X-ray scanners, CCTV cams, hefty machinery ... let's play: VNC Roulette!

X-ray equipment, farm machinery, electricity generators. Security cameras, desktops with browsers logged into Facebook, stock inventory software. Sales registers, home alarm equipment ... the list goes on. All this and more on VNC Roulette: a website that popped up this week to remind us of the kinds of sensitive systems …

  1. Herby

    Fun to scan through

    From the looks of it, there are quite a few copier systems in hotels (at various prices) that are exposed.

    My fun would be to set up something that would be like the WOPR and have "Global Thermonuclear War" on it just to see who takes the bait.

    Then again it could be quite subtle: "White House Access Control", but that would be redundant (*SIGH*).

  2. Anonymous Coward

    Thanks Chris.

    "VNC lets people share their desktops over networks so they can access software and files from other computers. This is handy if you want to check into your home PC or some equipment on the other side of a site while away"

    I always wondered what VNC was.

    May as well buy the Daily Mail for my tech news.

    1. diodesign (Written by Reg staff) Silver badge

      Re: Thanks Chris.

      I'm writing a few pieces about parallel programming, Intel CPUs, and OpenCompute servers. Maybe they'll be more up your street.

      C.

      1. Anonymous Coward

        Re: Thanks Chris.

        Maybe, yes.

        I come here to learn and get informed opinion,

        Cut the dumbed down stuff out and I'll be much more on message :-)

    2. Gene Cash Silver badge

      Re: Thanks Chris.

      I didn't know what VNC was for a long time, because I'm a unix sort, and VNC is a mostly Windows thing.

      I'd much rather have "random TLA" be quickly explained, even if I know it, than have to stop and Google it if I don't.

      1. Michael Thibault

        Re: Thanks Chris.

        It would be useful to have acronyms and abbreviations expanded--even at some length--via balloons/tooltips/flyovers, etc. I've mentioned it before, and even tried it (unsuccessfully) in the comments. A little pre-processing, perhaps. A little grep joy-riding across the site. Who knows? Probably could be done. And, being relatively unobtrusive, this approach would leave the information accessible (practically on-screen), but won't slow down anyone already in-the-know, but unknowingly hurrying to their appointment with the underside of a bus.

        As for VNC Roulette: a UI Horrors Roll if ever I saw one.

      2. petur

        Re: Thanks Chris.

        Funny that... VNC is way more popular on Linux because it is the only thing available to share your desktop (and is easy to set up). Windows users use Remote Desktop that is part of Windows and is vastly superior.

        (NX is getting there but only recently)

        1. Chemist

          Re: Thanks Chris.

          "VNC is way more popular on linux because it is the only thing available to share your desktop (and is easy to setup)."

          Interesting. So the rdp session I've got running at the moment from my OpenSUSE laptop to a raspberry pi is just a figment of my imagination. Admittedly I've just installed the pi end and not exercised it much yet but it is working.

          Thank you for the incentive to try.

        2. Paul Crawford Silver badge

          Re: NX is getting there but only recently

          What, you mean to say administering a *NIX system over an SSH command terminal is new?

          Or maybe using ssh -X to allow running an X-windows program’s GUI on your local machine tunnelled over a secured link is also "recent"?

          1. petur

            Re: NX is getting there but only recently

            No, I mean taking over an existing desktop (i.e. shadowing in NX terms). Been available as payware for a while but I just recently saw it got working in X2go

            As for RDP mentioned above: and when did that take off? Granted, I don't check every month how some tech advances, I sometimes have work to do ;)

            1. Chemist

              Re: NX is getting there but only recently

              "As for RDP mentioned above: and when did that take off? Granted, I don't check every month how some tech advances, I sometimes have work to do ;)"

              Version I'm using seems to be ~Nov 2013, but there are several later versions

          2. herman

            Re: NX is getting there but only recently

            VNC is promoted as 'easy'. The problem is that the only easy thing about it is the 'getting hacked' part. In my experience SSH is easier and better, so it is hard to fathom why people keep messing with VNC.

            1. P. Lee

              Re: NX is getting there but only recently

              >In my experience SSH is easier and better, so it is hard to fathom why people keep messing with VNC.

              SSH with a text terminal is great over a WAN, ssh -X ... not so much. The display compression VNC adds makes it more usable. Also, I see a Mac VNC session in the example. Mac XWin is truly awful in speed terms.

              Just a thought... is the problem VNC, some sort of network PnP port forwarding (they didn't mean to share outside the local LAN) on the routers or people who genuinely didn't realise that port forwarding wasn't a good idea without hardened services? I didn't think we had too many hosts connected to the internet directly with modems any more, so this indicates firewalling issues. Running insecure services on a small local LAN often isn't a problem - it isn't a good idea, but most people wouldn't expect it to be a large problem.

              Or maybe it's people who have already been hacked and VNC is being used as a backdoor?

            2. Number6

              Re: NX is getting there but only recently

              "VNC is promoted as 'easy'. The problem is that the only easy thing about it is the 'getting hacked' part. In my experience SSH is easier and better, so it is hard to fathom why people keep messing with VNC."

              It has its uses. Mostly I use ssh because all I need is a terminal window and that will do pretty much what I want. Where VNC comes in handy is where you need to set up a GUI application for a remote user, such as my father, who can be a tech support nightmare. I can set up a VNC session as him and either see what error he's getting on a GUI program or configure it properly for him. While it's theoretically possible to set up Thunderbird (as an example) entirely with text files, it's a lot faster with a GUI.

              That doesn't mean I dispense with ssh - I need that to get in to the machine and start the VNC session, which then gets taken down when I've finished with it.

        3. Grease Monkey Silver badge

          Re: Thanks Chris.

          "VNC is way more popular on linux because it is the only thing available to share your desktop "

          Nope. There's an RDP server for Linux and it's been around for some time. Which is useful because it allows you to control your Linux machine from somebody else's Windows machine without installing a client.

          However I just don't see the need in this day and age to remote control your desktop, whatever the OS.

          1. Chemist

            Re: Thanks Chris.

            "However just don't see the need in this day and age to remote control your desktop, whatever the OS."

            Well apart from a collection of raspberry pies, I also access my fileserver, mostly by ssh or fish but often by ssh/VNC

      3. Anonymous Coward

        Re: Thanks Chris.

        "because I'm a unix sort, and VNC is a mostly Windows thing."

        What !

      4. Mage Silver badge

        Re: Thanks Chris.

        MS RDP is the "Windows Thing", VNC is cross platform and often on Linux by default, you have to add it to Windows.

        It's usually a connection to an existing running local desktop*, unlike running X over a network, nothing is "lost" if connection is dropped, you just reconnect. So unlike X the desktop resolution is what ever it is on your target machine, the client opens a window to it, so having higher "resolution" client than remote helps.

        https://en.wikipedia.org/wiki/Virtual_Network_Computing

        Using a VPN to the VNC server is another idea.

        [*No, I don't know how to set up a VNC server on a computer with no graphics card, though the target's keyboard, screen and mouse could be disconnected (or off), I suppose.]

        1. Mike 16

          how to set up a VNC server on a computer with no graphics card

          Last millennium, IIRC, there was an "Embedded VNC server" (Open Source, vanilla C) that one could use with whatever your widget already used to paint into a bitmap style display. Details vague, but you just had to add a socket library and a few hooks for it into your draw/expose code.

    3. This post has been deleted by its author

    4. anonymous boring coward Silver badge

      Re: Thanks Chris.

      Even nerds get rusty. I first thought it was some random acronym that resembled that connection software, before realising that VNC was indeed VNC.

      1. PNGuinn

        Re: Thanks Chris.

        It seems to me that the problem is that this field of ours is now so vast that most of us only spend our lives grazing in a small part of it. We spend so much time trying to avoid the cowpats in our own little bit that we have little or no time to explore the whole field.

        However much we want to broaden and expand our horizons.

        That's why I find sites like this so useful. It doesn't treat us all as idiots - it'd very swiftly lose most of its readership if it did - but it is prepared to give the less knowledgeable amongst us a bit of help. It's a fine line to draw, but generally I think it succeeds well.

        It's not just articles which give me the opportunity to learn something new or different, this site has attracted an "interesting" commentardery.

        Some people here are obviously very experienced (not just in IT) and that knowledge shared is invaluable - especially when it can be debated in a mature and open forum.

        And it's nice to have a bit of fun.

    5. Anonymous Coward

      Re: Thanks Chris.

      Any key.

  3. Bluto Nash

    College lecture room?

    That software looks interesting. Anyone know what it is?

    1. Martin Summers Silver badge

      Re: College lecture room?

      Sniffs bespoke to me.

      1. TheFirstChoice

        Re: College lecture room?

        The major players in audio visual control systems are AMX, Crestron and Extron. Often the system integrator prefers one brand of control system over the others and with some systems the integrator is the only one with access to the source materials or ability to update the controls (usually through badly written contracts that don't mandate access to those materials).

        Most of them have a way of controlling or monitoring the system remotely and it's all too easy to make the system publicly accessible and/or with default credentials available to connect to them.

  4. Chris Miller

    Or a simpler (than SSH) solution

    Don't use default ports on private services. There was an experiment done a while back putting up two honeypots running completely unpatched (MS) web servers. One was on port 80 and would be pwned within minutes. The other was on port 81 and sat there quite happily for weeks on end.

    This solution isn't recommended for really sensitive stuff, but should be good enough to protect your torrents.

    1. Chemist

      Re: Or a simpler (than SSH) solution

      "This solution isn't recommended for really sensitive stuff, but should be good enough to protect your torrents."

      It certainly cuts down the amount of attempted accesses: I've had a ssh port open to the internet for years but on a non-standard port (and with tight authentication etc.) and I've only ever had 1 attempt on the non-standard port.

      1. badger31

        Re: Or a simpler (than SSH) solution

        I used the trick on one of my servers. It was constantly being hit with login attempts over ssh. None ever succeeded, but I didn't like it. I changed the ssh port away from 22 and problem solved.

        I tried denyhosts, but occasionally locked myself out trying to remember the right password. Not an insurmountable problem, but it's not (or wasn't, maybe) trivial to unblock an ip address.

    2. Mage Silver badge

      Re: Or a simpler (than SSH) solution

      I use port 80 for VPN on my system, on the basis that some random place that has Internet access doesn't block port 80 outgoing and I don't run a public facing web server at home (I have hosting for those).

      1. This post has been deleted by its author

      2. Anonymous Coward

        Re: Or a simpler (than SSH) solution

        Better on 8443. You sometimes get networks that try to transparently proxy port 80, but they usually leave 8443 alone and unmolested.

    3. Adam 1

      Re: Or a simpler (than SSH) solution

      You are basically arguing the merits of security through obscurity there...

      1. vagabondo

        Re: Or a simpler (than SSH) solution

        @Adam1

        >You are basically arguing the merits of security through obscurity there...

        The rationale is not so much for security as considerably reducing log-file sizes (and increasing readability), plus taking some load off system resources by sidestepping continuous brute-force onslaughts.

      2. Sandtitz Silver badge

        Re: Or a simpler (than SSH) solution @Adam 1

        The actual connection is likely using the same SSH standards everyone else is using. Perhaps using a non-standard port is security through obscurity, but since it works his argument is valid.

      3. Chemist

        Re: Or a simpler (than SSH) solution

        "You are basically arguing the merits of security through obscurity there..."

        No (if you mean me) I'm arguing for using every means possible to increase security. Using a non-standard port doesn't stop anyone specifically targeting you but it does reduce the noise. I still use passwords on ssh but they're 20 char hard passwords and only one user with a very unusual name is allowed access and that to a very limited account and that to limited times of the day if I'm feeling paranoid !

      4. Anonymous Coward

        Re: Or a simpler (than SSH) solution

        "You are basically arguing the merits of security through obscurity there..."

        Only in the same way a password is just security through obscurity. Diff. is that you can make passwords long and difficult ( how many are !) but there's only so many ports that can be used.

        1. Adam 1

          Re: Or a simpler (than SSH) solution

          > but there's only so many ports that can be used.

          65536 to be precise.

          So as a password it is comparable to a 3 to 4 digit numerical PIN; or comparable to a password made up of a single English word that is in common use. It just isn't enough as a substitute method.

          1. Sandtitz Silver badge

            Re: Or a simpler (than SSH) solution @Adam 1

            "65536 to be precise."

            65535 to be precise. Port 0 is really unusable.

          2. Chemist

            Re: Or a simpler (than SSH) solution

            "65536 to be precise.

            So as a password it is comparable to a 3 to 4 digit numerical PIN"

            Not quite sure the point you are making. I've already said that moving ports doesn't stop a determined attacker. After all in ~12 years of having sshd open on a unusual port I have had 1 attempt that found that port. Any number of attacks go for port 22. I take that as reasonable evidence that shifting ports has a noticeable effect.

            I was merely pointing out that much of what we call security is in fact by obscurity, and passwords are no exception - that's why they need to be long and non-obvious.

            Almost everything helps confuse or slow an attacker - hence I use a very unusual username and very hard password* , just one account is available and then for a couple of hours a day

            *Example would be QspSbitjfphxtfjt1eUu which is never written down or remembered but generated from a memorized passphrase by a little c program and pasted. Of course I only use that sort of thing for important passwords like banking or ssh.
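Chemist describes generating a long per-service password from a memorised passphrase with a small C program. As an added example (not Chemist's program, which is not on the page), here is the same idea done with a standard key-derivation function in Python: the passphrase is the secret, a label such as `ssh:home` (a hypothetical name chosen here) acts as the salt so every service gets a different password, and the derived bytes are mapped onto letters and digits with rejection sampling so the output is uniform. The round count and 20-character length are assumptions, not anything the comment specifies.

```python
"""Derive a per-service password from a memorised passphrase (added example)."""
import hashlib
import string

# 62 printable characters; no symbols, so the result pastes cleanly anywhere.
ALPHABET = string.ascii_letters + string.digits
# 248 = 4 * 62, the largest multiple of 62 that fits in a byte. Bytes at or
# above it are rejected so that `b % 62` is uniform over the alphabet.
REJECT_ABOVE = 248


def derive_password(passphrase: str, label: str, length: int = 20,
                    rounds: int = 200_000) -> str:
    """Deterministically map (passphrase, label) to `length` characters.

    The label (e.g. 'ssh:home', 'bank') is the salt, so the same passphrase
    yields unrelated passwords for different services. If one 64-byte block
    of key material does not survive rejection sampling with enough
    characters, further blocks are derived with a per-block salt suffix.
    """
    if length <= 0:
        raise ValueError("length must be positive")
    chars = []
    block = 0
    while len(chars) < length:
        salt = f"{label}|{block}".encode()
        material = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt,
                                       rounds, dklen=64)
        for b in material:
            if b < REJECT_ABOVE:
                chars.append(ALPHABET[b % len(ALPHABET)])
                if len(chars) == length:
                    break
        block += 1
    return "".join(chars)


if __name__ == "__main__":
    # Passphrase and labels are constructed for the demo, not real secrets.
    phrase = "correct horse battery staple"
    for label in ("ssh:home", "bank"):
        print(label, derive_password(phrase, label))
```

The trade-off a practitioner should keep in mind: because the scheme is deterministic, anyone who learns one derived password and the scheme can brute-force the passphrase offline, and rotating a single password means changing its label rather than the passphrase. A password manager with random passwords avoids both problems; this is the cheaper option when you cannot carry one.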

            1. Adam 1

              Re: Or a simpler (than SSH) solution

              @chemist

              Wasn't quoting your post so not quite sure why you would take my comment to be about you and your process.

              I was quoting AC whose argument seemed to be that because people (not you obviously) choose crap passwords then running on a non default port gave the same security. I worked out the equivalent entropy it gave to point out that you really need a bad password for that to be equivalent.

              I thought my post was pretty clear that this does not preclude taking additional steps such as non default ports or port knocking or timed activation for ports. That will improve your security or at worse make no difference and doesn't really make your life harder so go ahead with my blessing. It is a great additional step, not a replacement.

      5. Adam 1

        Re: Or a simpler (than SSH) solution

        It may be what you meant but it isn't what was written and what I responded to

        > Or a simpler (than SSH) solution

        This implies that the proposed solution is a replacement.

        I simply suggested that for me to accept such advice, I would have to then accept security through obscurity on equal argument.

          Note that I am not arguing that obscurity doesn't have a part to play. When I was younger and actually went bush walking, we would often park the 4wd off the fire trail behind some shrubs or an embankment where it wouldn't be easily visible from the said fire trail. It didn't substitute for locking your doors, but it did reduce risk from the opportunist smash and grab. By all means, run on non-default ports or use port knocking; but call it a supplementary measure not a solution in its own right.
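Port knocking comes up twice in this sub-thread as the "supplementary measure" alongside non-default ports. As an added example (not anything posted by the commenters), this is the core of a knock daemon in Python: each source must hit the configured ports in order, with no more than `window` seconds between knocks, and a wrong or late knock resets that source; on success the protected port is opened for that source for a limited time. The sequence 7000, 8000, 9000, the timing constants and the packet log are all constructed for the demo.

```python
"""Port-knock sequence tracker (added example, constructed data)."""
from __future__ import annotations
from dataclasses import dataclass, field

KNOCK_SEQUENCE = (7000, 8000, 9000)   # assumed sequence for the demo
KNOCK_WINDOW = 5.0                     # max seconds between consecutive knocks
OPEN_DURATION = 30.0                   # seconds the protected port stays open


@dataclass
class KnockState:
    progress: int = 0        # knocks of the sequence matched so far
    last_seen: float = 0.0   # time of the last accepted knock


@dataclass
class KnockDaemon:
    sequence: tuple[int, ...] = KNOCK_SEQUENCE
    window: float = KNOCK_WINDOW
    open_for: float = OPEN_DURATION
    states: dict[str, KnockState] = field(default_factory=dict)
    opened_until: dict[str, float] = field(default_factory=dict)

    def knock(self, ts: float, src: str, port: int) -> bool:
        """Feed one SYN (time, source IP, destination port).

        Returns True on the knock that completes the sequence.
        """
        st = self.states.setdefault(src, KnockState())
        # Too slow: forget the partial sequence before judging this packet.
        if st.progress and ts - st.last_seen > self.window:
            st.progress = 0
        if port == self.sequence[st.progress]:
            st.progress += 1
        else:
            # Wrong knock resets; the packet may still be a fresh first knock.
            st.progress = 1 if port == self.sequence[0] else 0
        st.last_seen = ts
        if st.progress == len(self.sequence):
            st.progress = 0
            self.opened_until[src] = ts + self.open_for
            return True
        return False

    def is_open(self, ts: float, src: str) -> bool:
        """Whether `src` may reach the protected port at time `ts`."""
        return self.opened_until.get(src, 0.0) > ts


# Constructed packet log: (timestamp, source IP, destination port).
SAMPLE_EVENTS = [
    (0.0, "198.51.100.7", 7000),
    (0.5, "203.0.113.9", 7000),
    (1.0, "198.51.100.7", 8000),
    (1.5, "203.0.113.9", 9000),    # out of order: resets this source
    (2.0, "198.51.100.7", 9000),   # completes the sequence: opens
    (2.5, "203.0.113.9", 8000),
    (10.0, "192.0.2.4", 7000),
    (20.0, "192.0.2.4", 8000),     # 10 s later: window expired, restart
    (21.0, "192.0.2.4", 9000),
]


def replay(events, daemon: KnockDaemon | None = None):
    """Run a packet log through the daemon; return it and the (ts, src) opens."""
    daemon = daemon or KnockDaemon()
    opened = [(ts, src) for ts, src, port in events if daemon.knock(ts, src, port)]
    return daemon, opened


if __name__ == "__main__":
    d, opened = replay(SAMPLE_EVENTS)
    print("opened:", opened)
    print("198.51.100.7 at t=15:", d.is_open(15.0, "198.51.100.7"))
```

Only `198.51.100.7` gets through in the sample log. Note what this does and does not buy you: the sequence is sent in the clear, so anyone watching the wire can replay it; it keeps scanners out of your logs and off a service that should not be reachable at all, but the real authentication still has to happen on the port it opens.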

  5. Christian Berger

    One should note that this is not the fault of VNC

    Most of those things are perfectly good examples of when to use VNC. For example having VNC access to a GUI running on a device saves you from having special client software which will be useless in a couple of years. Since it's a comparatively simple protocol, there are multiple implementations and most platforms have at least one to choose from. Since it's trivial compared to HTML/CSS/JS it's likely to have _much_ fewer implementation errors. It probably would even be a good alternative for web services.

    The problem here is that some people put such services on the Internet without any authentication.

  6. Lee D Silver badge

    I work in schools. In one of them, we had VNC-like vision of every client PC.

    We had a wall of displays, and four-to-a-screen sessions of every machine on campus. We never "watched" it - people are even more boring when they are on a computer than in real life - but it was interesting how quickly your brain picked up on something "wrong" just by glancing at it. Because it was a really rough school, the kids played games like "Who can print out porn before IT stop it" and things like that.

    And the number of systems online is scary - one school I worked for had boilers controlled by app that included things like pump duty cycle and pressure, and could have caused all kinds of mischief. Access control. CCTV. Digital signage. There's no amount of things that are connected these days.

    Even at an (infinitely better) school, there are any number of systems that I remote into all the time. We do put passwords on EVERYTHING though, but you can see how things can be overlooked, but how they become remote-accessible? That's just laziness.

    One of the first things I did at my current place was knock off every port-forward except mail and Remote Desktop (because our users use it for everything). I was amazed how much there was. Straight port-forwards to servers, to clients (in the finance office no less!), to the phone system, to the web filter, to lots of internal web services, etc. etc. etc. I replaced it with a Smoothwall that reverse-proxies all the web content, and performs IDS/IPS on all the exposed services (mail, Remote Desktop, etc.). The amount of login attempts and other things it detected in the first week was enough to tell me that I'd done the right thing.

    I'd quite like to do something that I've seen online, though. Given that we have a compulsory webfilter already, I think it would be a good idea to have a "wall of images" that go through the filter. As we specifically say the system is for school-use only (staff and pupil), I'm not that concerned about the odd Facebook or whatever popping through but I am concerned about quite what the kids are seeing and looking for, and I think a semi-public (i.e. well-known and visible but able to be turned off) display of every image that is being requested from the filter might reinforce correct use of it. It would wake people up a bit, because I do tell them that "in theory" I can see everything they do even if takes a lot of reconstruction, but they don't seem to care what they go looking for.

    People... make sure your gateway is secure. Nothing should be accessible remotely. If you want to do that, use VPN and open ONLY the VPN ports and make sure you log and monitor access to it. And then start realising that even your users can do a port-scan / Bonjour discovery and hit quite a lot of things that you don't want them to. And start passwording and IP-limiting those things.

    Hell, even printers. The system where I work, we have NO NEED to ever access a printer by any other protocol than SMB or by any other system than the print server. But those options are all open to everyone by default. Switch them off and use ACLs on your printer shares to control access. Especially if you have billed printing!

    1. herman

      You haven't heard of driftnet?

      1. Danny 14

        +1 for Smoothwall. I moved to another school that had 10% of the budget so I needed to Smoothwall on the cheap (squid and diladele) but I did the same as I had from the Smoothwall school. The network I inherited was flat with CCTV, 814 boiler, Denford milling machines, laser cutters, the door pass system and various PC VNC monitoring systems all accessible. Luckily externally there wasn't much but still a lot of exposed web servers with HTTP logons.

        Madness what some people find acceptable.

    2. waldo kitty

      "One of the first things I did at my current place was knock off every port-forward except mail and Remote Desktop (because our users use it for everything). I was amazed how much there was. Straight port-forwards to servers, to clients (in the finance office no less!), to the phone system, to the web filter, to lots of internal web services, etc. etc. etc. I replaced it with a Smoothwall that reverse-proxies all the web content, and performs IDS/IPS on all the exposed services (mail, Remote Desktop, etc.). The amount of login attempts and other things it detected in the first week was enough to tell me that I'd done the right thing."

      +1 for the smoothwall reference :)

      kind of wish there was a way to +more for the other good things you did, too...

  7. Grumpy Fellow

    Midwest Screen Shot

    That screen shot from the midwest looks like a sewage treatment plant to me. I'll bet it's a honeypot. Nobody would put their sewage plant controls on the Internet. Would they?

  8. Anonymous Coward

    Holy shit

    There's an awful lot of SCADA systems left open to world + dog. I've just seen what looks like a building climate control system on VNC Roulette.

    ... and I've just seen a Spanish banking system ...

  9. molletts

    Not just VNC

    This reminds me of a time a few years ago when I was looking for something to do with one of our laser printers at work. Having typed a phrase from the web interface into Google, I was shocked (but not that surprised) when the search results included links to dozens of similar printers with internet-facing web interfaces. I tried half a dozen random ones and found that they all used the default username & password.

    I could have printed documents to incriminate the owners, changed settings to make them do 100 copies of everything or even uploaded PostScript code or modified firmware to siphon off (possibly sensitive) documents that were being printed to them.

    I did toy with the idea of printing a warning message to them, alerting the owners that their printers were insecure and giving them step-by-step instructions on how to change the password and a suggestion that getting a firewall would be a good idea but didn't bother in the end.

    1. herman

      Re: Not just VNC

      Years ago, I was bored and changed the LCD displays on the company laser printers all around the world to "Hamster is out of peanuts in tray 3" or similar. IT never figured out who dunnit or how.

    2. MachDiamond Silver badge

      Re: Not just VNC

      A bit of fun would be to create a memo outlining the restructuring plans of the company in the wake of the CFO embezzling all of the pension money and leaving the country. Another part could state that it is the responsibility of the executive staff to keep this issue away from the media. Maybe mentioning that business news sites/publishers would pay somebody for leaking the story.

      Ok, I'm horrible, but I do like my fun.

    3. Tim Bates

      Re: Not just VNC

      >I was shocked (but not that surprised) when the search results included links to dozens of similar printers with internet-facing web interfaces.

      I'm surprised how many "HP-Setup" and similar WiFi networks are out there... Some of them even let you scan whatever document has been left in the flatbed scanner ;)

  10. JEF_UK

    IPMI/Lights-Out + UPnP??

    A large number of these are IPMI-type devices I think. When combined with a UPnP router I think they are opening ports.

  11. Daniel Hall

    Well....

    I tried connecting to 20 hosts on that website and not a single one would connect. So I call BS

    1. Anonymous Coward

      Re: Well....

      I was wondering about the 500k VNC hosts, compared with over 3 million Remote Desktop hosts, and VNC gets the focus in the story?

      1. Anonymous Coward

        Re: Well....

        VNC in its vanilla form is unencrypted, including passwords. Passwords are also limited to 8 characters(!) and there is no separate user authentication mechanism, same password for everyone. RDP is encrypted and the authentication requires user name and a password. Badly setup credentials on both systems are of course possible and not the fault of either protocol.

        VNC is fine between tightly firewalled systems. It's slower than RDP, doesn't do multi-monitor well, nor file transfers (in vanilla VNC) but works well on even Windows 95 systems we still employ, takes next to no resources and doesn't lock out the local user when you're using the system remotely. Of course VPN is mandatory if you need to use VNC from the WAN side.

        Teamviewer blows both out of water...except you're relying on a 3rd party to relay the data, and there's a one time license payment. If you're fine with those then there really is no better alternative.
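Two points in this thread are worth seeing in bytes rather than prose: Christian Berger's observation earlier that the real problem is VNC servers put on the Internet with no authentication at all, and the remark just above that classic VNC Authentication uses a single shared password of at most 8 characters over a cleartext channel. The following is an added example, not code from the article or any VNC project. It parses the RFB security handshake as a server sends it (the 3.3 form, where the server picks one security type as a 4-byte integer, and the 3.7/3.8 form, a count followed by a list of 1-byte types), flags servers offering type 1 ("None") as open, and shows how the VNC Authentication DES key is formed from a password: first 8 bytes only, NUL-padded, each byte bit-reversed, so a 19-character password and its 8-character prefix produce the same key. The sample handshake bytes are constructed for the demo, not captured traffic; the optional network probe is included for completeness and is not exercised here.

```python
"""Inspect the RFB (VNC) security handshake and the VNC auth key (added example)."""
from __future__ import annotations
import socket
import struct

# Security-type numbers from the RFB protocol; only the common ones are listed.
SECURITY_TYPES = {
    0: "invalid/failure",
    1: "None (no authentication)",
    2: "VNC Authentication (DES challenge-response)",
    5: "RA2",
    6: "RA2ne",
    16: "Tight",
    18: "TLS",
    19: "VeNCrypt",
    30: "Apple Remote Desktop",
}


def parse_version(banner: bytes) -> tuple[int, int]:
    """Parse the 12-byte 'RFB xxx.yyy\\n' banner into (major, minor)."""
    if len(banner) != 12 or not banner.startswith(b"RFB ") or banner[-1:] != b"\n":
        raise ValueError(f"not an RFB version banner: {banner!r}")
    major, minor = banner[4:7], banner[8:11]
    if banner[7:8] != b"." or not (major.isdigit() and minor.isdigit()):
        raise ValueError(f"malformed RFB version: {banner!r}")
    return int(major), int(minor)


def parse_security_types(version: tuple[int, int], payload: bytes) -> list[int]:
    """Return the security types a server offers after the version exchange."""
    if version == (3, 3):
        # 3.3: the server decides and sends one type as a big-endian U32.
        if len(payload) < 4:
            raise ValueError("short 3.3 security-type message")
        return [struct.unpack(">I", payload[:4])[0]]
    # 3.7/3.8: U8 count, then that many U8 types; count 0 means failure
    # followed by a U32-length-prefixed reason string.
    if not payload:
        raise ValueError("empty security-type message")
    count = payload[0]
    if count == 0:
        reason_len = struct.unpack(">I", payload[1:5])[0]
        reason = payload[5:5 + reason_len].decode("latin-1", "replace")
        raise ValueError(f"server refused connection: {reason}")
    if len(payload) < 1 + count:
        raise ValueError("truncated security-type list")
    return list(payload[1:1 + count])


def assess(types: list[int]) -> str:
    """Classify the exposure implied by the offered security types."""
    if 1 in types:
        return "OPEN: server accepts unauthenticated sessions"
    if types and all(t == 2 for t in types):
        return "WEAK: only VNC Authentication (8-byte DES key, no encryption)"
    return "other: " + ", ".join(SECURITY_TYPES.get(t, f"unknown({t})") for t in types)


def vnc_des_key(password: str) -> bytes:
    """Build the DES key VNC Authentication derives from a password.

    Only the first 8 bytes count (shorter passwords are NUL-padded) and the
    bits of each byte are reversed, which is why classic servers silently
    ignore everything after the eighth character.
    """
    raw = password.encode("latin-1", "replace")[:8].ljust(8, b"\0")
    return bytes(int(f"{b:08b}"[::-1], 2) for b in raw)


def check(banner: bytes, payload: bytes) -> str:
    """Full classification of one (version banner, security payload) pair."""
    return assess(parse_security_types(parse_version(banner), payload))


def probe(host: str, port: int = 5900, timeout: float = 3.0) -> str:
    """Live version of check(): speak 3.8, read the server's offer. Not run in the demo."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        version = parse_version(s.recv(12))
        s.sendall(b"RFB 003.008\n" if version >= (3, 7) else b"RFB 003.003\n")
        return assess(parse_security_types(version, s.recv(256)))


# Constructed server-side bytes for illustration (not captured traffic).
SAMPLE_38_OPEN = (b"RFB 003.008\n", b"\x02\x01\x02")       # offers None and VNC auth
SAMPLE_38_AUTH = (b"RFB 003.008\n", b"\x01\x02")           # VNC auth only
SAMPLE_33_NONE = (b"RFB 003.003\n", b"\x00\x00\x00\x01")   # 3.3 server, no auth

if __name__ == "__main__":
    for banner, payload in (SAMPLE_38_OPEN, SAMPLE_38_AUTH, SAMPLE_33_NONE):
        print(banner.strip().decode(), "->", check(banner, payload))
    print("truncated key:", vnc_des_key("hunter2longpassword") == vnc_des_key("hunter2l"))
```

A server that answers "OPEN" here is exactly what VNC Roulette was screenshotting; one that answers "WEAK" still sends its 16-byte challenge and the DES-encrypted response in the clear, so a captured exchange can be attacked offline against a key space that a long password does nothing to enlarge. That is the case for the "VPN is mandatory" advice in the comment above.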

        1. Anonymous Coward

          Re: Well....Teamviewer blows both out of water

          Indeed Teamviewer seems to be the access tool of choice for criminals pretending to be Microsoft or Talktalk. I'd actually like to see it blocked by default in Windows, along with VNC variants, and a message come up if the user attempts to enable it about the risk of fraudsters.

          1. Mr_Pitiful

            Re: Well....Teamviewer blows both out of water

            Some organisations use Teamviewer legally, i.e. ours

            Many others are blocked and only Teamviewer will work; with the critical systems we run, sometimes it's our only option. So no blocking please!

          2. Sandtitz Silver badge

            Re: Well....Teamviewer blows both out of water @Voyna i Mor

            'It's not the fault of the tool, but the fault of the tools using the tool.'

            I and many others use Teamviewer and other such software for very legit reasons. Such specific blocking would probably be of no use anyway - the fraudsters would just use software packages not mentioned in the OS blacklist.

            Similarly you could ask restrictions for every sort of remote use software and on every platform - if e.g. OSX or Linux ever gained enough critical mass to attract those kind of fraudsters they'd be instructing how to install the software through packet management and when to type the superuser password and so on.

    2. Manolo

      Re: Well....

      Some are off-line, some have a password now. Try checking them on shodan.io first.

      Shodan will even have screenshots of VNC sessions initiated by them. On one of them I saw a number of warnings on the desktop of the unsecured system.

      This one:

      https://www.shodan.io/host/219.218.122.194

      Personally I was shocked about the things you find people leave exposed to the Internet as a whole.

  12. PaulAb

    I like.....

    I know all the comments so far seem very serious but,..watching users when they can't control the mouse....because I'm playing....... priceless..Snicker!

  13. allthecoolshortnamesweretaken

    Wow. Just ... wow.

  14. Andy A

    I like the machine name used for collecting the screen shots, which was displayed on at least one site.

    "A user on the computer 'want.some.vodka' is remotely controlling your desktop".

  15. Mr_Pitiful

    The servers are open ish

    Some of the 2003 servers appear to be there, I attempted connections from a safe offsite box and got a connection, tried administrator and password, but no joy!

  16. PJD

    Medical records

    http://vncroulette.com/index.php?picture=8 is (for me at least) showing seven people's names, medical record numbers, and full home address - in highly litigious Southern California. I'm half tempted to print off the screenshot and drop a copy in the mail to those seven people with a note suggesting they call a lawyer and start having fun.

    1. Pirate Dave Silver badge

      Re: Medical records

      I saw that one too, and it was picture 8 for me as well, which leads me to think these are relatively static screen caps.

  17. Grease Monkey Silver badge

    It's amazing that it's possible to set up a VNC server without even the most basic of logon credentials.

  18. Grease Monkey Silver badge

    Two things I particularly liked were:

    Windows XP machines with no logon credentials for VNC. That's adding insecurity to something that's already insecure.

    And conversely inherently secure OSes with no logon credentials for VNC. So you take a secure OS and then remove most of the security.

    Why do people use VNC these days anyway? There are so many better alternatives.

    1. Pirate Dave Silver badge

      "Why do people use VNC these days anyway? There are so many better alternatives."

      1. It's been around a while so it's a known vector for those of us who know better than to put it on a machine directly reachable by the Internets. Also, it's been implemented several times by several different groups (Tight, Tridia, Tiger, etc, not to mention the original AT&T code), so the code has been beaten upon quite a lot in the past 15+ years.

      2. It can be made somewhat more secure using SSH tunnels. Still, I wouldn't put that directly against the Internet, but it does secure it fairly well for internal, behind-the-firewall use in case you don't trust your internal users either.

      3. It's free.

      4. It runs natively as a compiled C program (iirc), and does not require Java (although I think there is a Java port) or any kinds of runtimes or plugins.

      5. It doesn't require an Internet connection - so you can use it perfectly well on isolated networks.

      6. It's been implemented cross-platform for ages. Windows, Mac, *nix, all work well and can talk to each other. (It is also the foundation for Apple Remote Desktop, FYI).

      7. It's fairly open. I can't remember if AT&T still hold copyright or if they've released it completely, but AFAIK, nobody will come knocking if you decide to write a new client/server from the ground up.

      So yes, there are alternatives, but VNC still has a place.

  19. Unicornpiss

    Geez...

    You can argue forever about how insecure it is to use VNC. But if some of these machines' admins would just go to the bother of setting a password.. You can use LDAP if you wish. Yes, it's more secure to use SSH. But VNC does have some security. Use it.

    1. Stuart Castle Silver badge

      Re: Geez...

      Or put the network behind a properly configured firewall. While it won't protect against every kind of attack (even properly configured firewalls can still be vulnerable), the firewall will make it a lot more difficult for attackers to get to even the most insecure systems. Having said that, even putting them on private-range IPs can help.

      For instance, at work, the network is protected by a firewall, with exceptions granted to machines that need to be visible from the outside (e.g. Web Servers, the VPN server), but any systems that don't need full internet access (printers, CCTV, door access control etc) are on private IPs, with any updates distributed internally as and when needed.

      It's not perfect, but certainly safer than nothing.

  20. John Brown (no body) Silver badge

    An X-ray machine in a facility in Nevada, US

    Any idea which Area its in?
