by supersheep 4191 days ago
This feels unethical to me.

I've just seen a VNC session on a machine running some PLC software (I've flagged it). There could be god knows what running open VNC sessions in here, and it feels unethical to expose this in an easy-to-exploit way without making a best-efforts attempt to contact the operator.

I've seen a few VNC desktops that now have Paint open (or similar) with messages informing people that they have an open VNC server, but altruism is unlikely to be the norm.

It's a cool idea and it's really well done, but I do wish it was anonymised - no display of the host or port the VNC server is running on, just the screen. (I realise this might be useless in some cases where the screenshot lists the server's FQDN.)

5 comments

It has already had good effects though. Noticing that lots of the VNC servers were named QEMU, someone has prodded the QEMU developers [1] to change the default when you use the -vnc option so that it does not listen on all interfaces by default.

[1] http://lists.nongnu.org/archive/html/qemu-devel/2014-12/msg0...
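The QEMU issue raised above is a bind-address problem: a VNC server started with `-vnc :0` listens on every interface, whereas `-vnc 127.0.0.1:0` keeps it on loopback. The following script is an added example (not from the thread or from the QEMU project) that audits a Linux host for VNC listeners bound to a wildcard address by parsing the output of `ss -H -ltn`; the constructed sample output and the VNC port range it checks (5900-5999) are assumptions of the example.

```python
"""Audit a host for VNC listeners bound to all interfaces (added example)."""
import subprocess

# Local-address forms that mean "every interface" in ss output.
WILDCARDS = {"0.0.0.0", "[::]", "*"}
# Conventional VNC display range: display :N listens on TCP 5900+N.
VNC_PORTS = range(5900, 6000)


def parse_ss_line(line):
    """Return (state, local_addr, local_port) for one `ss -H -ltn` line, or None."""
    fields = line.split()
    if len(fields) < 4:
        return None
    state, local = fields[0], fields[3]
    # Split on the last ':' so IPv6 literals like [::]:5901 are handled.
    addr, _, port = local.rpartition(":")
    if not port.isdigit():
        return None
    return state, addr, int(port)


def exposed_vnc_listeners(ss_output):
    """Return sorted (addr, port) pairs of VNC ports bound to a wildcard address."""
    found = set()
    for line in ss_output.splitlines():
        parsed = parse_ss_line(line)
        if parsed is None:
            continue
        state, addr, port = parsed
        if state == "LISTEN" and port in VNC_PORTS and addr in WILDCARDS:
            found.add((addr, port))
    return sorted(found)


def audit_local_host():
    """Run ss on this machine and report wildcard-bound VNC listeners."""
    out = subprocess.run(
        ["ss", "-H", "-ltn"], capture_output=True, text=True, check=True
    ).stdout
    return exposed_vnc_listeners(out)


# Constructed sample of `ss -H -ltn` output: one QEMU-style listener on all
# IPv4 interfaces, one on all IPv6 interfaces, one safely on loopback, and
# an unrelated SSH listener that must not be flagged.
SAMPLE_SS_OUTPUT = """\
LISTEN 0      1      0.0.0.0:5900       0.0.0.0:*
LISTEN 0      1         [::]:5901          [::]:*
LISTEN 0      1    127.0.0.1:5902       0.0.0.0:*
LISTEN 0    128      0.0.0.0:22         0.0.0.0:*
"""

if __name__ == "__main__":
    for addr, port in exposed_vnc_listeners(SAMPLE_SS_OUTPUT):
        print(f"VNC port {port} is bound to {addr}: reachable from every interface")
```

Run it on the sample to see which listeners would be flagged; call `audit_local_host()` on a Linux machine to check the real socket table. A listener that shows up here is exactly the kind of host the site in question would eventually catalogue, and the fix is to bind to loopback (or a management interface) and reach it over SSH.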

> This feels unethical to me.

Not really. The site operator has done nothing that has not already been done before, and it's little more than a basic nmap scan for services (which anyone can do).

It might be considered unethical that a PLC system is using VNC with no password.

There's also an awful lot of CirrOS systems in there, which tell you the default username and password, alongside a kind note saying the default user has full sudo privileges and you can just sudo into full root. The particularly bad thing about CirrOS is they are almost all running on OpenStack and other cloud providers, who should know better.

> The site operator has done nothing that has not already been done before, and it's little more than a basic nmap scan for services (which anyone can do).

I realise this. Which is why I carefully phrased the objection as "easy-to-exploit". You and I may think the phrase "basic nmap scan" is simple, but it opens the door to lots of people who don't know what that sentence means but can easily click a link in their browser and be directly connected to an exploitable host (I don't like the phrase 'script kiddie' but I think that conveys what I mean).

> It might be considered unethical that a PLC system is using VNC with no password.

It might. It might also be more properly called incompetence. But that's orthogonal to providing an easy way to exploit such a system and not notifying the operator, which I feel is "more unethical" if such a concept exists.

There are ways to do this if the intent was to highlight how many people run open VNC servers (as I'm guessing is implied by calling the site Srsly?).

1) Don't publish the server's hostname and port.

2) Attempt to notify the operator.

3) Publish screenshots only.

By publishing the connection details, this turned something that could have been interesting and done some public good into something that I feel is dangerous and fairly exploitative.

Shodan has existed for years and does practically the same thing (enumerates services, etc), but to a far greater extent.

This year at Defcon there was a great talk about masscan and scanning the entire internet (they enumerated a lot of open VNCs right onstage during the talk).

> Attempt to notify the operator.

How? If it's just some IP address, there's little you can do other than log in and leave a text file open telling them they have an open VNC (that would surely get my attention).

The argument that a site like this should not exist because someone may exploit it just doesn't hold up. It's like saying we shouldn't post the IP addresses online of open mail relays, or open dns resolvers... which we (the "white-hat" community) did not... until it was discovered they were already posted online. Someone will do it...

If a vendor is so incompetent as to put an important PLC on the internet, let alone with a completely open VNC, that vendor should be shamed. If we build a list like this site has done, perhaps we can strongly encourage folks to not do this anymore.

Heck, I'd love a search feature to be implemented on the site so I can double check I have no open VNCs on any of my IPs...

> Shodan has existed for years and does practically the same thing (enumerates services, etc), but to a far greater extent.

Good point. But it's not laser-focused on a single thing and making that thing as easy as possible (I can just click on an image and be connected to the server!)

> How?

For some hosts it will be impossible. For others, it may be obvious or at least feasible; the company's name may be in the FQDN, the server may give a name in the VNC response that could be used, and if you're feeling grey-hat you could poke around and see what it does and who may own it.

> The argument that a site like this should not exist because someone may exploit it just doesn't hold up

I didn't say it shouldn't exist - just that some minimum form of self-censorship is the ethical course of action.

> Someone will do it...

Of course. But not everyone will make it this easy and accessible.

And I can appreciate the spirit in which this is done, if the "Hail Eris!" text on the page didn't make it obvious :) Being able to flag stuff is the concession, assuming it really does remove it from rotation.

> Not really. The site operator has done nothing that has not already been done before, and it's little more than a basic nmap scan for services (which anyone can do).

Merely because something is easy, or common, does not make it ethical. In fact, I think those factors should be entirely unrelated to ethics.

Theft has been done before. Theft is easy to do. Therefore, it's ethical to steal. This seems to be the logic you're following... Correct me if I'm wrong?

Agree, one session had obviously just had 'rm -rf /' run on it. Now, if you leave a root shell open to the Internet you're kind of asking for it, but this is like posting a list of GPS locations of cars with the keys in the ignition up on a notice board for car thieves...

Because it is unethical. Giving this ability to 100,000s of people (even for the short time before this site is taken down) is the wrong way to highlight the faults in VNC.

E.g., we should tell people that guns are dangerous, but we shouldn't highlight this by giving guns to children -- someone is going to get hurt.