I agree a strong password is required but I disagree that the Admin account is not an issue. Nearly every device has an admin account out the box and this is the easy way for a hacker to get in. If you remove the admin account its damn hard to guess your user name.
1 Like
Only if they know your password or it is simple enough to crack.
Most people will use their name or a nick name or something basic/simple. Any attacker who knows what they are doing already has this info or can get it or crack it.
I think you are missing my point. If you have an admin account the hacker is half way there. Its only the password they need to break. It is thousands times as hard to crack if they need both the account name and password.
1 Like
Security is a matter of layers. Every layer you add makes it more difficult for an intruder. If they are in it for the money, every layer you add increases the chance that they will move on to an easier prey.
Btw, don’t underestimate how easily a password can be brute forced in 2023 when a hashed form is obtained from compromised database. If you believe that “1L0v3Mu$!c” is a strong password, think again.
I think you are missing my point. Just because you don’t use the default admin account doesn’t mean the hacker doesn’t already have the account name you are using or enough info to figure it out.
I’d argue a hacker should never be able to get a login prompt to a device on your network in the first place.
I think something worth bearing in mind here is that we have a lot of expert tech users on the forum. It’s easy for them to forget that to many others it’s not child’s play, or obvious, to setup port forwarding, etc.
I’d like to know what things should/should not be done to make things more secure. I had no idea Rock was inherently insecure/exposed in the default way of setting it up, for example. That’s just not obvious to anyone not savvy with networking/hacking.
Perhaps it might be an idea for someone (Roon support perhaps?) to write a guide for forum members on the Roon specific tips and also recommend a good resource on how to secure a network, at least the basics…?
3 Likes
Frankly speaking: Users who feel unsure/badly prepared to correctly and securely setup routers and networks should refrain from doing it anyway and seek local assistance from experienced individuals or companies.
Stop believing the advertisement from companies, that just want to sell you their products, that this is all child’s play, easy and doesn’t require any knowledge. If at all, this is only true for first time setup out of the box of their products with default settings, which may not be optimal or even plainly wrong/not working for the use case a user may have bought the product for, and is no longer true as soon as users have to input data/change settings for any reason. When that happens, users should unterstand the questions/settings and possess the needed knowledge to proceed further as they are about to take responsibility for their actions and consequences those might have.
No one needs to be an expert in everything, but should probably consult one, for matters he isn’t, to prevent “accidents”.
2 Likes
I second that, I just haven’t got a clue myself and didn’t know these things were vulnerable until I read this thread. I’m a complete novice and just followed the install rock on nuc tutorial but after that I have zero protection I would anticipate
How do you remove the admin account on a router or change the admin account name it doesn’t seem that straight forward to me and what I’ve read admin remains the default user name and cannot be altered on many routers?.
That’s the thing though. In the default way of setting up Roon, ROCK isnt insecure / exposed by default. Or put differently, they aren’t going to hack you because of the way ROCK is setup by default.
There isn’t much to go on what happened to the user in the thread. He shouts “I’m hacked” but then doesn’t follow up with information. There’s no indication this happened because of ROCK.
I second some of the sentiments echoed here though: if you don’t know what you’re doing, then don’t do it and ask for advise.
And I’d like to add: when you get advise, don’t accept it at face value. Case in point, I’ve seen recommendations here that advised users to put there code in DMZ as a way to make ARC work. Don’t do this.
1 Like
Well yes. I can see that some of the well-informed people on this thread alone can’t agree on seemingly basic aspects. Which makes you wonder whether the advice to ask an expert is decent - which one? Hence the request for a decent resource/guide on this stuff which most people who know about such things agree is solid…
Separately, it feels like far more could be done to make all these things more secure out of the box, instead of expecting most end users to have knowledge they clearly don’t. It’s as though cars were sold without the brakes installed and the average driver were expected to know how to hook them up.
2 Likes
Everyone’s an expert on the internet 
Exactly the attitude you should adopt. Question the advise you’re given. Ask follow-up questions + push back and see whether / if their advise still holds up.
Having official documentation on the matter certainly doesn’t hurt. Dare I say, it’s even desirable.
I’m in the camp that roots for solutions that require minimal input from the user, implying less chance of them messing it up… And as such, I’m not a big fan of the route that Roon took when it comes to ARC (ie. port forwarding). It’s obvious from the cheer number of support tickets on the matter that upnp implementations aren’t exactly standardized, and therefore routers cannot always be configured automatically. Add to that double natting becoming more prominent (instead of ISPs going the IPv6 way), an increasing amount of users won’t be able to benefit from ARC. This in turn leads to users “trying to make it work” and unintentionally opening themselves up for attacks. Still, that doesn’t mean the solution they’ve opted for is inheritently insecure by default and/or by design.
1 Like
Cars are usually sold complete and secure to drive. It are then users who wish to individualize their experience (racing suspension for example), want to add more usability (add a trailer hitch for example), or the need to replace consumable parts (exchange worn-out breaks for example), … that lead to work to be done on the car. Feel free to do it yourself if you have the needed skill, tools and knowledge available. Keep in mind that if you don’t and do it yourself anyway, you (as the driver), passengers (if any) and other persons driving on roads potentially have to face the consequences of your action.
Same goes for routers (sold complete and with a secure default setup).
Wow, cant believe this thread isnt dead yet. The user doesn’t care enough to provide details or take advice. Why are we still here?
This thread will make for good reading on his 3rd breach.
4 Likes
Maybe all his systems are down.
This is worrying … Ive just bought a lifetime account
The user didn’t provide any useful information that could be used to understand what happened, and this is the most likely:
1 Like
Nothing to worry about.
Very unlikely but I understand the comment.
Still no further comments from MGX. Why has the 1st post got all those links in?