So, Jack.  Now that you pointed that one out, does your PUBLICLY posting
Tom's IP info make him now more vulnerable to attack?  Sure, it was public
before, but you now took out your yellow highlighter and pointed it out for
everybody.

And if we can't use VNC to do just exactly what Tom did, I suspect that you
will probably end up with 80% of the people who USE VNC no longer using it
for anything.  I suspect that MOST people who download VNC did it for
exactly the same reason that I did.  I needed a simple, easy to use method
of accessing my home PC from work and vice-versa.  I don't have the time, or
resources to set up a full VPN system as many suggested.  I was tickled pink
to just get THIS much to use!

You also suggest a direct mail back directly to you, and not the list.  Then
why did you post to the LIST?

1)  VNC is doing exactly what I want and how I want.

2)  I am not a security "expert", but I'm not an idiot.  I do take some
basic precautions, but NOTHING is 100% secure.

3)  This security thing to ME seems to be getting a bit more "interest" than
one might expect -- especially considering there have not been many
objecting posts, just a lot of supporting posts from unusually fanatic
people about this VERY specific problem for some reason.  My point?  A post
simply pointing out what is already implied and mentioned in the docs and
faqs that "Don't forget, you aren't really secure" might have been very
appropriate.  The posts here have been unusually detailed for some odd
reason.  Either someone is out to make this whole VNC thing difficult for
somebody, or there are "somebodys" who are trying to prove that they are
smarter than us -- compensation problems?

In the 2 weeks I have been here, I have enjoyed the conversation, the
assistance I have received, and even have had fun tearing my hair out trying
to figure out what the heck is up with Tom K's computer why he can't
connect.  But this stuff can make lists like this NOT FUN and NOT
PRODUCTIVE.

I GET YOUR POINT, ALL OF YOU.  IT'S NOT SECURE.  NOW GO AWAY AND LET US GO
BACK TO SOLVING REAL PROBLEMS THAT REAL PEOPLE HAVE.

JP


----- Original Message ----- 
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, February 24, 2004 9:39 PM
Subject: Security Was: Yay, for the first time, vince is working for me.


> > Well, not exactly the first time, but the first time for me outside of my home
> > network. I'm writing this email on a virtual desktop of my computer from one
> > of my night classes at school.
> <snip>
>
> Tom, sorry for using you as an example.  You just highlighted the
> simplest attack vector on this list.  I am glad you could, but you
> have not been listening to the security debate.
>
> Most of you think that posting / not posting your address makes you
> safer.
>
> Tom posted from his home machine via VNC.  What he, or most of you,
> do not know or remember is that IP addresses are in your mail headers.
> That's right, Tom posted to this list, his home machine's IP in the
> clear.  Here is the line from his header:
>
> Received: from tg37kgri0gejws [65.31.160.95] by gp32us.com with ESMTP
> (SMTPD32-8.03) id A52B51B200D8; Tue, 24 Feb 2004 19:06:51 -0600
>
> Tom, please check your logs, if you have them active, you should find
> a single connect from my address 66.61.28.251 to your VNC server, and
> your server offered to me "a log-in".  I did not log-in nor try, but
> to demonstrate how easy from these PUBLIC lists it is to get the
> information needed.   Note: this is no different than connecting via
> http to port 80 of a secured server.  But there, at least it asks
> for two pieces of information user and password.
>
> Each member that posts to this list, gives away this kind of
> information, every time.
>
> VNC security model is NOT built for direct connection to the
> internet.  It does not reject nor shut down after repeated failed log-ins.
> Since this list is about VNC, it means a simple guess which single
> port to try. A bot could be written to keep trying to connect and
> guess passwords for IP addresses that are presented on this list, it is
> easier since no user or other security object is needed.  Earlier
> today, I wrote about my own daughter, under subject: LOGO, figured
> out my password partially by trial and error.
>
> Please, all, start thinking about some basic security.  Remember
> braces and belts, make really sure you do not lose your pants
> (except by gambling).
>
> I know I will be flamed over this.  If you must, please send it
> directly to me.  It will save the list a lot of headaches.
>
> jackb
> _______________________________________________
> VNC-List mailing list
> [EMAIL PROTECTED]
> To remove yourself from the list visit:
> http://www.realvnc.com/mailman/listinfo/vnc-list
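The header disclosure described in the quoted message, as an added example that is not part of either post: a self-audit that lists the address literals a message's Received headers carry, so a poster can see what their own mail reveals before sending to a public list. The function name and the sample message are assumptions; only the second Received header is the line quoted in the thread.

```python
import email
import ipaddress
import re
from email import policy

# Constructed sample. Only the second Received header is the line quoted in
# the thread; the first hop, its address and the other headers are made up.
SAMPLE = """\
Received: from mailgw [10.0.0.5] by lists.example.org with ESMTP;
 Tue, 24 Feb 2004 19:07:02 -0600
Received: from tg37kgri0gejws [65.31.160.95] by gp32us.com with ESMTP
 (SMTPD32-8.03) id A52B51B200D8; Tue, 24 Feb 2004 19:06:51 -0600
From: poster@example.org
To: list@example.org
Subject: constructed test message

posted from a remote desktop session
"""

BRACKETED = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")
HOSTS = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.S)

def disclosed_addresses(raw_message):
    """Return one record per address literal found in the Received headers."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    records = []
    for hop, header in enumerate(msg.get_all("Received", [])):
        text = " ".join(str(header).split())  # collapse folded lines
        hosts = HOSTS.search(text)
        for literal in BRACKETED.findall(text):
            try:
                addr = ipaddress.ip_address(literal)
            except ValueError:
                continue  # bracketed text that is not an address
            records.append({
                "hop": hop,  # 0 is the header that was added last
                "from": hosts.group(1) if hosts else None,
                "by": hosts.group(2) if hosts else None,
                "ip": str(addr),
                "public": addr.is_global,  # False for RFC 1918, loopback, etc.
            })
    return records

if __name__ == "__main__":
    for rec in disclosed_addresses(SAMPLE):
        scope = "internet-routable" if rec["public"] else "not routable"
        print(f'hop {rec["hop"]}: {rec["from"]} [{rec["ip"]}] via {rec["by"]} ({scope})')
```

A record with "public" set to True is an address any list subscriber can read from the message source, which is the case for putting a remote-access service behind a tunnel or address filter rather than exposing its port directly.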