Hacker News new | past | comments | ask | show | jobs | submit login
VNC Roulette (vncroulette.com)
478 points by rwmj on Mar 26, 2016 | hide | past | web | favorite | 282 comments



So... what does this mean? I mean, if there are so many hydropower plans et al vulnerable for VNC, how come we didn't have some major catastrophe? Is it simply more common to have a "read only" VNC vulnerability? (which is still a huge problem). Is VNC by default not password protected for read only viewing (and requires password for taking control?) Obviously nothing should be password-less by default, and should not have a "changeit" password (I'm looking at you glassfish) but I really hope that even if VNC lets you be in "guest view only mode" without a password by just knowing an IP (who does that?!) then at least I hope they still require a password to also take control, right? please tell me they do. (otherwise I'll be surprised we are all still alive to be honest)

I mean there are some controls there that I'm sure if the wrong person pushes that red button, something will go kaboom.

And there is no shortage of people out there who would not think twice to blow things up.

So yes, this is scary, but also makes me be very surprised that statistically we are probably not supposed to be alive by now if so many critical control systems have VNC exposed like that in a way that allows full control on the system and not just viewing.

Perhaps it's just selection bias, if the world have ended by now then I would be able to type this.

But still seriously, with all these screenshots, I assume this is not something new, so how come I didn't hear yet on a major real world damage due to a VNC vulnerability?

Is this really most likely to be a read only privacy issue? (which is not to be taken lightly, but not the same as being able to press "shutdown" on some power plant controls)


And there is no shortage of people out there who would not think twice to blow things up.

I think this may be the essential flaw in the logic that says we should be dead by now. Maybe there is a shortage of people who want to blow things up without thinking.


Agreed. Given that airports have been closed because of an empty cardboard box with BOMB written in marker, if a lot of people wanted to mess up with everybody else they could have done so easily.


Hah! People always say this sort of stuff, and while I don't believe it, I could never come up with an answer simpler than "go read that Better Angels book." I never looked at it like that before. I am going to use this line now, I hope you don't mind!


I think survivorship bias is the central flaw in "why aren't we dead by now". If survival depends on an event not occurring, I'd be extra careful in estimating its odds.


How many nuclear power plants have been blown up by hackers? For whatever reason, civilizations suffer incredibly small damage relative the amount of technical insecurity. The worst destruction comes from large scale war, not attacks.


That only seems to apply to "why wasn't I hit by a SCADA exploit". Unless an exploit that affects everyone in one fell swoop is given a material likelihood.


And, if elected president, I will do something about this shortage.


Well depends how you define shortage. Every single ISIS member probably would be happy to save a trip and blow himself up and just click a button.


Judging by the continuous stream of people convicted for buying what they think are explosives from undercover FBI agents posing as jihadists, there are a lot of people that want to blow things up. Or take the 53,000 to 258,000 people that are estimated to be part of ISIS's military forces and allied groups. Thankfully, most of them are pretty stupid, but there are also plenty of highly educated terrorists and they tend to be engineers.

The flaw in the argument is likely GP's inference that "there are some controls there that I'm sure if the wrong person pushes that red button, something will go kaboom." Critical infrastructure tends to be better engineered than that. Cybersecurity threats are newer, less widely understood, and inadequately guarded against, but human error is an age-old problem.


> Judging by the continuous stream of people convicted for buying what they think are explosives from undercover FBI agents posing as jihadists, there are a lot of people that want to blow things up.

Well. If it were the case that there are lots of people trying to buy explosives from fbi agents posing as jihadists, I would go so far as to conclude that there are a lot of people who want _the ability_ to blow things up.

If there were a lot more office bombings, infrastructure bombings, etc, then I would agree that there appear to be a lot of people who want to actually blow things up.


In these cases, there's always a clear intention to carry out an attack. Here's one such case: http://www.npr.org/sections/thetwo-way/2015/01/14/377287190/...

By running these stings, the FBI has made it very hard for real terrorist plotters to get in contact with real would-be foot-soldiers. If someone agrees to carry out a bombing when a fake terrorist is asking, what makes you think they wouldn't do it when a real terrorist asks?


There's also this: "For months, the FBI used a confidential source to get close to Cornell, who allegedly said he wanted to hatch a plot inside the U.S."

"Get close to" in law enforcement parlance means "encourage criminal activity". If you read the details in these court cases, you repeatedly see an almost universal pattern of activity on the part of law enforcement to egg their targets on towards the criminal act. Drug "dealers" hassled for months to purchase LSD and repeatedly being told "no", only to finally give in and then get arrested. "Terrorists" being repeatedly contacted by informants or agents and plugged pro-terrorist encouragements for months until they agree to a part in some kind of "plot".

You have to remember that the vast majority of people won't take action by themselves. Even the crazy people that want to blow something up won't go out of their way to do it. It's the leaders you should be worried about. People that coordinate or incite others. Part of my career as an infantryman involved "riot police" training. The number one thing for arrest teams to do is to isolate and detain the people inciting the others. And this is why the powers that be are so hungry for mass surveillance: It's actually pretty easy to make giant relationship graphs of these networks to find the leaders. Remember the military talking about dropping five hundred pound bombs on phone numbers? They don't know who the person is, but they know he's a leader. Those people are easy to identify with enough information (and no, they don't need to unlock our iPhones to get at it).

It is in their best interest to keep pushing this idea that any random anti-government person is capable of an Oklahoma City bombing. The fact is, they're not.


How do you tell apart encouragement of activity that a person wouldn't otherwise do and getting a person to trust you enough?

> Drug "dealers" hassled for months to purchase LSD and repeatedly being told "no", only to finally give in and then get arrested.

That sounds exactly like pretty real dealers I know, who don't sell to people until they think they know them.


OK, does that sound like the FBI's marketed image of a guy hanging around a playground giving out free samples to get kids hooked? They pick people who aren't dealers, and pressure them into dealing.


Exactly! Because that is what our system incentivizes! Those law enforcement and intelligence organizations have grotesquely enormous budgets and let's face it: They are shit-awful at stopping legitimate threats. That means they need to offset that terrible lack of efficiency with some number of "busts", even if they involve people that otherwise wouldn't be "dealers" or "terrorists" without the police egging them on. There is a huge incentive to go out and find dealers and terrorists, even in places where there actually aren't any.


>"Get close to" in law enforcement parlance means "encourage criminal activity". If you read the details in these court cases, you repeatedly see an almost universal pattern of activity on the part of law enforcement to egg their targets on towards the criminal act.

Do you think that real terrorist plotters just ask nicely once and then leave you alone?

