|
Seb Wizard
Joined: 14 Aug 2004 Posts: 1269
|
Posted: Wed Nov 14, 2007 2:31 am
Feature Ideas: Restricted / Trusted / Obfuscated modes for packages |
I don't know about the rest of you, but I don't like the idea of downloading code onto my computer from someone I don't trust that will have the same privileges that my logon has. This is one of the reasons I've only just started looking at the Package Library (given the fact that I know a package can currently wipe my computer, FTP my files off, possibly including my session database and packages, possibly just using %pass with a #URL such that it gets logged on someone's website, or something more advanced. Anyway, the possibilities are currently limitless.
I know that of course one should download a package first and then check it out to see what it does, but reading all the code in a big package may be tedious and not everyone may end up doing this. And with the OnLoad event now, the package could carry out the malicious activity before you've had the chance to look inside it.
I've been thinking about aspects of this for some time and so now I suggest some extra options that can be set for packages only via the GUI (thus eliminating the possibility that a trojan CMUD script would mark an untrusted package as trusted):
(a) Trusted package - this should be the default for packages created locally.
(b) Normal package - this should be the default for packages downloaded from the Package Library.
(c) Restricted package
(d) Obfuscated package - this would be independent of the previous 3 options - I'll explain later as it's pretty separate.
(a) a Trusted package would be able to do anything a package is currently able to do.
(b) a Normal package would be able to do anything except use #DDE and related functions, #COM and related functions, #CHARACTER, #PW, %pass and probably most things listed in the "Session" manual page, #FTP (when it is implemented), possibly #URL, #MSS, #LAUNCH, #PLUGIN (when it is implemented), #SCRIPT, possibly #EXEC - probably not as long as %pass and %char are not available to it, #SS, anything else you think is dangerous. I don't know what built-ins Lua has and whether any of those may be dangerous...
(c) a Restricted package would operate in a 'sandbox' and not be able to read or write to any setting outside of its own package in addition to the limits in (b). (This may be like Local modules? But it would apply to the whole package.)
Ideally, the list of restricted commands and functions would have a default like I have described but could be customized by the user on an individual package basis (or globally, or both - inherited like Preferences).
-----------
I know some people sell zScripts, so they may find Obfuscated packages useful. Others may just not know if, or when, their friends / group-mates may turn on them, or maybe not want every Tom, Dick and Harry getting their hands on all their hard work.
Obfuscated packages would either (a) only contain the compiled code wherever it is available, or (b) have a password to view, export or save as the package, or copy or move the settings to another package. Obfuscated packages should default to Restricted mode when installed for the first time, given that they are more difficult to analyse.
The idea of obfuscated packages is so that owners can maintain ownership of the source of their package and possibly, for example, implement some sort of time-bomb (in zScript code) where the package ceases working after X date (but causes no other damage!) Or a time-limit on packages could be implemented directly in CMUD, but that would still require code obfuscation. Another example is to add some zScript code to prevent someone you give a package to distributing the package to all their friends or posting it onto the internet. Again, perhaps that check could be integrated somehow into CMUD - although that might only work with registered users - but Zugg might like that idea.
People should still be able to read the compiled code to work out more or less what the package does and to verify that it doesn't do anything malicious or underhanded. Module properties should not be changeable, so that modules can be set to Local by the owner and thus not allow any changes to be made from outside the package.
Obfuscated packages should be flagged as such in the package library.
I realise that these suggestions are probably not something for this beta period or the public period that follows, and doing all of the suggestions might be a substantial job, but I have more or less listed the suggestions in the order they would need to be implemented, so doing the first couple might not be too much work and then others maybe can be considered later.
[Edit: Not sure if the Beta forum is more appropriate than the normal forum for this - move it if you want to - I didn't want to scare any newbies.] |
|
|
|
Tech GURU
Joined: 18 Oct 2000 Posts: 2733 Location: Atlanta, USA
|
Posted: Wed Nov 14, 2007 3:50 am |
In earlier discussions when packages and the library first came up Zugg did talk about the idea of have Public and Private packages; with the main idea for Private being for those who want share their packages with a select few or provide them for sale. The initial idea being is that much like open source software it's the visibility of the code that would ensure anything malicious was quickly removed. Of course, that was before the onLoad event.
The categories you have described would work well although I'm not convinced normal is absolutely required. From Zugg's perspective I think it would be easier to do Trusted and Restricted (with the later just having a scope check.) With that said you'd still want parsing rules around #EXEC etc commands to block them, and once you do that providing the Normal mode would be fairly simple.
As for Obfuscated I like the idea of it being password protected, i.e. you would need a password to copy/paste, export, see the Script Text, XML tab, and mask everything except the name in commands like #TRIGGER from the command line. I thought you could even take it one step further by having it downloaded each time you load up CMUD (if you already have access to it) to make it more secure. Of course if you had this options then that package would need it's underlying DB data encrypted. Alternatively you can put these options on a separate Commercial category.
This could tie in nicely with Zugg idea for a MyMUDs page and some other either for a package library. Also he could make Commercial packages only accessible from the library (i.e. author would upload then set the option there) and charge a small fee for hosting. It has the added benefit of providing an additional revenue stream for Zugg.
