Security Basics mailing list archives

Re: VNC Security


From: Mike Miller <mbmiller () taxa epi umn edu>
Date: Mon, 25 Apr 2005 16:09:11 -0500 (CDT)

On Tue, 19 Apr 2005, Andy Bruce - softwareAB wrote:

> I have to agree with Steve that this is, for all practical purposes, a non-existent security risk. The only things that could go wrong:
>
> a. "Somebody" is sniffing the packet stream while the VNC passwords are being exchanged, and, during that 20 minute interchange, cracks the password and logs onto the VNC server. Of course, we would notice this problem on both ends!


I don't know if it is possible to crack the VNC password, but I don't agree that you would necessarily notice this on both ends. If the attacker were to log into the session when you weren't using it, he could then make some changes to your system (for Windows) that would allow him more access to your machine later. If you were using Windows he could start up another VNC desktop that you might not notice, and he could use a different password if he wanted to (by copying the vnc password file, changing the password, and copying it back).

I hope that it is hard to crack the passwords. I think it is hard to do it but I'd like to hear more about that.

Mike

