs decide to simultaneously attack
>>> your end point your best chance is as Rick states, a device that makes
>>> up the perimeter defenses such as a firewall or cyber security
>>> alternative (i.e router, IDP). Most homes don’t have anything
>>> particularly sophisticated deployed and are therefore somewhat
>>> vulnerable. In truth DDOS attacks are quite rare and typically not aimed
>>> at Citizen Dave or his neighbors. Protection albeit optimistic is really
>>> in the realm of a corporate network but even then we have a few cases
>>> where iconic sites get hammered and go dark. Enabling the K4 to defend
>>> against DDOS is a little like building a house to withstand random bits
>>> of ISS dropping in unexpectedly; not something I’m expecting to be
>>> paying for.
>>>
>>> Unwanted ransomware or bitcoin mining programs are most likely the
>>> result of an unwitting end user at and end point (PC, Android etc) doing
>>> something that resulted in the malware ending up on their end point.
>>> Could be surfing to a suspect web site (www.PawnStorm4U.com) or even
>>> going to a compromised but reputable site such as NASA.gov.
>>> Alternatively, it could be someone opening a compromised PDF or
>>> Word/Excel attachment. The best protection here is to be cautious and
>>> mindful of what you do in the cyber world and absolutely make sure you
>>> are running the most uptodate OS (not XP) and to its most current patch
>>> level.
>>>
>>>
>>> Presumably but maybe not, the K4 won’t make available to the ham
>>> operator a browser that allows them to surf wherever nor an email client
>>> that they can read Excel attachments at the whim of the ham operator.
>>> That is best done outside of the K4.
>>>
>>>
>>> Hardening Linux, following best practices on coding and penetration
>>> testing are all things to be aware of and implement as appropriately.
>>>
>>>
>>> For those who might be interested in perusing details of some of these
>>> topics these links might be interesting;
>>> Secure Coding Practices
>>> https://msdn.microsoft.com/en-us/aa570401Hardening Linux
>>>
>>> https://www.computerworld.com/article/3144985/linux-hardening-a-15-step-checklist-for-a-secure-linux-server.htmlPenetration 
>>>
>>> Testing https://www.tenable.com
>>>
>>>
>>> With Elecraft’s proximity to Silicon Valley and presumably contacts
>>> abounding, I’m optimistic the K4 will do us proud and I won’t have
>>> to rely on Rocky and Bullwinkle to keep nefarious foreign agents out of
>>> my K4.
>>>
>>>
>>> Paul
>>> W6PNG/M0SNA
>>> www.nomadic.blog
>>>
>>>
>>>
>>>
>>>
>>>
>>> On Jun 3, 2019, at 7:58 PM, Rick WA6NHC <[hidden email]> wrote:
>>>
>>> Much of that protection can be implemented at the router level (>90% of
>>> all sites) and the internal linux (fairly bullet proof) will deal with
>>> the radio talking to the world.
>>>
>>> It shouldn't be too difficult for Elecraft to refine security to the
>>> radio, you'd only need a few ports of network access, which if required,
>>> could be coded to set values (MAC address) up to the menu level...  or
>>> limited access into the linux side of the radio.
>>>
>>> I'm confident it has been considered and managed with the usual Elecraft
>>> elegance.
>>>
>>> Rick NHC
>>>
>>>
>>> On 6/3/2019 11:50 AM, Dave New, N8SBE wrote:
>>> So, let's let the elephant in the room bellow a bit.
>>>
>>> Ahem, CYBER SECURITY.
>>>
>>> Now that you've put a popular, modern OS in the K4, and hooked it up to
>>> Ethernet (and therefore the Internet), you've just opened a stinking
>>> pile of attack vectors.
>>>
>>> And please don't think that no one will bother figuring out how to 'own'
>>> such a powerful connected processor.  If you spend anytime reading up on
>>> things like Distributed Denial of Service (DDOS) attacks, you will find
>>> that things like webcams and routers (which typically don't even have a
>>> 32-bit OS in them) have been marshaled to unleash frightening
>>> multi-gigabit attacks on various targets.
>>>
>>> Or, try the newest craze, dropping Bitcoin or other digital currency
>>> mining engines on unsuspecting machines, taking them over hog mode, and
>>> pegging the CPU at 100%, using your electric bill for their gain.
>>>
>>> Or, maybe the K4 will be the first ham radio to suffer from a
>>> ransom-ware attack, where the poor ham is asked to ante up some ransom
>>> (in bitcoin usually, to make it hard to track) to get control of his
>>> radio back.
>>>
>>> True, at least one or more other companies have already stepped out
>>> ahead, by putting Windows 10 in their radio.
>>>
>>> I'm just wondering if anyone at Elecraft has been tasked with dealing
>>> with the cyber security aspects of this new toy, and what plans you may
>>> have for outside pen testing, etc. have been made.
>>>
>>> At the very least, you should be using authenticated boot and
>>> authenticated flash, protected by a root certificate in an internal
>>> hardware trust anchor.
>>>
>>> 73,
>>>
>>> -- Dave, N8SBE
>>>
>>> -------- Original Message --------
>>> Subject: Re: [Elecraft] K4 and Linux Infrastructure
>>> From: Wayne Burdick <[hidden email]>
>>> Date: Sun, June 02, 2019 11:52 am
>>> To: Leroy Buller <[hidden email]>
>>> Cc: Elecraft Reflector <[hidden email]>, Lee Buller
>>> <[hidden email]>
>>>
>>> x86, not PI (ARM). It's the controller for internal/external displays
>>> and streaming I/O, runs the server for remote clients, and serves as the
>>> present/future app engine.
>>>
>>> Additional details pending.
>>>
>>> 73,
>>> Wayne
>>> N6KR
>>>
>>>
>>>
>>> ______________________________________________________________
>>> Elecraft mailing list
>>> Home: http://mailman.qth.net/mailman/listinfo/elecraft
>>> Help: http://mailman.qth.net/mmfaq.htm
>>> Post: mailto:[hidden email]
>>>
>>> This list hosted by: http://www.qsl.net
>>> Please help support this email list: http://www.qsl.net/donate.html
>>> ______________________________________________________________
>>> Elecraft mailing list
>>> Home: http://mailman.qth.net/mailman/listinfo/elecraft
>>> Help: http://mailman.qth.net/mmfaq.htm
>>> Post: mailto:[hidden email]
>>>
>>> This list hosted by: http://www.qsl.net
>>> Please help support this email list: http://www.qsl.net/donate.html
>>> ______________________________________________________________
>>> Elecraft mailing list
>>> Home: http://mailman.qth.net/mailman/listinfo/elecraft
>>> Help: http://mailman.qth.net/mmfaq.htm
>>> Post: mailto:[hidden email]
>>>
>>> This list hosted by: http://www.qsl.net
>>> Please help support this email list: http://www.qsl.net/donate.html
>> ______________________________________________________________
>> Elecraft mailing list
>> Home: http://mailman.qth.net/mailman/listinfo/elecraft
>> Help: http://mailman.qth.net/mmfaq.htm
>> Post: mailto:[hidden email]
>>
>> This list hosted by: http://www.qsl.net
>> Please help support this email list: http://www.qsl.net/donate.html
>>
> ______________________________________________________________
> Elecraft mailing list
> Home: http://mailman.qth.net/mailman/listinfo/elecraft
> Help: http://mailman.qth.net/mmfaq.htm
> Post: mailto:[hidden email]
>
> This list hosted by: http://www.qsl.net
> Please help support this email list: http://www.qsl.net/donate.html
______________________________________________________________
Elecraft mailing list
Home: http://mailman.qth.net/mailman/listinfo/elecraft
Help: http://mailman.qth.net/mmfaq.htm
Post: mailto:[hidden email]

