Now it's even easier for an attacker. Someone gave the default password in the same thread as my description of the exploit. So you can pretty much assume you will be hacked with SSH and the default password.

The password was widely known before I mentioned it (http://www.google.com/search?q=rootme+nokia)...

There's no reason not to change it, and it's trivial to change.

Trivial to change perhaps ... BUT ... anyone who hasn't visited this specific thread (most Tablet owners) won't know they need to... !

By the way - as a non-Linux, fairly tech-savvy, user, but not geek - please can someone explain how to change the password ! It may be trivial, but *I* don't know how, just like many other readers of the thread I suspect ;-)

Walter

The linux command for changing the password is...

drums..





suspsense...











passwd

!!

This is a great thread, very informative. Thank you everybody.

A question: If I install ssh (and change the password) then is there a simple (one-click?) way for me to enable/disable ssh so that I can minimize the time I have port 22 open? Ideally, the tablet should boot with ssh disabled.

You'll need xterm and root access:
Take care, with the following steps, ssh will not start anymore at boot!
sudo gainroot
rm /etc/rc2.d/S20ssh

to revert the start at boot:
sudo gainroot
cd /etc/rc2.d
ln -s ../init.d/ssh S20ssh


To start ssh:
sudo gainroot
/etc/init.d/ssh start

To stop it:
/etc/init.d/ssh stop

You can also change the port ssh is listening:
/etc/default/ssh:
SSHD_OPTS="-p 666"
Will listen on port 666

Hi everyone.

I have a bit of knowledge in computer/apps/network security, and I have a N810 nit with SSH server and openvpn to my private server, etc.
I use it with several Wifi hotspots (and HSDPA networks, in Europe, through a 6120c). I use CIFS file sharing, SSH,...

It's true the tablet _is open_ (in terms of UDP/TCP/IP connectivity, i.e. NO firewall on it), and you don't have to install a server software to be vulnerable.
OS2008 is a Linux distro, and as such can be subject to all kind of attacks, even if the probability (it's mainly a _client_ device), impact, and risk (depending on what you store on your nit, and how) are (rather) low.

Right now, I'm looking for/to build a N8x0 firewall, but have few time to play arround with iptables on my tablet. I have a small script I ported from my servers, but cannot achieve what I want to.

Did someone write an app/patch/script such as "tablet firewall" ?
If not, but if there are people willing to make or port such an app ?

I've searched Maemo.org, Garage,... I've not found anything similar.

I have small knowledge of Linux Kernel, iptables, compilation, and right now, I have an (empty ;-) OS2008 dev environnment running...

I can help, and I really want to have at least a FW script (launched through Kerez ?).

XooH


EDIT : This thread is interresting (on NIT/linux/security) :
http://www.internettablettalk.com/fo...light=firewall

Hmm, isn't there a directory you can place scripts in so that when you say "ssh start" in bash or xterm it'd just run that script (it checks the directory then runs the relevant script or program?). I forget which directory it is..

Sure you do. Otherwise there won't _be_ anything to connect to.

A netstat -ant on my N800 shows that it's listening on the following TCP ports:

22 (because I installed an ssh server)
12493 (part of Skype)

Checking UDP:
2049 (dnsmasq)
12493 (part of Skype).

That's it. Without servers listening you're _not_ vulnerable. And using e.g. iptables to block the ports above would simply make those services stop working. (Edit: e.g. SSH must be secured by other means, e.g. using only RSA authentication, or changing password etc.)

while security is certainly a non-trivial issue...some folks out there definitely seem to require a tin-foil-hat 24/7...

I subscribe to the Darwinian idea of personal wireless security...stoopid people should not breed. If someone is arrogantly stoopid enough to splat their info out there w/no regard to proper encryption...they deserve what they get. Eventually these sorts will stop using the internet and the world will once again be safe from the AOL users of the world thus ending the way we are heading toward the Idiocracy style of life.

FYI, most serious wifi hotspot style routers now have full on virtual servers which completely isolate peers (or potential peers) not only from each other but also from the primary network served by the router. So, if desired, nodes cannot see each other over whatever network is being run. Even my travel/pocket Wifi router CTR350 from Cradlepoint has this all built-in...

And remember when getting your tin foil hat, get some ear plugs too so nobody can hear what you are thinking.