Also, we're talking about mass murder here, not selling some acid. Maybe you're right about some of these drug cases crossing over into entrapment. A lot of people feel that drugs "aren't that bad" and if a friend bugged them enough, maybe they would try to find some. I don't know the facts sufficiently to conclude either way. But that's not what we're talking about here.


Pretty much anyone can be turned into a killer with enough peer pressure. See also: the concept of war


Right. It's all about people with power targeting people susceptible to those kinds of pressures. We have this habit in the developed world of shunning and shutting out people that are in or have been to prison. But you would do well to talk to those kinds of people. Our justice system takes the word of law enforcement over anyone else. That is a pretty precarious amount of trust in what is nothing more than another human being.

"Out of the crooked timber of humanity, no straight thing was ever made."


That's a myth. The FBI radicalizes mentally unstable people (which frankly most people are to some extent) (where radicalize means basically getting to say the kind of shit people spam Facebook and reddit with all the time) and then arrest them. The reality is vanishingly few people are both radical and have any notion of initiative and means to perpetrate an attack.


They target people who have said things online or in person, or have met with certain people, indicating their support for terrorism. Voicing support for terrorism is not illegal in this country, so you're totally wrong that that's what they're arresting people for. They then run the sting to see if the person is willing to carry out an attack, and takes concrete action toward that, like acquiring "explosives" or guns. At that point, they're guilty of a conspiracy.

How would a real terrorist find recruits inside a Western country? They'd find people that posted something indicating their support, and then they'd try to talk them and coach them into carrying out attack.


People do all kinds of things under peer pressure and coercion they wouldn't do otherwise

There's plenty of stories of tptb totally overstepping the bounds of peer pressure and coercion. I'd even argue that most people will choose to follow the crowd to fit in, not rock the boat, rather than go against their peers.


>People do all kinds of things under peer pressure and coercion they wouldn't do otherwise

So should we wait for the real terrorists to apply this "peer pressure and coercion" instead?

We're talking about mass murder here, not pushing a little dope. Under what possible logic is an FBI agent able to convince someone to kill people, but a real terrorist isn't?


The only conclusion we can draw is that there are more FBI agents in a given part of the US than real terrorist recruiters. FBI agents also have training in persuasion (watch a segment from Last Week Tonight about interrogation to see an example).

As other comments have suggested, there are plenty of "ordinary" people who could easily be radicalized if 5/6 of their friends were actually agents telling them they had to do something for God and Country. We don't round them up in stings because they function just fine in society with nobody trying to push them over the edge. What the FBI is doing is entrapment.

Have any of the attacks in the US since 9/11 been caused by people recruited on the ground in the manner used by the FBI stings? No, they come from people acting spontaneously. The challenge isn't recruiters on the ground, it's extremist ideology. And FBI entrapment fuels that ideology, rather than tempering it.


>Have any of the attacks in the US since 9/11 been caused by people recruited on the ground in the manner used by the FBI stings?

There have been way more attacks in Europe, and people have been recruited with those tactics. Coincidentally, these kinds of sting operations aren't very common in Europe, and are even banned in many countries. If we want to win this battle, there's no room for bleeding-hearts. We must be methodical, cunning, and ruthless against those who would kill us.

This same bleeding-heart attitude is what leads to people serving a measly four years in prison for shooting at police officers with an AK-47 while trying to get away after committing a bank robbery. No one should be surprised that this same person was one of the Brussels bombers.

>The older brother, Ibrahim el-Bakraoui, robbed a Western Union branch in Brussels in 2010, spraying gunfire at police from a Kalashnikov as he attempted to flee, according to his lawyer at the time and government officials. Mr. Bakraoui was caught and sentenced to 10 years in prison. In 2014, he was released with an obligation to contact his parole officer once a month.

(http://www.wsj.com/articles/belgium-rues-missed-terror-signs...)


In discussions like this I always think of an episode of Star Trek TNG, "Hero Worship", that is a metaphor for human antagonism. https://en.wikipedia.org/wiki/Hero_Worship_%28Star_Trek:_The...

> Then, a shock wave hits the Enterprise and Timothy says that his ship was also hit by a shock wave. Picard tells Worf to raise shields but a new shock wave is even stronger than the first one. More power is diverted to the shields and another wave hits and is even stronger. Picard and Geordi discuss putting the energy of the warp engine to the shields. Timothy states that is what they said on his ship.

> Data suddenly asks Picard to lower shields and Worf does so. The next shock wave is harmless and the Enterprise is safe. Data realized that giving energy to the shields caused even heavier shock waves (the more power the ship generated, the heavier the shock), and these were ultimately responsible for the destruction of Timothy's ship.

The lesson learned is that a strong and more vicious front may be met by an even stronger response. Obviously analogies and metaphors are only illustrations, not arguments, but judging from what I know of human nature amidst intense opposition, I don't think that a "ruthless" approach will do anything but breed more ruthlessness.


I loved TNG, but it is also one of the most outrageously politically correct and moral relativist shows I've ever watched. And Voyager was even worse. One particularly sorry episode featured Janeway willing to sacrifice members of her crew, just to avoid turning off a holodeck that spawned interesting characters. In another episode, the captain would again rather let crewman die than use a medical treatment derived from historical unethical research. One episode of TNG comes to mind, where Picard is unwilling to beam a kid from his crew out of prison on some ass backwards totalitarian planet, where they are planning to execute him, because of the prime directive and "respect for their laws". Are you kidding me? Of course in the show, there's always some deus ex machina that saves the day and none of the good guys have to die. In fiction, you can have your cake and eat it too. In real life, bad decisions have real consequences, like people dying.

Another line comes to mind now, where Picard wonders in amazement about how silly we were to let differences about "economic systems" drive us apart during the Cold War. Star Trek is like the poster child for wishy-washy moral relativism.

I'll take my political and moral cues from reality, not fun scifi shows written by an eccentric with a political agenda.


I'm sick and tired of this "realpolitik" bull. The reason we can't have nice things is because people give up on trying to have nice things. It's this bizarre combination of defeatism and selfishness that leads to bad foreign policy decisions and people dying.

I already pointed out that I was using TNG as an illustration, not an argument. But if you want reality, here's reality: people get pissed off when you attack and marginalize them and their friends and family. It's the role of the greater power to deescalate and try to integrate the oppressed, not wipe them out. Reality is that ruthlessness begets ruthlessness, and if your best counterargument to that is to call a TV show "wishy-washy", then you already know it's true.


