Security Was: Yay, for the first time, vince is working for
toml "at" gp32us.com
Wed Feb 25 05:43:01 2004
----- Original Message -----
From: "Tom Lemcke" <toml "at" gp32us.com>
To: <jackb "at" guppy.us>
Sent: Tuesday, February 24, 2004 9:48 PM
Subject: Re: Security Was: Yay, for the first time, vince is working for me.
> Well, some of the security you mentioned kind of is on the mailing list
> side. I've seen mailing lists using anonymous SMTP IP server, instead of
> forwarding a message through a list of email recipients. The other thing is
> that it seems most of us use a home email account for the mailing list,
> of some kind of mobile emailing list. The other thing is that I hope most
> use a unique/complicated enough PW for our vince servers. I know mine is
> quite unique to me.
> Another thing with the security of the mailing list is that people could
> just be subscribed to this mailing list and contributing to the list. So
> I just brought up some trust issues we have in this mailing list.
> Though, decent points you did bring up, I guess.
> ----- Original Message -----
> From: <jackb "at" guppy.us>
> To: <vnc-list "at" realvnc.com>
> Sent: Tuesday, February 24, 2004 8:39 PM
> Subject: Security Was: Yay, for the first time, vince is working for me.
> > > Well, not exactly the first time, but the first time for me outside of my home
> > > network. I'm writing this email on a virtual desktop of my computer
> > > of my night classes at school.
> > <snip>
> > Tom, sorry for using you as an example. You just highlighted the
> > simplest attack vector on this list. I am glad you could, but you
> > have not been listening to the security debate.
> > Most of you think that posting / not posting your address makes you
> > safer.
> > Tom posted from his home machine via VNC. What he, or most of you,
> > do not know or remember is that IP addresses are in your mail headers.
> > That's right, Tom posted to this list, his home machine's IP in the
> > clear. Here is the line from his header:
> > Received: from tg37kgri0gejws [220.127.116.11] by gp32us.com with ESMTP
> > (SMTPD32-8.03) id A52B51B200D8; Tue, 24 Feb 2004 19:06:51 -0600
> > Tom, please check your logs, if you have them active, you should find
> > a single connect from my address 18.104.22.168 to your VNC server, and
> > your server offered to me "a log-in". I did not log-in nor try, but
> > to demonstrate how easy from these PUBLIC lists it is to get the
> > information needed. Note: this is no different than connecting via
> > http to port 80 of a secured server. But there, at least it asks
> > for two pieces of information user and password.
> > Each member that posts to this list, gives away this kind of
> > information, every time.
> > VNC security model is NOT built for direct connection to the
> > internet. It does not reject nor shut down after repeated failed log-ins.
> > Since this list is about VNC, it means a simple guess which single
> > port to try. A bot could be written to keep trying to connect and
> > guess passwords for IP address that are presented on this list, it is
> > easier since no user or other security object is needed. Earlier
> > today, I wrote about my own daughter, under subject: LOGO, figured
> > out my password partially by trial and error.
> > Please, all, start thinking about some basic security. Remember
> > braces and belts, make really sure you do not lose your pants
> > (except by gambling).
> > I know I will be flamed over this. If you must, please send it
> > directly to me. It will save the list a lot of headaches.
> > jackb
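
A self-audit for the header exposure jackb describes, as an added example that is not part of the original thread: it lists every IP literal in a message's Received headers and flags the publicly routable ones, so you can see what a post sent from your own setup reveals before it reaches a public list. The first Received line in the sample is the one quoted in the thread; the second hop, the other headers and the function names are constructed for illustration.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: the second Received block is the header line quoted in
# the thread; the first hop and the remaining headers are made up.
SAMPLE = """\
Received: from mail.example.net [192.168.1.10] by list.example.org with ESMTP;
 Tue, 24 Feb 2004 19:07:02 -0600
Received: from tg37kgri0gejws [220.127.116.11] by gp32us.com with ESMTP
 (SMTPD32-8.03) id A52B51B200D8; Tue, 24 Feb 2004 19:06:51 -0600
From: poster@example.org
Subject: test

body
"""

# Address literals appear in brackets, optionally tagged "IPv6:" (RFC 5321).
LITERAL = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")


def exposed_addresses(raw_message):
    """Return (hop, address, is_public) for each IP literal in Received headers.

    Hop 0 is the header nearest the recipient; the last hop is nearest the sender.
    """
    msg = message_from_string(raw_message)
    found = []
    for hop, header in enumerate(msg.get_all("Received", [])):
        for literal in LITERAL.findall(header):
            try:
                addr = ipaddress.ip_address(literal)
            except ValueError:
                continue  # bracketed text that is not an address
            found.append((hop, str(addr), addr.is_global))
    return found


def public_leaks(raw_message):
    """Addresses that any reader of the list archive could route to directly."""
    return [addr for _, addr, public in exposed_addresses(raw_message) if public]


if __name__ == "__main__":
    for hop, addr, public in exposed_addresses(SAMPLE):
        print(f"hop {hop}: {addr} {'PUBLIC' if public else 'private'}")
```

Run it against a copy of a message you sent to yourself through the same mail path; a public address at the last hop is the machine you posted from.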