A version of this post originally appeared on Tedium, a twice-weekly newsletter that hunts for the end of the long tail.
It’s not every day that I get to tell a story about a type of technology that was recently in the news for macabre reasons, but then again, it’s not often that water supplies get hacked using screen sharing technology, which is something that literally happened in Oldsmar, Florida recently, when a panel that controls the city’s water treatment system was modified to increase the amount of sodium hydroxide.
It was caught quickly—but still, scary stuff.
At the center of the debate is a tool that is perhaps at the peak of its cultural importance, but that naturally comes with inherent security concerns: The remote viewer application, which is incredibly useful when, y’know, people are remote, as is quite common right now. But it comes with complications, as seen in a certain community’s water treatment system.
And as you might guess, the evolution of remote desktop access technology goes back pretty far. How far back? Well, at first, you didn’t need a GUI.
“One conclusion that we may all have to come to is that connection with the network may force us toward a more standard way of handling terminals and their character streams in our monitors and terminal control hardware.”
— A passage from an early Request for Comments document, dating to 1971, that proposes the creation of an official protocol for Telnet, a key networking technology for accessing remote machines through a command-line interface. While not exactly the same as the modern-day remote viewers with graphical interfaces, many of the same strategies still apply today, with a primary difference being that modern remote viewers tend to be more platform-independent, allowing users to connect between different types of operating systems with a single tool.
No Windows, no problem: Remote access software dates back to the DOS days
Remote access has been a theme of computer software for decades—all the way back from the early days when people would access mainframe networks on dumb terminals. But the idea of connecting to a computer as if it’s in the room and having full access to it still feels a bit like magic to some users, despite the fact that we’ve been doing it for decades.
A key tool in the history of remote access software is Carbon Copy, an offering that allowed users to access remote computers from a distance and control them as if they were in the room. First offered in the mid-1980s, the software, initially produced by Meridian Technologies, used a trick to stay resident in memory in DOS, allowing remote users to call in and manage a computer over the phone line.
An ad for Carbon Copy Plus that promoted the fact you could work with two computers with just a single copy of the software. Get ready to mail some floppies. Image: Google Books
Carbon Copy, which received a glowing, in-depth profile in InfoWorld the next year, was seen as an early leader in the market, with other tools such as Norton’s pcANYWHERE first emerging around the same period. In these early days before the internet was commonplace, these platforms worked over standard modems, and required people to call into the remote machine.
Ironically for a product called Carbon Copy, the tool had problems with piracy. At one point in its history, Meridian Technologies had a bounty program in which it called on software users to turn in their colleagues for using unauthorized copies of Carbon Copy, a name that literally evokes cloning things.
“We are really going as far as we can to support the product, and all we’re asking in return is that people play fair with us,” the firm’s Charles Jones told PC Magazine. “Unfortunately, the world being what it is, I fully expect we will be paying several people $2,500.”
The promise of having remote access to more powerful computers was extremely tantalizing, especially so when a GUI was attached. In a 1988 article in InfoWorld, the Mac-based remote access tool Timbuktu, which worked over local networks and modems alike, was sold to users as a way to use more powerful computers on more modest hardware. (No color, though; them’s the breaks.)
“For about the price of an SE, you can use a Mac II chassis,” said Reese Jones of the company Farallon, which had acquired Timbuktu maker WOS Data Systems at the time.
Of course, this technology evolved over time and didn’t stay still; soon, tools like pcANYWHERE made the leap from DOS to Windows, and remote access tools increasingly became platform-independent, making machines easier to manage outside of the office.
The result is that remote access is a key part of the utility toolset for IT teams far and wide. But it is by no means a perfect tool.
The macOS-based app Screens.
Five common types of remote-access software you’ll likely run into today
Chrome Remote Desktop. Much of Google’s sales pitch in the modern day comes down to, “if you have a web browser, you can access this.” And this translates really well to Chrome Remote Desktop, which has been around for a decade and is perhaps the easiest way to remotely access computers on the market.
GoToMyPC. Around since 1998, the tool found great success around the turn of the 21st century because of its focus on ease of use, and found use among remote workers decades before it became the cool thing to do.
Apple Screen Sharing. While Apple has long offered a robust Remote Desktop application, it is generally overkill for normal users; for the rest of us, macOS’ built-in Screen Sharing tool more than does the job, while Screens offers a decent third-party alternative.
Remote Desktop Services. Microsoft also offers an internal screen sharing tool in the form of Remote Desktop Services, which has a lineage that dates all the way back to Windows NT Server 4.0 a quarter century ago.
TeamViewer. This is the one that got the folks in Florida into trouble. A widely used tool for sharing screens that is typically used by IT teams for technical support and remote management, it has gained popularity in recent years for its flexibility and ease of use.
The year that the RFB (remote framebuffer) protocol was first publicly released. The technology, developed at England’s Olivetti Research Laboratory in the ’90s, came to life thanks to interesting roots—it was first used as an interface that allowed a peripheral to connect to an ATM operating system. This unusually specific use case eventually evolved into something with an unusually broad use case: the basis for VNC (virtual network computing), perhaps the most broadly used open standard for remote viewers to this day. The research lab, at one point acquired by AT&T, was later the basis for its own company, RealVNC, in 2002.
The problem with remote access is that it is way too easy to misuse
You probably didn’t expect this story offering the basics of Remote Desktop technology to take a detour into a popular politician’s teenage years, but that’s the timeline we live in.
And in that timeline, a couple of years ago, onetime presidential candidate Beto O’Rourke made an announcement that he was once a hacker. Kind of.
See, he was once a member of the Cult of the Dead Cow (cDc, but not like the CDC), a decades-old group known for its work in the hacking scene, though in that role O’Rourke did more creative writing than actual hacking. (I promise, that’s not a slight; cDc was a DIY media group just as much as it was a hacking collective.)
It should be noted that many cDc members not named Beto O’Rourke also went on to respectable careers—lead member Mudge, birth name Peiter Zatko, once worked at DARPA and is now the head of security for Twitter.
Before Beto gave it a fresh shot of mainstream attention, the group was best known for creating one of the best-remembered hacking tools of the past 30 years—Back Orifice, a “backdoor” remote access tool that gave its users full access to a Windows user’s computer. (The name, as you may have deduced, is a dirty joke that references Microsoft.) The tool, first announced at the DEFCON event in 1998, came to life as a way to encourage Microsoft to take security more seriously.
And when Microsoft failed to take it seriously enough, they released an upgraded version that was even more sophisticated. What made the tools dangerous was not simply that they could exploit computers; what made them dangerous was that they lowered the barrier to entry for hacking to those who didn’t know what they were doing.
The strange thing is, though, when broken down, Back Orifice is not that dissimilar to more modern remote administration tools, which also offer in-depth access to end-user machines.
The difference is the context, as well as the approach to security. Today’s remote access (usually, water treatment facilities notwithstanding) is highly secure, and allows administrators to manage highly sophisticated systems remotely. Many of our machines can be managed just like the Trojan-hacked Windows 98 machines of yore. The difference is that, rather than relying on the cloak-and-dagger approach, they do it through secure means.
Tools such as TeamViewer are incredibly common in the information technology space as a result. But they come with challenges, especially as security modernizes.
A good example of this is actually Symantec’s pcAnywhere, which found its security turned into a joke about nine years ago, when its source code was stolen and released on The Pirate Bay after the hacker failed to extort money out of the company. The pcAnywhere software, which dated to the mid-1980s, was soon taken off the market entirely.
Remote access is something that can be easily exploited in the wrong hands, especially with poor security protocols.
“Many businesses use remote desktop to facilitate network access for remote employees over the Internet. But by granting such access, these businesses have made it much more likely they’ll be targeted and hacked,” says Matt Ahrens, the head of the security team at the cyber insurance firm Coalition, in a 2018 post for DarkReading.
Of course, given this risk, much remote software works on strengthening the moat so the access is in limited hands. Which is why the incident at the water treatment plant in Florida is basically the perfect example of what not to do with remote desktop access.
TeamViewer with the default password? Ending use of a high-access tool without actually removing it? Absolutely not the way you’d want to manage remote software that handles something as sensitive as a community’s water supply. Which is, of course, how it was set up.
The increase in attacks over RDP-based clients in the past year, according to the security firm ESET. The problem, says the company, is that, because people are more remote now than they were a year ago, cyberattackers are taking advantage of that fact to wreak havoc. So, if you’re not using VNC for anything, you may want to turn it off.
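One way to check whether a forgotten RDP or VNC service is still listening, as an added example that is not from the original article: the Python sketch below parses `ss -tln` output and flags listeners on the default RDP port (TCP 3389) and the usual VNC display ports (TCP 5900-5909) that are bound to a non-loopback address. The sample output is constructed, and the function names are illustrative.

```python
import subprocess

# Default ports: RDP on 3389, VNC displays :0 through :9 on 5900-5909.
REMOTE_ACCESS_PORTS = {3389: "RDP"}
REMOTE_ACCESS_PORTS.update({port: "VNC" for port in range(5900, 5910)})

# Constructed sample of `ss -tln` output (not captured from a real host).
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
LISTEN 0      5          127.0.0.1:5901       0.0.0.0:*
LISTEN 0      5            0.0.0.0:5900       0.0.0.0:*
LISTEN 0      128             [::]:3389          [::]:*
LISTEN 0      5       192.168.1.20:5902       0.0.0.0:*
"""


def split_endpoint(endpoint):
    """Split 'addr:port' (IPv4, '*', or bracketed IPv6) into (addr, port)."""
    addr, _, port = endpoint.rpartition(":")
    return addr.strip("[]"), int(port)


def exposed_remote_access(ss_output):
    """Return (tool, address, port) for RDP/VNC listeners reachable off-host."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header line or a socket that is not listening
        addr, port = split_endpoint(fields[3])
        tool = REMOTE_ACCESS_PORTS.get(port)
        if tool is None:
            continue
        if addr.startswith("127.") or addr == "::1":
            continue  # loopback only, e.g. VNC reached through an SSH tunnel
        findings.append((tool, addr, port))
    return findings


if __name__ == "__main__":
    # On a Linux host, audit the live socket table instead of the sample.
    live = subprocess.run(["ss", "-tln"], capture_output=True, text=True).stdout
    for tool, addr, port in exposed_remote_access(live):
        print(f"{tool} listening on {addr}:{port}: disable it if unused")
```

Broker-based tools such as TeamViewer connect outbound rather than listen, so finding a dormant install of one takes a software inventory check, not a listener check.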
Remote access software is an incredibly useful thing in the right hands—I personally use it to manage access to my server as needed—but the wrong hands make it a potentially dangerous proposition.
It’s just like, if I were in a coffee shop, it would be a bad idea to leave my laptop open for a couple of hours while I go to the movies.
But unlike going to a coffee shop and going to the movies, remote access is something very desirable right now because of the way it expands reach.
It’s unfortunate that many people were introduced to its potential in a really dark, really bizarre way, because when broken down, a tool that allows people to manage mission-critical systems from the safety of their home is something we should be encouraging right now.
(The problem is, when those mission-critical systems are being managed, they need individual logins and tight security measures.)
In the years to come, there will most assuredly be books and oral histories written about what happened in Florida, the sheer folly of leaving remote access open with so little focus on security. But it should not be a knock on remote access, which was a super-novel concept back in the mid-’80s and is still pretty awesome today as it has improved along with GUIs and network access.
Really, it’s a knock on the fact that, all these years later, we suck at security when we should be good at it. The cDc warned us.