This list hosted by: http://www.qsl.net
Please help support this email list: http://www.qsl.net/donate.html
______________________________________________________________
Elecraft mailing list
Home: http://mailman.qth.net/mailman/listinfo/elecraft
Help: http://mailman.qth.net/mmfaq.htm
Post: mailto:[hidden email]

This list hosted by: http://www.qsl.net
Please help support this email list: http://www.qsl.net/donate.html
Reply | Threaded
Open this post in threaded view
|

Re: K4 and Linux Infrastructure

Eric Swartz - WA6HHQ, Elecraft
Administrator
In reply to this post by NK7Z
I apologize if we have created any confusion on this topic.  (Yup - we have been
a little busy as of late with the K4 introduction ;-)

To be clear - we do not plan on granting open access to the main CPU or K4
internal operating system. That would be a impossible situation to support and
it would significantly impact product stability.

At this point, any additional internal software applications developed for the
K4 will be coming via Elecraft.

Of course we will certainly will have a robust external API for the K4.

In the interest of reducing list bandwidth overload, lets end this thread at
this time.

73,
Eric
/elecraft.com/

On 6/3/2019 3:31 PM, Dave Cole (NK7Z) wrote:
> Based on the lack of ability to chance the CW rise times, I suspect Elecraft
> will not give access to the processor, and OS.  I would not.
>
> Why?  If too many users change things, and break things, the radio will get a
> bad rep...  If Elecraft is smart, they will lock the users out of that level
> of access.

______________________________________________________________
Elecraft mailing list
Home: http://mailman.qth.net/mailman/listinfo/elecraft
Help: http://mailman.qth.net/mmfaq.htm
Post: mailto:[hidden email]

This list hosted by: http://www.qsl.net
Please help support this email list: http://www.qsl.net/donate.html
Reply | Threaded
Open this post in threaded view
|

Re: K4 and Linux Infrastructure

Elecraft mailing list
In reply to this post by Leroy Buller
Hi.

