California Bans Default Passwords on Any Internet-Connected Device (engadget.com) 240
In less than two years, anything that can connect to the internet will come with a unique password -- that is, if it's produced or sold in California. From a report: The "Information Privacy: Connected Devices" bill that comes into effect on January 1, 2020, effectively bans pre-installed and hard-coded default passwords. It only took the authorities about two weeks to approve the proposal made by the state senate. The new regulation mandates device manufacturers to either create a unique password for each device at the time of production or require the user to create one when they interact with the device for the first time. According to the bill, it applies to any connected device, which is defined as a "physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address."
Problem (Score:3)
The big problem right now is that devices that DO come with "unique" passwords are far too often based on the device's MAC address. If you can already connect to the device to communicate with it, odds are you'd already have the information needed to "generate" the default password on the device. The bill should have a specific provision that the passwords are indeed truly random, and not based on hardware IDs.
Re: (Score:3)
Only if you're on the same LAN segment. If you're just scanning random IPs from afar, you won't have the MAC.
Re: (Score:2)
Only if you're on the same LAN segment. If you're just scanning random IPs from afar, you won't have the MAC.
Unless you're using IPv6.
Re: (Score:2)
And not NATing or using IP privacy.
Re: (Score:2)
Only if you're on the same LAN segment. If you're just scanning random IPs from afar, you won't have the MAC.
Unless you're using IPv6.
In which case you would need to be intercepting traffic, to somehow get the device to connect to a server you control, or to scan the /48 to find the device. None of those are impossible, but they're significantly more difficult than just trying a bunch of IPv4 addresses.
That's the IPv6 link-local address (same LAN) (Score:2)
EUI-64 is typically used for the link-local address in IPv6.
The link-local address is, as it's name implies, valid only on the local link. Routers will not route it.
So in order to be exposed to the EUI-64 link-local address, you'd have to be on the same switched Ethernet link - which means you'd also see the Ethernet frames and the Mac addresses in the Ethernet header.
Can be (Score:2)
It can be. As you mentioned, it's typically not.
Re: (Score:2)
Re: (Score:2)
Again, only if you're on the same LAN segment.
Re: (Score:2)
Actually aircrack-ng I believe allows you to see client mac addresses when not connected to a network. its all part of wifi hacking. its rather simple to clone a 802.11 device mac address. Hope this helps.
Re: (Score:2)
if you have an idea of the device type, you can guess a good portion of the mac address to make brute forcing easier
if the device is using ipv6 without privacy and has the mac address embedded in the ip, you already have the mac then
nmap does a pretty good job of guessing the device type.
Re: (Score:2)
if you have an idea of the device type, you can guess a good portion of the mac address to make brute forcing easier
if the device is using ipv6 without privacy and has the mac address embedded in the ip, you already have the mac then
nmap does a pretty good job of guessing the device type.
nmap does a pretty shitty job of scanning a /48 ipv6 subnet.
Re: (Score:3)
Seems Reasonable to Discourage DOS Bots (Score:3)
Re: (Score:3)
I am sure that the IOT'mania crowd may not like this ...
As an IoT fanboi, I am all for this. If you scroll and read all the posts, you will see that most objections are from IoT naysayers ... because this will remove one of their talking points. Which just shows that whiners will whine, even if they get what they said they wanted.
Re: (Score:2)
I say the internet uses VLAN tagging and all IOT devices go on a private lan that you have to actually think and work to communicate with. would stop IdiOT ddos.
Re: (Score:3)
Why? The IoT crowd may want it too, to avoid having incidents like security cameras being available to be viewed by all.
https://www.cbc.ca/marketplace... [www.cbc.ca]
If a journalist on TV can view these security camera streams, imagine what a more determined person can do. In fact, they monitored the streams for several weeks until they could positively identify the house and confront the homeowner.
They then hired a pentesting com
It would be funny... (Score:2)
It would be funny if manufactures stopped sending their products to California.
Re: (Score:3)
Probably be a great investment to have large parcels of land right across the boarder with California zoned for manufacturing.
Re: (Score:2)
Probably be a great investment to have large parcels of land right across the boarder with California zoned for manufacturing.
The requirement applies to any device SOLD in California, not just MADE there.
Anyway, good luck recruiting factory workers in Primm, or getting a water hookup.