Yeah, the issue has existed for years and is widely documented in the security community. There are a few reasons why we haven't seen more widespread chaos:

1. Lack of network visibility by the owners of ICS

2. Availability > Forensics

3. VNC interfaces don't always provide full access

And keep in mind that there aren't a huge number of these anonymous VNC instances to begin with. We're talking less than 10,000 instances of servers that don't have any authentication and only a fraction of them are ICS-related.

I've written/ presented on the topic a few times, see:

https://blog.shodan.io/taking-things-offline-is-hard/

https://blog.shodan.io/why-control-systems-are-on-the-intern...

https://blog.shodan.io/state-of-control-systems-in-the-usa-2...


It's important to understand that VNC is an open standard implemented by hundreds of different client and server packages. VNC does specify a password-authentication mechanism, but whether or not it's used, or how it's used, is entirely up to the implementation. Likewise with whether or not clients have control of the mouse and keyboard.

Historically, open VNC servers have been relatively difficult to find. I don't really mean difficult, just that you had to put some concerted effort into it and very few people did. It's a reasonably modern phenomenon that things like Shodan and other large-scale network scans (including accidental ones, like Google sometimes) can be used to quickly find them, and it's quite recent that someone has nicely packaged it into a website. So this is a problem with very little visibility until today. And it still doesn't really have that much visibility in the right place, which is the somewhat insular ICS industry (and a couple dozen other industries to a lesser extent).

SCADA HMIs and other ICS systems of that sort do often expose a VNC interface with no mouse and keyboard control - effectively a 'read-only' interface as you say. This is certainly less of a concern than allowing people on the internet control, but it is a significant and unnecessary security exposure. The kind of information revealed there can be very helpful to an adversary in finding a way to gain control.

In most cases, access to change configuration is protected, although it's often not protected well. I expect common vandalism against internet-exposed ICS to become more and more common going forward. In most cases it doesn't really have the potential to cause permanent damage, only reduced productivity or mere irritation to the real operators. This is not always the case, though. Idaho National Laboratories conducted a notable demonstration of causing permanent and disabling damage to a diesel generator via unauthorized access to a SCADA interface (the Aurora demonstration).


FYI: Websites like this have actually existed since late 2013 when Paul McMillan scanned the Internet for VNC images live during his talk and made the results available via a website in real-time. He did it again in 2014 at Defcon together with Dan Tentler and Rob Graham. Later that year people at CCC released a VNC roulette and they did the same again in 2015. And Shodan has been grabbing VNC images as well since 2014, made available at https://images.shodan.io


I consider this timeframe to be quite recent, for the reason that most of these systems, in ICS especially, have been installed for quite a bit longer. One of the biggest problems in that industry, as I'm sure you're aware, is the relatively very long lifecycle of equipment, and low rate of in-the-field updates.


Yes, you're right. Compared to how long these systems have actually been connected to the Internet it's only recently that we've started measuring the extent of their exposure.


http://arstechnica.com/security/2016/01/analysis-confirms-co...

Not saying VNC is to blame, but there are a number of folks very gravely concerned about the insecurity of most SCADA systems. When your infrastructure and operations are built on hardware and software expected to last 30+ years, it's hard to consider the security implications so far out.


I think it is unreasonable to expect networked software to stay secure for that long. If it isn't networked in any way then sure, that might work but then again, 30 years is a long time.

Adding remote software control to physical things like water treatment and electrical systems adds a lot of convenience, safety, and saves loads of money but perhaps some of that savings should be spent on more vigilance in regards to security.


> if there are so many hydropower plans et al vulnerable for VNC, how come we didn't have some major catastrophe?

> And there is no shortage of people out there who would not think twice to blow things up.

From my observation, those people tend to be those that care more about doing "flashy" things (i.e. be seen), rather than solving problems and bypassing protections. People that get access to important systems or acquire the skills to mess things up tend to be satisfied by having solved a puzzle and being able to mess things up.


But surely some of ill intent have thought to put the two together in the same room?


Of course, some have. See Stuxnet (actually somewhat serious). The point is that this intersection is fairly small and only a fraction of compromised systems will actually get things messed up.


I hope I'm wrong but I feel that if a group like ISIS could do some major damage using a click of s button, then they would. And they are probably actively trying.

They can kidnap / recruit hackers and force them / brainwash them into doing anything.

They are not stupid and we saw they have no red lines. Instead of banning encryption the FBI and Interpol should force dangerous infrastructure to close their security gaps first.


I just browsed around a bit (with a VNC client) and while most are closed now maybe about one out of five-ten are still open. And they are not just read-only access. Some of them are demo systems though.


I didn't even know read-only vnc was a thing, and I feel a lot less mortified about the various control panels with instrument status we're seeing. I dont give a crap if the wider Internet can see the temperature of the walk-in fridge at the lab.


some are read only, some are full control access but the local user has to authorise, and some are full control with password.


I just found a PracticeFusion machine at a pediatrics' office, with patient names, addresses and dates of birth. Not quite the same scale as taking down a dam, but I would surely be unhappy if my daughter's credit score tanked before her age hit single digits.


I guess it's just luck that no mischief-maker has gone and tried to do as much damage as possible.


I just spent two hours trying to get in contact with the owner of a small Swedish hydropower plant that had an open vnc connection, where anyone could turn on/off generators, open the damn completely etc.

Once I got in contact with him, this is the conversation we had:

1. I explain the critical situation

2. he pretends there's a bad reception and ask for my number and quickly says 'I'll call you tomorrow'

3. I explain that I am not trying to sell him anything and that I spent 2 hours to find him to tell him about how anyone can control his powerplant

4. He nonchalantly ignores my warning and says "I have two powerplants that you can control like this, nothing to worry about."

5. I try to explain that a LARGE group of people now know about his powerplant and that I could garantuee that people will login and tamper with it

6. "Hmm, it is a really bad reception here right now, i'll call you tomorrow.'

7. Click

What the actual fuck!


If the hydropower plant that is referenced here is "Nordansjö Kraftverk" - then it's been fixed yesterday, through a tipoff to CERT-SE at MSB (Swedish Civil Contingencies Agency).


Mind pming the phone through Twitter? Maybe I can help, I'll try to call. My handle is @fallenshell.


Get his attention. Open the Damn! :)


Naah, will not do that.

People in Sweden made that joke as well. Kind of worried I will get in trouble legally because of this. If there is gonna be any issues with the damm, he will probably blame me. :(


Should have recorded the call, if he said that is not a problem then I guess it's like you're not trespassing at all.


Your periodic reminder that under US law, you do not have to somehow get past a login page to be exceeding authorized access to a computer system. A prosecutor needs only to show that a reasonable person, looking at the same computer system, would have known they had no authorized access to it.

