Hi Scott,

> Heya. Yes, it's a safe bet that many people on this list
> have a router with port 5900 forward to a Windows machine. Of

At least

> course, this increases "risk", but only so much as the integrity
> of what *listens* to that port, namely the VNC Server itself.

Admittedly, the timer makes a brute force attack difficult but
then there are distributed attacks.

> Of course, as I wrote back in Sept on a similar thread, I
> agree with you that VNC users should try to use a secure-tunnel
> whenever they VNC across the Internet. That's just an inarguable Good
> Idea. For those using VNC to remotely administer their content-

Inarguable.

> sensitive servers, I'm sure it's one of the first things done.

Usually, maybe.

> But even a secure tunnel isn't a panacea. To implement a
> good network security strategy (and/or a good network attack
> strategy), go after the biggest holes first. For VNC users, the

Then as soon as the biggest are closed, go after the rest. There is
no reason to procrastinate. (Prioritization is not procrastination)

> biggest weakness isn't forwarding ports, it's choosing weak VNC
> passwords. For *all* Windows, the even-bigger weakness is reading

Yes, I suppose, whoever would choose a weak password, would
choose a weak passphrase as well.

> email with Outlook and not keeping up with MSoft's near-weekly
> release of security patches. Maybe 5th or 6th on my list would be
> "running VNC without a secure-tunnel". Your mileage may vary. :)

I do agree that those who use dangerous applications and don't
protect themselves by patching known holes are beyond help and
there is no need to waste time telling them about secure tunnels.

> In closing, as I used to tell my IT clients and I'm sure
> you know, the Black Hats don't want to break into your PC to steal
> your credit card numbers. Not their intent. If it were, then the
> rationalization I heard 90-percent of the time ("Oh, I don't keep
> anything on that computer anyone would want to steal") would make
> good sense. Instead, though, the Black Hats want to break into your
> computer so that when they next try to crash Amazon's servers, or
> set up an illegal content reflector, they do it from *your* computer.

All the more reason to be security aware. Don't become an
unknowing accomplice.

Carlyle

> > Let me echo Jack with a bit of emphasis. Look, some of you
> > are publishing the IP addresses of your routers, the make and version
> > of your routers, WHICH PORTS YOU ARE OPENING and the ip
> > addresses and operating systems of the machines behind your
> > routers. This is a public mailing list that anybody can subscribe to.
> > Your routers should be serving as FIREWALLS and many of you
> > are degrading them to be simple routers and then letting the world
> > know where to send their probes.
> >
> > Please look into VPN and SSH. Use VNC exclusively through one of
> > these.
> <snip>


_______________________________________________
VNC-List mailing list