Network Access

Announcements and discussion regarding any projects related to Cyan Worlds' Plasma Engine including (but not limited to) CyanWorlds.com Engine, Drizzle, OfflineKI, PyPRP, and libHSPlasma.

Re: Network Access

Postby nathan2055 » Mon Nov 29, 2010 4:31 pm

Exactly! In fact, it could be made so that if someone forgets this, and Dustin is sent the package, and he finds something, he could see it as a warning.
Currently an official representative of the Guild of Writers.
Nathan2055 (01307567) on MO:ULagain - NAL2055 (00071382) on The Deep Island Shard
Community Nexus Project
nathan2055
 
Posts: 440
Joined: Sat Oct 16, 2010 9:10 pm

Re: Network Access

Postby Lontahv » Mon Nov 29, 2010 5:18 pm

I think if an age writer wants an age to have network access, the age should have access to the network (if the computer is connected to the internet). I think it's artistically disrespectful to say: "I'll take your age, however, I'm going to disable this part of it and enjoy the rest." If someone wants to avoid ages that connect to the network, they can choose not to link to those ages. Drizzle, IMO, shouldn't have the power to break ages by telling what dependencies can and can't be downloaded. Have you ever had YUM or apt-get tell you that "sorry, but you'll just have to limp along without OpenAL because we think it's unsuitable for you"? No, that distribution software doesn't abuse you like that. I think Drizzle should not expect everyone to be stupid. Just pop a message up BEFORE linking to the age for the first time (it's easy, it's just a yes/no box). This box can explain the risks involved. Constantly annoying an end-user that "Your computer is at risk of infection" is just as annoying as a pop-behind ad for a virus sweeper. :P
Currently getting some ink on my hands over at the Guild Of Ink-Makers (PyPRP2).
Lontahv
Councilor of Artistic Direction
 
Posts: 1331
Joined: Wed Oct 03, 2007 2:09 pm

Re: Network Access

Postby diafero » Tue Nov 30, 2010 12:34 pm

Unfortunately, Lontahv, all the in-game kinds of warnings I suggested were shot down by our IC keepers for breaking immersion, or something ;-) . And I partially understand them. Being able to globally configure this outside of the games is a good idea, IMHO. Of course, constantly warning about a security risk if you once made the decision to install that package is not. A simple dependency of the age to that package (with a clear message that a dependency is installed, when it is - just like the package manager example you used) would be the best solution, IMHO.
I attached a simple patch to only warn users that did not explicitly install the package - but last time I tried, Dustin wouldn't want it in Drizzle.

In reply to Chacal's questions: Indeed, all of this is possible with the network access package. However, since Python can run arbitrary code even without it, it could - for example - have a somehow encoded form of an executable within the Python source, write that to disc, execute it - and then let that executable do the network access. Or it could use the ftp.exe shipped with Windows. So, network access does not open principally new possibilities, it just makes them easier to use for good and for bad.
Attachments
0001-don-t-annoy-users-that-want-the-network-access.patch.zip
(900 Bytes) Downloaded 214 times
I prefer e-mails to "diafero arcor de" (after adding the at and the dot) over PMs.

"Many people's horizon is a circle with a radius of zero. They call it their point of view."

Deep Island Shard | Offline KI
diafero
Deep Island Admin
 
Posts: 2966
Joined: Mon May 05, 2008 5:50 am
Location: Germany

Re: Network Access

Postby ddb174 » Wed Dec 01, 2010 11:27 am

D'Lanor wrote: Yes, an age could download and execute code with this package. That is what Drizzle means when it speaks of a security risk.

However, it is easy to spot an age which uses this package, which btw consists of (or at least should consist of) modules already present in any standard Python installation (but not in the default Uru Python distribution). The Python code of such an age would show import statements for the modules from the network access package.
The question is, who should be doing the police work of checking this? Should this burden rest on the shoulders of those who distribute fan ages? I believe that is where Dustin's concern comes in. I would not be surprised though if Dustin already scans for this and is flashing a warning sign only to tell us that we should not hold him responsible just in case something slips by him.

IMO an age builder who is making use of network access should notify the distributor (Drizzle, shard admins or Pahts assemblers) of this when the age is submitted for release. It may also be a good idea to have a wiki page with a list of ages using the network access package, explaining what they are using it for.

Yes, I scan new Ages for a number of things, network access being one of them. (Creating code on the fly being another one of them, which isn't necessarily bad, but it is sometimes suspicious so I like to take a look.) That's a good idea to keep a list of what Ages are trying to get network access, so I've put it up here: http://dusty.homeunix.net/wiki/UAM/Ages/NetworkActiveAges. Thanks for the idea! While it is technically possible for an Age to try to do something like have a binary stored in the Python code, I try to find such things. It is possible for it to slip by though, so if anyone notices such a thing, please report it to me immediately, as it may be malicious! And then I can investigate further: the nice part about this kind of problem, is that one can sit down and pore over it if one is in doubt, and figure out if it is doing something bad or not, so it is not as big of a problem. (Whereas if it has network access, you can never be sure it's not malicious. That is: you can affirm it but not refute it, for those who know topological logics.)
ddb174
 
Posts: 928
Joined: Thu Apr 10, 2008 7:28 pm
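
The kind of review discussed in this thread (spotting import statements for networking modules, and code created on the fly) can be sketched as a small static check. This is an added example, not part of any post above and not Drizzle's actual scanner; the module list, `SAMPLE` and the function names are assumptions made for illustration.

```python
import ast
import re

# Assumption: stand-in list of standard-library networking modules; the
# thread does not enumerate the network access package's contents.
NETWORK_MODULES = {"socket", "urllib", "urllib2", "httplib", "ftplib"}
# Built-ins that create or load code at run time.
DYNAMIC_CALLS = {"exec", "eval", "compile", "__import__"}
IMPORT_RE = re.compile(r"^\s*(?:import|from)\s+([\w.]+(?:\s*,\s*[\w.]+)*)")
CALL_RE = re.compile(r"(?<![\"'.\w])(exec|eval|compile|__import__)\s*[\(\"']")
# Constructed sample in Python 2 syntax (not a real age script).
SAMPLE = 'import socket\nprint "linking"\nhandler = eval(expr)\n'


def scan_source(source):
    """Return sorted (line, kind, name) findings for one age script."""
    findings = set()
    try:
        tree = ast.parse(source)
    except SyntaxError:
        # Python 2 scripts may not parse under Python 3: use the line scan.
        return _scan_lines(source)
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            names = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom):
            names = [node.module or ""]
        else:
            names = []
        for name in names:
            if name.split(".")[0] in NETWORK_MODULES:
                findings.add((node.lineno, "network-import", name))
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id in DYNAMIC_CALLS):
            findings.add((node.lineno, "dynamic-code", node.func.id))
    return sorted(findings)


def _scan_lines(source):
    findings = set()
    for lineno, line in enumerate(source.splitlines(), 1):
        code = line.split("#", 1)[0]  # crude comment stripping
        m = IMPORT_RE.match(code)
        for name in (re.split(r"\s*,\s*", m.group(1)) if m else []):
            if name.split(".")[0] in NETWORK_MODULES:
                findings.add((lineno, "network-import", name))
        for m in CALL_RE.finditer(code):
            findings.add((lineno, "dynamic-code", m.group(1)))
    return sorted(findings)
```

A clean result only means none of these patterns appear in the source text; findings are prompts for a manual read, not a verdict.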