That makes things like this a pretty bad idea. At least, in the US.


By any chance, do you know what's the legal status of, say, shodan.io in US?

If the screenshots weren't reviewed - or, worse, hand-picked - by a human, but fetched in completely automated and unsupervised manner, then it's essentially the same as any other crawler bot (like Shodan or even Google/Bing) does. Connecting to random public services running on globally-routeable addresses and politely asking them what they do (then storing the result) can be argued to be perfectly legal.


The technical details don't much matter. What matters is what the users do with it, and whether their uses can be shown, by a prosecutor, to represent the kind of access that a reasonable person looking at the same computer system would know was not authorized.


I don't even live in the US and I cleared my cache after looking at one of the pages.


To be fair to the post, and anyone viewing the page, all you're seeing is a screenshot of what I am assuming a bot or crawler made when it successfully connected to various IPs over port 5900.


Still, I don't like having a screenshot of people's addresses from a health database on my computer.


at this moment we got 91 reports from random companies claiming we breached their networks, i guess they gonna force us to take it down since they are so fucking stupid to add a 8 digits password to their vnc server! lolz


Taking it down is probably a very good idea, especially if anyone involved in it is subject to US law.


I think you don't understand tptacek's remark. It doesn't matter if they have setup passwords or not.


It is quite apparent that he most likely isn't an American and is well aware of what he's doing.


There seems to be an accompanying blog post: http://hahasecurity.blogspot.com/2016/03/hack-millions-of-de...


I saw patient data for a some healthcare provider (including patient date of birth, phone # and addresses) and corporate emails that are obviously not intended to be public. Wow

EDIT: It looks like a pediatrician's practice too - so all those patients are children. And all their information is just out there in the open....this doctor needs to be contacted asap and secure their system.


I think I saw the same one, seems to be a place near LA. Pretty scary stuff.


Today I learned that Chinese (Japanese?) character support in terminals looks way cooler than western fonts[1].

http://vncroulette.com/images/115.218.120.95.jpg


Each character is a 16*16 dot matrix encoded by the 16-bit integer. Old systems (from the beginning of IBM compatibles until early 1990-ish) had hardware accelerators if they wanted to use multiple fonts, IIRC one of the few breakthrough products made by Lenovo.


This was definitely a cool one. If you were wondering, this is a makeup kiosk POS machine in Shenzhen.


I know it means point of sales, but i keep reading it as piece of shit...


Then you will enjoy learning about hardware Chinese character generators: https://en.wikipedia.org/wiki/Cangjie_input_method#Early_Can...

This one synthesized characters from geometric decomposition (and not a completely artificial one either, but Cangjie which is actually widely used to this day for computer text entry).

The stored data representation exactly matched the input form (perhaps not so surprising to users of ASCII).

Amazing stuff.


It seems Japanese to me. Nice..


Thing is that Japan has 3 systems they use, chinese characters, their own characters, and latin characters. Makes for one heck of a learning curve.


Its Chinese.


Agree that it's simultaneously fascinating and alarming.

Does anyone know what exactly this is?: http://vncroulette.com/images/176.64.166.110.jpg


It's in Swedish, looks like a status display for the post-combustion part (smoke cleaning) of some industrial process, maybe cement production?

The worst one I've found so far is this

http://vncroulette.com/images/85.117.223.103.jpg

which appears to be controls for a small hydropower plant, also in Sweden.

A few other bad ones I spotted include lots of industrial refrigerators, small scale wind power (mainly German), an oil futures trading platform, a fire & gas alarm system control, and someone's Outlook open with some customer complaint emails.

Edit: oh, and there was a Tesco checkout register (although closed).


http://vncroulette.com/images/90.16.192.69.jpg

This seems like a French hydroelectric plant :/


Looks like that one also has start/stop controls (yellow square buttons top, left of centre)...



> Trust Chemists & Druggists

Well, not any more I don't...


This one seems like bunch of tanks attached to a pressure gauge. http://vncroulette.com/images/96.1.27.254.jpg



The checking subsystem of a Chilean flour factory it seems.


Did you contact the owners of the hydropower? May be a good idea.


Be aware some of these images have dates from >1 year ago. It might have been fixed a while ago.


There is also a browser with someone's facebook open.


Did you contact them?


account's last post was in May 2015 unfortunately


try cranking it up to 110%


http://vncroulette.com/index.php?picture=87

"Please secure your VNC!"

EDIT: Also: http://vncroulette.com/index.php?picture=270

"Upgrade your VNC Server license in order to benefit from premium security features ..." "An anonymous user has connected. Number of connected users: 1"


The second one has also TeamViewer for, you know, extra security features.


http://vncroulette.com/index.php?picture=193

I'm glad this screen is sanitized regularly.


I've seen this in airport toilets before


For those who havn't seen Dan's talks before: https://www.youtube.com/watch?v=5cWck_xcH64


Some of the things he found would allow a malicious person to do some real damage, that part is terrifying. But it's also really funny, so I'll go with that.


As the Germans call it, schadenfreude.


Weeeeell, if somebody turned of the cooling of a warehouse full of shrimp, that would be kind of funny (except for the poor people who live downwind and have to cope with the smell...).

If somebody turned off the backup power supply of a hospital, that would be slightly less funny.

(Full disclosure: I am a native German speaker, so the concept of Schadenfreude is quite familiar... even though I try to refrain from enjoying others' misfortunes, unless they were really, really asking for it, for example by hooking up their shrimp warehouse's climate system to the Internet without even password protection...)


Amazing. Terrifying.


Really enjoyed this talk.

Horrifying, though.


What unfortunate timing for this poor guy who is now forever captured having dissapointed his client: http://vncroulette.com/images/14.97.72.37.jpg



"is a fake SQL injection error page" https://twitter.com/1x0123/status/713879106614636545


is fake error generated in the php we are runing , we have so many hacking attempts like this , & even our site don't have a SQL database is runing on flat files as a server ! thanks for your point


Oh =)


How terribly ironic.


Hah, a SQL error. SQL injection vulnerable?


Oh God, haha. I also have that reflex of putting 's everywhere in URLs. I've found lots of surprises, but not many, to be honest. Not even 0.1% of times I've tried.


Sounds like a good idea for a chrome extension


Found a big honkin' list of patients, with names, dates of birth and addresses: http://i.imgur.com/VYRgP20.jpg (image has information redacted).

If we want to raise awareness of this issue, this might be an appropriate use of "won't somebody please think of the children".


http://vncroulette.com/images/194.218.45.214.jpg this one is rather interesting.


