Re: Some bad and unfortunate news

I agree with Livrobo on this. There is no reason to uninstall NVDA Remote simply because you now know how easy it is to use it to get personal information. Especially with the information about it which we now have. From what I understand, you are at greater risk if you have auto-connect on, and less risk if you don't. Auto-connect should never be used as a convenience, and that does not just apply to Remote, but anything that allows for potentially dangerous operations to be carried out. You should only use auto-connect if you know the connection will be lost temporarily and you need to restore it while the two computers are miles apart. The best example is if you need to restart the computer you are remoting into.
The way to protect yourself is to be proactive with your own personal and computer security! Use antimalware if and when you need, and be careful of where you browse and who is allowed access to what.
If a hacker catches your NVDA Remote key because it is sending the key to a server which a hacker can easily trace every time you connect, then that is a problem... the hacker could theoretically get all keys that server hosts. That is indeed not safe and the user can do little to stop it without taking what I would call overly drastic measures. But I've heard no evidence of that happening yet. We can't live in the constant fear of being the first one, however. Life isn't enjoyable that way. Besides, if a hacker is determined enough, he can find a way to exploit almost anything. NVDA Remote is just an easy target due to its open source license, but it is an unlikely one.
By using the software, you are expected to know what you are getting into. Most people don't, however. And I admit I never read licenses or try to understand them. But, as much as I hate to say it, those licenses are there for a reason. The most important one is for protection, so that if something does happen, you can't blame the developer for not warning you of such possibilities. I know nobody reads a lot of that stuff, but it is there. Many license agreements do state at the bottom that the developer will not be responsible for damages as a result of misuse of the product. I'm not sure if NVDA Remote comes with that sort of disclaimer. Regardless, "open source" should automatically tell you things. If you are not knowledgeable in terms like "open source," then I am explaining it to you now. Open source is never as secure as something that is closed source, because all the code is exposed. That means any security measures introduced have to have their code exposed as well, and that means any hacker could just read what the code does and apply opposite logic. The encryption could be done in such a way as to make reverse logic difficult... but because the logic is exposed, it is much easier to take advantage of no matter what you do, unless you make the program closed source.
One thing I will say is that so far as I can tell, there is no emergency way to force quit the connection on both sides to save yourself, especially if you have auto-connect on for the machine that you believe is in danger. If you have auto-connect off, you can restart NVDA and disconnect your session quickly by pressing alt control N to force restart NVDA on the side you think is in trouble, or on both sides to be safe. That only works if your desktop shortcut key is intact and operational. Alternatively you can do a quick Insert Q followed by Enter on both sides to stop the damage, but if you have auto-connect on, you will risk further damage when you restart NVDA. In this case, you may have to use Narrator or a backup screen reader to modify the NVDA configuration files to disable auto-connect, or outright delete the remote add-on. We could argue that a more professional solution would be able to work with this shortcoming and allow easier recovery from this trap, but that is for another day. At the end of it all, it is not hard to be mindful of when you use auto-connect. If using it is really such a concern, then avoiding trouble is pretty easy.
As much as the lack of interest in security by the developers may strike you as "insensitive to user's feedback," we have to accept that the decisions made by the NVDA Remote devs are not ours. However, you could hypothetically improve the add-on. If you can't, someone else can. If you really don't trust your security with Remote, it is not a free open source project's responsibility to accommodate for you.
Should the developers make it more secure? Sure! I am all for that. But that would likely mean making the add-on closed source. This complicates things, though is certainly possible. Look at Vocalizer. The synth is not open source, but the infrastructure that allows text to be sent to it is. That's why you still have to pay for the synth. If the developers decide to go that route, great! But they are not obligated to. I strongly encourage it, it would make all of our lives better, but nobody can make them do it. If you want to take that on, go ahead. Make it better for all of us. But accusing the developers of inherent laziness helps nobody. The devs have said they will not concern themselves with such things now. We just need to deal with it and respect that decision. You do not have to use it if their philosophy causes you discomfort. But they are not causing us harm. No matter how their lack of interest may have been stated, no matter how unprofessional or unthoughtful the developer seems to be, they are not putting malware on our computers, or hoping we will all get hacked. Those people who refer to this insecure add-on as malware, or state the developers only care about themselves, or whatever else, are being unprofessional and unthoughtful themselves. No, your blunt words will not beat the developers into submission. No, you cannot stop a developer from being a jerk by shooting your fury at him. That will only start a fight. It's not worth it! If you are not in support of the developer, either be cordial or be gone.
Decisions should not be based on rants fueled by rage shouting about all the weaknesses. They should not be fueled by people who do not know much about what they are talking about and are easily persuaded. They should instead be fueled by a rational, honest description of what the program can and cannot do effectively. You don't have to verify facts a million times to make sure you got them straight, but you at least have to try to sort out what you will believe most. Word delivery can often help with that. If this were some other commercial solution which lacked encryption of a connection key, then things could be different. After all, commercial software is held at a higher standard, so at least some form of security in a program of this potential power is considered necessary by many people if they are going to pay for it. I use NVDA Remote, despite its insecurities. That doesn't mean you have to use it. I am not scared of a hacker attack, as I try to be careful of what specific things I share, and who I share them with. I have not received some random attack from some random hacker who knew nothing about me. I do not use any security software with realtime protection these days, as I've found I don't need it. I would have regrets if I suddenly woke up tomorrow and found my computer completely void of my personal or important files, or inoperable due to a virus. I would regret not having more security interventions in place. I would have even more regrets if I unknowingly sent an infected file to someone else, and would do my best, with my limited knowledge, to help them repair the damage. But those things can happen to the best of us. I would not instantly blame Remote, or Skype, or Dropbox, for acting as a liaison. With Remote I would be a little more cautious, in fact I have only allowed 2 machines to remote into my laptop thus far, one of them being my desktop, so that doesn't count! The key word is allow... don't allow anyone unnecessary access!
For my needs, the pros of NVDA Remote outweigh the cons. You may be the type of person who doesn't like to take any chances. In that case, I would tell you NVDA Remote is not for you, but the chances you are taking are not as severe as you may think if you just be mindful of its weaknesses. But no matter what you do, nobody has license to force their decision down your throat. I am honestly reaching my breaking point with how many times I read rants from people who clearly are on edge trying to convince everyone that they are right. It's that strong rage or fear, which hasn't been given proper time to settle and rationalize, that makes it difficult to deduce the truth from misinformation. It scares us into not trusting anyone. That is far different from gently encouraging you to be careful with who you play ball with. I could be wrong in much of what I have said above, but I will at least know my own personal conclusions are made confidently and with comfort, so I likely won't regret what I've said in a burst of fury. That, I think, has extreme importance.
