IshKebab 3 months ago

If you can get remote control to work that would be amazing. I assume that's impossible with current browser APIs though. A real pain point of Google Meet.

atoav 3 months ago | parent [-]

I too yearn for the day where my parents' web browser can run Win+R and delete their System32 directory after they clicked "Ok" on a prompt whose message they wouldn't be able to tell me if I paid them a billion Euros for it.

IshKebab 3 months ago | parent [-]

It can already do that. The prompt just says "Click here to download".

atoav 3 months ago | parent [-]

So you say we need an easily accessible RCE-API to make this even simpler?

IshKebab 3 months ago | parent [-]

I will ignore your dumb reductionist take...

The problem with doing it via downloads or plugins is that it's OS and maybe browser specific (have fun making your plugin for Firefox on Windows, Chrome on Mac, etc.), and also it's extra friction.

The reason I want to remote control someone's computer is because talking them through the actions is too tedious. The last thing I want to do is talk them through downloading and installing some browser plugin first.

Security & scamming is obviously a concern but let's not pretend it is impossible to solve. People thought the full screen API shouldn't be done because of security concerns, but that's laughable now.

As an initial step they could at least support showing a "laser pointer" on other people's screens so you can say "click here" instead of "up a bit, no... go back.. no third from the bottom, yeah that one". That has zero security implications.

atoav 3 months ago | parent [-]

My 'dumb reductionist take' is me trying to tease out (with a little bit of humor) how you imagine this absolute security nightmare to be implemented in a way that wouldn't result in abuse of apocalyptic proportions. I mean maybe you had something ingenious in mind here, but then I'd like to hear it in detail instead of handwaving and arguing "there are other bad things so let's make it worse by 10 magnitudes".

So now without the humor: How would you design the system to prevent abuse, remote code execution and such? Because if that part isn't clear that idea should probably be shelved.

IshKebab 3 months ago | parent [-]

I would probably do it the same way any other dangerous operations are protected: make people type confirmation in (e.g. how you delete repos on GitHub), require you to manually add websites to a whitelist (e.g. how screen sharing for apps already works on Mac, or how some permissions work on Android). You can use heuristics to provide a more onerous confirmation for suspicious sites, exactly how running executables works on Windows.

Other security measures you could do:

1. Throttle events to the speed that a human could do them, so you can't instantly open a terminal and paste code in.

2. Require additional confirmation to send events to specific applications, like the terminal, or explorer or whatever.

3. Only allow control of apps that are already open. That would be better than nothing.

There are probably other things I haven't thought of.

Anyway the point is the danger is only two clicks away already. This isn't a risk that isn't already there, it just makes the tech less annoying.
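
The gating measures listed in the comment above (site allowlist, throttling to human speed, extra confirmation for specific applications, already-open apps only), sketched as an added example that is not part of the original thread. No such browser API exists, so `createRemoteInputGate`, the event fields, the reason strings and the sample origins are all hypothetical.

```javascript
// Hypothetical gate for remote-control input events. No browser API like this
// exists; every name here is an assumption made for illustration.
function createRemoteInputGate({ allowedOrigins, sensitiveApps, minIntervalMs }) {
  const lastAccepted = new Map(); // origin -> local time of last delivered event
  const confirmed = new Set();    // "origin|app" pairs the local user approved
  const deny = (reason) => ({ allow: false, reason });
  return {
    // To be called only from trusted local UI, after the typed confirmation.
    confirm(origin, app) { confirmed.add(`${origin}|${app}`); },
    // nowMs must come from the local clock, never from the remote sender.
    check({ origin, targetApp }, openApps, nowMs) {
      // Manually maintained allowlist: unlisted sites get no input access.
      if (!allowedOrigins.has(origin)) return deny("origin-not-allowlisted");
      // Measure 3: only apps that are already open can be controlled.
      if (!openApps.has(targetApp)) return deny("app-not-open");
      // Measure 2: terminal, file manager etc. need additional confirmation.
      if (sensitiveApps.has(targetApp) && !confirmed.has(`${origin}|${targetApp}`))
        return deny("needs-confirmation");
      // Measure 1: throttle delivered events to roughly human speed.
      const last = lastAccepted.get(origin);
      if (last !== undefined && nowMs - last < minIntervalMs) return deny("throttled");
      lastAccepted.set(origin, nowMs);
      return { allow: true, reason: "ok" };
    },
  };
}

// Constructed sample run; origins and app names are made up.
function demo() {
  const gate = createRemoteInputGate({
    allowedOrigins: new Set(["https://meet.example"]),
    sensitiveApps: new Set(["terminal"]),
    minIntervalMs: 50,
  });
  const open = new Set(["browser", "terminal"]);
  const meet = "https://meet.example";
  const run = (origin, targetApp, t) => gate.check({ origin, targetApp }, open, t).reason;
  const out = [
    run("https://unknown.example", "browser", 0),
    run(meet, "editor", 0),
    run(meet, "terminal", 0),
    run(meet, "browser", 0),
    run(meet, "browser", 20),
    run(meet, "browser", 80),
  ];
  gate.confirm(meet, "terminal");
  out.push(run(meet, "terminal", 200));
  return out;
}
```

The checks run in deny-first order, and a throttled event does not reset the timer, so a flood of rejected events cannot starve or speed up later ones.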

atoav 3 months ago | parent [-]

Thank you, that sounds somewhat reasonable, but I am still not entirely convinced that the added attack surface is really worth it..