Let's try and get 1,000,000 replies to this post

You know what's ironic but great? The fact that MaidenFansUnited has more members and topics than this site, but this site has a lot more action going on it. :D
 
We use remote desktop assistance through our network. However, we used to use Microsoft's tool to jump on to a user's PC to help out and that required the end user to allow us to view their desktop. But we have since been given a new tool - Bomgar. Bomgar does not require any authorisation from the end user (at least the way we have it configured) and that is a big security risk. I can view anyone's desktop on our network from anywhere in the world without their consent. Yes, they do get a big pop up message to say I'm on and could kick me out in an instant, but that could be too late. They may not be looking at their screen at the time and may not know for, what, 15 seconds or more? An example was the other day I was helping out a programmer. He needed to get on his PC, so I asked for his machine name and as he was sitting right next to me, he could only guess. So I jumped on to that PC and found myself on a finance user's PC and could see the whole screen. Now, what if that was the MD's screen.....or my boss?

We work with a lot of customers that also use services from other computer companies...mainly software companies that don't have real networking departments. Our main policy is to close all external ports and strictly use VPN for remote access. However, some of those idiots are keen to RDP directly to somewhere - let's say a database server where their management tools are installed. So we have no other option but to forward ports and hope someone doesn't go on a bruteforcing rampage.

RDP has one big technical issue that's "inspired" directly by Microsoft's idiocracy with per-user licencing. E.g., only one user can be logged on to their client system (2000 Pro, XP, Vista, 7). So the user gets dumped once you log in remotely. On some occasions it's good to do simultaneous work. I don't do Windows support (or Windows related stuff either), but I have a perfect real-world example; my cousin asked me to help her with a web design exam. In 5 minutes, VNC was ready on my XP box, and basically I typed and worked, she watched everything I did. That kind of thing would be impossible with RDP, legally. If you want that kind of functionality on a client OS, you need to copy a certain dll library from a server-class operating system, then you'll have their basic 2/5 user restriction per computer.

VNC is by far the most flexible solution - it's a complete graphics/sound server, cross-platform and open source. On UNIX systems it can open another X11 session on the host, meaning that the user can work normally in his graphic environment without having any clue that you're working on the same computer in a different GUI environment seamlessly. Which brings me to this:

Bomgar does not require any authorisation from the end user (at least the way we have it configured) and that is a big security risk

I don't see it that way. Someone installed that program, and even if it doesn't require administrative rights, you must open some ports on the firewall for the thing to work - hence some local administrator must be involved. It can use reverse connections, where the server contacts the client, no port forwarding - again, the local network admin should block all outgoing traffic that's not verified by the company's policies.

I mean, I have authorizations for domain administration accounts of a bunch of big companies. I can log in right now, sniff around every computer's hard drive, peek into every mailbox, I can even see all of their internal and external network activity. When somebody manages your information infrastructure, that somebody has access to information. That's called outsourcing.

Big companies lay down privacy contracts, where the outsourcer wants the outsourced to not reveal any information to 3rd parties. Likewise, the outsourced has the same statements in contracts with his employees. Therefore - if I use my "powers" to sell some information, I'd have a problem with the law.

However, in most cases the law could do shit - if you have full rights, you can wipe out logs too. Drive to some other city and hook up to some poor guy's open WLAN and off you go. Prior to that, do some weird port scans, ICMP floods, a little bruteforcing, just so that it looks like someone is trying to "hack" through the firewall - logs will be wiped, but ISPs also keep them. It wouldn't look nice if they listed a first, successful connection via VPN - that means somebody has an account.

Information in this post cannot be used in any criminal activity  :D
 
Zare said:
I don't see it that way. Someone installed that program, and even if it doesn't require administrative rights, you must open some ports on the firewall for the thing to work - hence some local administrator must be involved.
I'm not sure if you have heard of Bomgar but the way it works is that we have the full program installed on our PCs - not actually at the end user. When we offer remote assistance, we jump on to their PC - much in the same way that VNC works, but the client side is installed on the fly. The user has no say in this being installed, it's initiated by us. Only a few IT support people have the Bomgar software on their PCs to go out and the client side can only listen for Bomgar support requests from one of us. The problem is that the end user cannot stop me getting on their PC (which is why not everyone has the full blown program) - they can kick me off when I get there but as I say, it may be too late.

The problem with VNC is that it has to be installed on the client side beforehand - is that right, or can the port just be open?
 
You cannot install something on somebody's computer just like that.
The way that Bomgar does it (and so does the enterprise version of Ultra/RealVNC) - it uses domain administration credentials to initiate a remote installation via the Windows Installer service. Of course, the target system must be a domain member, therefore it's enslaved by the domain controller.

Again - someone typed those admin credentials in. Therefore, I see no security issue there. We use a similar product called VNCon. I just enter the computer name / IP address on the domain, and it installs a VNC server on that computer + initiates a session. I've read a wiki entry on Bomgar, it seems that they've based the whole product around centralized administration - the client part is probably just an executable that serves as an event/graphics server. Which is nice.

...and yeah, this is from their website:

Visitors to Bomgar's headquarters will notice a verse from Psalm 127 displayed as they enter the office: "Unless the Lord builds the house, those who build it labor in vain." Even though we take it as our responsibility to work diligently, this verse reminds us that the ultimate results belong to God.

Our Vision: To honor God by applying Biblical principles in relation to employees, customers and financial dealings.

Sick fucks.


The problem with VNC is that it has to be installed on the client side beforehand - is that right, or can the port just be open?

Forgot to reply to this. I didn't mean that you can install something somewhere if that thing has a magical port open. In fact, you can if some trojan is listening on that port  :D

What I meant is that, in some cases, you don't need local administrative privileges to install some remote access software. Hence, an ordinary employee can do it. However, an ordinary employee can't forward the appropriate port towards the Internet because he doesn't have access to the firewall/router console. Therefore, no external client can connect to his computer.

Again, it was in the context of security breaches. You simply can't go on remote rampage on your own. Some administrator somewhere must approve it. He may insist that he approves it each and every time and monitor your sessions, or he can install something like that Bomgar, enter administration credentials and go and drink coffee.
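The push model described in this post and in the earlier one on Bomgar/VNC enterprise (admin credentials, Windows Installer, the end user never asked) leaves a footprint on the endpoint that a defender can watch for. Added example, not from the thread or from any vendor: a Python script run over constructed log lines (Windows Event ID 7045 new-service installs and 4624 logons, flattened here to a key=value layout) that flags remote-access service installs and records the network logon that preceded each one. The hosts, service names, image paths and the flattened log layout are assumptions.

```python
"""Spot remote-access clients pushed onto endpoints over the network.
Constructed sample lines (not real logs): Windows 7045 (new service) and
4624 (logon) events flattened to key=value form."""
import re
from datetime import datetime, timedelta

SAMPLE_LOG = r"""
2010-03-02T09:14:02 host=WS-FIN-07 event=4624 user=CORP\svc_helpdesk logon_type=3 src=10.1.5.20
2010-03-02T09:14:05 host=WS-FIN-07 event=7045 service="RemoteSupportClient" image="C:\ProgramData\RemoteSupport\rsclient.exe"
2010-03-02T11:00:41 host=WS-DEV-03 event=4624 user=WS-DEV-03\alice logon_type=2 src=-
2010-03-02T11:01:10 host=WS-DEV-03 event=7045 service="vnc_server" image="C:\Program Files\VNC\vncserver.exe"
2010-03-02T13:22:00 host=WS-OPS-11 event=7045 service="Print Spooler Helper" image="C:\Windows\System32\spoolhlp.exe"
"""

# Substrings (from the thread's own examples: VNC, Bomgar) that mark a service as remote-access software.
REMOTE_ACCESS_HINTS = ("vnc", "bomgar", "remotesupport")
NETWORK_LOGON_TYPES = {"3", "10"}   # 3 = network (SMB/RPC), 10 = RemoteInteractive (RDP)
WINDOW = timedelta(minutes=10)      # how far back to look for the pushing admin's logon
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """First token is the timestamp; the rest are key=value pairs, values optionally quoted."""
    ts, _, rest = line.partition(" ")
    rec = {"ts": datetime.fromisoformat(ts)}
    for key, val in KV_RE.findall(rest):
        rec[key] = val.strip('"')
    return rec

def is_remote_access(rec):
    blob = (rec.get("service", "") + " " + rec.get("image", "")).lower()
    return any(hint in blob for hint in REMOTE_ACCESS_HINTS)

def detect(log_text):
    """One alert per remote-access service install; remote_logon names who pushed it, or None."""
    recs = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    alerts = []
    for r in recs:
        if r.get("event") != "7045" or not is_remote_access(r):
            continue
        # A push by a domain admin shows up as a network logon on the same host shortly before the service appears.
        pushed_by = None
        for prior in recs:
            if (prior.get("event") == "4624" and prior["host"] == r["host"]
                    and prior.get("logon_type") in NETWORK_LOGON_TYPES
                    and r["ts"] - WINDOW <= prior["ts"] <= r["ts"]):
                pushed_by = f'{prior["user"]}@{prior["src"]}'
        alerts.append({"host": r["host"], "service": r["service"],
                       "ts": r["ts"].isoformat(), "remote_logon": pushed_by})
    return alerts
```

On the sample, the install on WS-FIN-07 is attributed to the helpdesk account's network logon three seconds earlier, the VNC install on WS-DEV-03 has only a local (type 2) logon before it, and the spooler helper is ignored.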
 