Hacker News new | past | comments | ask | show | jobs | submit login
Remote access giant AnyDesk resets passwords and revokes certificates after hack (techcrunch.com)
97 points by impish9208 7 months ago | hide | past | favorite | 52 comments



> AnyDesk spokesperson Matthew Caldwell did not respond to an email from TechCrunch. CrowdStrike, which is working with AnyDesk to remediate the cyberattack, declined to answer TechCrunch’s questions when reached Monday.

> AnyDesk did not respond to questions asking if any customer data was accessed, though the company said in its statement that there is “no evidence that any end-user systems have been affected.”

> “We can confirm that the situation is under control and it is safe to use AnyDesk,” AnyDesk said. “Please ensure that you are using the latest version, with the new code signing certificate”.

Mmm. If I were an AnyDesk customer I'd definitively want more details on what actually happened before I used their software again.


>AnyDesk did not respond to questions asking if any customer data was accessed, though the company said in its statement that there is “no evidence that any end-user systems have been affected.”

In my experience, this answer is equivalent to "Yes, customer data was accessed".

If it wasn't, they'd say something like "We have no reason to believe customer data was accessed", instead of trying to shift the focus to whether or not end-user systems were caught up in the blast radius.


Sad that what we white wash with the label "PR" or sometimes a hair worse "spin" is actually misrepresentation and dishonesty which is so pervasive (and therefore actually horrible) in corporate culture that it is totally normalized. I don't care if every country in the world does it, it is not okay to deceive, twist, and spin things.


"mislead the focus" should be a valid and common way to describe this kind of thing.


It's the total imbalance of power.



If (huge if!) those screen shots are legit, then Anydesk was storing passwords in cleartext or equivalent; many of them are far too random to be bruteforced so quickly.

The last one, where both the domain name and password start with QR, makes me think the screenshots might actually be legit.


>In light of this breach, AnyDesk customers must take proactive steps to protect their accounts and data. Password changes alone are insufficient.

Go figure :)


Seen on Breach Forums onion site as well ...


The vagueness of end-user is also a little concerning, are they using it in sense a lot of corporate it folks do to mean employees, or are they implying their customers are their end users.


I understand Crowdstrike not talking about their client (as much as I hate their agent).

But that "new code signing certificate" smells very bad. I would nuke anything signed by them ASAP.


> I'd definitively want more details on what actually happened before I used their software again.

You’re probably not in their target demographic to begin with, if you ask such questions.


Do you know any cross platform (Linux,windows) similar tool that is as easy and traverse firewall well? I can host a server if needed.

I often use vnc myself but for end user it is way too hard to install.


Apache Guacamole may be what you are looking for

"Apache Guacamole is a free and open-source, cross-platform, clientless remote desktop gateway maintained by the Apache Software Foundation. It allows users to control remote computers or virtual machines via a web browser, and allows administrators to dictate how and whether users can connect using an extensible authentication and authorization system."

https://en.wikipedia.org/wiki/Apache_Guacamole


RustDesk is often mentioned as an open source alternative.

It has a bunch of weird code smells that make me a bit hesitant to use it for supporting family members, but it seems to work well from what I read from others?

I use Teamviewer quite regularly, but that has some issues with Wayland. Free for personal use, but closed source with no self-hosting capabilities.


I've used TeamViewer, then AnyDesk and now RustDesk. TeamViewer and AnyDesk are both German companies.

RustDesk works really well and is fast. I switched from TeamViewer because they wanted money. I switched from AnyDesk because it gave me more problems with disconnecting, has the worst UI of the three and sometimes my screen would be a minute or more behind what the host was seeing.



Wow, I wouldn’t touch that with a 100 foot pole.


> TeamViewer and AnyDesk are both German companies.

Can I ask why you mentioned this? It stands out.


Because I happened to know it. They often make great stuff.



There's a lot of "just make it work" code in there. A "customer said software didn't work in China because of a missing cert, now importing cert on startup and it works" kind of deal.