It's Swedish. Heading says "Main menu" and the boxes seem to be rooms marked "freezer" and "cooler/freezer" as well as "freeze house". Upper left you've got the outside temperature.


It's scary, like a SCADA cpanel.


It is. This one seems to be some kind of electrical station:

http://vncroulette.com/index.php?picture=10


That's from Telefonica. It could be related to cable TV.


Looks like these URLs are not permalinks. Yesterday, this URL was showing something with two electrical pylon icons and rather large numbers like 9,000 kWh. Today, it's changed to some TV thing like you said.


A personal class electric counter panel ?


Huvudmeny: Main Menu

Frysrum: Freezer

Maskinrum: Engine

Fryshus: Cold Storage


"Rum" is room, so maskinrum = engine room, etc.


We need to change the name of IoT to IoZ (Internet of Zombies) because most of them will end up as zombie in someones botnet.


Internet of someone else's things.


http://vncroulette.com/index.php?picture=7

The horn button on this one is tempting. Not "go commit a felony" tempting, but still.

http://vncroulette.com/index.php?picture=17

That one looks to have some root term open.


This isn't roulette. It's a slideshow.


this is not a honeypot is for research stuff & to bring a security awareness, please contact me at twitter.com/1x0123 if you found something should be remove from the site


http://vncroulette.com/index.php?picture=1%27

Poster above noted an implied SQL injection vulnerability in your site. Somewhat ironic, eh?



One moment, We are checking your browser to verify that you are not a bot.....

Couldn't get passed that.


I wonder how many installs date from before the facility was put online, or are online because someone plugged something in that acts as a router without anyone's knowledge.

Meaning that this happened over years, if not decades, because admin A left and admin B was not informed that some box somewhere is serving up something for the general internet net to see.


I see things that look alarmingly like industrial control. Who leaves wide open unpassworded VNC?


I can only guess it's people who think of their IP as a password. Like, who's going to guess the IP, right.


I have to ask, how does one come across such open servers? Do you just try common ports on random IP addresses until you find one that works?


There are only 4 billion IPV4 addresses. Just iterate port 5900 until you get a response, bam, VNC server.


Shodan has been keeping track of publicly accessible control systems for several years now and you can use the search engine to identify them. As a starting point check out: https://www.shodan.io/explore/category/industrial-control-sy...


Shodan.io is pretty good index of open ports on the internet


another, newer alternative is https://github.com/robertdavidgraham/masscan

note that doing this is a very good way to get angry letters from your ISP


Look up Zmap


> I see things that look alarmingly like industrial control. Who leaves wide open unpassworded VNC?

Apparently tons and tons of people!


This post is terrifying.


Considering how many are a readout, I'm imagining they're read-only and are a shortcut on some other desktop to check the temperature and pressure of their gizmos.

Honestly, read-only public makes sense for that. What do I care if somebody can see the position of my overhead crane?


This often happens accidentally.


Could be a research or decoy honeypot.


Sad and fascinating. Couldn't stop clicking. Way to go San Jose State, getting in there three times is an achievement.


I think we need some sort of awareness day for the general public to understand what internet security _really_ is. Whenever I see news reports, it's always cast as "hackers broke in to..." such and such. Yet if some brick-and-mortar business is robbed because the owner left the front door unlocked, people would rightfully put the onus mostly on the store owner.

EDIT: Wow. I'm being modded into the basement. When did Hacker News become so PC? Victim-blaming? Seriously? The VNC connections illustrated on this site are that way because of incompetence and ignorance. The reason there are no unlocked brick-and-mortar businesses is because it is due diligence to protect one's assets from not just criminals, but simple mischief.


> Wow. I'm being modded into the basement. When did Hacker News become so PC? Victim-blaming? Seriously?

It breaks the HN guidelines to do this in comments here, so please don't.

https://news.ycombinator.com/newsguidelines.html


Ah. Thanks for the link. I wasn't aware of that.

Will modify future behaviour :)


If only everyone would make it so easy :)


> Yet if some brick-and-mortar business is robbed because the owner left the front door unlocked, people would rightfully put the onus mostly on the store owner.

No, there were days when people did not even lock their cars and their houses (but maybe you are too young to have known that time where you live) because it was not expected that anyone would actually rob anything. Especially in communities where everyone knew everyone else. And if a robbery happened, the blame would still have been put on the thief, not the owner.


This is a sensible argument, but here is my counterpoint.

Such situation rely on mutual trust, and only work on small scales (village, loose neighborhood). On the Internet, there are billions of people that live close by.

I think the main discrepancy is that people really do not understand either that the Internet connect them to everyone or how vast the world really is.


there were days when people did not even lock their cars and their houses

These are still are such days. There still are thousands of communities, even in California, where you can get away with this. The difference is not time but population density. There was probably never a time when you could leave your home unlocked and unguarded in urban cities.


Roman poets and everyday people's curses demonstrate the need for security two millennia ago, even.


>>The difference is not time but population density. There was probably never a time when you could leave your home unlocked and unguarded in urban cities.

There was and not so long ago (e.g. 40 years ago in Portugal or Poland. Probably many other countries). So I would change your statement:

The difference is not time but population density and specially politics/religion.


What did those people have that was worth stealing ? Plates, spoons and linen.



In Geneva or Zurich, it was until very recently. Even now you probably will get away with it (not recommended, though).


I'm 46, and yes I remember those days. In fact I live in Canada, and in my neighbourhood it is not uncommon for people to leave their doors unlocked. But if I lived in a different neighbourhood with a high crime rate, my doors would not only be locked, but probably bolted and an alarm system would be set every time I left the building.

The burden and responsibility to protect my home is mine. This isn't an either/or as to who to blame, it's a both/and. So back to the link. If you have a high-value service like an electrical grid, or dam, or nuclear plant that is open to the Internet (the most crime-ridden neighbourhood on the planet), do you really honesty think the media's typical response of "hackers broke in to..." is the correct narrative?


> do you really honesty think the media's typical response of "hackers broke in to..." is the correct narrative?

Of course it isn't, but when did media stop at that ? Link baits and ad revenue are more tempting then integrity.

Freedom of press, monetization and responsibility - pick two.


I pick number four: education. Which goes back to my point, that we need some sort of public awareness day on what Internet security _really_ is, or something - I don't really care what it is - to change the narrative. Otherwise we're going to have some huge disaster to some major infrastructure because of an unprotected remote connection like the article shows, and the company that committed it will likely cover up the cause.


People make well-meaning assumptions about security. For example, most of the oscilloscopes that we use at work have remote access turned on with a trivial password (the scopes themselves run windows, and have a VNC server installed [1]).

