On Tuesday 06 June 2006 13:15, Dave Dyer wrote:
> It's really not realistic or reasonable to expect every PC user to be
> their own ever-vigilant security expert.

Yes and no. It depends on how important security is to you. As pointed out, the flaw was posted on this list. I find that just reading Slashdot (http://slashdot.org) is enough to keep me informed of security issues when I need to know about them. I also use Debian Linux (Stable, whether it's Woody, Sarge, or Etch or whatever), which means a program has to be really stable to be finally classified as eligible for the Stable branch. That means most of the security problems are gone by then. In addition, a one-line cron job (for the uninformed, cron is easily configured to run programs at any time) updates my system every night, getting only security fixes and needed updates. While you probably use different methods for safety, my point is that I use a system that is known for secure updates, and other issues are easily flagged on Slashdot, which is one site. There are better sites for security issues, but I'm just giving one example.

> I try to keep up on these
> things, and I had barely noticed. I doubt that 10% of VNC users
> read either slashdot or vnc-list, much less never miss anything
> important there.

I noticed it was blasted all over any news source that keeps track of open source software. Were you actually keeping up with any news? Guess what? Software has flaws. I doubt there is a single piece of published software without bugs and without security flaws that will be discovered one day. If you use it, it is up to you to keep up with that. For example, if you use Windows, there are frequent serious issues. Some users ignore the situation. (They're the ones with so much malware they can barely use their computers.) Some users get automatic updates, but this is risky because sometimes Windows updates hose the system. Then there are the aware users that know that, for safety, they need to keep up with all the security issues and that many times there are 3rd-party patches/fixes out before MS issues fixes.

> Two things that occur to me that "ought" to have happened, which
> might have increased the visibility.
>
> 1) vnc should maintain its own list, reserved for security flash
> alerts only, and strongly encourage anyone who installs vnc
> to sign up.
>
> 2) word should have been passed to Norton, McAfee, etc so they
> could target vulnerable versions of vnc on behalf of their customers.
> I don't know if this mechanism exists, but it ought to.

Symantec and the other companies keep up with this stuff. Personally, I don't use them, since I use other security measures (and wouldn't be caught dead using Windows, other than testing my software for my clients). They know about it when exploits are published, and this one was published through all or most (that I saw) appropriate channels. As I said, I don't use Symantec or McAfee products, but I'm not sure that they can protect from issues like this. They can watch for malware and viruses, and will watch for whatever is in their definitions, but I don't think they go out of their way to protect you from flaws in other programs. With that in consideration, any malware known to attack RealVNC or other programs would end up in their database as soon as possible and would be downloaded to your system with your next regular update. (You do update daily, don't you?)

I'm not trying to be a pain, but, in the long run, the security of your computer is YOUR responsibility. Maybe this will help, in the long run, by alerting you to the fact that you do have to find ways to ensure your systems' safety.

Hal

_______________________________________________
VNC-List mailing list
[email protected]
To remove yourself from the list visit:
http://www.realvnc.com/mailman/listinfo/vnc-list
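The nightly "security fixes only" cron job Hal describes, written out as an added example (this is not a script from the post, from Hal, or from the VNC project). It assumes Debian's apt-get and the usual `deb URL suite components` layout of /etc/apt/sources.list; the security-list path, script location, cron time and log path are constructed choices, and the `Dir::Etc::SourceParts=/dev/null` idiom for ignoring sources.list.d is assumed to be accepted by the apt version in use.

```shell
#!/bin/sh
# Nightly security-only update for a Debian stable box, meant to run from cron.
# Added example, not Hal's own script. Assumes apt-get and a standard
# /etc/apt/sources.list; SECURITY_LIST is a constructed path.

SECURITY_LIST="${SECURITY_LIST:-/etc/apt/security.sources.list}"

# Keep only active deb/deb-src lines that point at the Debian security archive,
# so the generated list pulls nothing from the general mirrors. Reads stdin,
# drops commented-out lines and everything that is not security.debian.org.
security_sources_only() {
    grep -E '^[[:space:]]*deb(-src)?[[:space:]]+https?://security\.debian\.org/'
}

# Derive the security-only list from the regular sources.list (run as root).
build_security_list() {
    security_sources_only < /etc/apt/sources.list > "$SECURITY_LIST"
}

# Refresh package indexes and upgrade using only the security-only list.
# Dir::Etc::SourceList points apt at our file; Dir::Etc::SourceParts=/dev/null
# is the usual way to make apt ignore /etc/apt/sources.list.d (assumption:
# your apt version accepts it).
nightly_security_update() {
    apt-get -o Dir::Etc::SourceList="$SECURITY_LIST" \
            -o Dir::Etc::SourceParts=/dev/null -qq update
    apt-get -o Dir::Etc::SourceList="$SECURITY_LIST" \
            -o Dir::Etc::SourceParts=/dev/null -qq -y upgrade
}

# Root crontab line that runs this script every night at 03:30 and keeps a log
# (constructed paths; install the script wherever you prefer):
#   30 3 * * * /usr/local/sbin/security-update.sh >>/var/log/security-update.log 2>&1

# Only do the real work when explicitly asked, so sourcing this file for the
# helper functions has no side effects.
if [ "${RUN_NIGHTLY:-0}" = 1 ]; then
    build_security_list
    nightly_security_update
fi
```

Two caveats a practitioner will want: `apt-get upgrade` never installs new packages or removes existing ones, so a security fix that needs a new dependency shows up as "kept back" in the log rather than being applied, which is exactly the case to look for when reviewing the log; and running the update unattended is the same trade-off Hal notes for Windows automatic updates, so the log line in the crontab entry is the check, not an afterthought.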
