8ish years ago, I wrote a script to search out Pis with port 22 opened to the internet with default un and pw. Let it run overnight.
The next morning I checked the log and it found thousands of Pis that I could have just logged into with root privileges if I wanted.
Never trust users.
But just search for "raspberry pi hosting" on your favorite search engine. There are tons of companies providing hosting on Pis, as crazy as it sounds and those come with IPs (but for a semi professional hosting place hopefully with different credentials ... but given how cheap many of those are it's more hope than expectation)
Still, it’s nice that you can get it online so wails but it was obviously not a good idea. Some software that sets WiFi and user info while flashing would be nice.
Fun anecdote: I used to log into people's Pis in college and show them that they needed to change the password. People don't react nicely to that.
Change their desktop picture to My Little Pony. (Some folks just left it.)
On macOS, put this into cron `5 */2 * * * sleep $((RANDOM \% 7200)) ; creepily_say_random_words.sh`:
#!/usr/bin/env bash
# Pick a few random non-empty lines from the system word list.
words=$(awk 'BEGIN {srand()} !/^$/ { if (rand() <= .000015) print $0}' /usr/share/dict/words)
echo "${words}"
# Speak the same words slowly with three voices at once.
for voice in junior ralph whisper; do
  say -r 70 -v "${voice}" "${words}" &
done
I was talking about this kind of thing with a US Santa Cruz researcher and she said they changed the default runlevel to 6.
Once, when again she left for lunch without locking her computer, a colleague of ours got up, made a screenshot of her desktop, put everything on her desktop into the download folder and replaced the background with the screenshot. When she returned from lunch she was very quickly irritated that her computer had stopped working, as she could no longer click any of her files and programs.
It was a blast. And she never left her computer unlocked again.
I also heard of one other company where the tradition was to send an email out to the rest of the company offering to bring in donuts.
I used to just dd the image, touch the 'ssh' file on the boot partition, and then change stuff over ssh.
> This file should contain a single line of text, consisting of username:encrypted-password – so your desired username, followed immediately by a colon, followed immediately by an encrypted representation of the password you want to use.
> To generate the encrypted password, the easiest way is to use OpenSSL on a Raspberry Pi that is already running – open a terminal window and enter
echo 'mypassword' | openssl passwd -6 -stdin
> This will produce what looks like a string of random characters, which is actually an encrypted version of the supplied password.
From the announcement [0], under "Headless setup".
[0] https://www.raspberrypi.com/news/raspberry-pi-bullseye-updat...
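The headless setup quoted above, as an added shell example that is not part of the original comment or the Raspberry Pi announcement: it writes the `username:hash` line and the empty `ssh` file to a mounted boot partition. The file name `userconf.txt` comes from Raspberry Pi OS's headless setup, not from the quote; the function names, the `PI_BOOT_DIR` and `PI_NEW_USER` variables and the refusal of the user name `pi` are choices of this example.

```shell
#!/bin/sh
# Added example: prepare a freshly written image for headless first boot.

# hash_password: read the password from stdin (pipe or terminal) so it is not
# typed into a command line, and print a SHA-512 crypt string ($6$...).
hash_password() {
  openssl passwd -6 -stdin
}

# write_userconf BOOT_DIR USER HASH
# Writes the single "username:hash" line and the empty "ssh" file.
write_userconf() {
  boot=$1 user=$2 hash=$3
  [ -d "$boot" ] || { echo "no such boot dir: $boot" >&2; return 1; }
  # Policy of this example: refuse the old default name, empty names and
  # any character (such as ':') that would break the one-line format.
  case $user in
    pi|''|*[!a-z0-9_-]*) echo "refusing user name '$user'" >&2; return 1 ;;
  esac
  # Accept only a $6$ crypt string, so a plaintext password can never be
  # written to the boot partition by mistake.
  case $hash in
    '$6$'*) ;;
    *) echo "HASH must be a \$6\$ crypt string" >&2; return 1 ;;
  esac
  printf '%s:%s\n' "$user" "$hash" > "$boot/userconf.txt"
  : > "$boot/ssh"   # empty marker file that enables sshd on first boot
}

# Run as: PI_BOOT_DIR=/mnt/boot PI_NEW_USER=alice sh prepare-headless.sh
# (hypothetical script name and variables); the password is read from stdin.
if [ -n "${PI_BOOT_DIR:-}" ]; then
  write_userconf "$PI_BOOT_DIR" "${PI_NEW_USER:-}" "$(hash_password)"
fi
```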
For all other kinds of early sys admin tasks for a headless system you can mount the image to your Linux workstation and chroot into it using binfmt_misc and qemu-static. https://wiki.debian.org/RaspberryPi/qemu-user-static seems to describe it. (I haven't used those instructions, but my own 10 year old cheatsheet.)
https://9to5linux.com/raspberry-pi-imager-now-lets-you-contr...
I wouldn’t be too worried, there will likely be a solution for “power users” who use the ssh file.
What can I possibly say to make this funnier.
Now, it's just an IoT/outdated device software thing.
LG, Samsung, or some other brand of dishwasher that happens to be inside Korea? /hj
In more serious discussion, I'm still unconvinced of the benefits of connecting your appliances to the internet considering that appliance makers are more likely to just abandon the "smart" part while the hardware is still in full working order.
So it was yet another reason for the RPi foundation to stop being stupid, and just conform their firmware to SystemReady, and post their fixes upstream. All these custom hoops they keep jumping through to duplicate what every other OS/firmware already supports just speaks to bad mgmt. So, yah they are the most successful Arm sbc vendor, and this all made sense 10 years ago when none of the distros had working arm ports and there wasn't much in the way of standard arm system architecture. Those days are long gone, and the people clinging to them are just sticking their head in the sand. Particularly since 3rd parties have basically done 3/4 of the work for them and ported a full blown UEFI/ACPI environment to the darn thing.
So, they need to put on the big boy pants and stop playing the NIH game.
Because it's not aimed at the general purpose computer market?
The OS -- the features, the documentation, the learning focus, the ease-of-use planning, the designed support for school and code clubs -- is part of the product.
It's not just a little cheap linux box for nerds; it has a different focus.
Also the hardware itself is different, is it not? It has (for example) no battery-backed clock. It has connectors other distros cannot be expected to support (CSI for example).
They achieve all of this with their own slice of Debian; it's as close to being standard as is sensible.
They also provide a tool -- pi-gen -- to allow you to roll your own distro off the main; it's quite effective.
And they have a mainline OS (Ubuntu) if you want that.
But if you really want a tiny SBC without their OS platform -- buy one.
"The OS -- the features, the documentation, the learning focus, the ease-of-use planning, the designed support for school and code clubs"
It reminds me of the class a family member took recently where they were learning basic shell scripting using c-shell on a bunch of 15 year old Solaris machines. Interesting, but also somewhat harmful because they now have to translate what they have learned to linux/macos/etc should they actually get a job/etc that involves any shell scripting because bash tends to be the default.
Similarly with the RPi, the install process needs custom tools, instructions, and images because the normal distro install process (which are overwhelmingly UEFI based) simply don't work. So they are basically teaching everyone how to perform actions that any students that go into IT related fields will need to relearn.
https://ubuntu.com/tutorials/install-ubuntu-desktop#1-overvi...
And there isn't an argument that they are making it simpler either, since it's entirely possible to create ubuntu/etc disk images as well while still burying a proper boot/etc interface in the firmware.
So, as I said earlier what they are doing made sense 10 years ago but today looks out of place vs what everyone else is doing.
PS: And as far as the hardware, normal distros don't seem to have problems with missing RTCs (they all enable NTP AFAIK), and none of the interfaces on the board are that weird. Mainline Linux supports GPIO, and MIPI/CSI, etc.
https://www.kernel.org/doc/html/v4.10/media/kapi/csi2.html
If those don't work on the RPi in mainline, that is where the foundation should be focusing, in order to land their drivers upstream, or provide binary packages for the main distros (or both as some vendors do). They aren't special in this regard, they are only special because instead of doing what everyone else does, they created a custom linux distro.
Oh, this:
If I upgrade my existing Pis, are the currently in-use `pi` users (which have non-default passwords) going to be removed?
About half the article makes it sound like it's an OS update, but the other half makes it sound like an installer update, and there's a big difference between those two scenarios.
Existing installations will not be affected.
Raspberry Pi OS does not have an "installer".
Since the days desktop OSes (i.e. Windows 2000 Professional) first started to demand the user to name themselves and sign-in (which didn't protect their data anyway and still doesn't protect today as Windows Home doesn't include BitLocker) I hated this useless complexity. I in fact met many hundreds of PC users and just a minuscule fraction of them (also of those sharing a PC among a number of family members) used an actual multi-user set-up.
Linux seemingly did this from the very first day because its non-PC Unix legacy.
Once I tried Raspberry Pi I felt a pleasant relief: it never asked (although allowed) me to personalize it and just worked. I didn't have to invent a nickname nor expose my real name. It was just a handy tool like in good old days when you didn't have to connect your oven to WiFi.
PS: I do understand how useful the OS's multi-user mechanism is to limit what untrusted app instances can do.
Reading this today it hits me that this change might just be the cause.
If that turns out to be the case, there should really be some indication in the RPi imager tool.
Instead, I downloaded a live Linux dist, kde-neon [2], wrote that to a USB stick with rufus [3], booted my PC with that, and imaged under Linux. Only then did it work.
[1] https://github.com/raspberrypi/rpi-imager
You can always mount the SD card partition and put your ssh key into /root to log in with that. An improvement could be to also load ssh key from the /boot partition so also windows/mac users could do that easily.
By the way using root with an ssh key is fine and not a problem in terms of security.
If you wanted to make some users really happy, support a hook script in the same way.
/boot/first-run.sh — or something to that effect
More importantly perhaps, I am willing (and actually want) to have the freedom to do this, and to take responsibility for any problems I might cause for myself.
This issue is part of a more general ethical conundrum spanning many areas of life: How much should people be protected from themselves? I guess my personal answer is, not a lot.
> Included within its scope are a range of devices, from smartphones, routers, security cameras, games consoles, home speakers and internet-enabled white goods and toys.
> But it does not include vehicles, smart meters and medical devices. Desktop and laptop computers are also not in its remit.
Wouldn't an RPi be considered to be a desktop computer?
I can confirm that I have dozens of public Linux servers with SSH exposed and user `pi` is constantly being attempted for login. I ban them all immediately and automatically.
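One way to find the sources of the `pi` login attempts described above, as an added example (not the commenter's own tooling): an awk filter over sshd auth-log lines that prints each source address with its attempt count. It assumes OpenSSH's usual `Invalid user ... from ...` and `Failed password for ... from ...` wording; the sample log lines and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example: which addresses tried to log in over SSH as user "pi"?

# Constructed sample in syslog format (documentation address ranges).
sample_auth_log() {
  cat <<'EOF'
Apr  8 03:12:01 host sshd[1201]: Invalid user pi from 203.0.113.5 port 51234
Apr  8 03:12:03 host sshd[1201]: Failed password for invalid user pi from 203.0.113.5 port 51234 ssh2
Apr  8 03:12:09 host sshd[1207]: Invalid user pi from 203.0.113.5 port 51300
Apr  8 03:13:40 host sshd[1215]: Failed password for pi from 198.51.100.7 port 40022 ssh2
Apr  8 03:14:02 host sshd[1220]: Invalid user pi from 10.0.0.1 from 192.0.2.44 port 52111
Apr  8 03:15:10 host sshd[1231]: Invalid user admin from 192.0.2.99 port 40000
Apr  8 03:16:00 host sshd[1240]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2
EOF
}

# pi_offenders LOGFILE [MIN_ATTEMPTS]  ->  "address count" lines, sorted.
# LOGFILE may be "-" for stdin.
pi_offenders() {
  awk -v min="${2:-1}" '
    # Count one event per attempt: "Invalid user pi" when the account does
    # not exist, "Failed password for pi" when it does. The follow-up line
    # "Failed password for invalid user pi" is skipped to avoid double counts.
    /sshd\[/ && (/: Invalid user pi from / || /: Failed password for pi from /) {
      # The user name is text chosen by the remote side and may itself
      # contain " from 10.0.0.1", so use the address after the LAST "from".
      for (i = NF - 1; i > 0; i--)
        if ($i == "from") { hits[$(i + 1)]++; break }
    }
    END { for (ip in hits) if (hits[ip] >= min) print ip, hits[ip] }
  ' "$1" | LC_ALL=C sort
}

# Demo on the constructed sample; point it at the real auth log instead.
sample_auth_log | pi_offenders -
```

The output is meant as input for whatever ban mechanism is already in place; the spoofed `10.0.0.1` in the sample is deliberately not reported, only the connecting address `192.0.2.44`.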