> Well, not exactly the first time, but the first time for me outside of my home
> network. I'm writing this email on a virtual desktop of my computer from one
> of my night classes at school.
<snip>
Tom, sorry for using you as an example. You just highlighted the
simplest attack vector on this list. I am glad you could, but you
have not been listening to the security debate.
Most of you think that posting / not posting your address makes you
safer.
Tom posted from his home machine via VNC. What he, or most of you,
do not know or remember is that IP addresses are in your mail headers.
That's right, Tom posted to this list, his home machine's IP in the
clear. Here is the line from his header:
Received: from tg37kgri0gejws [65.31.160.95] by gp32us.com with ESMTP
(SMTPD32-8.03) id A52B51B200D8; Tue, 24 Feb 2004 19:06:51 -0600
Tom, please check your logs; if you have them active, you should find
a single connect from my address 66.61.28.251 to your VNC server, and
your server offered to me "a log-in". I did not log in nor try, but
to demonstrate how easy from these PUBLIC lists it is to get the
information needed. Note: this is no different than connecting via
http to port 80 of a secured server. But there, it at least asks
for two pieces of information, user and password.
Each member that posts to this list, gives away this kind of
information, every time.
VNC security model is NOT built for direct connection to the
internet. It does not reject nor shut down after repeated failed log-ins.
Since this list is about VNC, it means a simple guess which single
port to try. A bot could be written to keep trying to connect and
guess passwords for IP addresses that are presented on this list; it is
easier since no user or other security object is needed. Earlier
today, I wrote about my own daughter, under subject: LOGO, who figured
out my password partially by trial and error.
Please, all, start thinking about some basic security. Remember
braces and belts, make really sure you do not lose your pants
(except by gambling).
I know I will be flamed over this. If you must, please send it
directly to me. It will save the list a lot of headaches.
jackb
_______________________________________________
VNC-List mailing list
To remove yourself from the list visit:
http://www.realvnc.com/mailman/listinfo/vnc-list
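
An added example, not part of the original message: a self-audit a poster can run on a saved copy of their own outgoing mail to see which addresses its Received headers disclose. The first Received line in the sample is the one quoted in the post; the second hop, the From address, and the function names are constructed for illustration.

```python
import email
import ipaddress
import re

# Constructed sample message. Only the first Received header comes from the post.
SAMPLE = """\
Received: from tg37kgri0gejws [65.31.160.95] by gp32us.com with ESMTP
 (SMTPD32-8.03) id A52B51B200D8; Tue, 24 Feb 2004 19:06:51 -0600
Received: from localhost [127.0.0.1] by tg37kgri0gejws with SMTP;
 Tue, 24 Feb 2004 19:06:50 -0600
From: poster@example.org
Subject: constructed test message

body
"""

# IPv4 literal wrapped in [] or (), the two forms MTAs commonly write.
IP_RE = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")


def exposed_addresses(raw_message):
    """Return (hop_index, ip, is_public) for each IPv4 literal in Received headers."""
    msg = email.message_from_string(raw_message)
    findings = []
    for hop, value in enumerate(msg.get_all("Received", [])):
        unfolded = " ".join(value.split())  # undo header line folding
        for literal in IP_RE.findall(unfolded):
            try:
                addr = ipaddress.ip_address(literal)
            except ValueError:
                continue  # looked like an address but is not one (e.g. 999.1.1.1)
            findings.append((hop, str(addr), addr.is_global))
    return findings


def public_exposures(raw_message):
    """Only the publicly routable addresses, i.e. the ones worth worrying about."""
    return [ip for _, ip, is_public in exposed_addresses(raw_message) if is_public]


if __name__ == "__main__":
    for hop, ip, is_public in exposed_addresses(SAMPLE):
        label = "PUBLIC" if is_public else "private/loopback"
        print(f"hop {hop}: {ip} ({label})")
```

Any address reported as public is visible to every list subscriber and archive reader, so a service listening on it needs protection of its own (firewalling, or tunnelling VNC rather than exposing it directly).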