Re: NVDA Remote crash incident: trust and ethics are important just as technology is, never give out passwords publicly, developer responsibilities


Gene
 

Respect is not the point.  You are discussing what you believe should be done to dispel the rumor.  Also, your views are being seen and considered by a lot of list members.  I therefore, as is common on lists and is one of the purposes of lists, am discussing your comments.  Respect is not the issue.  The issue is how people determine how credible a rumor is. 
 
Gene

----- Original Message -----
Sent: Wednesday, October 12, 2016 6:48 PM
Subject: Re: [nvda] NVDA Remote crash incident: trust and ethics are important just as technology is, never give out passwords publicly, developer responsibilities

I don't doubt Joseph Lee's credibility or his ethics, nor do I assume that Tyler is guilty of what he was accused of doing. You have stated your views, which I respect. I have stated my views in my previous message, which I ask you to equally respect.


      David Goldfield,
Assistive Technology Specialist

Feel free to visit my Web site
WWW.DavidGoldfield.Info
On 10/12/2016 7:31 PM, Gene wrote:
Joseph Lee is very credible and his post should serve to dispel the rumor.  He develops add-ons and vets add-ons for NVDA official approval.  If Tyler wants to make a statement, that's fine, but my point is that if Joseph Lee comments on a question like this in the manner he has, that is very credible.  Rumors are just that.  Joseph Lee's comments should be more than adequate to dispel this rumor.
 
gene
----- Original Message -----
Sent: Wednesday, October 12, 2016 6:06 PM
Subject: Re: [nvda] NVDA Remote crash incident: trust and ethics are important just as technology is, never give out passwords publicly, developer responsibilities

I am not a software developer. However, if I developed any type of software and was accused of what Tyler was accused of I would, at the very least, make a public statement denying the allegations. Therefore, since Tyler is on this list, I would like to ask if he would make a statement regarding the accusation which was brought before him via the Facebook post. As a user of the NVDA Remote addon I know I would feel much better hearing from him directly.

      David Goldfield,
Assistive Technology Specialist

Feel free to visit my Web site
WWW.DavidGoldfield.Info
On 10/12/2016 1:52 AM, Felix G. wrote:
Hello,
now please correct me if I'm oversimplifying, but isn't this entire thing analogous to someone giving out their Teamviewer password to the entire web and then complaining how insecure Teamviewer is because someone went and trashed their system?
I strongly trust this community is mature enough not to be damaged by this.
Kind regards,
Felix

Shaun Everiss <sm.everiss@...> wrote on Tue, Oct 11, 2016 at 22:26:
Yeah I agree.
I had a laptop with a BIOS that didn't update and a fan that didn't work
and packed it away and it was dead.
Due to heat in summer especially with the humidity in New Zealand though
other countries and places can get hotter, I have had to put a coolant
fan desk under my computer at all times.
In fact during summer especially if my laptop is on my lap which it can
be from time to time I have got very burned legs from just putting it
there so yeah.
A friend who has his system in a well ventilated attic room still says
that even with his fans full up on his gaming rig he needs to stick 1
or 2 fans into his case just to cool it down.
He probably needs several heat pumps or something on the other hand the
solar panels are in his roof so yeah who knows.
Things can get quite hot.
For myself I have a room with 2 computers, 1 workstation and a small
desk server.
It does have 2 sides to open windows but even then well.



