One of the beautiful things about using SmartPhones like the iPhone or my Android-based Droid is that I can now access my computer from literally anywhere, and I don’t even need to carry a notebook computer to do it.
Of course, that’s one of the ugly things too; being connected all the time means either that you let your work take over your life or you create rules to prevent that.
There are a few things that my Droid isn’t able to do for me without some help, though, and since they’re among the most important and common things I do, like checking to-do items in Outlook and taking notes that end up in that software, I rely on remote control software to get me logged into my Exchange server.
And yesterday I ripped LogMeIn out of my server and my Droid, because it presents a security risk that just doesn’t need to be there.
Let me start by saying that this disappointed me tremendously. LogMeIn is pretty darned good at remote control, and even has a free version. It works across platforms (Mac, PC, Linux, whatever) and is without a doubt the simplest way for people who need occasional remote control abilities to get things set up.
But yesterday I discovered that when I use LogMeIn my screen and mouse come to life. Meaning that if someone happens to be in my office my previously locked-down computer becomes open and available to them because I’ve logged in using LogMeIn.
And that’s not OK. It should be the least of my security worries, of course, and it is. I’m not actually worried about anyone with physical access to my computer doing bad things, and I have nothing on there that I need to hide. BUT LOGMEIN OPENING UP YOUR COMPUTER THIS WAY MAKES NO SENSE.
When I have my laptop and a WiFi signal and need to get at the computers in my office, I use software built right into Windows to access them. I can even do it from an Apple Macintosh. And that software, Remote Desktop, is no more difficult to use than LogMeIn, takes only a little bit longer to get set up, and when I log into my computer remotely IT LOCKS OUT ANYONE WHO MIGHT BE AT THE COMPUTER AND IT SHUTS OFF THE SCREEN, KEYBOARD, AND MOUSE.
And yes, I have software on my Droid that works with Remote Desktop.
So Why Use LogMeIn?
This is the part of the piece where I’m supposed to present a counterargument and tell you that LogMeIn may not be much easier to set up, but that the slight advantage is worth something. And I suppose that’s true if you really don’t have the wherewithal to pull Remote Desktop together. But that’s just not good enough; if you’re going to use advanced business tools and pay for data plans on SmartPhones you also need to take a couple of other steps from time to time. And if you really can’t figure it out, call us at The Computer Answer Guy or PC-VIP and we’ll get you running.
Leaving big security holes open isn’t an option. LogMeIn may sound great, but the hole I noticed yesterday is too big to ignore.
LogMeIn reminds me of a line from Jurassic Park: Just Because You Can Doesn’t Mean You Should.
Hey Jeff — You raise a valid security concern, one we (LogMeIn) actually considered when developing our Ignition for Android product and the LogMeIn hosts. Did you try our Screen Blanking and Keyboard Locking features in the Ignition settings? Both were designed to address the scenario you’ve discussed. See the security section w/in this user guide: http://community.logmein.com/logmein/attachments/logmein/GettingStarted/2/1/LogMeIn_Ignition_UserGuide_Android.pdf. I’ve also cut and pasted the relevant excerpt below. Let us know if this was not explicitly clear or didn’t actually work as advertised. Either or both are valuable feedback as we refine the beta in advance of GA. Thanks in advance.
Relevant excerpt from the User Guide:
Blank the host display and/or lock the host keyboard to protect your information during remote control.
You can only change this setting during an active remote session.
1. On the main remote control screen, tap the Gear (Settings) icon.
The Settings page is displayed.
2. Slide Screen Blanking to On.
The host computer’s monitor will be blank during the remote session. Anyone sitting at the remote location will see a blank screen. Your actions will remain unobserved.
3. Slide Lock Keyboard to On.
The host computer’s keyboard will be locked during the remote session. Anyone sitting at the remote location will be unable to use the host keyboard.
4. Tap Done.
If you do not want to be notified each time you use Screen Blanking or Lock Keyboard, slide the Screen Blanking and Keyboard Lock options to Off in the Notifications section.
Craig, thanks for taking the time. Seriously.
I was vaguely aware that LogMeIn could be tweaked as you point out. And I’m a big fan of people taking responsibility for their own “stuff”, so if this was a software review blog or if my point was to have conducted a software review I would have A) dug in until I found the correct settings and B) made those changes. And as I had major experience doing exactly that kind of thing at IYM Software Review back in the day I’m confident your baby would have been cooed over in a way more to your liking.
But at Answer Guy Central we practice a different kind of pragmatism. Good or bad, right or wrong, the assumption is that our readers are so overstressed by the goings-on in their business lives that they need to have things explained to them a lot more directly and simply than that. In this case, simple means “Holy Toledo, I downloaded and installed a piece of software and opened up a big security hole and didn’t know it”.
In other words . . . why do users have to enable security? Why not have them find the disable settings?
Logmein is great, I think that Jeff is not looking at logmein from all possible uses. I have Logmein installed on over a hundred clients’ computers. I enjoy being able to jump on a pc and work with the client, have the client feel safe as they watch me work with them to solve their issues. I do have some computers being used at kiosks where I would not want the public to see what I am doing while I am fixing that are set to blank the screen automatically (Logmein Central), and others that I blank on demand. I do not consider this a security risk, rather you must understand the product.
Andrew, I appreciate your thoughts, and sure, what you said last is correct; “you must understand the product”. Ultimately, that’s true of any software.
Problem is, people don’t, and won’t.
My point about LogMeIn had nothing to do with its functionality, although let’s be honest … it’s far from unique; there are a couple of dozen alternatives that do the job just as well. You like LogMeIn? Cool.
But because these guys have been in this business for as long as they have, they should have known better; the correct default state for a machine being accessed remotely is screen blanked/mouse and keyboard disabled. And no matter how much you like the LogMeIn product, to say this isn’t a security issue is naive; of course it is. If that screen comes to life and the mouse and keyboard are accessible just because the machine is being used remotely, then the machine is open to whoever happens to be walking by.
From your article: “if you’re going to use advanced business tools and pay for data plans on SmartPhones you also need to take a couple of other steps from time to time”
From your response to Craig: “the assumption is that our readers are so overstressed by the goings-on in their business lives that they need to have things explained to them a lot more directly and simply than that”
My argument: The type of person that correctly falls under your stated assumption appears to be in some conflict with the type of person who -actually- follows your own initial suggestion above.
In other words, I agree with you that people that actively use VNC applications -should- take a couple of “extra steps”, and I would adamantly declare that simple security precaution is one of these fundamental steps, especially for business users. However, the assumption in your response to Craig is flavored with either an apologist stance for users that would ignore such steps, or a rationalization for the fact that your original article does not mention the available security options -at all-.
As you say, “people don’t, and won’t”. Then they shouldn’t be using VNC for serious business in the first place. It is not a solution to provide applications or suggestions that coddle ignorance by default.
You may be one of my favorite people ever. These words—my words—are problematic:
My argument: The type of person that correctly falls under your stated assumption appears to be in some conflict with the type of person who -actually- follows your own initial suggestion above.
What you’re saying is actually where I come from in all things, which makes me a bit too obtuse for many people’s tastes. I.E., “this is a problem and there’s no good fix because . . . “.
I spent about two decades talking about this by comparing computers to televisions. What I would say is that computers created as many problems as they solved because they went beyond Power/Volume/Channel control. Of COURSE they do, but . . . isn’t that a problem for many (most of?) the people who buy them?
SmartPhones are better because the Apps model is simple enough for people who don’t want to understand file structures and such; the functions are simple and linear and you don’t have to understand your SmartPhone to get things done. This is particularly true in iPhones, and less but certainly still acceptably so in Android devices. BUT BECAUSE OF THAT, I believe good App developers are more obligated than ever to make the way things work perfectly, from the get-go. And LogMeIn’s choice to make screen blanking an option instead of the default was . . . the opposite of that.
Thoughts?
I’m going to go with Jeff on this one. Regardless of the VNC method employed it goes without saying that the end user is ultimately responsible for making sure the software is configured appropriately. That said, when did good software development become the coddling of ignorance? Back when seat belts were the be all and end all of automotive safety one would have to rapidly pump the brakes during abrupt stops in order to keep from entering into a skid. Are we to consider the invention of ABS as the coddling of ignorance as well? Ironically this whole debate is academic for me being as I can’t even get screen blanking to work properly. Oh it blanks my screen just fine. The problem is that the required DPMS drivers also break my LCD brightness controls – a common problem when installing on a laptop as I’ve discovered. Generally I don’t complain about the occasional technical difficulty but I think this one is well worth mentioning.
I’ve been using Logmein for about 4 years now. In that time I’ve had it installed on an HP, a Toshiba and 2 Dell models. Installing the necessary drivers for the screen blanking feature had the exact same detrimental effect on all four laptops over that 4-year period. Now that I actually NEED screen blanking this issue has become a real problem for me. One need only Google the words “logmein screen brightness control” to see that this problem is not only incredibly widespread but that it’s gone unaddressed for several years. It really is a shame because I’ve been very happy with Logmein in nearly all other respects.
I’m guessing that your name is less than real, but I’m happy to see that you agree with my point: half-baked software is … half-baked.
Some time has passed and I now find myself perfectly happy using the remote control software built into Google Chrome and calling it a day but … it’s a pity.