Security issue (Sdk)

baggis

Feb 20, 1999, 5:49am
Hi folks,

I've 'bumped' into the situation that the person I wrote a SDK bot for was
afraid starting it because the bot could send the privilege pwd ( or some
other information ) to me.

Hmmm... I thought... that is a problem... how can anyone using a SDK bot
trust the creator of it ? Guess they can't.... The bot is a program and
therefore it's capable of doing almost everything.....

But, is there some way of convincing the user it's safe at least when it
comes to the privilege pwd ?

Is there a control mechanism in the universe-server that tracks SDK bots and
what citnum and pwd they use when logging in ?

/Baggis

baudwalker

Feb 20, 1999, 6:03am
Well anyone can do anything but the 2.1 AW browser and I would think the
SDK would be the same (under normal circumstances) be as follows:-

Encrypted protocol: The network protocol used to exchange data between the
2.1 browser and the 2.1 servers has now been encrypted to improve the
security of the system.
<AW Help file>


decastro@cable.a2000.nl (xelag)

Feb 20, 1999, 5:05pm
Baggis, I think yours is a real issue. More than one bot around
communicates with the maker's server: Hambots, Imabots. Mine would if
I knew how to. The bot maker can encrypt whatever he wishes, there is
no control on that. And like any other program, the bot could contain
a virus or be a trojan.

I guess the same will have to apply as with any executable: you'll
have to trust the maker.

XelaG.

On Sat, 20 Feb 1999 08:49:36 +0100, "Baggis" <baggis at swipnet.se>
>Hi folks,
>
>I've 'bumped' into the situation that the person I wrote a SDK bot for was
>afraid starting it because the bot could send the privilege pwd ( or some
>other information ) to me.
>
>Hmmm... I thought... that is a problem... how can anyone using a SDK bot
>trust the creator of it ? Guess they can't.... The bot is a program and
>therefore it's capable of doing almost everything.....
>
>But, is there some way of convincing the user it's safe at least when it
>comes to the privilege pwd ?
>
>Is there a control mechanism in the universe-server that tracks SDK bots and
>what citnum and pwd they use when logging in ?
>
>/Baggis
>
>

--
Xelagot 46ADB [Delph]
creator: XelaG
email: decastro at cable.a2000.nl

andras sarkozy

Feb 20, 1999, 6:26pm
I agree with you - if the user does not trust in you - don't use your program!!
Andras


> Baggis, I think yours is a real issue. More than one bot around
> communicates with the maker's server: Hambots, Imabots. Mine would if
> I knew how to. The bot maker can encrypt whatever he wishes, there is
> no control on that. And like any other program, the bot could contain
> a virus or be a trojan.
>
> I guess the same will have to apply as with any executable: you'll
> have to trust the maker.
>
> XelaG.
>
> On Sat, 20 Feb 1999 08:49:36 +0100, "Baggis" <baggis at swipnet.se>

roland vilett

Feb 21, 1999, 6:25am
Hi Baggis,

I think the concerns you raise are valid, however as others have pointed out
here, they apply to any program of any kind, from any person. The SDK
program might be stealing your privilege password, but for that matter it
might be installing viruses on your computer, reading your email, or
deleting files randomly. This is the risk you take every day whenever you
run any executable program. At some point you just have to trust that the
author is legit and isn't trying to screw you over. Either that, or you
just don't run the software.

I think it goes without saying that one should never, ever run any
executable program provided to you by someone who you don't know or don't
trust. This is just common sense. It seems like lately at least once a day
I receive an email from some random person containing an attached .exe file
and an invitation to "run this to see something funny" or something like
that. I am amazed that they think I actually would. Yeah, like I really
need to have Netbus installed on my computer. No thanks!

In short, there is no way to guarantee to this person that your program
isn't stealing their information. You just have to say "look, I'm sorry,
but you are going to have to trust me. If you don't trust me, don't run the
bot." You could conceivably provide the source code to them as
"proof"...but if they aren't a programmer that won't help them much.

To answer your question about what the universe server does, whenever an SDK
program starts, the server does log all the information it provides on
login, including owner number, privilege password, bot name, as well as the
IP address the bot is being run from. I'm not sure how exactly this would
help you in the case where you thought that the program was stealing your
privilege password, though...

-Roland

baggis

Feb 21, 1999, 12:29pm
Hi Roland,

Tnx for your answer :)

I'm very well aware of the risks with running unknown executables as I'm a
professional software developer since 12 years :)))

But as being a person not having English as my first language it might
appear that I have less knowledge about things than I actually have due to
my way of expressing myself ;-)

...... snip ............

>
>To answer your question about what the universe server does, whenever an SDK
>program starts, the server does log all the information it provides on
>login, including owner number, privilege password, bot name, as well as the
>IP address the bot is being run from. I'm not sure how exactly this would
>help you in the case where you thought that the program was stealing your
>privilege password, though...


What I meant by this is if some bot was designed to steal the privilege pwd
and the citnum and the designer of the 'pwd-stealer' started to use the
stolen pwd and citnum to login ( in order to run bots that do other nasty
stuff that 'he' doesn't want to be trackable or to gain access to restricted
worlds ) with, would it fire some kind of alarm in the universe server
because of same citnum and pwd used to login two or more bots from different
IP-addresses ( in the case the real holder of the citnum and pwd also runs
some bot )

Puhhh... was heavy... hope I made me understandable :)

/Baggis

edward sumerfield

Feb 21, 1999, 2:22pm
There are three security environments that address these issues today.

1. The program is restricted to run in an environment that protects the
operator. An example of this would be Java applets. There is no way that a Java
applet can write to your hard disk.

2. Signed code. This is Microsoft's mechanism for authentication and all it
really does is prove that the program you are running is written by the author
and has not been changed or replaced. Many Active X controls you download over
the net bring up a warning message (if you have your security setting on medium
or above) that asks if you really want to install and run this program.

3. Open source has become a very reliable way of ensuring that code is good.
However this only works with people who understand the code they are reading.

The bottom line is that the industry does not have a foolproof way of ensuring
security. I say all this just to further support Roland's points.

Baggis, I had no idea that English was not your first language.

> Hi Roland,
>
> Tnx for your answer :)
>
> I'm very well aware of the risks with running unknown executables as I'm a
> professional software developer since 12 years :)))
>
> But as being a person not having English as my first language it might
> appear that I have less knowledge about things than I actually have due to
> my way of expressing myself ;-)
>

baggis

Feb 21, 1999, 3:45pm
Hehe, Edward and Roland

I appreciate you taking your time and writing these nice answers :))) They
are indeed informative.

But my primary question is what I wrote in my previous posting, what happens
in the universe server if there are made attempts to run two or more bots
using the same citnum and pwd from different IP-addresses ?

... snip ....

>Baggis, I had no idea that English was not your first language.


I take that as a compliment :)

/Baggis

roland vilett

Feb 21, 1999, 5:28pm
Hi Baggis,

okay thanks for re-stating your question. The answer is...nothing happens.
It is merely logged. The case you describe is quite common and can occur
legitimately all the time.

Of course, everything is logged - so if it does turn out later that someone
has stolen and abused a password or a privilege password, it's pretty easy
to go back through the server log and figure out precisely who did what, and
when.

-Roland
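
The retrospective log review described in the post above, as an added example that is not part of the original thread and is not Active Worlds code. The log line format, the sample entries and the `KNOWN_IPS` table are assumptions constructed for illustration; since the same citizen number on several IPs can be legitimate, the output is a list for an operator to review, not an alarm.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in a hypothetical format (the thread does not show
# the real log layout). The privilege password is left out of the review data.
SAMPLE_LOG = """\
1999-02-21T10:00:05 citnum=1001 bot=Greeter ip=192.0.2.10
1999-02-21T10:02:41 citnum=1002 bot=Guide ip=198.51.100.7
1999-02-21T11:15:00 citnum=1001 bot=Greeter ip=192.0.2.10
1999-02-21T23:47:19 citnum=1001 bot=Builder ip=203.0.113.55
malformed line without fields
1999-02-22T08:30:00 citnum=1002 bot=Guide ip=198.51.100.7
"""

# Assumption: each owner has told the operator which IPs they run bots from.
KNOWN_IPS = {1001: {"192.0.2.10"}, 1002: {"198.51.100.7"}}

def parse_line(line):
    """Return (time, citnum, bot, ip), or None for a line that does not parse."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        when = datetime.fromisoformat(parts[0])
        fields = dict(p.split("=", 1) for p in parts[1:])
        return when, int(fields["citnum"]), fields["bot"], fields["ip"]
    except (ValueError, KeyError):
        return None

def logins_by_citizen(log_text):
    """Map citnum -> {ip: [(time, bot), ...]}, skipping unparseable lines."""
    seen = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            when, citnum, bot, ip = rec
            seen[citnum][ip].append((when, bot))
    return seen

def unexpected_logins(log_text, known_ips):
    """List (citnum, ip, first_seen, bots) for IPs the owner did not declare."""
    findings = []
    for citnum, ips in sorted(logins_by_citizen(log_text).items()):
        for ip, events in sorted(ips.items()):
            if ip not in known_ips.get(citnum, set()):
                first = min(t for t, _ in events)
                bots = sorted({b for _, b in events})
                findings.append((citnum, ip, first, bots))
    return findings
```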


canopus

Feb 23, 1999, 12:53pm
An SDK bot program dials up ActiveWorlds--the buyer knows that, and counts on
ActiveWorlds to be virus-free. But how can the buyer be sure that every bot
programmer's machine is virus-free, and hasn't been taken over by Netbus or
BackOrifice? Downloading a bot program once is risky enough. If AW citizens
start thinking that bot programs regularly dial up the programmer's machine for
supervision of bot behavior or automatic downloads, they're going to shy away
from bots.

> Baggis, I think yours is a real issue. More than one bot around
> communicates with the maker's server: Hambots, Imabots. Mine would if
> I knew how to. The bot maker can encrypt whatever he wishes, there is
> no control on that. And like any other program, the bot could contain
> a virus or be a trojan.
>
> I guess the same will have to apply as with any executable: you'll
> have to trust the maker.
>
> XelaG.
>
> On Sat, 20 Feb 1999 08:49:36 +0100, "Baggis" <baggis at swipnet.se>

roland vilett

Feb 23, 1999, 5:43pm
Again, this is true, and again, the answer is - there is no way to be
absolutely sure. But I still don't see how this is somehow different for
bot programs. The same issues apply to any software from anyone that you
ever run on your computer.

-Roland