Of course it's up to Zugg to say how feasible this is. It would definitely be something for after the first 2.xx public release and depending on where Zugg puts the mapper rewrite it may even be a 3.xx release thing. |
|
_________________ Asati di tempari! |
|
|
|
Caled Sorcerer
Joined: 21 Oct 2000 Posts: 821 Location: Australia
|
Posted: Wed Nov 14, 2007 6:59 am |
In my opinion, the most important feature of the package library, is the pending private "area."
If I decide I wish to create a clan on my mud with a particular pvp purpose (as I am doing at the moment) I would love to have a set of scripts available only to members of that clan. I will offer a decent curing system to members, various group fighting scripts, and whatever else I can think of. Sharing scripts globally is fine and all - its basically like the finished scripts forum on steroids.
But the private area can really change the way this sort of thing works, AND at the same time give more people reason to buy CMUD. Most of the people from my mud use zmud. A handful have CMUD licences, and only a couple actually use CMUD. For people that already have zmud working well for them, what does CMUD really have to offer? Of the people I know that I play the game with, I am one of the better zscripters, yet when you lot go on about some of the new features (threading comes to mind) I start thinking about football . The people who manage to build working curing systems around #IF, #VAR and #ALA are not going to upgrade to CMUD because it took them long enough to get zmud working, let alone try and port it all to a new client. If it isn't broke, don't fix it >.>
On the other hand, a friend supplying them with a working system, installed with a mouse click, updated with a mouse click - thats a reason to buy CMUD over every other client on the market. But it hinges on the private area of the package library being implemented. There is no chance I am giving my proper system to everyone, and I'm not alone in this.
The obfuscated script is an interesting idea. Larkin may well be interested in this one, and could probably comment on it. |
|
_________________ Athlon 64 3200+
Win XP Pro x64 |
|
|
|
Seb Wizard
Joined: 14 Aug 2004 Posts: 1269
|
Posted: Wed Nov 14, 2007 11:51 am |
Yes, clans may like to share their scripts, but without the obfuscated mode, there is a danger of 'spies' secretly allied to another clan, or clan members leaving a clan and joining another and taking the scripts they received with them (I imagine).
|
|
|
|
Guinn Wizard
Joined: 03 Mar 2001 Posts: 1127 Location: London
|
Posted: Wed Nov 14, 2007 12:02 pm |
I like the idea of having trusted and restricted packages.
I know if I downloaded some of Larkin's systems (not implying for a moment that he'd make anything harmful - only that I imagine they're some of the more complex available) then I'd probably not go through absolutely every trigger and alias, so to be able to run it knowing the only thing it could alter was itself would be a comfort. |
|
_________________ CMUD Pro, Windows Vista x64
Core2 Q6600, 4GB RAM, GeForce 8800GT
Because you need it for text... ;) |
|
|
|
Zugg MASTER
Joined: 25 Sep 2000 Posts: 23379 Location: Colorado, USA
|
Posted: Wed Nov 14, 2007 6:09 pm |
First, nothing like this will happen for the 2.x release. As Tech mentioned, some of it might fit with the MyMUDs project, which will also tie into the idea of private areas for script sharing.
However, in general, this stuff is very hard to do. For example, just look at the idea of "restricted" packages...sure, I can prevent "dangerous" commands, like DDE and COM stuff. But what about a script that just does something like this:
#TRIGGER {Zugg enters the room} {remove all;drop all;quit}
There is absolutely no way to prevent that kind of stuff in the package...it's just normal text sent to the MUD. So there isn't *any* way to really prevent a package from doing something harmful. The only way to prevent this kind of stuff is to allow people to actually see your script. But if someone can see it, then they can copy it.
Password protection doesn't help. All someone needs to do is post the password to the net. You need an entire "copy protection" system with license keys, etc. And that's a whole area that I don't want to get into.
Your point about the onLoad event is a good one though. I think I'll add a File/View option to the Package Editor that will load a package for viewing, but will *not* call onLoad or initialize any variables (not perform a #reset). Then you'll be able to safely view a package that you don't trust.
The analogy that I use for CMUD Packages is buying Delphi Components from a 3rd party vendor (or Visual Basic components, etc). I never buy any component from a 3rd party that doesn't come with full source code. And the vast majority of developers provide this. This allows me to recompile the components myself (like if I upgrade Delphi), or to tweak them myself, or even fix bugs myself.
What's to stop me from just posting all of this 3rd party source code to the Internet? Or maybe I could just modify the source code and then resell it as my own product? Of course it isn't legal. But mostly nobody does this. That's because I want to buy my components from a company that is going to give me support. I want to be able to ask questions, report bugs, get updates, etc. These 3rd party components can do *anything* to my computer. Delphi doesn't have any sort of safe "sand box" mode. And I'm probably not going to look at every line of source code looking for problems. I protect myself by only buying from reputable vendors that I can trust. Sure, I might be able to find it for free somewhere on the net, but whoever posted it might have added their own backdoor to the code, so I'm never going to trust that.
CMUD Packages are very similar. People are going to buy packages from people like Larkin (I'm using Larkin as an example of someone who might sell scripts, but I don't really know if he does or not) because he provides support and updates for his product. He is a reputable "vendor". He has a reputation to protect and isn't going to put a backdoor into his scripts, because someone would eventually find it and then his reputation would be ruined. Since he can keep track of who buys his scripts, he can limit who gets support. If someone gives a copy of Larkin's scripts to a friend, that friend isn't going to be able to get support. And in a way, this is good free advertising because if that friend likes the scripts and eventually wants support, he might buy his own copy.
