On Fri, 27 Feb 2004 [EMAIL PROTECTED] wrote:
> Prevent the user from entering passwords with 9 or more characters,
> preferably with an alert saying "VNC passwords are limited to 8
> characters, sorry."
A number of things have been conflated in this discussion. I doubt that
the vncpasswd progra
> From: Glenn Lovitz [mailto:[EMAIL PROTECTED]
> > So, you're saying that Unix clients are using this
> >famous getpasswd() function! That means it's the answer to my
> >second question in another mail that nobody has answered:
> >client chop off from the password from the 9th characters
> >be
> So, you're saying that Unix clients are using this
>famous getpasswd() function! That means it's the answer to my
>second question in another mail that nobody has answered:
>client chop off from the password from the 9th characters
>before sending it out (encrypted or not is another matter
> -Original Message-
> From: James Weatherall [mailto:[EMAIL PROTECTED]
>
> Because certain platforms only provide the first eight characters of
> passwords entered by the user via getpasswd(), the server assumes the same
> limitation, whether or not the limitation actually exists on the s
> By definition quick and dirty alternatives aren't good, they just lead to
> people trying to use them instead of using a more secure alternative. If
> you can get a VNC connection you can get a connection with a secure
> tunneling program. If you choose to not take the time to set up that
> sec
> -Original Message-
> From: Mike Miller [mailto:[EMAIL PROTECTED]
> Sent: Thursday 26 February 2004 01:18
> To: VNC List
> Subject: RE: !!!DANGER Acute security risk! WAKE UP
>
> On Wed, 25 Feb 2004, William Hooper wrote:
>
> > If one of the pl
> -Original Message-
> From: Seak, Teng-Fong
> I agree with you, Mike. This has nothing to do with cross-platform
> compatibility.
> And it's not contradictory to cross-platform compatibility either. IMHO, I would
> rather say
> this is just a matter of coding. The win version wa
> > There is the server end and there is the viewer end. Why can't the
> > servers vary in the number of characters in a password? Does the
> > viewer need to know the number of characters accepted by
> the server?
> > Why can't the server just ignore trailing characters and the server
> >
Mike,
As is described in the protocol specification, the password is checked using
a challenge-response scheme. Passwords are not sent in the clear, nor using
reversible encryption.
Wez @ RealVNC Ltd.
___
VNC-List mailing list
[EMAIL PROTECTED]
To remo
On Thursday 26 February 2004 05:18, Seak, Teng-Fong wrote:
> I knew. Well, actually, I saw. There's the "too many security failures"
> message. But I also saw that it would grant me chance to input password
> again. I'm not sure, is it about after 20 seconds? And if I programme a
> robot
On Wed, 25 Feb 2004, William Hooper wrote:
> If one of the platforms is limited you need to make the rest of the
> software respect that limitation so that you can remain cross-platform.
(This is about password length.)
There is the server end and there is the viewer end. Why can't the
servers
Seak, Teng-Fong said:
[snip]
>> > Moreover, why should "the other platforms have
>> > been made compatible with this"? This somewhat seems absurd, don't
>> you
>> > feel so?
>>
>> How do you plan on making it cross-platform?
>
> I don't get it. Why such question?
If one of the platform
> > I don't know how a VNC server handles session requests,
> > but I suppose a brute force robot tries one password before
> > trying another one instead of initiating n sessions at the
> > same time. Well, you know, iterative, or else it's not
> > called "brute force". And I suppose it need
> I don't know how a VNC server handles session requests,
> but I suppose a brute force robot tries one password before
> trying another one instead of initiating n sessions at the
> same time. Well, you know, iterative, or else it's not
> called "brute force". And I suppose it needs 1
If only hell could tell you to open your eyes and look at the bottom of every
mail ..
> -Original Message-
> From: Erick Nova [mailto:[EMAIL PROTECTED]
> Sent: Wednesday 25 February 2004 18:50
> To: Seak, Teng-Fong
> Subject: RE: !!!DANGER Acute se
> -Original Message-
> From: William Hooper [mailto:[EMAIL PROTECTED]
> Sent: Wednesday 25 February 2004 17:07
> To: [EMAIL PROTECTED]
> Subject: RE: !!!DANGER Acute security risk! WAKE UP
>
> Seak, Teng-Fong said:
> > I see. So are we sup
> -Original Message-
> From: Barn Owl [mailto:[EMAIL PROTECTED]
> Sent: Wednesday 25 February 2004 23:19
> To: [EMAIL PROTECTED]
> Subject: RE: !!!DANGER Acute security risk! WAKE UP
>
> >>Talking about security, there's one severe bug tha
>> Talking about security, there's one severe bug that
>> needs to be corrected. Months ago, someone reported that
>> even though we could define a long password, but the
>> effective number of letters is only 8 (eight)!