Re: (Score:2)
Hmm, State Line IoT Sales Store, anyone?
Also, if I mailorder something from a business in Vermont, is that a "sale in California", or a "sale in Vermont"?
Re: (Score:2)
Hmm, State Line IoT Sales Store, anyone?
Primm is 3 hours from Los Angeles, so a 6 hour round trip. How many people are going to do that just to get a device with worse security?
Also, if I mailorder something from a business in Vermont, is that a "sale in California", or a "sale in Vermont"?
It depends on who you order it from. If they have a presence in California, as Amazon does, then they have to comply with California law.
Since the cost of complying with this law is negligible, I don't think these work arounds will be worth it.
Re: (Score:2)
And even funnier when anyone anywhere with more than 1 functioning neuron in their head realizes that the phrase "Not for sale in the State of California" on any IOT device means it's hopelessly insecure and refuses to buy it.
Re:It would be funny... (Score:4, Insightful)
Entirely different regulation by different people with a different dynamic. Not all regulations are good or well considered. Not all regulations are bad or poorly thought out. More thinking, less knee jerking.
Re: (Score:3)
Nah. In the 1990s when California invented Car Exhaust standards that only applied to California, the manufacturers still sent cars (designated CARB-compliant or 49-state-compliant). California is too big an economy to ignore.
TRIVIA: My 49-state-compliant 2003 Honda Civic had "lean burn" for higher MPG. The CARB-compliant Civic had lean burn disabled, because it made too much NOx (and failed the California standard).
- More trivia: Volkswagen stopped selling Year 2005 and 2006 diesel-powered Jetta/Golfs/B
Re: (Score:2)
Nah. In the 1990s when California invented Car Exhaust standards that only applied to California
It actually was 1972, acting on a law passed in 1967.
Also, 10 other states passed their own laws to follow California's standards. So no, there isn't a "CA model" and an "other 49 states" model.
Re: (Score:3)
> It actually was 1972, acting on a law passed in 1967.
I'm talking about the ULEV and SULEV and ZEV designations, which did not exist until the mid-1990s (with PZEV added in 2001).
>10 other states passed their own laws to follow California's standards.
Yes but not until after 2007 (approximately). Prior to that year, only California followed CARB while the other 49 states followed EPA emissions. Therefore there were "CARB" and "49 state" models. If you don't believe me, look up 2003 Civic Hybrid in
No problem! (Score:2)
Default Password (Score:2, Interesting)
the default password will be part of the mac address of the device
part of the serial number of the device
production date for the device.
et voila, unique id. ... any other pretty obvious default password that is easy to remember like password. :-D
the users will have to change the default password on first use, and will change it to 12345 or secret or
caption -- milked
Next step... (Score:2)
On first look, this seems very sensible. (Score:5, Insightful)
I wonder what the unintended consequences will be.
Re: (Score:3, Insightful)
People getting locked out of their stuff because they forgot the password and cant reset to default.
Re: (Score:2)
People getting locked out of their stuff because they forgot the password and cant reset to default.
How exactly are either of those things related to what the manufacturer can use for default passwords?
Re: (Score:2)
This is a solved problem, devices like this usually have the password on the device for resetting. And before you talk about that being an attack vector for people with physical access, when you're talking home devices anyone having physical access to the device is a far larger problem than that.
Re: (Score:3)
The manufacturers' support phone lines are clogged the next day with calls Help, I forgot my password! and they are asked when their birthday was, in reply. Or the name of their first pet.
Routers? Firmware? (Score:2)
Re: (Score:2)
Your use case is not most consumers' use case.
Re: (Score:3)
Re: (Score:3)
Every time I pull an old router out of the closet, I do a reset to factory defaults, then look up the factory default password on the internet.
The text of the law [ca.gov] is publicly available and easily readable. The text relavent to your concern is "The device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time." This does not necessarily preclude factory default passwords.
Re: (Score:2)
Does the law now say I'm no longer allowed to do that?
No, and that's a rather dumb question. You aren't selling a new device in California.
Are they going to ship every frickin' device with a different default password?
Yes. And several manufacturers already do.
That would send their return rate through the ceiling as customers couldn't login to configure their equipment.
They put a sticker on the device with the default password, MAC address, serial number and any other unique-to-this-device information. Sometimes it's physically printed on the case of the device instead of a sticker.