All that is needed to implement this is a private area of the Package Library where Larkin can control the access list. When someone buys the scripts, they are added to the access control list for Larkin's area in the library. They can download the scripts and get updates, perhaps even view online documentation of some sort. But once they download the script, they can look at it, learn how it works, tweak it to fit their own needs, etc. Just like I do with 3rd party component source code.
If it's a clan, then you set the access control so that only trusted members of the clan can get the scripts. Again, there is nothing to stop them from sending the scripts to someone else, but that's why you only give access to trusted members. The clan that I belong to already has a private Wiki area for trusted members so a new member of the clan can't access it. And they are already posting zMUD scripts to this area for the high-level clan members. But there is nothing stopping them from leaving the clan and taking the scripts with them. There is no sure-fire way to prevent this.
Finally, remember that the Package Library is tied to the zuggsoft.com Forum accounts. There are not any "anonymous" accounts. So you don't get any anonymous packages in the library. If someone posts a package that does damage to a computer, or to a person's MUD character, then that person gets banned from the package library, which also means getting banned from the forums. Since their identify is known, they could even get banned from their Zuggsoft Store account, preventing them from getting their license key or future updates. Most people are not going to risk this. And that is why the Package Library already has a Comments and Rating section for each package. You can look to see how popular a package is, and how highly it is rated. That can help you determine what is more likely to be safe. I doubt malicious scripts would last very long...some people *are* going to look at every line of the script and report if there is something suspicious with it.
So, I'm not convinced that we need more than this, nor that it's even possible to provide more than this. As with any copy protection, there will always be a way around anything that I code. CMUD and zScript are complex...no matter how I would try to protect it so that the package could only alter it's own code, someone would find some way around it. And most useful packages *need* to be able to create variables within your session window and stuff like that. |
|
|
|
Larkin Wizard
Joined: 25 Mar 2003 Posts: 1113 Location: USA
|
Posted: Wed Nov 14, 2007 7:57 pm |
Yes, I do sell scripts and I have for years now. It works exactly as you described, Zugg. I don't put in backdoors or cheats because I have a reputation to consider. People don't generally give away my scripts because they paid for them and don't want to devalue their own investment. The few who do give them away, however, I don't worry about because it can be a form of advertising and there's really nothing I can do about the rogues who use my scripts except not provide them with support.
Having private packages, however, would give us a channel for distributing updates to those who paid for access to the scripts without having to e-mail out one or more .pkg files and give instructions on where to save them, how to load them, etc. We'd just need a way to tie their character to their forum handle (a simple in-game message can take care of that verification, which is what I use now for getting someone's e-mail address), and for some people that means signing up for these forums just to get access to the Package Library... |
|
|
|
Caled Sorcerer
Joined: 21 Oct 2000 Posts: 821 Location: Australia
|
Posted: Wed Nov 14, 2007 8:16 pm |
I looked at Acropolis a few days ago, Larkin (it being an open download from your site these days) and was pretty impressed with the completeness of the whole idea. You've put a lot of thought into it, and it occurred to me that at the price it is, if I went and played Lusternia I'd probably buy it with a contract as well, rather than doing my own from scratch.
I guess it comes down to how well you price a good product. |
|
_________________ Athlon 64 3200+
Win XP Pro x64 |
|
|
|
Zugg MASTER
Joined: 25 Sep 2000 Posts: 23379 Location: Colorado, USA
|
Posted: Wed Nov 14, 2007 9:02 pm |
One of the things that will be interesting about tying together the MyMUDs.com project with the Package Library is that the MyMUDs database will already know which MUDs are being played. Remember that MyMUDs is storing your session info on the Zuggsoft server (along with your packages). So, while the password info is totally encrypted and cannot be accessed by anyone, the name of the MUD and the player's character name is available.
So, imagine the possibility that when I create a session on Lusternia and store it on MyMUDs, the MyMUDs site can now tell you that "here are the packages available for Lusternia...". So it could automatically show a list of packages, including Larkin's packages. It might even be possible to set up a system via PayPal where package writers can get paid easily through a "Buy this package" button on MyMUDs.
Anyway, lots of possibilities for this. Which is why it's not happening until after the holidays ;)
BTW: Thanks for the info on your scripts Larkin. Glad to hear it's working how I'd expect it. I think it's a very good model and attitude for selling packages. |
|
|
|
Larkin Wizard
Joined: 25 Mar 2003 Posts: 1113 Location: USA
|
Posted: Wed Nov 14, 2007 9:14 pm |
If I could use PayPal to sell scripts, I'd be ecstatic! Heh. (Don't worry. I'm not expecting the feature any day soon.) From selling my scripts for in-game credits, I've managed to earn over $5,000 worth of stuff, which is important because I'm forbidden to spend any money on "virtual stuff" in my games. It's "bad enough" that I spend so many hours playing the games and writing the scripts.