If you go read Tektronix's instructions - their screenshots show "no authentication" selected.

This itself isn't really an issue, since the networks that we're connecting these to are isolated, inbound-only lab networks. We know that. Our lab admins know that. The network security guys know that. There are exceptions filed for the IPs of these devices.

However, if someone ever -changed- that network configuration and opened it up to the rest of the corporate network (or for some terrible reason, the internet), those scopes would be just as ripe for takedown as the stuff shown in TFA.

It just takes that small network change to enable something -else- to access the WWW (code download for security updates, anyone?) that exposes our other items on the network. In fact, I can think of several reasons why someone might expose a VNC:

1. Actual remote control -within- a facility, but probably in the deployment guide says "use a secure network"

2. Someone wrote a cool Web GUI to "modernize" something, and used VNC (undocumented and poorly-configured) to pull off what they pulled off

3. Someone exposed a subnet to the internet to enable remote access for something -else- which was probably properly-secured, but happened to -also- expose the thing hosting the VNC server.

[1] http://www.tek.com/support/faqs/how-do-you-set-vnc-dpo7000-d...


I live in one of the largest cities in Finland, and I routinely see people leave their bicycles unlocked in the town center, because bike theft is so rare that most people don't worry about it, or only take minimal precautions.

Meanwhile, in my tiny town in the States bike theft was basically the single most common form of crime, and I know of one house I would walk by every week that would openly have as many as half-a-dozen stolen bikes displayed for sale in their front yard.


About 4000 bikes were stolen in Helsinki ([0], pop. 600k) in 2014. This is about the same number as in the city I live in (Germany, around the same population), where I'd never leave a bike unlocked, and where bike theft is considered a problem. Though I am sure there are places where it's much worse, and conversely that it's much better in other cities in Finland.

[0] http://www.helsinkitimes.fi/finland/finland-news/domestic/10...


In Japan street crime is very low but both bicycles and umbrellas are 'borrowed' on a routine basis. Kind of like an informal bike sharing system. Consequently most bicycles are of the $80 made in China variety.


Here in Canberra Australia I would regularly come back to my bike to find new marks in the plastic around my chain where somebody had tried to cut through. Your chain has to go through both wheels if you have quick release on the front, and you can't leave any clip on lights or your water bottle or it will be gone.

A few years ago I watched a junky go from bike to bike in a bike rack testing each lock to see if it would open easily. Right in plain view of everybody. When I confronted him he launched into some long and carefully rehearsed sob story about how his friend told him to come and get his bike but didn't know which one it was.


I actually accidentally left my bike beside a busy street last night here in Seoul unlocked. I went back and got it today (Sunday night) and not a single person had touched it.

I don't think that it's population density as much as the shared culture of the place you live. I would have totally blamed myself if my bike wasn't there today, and I think it would be stupid to blame anyone else.


Density, shared culture, and perhaps a functioning social services. Thus there is less of a incentive for petty crime, as basic needs are covered via less risky means.


I wouldn't leave my bike unlocked in Helsinki. Just last year my bike was stolen near the Parliament house (Kiasma) even though it was locked to the stand.


You most likely do not live in Helsinki or anywhere near so called "pk-seutu".


Meanwhile in Jyvaskyla on the JAMK student facebook page :

"Hi everyone, my bike is stolen last week. If you see it anywhere please text me! Thanks !"


> No, there were days when people did not even lock their cars and their houses

That must have been an extremely long time ago: http://www.ancientresource.com/lots/roman/romankeys_locks.ht...


Just because locks have existed for thousands of years doesn't mean they are used everywhere. When I lived on the countryside in Australia we didn't lock the doors. That's not "an extremely long time ago" ;)


> When I lived on the countryside in Australia we didn't lock the doors.

Well of course you don't; the robbers die while still crossing the perilous deserts and/or trying to avoid lethal wildlife.


> That must have been an extremely long time ago: http://www.ancientresource.com/lots/roman/romankeys_locks.ht....

Nope. I can tell there are still people alive these days who remember that this was still the case in most places of Western Europe.


Most often people had nothing to steal and often couldn't afford good locks anyway. When the last of my grandparents 13 kids left the house and they actually started to have enough money to buy nice stuff, they also bought and used a lock.


> people did not even lock their cars and their houses

when you have nothing worth stealing, it is not worth investing in security


While I agree with the sentiment for physical objects it doesn't apply to things connected to the Internet. An old "smart" TV may have no resale value whatsoever but that doesn't mean it has no value from an attacker's perspective.

From the attacker's perspective something like a connected smart TV has extremely high value as a mechanism for further penetrating a network. Black boxes that no one can login to under normal circumstances are the perfect secret strongholds to maintain a persistent presence on any given network.


These days still exist. And nearby some people even leave their keys on the cars. However, in a city, you just can't do it. Too many risks and people barely know each other.

Now comes the Internet. It's a huge giga-city. Expect robbery, larceny, hacking, and more.


Not only that, it's a huge, almost anonymous city...


That not locking the door stuff was simply because back then people didn't fetish objects, and also because they were too poor to have anything worth stealing. Rich people always made sure their stuff was protected (from the poor).


But do we blame Google when their robot indexes some completely unprotected webpage that the host owner didn't mean to be public but haven't did anything to claim so?


This is more a feature of location than time. There are still locations where unlocked doors are the norm.

FWIW, crime rates have been monotonically decreasing for a long time.


> I think we need some sort of awareness day for the general public to understand what internet security _really_ is.

Nope. This would never work. People don't understand how much of it works. Taking a day out of the year to explain / re-explain isn't going to do a single thing. Instead you need to make computer classes mandatory in K-12 and get people educated on how they work so they can understand the issues.

Take a topic you know absolutely nothing about. Let's say it's aerospace. Now every year we have an aerospace day to try and explain to you how various types of fan and jet engines work. You certainly wouldn't expect everyone to be able to handle fixing one after that one day, do you? Same with internet security.

> owner left the front door unlocked, people would rightfully put the onus mostly on the store owner.

So just because the store owner does something stupid you think most people would consider it his fault? That's...that's horrible. Yeah he possibly could have prevented it (though you don't actually know that as they could have broken in anyway; people don't just go up to stores at night to randomly test doors then go home).


I taught high-school computer science. I taught about how the internet works, password security, encryption as well as programming.

I once had a lad declare that GitHub was stupid, because it locked out our IP for 5 minutes after the class tried to login to their accounts with at least half of them forgetting the strong passwords I insisted they use.

I watched a girl log into her vps by running her finger across the top row of her keyboard. When I insisted she change her password, she ran her finger across the keyboard in the opposite direction.

