Bjorn: Heya. Some comments to your comments:
> If I wanted to sniff other people's VNC traffic i'd first try to find > an existing program to do this. If I couldn't find one I would: > > 1: use one of the existing programs that can intercept TCP sessions. > Maybe I'd have to teach it how to recognize the RFB protocol. That's no > big problem. A company I used to work at was founded by this guy who was world-class in coming up with setups such as "if you could do this one impossible thing, you could make a *ton* of money". :) Perhaps it's both a great way for entrepreneurs to think of their next company *and* for security-paranoid people to consider their networks. Which is to say...hijacking an arbitrary TCP connection off of the Internet is galatically difficult. As I said in my post, though, stealing packets off of a local network (or capturing a local keyboard) is trivial, even if the data was encrypted across the Internet with 256-bit AES. > On the Internet, either you have encryption, or you have *no* security. See, I'm worried that this is misleading. Because even with encryption, you can still be left with no security. I mean, what's the point of 256-bit AES securing my VNC connection if my VNC server has no AuthHosts setting, its password is just "password", and the RPC vulnerability CERT announced last month hasn't been patched on my server yet? Or as Chesnick and Bellovin put it in _Firewalls and Internet Security_: "But encryption is useless if you cannot trust one of the endpoints. Indeed, it can be worse than useless: the untrusted endpoint must be provided with your key, this compromising it." > > But it might not be a matter of time because it's so much work for > > so little gain? > > How little gain exactly? Your company's trade secrets? The administrator > passwords to all your servers? All the money in your bank account? A good rule of thumb here is that you should spend at least as much time protecting your network assets as the Black Hats would spend trying to steal them, and at least as much money as the assets are worth. Part of that solution *of course* involves good encryption. But IMO, encryption is a little like recycling: on its own, it's pretty useless and pretty easy to delude yourself with. Nevertheless, it's also a necessary part of a much larger, much more effective, overall policy. cheers, Scott _______________________________________________ VNC-List mailing list [EMAIL PROTECTED] To remove yourself from the list visit: http://www.realvnc.com/mailman/listinfo/vnc-list