As a newbie to all of this, I just want to say that I really appreciate this discussion and have learned quite a bit (It's been quite entertaining as well). I downloaded the free version of RealVNC but I have decided to upgrade and purchase it so that I can receive the proper support and learn as much as I can to minimize any security threats.
Thanks everyone.

Glenda Harris

>
> From: Hal Vaughan <[EMAIL PROTECTED]>
> Date: 2006/06/06 Tue PM 02:13:51 EDT
> To: [email protected]
> Subject: Re: vnc security flaw?
>
> On Tuesday 06 June 2006 13:15, Dave Dyer wrote:
> > It's really not realistic or reasonable to expect every PC user to be
> > their own ever-vigilant security expert.
>
> Yes and no. It depends on how important security is to you. As pointed
> out, the flaw was posted on this list. I find that just reading
> Slashdot (http://slashdot.org) is enough to keep me informed of
> security issues when I need to know about them. I also use Debian
> Linux (Stable, whether it's Woody, Sarge, or Etch or whatever), which
> means a program has to be really stable to be finally classified as
> eligible for the Stable branch. That means most of the security
> problems are gone by then. In addition, a one line cron job (for the
> uninformed, cron is easily configured to run programs at any time)
> updates my system every night, getting only security fixes and needed
> updates.
>
> While you probably use different methods for safety, my point is that I
> use a system that is known for secure updates and other issues are
> easily flagged on Slashdot, which is one site. There are better sites
> for security issues, but I'm just giving one example.
>
> > I try to keep up on these
> > things, and I had barely noticed. I doubt that 10% of VNC users
> > read either slashdot or vnc-list, much less never miss anything
> > important there.
>
> I noticed it was blasted all over any news source that keeps track of
> open source software. Were you actually keeping up with any news?
>
> Guess what? Software has flaws. I doubt there is a single piece of
> published software without bugs and without security flaws that will be
> discovered one day. If you use it, it is up to you to keep up with
> that. For example, if you use Windows, there are frequent serious
> issues. Some users ignore the situation. (They're the ones with so
> much malware they can barely use their computers.) Some users get
> automatic updates, but this is risky because sometimes Windows updates
> hose the system. Then there are the aware users that know that for
> safety, they need to keep up with all the security issues and that many
> times there are 3rd party patches/fixes out before MS issues fixes.
>
> > Two things that occur to me that "ought" to have happened, which
> > might have increased the visibility.
> >
> > 1) vnc should maintain its own list, reserved for security flash
> > alerts only, and strongly encourage anyone who installs vnc
> > to sign up.
> >
> > 2) word should have been passed to norton, mcafee, etc so they
> > could target vulnerable versions of vnc on behalf of their customers.
> > I don't know if this mechanism exists, but it ought to.
>
> Symantec and the other companies keep up with this stuff. Personally, I
> don't use them, since I use other security measures (and wouldn't be
> caught dead using Windows, other than testing my software for my
> clients). They know about it when exploits are published, and this one
> was published through all or most (that I saw) appropriate channels.
>
> As I said, I don't use Symantec or McAfee products, but I'm not sure
> that they can protect from issues like this. They can watch for
> malware and viruses, and will watch for whatever is in their
> definitions, but I don't think they go out of their way to protect you
> from flaws in other programs. With that in consideration, any malware
> known to attack RealVNC or other programs would end up in their
> database as soon as possible and would be downloaded to your system
> with your next regular update. (You do update daily, don't you?)
>
> I'm not trying to be a pain, but, in the long run, the security of your
> computer is YOUR responsibility. Maybe this will help, in the long
> run, by alerting you to the fact that you do have to find ways to
> ensure your systems' safety.
>
> Hal
> _______________________________________________
> VNC-List mailing list
> [email protected]
> To remove yourself from the list visit:
> http://www.realvnc.com/mailman/listinfo/vnc-list