Many people know and understand basic security, they just don't care. They think they have nothing of worth losing, and so don't need to be secure. Even after I explained to the student that their vps could be used to mine bitcoin, fetch pornographic material or send out phishing emails, their attitude was very much - meh!

I'm all for educating people on these issues, but the true way to protect them from their own stupidity is to ensure that it is impossible for them to start up a vnc server without enforcing a strong password. Security by design will be even more important as iot becomes more prevalent.

tl;dr - You can't rely on users to protect themselves.


> I'm all for educating people on these issues, but the true way to protect them from their own stupidity is to ensure that it is impossible for them to start up a vnc server without enforcing a strong password.

What is a 'strong password'? Minimum 12 characters, 2 symbols, 2 caps, 2 lower case? "1!qQaAzX2@wWsSxX" fits (and exceeds) those requirements.

Trying to enforce strong passwords doesn't work; people just make up new insecure passwords.


Five random english words (100000^5) is stronger than 12 random printable ASCII characters (95^12). It's more memorable, too.

User-hurting policies like "Thou shalt have at least 2 symbols in thine password" are partly to blame.


You want to be careful that you don't end up with "five random english words (4000^5)", though.

And it's hard to enforce people not using phrases.


> Take a topic you know absolutely nothing about. Let's say it's aerospace. Now every year we have an aerospace day to try and explain to you how various types of fan and jet engines work. You certainly wouldn't expect everyone to be able to handle fixing one after that one day, do you? Same with internet security.

People don't interact with jet engines, but they do interact with planes. And they're lectured about airplane safty evey single time they get in a plane. So this might actually be an argument in favor of educating people about internet security.

Bottom line: please don't overuse analogies. They don't prove anything.

Edit: simplify


People also don't interact with security on their computer pretty much ever but they do interact with their computer / the internet. Seems like a perfect analogy to me.


> Now every year we have an aerospace day to try and explain to you how various types of fan and jet engines work. You certainly wouldn't expect everyone to be able to handle fixing one after that one day, do you? Same with internet security.

Actually, I'd expect a lot of increase in awareness of what the relevant issues are. No, I wouldn't expect someone exposed to aerospace day to be able to fix a jet engine. But they're much more likely to know what problems commonly occur and who can fix them.


School District policies and (ultimately) curriculum are driven by public opinion. How can a public demand better if they are not able to understand the issue?


It's a nice thought, but I suspect it to work as well as "safe electrical circuits" day would. The internet security equivalent is that companies are selling completely unsafe circuitry with live wires exposed, and we should mount an education campaign to teach people how to cover up the live wires. I suspect once the hardware/software industry matures, we'll see insurance companies become involved and there will be strict regulation around what is and is not safe.


The latest episode of ATP[0] had a section at the end about people roaming in the neighborhood checking car doors to see if any cars was unlocked and steal stuff when hiting the jackpot.

The owner of the car can blame himself for forgeting to lock the car, the insurance won't blame anyone but won't pay for reparation, the justice system puts the blame on the thief but would not do much about it if it's petty.

And of course if it was a bank leaving bags of notes on an unlocked cabinet in the entrance, people would go bat-shit about irresponsible behavior on the banks side.

I feel that's how it would go for the online world as well.


Pretty sure theft is still theft, even if the door was unlocked. Of course negligence can make it your fault, but even if you find a million dollars on the street - legally - it's not yours.


Sure, but when Target, LinkedIn, et. al. are hacked, why don't people blame them for poor security practices? It's always the "hacker's" fault. Sure, it's wrong to exploit those weaknesses, but so is robbing an unlocked store. The hacker (robber) is still wrong, but only in the physical world do people put some blame on the "hackee" (store).


This blame is shared.

When I get robbed: the robber hurt me, and I failed to protect myself. Failing to protect myself is not a social problem.

When my bank gets robbed: the robber hurt me and the bank, and the bank failed to protect me. The robber is at fault, and the bank is at fault for breaking it's promise to me. That's a social problem.


Sure, but when Target, LinkedIn, et. al. are hacked, why don't people blame them for poor security practices?

Security is hard. Blaming the victim of a hack is pointless because usually you have no idea whether they did something wrong or if they were the target of a particularly clever attacker.


Maybe when the victim isnt a billionaire organization that is true.

In the case of these large corps being hacked, they are 100% responsible, and most of them we do know how they got hacked; its usually through very humdrum (if organized) means.


100% responsible? The hackers that hacked them have no blame whatsoever?


Sure, but when you find plain text passwords or unencrypted credit card info (two of the basics of starting ANY business), victim blaming seems warranted.


I just ran across credit card information that appears to come from someone running a facebook scam :-(


I think it's even worse than leaving the front door unlocked, it's more akin to leaving it open.


These analogies are all bad. There is no door, no lock or any other kind of security.


There can be a door, but there is arguably no burglary or theft.

1. You drive to a random address(es), accessible from the public premises (IP). 2. You knock on the door (TCP SYN). 3. Someone comes and opens it for you (TCP SYN+ACK). 4. You ask what's here (VNC handshake). 5. You're told it's a power plant or doctor's office or whatever (VNC frame data). 6. Sometimes the replies aren't fun, sometimes it's really weird - some pal seems to be willing to control a nuclear reactor for you, no questions asked. 7. You blog about your experience, including a conversation transcript.

It could be wrong to publicly announce (step 7) that there's a weird person in there (with full address details) that can do anything for you, as this can put others in danger. It's ethically unclear: it requires a human review and judgment (a robot can't tell if it's weird, so if data collection is fully automatic and unsupervised it becomes complicated), and even for humans it's probably not completely wrong to disclose, if done responsibly.

But just driving by and knocking on the random doors asking what's there - it would be really weird to me if we'd say this is anything wrong with this.


"Blame" is a complicated concept entangled with morality that a lot of people have conflicting and illogical opinions about.

I think that unless you want to start conversation about what "blame" is, it's safer to use words describing strict logical causation instead. Unlike "blame", causation is objective and doesn't depend on morality.


I didn't use the word "blame" :/


Stuff should be secure by default. No default passwords. No open by default. Temporary dialing down of security should reset itself to secure mode by itself after a short time. Etc.


And their insurance wouldn't cover them if they didn't lock the door.


That just isn't true. In fact, your homeowners insurance will cover your belongings even if they're in your unlocked car when they're stolen.

Most home burglaries involve breaking a window or kicking in a door, which is why people say "locks just keep an honest man honest".


Must depends on jurisdictions then.


It depends on your policy.

