Remote access solution for helping people on their PC

Posted: Fri Sep 07, 2007 11:40 am
by roymond
Joel Spolsky is somewhat of a software development guru, like him or hate him, he's written a ton about how to make your developers happy so they can do good work. He founded Fog Creek Software a few years ago, and one product they created is CoPilot, which allows anyone to connect to a friend or family member's computer remotely to help fix something, for a few bucks. Just seems like a cool solution and requires no installation, supports Macs and Windows.

Posted: Fri Sep 07, 2007 11:46 am
by anti-m
This sounds like a great idea -- any comments on the security aspects of the system? (This question is directed to all you techy wonks on the boards -- not just Roymond!)

I might have my 'rents install this widget!

Posted: Fri Sep 07, 2007 12:07 pm
by Lunkhead
That looks handy, Roymond, thanks. I used to use Apple Remote Desktop to help out my Mom, but the version I had of it doesn't work with OS X 10.4, and the upgrade seemed kinda pricey. This seems like a cost-effective option considering I only erratically need something like this, and only for short periods of time. Also I like that it's cross platform, and the setup seems much simpler than VNC.

They say they use 128-bit SSL encryption, anti-m.

Posted: Fri Sep 07, 2007 12:41 pm
by anti-m
Lunkhead wrote: They say they use 128-bit SSL encryption, anti-m.
Er, yes. I read that. "But is it safe?"

I'm assuming the answer is "yes," but are there any potential security pitfalls, even with beefy encryption?

I'm asking, because I'm not an expert... and this is guaranteed to be the first concern of anyone I try to convince to use this app.

My impression is that many supposedly secure systems are, in the end, vulnerable to hacks...but I am not tech savvy enough to understand the levels of risk. I know it's unlikely that someone will decode the 128 bit encryption itself... but howsabout the invite key system, etc?

If anyone has any thoughts or comments, I'd appreciate it.

Posted: Fri Sep 07, 2007 12:47 pm
by blue
there's a dozen of these on the market these days.

and they all require something to be installed, even if it's not the usual downloaded-and-click binary installer.

Posted: Fri Sep 07, 2007 12:48 pm
by blue
anti-m wrote:
Lunkhead wrote: They say they use 128-bit SSL encryption, anti-m.
Er, yes. I read that. "But is it safe?"

I'm assuming the answer is "yes," but are there any potential security pitfalls, even with beefy encryption?

I'm asking, because I'm not an expert... and this is guaranteed to be the first concern of anyone I try to convince to use this app.

My impression is that many supposedly secure systems are, in the end, vulnerable to hacks...but I am not tech savvy enough to understand the levels of risk. I know it's unlikely that someone will decode the 128 bit encryption itself... but howsabout the invite key system, etc?

If anyone has any thoughts or comments, I'd appreciate it.

none of them are safe to leave running. use it for as long as you need it and then erase it.

Posted: Fri Sep 07, 2007 12:53 pm
by Lunkhead
It sounds fairly safe to me, as I think the assumption is that you'll be coordinating with the person you're helping when you're going to help them.

So if the person you're helping gets an invite out of the blue with no prior notice from you, that ought to be a red flag.

An attacker would have to know when you're going to communicate the invite key to the person you're helping in order to try to send them a bad key. If you coordinate with the person and tell them that you're going to dictate the key to them over the phone, that would make it harder for someone to impersonate you (especially if the person you're calling has caller ID, which can be faked, true, but that takes more work).

They say that their client software communicates through their servers, so someone could try to impersonate their servers. That's where the SSL certificates would be useful, as someone would have to try to somehow hijack their certificates in order to properly impersonate their servers.

If your communication with their server is encrypted, that means that data and passwords going over the line should be safe from attackers.

Basically it looks like this would be most vulnerable to social engineering rather than technical hacking, and even the risk of social engineering can be minimized if you're very careful about how you deal with the person you're helping.

Posted: Fri Sep 07, 2007 12:57 pm
by Lunkhead
blue wrote: none of them are safe to leave running. use it for as long as you need it and then erase it.
Right. There's a checkbox to delete this program when your session is over, which seems convenient.

Posted: Fri Sep 07, 2007 2:29 pm
by anti-m
Ok! Thanks! That's the tech savvy I was looking for. This definitely looks like a useful app.

--Em