Message-ID: <CAJVRA1TsAAxmM5L7p=wMzvMxA9+F_B+4h68JTWbr0QVZ64ebcA@mail.gmail.com>
Date: Tue, 24 Jan 2012 21:31:46 -0800
From: coderman <coderman@...il.com>
To: Ben Bucksch <news@...ksch.org>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: VNC viewers: Clipboard of host automatically sent to remote machine

On Tue, Jan 24, 2012 at 6:45 PM, Ben Bucksch <news@...ksch.org> wrote:
> ...
> "The VNC protocol (RFB) is very simple, based on one graphic primitive
> from server to client ('Put a rectangle of pixel data at the specified
> X,Y position') and event messages from client to server."

What Dan was trying to point out to you was the vast difference in
attack surface between an IP KVM and the VNC protocol and
architecture.

IP KVM: keyboard, video, mouse interface to physical ports. Dumb, dumb, dumb.

VNC: not so simple; full of bugs year after year; a privileged service
running on the host, hooking into various OS facilities and exposing all
sorts of vulnerabilities between server and client. sma^H^H^H^H Stupid,
stupid, stupid (from a security perspective).

If you believe these present *precisely* the same risk profile,
well... can I have some of what you're smoking?

On Tue, Jan 24, 2012 at 6:34 PM, Ben Bucksch <news@...ksch.org> wrote:
> On 25.01.2012 02:05, coderman wrote:
>> you keep using that word.
>> i do not think it means what you think it means...
>
> Where else did I use that word?
> And what does it mean, in your understanding, that differs from my usage? I
> checked the dict and it seems fine.

Let me spell it out: your precise equivalency between a KVM device and
a VNC service is neither accurate nor correct.

http://www.youtube.com/watch?v=OHVjs4aobqs

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
