cctv_down_under

Opinions on www.logmein.com Thomas?

I have been using this for a while and it is much simpler than VNC, because it takes literally 30 seconds to set up and allows me to group my remote sites together as well as send invites to manufacturers to log in. It seems fast and very simple because of the web interface. I just wanted to know if anyone knows how secure it is.

It really is simple: point your person to the website, get them to use your login and then ask them to click the "add computer" button. It maps their IP and follows it (even dynamic), and all you have to do is click the icon to connect. The first time it loads a small amount of software, but that's it, and it can be turned on and off so easily.

I am using the free version

http://www.logmein.com


I've used logmein several times to help people out (non-cctv related)...

It uses 256 bit SSL encryption all the time, and you can require a second login on the target computer before gaining access, so it's quite secure...

The nicest parts are

1) Free
2) Very easy web-based use, essentially no setup involved
3) Encrypted


I don't like the idea of my PC's user name (and pass) being in a web-based database. Not to mention them having access to all my files .. I tried it before and removed it very quickly. Web based does not mean easier; it is just as quick to install Ultra VNC and less likely to have any browser-based (Java, Flash, etc.) registry issues, which do occur.

You still have to install something on your PC. Now you are essentially running a server open to the web and ready for attacks, and using a default HTTP port - port 80 (also port 443) .. basically it is not safe at all.

May as well install MSN IM and Ares as well

That said, unless you change the VNC port from the default 5900 that is also open to attacks .. but port 80 is just asking for trouble.


Where do you get the notion that your PC's info is on a web database? It looks to me like logmein accesses the normal login screen of your computer, under the control of your computer, as if you required login on your own PC. At no time do you have to give logmein your personal PC login information, you only tell it to require login at the PC level--in addition to the first login into the program.

So now explain to me how you have remote web access to cameras through a product like Geo or Video Insight if you don't have a server sitting on the computer listening on multiple open ports? Is that safer than logmein?


You fill that info in when you set up the program; it is all sent to their web server/site, from what I could tell (may be wrong but still it is suspicious).

Geo isn't software that allows you to control the entire PC; it's very limited.
There are ports required open for remote video, but you can change them, and should. No information is ever "sent" to Geo, and nobody can just access your desktop or files without installing additional software on the Geo PC first.

So yes, safer. Check the open connections with Logmein when you get a chance ... but that said, nothing connected to the internet is really 100% safe. It does help though if you turn off most of the Windows default services and use port filtering so other ports can't be used.

Once again though, if they don't let you change port 80, it is just asking for problems. I didn't see an option for that.

Also, the fact that it is browser based is another turn-off.


I have been using Logmein for about 3 years now. I support all my software customers using logmein. Believe me, it has saved me a lot of miles on my truck. As far as security is concerned, my customers don't bother much, nor do I have any hang-ups... At the end of the day both are happy..


Logmein doesn't listen on port 80. You can blackhole 80 all you want and logmein will work fine. I have port 80 forwarded to my webserver, which is a completely different machine.

I checked my config and it's listening on 2002 right now. I'm not sure if that's static or randomly assigned, but it sure isn't common and it's >1024.

The concept is not that it turns your machine into a webserver at all. It establishes a session to the logmein server from your machine. That's how it hooks you back to the client when you log in through the web UI.

Logmein is SSL, dual password protected (account and machine), and even has a lockout policy. It's not insecure.

Rory, what does it being web based have to do with anything anyway?


It uses port 80 .. by default .. Port 80 is opened by it as a web server. And browser based is just asking for problems.

Open up a program that checks which ports are being used, and you will see Logmein's server which is installed on your PC .. using port 80.

> Doesn't Geo use port 80 as well?

By default .. but you should change that.
Besides, Geo's server isn't open to control the PC.

IMO nobody should be using browser-based apps anymore, unless that is all there is .. a browser-based app still must install on the user's PC no matter what they claim, and hence you are better off installing the client app due to security limitations and compatibility issues with today's browsers.


Rory, I was just curious... have you ever bought anything online before? Done online banking?

Sure everything has risks... but 128 bit encryption is hard to break... especially during an hour long remote session on a computer. I would say you probably have nothing to worry about. What you really should worry about more is the database holding any information that can be compromised. I've seen that once, but I've never seen anyone break 128 bit encryption.

> Rory, I was just curious... have you ever bought anything online before? Done online banking?
>
> Sure everything has risks... but 128 bit encryption is hard to break... especially during an hour long remote session on a computer. I would say you probably have nothing to worry about. What you really should worry about more is the database holding any information that can be compromised. I've seen that once, but I've never seen anyone break 128 bit encryption.

It doesn't matter what someone else is doing; the point is the port is there and open .. we're talking security systems here, not personal PCs. Regardless, someone asked and that's my opinion. My biggest issue is that it is browser based. They can take it or leave it.


FYI: Logmein does NOT use port 80. The output from a netstat query for any Logmein connections shows port 80 is not listening (I was going to post it but I can't post URLs and the server doesn't like the addresses in the output). The only listening port is the default connection port, which is 2002 on this machine. There is also an active secure connection to a logmein server (which is how the app works to begin with).

An internal nmap fingerprint port scan of my machine (running logmein) doesn't even show port 80 open for anything. I do not have any firewall software running, and I have not changed any of the default logmein settings.

Rory, I can appreciate your paranoia about having a web server running on a machine, but you're mistaken about how logmein works. It seems like you've made a leap of faith that since you use a browser to connect to a target machine, the machine must be listening on 80. The fact is that the reason logmein is so popular is that it does not require any special forwarding. The client maintains a secure connection to a logmein server. If the client side app were as straightforward and insecure as you imply, inbound connections would be dropped by firewalls that do not have the port explicitly forwarded and the program simply would not work on any secure network or routed home network.

I'm certainly not trying to persuade you here. I prefer to use proper ACLs to secure outside connections to my servers, in fact. As a network admin I just don't see a need to dissuade others from using the product citing inaccurate information about how it works. Your opinions about web-based applications aside, using a secure connection to remotely access a machine with logmein is perfectly safe.


You must have a different copy of logmein .. it installed on my computer, just as I would download a client program, then when I checked open connections, it was logmein with port 80. Whether it uses that port for listening or not, it certainly uses it.

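The two posts above disagree over what "uses port 80" means: a local port the machine listens on, or a remote port it connects out to. As an added example that is not part of any post in this thread, the following parser separates the two cases in netstat output. The sample text is constructed in the layout of Windows `netstat -ano`, with documentation-range addresses and a made-up PID; only the listening port 2002 comes from the thread.

```python
from collections import namedtuple

# Constructed sample (not captured from a real machine). Port 2002 is the
# listener reported in the thread; addresses and PIDs are placeholders.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:2002           0.0.0.0:0              LISTENING       1432
  TCP    [::]:2002              [::]:0                 LISTENING       1432
  TCP    192.168.1.10:49213     203.0.113.5:443        ESTABLISHED     1432
  TCP    192.168.1.10:49220     203.0.113.9:80         ESTABLISHED     1432
  TCP    127.0.0.1:49300        127.0.0.1:49301        ESTABLISHED     2200
"""

Sock = namedtuple("Sock", "local_ip local_port remote_ip remote_port state pid")

def split_endpoint(endpoint):
    """Split 'ip:port' or '[v6]:port' on the last colon."""
    ip, _, port = endpoint.rpartition(":")
    return ip.strip("[]"), int(port)

def parse_netstat(text):
    socks = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] != "TCP":
            continue  # header, blank lines, UDP rows (which have no state)
        lip, lport = split_endpoint(fields[1])
        rip, rport = split_endpoint(fields[2])
        socks.append(Sock(lip, lport, rip, rport, fields[3], int(fields[4])))
    return socks

def listeners(socks):
    """Local ports that accept inbound connections (the exposed surface)."""
    return sorted({s.local_port for s in socks if s.state == "LISTENING"})

def outbound_sessions(socks, remote_ports=(80, 443)):
    """Established sessions where 80/443 is the REMOTE port: we are the client."""
    return [s for s in socks
            if s.state == "ESTABLISHED" and s.remote_port in remote_ports]

def port_role(socks, port):
    """Classify how a port number shows up in the connection table."""
    if port in listeners(socks):
        return "listening"
    if any(s.state == "ESTABLISHED" and s.remote_port == port for s in socks):
        return "outbound-only"
    return "absent"

if __name__ == "__main__":
    table = parse_netstat(SAMPLE)
    for p in (80, 443, 2002, 5900):
        print(p, port_role(table, p))
```

A port that appears only in the foreign-address column is not reachable from outside; only the `listening` rows describe something an inbound connection could hit.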

The logmein home site has several "white papers" available, one of which discusses security issues at length, and the exact way that logmein works.

https://secure.logmein.com/wp_lmi_security.pdf

I believe samjade is correct.. if I understand, logmein establishes a connection with the logmein hosting service, so it is not acting as a server on the local machine, it is not listening on any ports--it has an active connection with a computer at logmein's facility.

I don't think both of you can be either right or wrong at the same time... so I will take it on as my personal mission to find out the definitive answer about port 80...

To be continued...


There has to be a server, whether it uses port 80 or not ... otherwise you can't connect to it. Anyway .. I wouldn't use it, regardless of any security issues. It's bad marketing if you ask me .. what's the point of it being browser based?? Why not provide the user with a direct download link? It HAS to install on your PC regardless; the only difference is the browser initiates the download instead of clicking on a link.


I guess the point would be that I could use any computer anywhere in the world that has internet access, and has either IE or FF, and connect to a remote computer, without needing to have any software preloaded. At most the browser might load a plugin, just like it loads media player plugins, or adobe plugins. I wouldn't have to carry media with VNC on it... or go to a website so I could download, then install, then configure it...

If you're ALWAYS at your work computer, or ALWAYS carry around your laptop that has VNC on it, then there's no problem connecting to a remote system. Otherwise, I like the ability, if ever needed, to be able to go to my PC on any browser available.

I can move to 10 different computers at work if I wanted, and by simply opening a browser, and going to the logmein site and logging in, I can access my home computer. I'd say that's a pretty good marketing idea.

But whatever, it's obvious you've made up your mind...


I didn't try the client side .. is it ActiveX or Java?

If it's ActiveX .. well, actually if it's any plugin, most web cafes normally restrict the installation of those, as you have to install it on the PC; even if it is an ActiveX, it is still installing. If it's Java, and the browser doesn't have the latest or same plugin for that, you have to install it .. again. When you get to the PC somewhere in the world, and you go to log in but find the browser has issues ... what will you tell your client then? If you are travelling that much, and you're a tech with clients whose PCs you maintain, I'm certain you would have a laptop at least?

Like I said, in the old days it wasn't such a problem, though with the added security protection even IE is throwing in there by default, it "could" be an issue. I've used travel agent software that only runs in IE, 100%, uses Flash, Java, and ActiveX .. the users played a lot of online Flash games; well, one of them somehow corrupted the registry Flash setting so the travel agency software did not work anymore .. had to basically recreate a key in the registry for it to work again .. that's just one example.

Just install MojoPac on a USB jump drive .. install your remote view software on that .. Ultra VNC .. etc .. and carry it in your pocket ...

Anyway, at the least they could also provide a client program, not just browser based.

BTW, UltraVNC has a Java Viewer.

Bottom line is to use what works best for you and your clients.

Rory


Actually... SSL is port 443 by default. Although, it really doesn't matter what port it is... if it has 128-bit SSL on it, you're safe.

The whole point for a web based application, be it a shopping cart, itunes, logmein, etc. is that it doesn't tie you down to 1 or 2 computers. It will allow you to do it from any computer via the browser. Otherwise, everyone would just run TightVNC or something else that is Client/Server based.

> Actually... SSL is port 443 by default. Although, it really doesn't matter what port it is... if it has 128-bit SSL on it, you're safe.

I didn't mention YOU'RE .. how safe the client feels is up to them.
I'm talking about a port open on the security system.


> The whole point for a web based application, be it a shopping cart, itunes, logmein, etc. is that it doesn't tie you down to 1 or 2 computers. It will allow you to do it from any computer via the browser. Otherwise, everyone would just run TightVNC or something else that is Client/Server based.

That's all fine and dandy, and that ability has been around for years.
But did you read my post on the problems with browser based applications as the current web browsers, remote cafes/computers, and users are concerned?

Anyone that makes a half decent client based app can easily make a browser based app, so that is nothing new, been there done that, but the companies that are out there marketing only browser based apps need to realize the flaws with their environment.


> > The whole point for a web based application, be it a shopping cart, itunes, logmein, etc. is that it doesn't tie you down to 1 or 2 computers. It will allow you to do it from any computer via the browser. Otherwise, everyone would just run TightVNC or something else that is Client/Server based.
>
> That's all fine and dandy, and that ability has been around for years.
> But did you read my post on the problems with browser based applications as the current web browsers, remote cafes/computers, and users are concerned?
>
> Anyone that makes a half decent client based app can easily make a browser based app, so that is nothing new, been there done that, but the companies that are out there marketing only browser based apps need to realize the flaws with their environment.

I did read your post, and as someone who has developed web applications for over 7 years now, I can tell you that you are only partially on point.

Any open port is potentially a security hole, that is true-- but at the same time, if you shut down every single port to the security system it would sever it completely from your clients as well. After all you could not have remote access for end users viewing their feeds remotely without an open port....

As long as you set up your infrastructure correctly, you can pretty much stop every attacker (short of an organized DDOS attack).

It is true that some "cafes" restrict some plugins that are sometimes required to run a web application. But the fact that you have accessibility PRETTY MUCH ANYWHERE is reason enough for web based applications to be around. There is also a new method using flash and scripting that allows the flash plugin (that is largely installed on a majority of the computers) that does everything that Java and ActiveX do, but without a lot of the version conflicts. But that is still a few years off from mainstream.

Companies that market only browser-based applications are niche companies, but many are very successful nonetheless. The reason is that many companies have employees that are frequently out of the office and need to update their CRMs, BOMs, etc. or let's not forget the beauty of being able to check your webmail while you're at the in-laws' house for Thanksgiving. All are completely web-based apps, and all have open ports, and they all have their place.

I actually prefer web based applications because I program in .Net and web based extensibility is quite a bit more robust from an interface end and also from a data end. Not to mention I can recompile on the fly when I want to add/edit/delete features. But hey, to each their own.

> There has to be a server, whether it uses port 80 or not ... otherwise you can't connect to it.

This is what I was trying to debunk in my last post. There is no server. There is no security risk. The target client connects TO a secure server. The source (requesting) client connects to that same server. That server is a logmein server; a "middleman".

When you use logmein from machine 1 to remote control machine 2, you are not making a direct connection to machine 2. You're connecting to a logmein server to which machine 2 is already securely connected. Logmein does the handshaking for you, and you're in.

The connections look like this:

Source -> Logmein <- Target

Not this:

Source -> Target

or

Source -> Logmein -> Target

Programs like VNC that require explicit port forwards are less secure than this connection method. The middleman approach adopted by Logmein does not require port forwards. As I mentioned before, if there was a server, there would have to be forwards. There are no forward requirements because there is no server hosting open ports on the target machine.

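The "Source -> Logmein <- Target" arrangement described in the post above, modelled as an added example that is not LogMeIn's code or protocol and not part of any post: both machines open outbound connections to a relay, and the relay is the only process that listens. The line-based framing, the host id `dvr-site-1` and all function names are assumptions for illustration, and TLS and authentication are left out.

```python
import socket
import threading

class Relay:
    """Stand-in for the broker ("Logmein" in the diagram): the only listener."""
    def __init__(self):
        self.srv = socket.create_server(("127.0.0.1", 0))  # ephemeral port
        self.port = self.srv.getsockname()[1]
        self.targets = {}  # host id -> parked session opened BY the target
        threading.Thread(target=self._accept, daemon=True).start()

    def _accept(self):
        while True:
            conn, _ = self.srv.accept()
            threading.Thread(target=self._handle, args=(conn,), daemon=True).start()

    def _handle(self, conn):
        f = conn.makefile("rw", newline="\n")
        role, host_id = f.readline().split()
        if role == "TARGET":            # Target -> Relay: park the session
            self.targets[host_id] = f
            f.write("OK\n"); f.flush()
            return
        t = self.targets.get(host_id)   # Source -> Relay: splice onto it
        if t is None:
            f.write("ERR unknown host\n"); f.flush()
            return
        while request := f.readline():  # forward request, return the reply
            t.write(request); t.flush()
            f.write(t.readline()); f.flush()

def target_agent(relay_port, host_id):
    """Controlled machine: dials OUT to the relay and never binds or listens."""
    sock = socket.create_connection(("127.0.0.1", relay_port))
    f = sock.makefile("rw", newline="\n")
    f.write(f"TARGET {host_id}\n"); f.flush()
    if f.readline() != "OK\n":
        raise ConnectionError("relay refused registration")
    def serve():                        # answer requests arriving over that session
        while request := f.readline():
            f.write(f"{host_id} handled: {request.strip()}\n"); f.flush()
    threading.Thread(target=serve, daemon=True).start()
    return sock

def source_request(relay_port, host_id, request):
    """Controlling machine: also dials OUT to the relay, never to the target."""
    with socket.create_connection(("127.0.0.1", relay_port)) as sock:
        f = sock.makefile("rw", newline="\n")
        f.write(f"SOURCE {host_id}\n{request}\n"); f.flush()
        return f.readline().strip()

def direct_connect_fails(port):
    """True if nothing accepts connections on this local port."""
    try:
        socket.create_connection(("127.0.0.1", port), timeout=2).close()
        return False
    except OSError:
        return True

def demo():
    relay = Relay()
    agent = target_agent(relay.port, "dvr-site-1")  # host id is made up
    reply = source_request(relay.port, "dvr-site-1", "show desktop")
    agent_port = agent.getsockname()[1]             # agent's outbound source port
    return reply, agent.getpeername()[1] == relay.port, direct_connect_fails(agent_port)
```

In this model the relay can read everything it forwards, so the design moves exposure from an open port on the target to trust in the relay operator.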

> I did read your post, and as someone who has developed web applications for over 7 years now ...

11 years myself

> As long as you set up your infrastructure correctly, you can pretty much stop every attacker (short of an organized DDOS attack).

If you think so ..

> It is true that some "cafes" restrict some plugins that are sometimes required to run a web application. But the fact that you have accessibility PRETTY MUCH ANYWHERE is reason enough for web based applications to be around. There is also a new method using flash and scripting that allows the flash plugin (that is largely installed on a majority of the computers) that does everything that Java and ActiveX do, but without a lot of the version conflicts. But that is still a few years off from mainstream.

I can tell you never left the office and actually used someone else's computer

> Companies that market only browser-based applications are niche companies, but many are very successful nonetheless. The reason is that many companies have employees that are frequently out of the office and need to update their CRMs, BOMs, etc. or let's not forget the beauty of being able to check your webmail while you're at the in-laws' house for Thanksgiving. All are completely web-based apps, and all have open ports, and they all have their place.

We are not talking web based apps here like asp and asp.net

> > There has to be a server, whether it uses port 80 or not ... otherwise you can't connect to it.
>
> This is what I was trying to debunk in my last post. There is no server. There is no security risk. The target client connects TO a secure server. The source (requesting) client connects to that same server. That server is a logmein server; a "middleman".
>
> When you use logmein from machine 1 to remote control machine 2, you are not making a direct connection to machine 2. You're connecting to a logmein server to which machine 2 is already securely connected. Logmein does the handshaking for you, and you're in.
>
> The connections look like this:
>
> Source -> Logmein <- Target
>
> Not this:
>
> Source -> Target
>
> or
>
> Source -> Logmein -> Target
>
> Programs like VNC that require explicit port forwards are less secure than this connection method. The middleman approach adopted by Logmein does not require port forwards. As I mentioned before, if there was a server, there would have to be forwards. There are no forward requirements because there is no server hosting open ports on the target machine.

When the client connects do they get the person's full desktop like VNC?
Or is this only file sharing?

BTW this clears it up more, thanks.

Wonder if thomas is actually watching this thread since the question was originally addressed to him ..