The problem these days, is not only if something is exposed to the www,
but even if it can only be "seen" by other nodes on the same LAN.   Such
as the main shack PC, that probably can reach out to the WWW.  Once
"something" gets into that PC (or your IoT lightbulbs!)  It can at it's
leisure scan your shack (and/or home) LAN, looking for other
nodes/devices to poke at later, after "phoning home" with the details of
what it found.

You all have got your dumb IoT devices (including TV's and PVR's) on a
segregated VLAN haven't you?  No!  You have work to do then!

Also, irrespective of the OS used, one way to reduce the chance of user
induced mayhem, is to boot from a (protected) read only medium, copy the
OS to RAM (for speed) and use another SD card as persistent storage,
with an option during the initial boot (if for example) some combination
of keys are held down, to load the default settings into the "user"
area, as an easy "Factory Reset" feature.

Then, whatever the user does, when (not if) they muck it up, there is an
easy get out of jail free card.

As to the network security issue, the only "secure" network device, is
disconnected, powered off and in a sealed & screened box!  Period.  What
may be regarded as secure "now", in six weeks time could be hacked to
hell and back by script kiddies all over the world.  In truth,
currently, the bad types have the upper hand.

Sadly (as with any OS) a continual surveillance of the ecostructure is
needed, and the inevitable updates.  There are many ways to do that of
course, some easier, and some more "secure" than others.  Security and
convenience are mutually exclusive, sadly.  (In the case of a RO boot
medium, a switch would need to be flipped to allow a (once verified)
image to be flashed onto it, one time, said switch auto resetting once
programmed.)  Or another card shipped in by post, and that's not as
secure as you might think either!

Regarding legitimate use of a LAN/WAN connection.  One would hope(?)
that at the bare minimum:-

The radio control firmware is not run as root.

Incoming ssh requests are ignored/blocked.

In the case ssh connections are allowed, root login by ssh is blocked,
and only pre authorised (by certificate) user(s) are allowed in
(Elecraft themselves for example.)

The use of su and sudo are blocked if anyone does get to a command line
as "a user".  Also browsing the OS software/settings folders is blocked,
should the firmware die, leaving the user at a command line.

Have the radio "reach out" to Elecraft central when needed using OpenVPN
(for example, using the current state of the art security model) to
check for updates (user initiated) or for Elecraft to remote admin,
after telling the user how to initiate that feature..

Any such automatic updates are "staged" within the rig, until they can
be verified as complete, uncorrupted and genuine, before being applied.

Any custom daemon software intended for legitimate remote
control/interface use, should be written in such a way, that any corrupt
or unknown commands (and/or parameters) are ignored, not even returning
any error code to the initiator.  Greatly reducing the ability of it to
be "fuzzed" for vulnerabilities.

Also, . 

Similarly, any code created to allow the radio to control accessories
via the LAN port (PA's ATU's etc) should be created with security in
mind.  Such command & communication links should be encrypted, so only
the intended endpoints can see/use the data.  ESPECIALLY, in the case
that such links traverse the public internet...  (A licence requirement
here in the UK by the way!)

Any built in Digimode software (PSK, RTTY, CW, JT modes etc) should also
be run in a VM, within the radio.  Hopefully preventing any possible
remote takeover issues via that route!  (None that I know of at this
time, but ...)

~ ~ ~

Trouble with all the above it, it takes */a lot of time and effort/* by
the equipment makers to do, and do right, plus the testing of it all, or
contracting in some qualified penetration-testing types to test it all
for you.  And that cost money.   That, and capable hardware to do all
that, is also not exactly low cost (but is getting lower in cost.)

Also, all the above is not unique to Linux, */all OS's/* have their
issues, just that some are better(or worse) than others.

Effective Security is difficult to make user proof.  Educate the users
first.  If nothing else, listen to the "Security Now" podcasts by your
countrymen.  https://twit.tv/sn  (Another episode later today.) 
Entertaining, and you might get an appreciation of just how much mayhem
is going on out there right now.

Happy Days!

Dave B G0WBX.

(I have learnt much of the above the hard way, by digging friends and
family, and some work colleagues, out of the mire induced by a lack of
knowledge of how to stay safe on-line, and from the Security Now podcasts.)


--
Created on and sent from a Unix like PC running and using free and open source software:

______________________________________________________________
Elecraft mailing list
Home: http://mailman.qth.net/mailman/listinfo/elecraft
Help: http://mailman.qth.net/mmfaq.htm
Post: mailto:[hidden email]

This list hosted by: http://www.qsl.net
Please help support this email list: http://www.qsl.net/donate.html