Re: Some bad and unfortunate news

Someone asked about remote. Here. My Twitter rant on the matter. Not getting into this any more than this thing, but I want this public anyway, to protect the users of NVDA Remote, because the devs won't just do what's right and at least make their flaw public.

I will never understand why the devs of NVDA Remote think it's OK to put your auto-connect key in a plain text file, then blame me for someone getting access to that. It ain't my fault. They always think they're so amazingly secure and that it's your fault if you run something that exposes that information. Guys, NVDA Remote is so unbelievably insecure. All you have to do is run something, and it can send out an HTTP packet with the key. I've also been able to see keys be packet sniffed somehow. I don't get that part, but even if the devs of NVDA Remote weren't so ridiculously arrogant this wouldn't be so bad. They say they're secure and all it takes is you being careful. They won't admit it, but I'm sure if someone gave them a Python installer or they saw a game online they wanted to try, they'd run it and not even think twice.

Well, I may have run something, and when I last talked to the NVDA Remote devs about this, they said I didn't have a security mindset. So wait, it's my fault that I ran something that exposed my key that they stored in a plain text file? Well, I'm sorry, but it's no more my fault than it would be yours. We all run shit, but since getting the key is so fucking unbelievably easy, key=file_get_contents("c:/users/".$user."/appdata/roaming/nvda/remote.ini"), it's very hard to detect. It's not my fault if I ran something and the code used a nasty Windows flaw. Logically it could be, I ran it, yes, but especially when the devs know how insecure it is, it becomes my fault for using their product, and their fault for making it this insecure. If it was a bug that they didn't know about at all, that would be way different. But I blame this on the NVDA Remote devs because they know about this. And again, logically, it is my fault that I ran the program in the first place. But there's a point where that shit doesn't matter anymore. If I had run something that reformatted my external drive with malicious code, yeah, well, fuck me then.
But no, I was targeted with an exe file that sent out my remote key to a server. NVDA Remote devs, there are a couple of things to consider, in my opinion, and the biggest: what about the people who aren't very tech savvy and don't know how easy it is to grab your NVDA Remote keys? Yeah, there are the smart ones who know the risks, but even they can easily be tricked. Hey John, can I have the TeamTalk installer? Ehh hem...

But for all of you guys out there, know this. If you have NVDA Remote using the autoconnect method, check the file in the path mentioned in the little code snippet above. It will directly show you the key, in plain text. Anything you run can just grab that key, without even requiring admin access. This key, once grabbed, can be transmitted to a server where people can then look at it and connect using NVDA Remote whenever they feel like it. Just keep this in mind. And it's usually hardly your fault. If you go to a popular shop and get coffee, it's not your fault if someone sneaks a cyanide pill in there when you're not looking. I'm sure most of you can connect that with this remote thing. If you ask for an installer, someone can give you a version of that installer that, yes, runs the installer so you think nothing is wrong, but also posts your key to their server.

Personally, I'd recommend refraining from most NVDA Remote use until they finally decide this little bout of lazy coding on their part can finally be undone. Seriously, what else do you expect it to be aside from complete lazy coding? I bet they coded their little config saving in like 30 seconds with some INI manager. Maybe I'll even go check out the code myself and look, but still. At least encrypt it, or store it on a server, not in plain text on the user's fucking local machine. That is so cheap. Maybe for some offline game, but for a remote client that people donated to help you develop, that people now use to control their home computers and servers?
No fucking way is that even remotely acceptable. You're using SSL and that sort of stuff, and if you made this without asking for a cent, maybe it would be acceptable, but what the hell. For a second, what are these outgoing connections to NVDARemote.com? I looked at packet analysis data, and like 2 times, my NVDA on my VPS randomly made this outgoing connection on port 6837 to NVDARemote.com. Why? Maybe it's just for checking for updates and stuff; I'd still like to know what that was all about though. Anyway guys, please RT if you agree that in this remote client, the fact that people can view your entire configuration including your autoconnect key in plain text is completely unacceptable.

_______________________________________________
Audiogames-reflector mailing list
Audiogames-reflector@sabahattin-gucukoglu.com
https://sabahattin-gucukoglu.com/cgi-bin/mailman/listinfo/audiogames-reflector
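An added example, not code from the post's author or from the NVDA Remote project: a small audit script that does the check the post asks users to do, reading a remote.ini like the one described above and flagging any secret-looking option that is stored in plain text. The file path is the %APPDATA%\nvda\remote.ini location the post names; the section and option names in the constructed sample are assumptions, since the page does not show the file's actual layout.

```python
"""Audit an NVDA Remote style INI file for plaintext secrets.

Added example, not code from NVDA Remote. The post says the autoconnect key
lives in plain text under %APPDATA%\\nvda\\remote.ini; the section and option
names used in the constructed sample below are assumptions.
"""
import configparser
import os

# Constructed sample in the shape the post describes. The section/option
# names are assumed, not copied from the add-on's real configuration.
SAMPLE_INI = """[connection]
host = example.invalid
port = 6837

[controlserver]
autoconnect = True
key = hunter2-autoconnect-key
"""

# Option names that should never hold a usable value in a world-readable file.
SECRET_OPTION_NAMES = ("key", "password", "passwd", "secret", "token")


def default_remote_ini_path():
    """Path the post points at: %APPDATA%\\nvda\\remote.ini (Windows only)."""
    appdata = os.environ.get("APPDATA")
    if not appdata:
        return None
    return os.path.join(appdata, "nvda", "remote.ini")


def mask(value, keep=3):
    """Show only the first few characters so the audit output is safe to share."""
    return value[:keep] + "*" * max(0, len(value) - keep)


def find_plaintext_secrets(ini_text):
    """Return [(section, option, masked_value)] for secret-looking options
    that carry a non-empty value in the given INI text."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(ini_text)
    findings = []
    for section in parser.sections():
        for option, value in parser.items(section):
            # configparser lower-cases option names by default.
            if option in SECRET_OPTION_NAMES and value.strip():
                findings.append((section, option, mask(value)))
    return findings


def audit_file(path):
    """Audit an INI file on disk; returns [] when the path is unset or absent."""
    if not path or not os.path.isfile(path):
        return []
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_plaintext_secrets(fh.read())


if __name__ == "__main__":
    # Offline demo on the constructed sample, then the real file if present.
    for section, option, masked in find_plaintext_secrets(SAMPLE_INI):
        print(f"sample: [{section}] {option} = {masked}  (plaintext secret)")
    real = audit_file(default_remote_ini_path())
    if real:
        for section, option, masked in real:
            print(f"local remote.ini: [{section}] {option} = {masked}")
    else:
        print("no local remote.ini found, or no plaintext secrets in it")
```

Point it at the real file by passing its path to audit_file(). One caveat on the "at least encrypt it" suggestion: wrapping the stored key with DPAPI (CryptProtectData in user scope) stops other accounts on the machine and offline copies of the profile from reading it, but any program running as the same user can call CryptUnprotectData just as easily as it can read the INI, so encryption at rest alone does not defeat the trojanised-installer scenario the post describes; not persisting a long-lived autoconnect key is what removes that path.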