For a while it used `sed` to disable Wayland on Linux in a way that only applies to Gnome (specifically on Ubuntu and a few other distros). The code also has a bunch of other exec()s with several commands piped into each other to parse the output.

None of it seems ill-intended, but it's code I would straight reject if I would be tasked to review it.


It's not the first quality Chinese software.


Somewhat cross-platform (I mostly use Windows)... I use Tailscale (or just wireguard) and RDP. RDP works great on Windows and is gaining more support in Linux. VNC works as a fallback, but is slow compared to RDP.

Not free, but I was using Remotix until they got bought out by Acronis who haven't really done much but increase the price and rebrand it (really long name "Acronis Cyber Protect Connect"). It does work on Linux and MacOS but I always found the performance to be lacking and the UI is workable but not great.


If you like selfhosted, then MeshCentral is what you should be looking at.

If you want a cloud thingy and it's just for personal, chrome remote desktop is decent enough.

If you need this to be highly performant (like accessing a crunchy 3d modeling rig from your ipad, or remote gaming) then Parsec is the best.


MeshCentral is great, just migrated all my rustdesk setup to it.

I mostly use it for family remote support and things tho, performance isn't amazing but it's plenty good.

Also supports things like relaying over an agent, hardware key authentication, file browsing. It's a little wonky in spots but overall it's such a great piece of software.


TeamViewer is slow and expensive, but it does work well. IIRC they have Linux support now, but not 100% sure.


I was using TeamViewer on Linux fairly extensively over a decade ago, and I don't really recall having issues with it. I haven't used it much recently.


Teamviewer is a no brainer, cross platform, to handle my retired dad's computer on the other side of the country and/or customer's screens on the other side of the world.


Teamviewer hasn't worked for me in years. At some point it started to claim I was using it for commercial purposes, and even after convincing support that this wasn't the case, I've never been able to maintain a connection for longer than a minute since.


Pretty much will refuse to work if you have a static IP Is they claim that's commercial.


I gave up on it for the same reason. Kept getting flagged for commercial use when all I used it for was ham radio stuff and helping my parents.

Sounds like a shakedown to me.


TeamViewer has horrible security history though.


I use SimpleHelp; it's a self-hosted Java server and clients have to install an app; works on Windows and Mac and Linux. It's over port 80+443. Not FOSS.


Steam Link is tailored for gaming, but it works great for remote access. Performance is excellent and it has clients for all major platforms.


Look up aspia


Tailscale.


Suppose I have a computer at home I want to be able to access from anywhere in the world. I can pay a host, a vpn, something like aws or resort to proprietary solutions like teamviwer or similar options. I don't want to resort to any of these alternatives. I want something that is both open source and that I don't have to pay for. The only solution I could find was tor (or maybe i2p) which has its own downsides: high latency, low bandwidth and requires special tools. Is there any possibility I'm not considering?


Any reason why you can't run a VPN server in your home environment? I run wireguard and OpenVPN at home on my router. I don't pay for static IPs but they rarely ever actually change.


dynamic dns to the rescue


Get yourself a box with OPNsense and run wireguard on it. It requires some working in, but it is a big liberation after a while.


What do you use to for remote desktop once in the LAN?


Well, I don't have the need for Remote Desktop. I use SSH, Linux Shells, Bash, Byobu, or my web servers running at home and serving stuff through the browser. I have two Remote Windows Laptops that I administer with the standard Windows Remote Desktop.


I use zerotier. tailscale is another one. But there is a middleman.

I can access the computer remotely without opening a port.


I've turned to RustDesk since last week, and so far so good. It's open source and if you self-host the rendezvous server, it's effectively free.



Yikes. Thanks for that!


You could setup a wireguard server at home. An overlay network like tailscale or nebula is another option.


Have you considered Tailscape + Remote Desktop (Windows) or Screen Sharing (Mac)?


Get a router that has a VPN, or put a VPN box behind the router and port forward


I thought that was just a tool used by India-based scammers to access old people's computers.


and I was just about to recommend AnyDesk to my employer after having had several bad experiences with TeamViewer in the past




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: