----- Original Message -----
From: "Tom Lemcke" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, February 24, 2004 9:48 PM
Subject: Re: Security Was: Yay, for the first time, vince is working for me.

> Well, some of the security you mentioned kind of is on the mailing list
> side. I've seen mailing lists using anonymous SMTP IP server, instead of
> forwarding a message through a list of email recipients. The other thing is
> that it seems most of us use a home email account for the mailing list, instead
> of some kind of mobile emailing list. The other thing is that I hope most of
> us use a unique/complicated enough PW for our vince servers. I know mine is
> quite unique to me.
>
> Another thing with the security of the mailing list is that people could
> just be subscribed to this mailing list and contributing to the list. So now
> I just brought up some trust issues we have in this mailing list.
>
>
> Though, decent points you did bring up, I guess.
> ----- Original Message -----
> From: <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Tuesday, February 24, 2004 8:39 PM
> Subject: Security Was: Yay, for the first time, vince is working for me.
>
>
> > > Well, not exactly the first time, but the first time for me outside of my home
> > > network. I'm writing this email on a virtual desktop of my computer from one
> > > of my night classes at school.
> > <snip>
> >
> > Tom, sorry for using you as an example. You just highlighted the
> > simplest attack vector on this list. I am glad you could, but you
> > have not been listening to the security debate.
> >
> > Most of you think that posting / not posting your address makes you
> > safer.
> >
> > Tom posted from his home machine via VNC. What he, or most of you,
> > do not know or remember is that IP addresses are in your mail headers.
> > That's right, Tom posted to this list, his home machine's IP in the
> > clear. Here is the line from his header:
> >
> > Received: from tg37kgri0gejws [65.31.160.95] by gp32us.com with ESMTP
> > (SMTPD32-8.03) id A52B51B200D8; Tue, 24 Feb 2004 19:06:51 -0600
> >
> > Tom, please check your logs, if you have them active, you should find
> > a single connect from my address 66.61.28.251 to your VNC server, and
> > your server offered to me "a log-in". I did not log-in nor try, but
> > to demonstrate how easy from these PUBLIC lists it is to get the
> > information needed. Note: this is no different than connecting via
> > http to port 80 of a secured server. But there, at least it asks
> > for two pieces of information, user and password.
> >
> > Each member that posts to this list, gives away this kind of
> > information, every time.
> >
> > VNC security model is NOT built for direct connection to the
> > internet. It does not reject nor shutdown after repeated failed log-ins.
> > Since this list is about VNC, it means a simple guess which single
> > port to try. A bot could be written to keep trying to connect and
> > guess passwords for IP addresses that are presented on this list, it is
> > easier since no user or other security object is needed. Earlier
> > today, I wrote about my own daughter, under subject: LOGO, figured
> > out my password partially by trial and error.
> >
> > Please, all, start thinking about some basic security. Remember
> > braces and belts, make really sure you do not lose your pants
> > (except by gambling).
> >
> > I know I will be flamed over this. If you must, please send it
> > directly to me. It will save the list a lot of headaches.
> >
> > jackb
> > _______________________________________________
> > VNC-List mailing list
> > [EMAIL PROTECTED]
> > To remove yourself from the list visit:
> > http://www.realvnc.com/mailman/listinfo/vnc-list
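
The Received-header exposure described in the quoted message, seen from the poster's or list operator's side, as an added example that is not part of the original thread: a Python check that lists the routable addresses in a message's Received headers and redacts them before the message is archived. The first Received line is the one quoted above; the second hop, the other headers and the function names are constructed for the example.

```python
import ipaddress
import re
from email import message_from_string

# First Received line: quoted in the post above. Everything else: constructed.
SAMPLE = (
    "Received: from tg37kgri0gejws [65.31.160.95] by gp32us.com with ESMTP\n"
    " (SMTPD32-8.03) id A52B51B200D8; Tue, 24 Feb 2004 19:06:51 -0600\n"
    "Received: from desktop (desktop.lan [10.0.0.5]) by gateway.lan with SMTP;\n"
    " Tue, 24 Feb 2004 19:06:49 -0600\n"
    "From: poster@example.org\n"
    "Subject: test\n"
    "\n"
    "body\n"
)

# Mail servers record the connecting host's address in square brackets.
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def is_routable(text):
    """True if text is a valid, globally routable IPv4 address."""
    try:
        return ipaddress.ip_address(text).is_global
    except ValueError:  # not a real address, e.g. [999.1.1.1]
        return False

def exposed_addresses(raw):
    """List the routable addresses found in the message's Received headers."""
    msg = message_from_string(raw)
    return [ip for header in msg.get_all("Received", [])
            for ip in BRACKETED_IP.findall(header) if is_routable(ip)]

def scrub(raw):
    """Return the message with routable Received addresses redacted."""
    msg = message_from_string(raw)
    headers = msg.items()          # copy of (name, value) pairs, in order
    for name, _ in headers:
        del msg[name]              # no error if the name is already gone
    for name, value in headers:
        if name.lower() == "received":
            value = BRACKETED_IP.sub(
                lambda m: "[redacted]" if is_routable(m.group(1)) else m.group(0),
                " ".join(value.split()))   # unfold before rewriting
        msg[name] = value
    return msg.as_string()

if __name__ == "__main__":
    print(exposed_addresses(SAMPLE))
    print(scrub(SAMPLE))
```

Private (RFC 1918) hops are left in place because they do not identify a reachable machine; only the globally routable address is redacted.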