Alternatively, they put in a default password or other authentication and the device requires you change it before the device connects to the Internet.
Re: (Score:2)
Teeth? (Score:2)
IANAL, nor do I regularly read legislature bills. But, on my read of the bill, I don't see any teeth to the bill? What are the repercussions for a company for violating this law? Other than setting a more concrete bar for possible civil cases, are there any more repercussions?
If a bill don't have teeth, what's the point?
Re: (Score:2)
They passed universal background checks for all gun purchases in Washington. There are no real teeth to that bill, but it's still law. Even law enforcement refused to enforce it during an open resistance at the state Capitol. The law itself accomplishes absolutely nothing.
Sometimes a law exists, I think, merely as a stepping stone to more restrictive legislation.
Re: (Score:2)
IANAL, nor do I regularly read legislature bills. But, on my read of the bill, I don't see any teeth to the bill? What are the repercussions for a company for violating this law? Other than setting a more concrete bar for possible civil cases, are there any more repercussions?
If a bill don't have teeth, what's the point?
Without the law if you buy an IoT device that gets hacked and captures enough information that lets your bank accounts get compromised, that's your tough luck.
With the law, if people have their devices hacked through a fixed password and financial losses occur, then there's a basis for a lawsuit: "You broke the law and thus it is your fault this bad thing happened". And it can even be a class-action suit and make some law firm partners even richer.
What if I don't want a password? (Score:2)
I don't have a password on my phone, because it doesn't have personal data (it's strictly a phone). And there's none on my desktop computer, because it never leaves the security of my house.
I truly HATE when politicians force citizens to do something against their will, when the only person being harmed is the citizen himself. (If someone steals my phone, I am the only one harmed. Leave me alone.)
Maybe politicians should start calling themselves Daddy Brown and Mommy Pelosi, if they insist upon treating
Re: (Score:3, Insightful)
Your stuff being being hijacked because of a default password is not just harming you, it's being used to attack me and thousands of others. Since you can't be responsible enough to prevent that harm, a regulation is needed to prevent you being irresponsible in the first place.
Re: (Score:2)
I truly HATE when politicians force citizens to do something against their will, when the only person being harmed is the citizen himself.
Compromised devices are used to harm others. Instead of requiring manufacturers to follow this law, how about we make you personally liable when your device is compromised and used in a DDoS attack?
Re: (Score:2)
> Compromised devices are used to harm others
Why do the thieves need a "compromised" device to harm others? They can do exactly the same with uncompromised devices that they bought themselves. You made an invalid comment.
- Back to Topic: Yes if a thief steals your phone, and you didn't password-protect it, they might goto your amazon account and buy a bunch of stuff with your money. BUT that harms nobody else except yourself.
Re:What if I don't want a password? (Score:4)
> Compromised devices are used to harm others
Why do the thieves need a "compromised" device to harm others? They can do exactly the same with uncompromised devices that they bought themselves. You made an invalid comment.
Erm, no, they can't.
They can compromise millions of devices (which would be a bit much to buy), and use them (with their millions of separate connections) to launch denial of service or brute force password attacks. These are called "botnets". You may have heard of them :)
The attacks are coming from all different IP addresses so that intrusion detection systems can't block excessive attempts. And obviously tracing them is a bit more difficult.
You can't just do that with uncompromised devices that you bought yourself.
Re: (Score:2)
> They can compromise millions of devices (which would be a bit much to buy), and use them to launch denial of service
And how does a password on our phones stop them from doing this? They could just wipe the phones & use them passwordless.
Re: (Score:2)
Thieves use compromised devices because they are harder to trace back to the thief and offer large amounts of free, aggregated, distributed processing and network power. This makes it cheaper for the evildoer and makes their attacks harder to block since they're highly distributed.
Re: (Score:2)
Why do the thieves need a "compromised" device to harm others? They can do exactly the same with uncompromised devices that they bought themselves. You made an invalid comment.
Umm, this is where I disagree. If I'm going to DDoS someone, I'm not going to use anything I paid for, or can be traced back to me. More so if I am going to crack into a business, your neighbor, the DoD, etc.
Other common uses it becomes part of a botnet, or maybe it just uploads files in IRC, or seeds a torrent.(which can really really hurt you w/ lawsuits from RIAA/MPAA)
Your route, phone, smart thermostat, even fish tank water heater, can all be owned and used to hurt more than just you.
