
Vnc-roulette – Randomly connects to open VNC servers - allsprk
http://allsprk.koding.io/
======
tptacek
Thankfully, it's down right now.

If you knowingly tinker with a system you're not supposed to have access to
--- that is, you _either_ VNC into a system that isn't yours and see things
that a reasonable person would react to as an indication that they weren't
welcome, or that a prosecutor can claim a reasonable person would react that
way to --- you're violating the CFAA.

All current indications are that scanning the whole Internet for open VNC
systems is, if not lawful, then at least so close to the line that nobody's
going to make an issue of it.

But logging into a VNC server and poking around crosses a bright line.
Arguments about the implied welcome given by lack of a login screen will
probably not persuade a jury, let alone a prosecutor.

The idea of hooking open VNC servers up to a "roulette" game seems beyond
stupid. Maybe someone's thought about this more carefully than I have and can
explain why I'm wrong?

~~~
blazespin
Obviously deeply immoral and unethical, but illegal? No... Not unless there is
a warning that what you are doing is wrong. Maybe they are test VNC servers?
Scanning is definitely not illegal, nor immoral IMHO. Studying the Internet is
a valid exercise when done responsibly.

~~~
tptacek
I would be willing to put some money on you being very, very wrong about it
being legal to tinker with a passwordless VNC server simply because there was no
explicit warning.

~~~
jen729w
IANAL but I'd have to agree. It reminds me of the time I got money deposited
into my bank account that I knew wasn't mine. I asked my girlfriend's dad - a
lawyer - if I could keep it. Of course not, he said. It's like someone parking
their car in your driveway, he said, and leaving the keys in the ignition. Are
they trespassing on your driveway? Sure. Does that mean this car belongs to
you now and you can do with it whatever you please? Of course not.

~~~
aminorex
Nonsense. People put up open systems because they want others to enter them.
That's why public wifi is public. That's why public http servers are public.
That's why public restrooms are public. Et cetera, ad nauseam.

~~~
hobs
Just because you can enter someone's home because the door is unlocked does
not mean you are invited.

Similarly you will find that trespassing on a system you do not have
authorized use of (and no login is not implicit authorized use) is going to
get you in trouble pretty much everywhere.

~~~
alexandre_m
The difference is the degree of knowledge you have of doing something wrong
while transgressing the law.

It's like if my grandmother with Alzheimer's accidentally entered the wrong
apartment room or house where the door was unlocked. It's not like she should
go to jail or get shot by the owner pretending she was a threat.

I haven't seen the website, but if they made it really easy to enter remote
systems then someone could defend himself saying he didn't know what it was
all about.

One could probably argue that some Popcorn Time users would enter this gray
zone.

However, the providers of those kinds of services are mostly aware of the
illegality of their users' behaviour, so they are infringing the law clearly.

------
kiallmacinnes
"Oh no... allsprk.koding.io is sleeping right now. Check again a little
later?"..

I'm taking a wild guess the host (koding.io) shut this one down, I can't
imagine it takes too long to get an abuse request from an app like this..

That said - If this does what I think it does, awesome :) Maybe people will
stop exposing systems over the internet like this after 5 or 10 more of these
sites/apps?

~~~
kibibu
On free accounts, it only lasts for an hour after a deploy.

------
dblooman
I guess this is using masscan, pretty interesting how many power station type
mainframes/servers there are

------
edcastro
This is either fake or people have way too little sense of software visuals.
Some of the stuff that's appearing is downright nasty.

------
ntumlin
How legal is this?

~~~
pearjuice
As legal as walking into someone's house who didn't lock the door.

~~~
bottled_poe
It's more like entering an office or shop which didn't lock the door. Anyway,
it's a loose analogy.

------
ourmandave
Why would anyone leave a passwordless VNC server accessible to the internet?

~~~
Zuider
It is similar to the lack of oversight where people leave security cameras
open to the internet. Sometimes it is even possible to control the cameras.

------
dreen
This is amazing, I wonder how many of these machines are out there.

~~~
phatfish
These guys will tell you:
[https://www.youtube.com/watch?v=UOWexFaRylM](https://www.youtube.com/watch?v=UOWexFaRylM)

It is trivial to scan the whole IPv4 address space. I think the guys in this
video did it in 40 mins or so while presenting.

