PostPosted: Sun Feb 01, 2009 8:38 pm 

Joined: Sat May 20, 2006 5:30 am
Posts: 66
OK, you're right. If I don't trust the person, indeed I won't use the person's shard. But I think a point has been missed. Security matters in all parts of the system.

How many machines hosting UU servers were broken into? I don't know the answer, but I am aware of at least three incidents. In UU, a cracked server was relatively harmless for the player. Now think about code, whether it is the client executable, or Python, being downloaded to the player's computer from the server. Would you want to be running code from a compromised server?

The server operator checking the code up front is very important but it cannot be the only defense; it does not protect anyone if the client isn't getting what the person running the server intends. So client security matters even if the server operator and age creators are all trustworthy people. As I said, security also depends on being able to verify you actually received what was checked, tested, and accepted. At some point you have to trust people, but you shouldn't trust servers, they are computers and are incapable of being trustworthy.



I think it's a bit of a shame that people seem to think of security as some kind of struggle between client security and server security. Why are they at odds? Why would anyone feel the need to say, "I want server security at the cost of client security" or vice versa? The concern should be securing the whole system.

Until now, people have talked about addressing server security in various different ways, but the client is always left to fend for itself. If you don't think client security is worth anything, fine. But don't block those of us who do want client security. It is actually not difficult from the server's point of view to provide the necessary functionality for securing the client, and client security does not preclude the server from being able to control what the client runs under normal usage.

Under any kind of actual attack, your plan to force players to use your client, libraries, Python, whatever, does not even work. In the end, you cannot control what your attacker runs on his computer. All you can do is make sure normal users are using the right stuff, and you can make it more and more difficult for an attacker, but you cannot stop him that way. The only way that truly works to achieve server security is to validate all input from the client.

Once you accept that you cannot force an attacker to use your client, then you can actually set up the whole system in a way that provides the server control over what non-attackers are using while also providing what is necessary for client security instead of making it impossible. What is wrong with that goal?

It's perfectly fine for the server to expect a certain client, and to arrange for checks for it. What is not perfectly fine is denying me the ability to choose a client and code that I know is safe. So long as a server operator refuses to let me obtain a client and Python code in a way that verifies it is what he and I both intended me to have, that operator is denying me the ability to be safe, without gaining any true security himself. If you want to go that route, I won't visit your shard. However, it doesn't have to be that way for everyone. Let the rest of us secure our clients in peace.

- a'moaca'


PostPosted: Sun Feb 01, 2009 9:27 pm 
Obduction Backer

Joined: Tue May 09, 2006 10:13 pm
Posts: 3426
Location: Lost in the void
I agree with your last post. My point was that trying to wrestle away data distribution from the server side is IMO a dead end.

Anyway, we are now planning to include Python code checking as part of the GoMa age inspection process.

_________________
D'Lanor (ɹǝʇunч puǝƃǝן uɐqɹn)
KI# 33949


PostPosted: Sun Feb 01, 2009 11:46 pm 

Joined: Wed May 17, 2006 11:30 pm
Posts: 1115
Interesting... and I agree, as much as I appreciate software like ULM, I would prefer a proper dataserver model. I am not sure how this would work technically though, since Cyan announced their intentions to run one. If that is the case, and if they include user ages as well (not too likely, I know), this discussion shall prove semi-moot.

If not, how would "we" (clients) connect to multiple dataservers? If you can pick & choose them, you'd make sure to pick only ones that have the "Checked & Approved by GoMa" seal, and safety is mostly guaranteed.

Or does this discussion fall under the category "forget all you ever thought you knew about UU, this one is rebuilt from scratch"?


PostPosted: Mon Feb 02, 2009 12:52 am 

Joined: Wed Nov 08, 2006 10:20 pm
Posts: 303
Sophia wrote:
If not, how would "we" (clients) connect to multiple dataservers? If you can pick & choose them, you'd make sure to pick only ones that have the "Checked & Approved by GoMa" seal, and safety is mostly guaranteed.


Connecting to multiple dataservers is really a trivial issue, especially if we're using something like a distributed dataserver system (like BitTorrent).

And the "Checked and approved" system could be as simple as a webpage (RSS feed, XML document, whatever) with a list of ages and file hashes. If an age is in the whitelist, and if the hash matches the listed hash, then that (version of that) age is approved by whoever's list you are subscribed to. You could also subscribe to multiple list providers, so you would allow "Cyan ages", "GoMa ages", "GoW ages" and "GoC ages", but not any other ages, including "Anarchic ages" or "In-Development ages". Or you could even maintain your own list of ages you want to allow, so if you are developing an age, you can add it to your personal whitelist.

As for security, it needs to apply both ways. When using a client/server architecture, you should always distrust the data coming from either end. Sanity check everything, both on the server and the client, to ensure there are no faults in the data (malicious or otherwise).

_________________
Avatar: Anaerin
Ki: 118686


PostPosted: Mon Feb 02, 2009 2:07 am 

Joined: Tue May 09, 2006 7:48 pm
Posts: 100
D'Lanor wrote:
I agree with cjkelly1. Let's just try to get things working as they are first. That should be difficult enough as it is.

I believe I was misunderstood. I said "In my opinion, the main thing is that we do not want to ignore security until later." We need to work on security (as well as new ages and new features) at the outset. Remember, with OSMO we will not have Cyan handling security, so we need to make sure that, in our excitement of having multiplayer Uru, we do not forget to do it ourselves.

I do not believe getting things working as they were will be very difficult. It worked when Cyan was running it, and I do not think they are intending to release non-working code. If they were going to do that, then they could have simply removed items which might have licensing issues and released the code, with big holes in it. It is my thought that the reason we do not have code yet is because Cyan really wants to release working code that we can actually use.


PostPosted: Mon Feb 02, 2009 3:41 am 
Obduction Backer

Joined: Mon May 15, 2006 10:02 pm
Posts: 2266
Location: Tigard, OR
cjkelly1 wrote:
Remember, with OSMO we will not have Cyan handling security, so we need to make sure that, in our excitement of having multiplayer Uru, we do not forget to do it ourselves.

This is the key point - along with an understanding that it is easier to do security when you have an endpoint that is considered trusted (Cyan). In OSMO, it will be more difficult.

_________________
MOULa KI: 26838 | Prologue Videos | Visit rel.to to explore Myst, Uru, and D'ni communities!
Click here for social/game profiles


PostPosted: Mon Feb 02, 2009 9:37 pm 
Obduction Backer

Joined: Tue May 09, 2006 10:13 pm
Posts: 3426
Location: Lost in the void
cjkelly1 wrote:
I believe I was misunderstood. I said "In my opinion, the main thing is that we do not want to ignore security until later."

Sorry, I skimmed over your post and read the opposite. My apologies. :oops:

Note to self: do not participate in discussions when in a hurry. *goes back into lurking mode*

_________________
D'Lanor (ɹǝʇunч puǝƃǝן uɐqɹn)
KI# 33949


PostPosted: Tue Feb 03, 2009 12:03 am 

Joined: Fri May 19, 2006 4:35 pm
Posts: 137
D'Lanor wrote:
cjkelly1 wrote:
I believe I was misunderstood. I said "In my opinion, the main thing is that we do not want to ignore security until later."

Sorry, I skimmed over your post and read the opposite. My apologies. :oops:

Note to self: do not participate in discussions when in a hurry. *goes back into lurking mode*


Not too often the D'L is wrong about things, wish I could say the same for myself.

In fact Sophia has written "L" & "R" on my bedroom slippers :)


PostPosted: Tue Feb 03, 2009 2:16 am 
Obduction Backer

Joined: Wed May 10, 2006 2:16 am
Posts: 167
Location: Fort Worth, Texas, USA
I agree with the sentiment that security must be top of mind. Security is job one. :-) The end goal IMHO is to build a system that users trust enough to use, both client and server. We will not have the luxury of trusting Cyan to watch out for us anymore, so like cj says we must "do it ourselves".

_________________
"Look he cries when I hit him with his stupid umbrella. I can't believe he made these incredible promises of wonderful new umbrellas. Cry umbrella man! Cry!" - CyanBill


PostPosted: Thu Feb 05, 2009 8:01 am 

Joined: Sat Nov 11, 2006 2:28 am
Posts: 687
Location: Bevin Field Office - KI: 01350736
MustardJeep wrote:
Quote:
It doesn't have to be "malware" - you could easily have it do some other terrible thing, like corrupting, wiping, or stealing the player's information, and that might not even be picked up by AV software.


Er.......you just described four years of Until Uru. :lol:

I feel vindicated since I didn't have any forewarning :lol: It does seem fairly obvious though.

Onward, security soldiers!

BTW, there seems to be an assumption in some corners that an AV scanner is going to scan Python scripts coming into Uru...I don't see it. A good AV suite these days will be packaged with a network traffic scanner, but I don't even know if that would do the trick, especially if the goal is something that's not going to set off a flag in the AV's heuristics like stealing user profile data. Main thing would be preventing users from running arbitrary scripts (which afaik has never been possible for obvious reasons!) + testing out new content before rolling it out.

/me leaves the dead horse alone, now.


PostPosted: Mon Apr 13, 2009 2:13 pm 

Joined: Tue Feb 05, 2008 6:11 pm
Posts: 1969
Location: Land of Confusion
What about the way they keep the ULM and the UAM secure? Can you use the same method they use to prevent malicious software from being downloaded?

_________________
When you have eliminated all other possibilities, whatever is left must be the solution

E=mc2
Energy = Milk x Coffee Squared


PostPosted: Tue Apr 14, 2009 11:07 pm 

Joined: Sat May 20, 2006 5:30 am
Posts: 66
Well, in short, ULM and UAM have the same security issues. They are not inherently more secure. The major difference is that the code is downloaded separately, so you are able to double-check the integrity using a checksum from a separate source or something, or inspect the files yourself for safety.

If you don't do that after a download and before starting up the game, ULM and UAM are really not secure either.

But I should point out, this is really no less secure than any other downloading of unsigned applications which you do not double-check. It is exactly the same, except your anti-virus will help you even less.
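As an added example (not code from this thread or from any Uru project), here is one way to combine the two ideas raised above: Anaerin's whitelists of ages and file hashes from several subscribed providers plus a personal list, and a'moaca's point that the checksum must come from a source separate from the download itself. The age names, file bytes, provider names and list contents are all constructed stand-ins.

```python
import hashlib
import hmac

# Constructed stand-ins for downloaded age files (real input would be .prp/.py data).
SAMPLE_FILES = {
    "Ahnonay": b"constructed age payload A",
    "Eder Tsogal": b"constructed age payload B",
    "MyTestAge": b"constructed work-in-progress age",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed whitelists, one per list provider: age name -> approved SHA-256.
# In the scheme discussed, each list would be fetched from a webpage/RSS/XML
# feed that is separate from the dataserver delivering the files themselves.
PROVIDER_LISTS = {
    "Cyan ages": {"Ahnonay": sha256_hex(SAMPLE_FILES["Ahnonay"])},
    # GoMa approved a different (older) build of this age than the one served.
    "GoMa ages": {"Eder Tsogal": sha256_hex(b"constructed older approved build")},
}


def verdict(age, data, subscriptions, personal=None):
    """Decide whether this exact version of `age` may be loaded.

    Returns ("approved", provider) when a subscribed list (or the personal
    whitelist) carries the age and its hash matches the downloaded bytes;
    ("hash-mismatch", [providers]) when the age is listed but the bytes differ,
    i.e. an unapproved version or a tampered/mis-served download;
    ("unlisted", None) when no subscribed list knows the age at all.
    """
    digest = sha256_hex(data)
    lists = {name: PROVIDER_LISTS[name] for name in subscriptions}
    if personal is not None:
        lists["personal"] = personal          # developer's own whitelist
    listed_by = []
    for name, whitelist in lists.items():
        expected = whitelist.get(age)
        if expected is None:
            continue                          # this provider never vetted the age
        if hmac.compare_digest(expected, digest):
            return ("approved", name)
        listed_by.append(name)
    if listed_by:
        return ("hash-mismatch", listed_by)
    return ("unlisted", None)
```

A "hash-mismatch" result is the case both posters care about: the list says the age is fine, but the bytes you actually received are not the ones that were checked.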


PostPosted: Wed Apr 15, 2009 6:04 am 

Joined: Tue Feb 05, 2008 6:11 pm
Posts: 1969
Location: Land of Confusion
So unless I read into this whole thing wrong, open source is basically the honor system.

One thing just came to mind: advertising, which can be a double-edged sword. I'm not that familiar with all this tech stuff, but I do know that if the site is advertised and is safe and secure you are more likely to get a larger number of clientele interested in Uru Live and therefore more revenue, some good advertising for Cyan, and possibly increased interest in the other products Cyan is working on developing.

However, the other edge to this sword is that some might see this "safe and secure site" as a challenge, and being the first to compromise it would give them that feeling of accomplishment that someone gets for being "the first".

_________________
When you have eliminated all other possibilities, whatever is left must be the solution

E=mc2
Energy = Milk x Coffee Squared


PostPosted: Mon Apr 20, 2009 8:50 pm 

Joined: Wed May 10, 2006 3:12 pm
Posts: 2190
Location: Houston
Quote:
open source is basically the honor system


Pretty much.

The theory behind Open Source, and it's been proven in numerous OS projects, is that you trust one source, and that source, since it is open, constantly has the bugs and other issues resolved. That's the theory anyway; as far as it goes for Uru, Cyan is the only 100% trusted source. 8)

_________________
Waymet


PostPosted: Mon Apr 20, 2009 9:30 pm 

Joined: Thu May 11, 2006 5:22 pm
Posts: 1812
Location: California
MJ, I'm not sure I would call it the honor system... however, that is pretty accurate, but...

With the source available anyone can examine it. Therefore trust is not really an issue for open source because it is full disclosure. With a number of people using it, the whistle-blower factor goes up. Many of us think OS software is more secure and safe than many commercial products.

_________________
Nalates - GoC - 418 - MOULa I: Nal KI#00 083 543, MOULa II: KI#00 583 875Nalates 111451 - Second Life: Nalates Urriah
Guild of Cartographers

