All times are UTC




Posted: Wed Jan 28, 2009 6:39 pm
Obduction Backer

Joined: Fri Oct 06, 2006 4:58 pm
Posts: 2022
Location: The Netherlands
Well, if everything will be open-source, including the changes from fans, then there's nothing to worry about, because the developers can check that there's nothing harmful in the code. Just like you can safely install a program like Mozilla Firefox (just to name something).

Posted: Wed Jan 28, 2009 7:59 pm

Joined: Thu May 11, 2006 5:22 pm
Posts: 1810
Location: California
Ooooh… Lord Chaos has a point.

Erick, having the source code does not really remove the problem. As I see it, someone like GoW could know what is in the source they are using. But would they know what is in the source I’m using, or any shard but theirs? If the networked servers making up a shard are remote and GoW (or whoever) only sees the working copies of the age files, it could be a problem. Someone would have to look at Python scripts in each new age to prevent a Trojan.

Ages will have Python scripts. Python can open ports, serial, TCP, UDP, IP, etc. (http://docs.python.org/3.0/genindex-O.html Reference). Whether they can do that inside the MOUL client I’m not sure. I would bet one could. If so, I suspect it would be reasonably easy to add a Trojan to an age. AV software is not likely to catch a program you have already OK’d to connect to the net. One could hope whatever the Trojan pulls through is caught. But GoMa will be checking and testing ages. So, there is at least that layer of protection.

It may be possible to set up a Trojan shard just as Trojan web sites are set up. Fortunately it will be far more complicated an effort. Since a fake age would have to get past the GoMa testing, setting up a fake shard would be about the only way. Some type of control over which shards are listed here, at GoW, or wherever the list is kept would reduce the possibilities of Trojan shards. Because if an independent shard operator decided to add a standalone Trojan shard, I doubt anyone would know there was a problem until it was too late. So, letting shards on the list is where to control it.


I think it unlikely to be a problem. But it should be part of the age testing. Passing that testing should be part of the criteria to allow an age on any responsible shard.

So, as I see it, the direct answer to Chaos’ question is that security is likely going to be handled by GoMa, shard operators and each of us in how we choose a shard.

_________________
Nalates - GoC - 418 - MOULa I: Nal KI#00 083 543, MOULa II: KI#00 583 875Nalates 111451 - Second Life: Nalates Urriah
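The script review step described in the post above can be partly automated. The following is an added example, not part of the original thread and not code from Cyan or any guild: a static scan that lists network, process and dynamic-loading constructs in an age's Python script for a human reviewer. The function name and the flagged-module list are assumptions, and the script is assumed to parse under the Python version running the check.

```python
import ast

# Assumption: modules and builtins a reviewer wants surfaced (illustrative list).
FLAGGED_MODULES = {"socket", "ssl", "urllib", "urllib2", "httplib", "http",
                   "ftplib", "smtplib", "telnetlib", "subprocess", "os", "ctypes"}
FLAGGED_CALLS = {"__import__", "eval", "exec", "compile", "open"}


def review_age_script(source, filename="<age script>"):
    """Return sorted (line, finding) tuples for constructs to inspect by hand."""
    try:
        tree = ast.parse(source, filename=filename)
    except SyntaxError as exc:
        # A script the scanner cannot parse must not pass silently.
        return [(exc.lineno or 0, "unparseable: review by hand")]
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            names = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom):
            names = [node.module or ""]
        else:
            names = []
        for name in names:
            # Compare on the top-level package so "os.path" matches "os".
            if name.split(".")[0] in FLAGGED_MODULES:
                findings.append((node.lineno, "import " + name))
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id in FLAGGED_CALLS):
            findings.append((node.lineno, "call " + node.func.id + "()"))
    return sorted(findings)


# Constructed sample script, not taken from any real age.
SAMPLE = '''\
import math
import socket as s
from os import path

def on_link_in():
    conn = s.socket()
    mod = __import__("url" + "lib")
'''

if __name__ == "__main__":
    for line, finding in review_age_script(SAMPLE):
        print("line %d: %s" % (line, finding))
```

An empty result only means none of the listed constructs appear literally; the scan narrows what a reviewer reads first and does not replace reading the script or restricting what the client's interpreter exposes.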


Posted: Wed Jan 28, 2009 11:10 pm

Joined: Fri Aug 04, 2006 5:08 am
Posts: 1991
Location: Greenville, SC
Python scripts are hosted in a private instance in MOUL. You could easily disable anything in the host that's insecure that Cyan hasn't already disabled. Do that and as long as you get your client from a reputable source you won't have any problems.

_________________
Can you withstand the gaze of the Eye of Eternity?


Posted: Thu Jan 29, 2009 9:45 pm
Obduction Backer

Joined: Fri Nov 10, 2006 7:41 am
Posts: 33
Location: Aachen, Germany
Mozilla unfortunately is not a very good example. It has lots of bugs and only very timely response by the developers prevents the worst consequences. And it is not really Firefox itself which has the problems but the openness of JavaScript, which when allowed to run can have all sorts of unforeseen side effects. As another example, any Web application which interfaces to a database has potential problems with SQL injection if the web interface is not very carefully written. In that way MO with Python as user scripting language is sort of similar. It will take a lot of careful code examination to prevent potentially dangerous things from happening. I don't have much experience with Python; if it is similar to the Java (as in NOT JavaScript) sandbox, which by design secures file and network access, then there may be hope.

_________________
272 924