Really looking forward to MyMUDs.com and advances in the Package Library now. With the cool constructs in CMUD, such as packages and events, that allow us to build more modular systems, the possibilities are growing in leaps and bounds. |
|
|
|
Seb Wizard
Joined: 14 Aug 2004 Posts: 1269
|
Posted: Wed Nov 14, 2007 9:28 pm |
Zugg wrote: |
But what about a script that just does something like this:
#TRIGGER {Zugg enters the room} {remove all;drop all;quit}
There is absolutely no way to prevent that kind of stuff in the package...it's just normal text sent to the MUD. So there isn't *any* way to really prevent a package from doing something harmful. |
Well for a start there is a difference between the worst that can happen via some trigger abuse (losing all your equipment and maybe dying) and damage to your computer or password stealing. They are really on a different level. But there is actually a way to stop even your example. Restricted packages shouldn't be able to send stuff to the mud either, except directly through an alias, macro, send link or button (where the context is already the mud window, where the action was caused by the user: not via a trigger). For example, I have very few triggers or alarms that automatically send stuff to the mud and almost all of those are just for fun stuff.
Zugg wrote: |
The only way to prevent this kind of stuff is to allow people to actually see your script. But if someone can see it, then they can copy it. |
Well, this is not necessarily a suggestion, but it can be made difficult to copy it: e.g. only allowing them to see the script in a way where they can't select any of the text or copy it to the clipboard, etc. So if they wanted to copy it they would either need to take a screenshot and OCR it or copy it out by hand. Or my original suggestion of only showing the compiled code.
Zugg wrote: |
Password protection doesn't help. All someone needs to do is post the password to the net. You need an entire "copy protection" system with license keys, etc. And that's a whole area that I don't want to get into. |
You missed my point with password protection, although perhaps someone else was suggesting password protection in the form you understood. My suggestion was the password would only be needed to unlock the package for full editing, exporting, copying and viewing of the source. A password would not be needed for using the package. Although, of course, there could be two passwords, like in Excel.
Zugg wrote: |
The analogy that I use for CMUD Packages is buying Delphi Components from a 3rd party vendor (or Visual Basic components, etc). I never buy any component from a 3rd party that doesn't come with full source code. And the vast majority of developers provide this. This allows me to recompile the components myself (like if I upgrade Delphi), or to tweak them myself, or even fix bugs myself.
What's to stop me from just posting all of this 3rd party source code to the Internet? Or maybe I could just modify the source code and then resell it as my own product? Of course it isn't legal. But mostly nobody does this. That's because I want to buy my components from a company that is going to give me support. I want to be able to ask questions, report bugs, get updates, etc. These 3rd party components can do *anything* to my computer. Delphi doesn't have any sort of safe "sand box" mode. And I'm probably not going to look at every line of source code looking for problems. I protect myself by only buying from reputable vendors that I can trust. Sure, I might be able to find it for free somewhere on the net, but whoever posted it might have added their own backdoor to the code, so I'm never going to trust that.
CMUD Packages are very similar. People are going to buy packages from people like Larkin (I'm using Larkin as an example of someone who might sell scripts, but I don't really know if he does or not) because he provides support and updates for his product. He is a reputable "vendor". He has a reputation to protect and isn't going to put a backdoor into his scripts, because someone would eventually find it and then his reputation would be ruined. Since he can keep track of who buys his scripts, he can limit who gets support. If someone gives a copy of Larkin's scripts to a friend, that friend isn't going to be able to get support. And in a way, this is good free advertising because if that friend likes the scripts and eventually wants support, he might buy his own copy. |
Your analogy only really works for people who sell their scripts though. As you say, they have a reputation to protect so they can continue selling their scripts. Someone who gives away their code has less to lose. Especially if they don't use your package library to distribute their code. Also, you have nothing to gain to by sharing code you have bought on the internet. Instead it just damages your reputation. With MUD client scripts that are not purchased, I suspect most people assume there is no copyright, nothing to stop them doing what they want with them, and they can score points with their mates by giving them these scripts. Remember that you are running a business. MUD players are playing a game and many will do anything they can to get ahead (well in business too) and some don't mind cheating to do it (as long as they aren't caught). People who think nothing of stealing from someone in the game are probably not going to mind stealing scripts either.
Zugg wrote: |
All that is needed to implement this is a private area of the Package Library where Larkin can control the access list. When someone buys the scripts, they are added to the access control list for Larkin's area in the library. They can download the scripts and get updates, perhaps even view online documentation of some sort. But once they download the script, they can look at it, learn how it works, tweak it to fit their own needs, etc. Just like I do with 3rd party component source code.
If it's a clan, then you set the access control so that only trusted members of the clan can get the scripts. Again, there is nothing to stop them from sending the scripts to someone else, but that's why you only give access to trusted members. The clan that I belong to already has a private Wiki area for trusted members so a new member of the clan can't access it. And they are already posting zMUD scripts to this area for the high-level clan members. But there is nothing stopping them from leaving the clan and taking the scripts with them. There is no sure-fire way to prevent this. |
Well, what I'm saying is that there could be a sure-fire way to prevent this. I have suggested two, but I'll repeat one of them in a different way: if when you downloaded a package from the package library it was permanently stamped with the forum account that downloaded it, (a) there would be a way of tracking who is distributing the packages if you manage to get hold of a copy, (b) there could be something in CMUD that will only allow a package to be loaded or read on a computer that knows the forum login and password that the package was downloaded with. If XML export, and copying / moving to other packages was also restricted then redistributing the code would be difficult even if the source was visible. If it was not visible, it would, of course, be virtually impossible without distributing your forum login details.