And yes, there are
Re: (Score:2)
You didn't answer his question : will you take on the liability if your device is used to attack a 3rd party?
Here's your answer: No, I won't take on liability if my device is used in the attack due to a poor design decision made by the manufacturer.
The manufacturer is especially liable if the flaw is a well-known and solved security issue that they chose to ignore, such as using hard-coded default passwords and backdoor accounts.
Re: (Score:3)
> will you take on the liability if your device is used to attack a 3rd party?
I'm not liable if someone steals my car & runs over some children..... why would I be liable if someone steals my phone & uses it to make/distribute child porn? Your question was poorly thought out. Citizens are never liable for the actions of others, even if that other person used that citizen's car or phone.
Re: (Score:2)
Dude. We are talking about sane password policies on devices connected to the internet we all share. You need to get a fucking grip on yourself. I think it's wonderful you can sit in your house and be free without a password there, Grandpa. But I think you need to try actually living in a fucking police state before you start crying your pampered snowflake ass
Re: (Score:3)
> You can still choose to set no password.
That's not what the Summary says: "REQUIRE the user to create one when they interact with the device for the first time." So in other words going without a password is no longer an option.
Comment (Score:2)
And queue the list of devices with the trusty old admin/password combo... Tada! Security!
Forcing Users to pick non-default passwords? (Score:2)
I can see it now... the system boots and prompts
Please Enter Password> _
User enters: "password"
Confirm new Password> ********
Buck passed to user who has now entered a well known password. Problem solved !!!
Old Bluetooth (Score:2)
This will effectively deprecate compatibility with really old Bluetooth devices ( prior to 2.1, c.a. 2007) because manufacturers likely will drop support for legacy pairing (the 4 digit code, which is almost always "0000").
Not so sure that is a bad thing.
Re: (Score:2)
The law wouldn't apply to headsets/earpieces (the most common case here) because while they have a Bluetooth address they aren't connected to the Internet either directly or indirectly (section 1798.91.05(b)).
Tech support NIGHTMARE (Score:2)
"Yeah i cant log in to my router with the password provided"
"Well, you need to reset it and try it again, if it doesn't work return it, cos there's not a thing to be done. Thanks for calling"
Re: (Score:2)
How stupid would a manufacturer have to be to provide the wrong password on the device? Just because they have to provide a non default password doesn't mean they need to write the wrong thing on the device. This is a solved problem by many, many, many, manufacturers already, they simply write a different password on every device they ship out. In this case the government isn't requiring anything that isn't already common practice. They're simply enforcing it on those who have lagged behind what is currentl
It doesn't have to be a federal ban (Score:2)
Any company who wants to sell a product in CA will sell the same product everywhere else in the country. Abiding CA regulations alone will bring inheritance to other states. Bravo!!!
Re: (Score:2)
So you are the champion of the flashing 12:00?
You want security cameras to be wide open?
Do you leave your house unlocked because keys are too hard to use?
Re: (Score:2)
I want the freedom to die of lead poisoning.
I want to only have to flush my toilet once.
Re: (Score:3)
If California (or the EPA) wants to do something useful, they should ban the automatic toilets. Every time I use them, they flush 3 times... when I walk in, when I stand up, when I walk out.
These are known as "phantom flushes" because it flushes when the user does Not want it to flush. Complete waste of water.
Re: (Score:2)
Re: (Score:3)
That saves me from wasting water, but does nothing to stop the thousands of others wasting water. (And in dry California, we cannot afford to waste any of it.)
Re: (Score:2)
Good thing nobody has swimming pools in that area. What a waste of water that would be.
Re: (Score:3)
Yeah swimming pools and watering of lawns was technically illegal during drought season (2016-17) but the Hollywood producers JJ Abrahms and stars like Oprah thought they were above the law, and did it anyway. (They should have been prosecuted.)
Re: (Score:2)
And it flushes when it plugs up and overflows. And you have to manually flush because it can't swallow man poop + multiple softballs of toilet paper.
You have to wipe wipe wipe flush wipe wipe wipe flush wile wipe wipe flush then stand up and it flushes again. God help you if you plugged it and it flushed once prior to standing.
