Rune Audio some thoughts

Art Pepper Via the rune audio interface

I spent a few hours this weekend mucking about with an old V2 Raspberry Pi and the open source product Rune Audio.

It’s a pretty good little media management system. I can keep all my music (I’ve copied it to a USB drive attached to the Pi) in one place and access and play that data from the Pi to the amplifier. The beauty of course is that I can control the playback, search etc. via any device on my local network (be it a phone or computer, iPad, tablet – anywhere in the house). One thing that is nice is its simple interface, and it is fairly easy to set up. But I also have a few concerns that I thought I’d mention here.

Once you have burnt the Rune Audio image to your Pi you just plug it in and start the device. You can access it via the URL http://runeaudio.local/ or by working out the IP address (you might have to look at your router to find this).

This is very convenient, but the issue is that the product is not password protected. So if your neighbour somehow hacks your wireless network password, he or she could crank up your music system at 4 AM as a prank!

Another thing to consider is that the image uses a root “super god” user, and the password for that user is publicly available. So after that neighbour cranks up your music they can ssh to the device with root privileges!

Also there is no basic user space (i.e. anyone on the network can control the server), although there is a hack that can be run via the htpasswd process within the web server. This allows you to hand code that functionality into the product.

This is not ideal for a basic user!

If you do install a Rune Audio server in your house, do change the root ssh password… NOW! See this link for more information on how to do that.

Also, at the time of writing, wireless is not a secure medium. I recommend a long wireless password that will take hours if not days to hack. As it is currently configured, a Rune Audio server could be a nasty attack vector for a hacker. Changing the root ssh user password is a good start, but the file system is rather open (see screen shot) and that could be problematic if not managed in a better way.
Rune via the finder
Unfortunately this is typical of many IoT-style products. They need to take security as an important issue: an initial configuration script could easily manage all of these faults and create a rounder, better, more secure product. So to sum up.

Ease of setup 8/10

User interface 8/10

Security 2/10

I’ll be keeping an eye on this product. If you’re not comfortable with the command line and security is important (it should be to everyone!), it’s probably a good idea not to use this product just now. But if they get their act together around the security issues, I think it has the potential to be something that rivals some of the more expensive commercial products.
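The two network-facing problems described above (a web UI that answers without credentials and root password login over ssh) can be checked with a short script. This is an added example, not part of the original post or of Rune Audio; the function names, the sample sshd_config lines and the status codes are constructed, and the defaults passed in are those of current OpenSSH (an assumption about the installed version).

```shell
#!/bin/sh
# Added example; sample config lines and HTTP status codes are constructed.

# sshd_effective FILE KEYWORD DEFAULT: print the global value sshd would use.
# First occurrence wins, keywords are case-insensitive, "key=value" is
# accepted, and everything from the first Match block on is ignored here.
sshd_effective() {
    awk -v key="$2" -v def="$3" '
        { sub(/^[ \t]+/, ""); sub(/[ \t]*=[ \t]*/, " ") }
        /^#/ || /^$/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { val = tolower($2); exit }
        END { print (val == "" ? def : val) }
    ' "$1"
}

# root_ssh_finding FILE: FAIL when root may log in with a password.
root_ssh_finding() {
    root=$(sshd_effective "$1" PermitRootLogin prohibit-password)
    pass=$(sshd_effective "$1" PasswordAuthentication yes)
    if [ "$root" = yes ] && [ "$pass" = yes ]; then
        echo "FAIL root password login over ssh is enabled"
    else
        echo "OK root password login over ssh is disabled"
    fi
}

# web_ui_finding STATUS: classify an anonymous request to the web UI, e.g.
#   curl -s -o /dev/null -w '%{http_code}' http://runeaudio.local/
web_ui_finding() {
    case "$1" in
        401|403) echo "OK web UI rejects anonymous requests" ;;
        2??)     echo "FAIL web UI served without credentials" ;;
        *)       echo "UNKNOWN web UI status $1" ;;
    esac
}

tmp=$(mktemp -d)
printf '%s\n' '# constructed: wide-open config' 'permitrootlogin yes' \
    'PasswordAuthentication yes' > "$tmp/before"
printf '%s\n' '# constructed: hardened config' \
    'PermitRootLogin prohibit-password' 'PasswordAuthentication no' > "$tmp/after"
root_ssh_finding "$tmp/before"
root_ssh_finding "$tmp/after"
web_ui_finding 200   # no htpasswd protection in place
web_ui_finding 401   # htpasswd protection in place
rm -rf "$tmp"
```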

More crawling skin!

I’ve been following the company that says “Don’t be evil” on the issue of Project Dragonfly – Google’s “China” friendly search engine. The Intercept has the lowdown on this project here.

I have a belief that as companies get bigger they get more stupid and less focused. I think that this is indeed the case for Google. After reading the article I have to ask what sort of flavour of BS are these so called managers trying to stuff down the throats of humanity?

I’m starting to think it’s time to remove all my content from their platform.

Dec 1 post script 1
The Register also has an article about the appalling behaviour of Google’s senior management and it rightly points out that this is a company that is at a very serious fork in the road.

Dec 1 Post script 2
To expand on my thesis that “as companies get bigger they get more stupid” I also found this disturbing story…

Ah Facebook you’ve done it again!

Very interesting reading over the last few days from Gizmodo.

In a nutshell, it’s not a good idea to give FB your phone number. I’ve never felt right about FB wanting my phone number and I’m darn glad I’ve honoured that feeling.

From the article…
“They found that when a user gives Facebook a phone number for two-factor authentication or in order to receive alerts about new log-ins to a user’s account, that phone number became targetable by an advertiser within a couple of weeks.”

Also there is some confusion about how private address book data is, and what FB does with that information.

Again from the article…
“People own their address books,” a Facebook spokesperson said by email. “We understand that in some cases this may mean that another person may not be able to control the contact information someone else uploads about them.”

In addition, the use of the phone number for advertising is something that destroys people’s trust in 2 stage authentication. After this sort of abuse of data by one of the biggest brands in the world, who would want to trust anyone else with this degree of security?

They want more and more!

I also thought I’d mention this – a while back FB were trying to sucker people into giving them more data – email address info, friend data… in return for more content… Don’t do it… FB wants you to rat on your friends. Also each user is worth up to about $158 to FB. So let’s say you have 30 email addresses in your contacts, that’s $4,740.00 worth of data for more “Free” content – mainly generated by me and you.

But wait there’s more! Just at the time of writing this Zuk messes up again. From the NYT
Facebook Is Breached by Hackers, Putting 50 Million Users’ Data at Risk


hacky hack hack!

This morning I stumbled upon this. Apple, one of the companies in the world that does sort of care about privacy, was hacked by a 16-year-old!

After busting the kid, police uncovered a litany of hacking files and instructions all saved in a folder titled “hacky hack hack”.

Full link to the article

Quick shout out

Had a quick look at this today and it’s a doozy! Patrick Wardle has created a small Python script that dumps the data from the macOS notifications database. This is a whole lot of information that you may not want anyone to see, let alone audit. It will be interesting to see if and how the Mac OS X dev team manages this issue.

More info here…