Zugg wrote: |
Finally, remember that the Package Library is tied to the zuggsoft.com Forum accounts. There are not any "anonymous" accounts. So you don't get any anonymous packages in the library. If someone posts a package that does damage to a computer, or to a person's MUD character, then that person gets banned from the package library, which also means getting banned from the forums. Since their identify is known, they could even get banned from their Zuggsoft Store account, preventing them from getting their license key or future updates. Most people are not going to risk this. And that is why the Package Library already has a Comments and Rating section for each package. You can look to see how popular a package is, and how highly it is rated. That can help you determine what is more likely to be safe. I doubt malicious scripts would last very long...some people *are* going to look at every line of the script and report if there is something suspicious with it.
So, I'm not convinced that we need more than this, nor that it's even possible to provide more than this. As with any copy protection, there will always be a way around anything that I code. CMUD and zScript are complex...no matter how I would try to protect it so that the package could only alter it's own code, someone would find some way around it. And most useful packages *need* to be able to create variables within your session window and stuff like that. |
That's a good point. Do users have to agree to some agreement when they first upload a package? Blah, blah... 'will not upload any malicious code', blah, blah. 'Understand that the penalties for doing so may include...' blah, blah and blah. Also, maybe users should have to agree with something they download packages (not updates though): 'I recognize the copyright of the owners work and will not try and pass it off as my own without permission.' And if the poster checked a no-redistribute box when uploading it: 'I will not redistribute the package to others without permission from the creator.' Or something vaguely similar - just a few lines so people read it and realise they do have some moral obligations, even if they then choose to ignore them. |
|
|
|
Zugg MASTER
Joined: 25 Sep 2000 Posts: 23379 Location: Colorado, USA
|
Posted: Wed Nov 14, 2007 11:06 pm |
Quote: |
I have suggested two, but I'll repeat one of them in a different way: if when you downloaded a package from the package library it was permanently stamped with the forum account that downloaded it, (a) there would be a way of tracking who is distributing the packages if you manage to get hold of a copy, (b) there could be something in CMUD that will only allow a package to be loaded or read on a computer that knows the forum login and password that the package was downloaded with |
But actually *doing* this is nearly impossible. Obviously CMUD needs to be able to load local packages. Remember that these are SQLite database files. So imagine that a package downloaded from the Package Library adds some sort of forum username "stamp" to the package. What's stopping someone from just opening the SQLite database in some database tool and removing the stamp?
The stamp couldn't be this simple then. It would have to be some sort of key for decrypting the database, so that the rest of the database was unusable without this stamp. But since CMUD itself would need to know how to decrypt the database, then someone could just disassemble CMUD to figure out the decryption method. Hackers love this stuff...put up a wall for them and they love the challenge of making a hole in it. If they can decrypt DVDs, and event the "new" HD discs (blr-ray, hd-dvd) then they can certainly figure out anything that I do. I can't even protect my own software from hackers who want to use it for free.
All we would end up with is some mediocre system that worked for most people, but didn't actually work for those really bad people that you are most worried about. It would just give you a false sense of security.
Making the script harder to copy by disabling the XML import/export and making the editor display readonly and non-selectable is closer to something that might be possible. Again, it's not going to stop those bad people who really want your script, but it's probably as good as any fancy encryption system. The vast majority of people are not going to manually copy everything setting by setting. And that still allows the script to be visible to look for malicious code.
CMUD was never designed to store the compiled code. I don't want to get into version control situations where someone has saved some old code version. I often make changes in the compiled code for various optimizations and it would be a nightmare if I had to support previous compiled code versions. So I really don't want to do that.
Quote: |
My suggestion was the password would only be needed to unlock the package for full editing, exporting, copying and viewing of the source |
That's still the same problem. What if someone posts this password to a web site. Then everyone with that package can get the password to edit/export/copy etc.
Quote: |
Do users have to agree to some agreement when they first upload a package? |
Not yet, but I'm sure I'll have to come up with something.
Quote: |
Restricted packages shouldn't be able to send stuff to the mud either |
Sorry, but I just had to laugh at that. You are quickly getting to the point where Restricted packages would be completely worthless. And I've already had enough problems with spending a huge effort to implement something that nobody ever uses.
I'm not sure I understand your distinction between an alias and trigger. They could easily create an alias for a common MUD command that would do the same thing. So it's not just triggers you need to block. You'd have to block the package from sending *any* text to the MUD at all.
But seriously, I'm actually more worried about the MUD abuse than I am of computer abuse. If someone does damage to my computer via a script, that can have some seriously legal consequences. But doing something bad to your MUD character would be easier, and since it's "just a game," it wouldn't be something that you could do anything about legally. It's just the kind of abuse that people would love to do and then laugh at. Like in the old days when people abused holes in TinTin triggers. And I know a *lot* of people who would be *really* upset if they lost everything their MUD character had. Especially since some people pay real money for some special in-game eq.
No, I stand by my opinion that the only way to sure a script is safe is to make it openly readable by anyone. People who are paranoid would just download scripts with high download and rating counts. Anyone posting malicious code will know that the code is readable and that someone is bound to discover the malicious code pretty quickly and then they get their account banned. It's just like Open Source...the chance of malicious code is small because it would be seen by someone and dealt with. As I said, there *are* people who would spend time to look at every line of code.
