Risks of not using encryption

twipley
Posts: 9
Joined: 2008-08-22 15:05

Risks of not using encryption

Post by twipley »

are there any risks of going without encryption, except every info i receive from the other computer could be seen by an intruder?

EDIT: i don't mind other people receiving, without my permission, copies of files that i choose to download from the other computer. nor i would really mind other people seeing me, without my permission, helping the person in troubles with his computer. what i would care about, though, is a hacker being able to take control over the other computer, or something catastrophic like that happening.

note: the package i'm using can be found at http://tinyurl.com/ultrarat
- i'm using reverse connection. the other person has to execute remote.exe (forum topic 4530)

EDIT: you can use the package i've posted two lines above, as it is now updated with the latest vncviewer release.
Last edited by twipley on 2009-03-03 01:36, edited 9 times in total.
YY
Posts: 996
Joined: 2006-11-13 15:11

Re: Risks of not using encryption

Post by YY »

The viewer in your package is ver 1.0.4 RC11

According to the information from Core Security, the vulnerable packages are UVNC 1.0.2 and 1.0.5, so I believe the 1.0.4 series is affected too.

Since you are using listening mode, you should update the viewer to protect your pc.

twipley wrote: i don't mind other people receiving, without my permission, copies of files that i choose to download from the other computer. nor i would really mind other people seeing me, without my permission, helping the person in troubles with his computer. what i would care about, though, is a hacker being able to take control over the other computer, or something catastrophic like that happening.
Even if you don't mind other people seeing your operation, or copying any information when you download it from the remote computer, YOU SIMPLY SHOULD NOT ALLOW THIS TO HAPPEN.

This information is not your property, and you should not determine whether it is disclosable, important or not. The client may not be technically minded enough to understand the risk, and as Technical Support, we should NOT do anything that results in the client's system becoming vulnerable, or their information being disclosed because of OUR IMPROPER OPERATION.

You should consider using the DSMplugin.

Just my humble opinion.
Last edited by YY on 2009-02-13 06:32, edited 1 time in total.
twipley
Posts: 9
Joined: 2008-08-22 15:05

Re: Risks of not using encryption

Post by twipley »

thanks for the info, yy. still, concerning the "unsecure" vncviewer, i remain doubtful, because after having read the red and blue lines on the page it seems to me that my viewer is used as a "server?"

have a good day yy,
and all others who read this ;)
Last edited by twipley on 2009-02-24 14:03, edited 1 time in total.
YY
Posts: 996
Joined: 2006-11-13 15:11

Re: Risks of not using encryption

Post by YY »

twipley wrote:as for the "unsecure" vncviewer, i'm still doubtful, because after having read the red and blue lines on the page it seems to me that my viewer is used as a "server?"
Yes, in a way we may consider the viewer to be working like a server.

What is a server? There are a lot of them, like Web Server, VNC Server, SQL Server.

They work for different purposes, but have one thing in common.
They listen on a particular port, and wait for a connection and the request to do their jobs.

So it is similar to a VNCviewer in listening mode. It listens on 5500 and waits for the connection of a VNCserver.
That's the point. IT WAITS FOR THE CONNECTION.

The vulnerability is that an attacker can craft a special program to connect to such a vulnerable listening viewer and execute their code, which may result in damage to your system.

Again, I think the 1.0.4 series is not safe; you should update the viewer, especially if you need to use it in listening mode.
twipley
Posts: 9
Joined: 2008-08-22 15:05

Re: Risks of not using encryption

Post by twipley »

thanks yy, but i thought they said: "if you are connecting to untrusted VNC servers, it is highly recommended to update your vncviewer to the fixed one." because i am not connecting to a server, but myself am the server.
JDaus
Friend of UVNC
Posts: 537
Joined: 2007-03-17 11:00
Location: Sydney, Australia

Re: Risks of not using encryption

Post by JDaus »

twipley wrote:thanks yy, but i thought they said: "if you are connecting to untrusted VNC servers, it is highly recommended to update your vncviewer to the fixed one." because i am not connecting to a server, but myself am the server.
You are opening a listening port to the internet, so therefore anyone can connect to your viewer if they know or find your IP ... i would highly recommend you update your package with the latest viewer, as it is NOT in any way shape or form secure.
ask a silly question and remain a fool for 5 minutes...
don't ask, and remain a fool for life - JDaus 2003

without imperfections, neither you nor i would exist - Steven Hawkins
__
JD
SCPrompt - OpenSource Free Remote Screen\Desktop Sharing Solution
SecureTech.com.au
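
As an added example (not from the thread or the UltraVNC project), the sketch below checks the point YY and JDaus make about listening mode: it scans Windows `netstat -ano` output for a listener on port 5500 and reports how widely it is bound. The sample output, PIDs and function names are constructed for illustration.

```python
import ipaddress
import re

# Port 5500 is the listening-viewer port named in the thread.
VIEWER_PORT = 5500

# Matches TCP listener rows as printed by Windows `netstat -ano`.
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")

# Constructed sample output (not captured from a real machine).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       948
  TCP    0.0.0.0:5500           0.0.0.0:0              LISTENING       4312
  TCP    192.168.1.20:49712     203.0.113.7:443        ESTABLISHED     2210
  TCP    [::]:5500              [::]:0                 LISTENING       4312
"""

def classify(addr):
    """Return how widely a bound address accepts connections."""
    ip = ipaddress.ip_address(addr.strip("[]").split("%")[0])
    if ip.is_unspecified:
        return "any"        # 0.0.0.0 or [::]: every interface on the machine
    if ip.is_loopback:
        return "loopback"   # only programs on this machine can connect
    return "lan" if ip.is_private else "public"

def find_viewer_listeners(netstat_text, port=VIEWER_PORT):
    """Return (address, pid, exposure) for each listener on the viewer port."""
    hits = []
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if m and int(m.group(2)) == port:
            hits.append((m.group(1), int(m.group(3)), classify(m.group(1))))
    return hits

if __name__ == "__main__":
    for addr, pid, exposure in find_viewer_listeners(SAMPLE):
        print(f"viewer port {VIEWER_PORT} bound to {addr} (pid {pid}): {exposure}")
```

A bind to every interface only describes the local machine; whether the port can be reached from the internet also depends on the router or firewall forwarding it.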
twipley
Posts: 9
Joined: 2008-08-22 15:05

Re: Risks of not using encryption

Post by twipley »

thanks yy and jdaus.

do you know where i can find the main differences between my previous version and the newer version i'm upgrading to? for example, with the newer i can help vista users from my xp machine?

plus, what is the difference between vncviewer and vncviewer_tab packages?

thanks,
farewell,
arrivederchi

twipley-shape-form
YY
Posts: 996
Joined: 2006-11-13 15:11

Re: Risks of not using encryption

Post by YY »

As far as I know, the VNCviewer hasn't changed much since 1.0.2.
Most of the upgrades are security patches or minor bug fixes.

If you are talking about the support/compatibility with Vista, the vncviewer is not a problem. It can run on Vista smoothly.

However, SC (the remote.exe you used) is not so good when running on Vista. The developer had considered retiring this project and replacing it with PcHelpWare.

But there are a lot of fans of SC. They developed their own versions to support Vista, such as:
NiTr0's SC Builder 2009 (forum topic 14063)
Caramel's SC + Vista Compatibility - WORKING!!!!!! (forum topic 11485)

twipley wrote: what is the difference between vncviewer and vncviewer_tab packages?
I have never used vncviewer_tab before; maybe these threads can tell you more:
what's the difference between 'DirectX viewer' and 'viewer'? (forum post 55490)
1.05.2 Tabbed Viewer (forum post 53624)
twipley
Posts: 9
Joined: 2008-08-22 15:05

Re: Risks of not using encryption

Post by twipley »

YY wrote:
twipley wrote:i don't mind other people receiving, without my permission, copies of files that i choose to download from the other computer. nor i would really mind other people seeing me, without my permission, helping the person in troubles with his computer. what i would care about, though, is a hacker being able to take control over the other computer, or something catastrophic like that happening.
Even if you don't mind other people seeing your operation, or copying any information when you download it from the remote computer, YOU SIMPLY SHOULD NOT ALLOW THIS TO HAPPEN.

This information is not your property, and you should not determine whether it is disclosable, important or not. The client may not be technically minded enough to understand the risk, and as Technical Support, we should NOT do anything that results in the client's system becoming vulnerable, or their information being disclosed because of OUR IMPROPER OPERATION.
that's not worse than talking or videoing through live messenger, though. of course, like you've noted, one that would send confidential infos completely unencrypted is just playing with fire, or simply not knowing the risks of doing so.

true, for the technician, he must operate within certain guidelines. but with friend helping friend (as i do), he may continue using the remote sc i was talking about (which does not support encryption). but i think when someone understands someone might be sniffing on the data, care should be used in not transferring any form of confidential data.

when the other person writes up his password in a window, though, i wonder if his keypresses are caught by ultravnc and sent back to me in some form or another. i think they aren't, so it would be safe, but still i wonder. risks are being calculated here, to see if they are present at all. because the only confidential thing i ever remember having done through ultravnc is letting the friend enter his password (in asterisk form) when some site prompted for it.

thanks, and thanks for letting me know i should always update to most recent vncviewer. also thanks for letting us be aware of the risks of not using encryption. i do not encrypt my ongoing msn messenger conversations, nor my email conversations, so why would i encrypt my operations when i help a friend solve his problems? as i see it, the goal is to not share any confidential data, unless one is sure the connection is encrypted.
Last edited by twipley on 2009-03-01 03:05, edited 2 times in total.
twipley
Posts: 9
Joined: 2008-08-22 15:05

Re: Risks of not using encryption

Post by twipley »

sorry, i've browsed through the site, and found no mention of this. i assume client keypresses aren't being transmitted to the techie?
JDaus
Friend of UVNC
Posts: 537
Joined: 2007-03-17 11:00
Location: Sydney, Australia

Re: Risks of not using encryption

Post by JDaus »

from what i know, on the server side, key presses are NOT captured (only screen changes), on the viewer side keypresses ARE captured (and sent to the server) ... but i could be wrong, i'm not a developer
ask a silly question and remain a fool for 5 minutes...
don't ask, and remain a fool for life - JDaus 2003

without imperfections, neither you nor i would exist - Steven Hawkins
__
JD
SCPrompt - OpenSource Free Remote Screen\Desktop Sharing Solution
SecureTech.com.au
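
As an added example (not from the thread or from UltraVNC's code), the decoder below walks a viewer-to-server byte stream using the base RFB message layouts from RFC 6143, to show which fields an unencrypted session carries in the clear in each direction. The sample bytes are constructed by hand, the function name is hypothetical, and UltraVNC's own extensions such as file transfer and chat are not modelled.

```python
import struct

# Base RFB client-to-server message types with a fixed size (RFC 6143, 7.5).
FIXED = {0: ("SetPixelFormat", 20), 3: ("FramebufferUpdateRequest", 10),
         4: ("KeyEvent", 8), 5: ("PointerEvent", 6)}
# Base RFB server-to-client message types (RFC 6143, 7.6): none carries keys.
SERVER_TYPES = {0: "FramebufferUpdate", 1: "SetColourMapEntries",
                2: "Bell", 3: "ServerCutText"}

# Constructed sample of what a viewer sends (built by hand, not a capture).
SAMPLE = (b"\x02\x00\x00\x02" + struct.pack(">ii", 0, 1)   # SetEncodings, 2 entries
          + b"\x04\x01\x00\x00\x00\x00\x00\x68"             # key down, keysym 0x68
          + b"\x04\x00\x00\x00\x00\x00\x00\x68"             # key up, keysym 0x68
          + b"\x05\x01" + struct.pack(">HH", 100, 200)      # button 1 at (100, 200)
          + b"\x06\x00\x00\x00\x00\x00\x00\x04note")        # clipboard text

def walk_client_messages(stream):
    """Decode a viewer-to-server byte stream into (name, detail) tuples."""
    out, i = [], 0
    while i < len(stream):
        mtype, detail = stream[i], None
        if mtype in FIXED:
            name, size = FIXED[mtype]
            if i + size > len(stream):
                raise ValueError("truncated " + name)
            if mtype == 4:    # down-flag, 2 pad bytes, 32-bit keysym
                down, keysym = struct.unpack_from(">xBxxI", stream, i)
                detail = (bool(down), keysym)
            elif mtype == 5:  # button mask, x, y
                detail = struct.unpack_from(">xBHH", stream, i)
        elif mtype == 2:      # SetEncodings: pad, count, count * int32
            (count,) = struct.unpack_from(">xxH", stream, i)
            name, size, detail = "SetEncodings", 4 + 4 * count, count
        elif mtype == 6:      # ClientCutText: 3 pad bytes, length, text
            (length,) = struct.unpack_from(">xxxxI", stream, i)
            name, size = "ClientCutText", 8 + length
            detail = stream[i + 8:i + size].decode("latin-1")
        else:
            raise ValueError("not a base RFB client message: %d" % mtype)
        if i + size > len(stream):
            raise ValueError("truncated " + name)
        out.append((name, detail))
        i += size
    return out

if __name__ == "__main__":
    for name, detail in walk_client_messages(SAMPLE):
        print(name, detail)
```

In the base protocol the helper's keystrokes, clicks and clipboard are the plaintext fields, while what the remote user types comes back only as screen pixels; both directions are what an encryption plugin such as the DSM plugin mentioned earlier in the thread is meant to protect.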
twipley
Posts: 9
Joined: 2008-08-22 15:05

Re: Risks of not using encryption

Post by twipley »

thanks, jd. i, too, think that should be the case.

love,
twipley
Last edited by twipley on 2009-03-01 03:05, edited 3 times in total.