Open Source Security Concerns

a'moaca' · **Joined:** Sat May 20, 2006 5:30 am **Posts:** 66

OK, you're right. If I don't trust the person, indeed I won't use the person's shard. But I think a point has been missed. Security matters in all parts of the system.

How many machines hosting UU servers were broken into? I don't know the answer, but I am aware of at least three incidents. In UU, a cracked server was relatively harmless for the player. Now think about code, whether it is the client executable, or Python, being downloaded to the player's computer from the server. Would you want to be running code from a compromised server?

The server operator checking the code up front is very important but it cannot be the only defense; it does not protect anyone if the client isn't getting what the person running the server intends. So client security matters even if the server operator and age creators are all trustworthy people. As I said, security also depends on being able to verify you actually received what was checked, tested, and accepted. At some point you have to trust people, but you shouldn't trust servers, they are computers and are incapable of being trustworthy.

I think it's a bit of a shame that people seem to think of security as some kind of struggle between client security and server security. Why are they at odds? Why would anyone feel the need to say, "I want server security at the cost of client security" or vice versa? The concern should be securing the whole system.

Until now, people have talked about addressing server security in various different ways, but the client is always left to fend for itself. If you don't think client security is worth anything, fine. But don't block those of us who do want client security. It is actually not difficult from the server's point of view to provide the necessary functionality for securing the client, and client security does not preclude the server from being able to control what the client runs under normal usage.

Under any kind of actual attack, your plan to force players to use your client, libraries, Python, whatever, does not even work. In the end, you cannot control what your attacker runs on his computer. All you can do is make sure normal users are using the right stuff, and you can make it more and more difficult for an attacker, but you cannot stop him that way. The only way that truly works to achieve server security is to validate all input from the client.

Once you accept that you cannot force an attacker to use your client, then you can actually set up the whole system in a way that provides the server control over what non-attackers are using while also providing what is necessary for client security instead of making it impossible. What is wrong with that goal?

It's perfectly fine for the server to expect a certain client, and to arrange for checks for it. What is not perfectly fine is denying me the ability to choose a client and code that I know is safe. So long as a server operator refuses to let me obtain a client and Python code in a way that verifies it is what he and I both intended me to have, that operator is denying me the ability to be safe, without gaining any true security himself. If you want to go that route, I won't visit your shard. However, it doesn't have to be that way for everyone. Let the rest of us secure our clients in peace.

- a'moaca'

D'Lanor · **Posted:** Sun Feb 01, 2009 9:27 pm

I agree with your last post. My point was that trying to wrestle away data distribution from the server side is IMO a dead end.

Anyway, we are now planning to include Python code checking as part of the GoMa age inspection process.

Sophia · **Joined:** Wed May 17, 2006 11:30 pm **Posts:** 1116

Interesting... and I agree, as much as I appreciate software like ULM, I would prefer a proper dataserver model. I am not sure how this would work technically though, since Cyan announced their intentions to run one. If that is the case, and if they include user ages as well (not too likely, I know), this discussion shall prove semi-moot.

If not, how would "we" (clients) connect to multiple dataservers? If you can pick & choose them, you'd make sure to pick only ones that has the "Checked & Approved by GoMa" seal and safety is mostly guaranteed.

Or does this discussion fall under the category "forget all you ever thought you knew about UU, this one is rebuilt from scratch"?

Anaerin · **Joined:** Wed Nov 08, 2006 10:20 pm **Posts:** 303

Sophia wrote:

If not, how would "we" (clients) connect to multiple dataservers? If you can pick & choose them, you'd make sure to pick only ones that has the "Checked & Approved by GoMa" seal and safety is mostly guaranteed.

Connecting to multiple dataservers is really a trivial issue. Especially if we're using something like a distributed dataserver system (Like BitTorrent).

And the "Checked and approved" system could be as simple as a webpage (RSS feed, XML document, whatever) with a list of ages and file hashes. If an age is in the whitelist, and if the hash matches the listed hash, then that (version of that) age is approved by whomever's list you are subscribed to. You could also subscribe to multiple list providers, so you would allow "Cyan ages", "GoMa ages", "GoW ages" and "GoC ages", but not any other ages, including "Anarchic ages" or "In-Development ages". Or you could even maintain your own list of ages you want to allow, so if you are developing an age, you can add it to your personal whitelist.

As for security, it needs to apply both ways. When using a client/server architecture, you should always distrust the data coming from either end. Sanity check everything, both on the server and the client, to ensure there are no faults in the data (malicious or otherwise).

cjkelly1 · **Joined:** Tue May 09, 2006 7:48 pm **Posts:** 100

D'Lanor wrote:

I agree with cjkelly1. Let's just try to get things working as they are first. That should be difficult enough as it is.

I believe I was misunderstood. I said "In my opinion, the main thing is that we do not want to ignore security until later." We need to work on security (as well as new ages and new features) at the outset. Remember, with OSMO we will not have Cyan handling security, so we need to make sure that, in our excitement of having multiplayer Uru, that we do not forget to do it ourselves.

I do not believe getting things working as they were will be very difficult. It worked when Cyan was running it, and I do not think they are intending to release non-working code. If they were going to do that, then they could have simply removed items which might have licensing issues and released the code, with big holes in it. It is my thought that the reason we do not have code yet is because Cyan really wants to release working code that we can actually use.

Marten · **Posted:** Mon Feb 02, 2009 3:41 am

cjkelly1 wrote:

Remember, with OSMO we will not have Cyan handling security, so we need to make sure that, in our excitement of having multiplayer Uru, that we do not forget to do it ourselves.

This is the key point - along with an understanding that it is easier to do security when you have an endpoint that is considered trusted (Cyan). In OSMO, it will be more difficult.

D'Lanor · **Posted:** Mon Feb 02, 2009 9:37 pm

cjkelly1 wrote:

I believe I was misunderstood. I said "In my opinion, the main thing is that we do not want to ignore security until later."

Sorry, I skimmed over your post and read the opposite. My apologies. :oops:

Note to self: do not participate in discussions when in a hurry. *goes back into lurking mode*

Murray · **Joined:** Fri May 19, 2006 4:35 pm **Posts:** 137

D'Lanor wrote:

cjkelly1 wrote:

I believe I was misunderstood. I said "In my opinion, the main thing is that we do not want to ignore security until later."

Sorry, I skimmed over your post and read the opposite. My apologies. :oops:

Note to self: do not participate in discussions when in a hurry. *goes back into lurking mode*

Not too often the D'L is wrong about things, wish I could say the same for myself.

In fact Sophia has written "L" & "R" on my bedroom slippers

A'lan · **Posted:** Tue Feb 03, 2009 2:16 am

I agree with the sentiment that security must be top of mind. Security is job one. :-)

The end goal IMHO is to build a system that users trust enough to use, both client and server. We will not have the luxury of trusting Cyan to watch out for us anymore, so like cj says we must "do it ourselves".

Ed Oscuro · **Posted:** Thu Feb 05, 2009 8:01 am

MustardJeep wrote:

Quote:

It doesn't have to be "malware" - you could easily have it do some other terrible thing, like corrupting, wiping, or stealing the player's information, and that might not even be picked up by AV software.

Er.......you just described four years of Until Uru. :lol:

I feel vindicated since I didn't have any forewarning :lol:

It does seem fairly obvious though.

Onward, security soldiers!

BTW, there seems to be an assumption in some corners that an AV scanner is going to scan Python scripts coming into Uru...I don't see it. A good AV suite these days will be packaged with a network traffic scanner, but I don't even know if that would do the trick, especially if the goal is something that's not going to set off a flag in the AV's heuristics like stealing user profile data. Main thing would be preventing users from running arbitrary scripts (which afaik has never been possible for obvious reasons!) + testing out new content before rolling it out.

/me leaves the dead horse alone, now.

Karkadann · **Posted:** Mon Apr 13, 2009 2:13 pm

What about the way they keep the ULM and the UAM secure can you use the same method they use to prevent malicious software from being downloaded?

a'moaca' · **Joined:** Sat May 20, 2006 5:30 am **Posts:** 66

Well, in short, ULM and UAM have the same security issues. They are not inherently more secure. The major difference is that the code is downloaded separately, so you are able to double-check the integrity using a checksum from a separate source or something, or inspect the files yourself for safety.

If you don't do that after a download and before starting up the game, ULM and UAM are really not secure either.

But I should point out, this is really no less secure than any other downloading of unsigned applications which you do not double-check. It is exactly the same, except your anti-virus will help you even less.

Karkadann · **Posted:** Wed Apr 15, 2009 6:04 am

So unless I read into this whole thing wrong, open source is basically the honor system.

One thing just came to mind Advertising Which can be a double edges sword, Im not that familiar with all this tech stuff but I do know that if the site is advertised and is safe and securer you are more likely to get a larger number of clientèle interested in Uru live and therefor more revenues, some Good advertising for Cyan, and possibly increased interest in the other products Cyan is working on developing.

However the other edge to this sword is that some might see this "safe and secure site" as a challenge and that being the first to compromising it would give them that feeling of accomplishment that some one gets for being "the first"

MustardJeep · **Posted:** Mon Apr 20, 2009 8:50 pm

Quote:

open source is basically the honor system

Pretty much.

The theory behind Open Source, and it's been proven in numerous OS projects is that you trust one source, and that source since it is open constantly has the bugs and other issues resolved. That's the theory anyway; As far as it goes for Uru Cyan is the only 100% trusted source.

Nalates · **Posted:** Mon Apr 20, 2009 9:30 pm

MJ, I'm not sure I would call it the honor system... however, that is pretty accurate, but...

With the source available anyone can examine it. Therefore trust is not really an issue for open source because it is full disclosure. With a number of people using it the whistle-blower factor goes up. Many of us think OS software is more secure and safe then many commercial products.

Open Source Security Concerns

Who is online