So we need to find the write compromise between making the code readable, but making it hard to copy. |
|
|
|
Vijilante SubAdmin
Joined: 18 Nov 2001 Posts: 5182
|
Posted: Wed Nov 14, 2007 11:49 pm |
One post in these forums is about all it would take to have a package cleaned up. I am pretty sure that all the Guru's have the ability to delete any package on the library, and the Guru's manage to pop in and out almost like clockwork nearly every hour. So all it takes is 1 person finding it and a very small amount of time.
At some point I would probably like to distribute a package or 3 and be compensated for some of them. If you think about how many scripts I have just given away, hours spent writing and debugging scripts for muds I don't play, you will realize that it probably doesn't matter to me much if someone doesn't give me whatever compensation I ask for. Larkin's reality makes a good showing of exactly the philosophy Zugg is approaching this with. It is the right way to do it. |
|
_________________ The only good questions are the ones we have never answered before.
Search the Forums |
|
|
|
Seb Wizard
Joined: 14 Aug 2004 Posts: 1269
|
Posted: Thu Nov 15, 2007 1:10 am |
Zugg wrote: |
Quote: |
I have suggested two, but I'll repeat one of them in a different way: if when you downloaded a package from the package library it was permanently stamped with the forum account that downloaded it, (a) there would be a way of tracking who is distributing the packages if you manage to get hold of a copy, (b) there could be something in CMUD that will only allow a package to be loaded or read on a computer that knows the forum login and password that the package was downloaded with |
But actually *doing* this is nearly impossible. Obviously CMUD needs to be able to load local packages. Remember that these are SQLite database files. So imagine that a package downloaded from the Package Library adds some sort of forum username "stamp" to the package. What's stopping someone from just opening the SQLite database in some database tool and removing the stamp?
The stamp couldn't be this simple then. It would have to be some sort of key for decrypting the database, so that the rest of the database was unusable without this stamp. But since CMUD itself would need to know how to decrypt the database, then someone could just disassemble CMUD to figure out the decryption method. Hackers love this stuff...put up a wall for them and they love the challenge of making a hole in it. If they can decrypt DVDs, and event the "new" HD discs (blr-ray, hd-dvd) then they can certainly figure out anything that I do. I can't even protect my own software from hackers who want to use it for free.
All we would end up with is some mediocre system that worked for most people, but didn't actually work for those really bad people that you are most worried about. It would just give you a false sense of security. |
SQLite files can be password protected with OK encryption right out of the box. Yes, it will be crackable, but I doubt anyone would go to the trouble for a CMUD package. So, actually, this is very little work. The sense of security is only false if it is claimed to be uncrackable.
Zugg wrote: |
Making the script harder to copy by disabling the XML import/export and making the editor display readonly and non-selectable is closer to something that might be possible. Again, it's not going to stop those bad people who really want your script, but it's probably as good as any fancy encryption system. The vast majority of people are not going to manually copy everything setting by setting. And that still allows the script to be visible to look for malicious code. |
I agree that this may be sufficient.
Zugg wrote: |
CMUD was never designed to store the compiled code. I don't want to get into version control situations where someone has saved some old code version. I often make changes in the compiled code for various optimizations and it would be a nightmare if I had to support previous compiled code versions. So I really don't want to do that. |
Oh, I thought that the compiled code was already stored in packages. So every time you load a package, the settings will need recompiling? Doesn't that slow everything down?
Zugg wrote: |
Quote: |
My suggestion was the password would only be needed to unlock the package for full editing, exporting, copying and viewing of the source |
That's still the same problem. What if someone posts this password to a web site. Then everyone with that package can get the password to edit/export/copy etc. |
No, it's not really, because you never need to give the password out to anyone, and therefore there is about 0 chance of it ending up on a web site (unless someone uses a truth drug on you or something).
Zugg wrote: |
Quote: |
Restricted packages shouldn't be able to send stuff to the mud either |
Sorry, but I just had to laugh at that. You are quickly getting to the point where Restricted packages would be completely worthless. |
Well, that's why I suggested 3 levels of security, with perhaps some customization available either globally or on a package. But, actually, if I can have lots of settings that don't send anything to the mud with triggers and we assume that these settings are useful (they are) then you see that packages can be useful that don't send stuff to the MUD. One example is a package to get the CMUD mapper working on a given MUD.
Zugg wrote: |
I'm not sure I understand your distinction between an alias and trigger. They could easily create an alias for a common MUD command that would do the same thing. So it's not just triggers you need to block. You'd have to block the package from sending *any* text to the MUD at all. |
Well, that is a possibility I thought of. But I decided that the risk of this was small as it would be difficult for someone to exploit this for their own benefit (although they might anyway just for a laugh).
Zugg wrote: |
So we need to find the write compromise between making the code readable, but making it hard to copy. |
Agreed. These are all just ideas (not even, necessarily, suggestions). I thought it would be useful to have this discussion relatively early on so that it can be in the back of your mind if you make any changes to packages / scope, etc. or when you get onto the MyMUDs.com project. It occurred to me that with MyMUDs, these protected packages may be such that they are never actually saved on your computer but downloaded into memory only (like you said would be possible with CMUDLite). With the other export and no-select restrictions already mentioned and no physical database file to crack, that would be fairly secure, not to mention being impossible to redistribute just by simply e-mailing a file. I wouldn't expect NSA level security, but something to prevent casual copying unlimited times is the idea. |
|
|
|
Zugg MASTER
Joined: 25 Sep 2000 Posts: 23379 Location: Colorado, USA
|
Posted: Thu Nov 15, 2007 2:08 am |
Quote: |
So every time you load a package, the settings will need recompiling? Doesn't that slow everything down? |
Slightly. The first time you use any setting (alias, trigger, etc) it compiles. You can see this in the debugger. It's sort of like the just-in-time compilers used in Java. Since they are only compiled as needed, the time isn't very noticeable. As a comparison, the Compile+Execution time in CMUD is about the same as the Parse+Execution time in zMUD. So the first time you use a command, it's about the same as in zMUD. The second time it's already compiled, so then it's faster.
Quote: |
with MyMUDs, these protected packages may be such that they are never actually saved on your computer but downloaded into memory only |
That's definitely something I'm thinking about. For CMUDLite it would be nice if it worked without writing stuff to disk, and that implies some sort of in-memory-only packages. Also, I already plan some encryption just to protect data across the net, and also to ensure that CMUDLite can only run packages stored on the MyMUDs server, and not some other server.
Quote: |
SQLite files can be password protected with OK encryption right out of the box |
Even in v2.8? Or is that another v3 SQLite feature? |
|
|
|
Seb Wizard
Joined: 14 Aug 2004 Posts: 1269
|
Posted: Thu Nov 15, 2007 4:12 am |
Zugg wrote: |
Quote: |
SQLite files can be password protected with OK encryption right out of the box |
Even in v2.8? Or is that another v3 SQLite feature? |
Hmm, looks like I was wrong. I swore that when I tried to open cmudhelp.db the first time with a SQLite3 GUI it asked for a password and some searching earlier had made it look like the RC4 encryption algorithm was used. But now it appears that there is no encryption available in any free version of SQLite that is available from SQLite. I think I slightly misunderstood the post I found before. There is a free, sourceforge version of SQLite and I'm now pretty sure this is one that offers RC4 encryption (since the page I found before was on their forums):
Quote: |
System.Data.SQLite is an enhanced version of the original SQLite database engine. It is a complete drop-in replacement for the original sqlite3.dll (you can even rename it to sqlite3.dll). |
The maker(s) of SQLite offer a pro version of SQLite with AES encryption, but it is pricy at $2000: http://www.hwaci.com/sw/sqlite/prosupport.html
If one uses find in page for "encryption" on http://www.sqlite.org/cvstrac/wiki?p=SqliteWrappers you will find several other options, notably this one:
DISQLite3: The fully embedded, no-DLL SQLite3 solution for Delphi (D4, D5, D6, D7, D2005, D2006, D2007) with full text search and encryption support. DISQLite3 compiles with Delphi standard / personal and does NOT require sqlite3.dll. It provides the complete SQLite3 API, is regularly updated, very small, well documented, tightly integrated, and carefully optimized. As a result, DISQLite3 outperforms sqlite3.dll up to 50% for common operations. Free personal edition. Commercial edition: Euro 90,00 without, Euro 270,00 with sources
Another free version listed on that page is http://home.wanadoo.nl/iherweij/
And another commercial one ($99) I found that is not listed is SQLiteE: http://software.techrepublic.com.com/download.aspx?docid=324790
Not sure if ZeosLib will work with any of these though. So if you went down this road you might need to change to DISQLite3. |
|
|
|
Taz GURU
Joined: 28 Sep 2000 Posts: 1395 Location: United Kingdom
|
Posted: Thu Nov 15, 2007 4:25 am |
Seb wrote: |
DISQLite3: The fully embedded, no-DLL SQLite3 solution for Delphi (D4, D5, D6, D7, D2005, D2006, D2007) with full text search and encryption support. DISQLite3 compiles with Delphi standard / personal and does NOT require sqlite3.dll. It provides the complete SQLite3 API, is regularly updated, very small, well documented, tightly integrated, and carefully optimized. As a result, DISQLite3 outperforms sqlite3.dll up to 50% for common operations. |
I wonder how much that will tempt Zugg to buy when he reads it. |
|
_________________ Taz :) |
|
|
|
Zugg MASTER
Joined: 25 Sep 2000 Posts: 23379 Location: Colorado, USA
|
Posted: Thu Nov 15, 2007 5:34 pm |
Not very tempting actually. I've got too much code invested in ZeosLib, and ZeosLib allows me to work with almost *any* database. And this is useful when I start doing projects like MyMUDs.com that will be MySQL based.
Also, I prefer ZeosLib because it *does* use the DLL files. So if there is a bug in SQLite.DLL, I can just install a new DLL. We ran into this early in the CMUD 2.x beta testing when we discovered a better DLL that didn't have debugging enabled. Of course, going from SQLite 2.8 to 3.0 requires more than a DLL change, but once I update ZeosLib, then I should be able to handle future updates to SQLite 3.x much more easily.
The "DISQLite3 outperforms sqlite3.dll up to 50% for common operations" is kind of interesting, but right now CMUD only uses SQLite directly when writing the database updates to the PKG file every 60 seconds, and this isn't very slow. So it's not like this would be a huge performance boost for normal CMUD operations.