>
As already noted this is not a bug. A second point, Most users do _N
Seak, Teng-Fong said:
> I see. So are we supposed to live with this "feature" forever? Isn't
> there any workaround? Moreover, why should "the other platforms have
> been made compatible with this"? This somewhat seems absurd, don't you
> feel so?
How do you plan on making it cross-platf
> -Original Message-
> From: Mike Miller [mailto:[EMAIL PROTECTED]
> Sent: Wednesday 25 February 2004 16:12
> To: VNC List
> Subject: RE: !!!DANGER Acute security risk! WAKE UP
>
> On Wed, 25 Feb 2004, Seak, Teng-Fong wrote:
>
> > Talking
econd point? Anyway to define password without human
intervention?
> -Original Message-
> From: William Hooper [mailto:[EMAIL PROTECTED]
> Sent: Wednesday 25 February 2004 16:04
> To: [EMAIL PROTECTED]
> Subject: RE: !!!DANGER Acute security risk! WAKE UP
>
On Wed, 25 Feb 2004, William Hooper wrote:
> Seak, Teng-Fong said:
> > Talking about security, there's one severe bug that needs to be
> > corrected. Months ago, someone reported that even though we could define
> > a long password, but the effective number of letters is only 8 (eight)!
>
> T
On Wed, 25 Feb 2004, Seak, Teng-Fong wrote:
> Talking about security, there's one severe bug that needs to be
> corrected. Months ago, someone reported that even though we could
> define a long password, but the effective number of letters is only 8
> (eight)!
>
> I've tested with VNC
Seak, Teng-Fong said:
> Talking about security, there's one severe bug that needs to be
> corrected. Months ago, someone reported that even though we could define
> a long password, but the effective number of letters is only 8 (eight)!
This isn't a bug, it is a documented limitation.
http
> Talking about security, there's one severe bug that
> needs to be corrected. Months ago, someone reported that
> even though we could define a long password, but the
> effective number of letters is only 8 (eight)!
This is not a bug. This is a deliberate limitation of the password
mec
2004 19:11
> To: [EMAIL PROTECTED]
> Subject: Re: !!!DANGER Acute security risk! WAKE UP
>
> Carlyle:
>
> Heya. Yes, it's a safe bet that many people on this list
> have a router with port 5900 forward to a Windows machine. Of
> course, this increases "
Hi William,
> "William Hooper" <[EMAIL PROTECTED]>
> Tue, 24 Feb 2004 10:50:46 -0500 (EST)
>
> > Let me echo Jack with a bit of emphasis. Look, some of you
> > are publishing the IP addresses of your routers, the make and version
> > of your routers, WHICH PORTS YOU ARE OPENING
>
> You can get tha
Hi John,
> "John E. Peterson" <[EMAIL PROTECTED]>
>
> I agree with the problem of publishing the IP's and so forth, but
>
> You suggest using VPN and SSH. The whole problem is that a few people can't
> get it to work without the extra layers of protection. And a few of them,
> it doesn't ma
Hi Scott,
> Heya. Yes, it's a safe bet that many people on this list
> have a router with port 5900 forward to a Windows machine. Of
At least
> course, this increases "risk", but only so much as the integrity
> of what *listens* to that port, namely the VNC Server itself.
Admittedly, the time
True. And the next best thing is to pull most of the cables, virtually speaking,
by tunnelling. That way you only have one "cable" connected to the
internet. The difficulty of cracking a passphrase makes a successful
breach all but impossible.
> "Vince" <[EMAIL PROTECTED]>
> 02/25/2004 02:02 AM
>
I am sure that people can scan networks, find VNC servers, guess
passwords, etc., but this seems fairly rare. I might have seen *one* scan
for port 5900 in two years of checking daily iplogs. Things might change
any day now, so best to be cautious, but I don't imagine there have been a
lot of VNC
Carlyle:
Heya. Yes, it's a safe bet that many people on this list
have a router with port 5900 forward to a Windows machine. Of
course, this increases "risk", but only so much as the integrity
of what *listens* to that port, namely the VNC Server itself.
Of course, as I wrote ba
Carlyle Sutphen said:
> Let me echo Jack with a bit of emphasis. Look, some of you
> are publishing the IP addresses of your routers, the make and version
> of your routers, WHICH PORTS YOU ARE OPENING
You can get that from a simple port scan.
>and the ip
> addresses and operating systems of the
I agree with the problem of publishing the IP's and so forth, but
You suggest using VPN and SSH. The whole problem is that a few people can't
get it to work without the extra layers of protection. And a few of them,
it doesn't make sense that they can't connect. They seem to have pretty
st
34 matches