I can't remember what it's called but my insurance polcy has a clause that I have to do what a "reasonable" person would do to secure my belongings.


Reasonable people don't have their doors locked all the time. Maybe they should, but mistakes and oversights happen

Edit: After some additional research, people on message boards pointed out that many home invasions are done with lock-pick kits, or the burglar breaks a window and unlocks the door. Homes are often broken into without any damage to the lock or door, so the insurance company would never even know if you locked the door or not. It just doesn't come up in the investigation.


Pretty sure people have had insurance claims refused in the UK because there was no visible sign of forced entry.


They will ask you if your door was locked. Sure, you could lie, but that's also insurance fraud.

I also never leave my house unlocked, even when I'm inside.


Isn't that victim-blaming?


Or is it called "educating"?


Do you have teenage children? :)


Downvoted you because of that edit.


I don't understand what was so downvotable about my edit.


Complaining about downvotes is usually frowned upon, as are phrases like "when did HN become so PC".


Yes, just had someone send me the link to the HN Guidelines https://news.ycombinator.com/newsguidelines.html

Makes sense. I will conduct myself differently in the future. Cheers :)


Anyone want to turn the mic up at the ongoing lecture at the University of Connecticut?

http://vncroulette.com/index.php?picture=429


One of these ip addresses where still reachable. Seems to be an desk computer taking order for pharmaceuticals, I could see a clerk write a persons name, what he ordered, everything!

Just awful! I tried to figure out what company it was and how I how to reach them, but nope, couldn't find anything..

This is why I just want to hide under a rock, since it is obvious that a lot of people doesn't know how to protect the data they have collected about me.


i guess you know my feeling, you just found a reachable ip ? i get like 100 online machines every fucking single day! how bad it could be bro?


Lots of humans are Chinese.



It's fascinating.


TIL:

Many UIs for industrial control systems are very simple.

Ubuntu is more prevalent than I would have imagined.


I don't think Ubuntu and Linux desktops prevalence in open VNCs is indicative of prevalence. They definitely seem to be over-reprensented in the various exemples I've seen of publicly accessible VNC servers, I would be curious to know why.

Maybe there are more users on Linux who know how to setup a VNC server or maybe some popular VNC package has bad security defaults ?


Some interesting metadata:

The dates on the screenshots range from 31 December 2015 to 5 March 2016, with many at either the beginning or end of February.

The computer name of the hacker doing this also appears to be "want.some.vodka".

http://vncroulette.com/index.php?picture=439


pretty sure that's the name of the computer not the person login into the computer.


This reminds me of a program I once wrote when I first learnt SQL, a sort of randomizing port scanner that would just try random combinations of hosts and ports and store its results into a database.

Later, I added stuff like attempting AXFR zone transfers, which was interesting, and I came across some university that apparently had no firewalls in place whatsoever.

I found a few devices with open telnet ports, mostly printers. I remember clearly the thrill I felt when I realized I could make this printer refuse any print jobs or remove jobs from its queue.

I also found a few devices I had no clue about. The latter where the ones I found most fascinating, although I never took the trouble to research what those devices might have been. I suspect, though, that nowadays there must be a whole lot more of such devices around, with IoT and all that.

(My scanner never looked at VNC or RDP, though... This site makes me wish I had thought of that.)


https://www.dropbox.com/s/eusw515pxqzu8sk/Screenshot%202016-...

OK, this looks like a system that really shouldn't have a security flaw like this


http://vncroulette.com/index.php?picture=536

"Upgrade your VNC server license in order to benefit from premium security features and performance enhancements."


Scary, here is a screenshot showing very sensitive patient information from practicefusion. Just because VNC is open, doesn't give you the right to show everybody in the world. I'm torn about this site.

* Removed the link to the screenshot


I cannot seem to connect to any of them? Are they all still supposed to be open on port 5900?


Tried to telnet on port 5900 of three or four of them, one was definitely still open.


The fourth one it shows me appears to be a medical records database. Wowzerz


The xray machine is good: http://vncroulette.com/index.php?picture=502

(I'm obsessed with this)


i wouldn't be of surprised if something so simple was the "hack" that affected water treatment plants in various articles on HN last couple of weeks.



What is that green thing on top?


The round bit? That's a heavy tarp, it's put over fermenters with biomass (pigs poop or similar), as the biomass ferments the tarp balloons up, due to the generated gas. The gas can be extracted later and used in power plants.


I dunno but it's not moving very quickly.


yum sewage treatment plant


Ok this is really bad -- one of the machines/images is showing a practice fusion terminal with PII revealed -- a huge HIPAA violation.


Some of these seem old. I saw one that looked like some kind of industrial status dashboard but the date/time displayed on it was from 2015.


Even though most of these probably have read only access, the fact that its even there shows that the person that set it up didn't have security on their mind. Sure you may not be able to do anything via VNC, but what about other attack vectors on these services? Are they updated, is the os up to date, is it using easy usernames/passwords so you can ssh in for example?


This is really bad software design. Unreal. The person who put it on those SCADA machines are long gone. Now what?


I'm seeing someone's checking account. Maybe even a banking system. Not logging into that!


Well, this made me do a sweep on my servers to make sure I didn't have VNC running. Tag as PSA!


In case anyone is wondering there are 540 images before it loops back to the first image.


Late to the party and a noob. Can someone explain a bit about what this is all about?


VNC Server is an application that allows you to have remote access to my PC. Once installed you can use any other PC (or a phone/tablet) that has the client VNC software installed to connect to it and remotely login as if you were sitting in front of it. VNCRoulette is a site that is scanning for these servers on the Internet, logging in, and taking a screenshot of the desktop. VNC can be secure with an extra logon password, but a lot of systems and users don't bother. It's this vulnerabiltiy that VNCroulette is exploiting. Most of the PCs it's connecting to are 'read only' so the remote access can only see the desktop and not interact with it, but a good many are read/write with no restrictions.


Whoa! Thanks! Shouldn't these also be notified of the vulnerability? Some of the screen shots look sensitive information.


I appreciate the effort to imporve security awareness, but is such a website legal?


Think of it this way. Is browsing to a random HTTP address via IP on the internet and then screencapping the picture produced on your browser legal?

Then using a VNC client in the same way would fall under the same legal purview. I think as long as there is no interaction to carry out functions, attempt password/username combos, then it's fairgame.


A prosecutor armed with the CFAA would probably disagree with you.

Browsing to an address with your browser is like checking to see whether a shop on main street is open right now. Attempting to connect to a an address with VNC is more akin to walking around the back of a house and checking if the rear door is locked or not.


Registration is open for Startup School 2019. Classes start July 22nd.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: