Some bad and unfortunate news

2016-06-09 Thread AudioGames . net Forum — Off-topic room : masonian via Audiogames-reflector


Hi all, So, yesterday, a lot of things happened. Despite my continued efforts to improve security, my accounts were yet again hacked into. Old news, right? Yeah. Let this Twitter post explain everything. Hello all, and welcome to DarkFlier Productions! Here are my reasons for switching, yet again. Firstly, I've been meaning to get a shorter domain, and was broken. I couldn't remove it or do anything like that. So moving on to yesterday. I figure out that somebody has hacked into my computer via NVDA Remote and stolen my passwords due to the unsecure NVRemote Key system, so that was pretty bad. I wanted a break from social media for a while, so I'm going to be a lot more private these days. I do have a protected Twitter account which I will not disclose here. I deleted all of my previously existing accounts, Skype, Twitters, etc. I decided rather than mess with changing passwords and such, I'd just restart fresh. This way, everything is using the same email, etc etc. Hopefully, this is the last time this will happen. If you wish to follow that account, its Twitter name is @DarkFlierProd. Yes, I know this is old news and it happens every year, but I continue to improve security and hope it won't happen anymore.


Audiogames-reflector mailing list

Re: Some bad and unfortunate news

2016-06-09 Thread AudioGames . net Forum — Off-topic room : Figment via Audiogames-reflector


I had that happen to me about 13 years ago. I was notified by a web site I had an account on that they had been hacked and that they were recommending that anyone who used the same password at other sites, change the passwords at those other sites. I was using the same password at any site that needed one. Fortunately I had just discovered RoboForm and had just started using it. For those who don't know, RoboForm is a program that works through your browser and can fill forms for you. The most common forms are log in forms, so RoboForm can remember all the passwords you use for various sites. RoboForm also has a password generator, so I started using it to generate random 16 character passwords. Now, no two sites use the same password, and the passwords are very strong, minimizing any chances of being hacked because of weak passwords. Once bitten, twice shy.

Re: Some bad and unfortunate news

2016-06-09 Thread AudioGames . net Forum — Off-topic room : Figment via Audiogames-reflector


I had that happen to me about 13 years ago. I was notified by a web site I had an account on that they had been hacked and that they were recommending that anyone who used the same password at other sites, change the passwords at those other sites. I was using the same password at any site that needed one. Fortunately I had just discovered RoboForm and had just started using it. For those who don't know, RoboForm is a program that works through your browser and can fill forms for you. The most common forms are log in forms, so RoboForm can remember all the passwords you use for various sites. RoboForm also has a password generator, so I started using it to generate random 16 character passwords. Now, no two sites use the same password, and the passwords are very strong, minimizing any chances of being hacked because of weak passwords. Since then, none of my many accounts on the many web sites has ever been hacked. Once bitten, twice shy.

Re: Some bad and unfortunate news

2016-06-09 Thread AudioGames . net Forum — Off-topic room : masonian via Audiogames-reflector


Hmm, I might have to check into that.

Re: Some bad and unfortunate news

2016-06-09 Thread AudioGames . net Forum — Off-topic room : blink_wizard via Audiogames-reflector


Hi, that's not even your problem. You, unlike most people, did not use all the same passwords, and they were pretty strong. Your main problem was that you stored all of your passwords in a text file, therefore it would have just been asking to get hacked. The fact that someone could have done this attack, the fact that it was all because of remote and a bgt script, will bring me to my next point. Users of NVDA remote, be very careful. It is quite easy to hack, if you look at my twitter, or Sam Tupy's twitter for that matter, it's not that hard.

Re: Some bad and unfortunate news

2016-06-09 Thread AudioGames . net Forum — Off-topic room : masonian via Audiogames-reflector


Yeah. The problem is though, I'm never gonna remember them all if I don't.

Re: Some bad and unfortunate news

2016-06-09 Thread AudioGames . net Forum — Off-topic room : blink_wizard via Audiogames-reflector


Well, you could code something like a password manager. How, you might ask? Simple, make a bgt script that you open, and it requires a password to unlock. You then are taken in to a menu, and you can hit enter on a password, and closes. However, after doing this, I would recommend you remove its source code, unless you want to store the password in your appdata or a dat file that's encrypted. BTW, when is scrolling battles pro gonna come back? But as I said, at least encrypt things.

Re: Some bad and unfortunate news

2016-06-09 Thread AudioGames . net Forum — Off-topic room : RichYamamoto via Audiogames-reflector


I would use something like 1password, so that if for some odd reason you forget your password, you could look back and see what your password is. Keep in mind that last time I checked, it was $50, but I heard that they made it free. I'm not sure if that was just on iOS, though.

Re: Some bad and unfortunate news

2016-06-09 Thread AudioGames . net Forum — Off-topic room : cartertemm via Audiogames-reflector


Nah, it's free on iOS. And Mason, I usually base my passwords off something nobody in this blind community knows about, therefore making it more secure. I, however, keep my stuff in a password protected DMG, so it can only be accessed on a Mac. I would use one password, but don't understand why it's free on one device, but paid on the other.

Re: Some bad and unfortunate news

2016-06-09 Thread AudioGames . net Forum — Off-topic room : TJT1234 via Audiogames-reflector


It's free on mobile because we expect mobile apps to be free. Another good example is A Blind Legend.

Re: Some bad and unfortunate news

2016-06-10 Thread AudioGames . net Forum — Off-topic room : the_ruler_of_dark_forces via Audiogames-reflector


Also, MS Word and OpenOffice enable you to protect your documents with a password. At least it's more secure than storing it in a text file, which, as it has been said before, is just asking to get hacked.

Re: Some bad and unfortunate news

2016-06-10 Thread AudioGames . net Forum — Off-topic room : cartertemm via Audiogames-reflector


Ok, even if you're going to have a file with your passwords in it, unprotected, at least have a hard drive where it is only located, and take extreme measures to secure it, right? That's still really insecure as well. When you're thinking about security, you also need the hacker's mindset. Think of what would be the easiest way to get hold of crap.

Re: Some bad and unfortunate news

2016-06-10 Thread AudioGames . net Forum — Off-topic room : Figment via Audiogames-reflector


If RoboForm or something like it didn't exist, so I had to keep my passwords in a file, I'd either store the file encrypted, or store it on offline media like a flash drive, or both. That way the file is only readable when you need it. Otherwise it's either encrypted or offline, or both. I'll just be thankful RoboForm exists and is accessible.

Re: Some bad and unfortunate news

2016-06-10 Thread AudioGames . net Forum — Off-topic room : jaybird via Audiogames-reflector


I've always said NVDA Remote needs more security than just basically a password to enter when connecting. Why not have systems accessible via a private key? If you don't have the private key, you are not getting in. Period, end of story, closed subject.

Re: Some bad and unfortunate news

2016-06-10 Thread AudioGames . net Forum — Off-topic room : simba via Audiogames-reflector


Hi. OK, as a user of NVDA remote, I want to ask something. I thought that when you are at your computer, you will always see what some other guy is doing to your pc with NVDA remote. But how can you hack those things then? Or more precisely, how can you detect this stuff? I really don't know anything about hacking, not how to do it, and not even how to find a kind of target. Furthermore I don't know how to secure my machine against hackers, tips would be appreciated.

Re: Some bad and unfortunate news

2016-06-10 Thread AudioGames . net Forum — Off-topic room : livrobo via Audiogames-reflector


Since other people have already touched on the subject of password managers, I want to say something about NVDA Remote. It seems the problem that people have is that your auto connect key is written to a file in text in your appdata directory. Apparently people want this file encrypted, but I really don't think that there is a way that this can be done. NVDA Remote is open source, so there is no way that I can think of that the authors could encrypt this file. They could make the encryption of this file not open source, but that would go against the GPL. Here's some other fun information for you. Your Twitter authentication information is stored by both TwBlue and Chicken Nugget in your appdata directory. As is log on information from Filezilla, profiles from Firefox, and many other programs. This isn't something that is as easy to change as people are making it out to be.

Re: Some bad and unfortunate news

2016-06-10 Thread AudioGames . net Forum — Off-topic room : livrobo via Audiogames-reflector


Setting aside weak passwords and storing them in locations that aren't secure, I want to say something about NVDA Remote. It seems the problem that people have is that your auto connect key is written to a file in text in your appdata directory. Apparently people want this file encrypted, but I really don't think that there is a way that this can be done. NVDA Remote is open source, so there is no way that I can think of that the authors could encrypt this file. They could make the encryption of this file not open source, but that would go against the GPL. Here's some other fun information for you. Your Twitter authentication information is stored by both TwBlue and Chicken Nugget in your appdata directory. As is log on information from Filezilla, profiles from Firefox, and many other programs. This isn't something that is as easy to change as people are making it out to be.

Re: Some bad and unfortunate news

2016-06-10 Thread AudioGames . net Forum — Off-topic room : livrobo via Audiogames-reflector


It seems the problem that people have with NVDA Remote is that your auto connect key is written to a file in your appdata directory. Apparently people want this file encrypted, but I really don't think that there is a way that this can be done. NVDA Remote is open source, so there is no way that I can think of that the authors could encrypt this file. They could make the encryption of this file not open source, but that would go against the GPL. Here's some other fun information for you. Your Twitter authentication information is stored by both TwBlue and Chicken Nugget in your appdata directory. As is log on information from Filezilla, profiles from Firefox, and many other programs. This isn't something that is as easy to change as people are making it out to be.

Re: Some bad and unfortunate news

2016-06-10 Thread AudioGames . net Forum — Off-topic room : cartertemm via Audiogames-reflector


Just another helpful little thing, 2 factor authentication is there with most services for a reason. Of course this won't work for NVDA remote, but Skype, email, and most other things.

Re: Some bad and unfortunate news

2016-06-10 Thread AudioGames . net Forum — Off-topic room : masonian via Audiogames-reflector


True. I've ended up encrypting this and the key is not written anywhere.

Re: Some bad and unfortunate news

2016-06-10 Thread AudioGames . net Forum — Off-topic room : cartertemm via Audiogames-reflector


Perfect, glad I could help.

Re: Some bad and unfortunate news

2016-06-10 Thread AudioGames . net Forum — Off-topic room : jack via Audiogames-reflector


There is a password manager called anypassword, it's free and has all your passwords in a nice treeview. The passwords are showing when inside the program to allow clipboard access, but to open the file you must type in the master password, and anypassword is the only program that can open files it creates.

Re: Some bad and unfortunate news

2016-06-10 Thread AudioGames . net Forum — Off-topic room : cartertemm via Audiogames-reflector


Nice, I'll make sure to check that out. Thank you

Re: Some bad and unfortunate news

2016-06-11 Thread AudioGames . net Forum — Off-topic room : masonian via Audiogames-reflector


Thanks for the suggestion.

Re: Some bad and unfortunate news

2016-06-12 Thread AudioGames . net Forum — Off-topic room : Sam_Tupy via Audiogames-reflector


Someone asked about remote. Here. My Twitter rant on the matter. Not getting into this any more than this thing, but I want this public anyway, to protect the users of NVDA remote, because the devs won't just do what's right and at least make their flaw public.

I will never understand why the devs of NVDA remote think it's OK to put your auto connect key in a plain text file, then blame me for someone getting access to that. It ain't my fault. They always think they're so amazingly secure and that it's your fault if you run something that exposes that information. Guys, NVDA remote is so unbelievably unsecure. All you have to do is run something, and it can send out an HTTP packet with the key. I've also been able to see keys be packet sniffed somehow. I don't get that part, but even if the devs of NVDA remote weren't so ridiculously arrogant this wouldn't be so bad. They say they're secure and all it takes is you being careful. They won't admit it, but I'm sure if someone gave them a python installer or they saw a game online they wanted to try, they'd run it and not even think twice.

Well, I may have run something, and when I last talked to the NVDA remote devs about this, they said I didn't have a security mindset. So wait, it's my fault that I ran something that exposed my key that they stored in a plain text file? Well I'm sorry but it's no more my fault than it would be yours. We all run shit, but since getting the key is so fucking unbelievably easy, key=get_file_contents("c:/users/".$user."/appdata/roaming/nvda/remote.ini"), it's very hard to detect. It's not my fault if I ran something and the code used a nasty Windows flaw. Logically it could be, I ran it, yes, but especially when the devs know how unsecure it is, it becomes my fault for using their product, and their fault for making it this unsecure. If it was a bug that they didn't know about at all, that would be way different. But I blame this on the NVDA remote devs because they know about this. And again, logically, it is my fault that I ran the program in the first place. But there's a point where that shit doesn't matter anymore. If I would have run something that reformatted my external drive with malicious code, yeah, well fuck me then. But no, I was targeted with an exe file that sent out my remote key to a server.

NVDA remote devs, there are a couple things to consider, in my opinion, and the biggest, what about the people who aren't very tech savvy and don't know how easy it is to grab your NVDA remote keys. Yeah there are the smart ones who know the risks, but even they can easily be tricked. Hey john, can I have the teamtalk installer? Ehh hem... But for all of you guys out there, know this. If you have NVDA remote using the autoconnect method, check the file in the path mentioned in the little code snippet above. It will directly show you the key, in plain text. Anything you run can just grab that key, without even requiring admin access. This key, once grabbed can be transmitted to a server where then people can look at it, and connect using NVDA remote whenever they feel like it. Just keep this in mind. And it's usually hardly your fault. If you go to a popular shop and get coffee, it's not your fault if someone sneaks a cyanide pill in there when you're not looking. I'm sure most of you can connect that with this remote thing. If you ask for an installer, someone can give you a version of that installer that yes, runs the installer so you think nothing is wrong, but also posts your key to their server.

Personally, I'd recommend refraining from most NVDA remote use until they finally decide this little bout of lazy coding on their part can finally be undone. Seriously, what else do you expect it to be aside from complete lazy coding. I bet they coded their little config saving in like 30 seconds with some INI manager. Maybe I'll even go check out the code myself and look, but still. At least encrypt it, or store it on a server, not in plain text on the user's fucking local machine. That is so cheap. Maybe for some offline game, but for a remote client that people donated to help you develop that people now use to control their home computers and servers? No fucking way is that even remotely acceptable. You're using SSL and that sort of stuff, and if you made this without asking for a cent, maybe it would be acceptable, but what the hell. For a second, what are these outgoing connections to I looked at packet analyzation data, and like 2 times, my nvda on my VPS randomly made this outgoing connection on port 6837 to Why? Maybe it's just for checking for updates and stuff, I'd still like to know what that was all about though. Anyway guys, please RT if you agree that in this remote client, the fact that
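
The self-check recommended in the post above (open the add-on's config file and see whether an auto-connect key is sitting there in plain text), generalised into a small audit script for any INI-style config file. This is an added example, not part of the original post and not NVDA Remote code; the sample file is constructed, and its section names, option names, host and key value are assumptions.

```python
"""Audit an INI-style config file for credentials stored in plain text.

Added example, not NVDA Remote code. The option names below are assumptions;
compare them with the file on your own machine before relying on the result.
"""
import re
import sys
from pathlib import Path

# Option names treated as secret-bearing (assumed list for this example).
SECRET_OPTIONS = {"key", "password", "passwd", "token", "secret"}
# Option names meaning "reconnect automatically with the stored secret" (assumed).
AUTOCONNECT_OPTIONS = {"autoconnect", "auto_connect"}
TRUTHY = {"1", "true", "yes", "on"}

# Accepts [section] as well as nested [[section]] headers.
SECTION_RE = re.compile(r"^\[+\s*(.*?)\s*\]+$")

# Constructed sample. Port 6837 is the one mentioned in the thread; the
# section names, option names, host and key value are made up.
SAMPLE_INI = """\
[controlserver]
    autoconnect = True
    host = relay.example.invalid
    port = 6837
    key = "constructed-sample-key-123"

[ui]
    play_sounds = True
"""


def parse_ini(text):
    """Return {section: {option: value}}, tolerating indentation and quotes."""
    sections = {}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1).lower()
            sections.setdefault(current, {})
            continue
        if "=" not in line:
            continue
        name, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        sections.setdefault(current, {})[name.strip().lower()] = value
    return sections


def redact(value):
    """Keep at most two leading characters so reports never leak the secret."""
    if len(value) <= 4:
        return "*" * len(value)
    return value[:2] + "*" * (len(value) - 2)


def audit_ini_text(text):
    """List every non-empty secret-like option, flagging auto-connect sections."""
    findings = []
    for section, options in parse_ini(text).items():
        auto = any(options.get(n, "").lower() in TRUTHY for n in AUTOCONNECT_OPTIONS)
        for name, value in options.items():
            if name in SECRET_OPTIONS and value:
                findings.append({
                    "section": section,
                    "option": name,
                    "length": len(value),
                    "preview": redact(value),
                    "autoconnect": auto,
                    # A stored secret that is also used unattended is the worse case.
                    "severity": "high" if auto else "medium",
                })
    return findings


def audit_ini_file(path):
    """Audit a file on disk; a missing file yields no findings."""
    p = Path(path)
    if not p.is_file():
        return []
    return audit_ini_text(p.read_text(encoding="utf-8", errors="replace"))


if __name__ == "__main__":
    results = audit_ini_file(sys.argv[1]) if len(sys.argv) > 1 else audit_ini_text(SAMPLE_INI)
    for f in results:
        print(f"[{f['severity']}] [{f['section']}] {f['option']} = {f['preview']} "
              f"({f['length']} chars, autoconnect={f['autoconnect']})")
    if not results:
        print("no plaintext secrets found")
```

A finding means any program running under the same user account can read that value; as later replies in the thread note, the exposure applies only when auto-connect is used.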

Re: Some bad and unfortunate news

2016-06-12 Thread AudioGames . net Forum — Off-topic room : TJT1234 via Audiogames-reflector


I am glad I found out about this because I was just about to install that add-on. I think I have changed my mind now.

Re: Some bad and unfortunate news

2016-06-13 Thread AudioGames . net Forum — Off-topic room : cartertemm via Audiogames-reflector


Nothing's wrong with installing the add-on. That's actually pretty secure. The unsecure thing comes when using auto-connect keys.

Re: Some bad and unfortunate news

2016-06-13 Thread AudioGames . net Forum — Off-topic room : TJT1234 via Audiogames-reflector


The way Sam puts it when he says "All you have to do is run something, and it can send out an HTTP packet with the key." makes it sound like we are choosing to be very vulnerable if we use NVDA Remote.

Re: Some bad and unfortunate news

2016-06-13 Thread AudioGames . net Forum — Off-topic room : TJT1234 via Audiogames-reflector


I am glad I found out about this because I was just about to install that add-on. I think I have changed my mind now.

Re: Some bad and unfortunate news

2016-06-13 Thread AudioGames . net Forum — Off-topic room : Aprone via Audiogames-reflector


Cartertemm, that is what I was wondering after skimming through this thread.  I don't know much about NVDA remote, but wouldn't this only affect people who set it to auto connect?  Keep in mind that because I've never used this add-on, I am assuming that auto connect is something the user can choose to use or not use.

Re: Some bad and unfortunate news

2016-06-13 Thread AudioGames . net Forum — Off-topic room : masonian via Audiogames-reflector


Hi, Yes, it would only be unsecure if you told it to autoconnect.

Re: Some bad and unfortunate news

2016-06-14 Thread AudioGames . net Forum — Off-topic room : TJT1234 via Audiogames-reflector


Good. Thanks for that clarification.

Re: Some bad and unfortunate news

2016-06-14 Thread AudioGames . net Forum — Off-topic room : masonian via Audiogames-reflector


No problem. Really, NVDA Remote isn't that big of a deal, it's just some people make it out to be worse than it actually is. I mean who is gonna hack into you, connect you to a server and grab your remote key? It's highly unlikely.

Re: Some bad and unfortunate news

2016-06-14 Thread AudioGames . net Forum — Off-topic room : blindndangerous via Audiogames-reflector


Might wanna change your signature if you're not going to use that anymore.

Re: Some bad and unfortunate news

2016-06-14 Thread AudioGames . net Forum — Off-topic room : masonian via Audiogames-reflector


Yep, just did. Thanks.

Re: Some bad and unfortunate news

2016-06-14 Thread AudioGames . net Forum — Off-topic room : jaybird via Audiogames-reflector


I agree something should be done about this. If you're going to encrypt the key, it needs to be encrypted uniquely for each user. If it's encrypted with some sort of master key, since the code is open-source, in theory anyone could decrypt it, so you're no better off. What should probably happen is that it generates a profile of hardware attributes unique to your computer i.e. MAC address of your network interface, hard drive serial number, etc. and maybe some less unique things like amount of RAM, number of CPU cores, etc. This is the sort of thing copy protection systems do. Then, this unique computer profile is used as the encryption key. So if someone downloads the file containing your key, the encrypted data is useless, even if they have the same type of computer with the same specs. If relevant hardware changes in your computer, you lose the auto connect setting but can just put it in again.

Re: Some bad and unfortunate news

2016-06-15 Thread AudioGames . net Forum — Off-topic room : Aprone via Audiogames-reflector


The problem is that anyone having access to the source code knows what info is being used to encrypt the key.  The malware program that would be stealing your password could then just as easily view the same MAC address/system specs/attributes and again use it to decrypt the key.  It would take a little more work on the part of the malware, but because these extra steps wouldn't actually make the encrypted key more secure, it would only offer users a false sense of security.  Storing in plain text is not the way a password should be stored, but making it seem encrypted when the key can be easily found, would actually be more misleading IMO.

Re: Some bad and unfortunate news

2016-06-15 Thread AudioGames . net Forum — Off-topic room : masonian via Audiogames-reflector


@aprone, very true there. That's the problem with making open source things, it's easily hackable.

Re: Some bad and unfortunate news

2016-06-17 Thread AudioGames . net Forum — Off-topic room : sneak via Audiogames-reflector


Python is very easy to learn. The code for NVDA remote is open source. If you want to encrypt it, you are all smart enough to write up your own encryption methods. You could even sell unique methods to people who don’t know how to code, or just give them to them for free. Though really. The only reasons I could see for using auto connect is for server administration, and in that case I’d rather use SSH. Using NVDA remote as a server manager means you’re using open source programs, (Highly unsecure), to gain access to your server. To make this viable, you would have to write up your own security protocols unique to your own specifications, within either the plugin itself, or your own plugin. The easiest way to get an accessible and secured network to your machine is through SSH. I’ve never tunneled into a windows machine, but I’m sure there are guides out there for it. I recommend PuTTY.

Re: Some bad and unfortunate news

2016-06-18 Thread AudioGames . net Forum — Off-topic room : blindndangerous via Audiogames-reflector


We'll see what Q does for his next version of Remote, apparently it's nearly done.

Re: Some bad and unfortunate news

2016-06-20 Thread AudioGames . net Forum — Off-topic room : vlad25 via Audiogames-reflector


Hi. Well guys, the best secure thing on anywhere is to change the passwords periodically which means every week or every month. Doing this will result in the hardest way to get hacked.

Re: Some bad and unfortunate news

2016-06-21 Thread AudioGames . net Forum — Off-topic room : Sebby via Audiogames-reflector


I don't get it. What does this have to do with the code heists? Who uses NVDA Remote with auto-connect on? Who is sharing NVDA Remote passwords? Who runs code from untrusted sources, and which code is it that's stealing NVDA Remote credentials? Really, it seems to me that a little common sense is missing in action here. Don't leave yourself vulnerable if you don't have to! Don't run stuff if you don't know what it's for, don't share your passwords with people who shouldn't have them, and don't leave the back door ajar for absolutely no reason at all. That's not the software's fault. That's a problem between the keyboard and the chair.

Re: Some bad and unfortunate news

2016-06-21 Thread AudioGames . net Forum — Off-topic room : Figment via Audiogames-reflector


One thing to consider, even though the encryption method used would be readily accessible if Remote encrypted the key, such an attack would be specifically targeted at NVDA Remote users using auto connect. For general attacks an encrypted key would look like just so much gibberish. Which would be preferable to storing it in plain text. @Sebby [rant] Get off your high horse! You are nowhere near as perfect as you think you are, and seeing you lord it over the rest of us as if you were is just plain disgusting. With posts like that, you don't deserve the status of moderator because that post proves that you yourself need moderating! [/rant]

Re: Some bad and unfortunate news

2016-06-21 Thread AudioGames . net Forum — Off-topic room : Sebby via Audiogames-reflector


@Figment: Very good, I'll turn myself into the other moderators. Nevertheless, I see nothing wrong with that post. I'm open to suggestions on how it could be improved.

Re: Some bad and unfortunate news

2016-06-21 Thread AudioGames . net Forum — Off-topic room : nightshade via Audiogames-reflector


@Sebby, I totally agree that this is a user issue. If people didn't leave the door ajar, they wouldn't be hacked in this way. It's like leaving your front door unlocked and then getting mad when someone enters your house and calling it a break in. If the developers of NVDA remote want to make a fix for it, great, but really if they don't I wouldn't shaft them for it either. When you run a piece of software, even an add on. You should know how it works, and what it does. @figment, I see nothing wrong with Sebby's post, he was just stating the obvious here in my opinion, but the other mods can weigh in as well of course. You seem angry for some reason, and I'm not sure why that is.

Re: Some bad and unfortunate news

2016-06-21 Thread AudioGames . net Forum — Off-topic room : Nocturnus via Audiogames-reflector


Agreed with posts 39 and 40.  While not everyone hides behind a router, many people do, which brings us to a total of two things that need to happen in order for anyone to be hacked:
1.  Your IP address must be discovered.
2.  Your ports must be properly forwarded in order for such a connection to be successful.
Let's make it 3, honestly, because I can.  The person in question who is trying to hack you must know that your computer is running as a server to which they can connect.  I'll take it further than Nightshade, because I can do that too.  It's like placing a sign on your front yard that in neon writing that blatantly screams, "OPEN MY UNLOCKED DOOR!"

Re: Some bad and unfortunate news

2016-06-21 Thread AudioGames . net Forum — Off-topic room : Nocturnus via Audiogames-reflector


Agreed with posts 39 and 40.  While not everyone hides behind a router, many people do, which brings us to a total of two things that need to happen in order for anyone to be hacked, if you really want to call it that, assuming you don't connect directly to the outside world with your PC:
1.  Your IP address must be discovered.
2.  Your ports must be properly forwarded in order for such a connection to be successful.
Let's make it 3, honestly, because I can.  The person in question who is trying to hack you must know that your computer is running as a server to which they can connect.  I'll take it further than Nightshade, because I can do that too.  It's like placing a sign on your front yard that in neon writing that blatantly screams, "OPEN MY UNLOCKED DOOR!"

Re: Some bad and unfortunate news

2016-06-21 Thread AudioGames . net Forum — Off-topic room : Dark via Audiogames-reflector


Moderation! Looking at this discussion from a fresh perspective I do believe I can see the issue here. While Sebby's points about security are valid, at the same time given the problems Mason has had with hacks, Sebby's tone could come across as somewhat abrupt and accusatory without meaning to. I would therefore recommend that in future when dealing with an issue which has caused problems in the past, taking into account the fact that internet posts have no tone and attempting to be as clear as possible with intentions is a good idea. Equally however Figment, I do think your reaction was a little too overboard here, simply a "remember that Mason has had problems with security" might have been enough, since Sebby's post was not! actually insulting, just possibly slightly abrupt if considered in the wrong tone. Hope this clears the air for everybody.

Re: Some bad and unfortunate news

2016-06-22 Thread AudioGames . net Forum — Off-topic room : Sebby via Audiogames-reflector


Re: Some bad and unfortunate news

For the avoidance of doubt, in case it wasn't already clear, that post was _not_ meant to be insulting. It should go without saying, I hope.

I can see, though, that if I were to clarify that I was asking an honest question, as opposed to suggesting that nobody did it without being intentionally stupid, the tone would have been clearer. I won't edit my post at this stage, but I'll apologise for not being clearer about it. Sorry about the abruptness of the post.

And I really _do_ now want to have answers to the questions. Who is doing it? Why are they doing it?


Audiogames-reflector mailing list

Re: Some bad and unfortunate news

2016-07-06 Thread AudioGames . net Forum — Off-topic room : criticview via Audiogames-reflector


Re: Some bad and unfortunate news

Hmm

A lot to think about and consider. One thing's for sure, NVDA Remote will no longer stay on auto connect at this stage, I still have physical access to the machine I have NVDA remote running on. At sneak: ssh is open source so it's no argument to use it because nvda remote is open source as well. Some sort of machine specific key, with enough encryption, and an allowed hosts file, preferably encrypted as well, might go a long way to protect against unauthorized access. If it somehow would be possible to throw nvda remote behind a vpn with only your machines having access to that vpn, that at least would make things a bit safer. Also the ability to configure the add-on to use custom ports could help. Enough ramble on my part ...


Audiogames-reflector mailing list

Re: Some bad and unfortunate news

2016-07-06 Thread AudioGames . net Forum — Off-topic room : crashmaster via Audiogames-reflector


Re: Some bad and unfortunate news

Hi.

Well, the only time I run autoconnect at all is if I need to, say, restart a system during admin tasks. Then it gets turned off. I have been using a key I can remember, now I will use the generator. I don't need to be active all the time on a system for much bar support. And if I wanted to permanently manage something I would probably buy a package like teamviewer or something to do that; in fact if I needed to do that it would justify the cost of such a program. Nvda remote was only meant in its basic form as a support app, it was not for a server manager. I also don't think it was meant to be used as such, hence the insecure nature of autoconnect. It's open source though, so in theory you could use it as an engine and write in security. However I'd still like an independent program, not just tied to nvda, to remote a system with all the security. I am not sure about python but if you could integrate the gpg or pgp engines into that, it's the standard of encryption. Myself I store a lot of personal files on the cloud zipped. These are password protected as well as my account. 2 step authentication sounds really nice. Up to the point that every app you connect to your account, say gmail, has to have a different password, that includes every app on your pc or device including the pc or device. You have to accept codes to your phone all the time to keep things valid and while it could be more secure it kind of gets annoying after a while. Whenever I connect to something like a remote I never use the same key anyway. It goes without saying you should connect on a clean system. In theory unless you are unlucky all your windows flaws should be patched anyway, unless they aren't of course. Saying that, linux is what you do if you really want something to work with.


Audiogames-reflector mailing list

Re: Some bad and unfortunate news

2016-07-07 Thread AudioGames . net Forum — Off-topic room : ghost rider via Audiogames-reflector


Re: Some bad and unfortunate news

I never even keep NVDA Remote installed. I use it for one thing then uninstall it. Not ready for that security breach.


Audiogames-reflector mailing list

Re: Some bad and unfortunate news

2016-07-07 Thread AudioGames . net Forum — Off-topic room : livrobo via Audiogames-reflector


Re: Some bad and unfortunate news

Why uninstall it? It seems like a lot of people are overreacting a bit. If you don't use auto-connect you won't have a problem. If you do use auto-connect, you should have other security measures in place, but that goes for any remote solution.


Audiogames-reflector mailing list

Re: Some bad and unfortunate news

2016-07-08 Thread AudioGames . net Forum — Off-topic room : raygrote via Audiogames-reflector


Re: Some bad and unfortunate news

I agree with Livrobo on this. There is no reason to uninstall NVDA remote simply because you now know how easy it is to use it to get personal information. Especially with the information about it which we now have. From what I understand, you are at greater risk if you have auto-connect on, and less risk if you don't. Auto-connect should never be used as a convenience, and that does not just apply to Remote, but anything that allows for potentially dangerous operations to be carried out. You should only use auto-connect if you know the connection will be lost temporarily and you need to restore it while the two computers are miles apart. The best example is if you need to restart the computer you are remoting into.

The way to protect yourself is to be proactive with your own personal and computer security! Use antimalware if and when you need, and be careful of where you browse and who is allowed access to what.

If a hacker catches your NVDA Remote key because it is sending the key to a server which a hacker can easily trace every time you connect, then that is a problem... the hacker could theoretically get all keys that server hosts. That is indeed not safe and the user can do little to stop it without taking what I would call overly drastic measures. But I've heard no evidence of that happening yet. We can't live in the constant fear of being the first one, however. Life isn't enjoyable that way. Besides, if a hacker is determined enough, he can find a way to exploit almost anything. NVDA Remote is just an easy target due to its open source license, but it is an unlikely one.

By using the software, you are expected to know what you are getting into. Most people don't, however. And I admit I never read licenses or try to understand them. But, as much as I hate to say it, those licenses are there for a reason. The most important one is for protection, so that if something does happen, you can't blame the developer for not warning you of such possibilities. I know nobody reads a lot of that stuff, but it is there. Many license agreements do state at the bottom that the developer will not be responsible for damages as a result of misuse of the product. I'm not sure if NVDA Remote comes with that sort of disclaimer. Regardless, "open source" should automatically tell you things. If you are not knowledgeable in terms like "open source," then I am explaining it to you now. Open source is never as secure as something that is closed source, because all the code is exposed. That means any security measures introduced have to have their code exposed as well, and that means any hacker could just read what the code does and apply opposite logic. The encryption could be done in such a way as to make reverse logic difficult but because the logic is exposed, it is much easier to take advantage of no matter what you do, unless you make the program closed source.

One thing I will say is that so far as I can tell, there is no emergency way to force quit the connection on both sides to save yourself, especially if you have auto-connect on for the machine that you believe is in danger. If you have auto-connect off, you can restart NVDA and disconnect your session quickly by pressing alt control N to force restart NVDA on the side you think is in trouble, or on both sides to be safe. That only works if your desktop shortcut key is intact and operational. Alternatively you can do a quick Insert Q followed by Enter on both sides to stop the damage, but if you have auto-connect on, you will risk further damage when you restart NVDA. In this case, you may have to use Narrator or a backup screen reader to modify the NVDA configuration files to disable auto-connect, or outright delete the remote add-on. We could argue that a more professional solution would be able to work with this shortcoming and allow easier recovery from this trap, but that is for another day. At the end of it all, it is not hard to be mindful of when you use auto-connect. If using it is really such a concern, then avoiding trouble is pretty easy.

As much as the lack of interest in security by the developers may strike you as "insensitive to user's feedback," we have to accept that the decisions made by the NVDA Remote devs are not ours. However, you could hypothetically improve the add-on. If you can't, someone else can. If you really don't trust your security with Remote, it is not a free open source project's responsibility to accommodate for you.

Should the developers make it more secure? Sure! I am all for that. But that would likely mean making the add-on closed source. This complicates things, though is certainly possible. Look at Vocalizer. The synth is not open source, but the infrastructure that allows text to be sent to it is. That's why you still have to pay for the synth. If the developers decide to go 

Re: Some bad and unfortunate news

2016-07-08 Thread AudioGames . net Forum — Off-topic room : roelvdwal via Audiogames-reflector


Re: Some bad and unfortunate news

I don't get why nvda remote auto connect is less secure than teamviewer, for example. As said in the beginning of this topic, the attacker needs to get the password from the machine before he can access it. If nvda remote was secure, are there not a million other ways to get control of a system once an exe is running? firefox profiles for example? Would you say that firefox is also insecure because you can simply extract all the saved passwords from it once you have access to someone's profile? The thing that isn't being cracked isn't nvda remote encryption, it's user machines which are first given a malicious exe which then uses nvda remote for remote control. I've not researched this at all, but I imagine that there are plenty of other programs which give you remote control of a system if you have an exe running.


Audiogames-reflector mailing list

Re: Some bad and unfortunate news

2016-07-08 Thread AudioGames . net Forum — Off-topic room : ghost rider via Audiogames-reflector


Re: Some bad and unfortunate news

I didn't uninstall it only because of that. I uninstalled it because I never use it. Only occasionally.


Audiogames-reflector mailing list

Re: Some bad and unfortunate news

2016-07-09 Thread AudioGames . net Forum — Off-topic room : criticview via Audiogames-reflector


Re: Some bad and unfortunate news

True, with everything auto connecting, there are issues involved, that goes without saying. But take ssh for instance: you can use a certificate to log in which doesn't require you to enter a password all the time. Where is that certificate generated? If I remember correctly at the client side, after which it has to be transferred to the server and added into some files before it can be used. It could also be the server, and then added to a client, don't remember. Take openvpn. Setting up clients requires a certificate and a key file with 1024 bit encryption, or even 2048. It's a complicated mess to get those things in place, but at least when done properly, with a good firewall, and other measures to prevent your system to be an easy target, it at least is as secure as it can get. I do wonder why there isn't such a thing in nvda remote: instead of plain text passwords, why not make a machine specific certificate with custom parameters etc. It would probably still be hackable if you'd really put your mind to it, but it would be way harder than sending some http requests with plain text passwords as answers. Add that with custom ports, and it's even better


Audiogames-reflector mailing list
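The scheme criticview's posts ask for (a machine-specific key plus an allowed-hosts list, so that no password crosses the wire), sketched as an added example that is not part of the thread and is not NVDA Remote code. It substitutes an HMAC challenge-response over a per-machine secret for the certificates the post mentions; the machine names, the `Server` class and the `ALLOWED_HOSTS` table are hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed allow list: machine id -> per-machine secret (hypothetical names).
ALLOWED_HOSTS = {m: secrets.token_bytes(32) for m in ("laptop-01", "desktop-02")}


def client_response(machine_id, key, nonce):
    # Only this MAC crosses the wire; the key itself never leaves the machine.
    return hmac.new(key, machine_id.encode() + b"\x00" + nonce, hashlib.sha256).digest()


class Server:
    """Controlled machine: admits only enrolled machines that prove key possession."""

    def __init__(self, allowed_hosts):
        self.allowed_hosts = dict(allowed_hosts)
        self.pending = {}  # machine id -> outstanding single-use challenge

    def challenge(self, machine_id):
        # A fresh random nonce per attempt makes a captured response useless later.
        nonce = secrets.token_bytes(32)
        self.pending[machine_id] = nonce
        return nonce

    def verify(self, machine_id, response):
        nonce = self.pending.pop(machine_id, None)  # consumed even on failure
        key = self.allowed_hosts.get(machine_id)
        if nonce is None or key is None:
            return False  # no challenge issued, or machine not on the allow list
        expected = client_response(machine_id, key, nonce)
        return hmac.compare_digest(expected, response)  # constant-time compare


def attempt(server, machine_id, key):
    # One full exchange: ask for a challenge, answer it with the given key.
    nonce = server.challenge(machine_id)
    return server.verify(machine_id, client_response(machine_id, key, nonce))


def demo():
    server = Server(ALLOWED_HOSTS)
    key = ALLOWED_HOSTS["laptop-01"]
    good = client_response("laptop-01", key, server.challenge("laptop-01"))
    return {
        "enrolled": server.verify("laptop-01", good),
        "replayed": server.verify("laptop-01", good),  # challenge already used
        "unknown": attempt(server, "tablet-99", secrets.token_bytes(32)),
        "wrong_key": attempt(server, "desktop-02", key),
    }
```

This keeps the secret off the network, but a program already running on the machine can still read a locally stored key, which is the point roelvdwal's post makes about saved credentials.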