Re: A simple, solid and stable P2P Bidirectional NAT Traversal technique for RealVNC users...
First, let it be known that:

I, Jerry Westrick, have in no way intended to slur or impinge on the reputation of the honorable people at Hamachi. If some feel I have done so, I hereby express my apologies to Hamachi, and state unequivocally that this was not and is not my intention. As far as I know, the people at Hamachi are kind people trying to help the world for free, and should be applauded!

Now that I've cleared the air, 8-) I'm back to my complaint, which I seemed to have so badly explained. This time I'll take a little more time to explain a little better.

The company I work for writes software that connects electronic stock exchanges to Banks. We support some 15 banks. We use remote access constantly every day. If we were not able to do so, we could not exist as a viable company.

Our clients, the Banks, have obvious need to ASSURE that their customer information is not accessible in any way. They have extended their trust to include the company I work for. This they did only after studying our security practices.

So now that you know where I'm coming from, maybe you can understand the following comments better.

We cannot use a mediation server to give us IP addresses. To do so would mean trusting:

1) The people at Hamachi, which we obviously cannot do. (No insult or slur is intended, but with the security of Banking information at risk, the rule to follow is DO NOT TRUST ANYONE!) and
2) the security practices of the people supporting that server (in this case Hamachi). We (my company) do not know enough about their security practices to make an informed opinion. and lastly,
3) Trusting everyone that the people at Hamachi place their trust in.

So this is what I meant by not being able to put the concept of Secure and Trust together under a single hat.

Now, not everyone needs this kind of security, so there may be a valid need/use for the services you are so kindly offering the community. But let us inform the people of the level of security and/or risks that they are accepting, as most people cannot judge this for themselves...

Once again, I do NOT believe that the people at HAMACHI are trying to do anything evil/bad/nasty. In fact, I applaud them for offering their work and services to the community, and hope that the community will appreciate their efforts as much as I do.

Jerry

P.S. Your assumption that I was a Closed software hater is also wrong 8-)

On Thursday 03 March 2005 18:53, Zach Dennis wrote:
> Alex Pankratov wrote:
>> Jerry, We are NOT paying lots of money as we do NOT relay your traffic. It is a p2p system, the bandwidth usage for us is under a few megs a day. Can you fit this together under one hat?
>
> Alex, No need for the tone of your last sentence. I grasp what you are doing as I am sure many others are. I even see its benefit, but I'll agree with Jerry, that using an outside initiation or mediation server is a little questionable. Nothing is free, and you can't assume people to be so trustworthy just because you say so. None of us know you, so we are allowed to have questions and to put what you say and do under speculation, especially with Hamachi's functionality.
>
> Is the mediation server software available for download? This would answer a lot of questions I think if someone could put that on their server. Then a corporation, home user, small office, etc... would know where information is going. If it isn't available publicly, perhaps this would be for the next version of Hamachi, the server code as well? Your software, so your call...
>
> Zach

___ VNC-List mailing list VNC-List@realvnc.com To remove yourself from the list visit: http://www.realvnc.com/mailman/listinfo/vnc-list
Re: A simple, solid and stable P2P Bidirectional NAT Traversal technique for RealVNC users...
Hello Zach...

All your scenarios are valid. The program functionality COULD be perfect. What bothers us is the conflict of Secure Communications with trust in someone who is paying lots of money for Internet bandwidth to provide the service for no visible reason.

I'm sorry, I just can't fit the 2 of them under one hat!

Jerry

On Wednesday 02 March 2005 17:11, Paul Haskew wrote:
> Ed, You might want to check out this long thread about Hamachi.
> -Paul
>
> -----Original Message-----
> From: Zach Dennis [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, March 02, 2005 7:30 AM
> To: vnc-list@realvnc.com
> Subject: Re: A simple, solid and stable P2P Bidirectional NAT Traversal technique for RealVNC users...
>
> Bob Hartung wrote:
>> Since my last posting, I've been trying to play devil's advocate with this technology. I've been trying to imagine legitimate scenarios for using this technology in a business environment. So far, I haven't been able to do it. It still seems to be a technology whose primary purpose is to thwart firewalls and company usage policies.
>
> Well for starters. This is a great tool for the IS/IT dept in a company and especially for admins. Maybe this won't work well for a typical end user on a large corporate network, but this is great in smaller to medium sized businesses and even SOHOs. If this works well with VNC, then the worth of this product just went 100% in my book.
>
> Here are some example scenarios:
>
> - In the northern country where it snows, the finance gal gets snowed in or runs into a ditch (it's happened before) so she works from home. She needs to access some files from her work computer. (Her home computer is also a company laptop). She calls the IT dept and makes a request. The IT dept set her up to vnc into her machine from home and to drag over her files (thx hamachi).
> - A programmer codes both at home and at work. He does some sample coding at home late last night and then finds out tomorrow morning he needs that code. He vnc's in to his computer and drags the files over. (thx hamachi).
> - Engineers from a regional office are visiting headquarters. Their meeting is at 2pm, it's 10am now. What to do for 4 hours. They get on an extra workstation and vnc into their up north computer and review some of their revisions from yesterday. They decide to include the new ideas in their 2pm meeting. So they generate a pdf of their latest cad files. They drag the pdf over to the current workstation, and print it out. (thx hamachi)
>
> These are all scenarios our company has hit. And if I understand Hamachi right, the solution should be similar to what they are above in each example. If I don't understand Hamachi right, please tell me.
>
> Zach
Re: A simple, solid and stable P2P Bidirectional NAT Traversal technique for RealVNC users...
Jerry,

We are NOT paying lots of money as we do NOT relay your traffic. It is a p2p system, the bandwidth usage for us is under a few megs a day. Can you fit this together under one hat?

Alex

PS Sorry, James, I couldn't leave this unanswered.

Jerry Westrick wrote:
> Hello Zach...
>
> All your scenarios are valid. The program functionality COULD be perfect. What bothers us is the conflict of Secure Communications with trust in someone who is paying lots of money for Internet bandwidth to provide the service for no visible reason.
>
> I'm sorry, I just can't fit the 2 of them under one hat!
>
> Jerry
>
> On Wednesday 02 March 2005 17:11, Paul Haskew wrote:
>> Ed, You might want to check out this long thread about Hamachi.
>> -Paul
>>
>> -----Original Message-----
>> From: Zach Dennis [mailto:[EMAIL PROTECTED]
>> Sent: Wednesday, March 02, 2005 7:30 AM
>> To: vnc-list@realvnc.com
>> Subject: Re: A simple, solid and stable P2P Bidirectional NAT Traversal technique for RealVNC users...
>>
>> Bob Hartung wrote:
>>> Since my last posting, I've been trying to play devil's advocate with this technology. I've been trying to imagine legitimate scenarios for using this technology in a business environment. So far, I haven't been able to do it. It still seems to be a technology whose primary purpose is to thwart firewalls and company usage policies.
>>
>> Well for starters. This is a great tool for the IS/IT dept in a company and especially for admins. Maybe this won't work well for a typical end user on a large corporate network, but this is great in smaller to medium sized businesses and even SOHOs. If this works well with VNC, then the worth of this product just went 100% in my book.
>>
>> Here are some example scenarios:
>>
>> - In the northern country where it snows, the finance gal gets snowed in or runs into a ditch (it's happened before) so she works from home. She needs to access some files from her work computer. (Her home computer is also a company laptop). She calls the IT dept and makes a request. The IT dept set her up to vnc into her machine from home and to drag over her files (thx hamachi).
>> - A programmer codes both at home and at work. He does some sample coding at home late last night and then finds out tomorrow morning he needs that code. He vnc's in to his computer and drags the files over. (thx hamachi).
>> - Engineers from a regional office are visiting headquarters. Their meeting is at 2pm, it's 10am now. What to do for 4 hours. They get on an extra workstation and vnc into their up north computer and review some of their revisions from yesterday. They decide to include the new ideas in their 2pm meeting. So they generate a pdf of their latest cad files. They drag the pdf over to the current workstation, and print it out. (thx hamachi)
>>
>> These are all scenarios our company has hit. And if I understand Hamachi right, the solution should be similar to what they are above in each example. If I don't understand Hamachi right, please tell me.
>>
>> Zach
Re: A simple, solid and stable P2P Bidirectional NAT Traversal technique for RealVNC users...
Alex Pankratov wrote:
> Jerry, We are NOT paying lots of money as we do NOT relay your traffic. It is a p2p system, the bandwidth usage for us is under a few megs a day. Can you fit this together under one hat?

Alex,

No need for the tone of your last sentence. I grasp what you are doing as I am sure many others are. I even see its benefit, but I'll agree with Jerry, that using an outside initiation or mediation server is a little questionable. Nothing is free, and you can't assume people to be so trustworthy just because you say so. None of us know you, so we are allowed to have questions and to put what you say and do under speculation, especially with Hamachi's functionality.

Is the mediation server software available for download? This would answer a lot of questions I think if someone could put that on their server. Then a corporation, home user, small office, etc... would know where information is going. If it isn't available publicly, perhaps this would be for the next version of Hamachi, the server code as well? Your software, so your call...

Zach
Re: A simple, solid and stable P2P Bidirectional NAT Traversal technique for RealVNC users...
At 050303 12:53 -0500, Zach Dennis wrote:
> Alex Pankratov wrote:
>> Jerry, We are NOT paying lots of money as we do NOT relay your traffic. It is p2p system, the bandwidth usage for us is under few megs a day. Can you fit this together under one hat ?
>
> Alex, No need for the tone of your last sentence. I grasp what you are doing as I am sure many others are...

Whoa, Zach ... I think you mistook Alex's last sentence. I did not take it to be an insult but a play on words - playing off Jerry's skepticism (with which anyone should begin) about fitting Hamachi's apparent costs and benefits under one hat. It would have sounded different if we could have heard his voice.

-- John
RE: A simple, solid and stable P2P Bidirectional NAT Traversal technique for RealVNC users...
My my... Perhaps...just what the RealVNC list needed. All the previous posts on port forwarding, ssh converged into a simple interface. Whilst I would assume the majority of users are not technically inclined and putty is a great front end, the difficulties of implementing the open source SSH servers for the average Windows users are noted. Unless, of course the average user is willing to pay for a commercial solution. ...but the plethora of no-cost RealVNC users tend to exist for a reason!

The bigger questions generated are definitely worthwhile discussing, i.e. network admin's economic and security priorities with their overworked IT staff perpetually several internet generations behind vs the ever increasing computational power, security sophistication and internet savvy mobile independent users (consumers).

The idea of virtual network adapters, secure and simple network pools, etc... is very powerful stuff, indeed. Thanks, Alex for stepping up to the plate.

What is your take on SHA1 being recently broken by Chinese researchers?

NK

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex Pankratov
Sent: March 1, 2005 11:25 PM
To: Paul Haskew
Cc: vnc-list@realvnc.com
Subject: Re: A simple, solid and stable P2P Bidirectional NAT Traversal technique for RealVNC users...

Paul Haskew wrote:
> While I am glad to see the main designer/developer here, I do not wear tin foil hats. :P I am just a concerned IT Admin, who will at one point have to make a decision about this program.

TCP/11975 ;-)
Re: A simple, solid and stable P2P Bidirectional NAT Traversal technique for RealVNC users...
Since my last posting, I've been trying to play devil's advocate with this technology. I've been trying to imagine legitimate scenarios for using this technology in a business environment. So far, I haven't been able to do it. It still seems to be a technology whose primary purpose is to thwart firewalls and company usage policies.

Perhaps Alex or other listers who are using the technology could provide some examples of how Hamachi is or could be used in a positive, legitimate fashion.

Alex Pankratov wrote:
> Paul Haskew wrote:
>> While I am glad to see the main designer/developer here, I do not wear tin foil hats. :P I am just a concerned IT Admin, who will at one point have to make a decision about this program.
>
> TCP/11975 ;-)
>
>> Also, about trusted outsiders, I am not worried about me setting up trusted persons. I am worried about those who have computer access, a little knowledge, and try to set this up and allow someone incorrect access. Thus compromising what is currently in place without realizing it. Don't get me wrong, I am all for making things as simple as possible for end users. Also, this is a wonderful idea, I am just hoping that certain safeguards or means of prevention will also be made avail with the product.
>
> Agreed. It is very hard to find the balance so that 'tolerant to accidental misuse' wouldn't become 'unusable out of the box'. I am not a sys admin, so any suggestions as to what these safeguards should be are really welcomed.

--
Bob Hartung, Dir of I.T.
c\o Wisco Industries, Inc.
P. O. Box 10
736 Janesville St.
Oregon, WI 53575
Phone: (608) 835-3106 x215
Fax: (608) 835-9644
email: bhartung(at)wiscoind.com
Re: A simple, solid and stable P2P Bidirectional NAT Traversal technique for RealVNC users...
Collins, Kevin (MindWorks) wrote:
> I looked at Hamachi after a mention of it on this list yesterday, and while it seems pretty cool, I have to ask:
>
> Am I the only one who has at least a slight distrust of using a mediation server in the middle of a secure connection? Maybe I just don't get it, or I do and am overly paranoid, but this seems to invite snooping, man in the middle attacks, etc... What level of trust do I need to place on servers I have no control over?

You get it. I don't trust it. Just because you and I are overly paranoid doesn't mean the mediation server hasn't been 0wned or the admin curious.

Besides, in a truly secure network environment (where I work) there is no way for users to install it in the first place. With 400 users on NT 4 network all using IE and Outlook we have never had a single virus or compromise of any kind in the last 9 years.

Moreover, even if users could install it, or somehow get a machine authenticated to use the network and then the proxy and Internet, they would definitely get fired for violating the agreement they signed when they got hired (at least where I work anyway).

In fact, I am betting that I am not able to make a connection from work to home through our firewall. Anyone care to wager?

Rick
Re: A simple, solid and stable P2P Bidirectional NAT Traversal technique for RealVNC users...
> In fact, I am betting that I am not able to make a connection from work to home through our firewall. Anyone care to wager?

No need to get cocky. It's all in how your firewall is set up. Most firewalls allow outgoing connections to occur, which allows you to create a bidirectional connection between inside the network and an outside network. If you're limiting the ports available to outgoing traffic then a default install probably won't work. However if you're allowing users to go through port 80, port 110, port 25, etc... to go outside your internal network then I'll state, it can be done!

The only person I've ever met who *can't* install something on a computer is an end user. Any great sysadmin (especially in winbox environment) should be able to do what they need to regardless of how locked down the system is. ;) However this is only if all tools are available to the user except for physically modifying the workstation or performing a reinstall.

TMTOWTDI

Zach
Re: A simple, solid and stable P2P Bidirectional NAT Traversal technique for RealVNC users...
Bob Hartung wrote:
> Since my last posting, I've been trying to play devil's advocate with this technology. I've been trying to imagine legitimate scenarios for using this technology in a business environment. So far, I haven't been able to do it. It still seems to be a technology whose primary purpose is to thwart firewalls and company usage policies.

Well for starters. This is a great tool for the IS/IT dept in a company and especially for admins. Maybe this won't work well for a typical end user on a large corporate network, but this is great in smaller to medium sized businesses and even SOHOs. If this works well with VNC, then the worth of this product just went 100% in my book.

Here are some example scenarios:

- In the northern country where it snows, the finance gal gets snowed in or runs into a ditch (it's happened before) so she works from home. She needs to access some files from her work computer. (Her home computer is also a company laptop). She calls the IT dept and makes a request. The IT dept set her up to vnc into her machine from home and to drag over her files (thx hamachi).
- A programmer codes both at home and at work. He does some sample coding at home late last night and then finds out tomorrow morning he needs that code. He vnc's in to his computer and drags the files over. (thx hamachi).
- Engineers from a regional office are visiting headquarters. Their meeting is at 2pm, it's 10am now. What to do for 4 hours. They get on an extra workstation and vnc into their up north computer and review some of their revisions from yesterday. They decide to include the new ideas in their 2pm meeting. So they generate a pdf of their latest cad files. They drag the pdf over to the current workstation, and print it out. (thx hamachi)

These are all scenarios our company has hit. And if I understand Hamachi right, the solution should be similar to what they are above in each example. If I don't understand Hamachi right, please tell me.

Zach
RE: A simple, solid and stable P2P Bidirectional NAT Traversal technique for RealVNC users...
Ed,

You might want to check out this long thread about Hamachi.

-Paul

-----Original Message-----
From: Zach Dennis [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 02, 2005 7:30 AM
To: vnc-list@realvnc.com
Subject: Re: A simple, solid and stable P2P Bidirectional NAT Traversal technique for RealVNC users...

Bob Hartung wrote:
> Since my last posting, I've been trying to play devil's advocate with this technology. I've been trying to imagine legitimate scenarios for using this technology in a business environment. So far, I haven't been able to do it. It still seems to be a technology whose primary purpose is to thwart firewalls and company usage policies.

Well for starters. This is a great tool for the IS/IT dept in a company and especially for admins. Maybe this won't work well for a typical end user on a large corporate network, but this is great in smaller to medium sized businesses and even SOHOs. If this works well with VNC, then the worth of this product just went 100% in my book.

Here are some example scenarios:

- In the northern country where it snows, the finance gal gets snowed in or runs into a ditch (it's happened before) so she works from home. She needs to access some files from her work computer. (Her home computer is also a company laptop). She calls the IT dept and makes a request. The IT dept set her up to vnc into her machine from home and to drag over her files (thx hamachi).
- A programmer codes both at home and at work. He does some sample coding at home late last night and then finds out tomorrow morning he needs that code. He vnc's in to his computer and drags the files over. (thx hamachi).
- Engineers from a regional office are visiting headquarters. Their meeting is at 2pm, it's 10am now. What to do for 4 hours. They get on an extra workstation and vnc into their up north computer and review some of their revisions from yesterday. They decide to include the new ideas in their 2pm meeting. So they generate a pdf of their latest cad files. They drag the pdf over to the current workstation, and print it out. (thx hamachi)

These are all scenarios our company has hit. And if I understand Hamachi right, the solution should be similar to what they are above in each example. If I don't understand Hamachi right, please tell me.

Zach
Re: A simple, solid and stable P2P Bidirectional NAT Traversal technique for RealVNC users...
While H is primarily oriented on home users (gaming, data sharing, etc), the primary business usage is remote access and p2p connectivity between remote points. Zach listed some. And while those should be enough to get you on the track, I will give you another one.

Say you have two sales people sitting in the same city but in different hotels wanting to exchange documents. You would normally resolve this by having a VPN concentrator at a routable location in your central office and VPN clients on the sales people's notebooks. Now imagine they are in Peru, your office is in Mongolia and the document is a PowerPoint presentation as lightweight as usual at a mere 40Megs. Remember - they are in the same city, probably 4 hops away.

Bob Hartung wrote:
> Since my last posting, I've been trying to play devil's advocate with this technology. I've been trying to imagine legitimate scenarios for using this technology in a business environment. So far, I haven't been able to do it. It still seems to be a technology whose primary purpose is to thwart firewalls and company usage policies.
>
> Perhaps Alex or other listers who are using the technology could provide some examples of how Hamachi is or could be used in a positive, legitimate fashion.
>
> Alex Pankratov wrote:
>> Paul Haskew wrote:
>>> While I am glad to see the main designer/developer here, I do not wear tin foil hats. :P I am just a concerned IT Admin, who will at one point have to make a decision about this program.
>>
>> TCP/11975 ;-)
>>
>>> Also, about trusted outsiders, I am not worried about me setting up trusted persons. I am worried about those who have computer access, a little knowledge, and try to set this up and allow someone incorrect access. Thus compromising what is currently in place without realizing it. Don't get me wrong, I am all for making things as simple as possible for end users. Also, this is a wonderful idea, I am just hoping that certain safeguards or means of prevention will also be made avail with the product.
>>
>> Agreed. It is very hard to find the balance so that 'tolerant to accidental misuse' wouldn't become 'unusable out of the box'. I am not a sys admin, so any suggestions as to what these safeguards should be are really welcomed.
Re: A simple, solid and stable P2P Bidirectional NAT Traversal technique for RealVNC users...
In only one of your examples is the IT department involved. In that case, they could have accomplished the same as Hamachi by temporarily opening some ports in the firewall and forwarding them to her work computer. Or they could have e-mailed her the files she needed. In all your other examples, they represent well-meaning individuals circumventing company security.

As an administrator, I'd be worried about showing employees how to by-pass security because it's convenient to do so. Who's to control their access after that?

Zach Dennis wrote:
> Bob Hartung wrote:
>> Since my last posting, I've been trying to play devil's advocate with this technology. I've been trying to imagine legitimate scenarios for using this technology in a business environment. So far, I haven't been able to do it. It still seems to be a technology whose primary purpose is to thwart firewalls and company usage policies.
>
> Well for starters. This is a great tool for the IS/IT dept in a company and especially for admins. Maybe this won't work well for a typical end user on a large corporate network, but this is great in smaller to medium sized businesses and even SOHOs. If this works well with VNC, then the worth of this product just went 100% in my book.
>
> Here are some example scenarios:
>
> - In the northern country where it snows, the finance gal gets snowed in or runs into a ditch (it's happened before) so she works from home. She needs to access some files from her work computer. (Her home computer is also a company laptop). She calls the IT dept and makes a request. The IT dept set her up to vnc into her machine from home and to drag over her files (thx hamachi).
> - A programmer codes both at home and at work. He does some sample coding at home late last night and then finds out tomorrow morning he needs that code. He vnc's in to his computer and drags the files over. (thx hamachi).
> - Engineers from a regional office are visiting headquarters. Their meeting is at 2pm, it's 10am now. What to do for 4 hours. They get on an extra workstation and vnc into their up north computer and review some of their revisions from yesterday. They decide to include the new ideas in their 2pm meeting. So they generate a pdf of their latest cad files. They drag the pdf over to the current workstation, and print it out. (thx hamachi)
>
> These are all scenarios our company has hit. And if I understand Hamachi right, the solution should be similar to what they are above in each example. If I don't understand Hamachi right, please tell me.
>
> Zach

--
Bob Hartung, Dir of I.T.
c\o Wisco Industries, Inc.
P. O. Box 10
736 Janesville St.
Oregon, WI 53575
Phone: (608) 835-3106 x215
Fax: (608) 835-9644
email: bhartung(at)wiscoind.com
RE: A simple, solid and stable P2P Bidirectional NAT Traversal technique for RealVNC users...
> What is your take on SHA1 being recently broken by Chinese researchers?

As far as I understand it, it's a little premature to say that it's been broken. The research hasn't been published formally as yet but those in the know suggest that it's a method of producing pairs of strings with a (relatively) high probability of a digest clash, rather than of producing a new string that clashes with an existing one.

Regards,

Wez @ RealVNC Ltd.
Re: A simple, solid and stable P2P Bidirectional NAT Traversal technique for RealVNC users...
Bob Hartung wrote:
> In only one of your examples is the IT department involved. It that case, they could have accomplished the same as Hamachi by temporarily opening some ports in the firewall and forwarding them to her work computer. Or they could have e-mailed her the files she needed. In all your other examples, they represent well-meaning individuals circumventing company security.

This depends on your security policy.

> As an administrator, I'd be worried about showing employees how to by-pass security because it's convenient to do so. Who's to control their access after that?

I think this is just blowing hot air. Is ftp circumventing security? The administrators can put rules and regulations on this type of functionality. All you're doing is providing them with a graphical way to interface another computer and transfer files, all in 1 to 2 steps. Admins can block ports, or open ports.

Too many IT departments get stuck in paradigm paralysis, where everything has to be one way. If it's not that one way, then red flags everywhere. For the most part this is for good reason, but I fail to see where this is bypassing security. The admins are the ones who control the ports. Who said the end user has the ability to configure port forwarding or the ability to create ssh tunnels? I didn't.

Zach
Re: A simple, solid and stable P2P Bidirectional NAT Traversal technique for RealVNC users...
Nick Kovats wrote:
> What is your take on SHA1 being recently broken by Chinese researchers?

My take would be like this - 'when I win a lottery I should no more be buying Bentleys with gold plated door handles, because they tend to get cold in a winter time'. I.e. it's not yet a problem worth worrying about. Besides, in network crypto SHA1 is not used by itself, it is normally used in conjunction with HMAC and they have yet to analyze if this collision attack can be extended to HMAC-SHA1.
Re: A simple, solid and stable P2P Bidirectional NAT Traversal technique for RealVNC users...
John:

Heya. I know you didn't ask me, but as I'm the guy behind the Kaboodle and KaboodleProxy stuff, I thought I'd toss in my two coppers as well.

When we started building the echoWare and echoServer stuff for Kaboodle, we initially looked at hole punching solutions such as what I believe Hamachi is doing (Alex, please correct me if I'm wrong). A really good discussion about hole punching is here:

http://www.brynosaurus.com/pub/net/p2pnat/

As that paper discusses in detail, hole-punching thru a NAT'ing router works...but not always. Their studies show it's effective for 82% of the NAT'ing routers tested (using UDP; for TCP it drops to 64%). The paper is a bit slanted, of course, because it's clear they *want* hole-punching to work.

To me (and I think to many of my company's customers), hole-punching looks a lot like session hijacking -- something a good, stateful firewall is specifically capable of preventing. That is, as far as I can tell, in the Hamachi system, the two clients send packets to the server, which will (presuming your firewall allows arbitrary traffic to flow to the server, rather than blocking all traffic which is not TCP to common service ports) open a return path in any NAT'ing router. The server then tells the two clients to, essentially, hijack that return path. A good, stateful firewall will see the arriving packets on that return path are *not* coming from where the return path originally sent them, and they will be blocked. A low-end NAT'ing router might not care about the discrepancy, and lets the packets in. If the timing all works out...the peer-to-peer connection becomes established, with strong encryption, and the server is out of the loop. Once that connection is established you can, very conveniently, run a tunneled VNC connection over it.

On the other hand...there is the echoServer approach. It is a traditional TCP Relay Server which connects echoWare clients together. Un-traditionally, we let the users run their own relay servers; that's the lowest-cost solution (ie, my company doesn't need to charge GoToMyWallet kind of prices to keep a server farm well maintained). It also appears to be the most appealing solution to professional remote support providers: they can run their own servers, and their customers need only relay their data thru them (whom they trust already). Minimum firewall hassle, minimum setup cost, maximum open-source -- which I do believe maximizes the overall security -- everyone's happy.

Currently, Kaboodle is the only echoWare-enabled application, but we're working to address that. Unfortunately, Kaboodle is in an unstable pre-1.0 release state, halfway thru a major GUI rework. Once it's stable and securely tunneling VNC connections again, with a minimum of firewall adjustments, I'll mention it here again.

Hope that helps! Alex, please do let me know if I mis-spoke at all about Hamachi's approach.

-Scott

> How is your app better than Kaboodle and their KaboodleProxy? They make the client source available and they even sell the proxy so you can run it on your own machine(s), which in my book, makes it a bit more trustworthy than having to trust someone else's machine. Granted the proxy is sold in binary-only form, but at least you can run it on your own machine and sniff what's going on.
>
> John
Re: A simple, solid and stable P2P Bidirectional NAT Traversal technique for RealVNC users...
Hey Scott,

Yes we do UDP hole punching, but the numbers given in the p2pnat paper are somewhat inaccurate. See my recent posts to p2p-hackers list for detailed statistics. To sum it up here - with around 2 unique IPs we saw so far we successfully mediated 97% of requested tunnels. Which in my opinion is pretty darn good :)

An issue of udp hole punching through symmetric firewalls is really not an issue at all. There are multiple ways around it, and all of them work like magic.

Alex
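Added example, not part of the original thread and not Hamachi or echoWare code: a toy Python model of the mediated hole punching discussed in the two messages above, using the RFC 4787 mapping and filtering terms to show which NAT policies let the direct path open and which block it. The addresses, port, profile names and function names are constructed for illustration.

```python
"""Toy model of mediated UDP hole punching between two NAT devices."""
from dataclasses import dataclass, field

# RFC 4787 terms. Mapping decides which external port an outbound flow gets;
# filtering decides which remote endpoints may send back in through that port.
EI = "endpoint-independent"
APD = "address-and-port-dependent"

# Constructed values: documentation-range addresses and an arbitrary port.
SERVER = ("198.51.100.1", 9000)
PROFILES = {                       # name -> (mapping, filtering)
    "full-cone": (EI, EI),
    "port-restricted": (EI, APD),
    "symmetric": (APD, APD),
}


@dataclass
class Nat:
    public_ip: str
    mapping: str = EI
    filtering: str = APD
    egress_udp: bool = True        # False: site policy drops outbound UDP
    next_port: int = 40000
    ports: dict = field(default_factory=dict)    # mapping key -> external port
    sent_to: dict = field(default_factory=dict)  # external port -> remotes contacted

    def outbound(self, src, dst):
        """Translate an outgoing datagram; return its external source, or None."""
        if not self.egress_udp:
            return None
        key = src if self.mapping == EI else (src, dst)
        if key not in self.ports:
            self.ports[key] = self.next_port
            self.next_port += 1
        port = self.ports[key]
        self.sent_to.setdefault(port, set()).add(dst)
        return (self.public_ip, port)

    def inbound(self, remote, port):
        """True if a datagram from `remote` to external `port` is admitted."""
        if port not in self.sent_to:
            return False           # no inside host ever opened this port
        return self.filtering == EI or remote in self.sent_to[port]


def hole_punch(nat_a, nat_b, rounds=3):
    """Return True if both peers end up receiving the other's datagrams."""
    a_host, b_host = ("10.0.0.2", 5000), ("192.168.1.2", 5000)
    # Step 1: both clients contact the mediation server, which records the
    # external endpoint each one appears to come from.
    a_seen = nat_a.outbound(a_host, SERVER)
    b_seen = nat_b.outbound(b_host, SERVER)
    if a_seen is None or b_seen is None:
        return False               # a client never reached the server
    # Step 2: the server tells each client the other's recorded endpoint.
    a_target, b_target = b_seen, a_seen
    a_heard = b_heard = False
    # Step 3: both clients send to each other; the server is no longer involved.
    for _ in range(rounds):
        src = nat_a.outbound(a_host, a_target)
        if nat_b.inbound(src, a_target[1]):
            b_heard, b_target = True, src   # B answers the source it observed
        src = nat_b.outbound(b_host, b_target)
        if nat_a.inbound(src, b_target[1]):
            a_heard, a_target = True, src
    return a_heard and b_heard


def try_pair(kind_a, kind_b, egress_a=True):
    """Run one attempt between two freshly created NATs of the named profiles."""
    nat_a = Nat("203.0.113.10", *PROFILES[kind_a], egress_udp=egress_a)
    nat_b = Nat("203.0.113.20", *PROFILES[kind_b])
    return hole_punch(nat_a, nat_b)


if __name__ == "__main__":
    kinds = list(PROFILES)
    for a in kinds:
        for b in kinds:
            print(f"{a:16} <-> {b:16} direct path: {try_pair(a, b)}")
    print("outbound UDP blocked at site A:", try_pair("full-cone", "full-cone", False))
```

Among the profiles modelled here, the direct path fails when a symmetric NAT faces another symmetric or a port-restricted NAT, and whenever outbound UDP is dropped at the site edge, which is the control an administrator holds.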
RE: A simple, solid and stable P2P Bidirectional NAT Traversal technique for RealVNC users...
I looked at Hamachi after a mention of it on this list yesterday, and while it seems pretty cool, I have to ask:

Am I the only one who has at least a slight distrust of using a mediation server in the middle of a secure connection?

Maybe I just don't get it, or I do and am overly paranoid, but this seems to invite snooping, man in the middle attacks, etc... What level of trust do I need to place on servers I have no control over?

Kevin

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nick Kovats
Sent: Monday, February 28, 2005 6:33 PM
To: vnc-list@realvnc.com
Subject: A simple, solid and stable P2P Bidirectional NAT Traversal technique for RealVNC users...

For the typical users of RealVNC, the prevailing desire seems to be remote connectivity through home routers, corporate firewalls, etc. but the average user may be thwarted by diverse implementations of the dreaded Network Address Translations (NAT's). Well, NAT has its uses but hey...I just wanna check in with my home PC! The following workaround will blow RealVNC users away with its operational simplicity.

It's called Hamachi, it can be found at http://hamachi.cc and displays some brilliant Canuck software engineering. Technically it's a P2P bidirectional NAT traversal solution with 3 levels of security, i.e.

- DH group - 2048-bit MODP group from RFC 3526 (http://ietf.org/rfc/rfc3526)
- Message encryption - AES-256-CBC using ESP-style (http://ietf.org/rfc/rfc2406) padding
- Message authentication - 96-bit version (http://ietf.org/rfc/rfc2404) of HMAC-SHA1 (http://ietf.org/rfc/rfc2104)

It creates a virtual network adapter on your PC, issues Hamachi virtual IP addresses, i.e. 5.0.23.43 and speaks Hamachi protocol. It's not a true P2P implementation, i.e. it uses mediation servers to help connect the peers. But if you can operate a mouse, you can install and run Hamachi. It's free and about to become very popular. :) And it literally does punch right through most NAT's.

In fact as I type this my Hamachi virtual adapter on my work PC has a solid connection with my home PC. I have inserted the Hamachi issued IP into my RealVNC viewer and, voila...there is my desktop. Remember to install Hamachi on every Windows PC you wish to connect to ...in fact you can easily create multiple and distinct Hamachi networks each with their own unique password access.

I work for a significantly sized NOC with multiple levels of firewalls, IDS and IPS. Its increasing popularity may soon have security personnel frantically rewriting firewall app filter rules but hey...now's the time to try it out.

Bottom Line: Install Hamachi on your remote and local PCs. Create a network name and common network password. Add trusted users by Hamachi IP or by nickname. You can also evict them...in Hamachi parlance. You now can enjoy an encrypted, operational and free virtual private network (VPN) that you can start tunneling your favorite applications right through, i.e. RealVNC.

Have fun
NK in Toronto
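Added example, not from the original thread and not Hamachi's code: the 96-bit HMAC-SHA1 tag and ESP-style padding named in the original post above, which is also the keyed construction the earlier SHA1 reply refers to, written with the Python standard library. The packet layout (sequence number, padded payload, tag), the key and the sample payload are constructed assumptions, and the AES-256-CBC step is left out because the standard library has no AES.

```python
"""ESP-style trailer padding (RFC 2406) and a 96-bit HMAC-SHA1 tag (RFC 2404)."""
import hashlib
import hmac

BLOCK = 16      # AES block size in bytes
ICV_LEN = 12    # 96 bits: HMAC-SHA1 output truncated as in RFC 2404


def esp_pad(payload: bytes, next_header: int = 4) -> bytes:
    """Append pad bytes 1,2,3,..., then the pad length and next-header bytes."""
    pad_len = -(len(payload) + 2) % BLOCK
    return payload + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])


def esp_unpad(padded: bytes) -> bytes:
    """Validate and strip the trailer; raise ValueError if it is malformed."""
    if len(padded) < 2 or len(padded) % BLOCK:
        raise ValueError("length is not a whole number of blocks")
    pad_len = padded[-2]
    body_end = len(padded) - 2 - pad_len
    if body_end < 0 or padded[body_end:-2] != bytes(range(1, pad_len + 1)):
        raise ValueError("malformed padding")
    return padded[:body_end]


def icv(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA1 over `data`, truncated to the first 96 bits."""
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def seal(key: bytes, seq: int, payload: bytes) -> bytes:
    """Build seq || padded payload || ICV (assumed layout, no encryption)."""
    data = seq.to_bytes(4, "big") + esp_pad(payload)
    return data + icv(key, data)


def unseal(key: bytes, packet: bytes):
    """Check the ICV first, then parse; return (seq, payload) or raise ValueError."""
    if len(packet) < 4 + BLOCK + ICV_LEN:
        raise ValueError("packet too short")
    data, tag = packet[:-ICV_LEN], packet[-ICV_LEN:]
    if not hmac.compare_digest(tag, icv(key, data)):   # constant-time compare
        raise ValueError("ICV mismatch")
    return int.from_bytes(data[:4], "big"), esp_unpad(data[4:])


def rejected(key: bytes, packet: bytes) -> bool:
    """True if unseal() refuses the packet."""
    try:
        unseal(key, packet)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    key = bytes(range(20))                     # constructed 160-bit key
    packet = seal(key, 7, b"RFB 003.008\n")    # constructed sample payload
    print("accepted:", unseal(key, packet))
    flipped = bytearray(packet)
    flipped[5] ^= 0x01                         # one bit changed in transit
    print("tampered packet rejected:", rejected(key, bytes(flipped)))
    print("wrong key rejected:", rejected(b"\x00" * 20, packet))
```

The tag is checked before the padding is parsed, so a modified packet is dropped without its trailer ever being interpreted.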
Re: A simple, solid and stable P2P Bidirectional NAT Traversal technique for RealVNC users...
I have to wonder what the motivation is for a company offering a service like this for free...

As a network administrator, I don't like an application that by-passes firewalls and server-based virus scanning. They are there for a reason, regardless whether you want to check your home PC or not.

--
Bob Hartung, Dir of I.T.
c\o Wisco Industries, Inc.
P. O. Box 10
736 Janesville St.
Oregon, WI 53575
Phone: (608) 835-3106 x215
Fax: (608) 835-9644
email: bhartung(at)wiscoind.com
RE: A simple, solid and stable P2P Bidirectional NAT Traversal technique for RealVNC users...
Agreed, this type of a program makes you sit back and wonder, why?

If programs like these are freewheeling around, what is even the point of having a firewall, also what is there to prevent them giving total access to outsiders, even without knowing?

-Paul Haskew
Re: A simple, solid and stable P2P Bidirectional NAT Traversal technique for RealVNC users...
On Tuesday 01 March 2005 18:39, Collins, Kevin (MindWorks) wrote:
> I looked at Hamachi after a mention of it on this list yesterday, and while it seems pretty cool, I have to ask:
>
> Am I the only one who has at least a slight distrust of using a mediation server in the middle of a secure connection?
>
> Maybe I just don't get it, or I do and am overly paranoid, but this seems to invite snooping, man in the middle attacks, etc... What level of trust do I need to place on servers I have no control over?
>
> Kevin

I agree 100%. If they had offered the source, so that we can look at it, and so we could set up our own servers as mediators, then maybe... Otherwise I'd feel extremely uneasy about the whole thing...

Jerry
Re: A simple, solid and stable P2P Bidirectional NAT Traversal technique for RealVNC users...
I am principal designer and developer of Hamachi. I got a few hits from this mailing list, checked out the comments and since we don't have much information on the website I thought I'd offer some answers here. Since I just joined the list I don't have original emails, so here's a summary with my comments in it -

> Am I the only one who has at least a slight distrust of using a mediation server in the middle of a secure connection?

Mediation server is NOT in the middle of the connection. All it does is allow clients to locate their peers and learn their external (routable) IP/port numbers. The clients then hook up on their own and the rest of the traffic flows directly between them. See my next comment regarding security of the connection.

> Maybe I just don't get it, or I do and am overly paranoid, but this seems to invite snooping, man in the middle attacks, etc... What level of trust do I need to place on servers I have no control over?

Have a look at Security page on H website. This should take care of your m-n-m worries. I come from a network security background and take security architecture very seriously. If you can find an exploitable flaw in it, I'd be very happy to hear about it.

I'll assume that by 'snooping' you mean our client software doing something nasty on your machine and pushing the results back to the servers. Well, you will have to have the same amount of trust in H you have in any other application distributed in binary form. This includes, btw, pre-built open-source packages. In fact, you cannot even trust applications that you compile yourself unless you go and inspect the entire codebase line by line. So the 'level' is clearly subjective and based on your risk tolerance.

> I have to wonder what the motivation is for a company offering a service like this for free...

A few reasons. First - it doesn't cost much to maintain. We don't relay traffic, so bandwidth requirements are fairly low. Second - there is a demand for this kind of application and offering basic services for free is a common approach for building a customer base.

> Agreed, this type of a program makes you sit back and wonder, why?

Well, you are most certainly entitled to this. However, I would suggest to take your tinfoil hat off :) and have another look at the application.

> If programs like these are freewheeling around, what is even the point of having a firewall, also what is there to prevent them giving total access to outsiders, even without knowing?

Trusted outsiders. This makes a world of difference.

> If they had offered the source, so that we can look at it, and so we could set up our own servers as mediators, then maybe... Otherwise I'd feel extremely uneasy about the whole thing...

I am a big proponent of Open Source - you can look me up on sf.net and freshmeat, but in this particular case opening the source up gives us very little benefit, but does take quite a bit of an advantage away.

However we plan to do something better than opening the sources - we are going to open cli-srv protocol after the first production release. If you don't trust our client implementation for some reason - feel free to build your own. In case you wonder how it is better, opening protocol spec means making a commitment to maintaining it, while opening sources merely says 'here, look how _current_ version is implemented'.
RE: A simple, solid and stable P2P Bidirectional NAT Traversal technique for RealVNC users...
While I am glad to see the main designer/developer here, I do not wear tin foil hats. :P I am just a concerned IT Admin, who will at one point have to make a decision about this program.

Also, about trusted outsiders, I am not worried about me setting up trusted persons. I am worried about those who have computer access, a little knowledge, and try to set this up and allow someone incorrect access. Thus compromising what is currently in place without realizing it.

Don't get me wrong, I am all for making things as simple as possible for end users. Also, this is a wonderful idea, I am just hoping that certain safeguards or means of prevention will also be made avail with the product.

-Paul
Re: A simple, solid and stable P2P Bidirectional NAT Traversal technique for RealVNC users...
Paul Haskew wrote:
> While I am glad to see the main designer/developer here, I do not wear tin foil hats. :P I am just a concerned IT Admin, who will at one point have to make a decision about this program.

TCP/11975 ;-)

> Also, about trusted outsiders, I am not worried about me setting up trusted persons. I am worried about those who have computer access, a little knowledge, and try to set this up and allow someone incorrect access. Thus compromising what is currently in place without realizing it.
>
> Don't get me wrong, I am all for making things as simple as possible for end users. Also, this is a wonderful idea, I am just hoping that certain safeguards or means of prevention will also be made avail with the product.

Agreed. It is very hard to find the balance so that 'tolerant to accidental misuse' wouldn't become 'unusable out of the box'. I am not a sys admin, so any suggestions as to what these safeguards should be are really welcomed.