PostPosted: Mon Apr 20, 2009 10:18 pm
Obduction Backer

Joined: Tue Oct 03, 2006 3:25 am
Posts: 869
Open source is (like any other choice) a curse and a blessing, security-wise.

The curse part is that, because the source is publicly available, you don't need sophisticated tools to attack it. You just read the source and look for holes.

The blessing part is, in the long run, this is WAY more secure. Only a small percentage of people reading the source are out to cause harm. The vast majority are there to use and improve it. And the obvious weaknesses get shored up very quickly.

But the general principle is a security term popularly called "security through obscurity," the hope that by keeping something secret you can keep it safe. That's an amazingly popular fiction, a principle that only barely works with three or four people, and works terribly with several thousand. What's the old phrase? "Three can keep a secret, if two are dead."

The reality of the situation is, every place you depend on a secret, is a place where your security is vulnerable. You can't eliminate all secrets from security, but the fewer of them you depend on, the better. Everywhere you think something is secret, you tend to have "trust." And if the secret gets out, your "trust" lets bad people do bad things.

The first several months of the open source release will see a little bit of attacking and a LOT of security updating, that's just the nature of the thing. But once the first wave dies down, we'll have a very solid system, at least as solid as any other MMO out there, and probably more so.

_________________
"I visited Esher's lab and all I got was this lousy t-shirt."
VidRoth -- KI#50637


PostPosted: Tue Apr 21, 2009 4:42 am

Joined: Wed May 10, 2006 3:12 pm
Posts: 2190
Location: Houston
My only worry is that in the short term we will have a spate of UbiBeta silly scripting from people trying to prove a point.

From everything I understand, MOUL updated a lot of the easy routes that were popular back then, but there are still openings. A lot of the short-term answers all involve better fan-based game administration than UU had, with a couple of people acting as ResEngs, at least one good DBA per shard, someone able enough to take a Shard down for Maintenance before it crashes.

Really and truly, I don't expect there to be anything as spectacular as UbiBeta was for silly scripting fun, but as a matter of principle I worry about a few diehard traditionalists that still hang around. As long as it's fun I don't think too many will care one way or the other where the fun came from, but I am glad we have MOUL instead of UbiUru.

_________________
Waymet


PostPosted: Mon Sep 07, 2009 6:30 pm

Joined: Tue Feb 05, 2008 6:11 pm
Posts: 1969
Location: Land of Confusion

_________________
When You have eliminated all other possibilities What ever is left must be the solution

E=mc2
Energy = Milk x Coffee Squared


PostPosted: Tue Sep 08, 2009 12:51 am

Joined: Thu May 11, 2006 5:22 pm
Posts: 1810
Location: California

_________________
Nalates - GoC - 418 - MOULa I: Nal KI#00 083 543, MOULa II: KI#00 583 875Nalates 111451 - Second Life: Nalates Urriah


PostPosted: Tue Sep 08, 2009 1:40 am

Joined: Tue May 09, 2006 12:33 am
Posts: 1182
Location: British Columbia, Canada
As some examples of open-source programs which seem to have the security aspect handled quite well include , , , and pretty much the entire Linux kernel.

The thing about open-source is not that it is less vulnerable, but when vulnerabilities are pointed out they are often fixed within a day or two. Whereas proprietary software can knowingly leave issues unpatched for years (and actively pursue legal action against those who point out such issues) :roll:


PostPosted: Tue Sep 08, 2009 3:48 am

Joined: Wed May 20, 2009 5:22 am
Posts: 16
Location: On Call (Roaming)
It will all just boil down to sound and fury in the end.

Paradox is right, while I wouldn't rank the Uru Fan Programmer base as able to fix a major problem in a day or two (There just aren't enough programmers here with that kind of time.) I would however think a game ruining bug could be diagnosed and worked around until there is time to fix it.


PostPosted: Tue Sep 08, 2009 4:07 am

Joined: Tue Feb 05, 2008 6:11 pm
Posts: 1969
Location: Land of Confusion

_________________
When You have eliminated all other possibilities What ever is left must be the solution

E=mc2
Energy = Milk x Coffee Squared


PostPosted: Wed Sep 09, 2009 5:42 pm

Joined: Thu May 11, 2006 5:22 pm
Posts: 1810
Location: California

_________________
Nalates - GoC - 418 - MOULa I: Nal KI#00 083 543, MOULa II: KI#00 583 875Nalates 111451 - Second Life: Nalates Urriah


PostPosted: Fri Feb 19, 2010 1:39 am
Obduction Backer

Joined: Wed May 31, 2006 4:09 am
Posts: 20
I am really glad that this discussion steered away from viruses (or other malicious code) in Python files. First of all, while the Python distributed with ages is fairly obscured, it can be unobscured and read, so any funny business will be apparent to anyone who bothers to look. A GoMa check is all that's needed, really. Additionally, the worst a Python file can do, even if malicious code gets through, is fill up the hard drive with random junk. This can be easily avoided (if it isn't already) by hooking the Python "open file" function with some sort of check.

Python (as found in MOUL) cannot sneakily open sockets. The socket functionality in Python is provided by a compiled DLL (on Windows) that is not present in MOUL. This functionality cannot be replicated in pure Python, as it needs to be bound directly to operating system calls. The only way an age could use sockets would be if it installed a DLL to the MOUL directory, which no age has any right to do. It would raise a red flag immediately.

Ages are not a concern here.

The client and server security is, but the code we end up getting will not be any more or less secure than the same code that Cyan ran. Just because there may be multiple servers running does not change that. Just make sure you trust where your code is coming from, and who operates the server, and it'll be just as secure as before. We could even implement a simple key system so you can verify you're actually connecting to the server you think you are, really simply, and there may already be such a system in place.

It's really the same situation as browsing the web with Firefox. Do you trust the Mozilla Foundation? Do you trust the HTTP server? Do you trust the web site author? One of these is open-source, the other often is as well, and the last is usually some stranger. We browse anyway.
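
The "open file" hook suggested in the post above, sketched as an added example that is not part of the original post or of MOUL's code. It is written for Python 3; the names `make_guarded_open` and `QuotaExceeded`, the 1024-unit quota and the temporary directory standing in for an age's folder are all assumptions made for illustration.

```python
import io
import os
import tempfile

class QuotaExceeded(OSError):
    """Raised when guarded code has used up its write budget."""

class _QuotaWriter:
    """File proxy that charges every write() to a budget shared by all files."""
    def __init__(self, fh, budget):
        self._fh, self._budget = fh, budget
    def write(self, data):
        if len(data) > self._budget["left"]:   # bytes (binary) or chars (text)
            raise QuotaExceeded("write quota exhausted")
        self._budget["left"] -= len(data)
        return self._fh.write(data)
    def __getattr__(self, name):               # read(), close(), ... pass through
        return getattr(self._fh, name)
    def __enter__(self):
        return self
    def __exit__(self, *exc):
        self._fh.close()

def make_guarded_open(root, quota, real_open=io.open):
    """Return an open() replacement confined to root, with a write quota."""
    root = os.path.realpath(root)
    budget = {"left": quota}
    def guarded_open(path, mode="r", *args, **kwargs):
        target = os.path.realpath(os.path.join(root, path))  # collapses ".." and symlinks
        if os.path.commonpath([root, target]) != root:
            raise PermissionError("outside script directory: %r" % (path,))
        fh = real_open(target, mode, *args, **kwargs)
        return _QuotaWriter(fh, budget) if set(mode) & set("wax+") else fh
    return guarded_open

def demo():
    results = {}
    with tempfile.TemporaryDirectory() as root:  # constructed stand-in for an age folder
        safe_open = make_guarded_open(root, quota=1024)
        with safe_open("notes.txt", "w") as f:
            results["small_write"] = f.write("hello")
            try:
                f.write("A" * 4096)              # junk-filling attempt
            except QuotaExceeded:
                results["flood"] = "blocked"
        try:
            safe_open("../escape.txt", "w")      # path outside the folder
        except PermissionError:
            results["traversal"] = "blocked"
    return results
```

A host application would install the returned function as the interpreter's built-in `open` before loading script code. A hook like this is a guard rail rather than isolation, since script code that can still import `io` or `os` reaches the real file API.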


PostPosted: Fri Feb 19, 2010 2:08 am
Obduction Backer

Joined: Tue May 09, 2006 4:33 pm
Posts: 878
Location: Jurupa Valley, CA USA

_________________
MOULa KI #32712

MOUL KI #35129
D'mala KI #74265
Gehn KI #10113


PostPosted: Fri Feb 19, 2010 6:19 pm
Obduction Backer

Joined: Wed May 31, 2006 4:09 am
Posts: 20


PostPosted: Fri Feb 19, 2010 6:56 pm

Joined: Thu May 11, 2006 5:22 pm
Posts: 1810
Location: California

_________________
Nalates - GoC - 418 - MOULa I: Nal KI#00 083 543, MOULa II: KI#00 583 875Nalates 111451 - Second Life: Nalates Urriah


PostPosted: Fri Feb 19, 2010 9:01 pm

Joined: Fri Feb 19, 2010 5:04 pm
Posts: 115
Location: England


PostPosted: Fri Feb 19, 2010 9:57 pm
Obduction Backer

Joined: Thu Jun 08, 2006 7:01 pm
Posts: 1890

_________________
Andrew Plotkin -- Seltani founding member


PostPosted: Sat Feb 20, 2010 11:41 am

Joined: Fri Feb 19, 2010 5:04 pm
Posts: 115
Location: England

