You are not logged in. Please login or register.
AudioGames.net Forum → Off-topic room → NVDA remote unsecurity prooven, recording of dev included
Seriously though, I think it's unacceptable what happened. We didn't click allow control. And while the bug was parcially NVDA, it was remote that used it. It's not windows that is to blame for crypto locker, it's the software, in this case remote. I'll recover from my data loss and that's not my issue. It's how it was lost. And I am very glad q is trying to take the initiative to fix things.
Once again, it's sucks that you lost your data, but I think this is pretty much resolved. Toth is trying to find a fix and people know not to share their keys publicly.
Also, you wouldn't have needed to click allow control. When controlling another computer, your NVDA still needs to speak what the machine being controlled sends to it. You wouldn't be able to control the other computer otherwise.
I guess I don't totally understand, and from people's descriptions, I rather doubt the recording would enlighten things.
Were the client machines actually controlled? How was data lost?
And now for a rant. I've long believed that anyone who stores valuable/irreplaceable data in only one location is just asking for trouble. Something like this, or a virus, or even a good old fashioned hard drive failure could cause you to lose every last bit of data you've ever had, in an instant, with no warning, and with no way of ever getting any of it back.
My personal backup strategy might seem to some a bit overkill, but it does insure that a lot of horrible things would have to happen in order for me to lose much of importance. Anything important goes to an external drive, connected to my computer. That hard drive is updated frequently to another hard drive, which in between updates is removed from the system and not connected to anything whatsoever, not even power. A few times a year, this information is also copied to a drive at an off-site location, again, not connected to anything in any way whatsoever while not in use. And if that's not enough, I also back up my stuff to CrashPlan online backup.
ZOmg guys connect to my box so I can bitch about this like there's a flaw because one guy connected who knew what he was doing! You ask for people to connect for any reason on twitter and give out info for your machine: That's on you period. Hence why updates/OS security/account security, mentioned for good measure, is so important. Also, this recording is killing me guys: I don't miss my TT days after hearing this. Anyone who is wondering if this matters to their security of their NVDA remote sessions: This is just FUD unless you give someone you don't trust your key/private server URL, if you use it who was technically smart. Kids own people all the time. Sometimes, You shouldn't do stupid things.
I don't why you guys are fighting its a good adon. Sam stay out of things that don't concern you.
Sam first of all I don't even leave my computers connected to the server that is stupid to leave computers connected on startup. Your a idiot.
@JayBird - The way data was lost? Like Sam previously said, he was working on something that had to do with school work. I actually had a file open that contained code, which I could recreate, but its not easy, especially when it took me a while to work on.
And yes, I understand that this data could have easily been destroyed by you said it, hard drive failure/fire/the blue screen of death... The possibilities are endless, but I don't see that having much of a effect. It was the way I lost data that is important here.
@hhurstseth405 - Ok, unless you may want to explain a couple things, I don't see how this doesn't concern me, Sam, or anyone else on the server who was controlling another machine. And actually, its something that in a way, deals with anyone.
After reading this thing more closely, me, Sam, or whoever should seriously upload a version that just takes the key points of what happened, and was learned. I imagine that'd be a lot easier to follow
@34
Yeah, I agree. I listened for 10 minutes or so, then realized it wasn't getting anywhere.
Ok, there are a fiew things that need to get streightened out here, huge points that people sceme to not propperly understand in this situation. First one, this twitter key posting. Yes, ivan posted to twitter to connect to key 123. That was ivan. I didn't post that on twitter. You guys shouldn't get mad because anyone connected to it. We just followed a twitter tweat. After ivan disconnected, a VM of tylers connects and tells us that hacking can ruin peoples lives, he was defenatly against fucking up ivan. Then he crashes all the clients. So... Ivan posted the key and got his computer fucked up, but not the rest of us. And? If it was someone else that did this, then it could be a bug reported to the remote devs and done. But no, this was the dev him self connected to his own nvdaremote.com server, though the server doesn't matter. And everyone was connected as control another machine, not allow this amchine to be controled. So the only just reason for you guys talking about us connecting to a key posted publicly is that tyler was made aware of the key.
