It is currently Tue Dec 10, 2019 6:08 am

All times are UTC




Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 100 posts ]  Go to page Previous  1, 2, 3, 4, 5 ... 7  Next
Author Message
 Post subject:
PostPosted: Sat Jan 31, 2009 6:58 am 
Offline

Joined: Sat May 20, 2006 5:30 am
Posts: 66
Python is a complete, general-purpose programming language. All the basic facilities the language provides for doing things will have to be there in Uru too. Also, the Python is obviously not confined to the game directory, as your KI pictures are not saved in the game directory but elsewhere. Furthermore, nothing says that any data being sent has to go a particular way that your firewall will catch. Not only do Windows firewalls, in my experience, typically allow a program access to all outgoing connections once you have allowed the program to access the internet, but even if your firewall allows only specific destination ports, what is stopping malicious code from using the same ports, or even the same protocol as the regular Uru traffic? How can a firewall defeat that?

Firewalls should never, for any application, be your primary line of defense. A firewall is a valuable piece of the security picture but if it is your sole piece of security, you are terribly at risk.

Please, security is not easy, and it is definitely not as easy as it's been made out to be. If you wish to rely on the community shunning new entrants, because they are previously unknown, or on the community saying "bad internet person!" after the fact, that is up to you. But I won't be using the system unless some additional, basic, security measures are implemented. What was adequate security for MOUL will not be when the system becomes open source.

The reason for that is simple: decent security ultimately depends on people keeping things secret. Private key material, usually. When you convert a system designed by one entity to be run by one trusted entity to a system run by multiple entities, with less well-established identity, security practices, etc., you have to allow that stuff which used to be kept secret will be much less so. Amateurs (and professionals!) running servers make mistakes, even if they are themselves not malicious. Mistakes let malicious people take advantage. This is why checking the code up front, testing, and community culture are, by themselves, never enough. Security also depends on being able to verify you actually received what was checked, tested, and accepted.

- a'moaca'


 Post subject:
PostPosted: Sat Jan 31, 2009 9:05 am 
Offline

Joined: Sat Nov 11, 2006 2:28 am
Posts: 687
Location: Bevin Field Office - KI: 01350736
I don't know if it's possible to create - at least easily - some kind of delayed-trigger event in an Uru Age, which is what you'd need to get past the "firewall" of other players loading the Age and realizing something is up. (Edit: On second thought, silly me. Python could let you do this.)

Myself, I think it highly unlikely that there are many people who are "known" to the community who would do something like this - and, fair or not, I would be more hesitant to pick up an Age from somebody not known.

Possibly what could be done is this: Mappers should give their project files and people should compile them elsewhere. Naturally it'd be easy to do a bait-and-switch without checking, and all a malicious user would want is a number of infections from people, so you'd have to check by compiling and comparing before releasing the Age into the wild.
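The compile-and-compare check suggested above, which also serves the earlier point about verifying that you received what was checked, sketched as an added example (not part of the original posts and not an existing Uru tool). It assumes the Age build is byte-for-byte reproducible; the function names and directory arguments are hypothetical.

```python
import hashlib
import os
import sys


def tree_digest(root):
    """Map each file's relative path ("/"-separated) to its SHA-256 hex digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[rel] = h.hexdigest()
    return digests


def compare_builds(reviewed_dir, received_dir):
    """Diff the build compiled from reviewed project files against the
    build that is actually being handed to players."""
    ref = tree_digest(reviewed_dir)
    got = tree_digest(received_dir)
    return {
        "missing": sorted(set(ref) - set(got)),      # reviewed, not shipped
        "unexpected": sorted(set(got) - set(ref)),   # shipped, never reviewed
        "modified": sorted(p for p in set(ref) & set(got) if ref[p] != got[p]),
    }


def matches_reviewed_build(reviewed_dir, received_dir):
    """True only when both trees hold the same files with the same content."""
    return not any(compare_builds(reviewed_dir, received_dir).values())


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: compare_builds.py REVIEWED_DIR RECEIVED_DIR")
    report = compare_builds(sys.argv[1], sys.argv[2])
    for kind, paths in report.items():
        for path in paths:
            print(kind, path)
    sys.exit(1 if any(report.values()) else 0)
```

Files listed as "unexpected" matter as much as "modified" ones: a script that was never in the reviewed project is exactly the bait-and-switch case.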


 Post subject:
PostPosted: Sat Jan 31, 2009 10:59 am 
Offline

Joined: Wed Nov 08, 2006 5:45 pm
Posts: 2553
a'moaca' wrote:
Python is a complete, general-purpose programming language. All the basic facilities the language provides for doing things will have to be there in Uru too. Also, the Python is obviously not confined to the game directory, as your KI pictures are not saved in the game directory but elsewhere.


(Emphasis added)

What you said is correct; however, socket communications are a separate Python module and are not part of the basic set of functions, and from what I understand, Uru has a pretty stripped-down version of Python.

Also, I may be mistaken, but I'm not sure Python is responsible for the KI images...

_________________
Nothing to see here, move along.


 Post subject:
PostPosted: Sat Jan 31, 2009 1:02 pm 
Offline

Joined: Sun May 21, 2006 11:51 am
Posts: 510
Herohtar wrote:
Also, I may be mistaken, but I'm not sure Python is responsible for the KI images...


Capturing the Image ... No

Saving the image, and causing the call to the internal engine to capture the screen ... Yes

In a nutshell, the image is a return to the Python call from the internal engine; it's up to Python to save it


 Post subject:
PostPosted: Sat Jan 31, 2009 5:09 pm 
Offline

Joined: Sat May 20, 2006 5:30 am
Posts: 66
Herohtar wrote:
a'moaca' wrote:
Python is a complete, general-purpose programming language. All the basic facilities the language provides for doing things will have to be there in Uru too. Also, the Python is obviously not confined to the game directory, as your KI pictures are not saved in the game directory but elsewhere.


(Emphasis added)

What you said is correct; however, socket communications are a separate Python module and are not part of the basic set of functions, and from what I understand, Uru has a pretty stripped-down version of Python.

My point is, the "basic" Python is enough to get you where you need to go, because it is a regular old programming language. I fully believe that the absence of a pre-provided socket library does not prevent the use of sockets. And what is "stripped-down" Python? Absence of libraries does not make the language stop being Turing-complete.

Also, you are thinking too narrowly about possible attack vectors. Unfortunately, discussing them in more detail is against the forum rules, as we are definitely getting into the realm of exploits, and not just of Uru.

- a'moaca'


 Post subject:
PostPosted: Sat Jan 31, 2009 5:15 pm 
Offline
Obduction Backer

Joined: Tue May 09, 2006 10:13 pm
Posts: 3426
Location: Lost in the void
When I read the title of this topic I thought it was another one about protecting the vault from malicious players. That it could be the other way around never crossed my mind.

But I don't know... writing an Uru age seems a terribly complicated and ineffective way to install malware on somebody's system. I'm sure there are more user friendly malware construction kits out there for the kiddies who are interested in such activities.

Besides if I am going to run a shard I will personally check each age for unwanted code, if only to protect my vault integrity. I would expect any sensible shard admin to do the same.

_________________
D'Lanor (ɹǝʇunч puǝƃǝן uɐqɹn)
KI# 33949


 Post subject:
PostPosted: Sat Jan 31, 2009 9:43 pm 
Offline

Joined: Sat Nov 11, 2006 2:28 am
Posts: 687
Location: Bevin Field Office - KI: 01350736
D'Lanor wrote:
But I don't know... writing an Uru age seems a terribly complicated and ineffective way to install malware on somebody's system.

Just the encouragement a malicious user needs. It doesn't have to be "malware" - you could easily have it do some other terrible thing, like corrupting, wiping, or stealing the player's information, and that might not even be picked up by AV software. There's also the possibility of installing a more conventional trojan or virus.


 Post subject:
PostPosted: Sun Feb 01, 2009 5:02 am 
Offline

Joined: Wed May 10, 2006 3:12 pm
Posts: 2190
Location: Houston
Mountain out of a Mole Hill.

Why worry about something (embedding a virus) that only .01% of the coders involved in Uru could manage? And that any decent virus scanner could defeat.

The majority of that .01% are registered members of one or more Age Creation Groups after all. :roll: :lol:

Quote:
It doesn't have to be "malware" - you could easily have it do some other terrible thing, like corrupting, wiping, or stealing the player's information, and that might not even be picked up by AV software.


Er.......you just described four years of Until Uru. :lol:

Not saying it wasn't horrible, bad, and wrong of the parties involved stretching all the way back to the original beta, but Uru survived it. Give or take a few rough edges, people will manage to live through the idiots while folks close the loopholes on the shards that want those loopholes closed.

_________________
Waymet


 Post subject:
PostPosted: Sun Feb 01, 2009 6:53 am 
Offline
Obduction Backer

Joined: Sat Nov 18, 2006 7:22 pm
Posts: 243
Don't know much on the subject, but I do believe that we are far more likely to get malware from being online than getting some in OSMO. To say it's an issue for OSMO is just stating the obvious, as with any other online activity. Just going to this very site could get us a virus if someone decided to hack it, and with a lot less effort than the malware-age method. All you can do is protect yourself the best you can and hope nothing happens.


 Post subject:
PostPosted: Sun Feb 01, 2009 8:12 am 
Offline

Joined: Tue May 09, 2006 7:48 pm
Posts: 100
In my opinion, the main thing is that we do not want to ignore security until later. It is not as exciting as creating new ages and adding new features, and you will probably not get many accolades from the community for improving security, but we need to keep it in mind, and work on it as soon as we have source. I do not believe that ignoring it and hoping for the best is a very prudent plan.

As far as the .01% theory goes, I am not a very good programmer, and I can do many nasty and interesting things with Python, without any additional modules, and without the user or any pesky virus scanner knowing. If I can do it, then almost anybody else can, as well.


 Post subject:
PostPosted: Sun Feb 01, 2009 10:06 am 
Offline

Joined: Sat Apr 14, 2007 9:51 pm
Posts: 265
I guess most hinges on the Python "os" module. If Plasma has that (or the module can somehow be added via data-server), it can execute any system command. Say a shard owner added a socket module to that, you'd be able to, say, open a URL, download an exe, run the exe.

Hey, I know that Uru isn't "like those other opensource games" but in other opensource multi-player games (mostly action) I've gone to servers with pretty evil admins. Hey, you can assume the age-writer's going to be writing the malware it's more likely the server admin. :P

The most likely situation in my mind would be a badly rewritten KI or whatnot that opens huge loopholes. No one would be intentionally adding these but other users WOULD exploit them. For instance if you had a way to save marker-missions that did it by file-structure in the Uru folder you might have a KI command like
Code:
/loadlocalmarkers myfavoritemissions/hard_games/jumping_maddness.mmf
(marker mission file... just something I made up right now) however, if this was done wrong (pretty easy to do wrong) you could type
Code:
/loadlocalmarkers C://file.txt
to open a different file outside the Uru folder.

Now, this in itself isn't a problem, but if you start adding inter-client marker-game-opening you run into some major issues. This is just a very simple example of how things can go sour when people aren't *extra* careful when coding new stuff in.

The same goes for the client code. Since this is an online game we're going to be working on, writing bad code not only causes bugs but could cause vast security flaws. I for one don't have any plans to set my firewall to block UruExplorer.exe, so it's important that people care enough to not sloppily and quickly implement things.

I'm thinking more and more we should abandon the ol' get-the-client-executable-from-the-data-server approach. Rather, have an official build that comes with the installer. This official build should work with most servers. There will be however different servers which will require you to get a different build (but this hopefully will be pretty rare and the people running the different stuff will be reputable and they're a rather large bunch--think Alcugs).

_________________
Guild of Writers Councilor
PyPRP2 Developer
Plasma Hacker
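An added example, not part of the original post and not code from Uru or Plasma: one way to confine a file-loading command such as the hypothetical `/loadlocalmarkers` to its own folder. The function names, the marker folder argument and the `.mmf` extension check are assumptions made for illustration.

```python
import os


class UnsafePathError(ValueError):
    """The requested file would fall outside the allowed folder or type."""


def resolve_marker_file(base_dir, user_path, allowed_ext=".mmf"):
    """Return the real path of user_path inside base_dir, or raise UnsafePathError.

    base_dir, allowed_ext and the function name are assumptions for this
    example; the thread only names the hypothetical /loadlocalmarkers command.
    """
    if "\x00" in user_path:
        raise UnsafePathError("NUL byte in path")
    base = os.path.realpath(base_dir)
    # os.path.join silently drops `base` when user_path is absolute, and
    # realpath collapses ".." and follows symlinks, so the containment check
    # has to run on the fully resolved result, never on the raw string.
    candidate = os.path.realpath(os.path.join(base, user_path))
    try:
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:  # e.g. different drive letters on Windows
        inside = False
    if not inside or candidate == base:
        raise UnsafePathError("path escapes marker folder: %r" % user_path)
    if not candidate.lower().endswith(allowed_ext):
        raise UnsafePathError("not a %s file: %r" % (allowed_ext, user_path))
    return candidate


def load_local_markers(base_dir, user_path):
    """Read a marker file only after the path has been confined."""
    with open(resolve_marker_file(base_dir, user_path), "rb") as fh:
        return fh.read()


if __name__ == "__main__":
    # Constructed inputs: the first is the thread's benign example, the rest
    # are the kinds of argument the post warns about.
    for arg in ("myfavoritemissions/hard_games/jumping_maddness.mmf",
                "C://file.txt", "/etc/passwd", "../../outside.mmf"):
        try:
            print("allow", resolve_marker_file("markers", arg))
        except UnsafePathError as exc:
            print("deny ", exc)
```

The check matters most once the path argument can arrive from another client rather than from the local player, which is the inter-client case the post singles out.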


 Post subject:
PostPosted: Sun Feb 01, 2009 1:52 pm 
Offline
Obduction Backer

Joined: Tue May 09, 2006 10:13 pm
Posts: 3426
Location: Lost in the void
Lontahv wrote:
I'm thinking more and more we should abandon the ol' get-the-client-executable-from-the-data-server approach.

I am way into the other camp: get-EVERYTHING-client-related-from-dataserver and dataserver-MUST-BE-picked-by-shard. It is the only way to ensure vault integrity. When I ran an UU shard I had my share of restoring vault settings gone bad. And that was with everybody using the same global version.

As has been discussed on the GoW forums the data driven model on which Uru was founded makes the client practically god. A shard runs a much greater security risk than the clients. So I believe that, while neither should be neglected, shard security should have priority over client security.

I agree with cjkelly1. Let's just try to get things working as they are first. That should be difficult enough as it is.

_________________
D'Lanor (ɹǝʇunч puǝƃǝן uɐqɹn)
KI# 33949


 Post subject:
PostPosted: Sun Feb 01, 2009 4:38 pm 
Offline

Joined: Sat Apr 14, 2007 9:51 pm
Posts: 265
If security is not going to be considered for now... getting everything from the DataServer will make stuff run sweetly. :D

_________________
Guild of Writers Councilor
PyPRP2 Developer
Plasma Hacker


 Post subject:
PostPosted: Sun Feb 01, 2009 5:51 pm 
Offline

Joined: Sat May 20, 2006 5:30 am
Posts: 66
D'Lanor wrote:
A shard runs a much greater security risk than the clients. So I believe that, while neither should be neglected, shard security should have priority over client security.

I disagree. D'Lanor, do you think every Uru player has a dedicated machine for Uru? How many Uru players do you suppose have other stuff on their computers? How many have valuable personal information? How many do their taxes on the same computer? How many have important work for their livelihoods, thesis work, etc. on the same computer?

While you are probably right that it is easier to hurt the server, I think you have to consider that the cost of harm for the client is much, much greater. I cannot see how people's livelihoods or personal information, or time spent reinstalling or whatever, can be less important than a pile of data for a game -- a hobby, a pastime. I do not think your hobby is more valuable than your players' RL data.

- a'moaca'

PS The way to secure the server is totally different than securing the client, and you should know yourself that trying to force the client's computer to run a given thing doesn't work except on people you don't need securing from.


 Post subject:
PostPosted: Sun Feb 01, 2009 6:51 pm 
Offline
Obduction Backer

Joined: Tue May 09, 2006 10:13 pm
Posts: 3426
Location: Lost in the void
So then we disagree. The way I see it, it's a tough world out there. It is the same with an age / "evil admin shard" as with any piece of software / internet site. If you don't trust it, don't use it.

Still I believe a maintainer stamp of approval would be a big help in helping users decide whether an age can be trusted or not.

_________________
D'Lanor (ɹǝʇunч puǝƃǝן uɐqɹn)
KI# 33949

