Re: NVDA Remote crash incident: trust and ethics are important just as technology is, never give out passwords publicly, developer responsibilities


jeremy <icu8it2@...>
 

Lol, that was really too bad, as I really liked the note line of devices. Figured it was Samsung's attempt at contributing to some sort of a bang poppy celebration, but no one seems to appreciate their version of fireworks.

In all seriousness though, It's not only the note that I've seen that can get really hot, if put in certain situations. I've seen IPhones that have gotten hot enough that you could barely touch the glass on the face of them.
Then again, I've also seen people forget to set their laptops to sleep or hibernate and then slip it into a case, leading to a pretty decent smoke out.

Shaun Everiss wrote:

I agree, I reported this in my blog last week.
So many are doing stupid things all the time.
If we need to be worried about anything it is if we have a shiny new galaxy note bomb or not.
Samsung recalled all gn7s and has canciled production, some sources say thats the end of the note.
However a expert says as we get better and faster phones they become more like our computer units, and more powerfull and the energy needs to go somewhere, they don't have fans, fans would drain battery faster but the fact is even with flash chips we will need to get our phones cool somehow.
And since our phones live in cases, etc and we havn't really had the need to cool them as such that will only become more an issue as it comes up.



On 12/10/2016 7:41 a.m., Jeremy wrote:
It kind of reminds me of the thing going around about the headphone jack
on the newer IPhone 7s. Apparently one can take a drill to the bottom of
their pretty new device and if you've got the placement just right, you
can reveal a hidden jack.

I find it absolutely crazy how many people apparently have fallen for
this crap and caused serious problems to brand new IPhones, just because
they seen it on youtube or facebook. While I feel bad that people fall
for things like this, it still makes me scratch my noggin in amazement.
Take care.

Brian's Mail list account wrote:
Yes its like when these folk ring you up pretending you have a virus,
and asking you to do a remote desktop or some other control your
machine from afar program. You just do not do it or give them any
secret key you have to get into it on your machine.
I think one can only go so far with protection, some people need to be
made aware that its perfectly possible to invite trouble and that
passwords were created for a reason.


As an aside there is also a rumour going on on sighted forums that a
file associated with dropbox is some kind of malware and even goes
into details of how to remove it.
Dbxcon or some such name. the only evidence people are using is that
its not actually signed by dropbox but another name. However If you
remove all copies it will completely screw up your access to dropbox,
so don't take any notice of such things unless they can be absolutely
validated by a reputable organisation.
There is far too much misinformation and nasty people about as it is
without spreading paranoia about other software.
Brian

bglists@blueyonder.co.uk
Sent via blueyonder.
Please address personal email to:-
briang1@blueyonder.co.uk, putting 'Brian Gaff'
in the display name field.
----- Original Message ----- From: "Shaun Everiss" <sm.everiss@gmail.com>
To: <nvda@nvda.groups.io>
Sent: Tuesday, October 11, 2016 11:34 AM
Subject: Re: [nvda] NVDA Remote crash incident: trust and ethics are
important just as technology is, never give out passwords publicly,
developer responsibilities


I read this to joseph.
1. yeah someone gave his public key which is basically giving his
userid and password.
The user got his nvda crashed and lost data in ram, which for some
stupid reason he hadn't even save.
It was all mindless fun and just users mucking round.
Sadly the same user has gone over the fact that the main dev criss is
not responding to feadback and not hiding the public key, etc, etc.
He then decided to post on a public forum complaining about nv remote
in general not being secure.
This same user has done this drama before.
He got what he deserved is all I am saying.

You shouldn't give out your security info.



On 11/10/2016 8:40 a.m., Joseph Lee wrote:
Dear NVDA community:



I give you permission to pass out the following to other community
members:



Dear users of NVDA Remote Support add-on:



On the morning of October 10, 2016, a group of users connected via
nvdaremote.com experienced a general client crash, with the root of the
problem being a series of events that led to NVDA crashing with long
strings
passed to a particular synthesizer. The event unfolded as follows:



In the evening of October 9, 2016, someone posted a message to a public
forum which included giving out his remote client password, with an
"invitation" for anyone to connect to his computer. Within moments,
several
people connected to the poster's computer, but then the host
disconnected. A
few moments later, the server admin came in using the published
password,
changed some configurations and crashed NVDA by letting clients read
long
strings and making their keyboards unusable. An audio recording was
published that provides some live evidence, with people posting on
social
media advising others to stop using this, labeling this as "unsecure".



In light of this incident, as a community add-ons representative,
I'd like
to request that add-on users follow these guidelines:



1. Never give out NVDA remote session password publicly.

2. The Remote host must provide the password and this should be
done
privately.

3. The Remote client must tell host what he or she is going to
do so
the host can be aware of what's going on.

4. The host should try to inform clients that he or she is
disconnecting so clients can disconnect properly.



Also, as an add-on developer, I'd like to propose the following
action plan
in the future:



1. Please examine evidence you can find before coming to the
conclusion
that things are insecure.

2. Developers should provide responses as soon as possible when
evidence becomes available.



The add-on can be found in our NVDA Community Add-ons website. Although
there is some things about this add-on that have contributed to this
incident, the ultimate root cause has to do with irresponsible user
actions.



Thank you.

Cheers,

Joseph







Join nvda@nvda.groups.io to automatically receive all group messages.