And if you plugged it, now you have to figure out how to stand and pull your pants up and get out before it overflows, and without running outta the stall with your pants down into
Re: (Score:2)
The toilet thing is sadly federal. It really pisses me off, because the total amount of water used inside households it trivial: there's no win to be had there in the first place. From useless shower head to annoying toilets, they're all "feelgood" measures that accomplish nothing and reduce basic hygiene.
Let people have their own values, don't try to force your values at gunpoint on others!
Re: (Score:2)
That simple improvement would never have been invented without the regulatory push.
Except it isn't a large fraction of water use and just pushes off the need to increase water sourcing due to population growth by a few years.
It was literally admitted at the time to be largely for show, but more importantly, it got people onboard by taking pride in it after years of grumbling, making acceptance of more harsh regulations to come easier.
You would be better served by allowing unlimited water use in areas that got water some other way, e.g. from the sea, and let that make your lives better.
Re:It's time for revolt (Score:5, Insightful)
So you are the champion of the flashing 12:00?
You want security cameras to be wide open?
Do you leave your house unlocked because keys are too hard to use?
Sigh...
Please try to understand that because someone is against a particular idea does not automatically mean they are in favor of the polar opposite of it. This type of thinking is extremist thinking and ruins any chance at useful dialog where both parties can try to understand each other.
I am in favor of companies stopping this "default password" crap. However, the idea of a government entity mandating it makes me uncomfortable. In choosing the lesser of evils, I would be against such a mandate and depend upon customers pressuring their vendors to change their behavior using the most effective tool known: their wallets.
Re:It's time for revolt (Score:5, Insightful)
It's the mandate or nothing. Companies have had DECADES to understand that default passwords are a terrible idea. Do you figure they were somehow within seconds of the light bulb going on when the bill was signed?
If the corporations themselves were the only ones to suffer, that would be fine. If their customers might suffer as well, I could almost buy in to the idea that they should have done more research. But neither is the case. The unsecured devices get rooted and then attack 3rd parties that had no input into the terrible decision to have default passwords. In some cases (looking at you Cisco) the customer had no knowledge of or input into the default password either (nor the ability to remove it if they ever do find out about it).
When their bad dogs stop crapping in my yard, they can be free to do as they will.
Re: (Score:2)
In some cases (looking at you Cisco) the customer had no knowledge of or input into the default password either (nor the ability to remove it if they ever do find out about it).
Re:It's time for revolt (Score:4, Insightful)
Stupid government requiring businesses and consumers to avoid unnecessarily hazardous practices.
I too an uncomfortable with mandates to use GFCIs in the kitchen and bathroom, carry gasoline in approved containers, not leave my keys in a running car when I go to the store, and all the rest.
You should merely be in favor of me doing so, and trust that I wish for you to avoid electrocution, conflagration, and general mayhem.
Oh, you were serious. *snicker* All 0.01% of you that might use that as a pre-purchasing criterion will surely justify the expense.
Re: (Score:3)
I just honestly don't know how an of us can even live our lives with all this oppressive big government evil hanging over you at all times. This password policy is just another stop on the inevitable march to tyranny.
Re: (Score:2)
Stupid government requiring businesses and consumers to avoid unnecessarily hazardous practices.
I too an uncomfortable with mandates to use GFCIs in the kitchen and bathroom, carry gasoline in approved containers, not leave my keys in a running car when I go to the store, and all the rest.
You should merely be in favor of me doing so, and trust that I wish for you to avoid electrocution, conflagration, and general mayhem.
Oh, you were serious. *snicker* All 0.01% of you that might use that as a pre-purchasing criterion will surely justify the expense.
Right, because life is completely binary, and either you favor the most safety regulation humanely possible, or else that means you are in favor of babies juggling electrified knives.
Re: (Score:3)
Fine. Pretend that those are not regulations that you are already subject to right now, that government has no business regulating commerce to forbid unreasonable hazards, and that IoT botnets have not proven that devices with generally-applicable default passwords are unreasonable hazards.
IoT botnets are totally ficitonal [csoonline.com], li
Re: (Score:3)
Oooohhhhh ok. What a brillinat idea. Well, I'm sure Joe and Jane public will get riiiiiight on top of that, intelligently voting with their dollars for the product that has an effective default password policy.
That's the lesser of the "evils" of "big government" just saying "if you want to sell a product,
Re: (Score:2)
The free market does not solve ever problem. The free market won't solve this problem, either. How many people do you know have declined to purchase an Internet connected gizmo because it had a default password? How much money and time has been lost by default passwords on Internet connected gizmos?