On 12/10/2016 9:05 a.m., Jeremy wrote:
> Lol, that was really too bad, as I really liked the Note line of
> devices. Figured it was Samsung's attempt at contributing to some sort
> of a bang poppy celebration, but no one seems to appreciate their
> version of fireworks.
>
> In all seriousness though, it's not only the Note that I've seen that
> can get really hot, if put in certain situations. I've seen iPhones that
> have gotten hot enough that you could barely touch the glass on the face
> of them.
> Then again, I've also seen people forget to set their laptops to sleep
> or hibernate and then slip it into a case, leading to a pretty decent
> smoke out.
>
> Shaun Everiss wrote:
>> I agree, I reported this in my blog last week.
>> So many are doing stupid things all the time.
>> If we need to be worried about anything it is if we have a shiny new
>> Galaxy Note bomb or not.
>> Samsung recalled all gn7s and has canceled production, some sources
>> say that's the end of the Note.
>> However an expert says as we get better and faster phones they become
>> more like our computer units, and more powerful and the energy needs
>> to go somewhere, they don't have fans, fans would drain battery faster
>> but the fact is even with flash chips we will need to get our phones
>> cool somehow.
>> And since our phones live in cases, etc and we haven't really had the
>> need to cool them as such that will only become more an issue as it
>> comes up.
>>
>>
>>
>> On 12/10/2016 7:41 a.m., Jeremy wrote:
>>> It kind of reminds me of the thing going around about the headphone jack
>>> on the newer iPhone 7s. Apparently one can take a drill to the bottom of
>>> their pretty new device and if you've got the placement just right, you
>>> can reveal a hidden jack.
>>>
>>> I find it absolutely crazy how many people apparently have fallen for
>>> this crap and caused serious problems to brand new iPhones, just because
>>> they saw it on YouTube or Facebook. While I feel bad that people fall
>>> for things like this, it still makes me scratch my noggin in amazement.
>>> Take care.
>>>
>>> Brian's Mail list account wrote:
>>>> Yes, it's like when these folk ring you up pretending you have a virus,
>>>> and asking you to do a remote desktop or some other control your
>>>> machine from afar program. You just do not do it or give them any
>>>> secret key you have to get into it on your machine.
>>>> I think one can only go so far with protection, some people need to be
>>>> made aware that it's perfectly possible to invite trouble and that
>>>> passwords were created for a reason.
>>>>
>>>>
>>>> As an aside there is also a rumour going on on sighted forums that a
>>>> file associated with Dropbox is some kind of malware and even goes
>>>> into details of how to remove it.
>>>> Dbxcon or some such name. The only evidence people are using is that
>>>> it's not actually signed by Dropbox but another name. However, if you
>>>> remove all copies it will completely screw up your access to Dropbox,
>>>> so don't take any notice of such things unless they can be absolutely
>>>> validated by a reputable organisation.
>>>> There is far too much misinformation and nasty people about as it is
>>>> without spreading paranoia about other software.
>>>> Brian
>>>>
>>>> bglists@...
>>>> Sent via blueyonder.
>>>> Please address personal email to:-
>>>> briang1@..., putting 'Brian Gaff'
>>>> in the display name field.
>>>> ----- Original Message ----- From: "Shaun Everiss"
>>>> <sm.everiss@...>
>>>> To: <nvda@nvda.groups.io>
>>>> Sent: Tuesday, October 11, 2016 11:34 AM
>>>> Subject: Re: [nvda] NVDA Remote crash incident: trust and ethics are
>>>> important just as technology is, never give out passwords publicly,
>>>> developer responsibilities
>>>>
>>>>
>>>>> I read this to Joseph.
>>>>> 1.  Yeah, someone gave his public key which is basically giving his
>>>>> userid and password.
>>>>> The user got his NVDA crashed and lost data in RAM, which for some
>>>>> stupid reason he hadn't even saved.
>>>>> It was all mindless fun and just users mucking round.
>>>>> Sadly the same user has gone over the fact that the main dev criss is
>>>>> not responding to feedback and not hiding the public key, etc, etc.
>>>>> He then decided to post on a public forum complaining about nv remote
>>>>> in general not being secure.
>>>>> This same user has done this drama before.
>>>>> He got what he deserved is all I am saying.
>>>>>
>>>>> You shouldn't give out your security info.
>>>>>
>>>>>
>>>>>
>>>>> On 11/10/2016 8:40 a.m., Joseph Lee wrote:
>>>>>> Dear NVDA community:
>>>>>>
>>>>>>
>>>>>>
>>>>>> I give you permission to pass out the following to other community
>>>>>> members:
>>>>>>
>>>>>>
>>>>>>
>>>>>> Dear users of NVDA Remote Support add-on:
>>>>>>
>>>>>>
>>>>>>
>>>>>> On the morning of October 10, 2016, a group of users connected via
>>>>>> nvdaremote.com experienced a general client crash, with the root of the
>>>>>> problem being a series of events that led to NVDA crashing with long
>>>>>> strings passed to a particular synthesizer. The event unfolded as follows:
>>>>>>
>>>>>>
>>>>>>
>>>>>> In the evening of October 9, 2016, someone posted a message to a public
>>>>>> forum which included giving out his remote client password, with an
>>>>>> "invitation" for anyone to connect to his computer. Within moments,
>>>>>> several people connected to the poster's computer, but then the host
>>>>>> disconnected. A few moments later, the server admin came in using the
>>>>>> published password, changed some configurations and crashed NVDA by
>>>>>> letting clients read long strings and making their keyboards unusable.
>>>>>> An audio recording was published that provides some live evidence, with
>>>>>> people posting on social media advising others to stop using this,
>>>>>> labeling this as "unsecure".
>>>>>>
>>>>>>
>>>>>>
>>>>>> In light of this incident, as a community add-ons representative, I'd
>>>>>> like to request that add-on users follow these guidelines:
>>>>>>
>>>>>>
>>>>>>
>>>>>> 1.      Never give out NVDA remote session password publicly.
>>>>>>
>>>>>> 2.      The Remote host must provide the password and this should be
>>>>>> done privately.
>>>>>>
>>>>>> 3.      The Remote client must tell host what he or she is going to do
>>>>>> so the host can be aware of what's going on.
>>>>>>
>>>>>> 4.      The host should try to inform clients that he or she is
>>>>>> disconnecting so clients can disconnect properly.
>>>>>>
>>>>>>
>>>>>>
>>>>>> Also, as an add-on developer, I'd like to propose the following action
>>>>>> plan in the future:
>>>>>>
>>>>>>
>>>>>>
>>>>>> 1.      Please examine evidence you can find before coming to the
>>>>>> conclusion that things are insecure.
>>>>>>
>>>>>> 2.      Developers should provide responses as soon as possible when
>>>>>> evidence becomes available.
>>>>>>
>>>>>>
>>>>>>
>>>>>> The add-on can be found in our NVDA Community Add-ons website. Although
>>>>>> there are some things about this add-on that have contributed to this
>>>>>> incident, the ultimate root cause has to do with irresponsible user
>>>>>> actions.
>>>>>>
>>>>>>
>>>>>>
>>>>>> Thank you.
>>>>>>
>>>>>> Cheers,
>>>>>>
>>>>>> Joseph
>>>>>>
>>>>>>