Bjorn:

        Heya. Some comments to your comments:

> If I wanted to sniff other people's VNC traffic i'd first try to find
> an existing program to do this. If I couldn't find one I would:
>
> 1: use one of the existing programs that can intercept TCP sessions.
> Maybe I'd have to teach it how to recognize the RFB protocol. That's no
> big problem.

        A company I used to work at was founded by this guy who
was world-class in coming up with setups such as "if you could do
this one impossible thing, you could make a *ton* of money". :)
Perhaps it's both a great way for entrepreneurs to think of their
next company *and* for security-paranoid people to consider their
networks.
        Which is to say...hijacking an arbitrary TCP connection
off of the Internet is galactically difficult. As I said in my post,
though, stealing packets off of a local network (or capturing a
local keyboard) is trivial, even if the data was encrypted across
the Internet with 256-bit AES.

> On the Internet, either you have encryption, or you have *no* security.

        See, I'm worried that this is misleading. Because even with
encryption, you can still be left with no security. I mean, what's
the point of 256-bit AES securing my VNC connection if my VNC server
has no AuthHosts setting, its password is just "password", and the
RPC vulnerability CERT announced last month hasn't been patched on my
server yet? Or as Cheswick and Bellovin put it in _Firewalls and
Internet Security_:

        "But encryption is useless if you cannot trust one of the
endpoints. Indeed, it can be worse than useless: the untrusted
endpoint must be provided with your key, thus compromising it."

> > But it might not be a matter of time because it's so much work for
> > so little gain?
>
> How little gain exactly? Your company's trade secrets? The administrator
> passwords to all your servers? All the money in your bank account?

        A good rule of thumb here is that you should spend at least
as much time protecting your network assets as the Black Hats would
spend trying to steal them, and at least as much money as the assets
are worth. Part of that solution *of course* involves good encryption.
But IMO, encryption is a little like recycling: on its own, it's pretty
useless and pretty easy to delude yourself with. Nevertheless, it's
also a necessary part of a much larger, much more effective, overall
policy.

cheers,
Scott
_______________________________________________
VNC-List mailing list