Re: NVDA Remote crash incident: trust and ethics are important just as technology is, never give out passwords publicly, developer responsibilities


jeremy <icu8it2@...>
 

Yeah, that's kind of how it appeared to me too. Main thing I think is important to keep in mind, as has already been said here, don't give out personal information or participate in things that may sound shady, unless you fully know what you're dealing with. It's also worth pointing out, in as much as I understand how it took place, it was mainly the remote server that allowed this to occur, so understand that in most cases, when you make a connection to a server, the admin of that server may be able to do things you may not necessarily wish them to.

I personally don't see any issues using nvdaremote.com and for the few times I've used it, it's worked wonderfully, but then I'm not participating in this crap that got all this started either. I do however think that it would be a good idea for better documentation on the installation of the remote server to be placed somewhere, so that people have easier access to run their own, if they wish to.

I think that NVDA remote was an amazing contribution to the community and that Tyler and Tauth did a wonderful job, but I do kind of wish that we could see some updates in its development. That's for another topic though, me thinks. :)
Take care.

Mallard wrote:

From the incident description, in my humble opinion, it looks as if the whole thing had been carefully planned, with the purpose of deliberately damaging the community and NVDA's reputation.


Unfortunately I've been seeing disruptive behaviours on other lists lately, where some "clever" person(s) faked a group member's account and started trolling the list.

As Einstein once said, there are only two infinite things: the Universe and human stupidity... And there are still doubts about the first one... (lol).

I'd say both these incidents, the NVDA Remote and the other one I was referring to, fall into this category.
Ciao,
Ollie

Il 11/10/2016 15:46, Jeremy ha scritto:
As I understand it, the individuals who had their remote sessions tinkered with had basically invited someone to screw with them. Once it became clear who the group was who had their sessions played with, or at least some of those in the group were, the whole thing became kind of entertaining. While the person who sent the playful strings of text could maybe have made slightly better choices, those individuals who received said playful strings were apparently trying to figure out how it was done, so they could use it on others.

Had those individuals being messed with not had their own malicious intent, as I strongly suspect, I don't think it would have ever come to this. Either way, you try and screw with someone and every now and then, someone much more intelligent than you comes along and plays with you a little. That's the way of things on the internet.


Shaun Everiss wrote:
I read this to joseph.
1. yeah someone gave his public key which is basically giving his userid and password.
The user got his nvda crashed and lost data in ram, which for some stupid reason he hadn't even saved.
It was all mindless fun and just users mucking round.
Sadly the same user has gone over the fact that the main dev criss is not responding to feedback and not hiding the public key, etc, etc.
He then decided to post on a public forum complaining about nv remote in general not being secure.
This same user has done this drama before.
He got what he deserved is all I am saying.

You shouldn't give out your security info.

On 11/10/2016 8:40 a.m., Joseph Lee wrote:
Dear NVDA community:

I give you permission to pass out the following to other community members:

Dear users of NVDA Remote Support add-on:

On the morning of October 10, 2016, a group of users connected via
nvdaremote.com experienced a general client crash, with the root of the
problem being a series of events that led to NVDA crashing with long strings
passed to a particular synthesizer. The event unfolded as follows:

In the evening of October 9, 2016, someone posted a message to a public
forum which included giving out his remote client password, with an
"invitation" for anyone to connect to his computer. Within moments, several
people connected to the poster's computer, but then the host disconnected. A
few moments later, the server admin came in using the published password,
changed some configurations and crashed NVDA by letting clients read long
strings and making their keyboards unusable. An audio recording was
published that provides some live evidence, with people posting on social
media advising others to stop using this, labeling this as "unsecure".

In light of this incident, as a community add-ons representative, I'd like
to request that add-on users follow these guidelines:

1. Never give out the NVDA Remote session password publicly.

2. The Remote host must provide the password and this should be done
privately.

3. The Remote client must tell the host what he or she is going to do so
the host can be aware of what's going on.

4. The host should try to inform clients that he or she is
disconnecting so clients can disconnect properly.

Also, as an add-on developer, I'd like to propose the following action plan
in the future:

1. Please examine evidence you can find before coming to the conclusion
that things are insecure.

2. Developers should provide responses as soon as possible when
evidence becomes available.

The add-on can be found in our NVDA Community Add-ons website. Although
there are some things about this add-on that have contributed to this
incident, the ultimate root cause has to do with irresponsible user actions.

Thank you.

Cheers,

Joseph
