[HN Gopher] The curious case of the Raspberry Pi in the network ...
___________________________________________________________________
The curious case of the Raspberry Pi in the network closet (2019)
Author : thunderbong
Score : 205 points
Date : 2024-01-08 19:54 UTC (3 hours ago)
(HTM) web link (blog.haschek.at)
(TXT) w3m dump (blog.haschek.at)
| podiki wrote:
| Fun (or I guess "fun" depending on the outcome here) detective
| story. But would be nice to have the context of what sort of
| company this Pi was found at. What might be a motive to be
| tracking devices and be inside the network?
| sitzkrieg wrote:
| I have seen red teams do this for persistence
| declan_roberts wrote:
| It's still not clear to me whether the pi was malicious or not?
| anakaine wrote:
| Discreet hacked together device located in comms room,
| installed by former employee during a time when they were
| leaving the company.
|
| Malicious is implied.
| doublerabbit wrote:
| Maybe they just wanted to keep their Quake3 server running?
| BatmansMom wrote:
| And the application was called "logger" lol
| Damogran6 wrote:
| This. The intent was that the machine COULD be used for ill.
| Just because it hadn't yet doesn't absolve the person.
| EricMausler wrote:
| I think the comment may be implying it isn't clear if they
| were successful in whatever malicious activity they were
| trying to do or what that activity was.
|
| Like were they snooping for something they could
| whistleblow, or were they trying to gain access to financial
| accounts? What was the extent of damage possible by the
| setup? Are there ways to mitigate such damage now knowing a
| pi with such loaded software may be in wider distribution and
| might be installed somewhere on your network?
| HideousKojima wrote:
| At a previous job we had a Beaglebone mysteriously show up in
| our DC. We noticed it buried behind some network cables and
| immediately unplugged it. (Not) Coincidentally, we had gone
| through a merger a few months prior, and the new corporate IT
| team had come out (from clear across the country) right after
| the acquisition to get a feel for how our IT infrastructure
| was set up. The day after we unplugged the Beaglebone we got a
| pissed off call from one of the corporate IT guys, turns out
| he had installed it there to gather some network
| metrics/statistics or something like that when he had come
| out a few months prior and didn't tell any of our network
| admins or sysadmins, but somehow it was our fault for not
| magically knowing what the suspicious SBC in our DC was.
| kencausey wrote:
| (2019)
| MOARDONGZPLZ wrote:
| Are raspberry pis in communications closets installed by
| outgoing employees no longer potential threats five years
| later?
| palemoonale wrote:
| Not if these have been found and removed.
| scubbo wrote:
| That's not the implication. It's the norm on this site to
| include the year of an article in the title (if it's not from
| the current year, or very recently in the preceding year if
| in January). There are _plenty_ of links in the top 100-or-so
| that follow this pattern - hell, I see one from 1997 in the
| top 30 right now. They can still be interesting/relevant/etc.
| - but it is worthwhile to read them with the knowledge of
| when they were published, e.g. if you are evaluating
| technical approaches.
| aliljet wrote:
| This is why terminating an employee has to be swift and complete.
| It's just too risky to bet otherwise.
| mytailorisrich wrote:
| Not _that_ complete, hopefully...
| seanw444 wrote:
| Unless you live in the world of Lethal Company.
| asd wrote:
| (2019) Previously: https://news.ycombinator.com/item?id=29965110
| dang wrote:
| Thanks! Macroexpanded:
|
| _The curious case of the Raspberry Pi in the network closet
| (2019)_ - https://news.ycombinator.com/item?id=29965110 - Jan
| 2022 (262 comments)
|
| _The curious case of the Raspberry Pi in the network closet_ -
| https://news.ycombinator.com/item?id=18919129 - Jan 2019 (154
| comments)
| atourgates wrote:
| OP posted a bit more info in this Reddit thread for anyone
| curious:
|
| https://www.reddit.com/r/sysadmin/comments/agij7x/remember_t...
| greyface- wrote:
| And this HN thread:
| https://news.ycombinator.com/item?id=29965250
| Bluescreenbuddy wrote:
| When we fire people we terminate ALL access. Digital and
| physical. When the call from HR comes in, your keycard is
| immediately disabled. If you left personal belongings, we'll box
| them up and give them to you.
| suprjami wrote:
| I've always thought such a policy heavy-handed and unfair. This
| article proves that's not the case. I've heard vague stories of
| someone doing a malicious delete on the way out, but never seen
| it myself.
| devmor wrote:
| Things like the occurrence in this article only occur because
| job termination is so heavy-handed here. When people are
| immediately cut off from their income source without warning,
| in a society with very little social safety net, they get
| angry and do drastic things.
|
| In many, many other countries, letting someone go is a long
| process that involves a lot of time for both parties to shore
| things up and be prepared to move on without incident.
| AmVess wrote:
| Yes. Some people can become very difficult when they've just
| lost their job. This is the primary reason why firings are
| done via e-mail so people can flip out and lose their cool at
| home.
| turtledragonfly wrote:
| I don't think the article proves that. I think these policies
| can be a bit of a McNamara fallacy[1].
|
| When things go wrong, the benefits of aggressive termination
| are clear. But when things _don't_ go wrong (vast majority
| of time), the alternative's benefits are not so clear --
| employees have more time to hand off their work, document
| things that are in their head, better good-will towards the
| company and its management, etc.
|
| So, because one approach has a clear, measurable benefit (avoid
| some disasters), and the other approach has unclear,
| hard-to-measure ones, people sometimes dismiss the hard-to-measure
| side as not important. That's the fallacy.
|
| [1] https://en.wikipedia.org/wiki/McNamara_fallacy
| Johnny555 wrote:
| The article doesn't say they fired him, it said he's an "ex-
| employee". I've stayed on in an hourly role with several
| companies I've left to be on-call for questions/problems for a
| month or 3 after leaving.
| skocznymroczny wrote:
| As a European, I thought that's only something people did for
| movies, I learned not long ago that it's actually reality in
| the US. In Poland you can leave on the spot if you arrange it
| with the company (e.g. for a severance package). Otherwise by
| law you are expected to work for a month or two after getting
| fired (or when changing jobs). This has some benefits for both
| employer and employee. The employee has time to find a new job
| and doesn't get cut off from income on the spot so he's
| unlikely to burn bridges on his way out. For the employer the
| benefit is the same but also the company gets extra time to
| prepare a replacement for the fired employee.
| MBCook wrote:
| Unless there is a contract saying otherwise (or union
| agreement if in a union) you could show up to work at your
| job tomorrow to be told you're fired and escorted out of the
| building.
|
| For well paying jobs it's pretty rare unless you do something
| bad. Obviously if they just did that to random people it
| would really hurt morale and other workers may want to leave.
|
| But it's legal. On the other side, with similar exceptions,
| on any day you can walk into your job and say goodbye forever
| and never come back.
| dpflug wrote:
| "Pretty rare unless you do something bad."
|
| Or there are layoffs.
| MBCook wrote:
| That's fair. I was thinking of when they single out a
| single person.
| alistairSH wrote:
| _on any day you can walk into your job and say goodbye
| forever and never come back_
|
| Except in reality, almost nobody can do that, because they
| need to eat and pay rent. And if you did, you'd burn a lot
| of bridges.
| Verdex wrote:
| Yeah, it's not a symmetrical dynamic at all.
|
| Leaving without notice is a good way to alienate a lot of
| contacts that most people will really want to maintain.
| But even beyond that from what I understand most places
| have policies in place to prevent employees coming back
| if they've left without notice.
|
| Meanwhile, if my employer fires me without notice and
| I've got a mortgage, mouths to feed, and/or medical
| bills, then I don't really have the leverage to say "I'm
| sorry, by firing me without notice, you are ineligible
| from asking to rehire me."
| SoftTalker wrote:
| That's why it's always good to have a few months of
| essential living expenses in a savings account if you
| possibly can. More people could do this than actually do
| it.
|
| I've quit without notice once in my career. I already had
| the next job lined up though.
| codetrotter wrote:
| At my job they let go of about 30% of the work force
| around one year ago. I knew that this theoretically could
| happen, but this was the first time seeing it myself.
|
| And I am left thinking, if in the future I see a coworker
| leave on the day by his own choice, I wouldn't hold it
| against him. The company has shown how easily they are
| willing to let go of a huge number of people. Why should
| I be mad at any of my coworkers if they decide to leave
| on the day? The company already set the bar for how this
| works.
| Epa095 wrote:
| And the health insurance.
| MBCook wrote:
| Right. I only meant the legality.
|
| There are A TON of people who would probably love
| to walk in and quit tomorrow if they had another job
| lined up or the means to go without one for a short
| while.
| theamk wrote:
| > you can walk into your job and say goodbye forever and
| never come back.
|
| When I was an intern, a person next to me just didn't come
| back one work. And we found a large-font printout of the
| employment contract with the corresponding section highlighted
| by marker.
|
| I still wonder what made him quit, but as an intern I
| didn't talk to people much and didn't care about company
| politics.
| justsomehnguy wrote:
| INAPL but I think that _by default_ the employee can
| expect some weeks after the notification (and depending on
| the circumstances - have an opportunity to move to another
| job of similar title and/or pay in the same company) and the
| employer can expect some weeks if nothing unexpected surfaces.
| But both parties can terminate their relationship on the
| same day by mutual agreement.
| gumby wrote:
| At a minimum in the US the company has to pay you for unused
| vacation days and send you your outstanding pay within 3
| days. Also, if you give two weeks notice they might
| reasonably can you but pay you for the extra two weeks if
| they are afraid of looking punitive (a smaller company thing
| -- big companies typically don't worry about being sued for
| that kind of thing).
|
| But not always; my kid resigned from AWS in November and they
| asked him to work the two weeks, even having him push to prod
| on the second to last day.
| neuralspark wrote:
| I've only ever encountered the unused vacation days and
| outstanding pay by end-of-week in California. It's
| certainly not true in several other states.
| shagie wrote:
| It's complicated.
|
| https://www.helpside.com/wp-
| content/uploads/2017/12/Vacation...
| ponector wrote:
| Unused 7 days of annual PTO. And there are companies with
| "unlimited" vacation which means no unused vacation.
| lostlogin wrote:
| > As an European, I thought that's only something people did
| for movies, I learned not long ago that it's actually reality
| in the US
|
| It's not quite like this in New Zealand, but wow would an
| employer be foolish to have an employee leave under a cloud
| and not immediately block all access.
|
| It's borderline impossible to fire someone here, so it's not
| US style lockdown, but cutting access seems basic.
| ponector wrote:
| It is wild how people in one of the richest and most developed
| countries have so few working rights and are ok with it.
|
| Especially wild if you consider health insurance is tied to
| the employment.
|
| A 3-6 month notice period is standard in EU countries. Unless
| you are sabotaging or always drunk there are no ways they
| will fire you quickly.
| skinkestek wrote:
| People in leading positions who leave for competitors get
| told to not show up again, but of course get paid so it is
| a paid holiday.
| Ductapemaster wrote:
| To be fair, these rights extend in both directions. This
| may seem extreme from an employer -> employee direction,
| but I have the right to do the same in reverse: I could
| call my manager at 8:30AM tomorrow morning and quit on the
| spot with no justification.
|
| At Will employment cuts both ways.
| herpdyderp wrote:
| Keeping a known-to-be-terminated employee is a huge risk for
| the employer. People are usually not happy when they lose
| their jobs which sometimes leads to irrational behaviors
| (like intentionally sabotaging the no-longer-employer).
|
| I've personally been involved on the employer side of such a
| situation with an irrational person and it's a pretty scary
| deal when you're in a small team where each dev has a lot of
| power.
| kstrauser wrote:
| The wise will _insist_ that ex-employers do this, if not
| immediately, then over a very small number of hours. If I'm to
| be let go, I want all of my access to go away ASAP. That means
| they can't blame me for things that go missing afterward (minus
| logic bombs and other kinds of criminality that _we do not do,
| ever, ok?_). The last thing I want is for, say, a computer to
| go missing a week after I left but when I still have an office
| key, or data to be deleted while I still have AWS access. Take
| my keys, OK?
| cortesoft wrote:
| If you are fired, sure, but that usually doesn't happen if
| someone voluntarily leaves. You usually set an end date, and
| work on transitioning your work during that time.
| SoftTalker wrote:
| Depends, some places will just pay you to stay home during
| your notice period and disable all your access and accounts
| immediately upon you providing your notice.
| johnwalkr wrote:
| You may think so but in IT or especially industries that "have"
| IT but are not IT, who knows what people/teams have installed
| or are using without you knowing.
| milliams wrote:
| What I find interesting is the SSH-based comment system
| (https://blog.haschek.at/2023/ssh-based-comment-system.html) for
| their blog.
| liquidgecka wrote:
| I saw the title and instantly thought of the "Load bearing mac
| mini" at Twitter.
|
| In our server closet there was a mac mini sitting on another rack
| mounted server and plugged directly into a switch. IT found it,
| asked around and nobody knew what it was, so they unplugged it.
| Immediately the whole of engineering and support were basically
| offline.
|
| Despite the thing looking as suspicious as possible, I had set this
| thing up as an employee a year before. We were not allowed direct
| network access to our hosted prod network so as a "stop gap" I
| set up an SSH tunnel that listened on the mini's IP. At first we
| used this for access to the support web interface so it could be
| taken off the internet. At the time my request for a server was
| rejected. One by one more things got added to the list of things
| proxied over the device, eventually including basically all
| internal pages, git access, and about a dozen other random
| services. I finally got it moved into the server room, but not to
| real hardware. Once we built a DC we got peered access and the
| mini finally died.
| yjftsjthsd-h wrote:
| > so as a "stop gap"
|
| There's Nothing as Permanent as a Temporary Solution(tm) :)
| orenlindsey wrote:
| I always thought the load bearing Mac mini was a myth, it's
| such an impossible story and it's been so widely shared. I
| guess it's just a case of programmers taking the easiest route
| and having it backfire.
| dijit wrote:
| Things like this happen all the time.
|
| "Shadow IT" is the official name for circumstances that lead
| to this and it's the consequence of:
|
| A) Deprioritising "non-urgent" but "important" tasks
| consistently
|
| and
|
| B) IT being bureaucratic and/or unable to allocate budget
|
| I had a Mac Pro (trashcan) at Ubisoft that was the only way
| people were able to play our studio's live game from within
| the office. (Ubisoft had a "NO OUTBOUND CONNECTIONS TO
| INTERNET" policy for Studios)
|
| That same Mac Pro was running our internal slack bot to run
| maintenances (and insult people).
|
| I left Ubisoft 5 years ago; as far as I know that Mac Pro is
| _still_ plugged in on my former desk chugging along. The last
| time I asked my former manager about it was last year.
|
| ----
|
| At another company (now owned by Oracle), we had an internal
| IRC (this was before Slack) and nobody thought about it.
|
| One day it went down, and traceroute had indicated it was in
| our server room; after checking every single server we could
| not find it, until someone noticed an ethernet cable that
| went through a run into the floor but didn't come back out.
|
| After opening the suspended floor we noticed a laptop running
| Solaris. That was our IRCd and the OS had an uptime of close
| to 8 years.
| stefan_ wrote:
| Don't forget IT ignorance. In a lot of places IT is full of
| Microsoft MVPs that have no understanding of the needs of
| people developing in and for Linux systems.
| DiggyJohnson wrote:
| Ding ding ding. So much friction from this factor alone.
| lostlogin wrote:
| > Shadow IT
|
| Universities seem to install unlimited hurdles to achieving
| anything. The stuff staff and students do within the
| network to make shit work is amazing.
| echohack5 wrote:
| > request was denied
|
| > mac mini proxy server
|
| I love that the programmer's solution is more expensive than
| doing it the right way had OP's request been approved.
| liquidgecka wrote:
| ... At the end of the deal we had two Mac Minis with
| auto-failover configured via health checking. Thank
| goodness we got rid of the service provider that refused to
| let us pair with the network. Once that happened the
| networking team could just do normal peering with a
| standard router.
|
| But yea, in the early days that mac sat on my desk. It only
| got moved when I pointed out the issue to our new security
| team and their jaw hit the floor. =)
| NavinF wrote:
| I think it was pretty common in the 2000s when devs couldn't
| provision machines/VMs without asking for permission
| SoftTalker wrote:
| Also when you could just plug something into a switch and
| a) the port is active and b) it goes unnoticed.
|
| Probably still the case in a lot of startups.
| liquidgecka wrote:
| Most startups I deal with these days don't even have
| offices anymore, let alone network ports. =)
|
| But yea.. same deal with wifi. It's amazing how often the
| wifi password is posted on something visible. In fact I
| have found the password in so many public images which
| means somebody on the street could just connect to the
| wifi network from the street.
| tomjakubowski wrote:
| I would have thought so too, before I worked on a team where
| we had our own load-bearing Mac Mini installed at a client
| site - in that case, load-bearing for A/V reasons (no one was
| able to get PulseAudio working in time).
|
| Client's IT loved to unplug that thing.
| SoftTalker wrote:
| Also proving yet again that the best way to find out if
| something is in use is to unplug it and see who complains.
| gurchik wrote:
| So-called "scream test."
| csmattryder wrote:
| Chesterton yelling from miles away "that's my damn fence,
| you moron!"
| shagie wrote:
| There was an article by Microsoft back in November about
| their scream tests -
| https://www.microsoft.com/insidetrack/blog/microsoft-
| uses-a-...
| Booourns wrote:
| I once took over a decommissioning project of a DMZ set up
| for a connection to a third party no longer used.
| Everything documented showed that all connections were no
| longer active.
|
| Step 1 was to do the 'scream test'. Some how the enterprise
| routed the most random traffic through there as we took
| offline random servers and people's desktops. Turns out the
| screaming that happens is at you for making things break
| instead of a pat on the back for discovering bad
| networking.
| renewiltord wrote:
| > _Comment using SSH! Info
|
| > ssh rogueraspi@ssh.blog.haschek.at_
|
| Now that's cool haha!
| BatmansMom wrote:
| Is WiGLE a thing people know about? How does that work, it's a
| service that listens to all publicly available wifis in the
| country? I understand how it could be possible in theory but how
| is it actually practical?
| arcfour wrote:
| It's crowdsourced... You drive around and collect data for it
| and send it in.
| SushiHippie wrote:
| Its data comes from people who do "Wardriving"
| https://en.wikipedia.org/wiki/Wardriving
| Deathmax wrote:
| Data is crowdsourced and contributed by users. On a much larger
| scale, Apple and Google collect data from iOS and Android
| devices to power their WiFi/mobile tower based geolocation
| services.
|
| Android's Location Services:
| https://support.google.com/android/answer/3467281#location_a...
|
| iOS's Location Services: https://support.apple.com/en-gb/102515
|
| In fact, Google provides it as a paid API:
| https://developers.google.com/maps/documentation/geolocation...,
| but it requires BSSIDs and not just SSID names to try to curb abuse.
| chatmasta wrote:
| Mozilla also has such a service although I believe they're
| deprecating it. You can still query it today, but as a
| privacy measure you need to include the MAC of 3+ SSIDs to
| get location info, since otherwise you could check the SSIDs
| from probe scans of passersby to locate their homes.
| dzhiurgis wrote:
| It's obviously not public data, but satellites have been
| wardriving WiFi for over a decade.
| dougdonohoe wrote:
| One of the guys behind the project, bobzilla, worked for me in
| a previous life. Great guy; fond of tea.
| sylware wrote:
| I have a Raspberry Pi in my room... but this is my email server,
| my noscript/basic (x)html map server (using OSM tile servers), my
| web server...
|
| :)
|
| (next step is RV64 hardware with linux, then this RV64 hardware
| with an ultra-minimal kernel not using gcc/clang compilers).
| born2discover wrote:
| My apologies for hijacking the thread, but could you please
| elaborate on your noscript/(x)html map setup?
|
| How would one even handle zooming and panning in such a case?
| With forms?
| sylware wrote:
| https://www.rocketgit.com/user/sylware/lnanohtmltiledmap
|
| Yes, with basic and stupid html forms.
|
| Have a look at links web browser.
| voakbasda wrote:
| Where's the follow up? I want to know what happened next with
| legal....
| exabrial wrote:
| court records are public. They don't mention any names, but I'd
| poke around and see what you can find.
| lifestyleguru wrote:
| Plot twist: it was the company's Jenkins and payroll cronjob server.
| The other "proper" CI server was always stuck on some
| Java+Angular monster pipeline.
| fnord77 wrote:
| As in most cases like this, the whole thing ended with zero
| consequences for the perp
| donatj wrote:
| A number of years ago at a previous job we had building security
| doing a sweep of our building with a big heavily antenna'd device
| because some sort of unauthorized wifi access point showed up.
|
| Never found out what came of it, but I wondered then as I do now
| if someone had just enabled AP mode on their phone.
| lostlogin wrote:
| This seems weird - most places would have dozens of wifi APs
| within range of their network unless they were very remote.
| storyinmemo wrote:
| Hey friends, use 802.1X for your datacenters and enterprise
| (certificate) wifi auth so you can audit and rotate credentials
| to prevent... exactly this problem. Everything else IoT-like gets
| a very limited VLAN / alternate WiFi network.
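A defender-side companion to the advice above, added here as an example (not code from this thread or from the linked article): it walks a switch MAC table, compares it against an authorised-device inventory with each device's expected VLAN, and flags anything unknown, anything that has drifted off its restricted VLAN, and any unknown address whose OUI is registered to Raspberry Pi. The three OUI prefixes are real registrations; the inventory, port names, VLAN ids and the MAC table itself are constructed for the demo.

```python
"""Rogue-device audit over a switch MAC table (constructed example data)."""
from dataclasses import dataclass

# Well-known OUIs registered to the Raspberry Pi Foundation / Raspberry Pi Trading.
SBC_OUIS = {"b8:27:eb", "dc:a6:32", "e4:5f:01"}

# Constructed inventory: MAC -> (owner, expected VLAN). VLAN 40 is the restricted IoT segment.
INVENTORY = {
    "00:1b:21:aa:bb:01": ("core-switch-uplink", 1),
    "3c:ec:ef:12:34:56": ("fileserver01", 10),
    "b8:27:eb:44:55:66": ("lobby-signage-pi", 40),
}


@dataclass(frozen=True)
class MacEntry:
    mac: str
    vlan: int
    port: str


@dataclass(frozen=True)
class Finding:
    mac: str
    port: str
    reason: str


def normalize_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff; return colon form."""
    hexdigits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_table(text: str) -> list[MacEntry]:
    """Parse a simplified 'vlan mac port' table: one entry per line, '#' starts a comment."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        vlan, mac, port = line.split()
        entries.append(MacEntry(normalize_mac(mac), int(vlan), port))
    return entries


def audit(entries, inventory=INVENTORY, sbc_ouis=SBC_OUIS) -> list[Finding]:
    """Return one Finding per entry that is unknown or sits on an unexpected VLAN."""
    findings = []
    for e in entries:
        known = inventory.get(e.mac)
        if known is None:
            why = "unknown device"
            if e.mac[:8] in sbc_ouis:  # first three octets are the vendor OUI
                why += " with single-board-computer OUI"
            findings.append(Finding(e.mac, e.port, why))
        elif known[1] != e.vlan:
            findings.append(Finding(
                e.mac, e.port,
                f"{known[0]} expected on VLAN {known[1]}, seen on VLAN {e.vlan}"))
    return findings


# Constructed MAC table in the simplified format parse_mac_table() expects.
SAMPLE_TABLE = """
# vlan  mac                port
1       00:1b:21:aa:bb:01  Gi1/0/48
10      3cec.ef12.3456     Gi1/0/3
10      b8:27:eb:44:55:66  Gi1/0/7    # signage Pi moved off the IoT VLAN
10      dc:a6:32:de:ad:01  Gi1/0/9    # nobody knows what this is
10      00:50:56:99:00:aa  Gi1/0/12
"""

if __name__ == "__main__":
    for f in audit(parse_mac_table(SAMPLE_TABLE)):
        print(f"{f.port:<9} {f.mac}  {f.reason}")
```

Feeding it the real table from your switches (and an inventory you actually maintain) turns the "scream test" into a scheduled check.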
| dmitrygr wrote:
| Hard to take the article seriously with so many inaccuracies. I
| cannot shake the feeling that the writer tried to make more of
| this than there is by exaggerating.
|
| "almost as powerful as the Rasberry Pi itself: the nRF52832-MDK.
| A very powerful wifi, bluetooth and RFID reader."
|
| First of all, the puny little Cortex-M is nowhere near as
| powerful as the rPi. Second of all, nRF52 series does not do
| WiFi, and third of all, RFID will not work without the coil
| plugged in (which it is not in the picture), and in any case only
| has a range of an inch at best.
| WhackyIdeas wrote:
| It's almost as if the person didn't think for a second about
| someone discovering it... all those traces. Unless it was a
| setup, a fake AP (anyone can create a hotspot quickly on their phone
| with any SSID). Either a complete reckless amateur or a total
| setup I am thinking.
___________________________________________________________________
(page generated 2024-01-08 23:00 UTC)