Re: (Score:3)
So who do I sue when their customer leaves the default password set and the device is used to DDOS me?
'Cause me suing someone is the only recourse you are leaving me for recovering those damages. So is it the customer who failed to secure their device who's liable, or the manufacturer negligent for not setting per-device passwords?
Oh, I'm sorry, this is delusion-land where third parties are never harmed by the actions of others.
Re: (Score:2)
Re: (Score:2)
Those idiots couldn't feed themselves if they had to
*Looks at statistics of how much of the US food supply comes from CA*
Um...actually, they've got that covered pretty well.
Re: (Score:2)
Those idiots couldn't feed themselves if they had to...
I was planning to just look for replies to mod up, but I found no responses to this part of your argument, and, well... I figure it deserves a reply as much as anything else you said (which is to say, it probably doesn't merit a response).
For your edification, here are just a couple of the top google hits for "california america's breadbasket":
source: https://naturalresources.house... [house.gov]
Re: (Score:2)
I'd like to thank Californians for putting up with idiotic toilets that save a few percent off state usage so they can send 90% of their water to water a desert so we can have winter vegetables and "California" as an adjective on many prepared foods, meaning avocado.
Thanks, put-upon Califlushers!
Re: (Score:2)
Yeah, I wish California the best of luck with that one. What are they going to do, have inspectors check every piece of IoT garbage that gets imported from China to make sure that it complies with their password policy?
Re:Good job (Score:4, Informative)
Nope, just companies who do business in California. In California, you are not required to register a foreign business with the state, but you do not have any rights to use the courts and if a suit is brought against you, the judge can choose not to hear your side of the case. So while the Chinese garbage will likely never be effected, anyone selling that chinese garbage will be and so, by proxy, this law will be implemented as sellers who don't wish to be liable, start selling chinese crap rather than chinese garbage.
Re: (Score:2)
Non-citizens legally register to vote in San Francisco school elections
San Francisco began registering non-citizens, including undocumented immigrants, to register to vote Monday in the November election for the city school board, reported The San Francisco Chronicle.
https://www.sacbee.com/news/st... [sacbee.com]
Re: (Score:2)
What are they going to do, have inspectors check every piece of IoT garbage
The citizens can do that. The state just needs to have a website for reporting noncompliance.
This is something that costs manufacturers almost nothing. So why would they refuse to comply?
Re: (Score:3)
The short version is - a company makes 20 million of something. If they can save four cents on each unit, they've still saved over $2 million. Every bit they can shave off of a large volume item makes a difference.
Re: (Score:3)
They'll save $800,000, but your point is still valid.
Re: (Score:2)
If it's like most other laws, no. What you do is wait for someone to complain, then you investigate the complaint. You never need to go looking for trouble; the public will happily volunteer to bring it to you. (The public has various motivations to do this, and caring about the password issue might possibly even be one of them.)
Re: (Score:2)
Making an effort would be fining anybody found to have a default password set on a device they own. It shouldn't be the manufactures responsibility to make sure you are not an idiot.
Re:Dupe (Score:4, Funny)
No, those are not default passwords so they don't count. cisco has backdoor passwords.
Re: (Score:2)
Re: (Score:2)
...but do they do, scan all your devices and fine you?
No, you rely on people filling complaints.
It's one thing to make manufacturers *in* California to do this; I don't see how you can stop other manufacturers from motoring along as they are whether or not it's a good idea
You make it a condition for selling the product in CA, and go after the people in CA that are selling the product with a default password.
Also, we already burn unique serial numbers and MAC addresses into devices during manufacture. It's really not that hard to put in a unique password while you're doing that, and put that password on the same label you put the MAC address.......and there are manufacturers that already do this.
Alternatively, you set up the device
Re: (Score:2)
Oddly enough, this was my first thought. Raspbian is the only thing I have that is internet connected, and comes with a default username and password, and worse yet, it neither prompts you to change it at first boot, nor provides a menu option to do so in it's configuration.
Sure, I know how to change a username and password from the command line in raspbian, but I shouldn't need that level of knowledge to perform such a basic task on a device that ships insecure by default.
Unfortunately, I doubt this law wi
Re: (Score:2)