And also, lets not forget this. When our computers were crashed, and a couple still working, Tyler wrote in notepad for us to guess who it was. We of course guessed him immediately, but its still something to consider that he didn't want to tell us either that, or the method that was used against our computers. Only later was it that we were told about the character string, one reason all the more for the chaos in the recording. I'm not going to forget his apology though, and the fact that he said he was just being a dick, but still. It can't be left unnoticed.
OK guys, so here's what happened. They all connected through remote as control this machine, then Tyler just sent a string to that key, it spoke and NVDA just died. Nothing got compromized, nothing got stolen, people are just being rediculous. Cary on.
Actually mason, it's more complicated than that. NVDA remote got stuck in the keyhook, so I had to hardboot and lose everything that wasn't save. For me, that was a lot at that particular moment. And guys, come on, what's all this about it being an NVDA issue. Is it a windows issue that killing the wrong process crashes the system and a program exploits it? Same with a unix processor? Remote was used to magnify an NVDA bug. I guess if I make a virus, it's now a harddrive bug when I delete a file. Right? As a remote client, I could care less how code wise I had to hard boot my computer. But I did. Maybe it is almost completely an NVDA issue. Not the keyhook, that wasn't and completely blocked me from restarting NVDA etc. So please combat this keyhook situation. If you guys all say this is an NVDA bug, then please explain why I couldn't restart NVDA with control alt n, or even go to the CMD to kill it? That's remotes little keyhook, and that's enough for me.
Reply to what mason posted to twitter, and on this forum as well:
*sighs* I really think its a matter of opinion at this point. but like was said before, anything could have happened. BlueScreen, HD failure… the list goes on. Then yes, nobody but you could be at fault. But when you don’t offer your computer up for control, and someone else does something like this, I really don’t think its my issue for not saving part of the code. And not saying all, but I really doubt many people press CTRL S extremely often, just to save something and expect something like this to happen to them.
@40
I press ctrl S constantly, especially with code and school assignments. It's actually ridiculous you guys don't. Since you guys are programmers, why not make a script to periodically press ctrl s, if it's too much of a hassle, haha.
Hi. I know at least I should save some of that more often. For me at least, it's not the fact that the data is gone, but how it is gone. If I added a command in stw to force shutdown the computer of any player I wanted, or maybe even pass a long string to NVDA, I know for a fact people would be pissed at me. They wouldn't say oh, meh, it's sending long strings. I'd have 0 players in 2 minutes if I coded the stw server to send long ass strings of data to anyone I wanted. Because it's my program still doing it, even though it's an NVDA bug. So i'm curious. What would you guys do. If I made something that could crash NVDA and throw you in a keyhook like this, would you stop playing and just completely move on? If you would stop playing, what makes the remote situation different? And the fact that I connected doesn't work either, you connected to STW. I'm hoping to get a good answer to this, because then maybe I could understand your guyses point of view.
42 not only that, but say "haha. Did it work? I just crashed your computer and guess what? restart your computer and call it a day, figure out how I crashed it." Just later, upon being threatened of this being posted, you tell us how it works. Now tel me this, wouldn't you suspect something? Wouldn't you think its strange as hell? And most of all, wouldn't you be suspicious of something else happening besides your computer doing that? Of corse you would have speculations, but nothing could be confirmed until your told by the person who did it, in this case Tyler.
I think if this happened to you, you would take a totally different approach
The reason we keep saying that it's an NVDA problem is because that's exactly what it is. Nothing more. I'm going to repeat myself again. It sucks that you lost data, but it happened, and no amount of ranting about how unacceptable it is will bring it back. You also keep saying that you didn't click allow this machine to be controlled. At no point were any of you being controlled. All that happened was your NVDA spoke a very long string which breaks things, and you had to hard reset. It seems to me that you're still trying to make this sound like a dangerous flaw in NVDA Remote, when in reality all that happened was a smart person new of a bug in NVDA and used it to cause problems for you. The exact same thing would have happened to you if he had sent you a very long message on Twitter, but because it happened through NVDA Remote, you're saying that it's different and a security flaw. You all set yourselves up for nefarious action when you connected to a publicly posted key. It doesn't matter who was connected as the controllable machine. What matters is that you were all connected to the same key, and that's not a risk you should take. You gambled, and you lost.
