Re: Backdoor in KiwiSDR


Jim Lill
 

I agree, and let's hope that John will continue to help us even if it means one-on-one access. My recent ALE experiment was only possible because John had that access to one of my Kiwis, for example.

On 7/17/21 10:03 AM, Rob Robinett wrote:
I share Glenn and Stu's perspective on this issue.
Over the years John has demonstrated that he deserves our trust and appreciation for all of his work.
Hopefully all of this negative publicity doesn't drive him away from further work on the Kiwi.

On Fri, Jul 16, 2021 at 10:41 PM Stu C <stu@...> wrote:
As I understand it the access was permitted from only one IP address, so
unless the miscreant managed to get hold of that base and then launch
attacks, the risk is small.
I too trust John and have made an SDR available to him via SSH many
times without a moment's hesitation. One thing a generation focussed on
"correct" pronouns forgets is that the morals and ethics of the older
generation bear little resemblance to (many) of those today. People who
lived most of their lives before the internet would generally not have
stolen music or avoided paying for goods (like software).

I had a Chinese NVR that I had somehow forgotten the password to;
support did not have a way for me to personally reset it at the hardware,
but if I just gave it internet access they would do it for me in a
minute... yeah, no thanks. Half the complication of my home network
subnets, NAT and firewall is aimed at using off-the-shelf CCTV bits
without inviting a complete takeover of my home network or being a base
for further attacks. It is probably illegal to export an item from
country X without enabling a gov backdoor.

The fact that so many KiwiSDRs are still online makes me think that
most users understand this event and have decided the intention was good,
even if the inclusion does not suit today's world.

It has made me view the reporting of these events slightly differently:
drama sells, click bait, etc.

Stu



On 17/07/2021 06:10, Glenn Elmore wrote:
>
>
> That John has had root access to KiwiSDRs has not been a secret for
> many years. To even a casual reader of the forum this has been
> obvious. Personally I have been aware of this and felt John was
> trustworthy and him having root access to a host on my private network
> and being able to help with troubleshooting had acceptable
> risk/benefit ratio.
>
> What seems new is simply the high level publicity of this fact.
> Perhaps I'm being naive but the only new risk I see here is that the
> announcement may trigger increased hacking attempts. Hopefully the
> changes in v .461 have/will mitigate these risks.
>
> Does anyone know of an instance where this 'vulnerability' has been
> exploited? Am I being silly with this perspective?
>
> Glenn n6gn
>
>
> On 2021-07-16 13:55, Carol KP4MD wrote:
>
>> "On Wednesday, users learned that for years, their devices had been
>> equipped with a backdoor that allowed the KiwiSDR creator—and
>> possibly others—to log in to the devices with administrative system
>> rights. The remote admin could then make configuration changes and
>> access data not just for the KiwiSDR but in many cases to the
>> Raspberry Pi, BeagleBone
>> Black, or other computing devices the SDR hardware is connected to."
>>
>> The full story is at
>> https://arstechnica.com/gadgets/2021/07/for-years-a-backdoor-in-popular-kiwisdr-product-gave-root-to-project-developer/
>
>

--
Rob Robinett
AI6VN
mobile: +1 650 218 8896