Also, money is tight right now, so 270.00 Euros is a bit much. Especially since I still have other components that I still need to pay for Delphi 2007 updates, and I still have an expensive update to Armadillo to do soon.
Still, thanks for posting the links. I'm not sure I'll ever find these again buried in this thread, but it's possible that it might be tempting in the future to play with that, especially since it has encryption support. |
|
|
|
Caled Sorcerer
Joined: 21 Oct 2000 Posts: 821 Location: Australia
|
Posted: Thu Nov 15, 2007 7:30 pm |
Is there an initial discussion about MyMuds.com, somewhere? I don't seem to be able to find one, but everyone else seems to know what you're talking about already.
|
|
_________________ Athlon 64 3200+
Win XP Pro x64 |
|
|
|
Tech GURU
Joined: 18 Oct 2000 Posts: 2733 Location: Atlanta, USA
|
Posted: Thu Nov 15, 2007 8:10 pm |
Here's the link you're looking for. It's like a pre-New Years letter from Zugg.
|
|
_________________ Asati di tempari! |
|
|
|
Seb Wizard
Joined: 14 Aug 2004 Posts: 1269
|
Posted: Fri Nov 16, 2007 1:49 am |
Zugg wrote: |
Still, thanks for posting the links. I'm not sure I'll ever find these again buried in this thread, but it's possible that it might be tempting in the future to play with that, especially since it has encryption support. |
If you ever want to find them again, search for "mymuds.com" with the Forum search. There are only two threads that come up for now, so it should be obvious. (Caled, it's not difficult to find!) You just need to associate database encryption with mymuds.com in your memory. Of course, soon there will probably be a proliferation of the phrase in the forums and it won't work. Well +sqlite +encryption will probably work.
I take it that the free projects aren't suitable because they don't have specific Delphi support? You can't use a C/C++ dll or something? (Some of them have drop-in replacements for sqlite3.dll. Hmm, I wonder if ZeosLib will talk to one of these drop-in replacements? Or does ZeosLib bypass sqliteX.dll and talk directly to the database? It does, doesn't it?) |
|
|
|
Zugg MASTER
Joined: 25 Sep 2000 Posts: 23379 Location: Colorado, USA
|
Posted: Fri Nov 16, 2007 2:34 am |
No, ZeosLib talks to the SQLite.DLL. So if they have a drop-in replacement, then it might work (well, once I upgrade ZeosLib to handle v3). Not sure how the encryption would be enabled...maybe that's a specific SQL statement or something?
Delphi has a very specific API for doing databases. The databases need to tie into this API so that Delphi "data aware" controls work properly. ZeosLib is a layer between the raw database DLLs and the Delphi database API architecture. So when I'm using ZeosLib, the actual database details are transparent to my Delphi code. I just use SQL statements directly, and I just need to worry about slight differences between SQL constructs for various databases.
So I couldn't use any of the free projects...I need that Delphi database API support. I also don't want to give up ZeosLib because it's one of the very few components that works perfectly with absolutely no changes on my part. I've never had to fix any bug in ZeosLib. |
|
|
|
Seb Wizard
Joined: 14 Aug 2004 Posts: 1269
|
Posted: Fri Nov 16, 2007 3:24 am |
Zugg wrote: |
No, ZeosLib talks to the SQLite.DLL. So if they have a drop-in replacement, then it might work (well, once I upgrade ZeosLib to handle v3). Not sure how the encryption would be enabled...maybe that's a specific SQL statement or something?
Delphi has a very specific API for doing databases. The databases need to tie into this API so that Delphi "data aware" controls work properly. ZeosLib is a layer between the raw database DLLs and the Delphi database API architecture. |
Ah, OK. I'm not sure either how the encryption would be enabled and whether it even could be using ZeosLib or even if it could whether you would still be able to access the database afterwards. I guess the best way to find out is to test it.
Zugg wrote: |
So I couldn't use any of the free projects...I need that Delphi database API support. I also don't want to give up ZeosLib because it's one of the very few components that works perfectly with absolutely no changes on my part. I've never had to fix any bug in ZeosLib. |
I can understand that, although that doesn't mean ZeosLib doesn't have any bugs. Here is one I happened to come across (written in 2006 so maybe fixed now):
Quote: |
Re: SQLite Admin from orbmu2k.de
It's a nice program but be aware of that SQLite Admin uses the Delphi ZeosLib which incorrectly stores strings encoded as the current ANSI code page instead of UTF-8.
SQLiteSpy stores strings correctly. |
|
|
|
|
Caled Sorcerer
Joined: 21 Oct 2000 Posts: 821 Location: Australia
|
Posted: Fri Nov 16, 2007 8:28 am |
Seb wrote: |
Caled, it's not difficult to find!) |
I just did a search for mymuds and got nothing. I now assume the search field up there doesn't include the forum as well, which seems odd to me, but it probably makes sense for some business-related site design purpose. |
|
_________________ Athlon 64 3200+
Win XP Pro x64 |
|
|
|
Fang Xianfu GURU
Joined: 26 Jan 2004 Posts: 5155 Location: United Kingdom
|
Posted: Fri Nov 16, 2007 4:02 pm |
This discussion comes up every couple of days, Caled - remove the safe search option from the URL and it'll start working. Or you can use the search option from the Site menu at the top.
|
|
|
|
|
|
|
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
|