I think Mason wrapped it up nicely.
So let me sum this up. Please correct me if I'm missing something.
There's a publicly available key that people use with NVDa remote.
Someone connected to it. It being the publicly available key.
They exploited a bug in NVDA which caused the machine to crash.
And people are upset?
Guys. It's a publicly available key. that's like me going. Hey. Here's the key to my house. Everyone. come on over. Then I get upset because someone came in and stole some DVD's.
Way to solve this in future is simple.
Private keys.
thank you.
I just saw your post about STW. To answer your question, If I played stw, I would stop playing if you made it break our NVDA. That's similar to how I would not Remote with someone who sends me long strings in order to break NVDA. I would blame you for being a dick since you caused the problem, similar to how you blame Tyler for doing it to you. If people asked me what I thought of STW, I'd tell them that the developer likes to abuse a bug in NVDA to cause problems. They'd probably avoid playing Survive the Wild, and nothing more would happen. Just like if you were given the option to NVDA Remote with Tyler, you'd say no. You're trying to make a comparison of two things that aren't very similar. You weren't using Remote for its intended use. If you were, none of this would have happened.
I can see what you mean there. I do understand what your coming from. The only reason I continue to hold my point of view is because were talking about the dev of the add on him self. Or at least one of them. I used to do shit bogged down, but similar to this about 2 years ago on stw. Now i'm really sensitive to it. And We didn't try to gamble. We were a bunch of kids being really stupid. I think we'll have to agree to disagree. I did what I felt was right to notify everyone and I don't have to keep pushing my point for much longer. If on stw I sent a really long that, it would technically be an NVDA issue. But as soon as I get down and modify the stw server and type the comma dn/crash playername, well... And also, I am again going to ask for an in depth explination of the keyhook. If I wasn't locked in it, I could just restart NVDA. But we were licked in the NVDA Remote Keyhook. So please, if you may, explain why that is an NVDA issue? I have this feeling that if I coded something very similar for stw, i'd be fucked. And if was someone other than the dev mind you, I could report it to the dev and get on with my life. But with Q telling me to shut up 4 months ago, getting and seeing people get hacked with remote 4 months ago, and now seeing it locking me into a keyhook crashing my NVDA, i've really had enough.
Just saw your last post stargate, and I can say that is fair enough. Keep this in mind though, if we hadn't threatened the hell out of tyler, we would have thought eo this day it was a remote thing. I understand differently, however consider this from a clients point of view rather than the coders. @liam, it's wayyy more complicated. A public key, but no one connected was set to allow this machine to be controled. So actually, it would be closer to, here is the key to my house. Everyone connects, then you kick us out. We all stay standing there with a key. Then basicly, we have to think futuristic here, tylers house appeared with the key to your house in the lock. The door was then opened from the inside, with tyler pointing a gun and owned us. Strong analigy for crashed NVDA, but again I must ask... the keyhook... Remote was used for more than a method to send the string. It was also used to block us from restarting NVDA, accessing the task manager, etc etc. If I get a valid reason that was an NVDA issue, i'd love to hear it. But pleeeeeeeeaaase explain the keyhook and how that is an NVDA only issue to me.
So the topic title is total nonsense. Let me point out 2 things:
1. The nvda remote file being stored as it is can not be hidden. If you know of a way to make it hidden, please say so and Q or whatever would probably be glad to implement it.
2. This is not nvda remote's fault, it's nvda's, after all, nvda crashed.
And Tylor maybe a dick I honestly don't know and don't care, I'm sure there are dicks who have contributed to opensource projects. So you should probably change your post/topic title to something like "tylor is a total dick, proven with recording!", would be far more accurate if that's what you believe.
@49 The last time we gave suggestions to that, we were told to in a way, shut up and code something ourselves. and how about the remote KeyHook?
AudioGames.net Forum → Off-topic room → NVDA remote unsecurity prooven, recording of dev included
Generated in 0.023 seconds (60% PHP - 40% DB) with 9 queries
