| www.ClassicTW.com https://mail.black-squirrel.com/ |
|
| TWXproxy Security Issue? https://mail.black-squirrel.com/viewtopic.php?f=15&t=20427 |
| Author: | Promethius [ Mon Mar 17, 2008 12:52 pm ] |
| Post subject: | TWXproxy Security Issue? |
I may be wrong so someone can correct me, but I think TWXProxy is inherently a risky application to run. Most of us run public encrypted scripts that could have the ability to delete and write files to any path. Since I am not a programmer by profession, my knowledge of security is limited to that of the average user, but it would seem possible to write a TWX script that would create malicious files in the background. I know I wrote a script that reads the SWATH config file, and it would have been fairly simple to rewrite the file unless it was locked by SWATH (which I doubt). I also have scripts that write, save, fire scripts based on specific needs.

I think that TWX should limit its file writes to the TWX folder/directory. I fail to see any good reason to allow it to write to any other areas.

An easy solution for some of us is to not run .cts files. Since I release public .cts files, that would be somewhat of a double standard in my being willing to release but not use .cts scripts. I won't release anything but the most basic scripts in anything but .cts since I have seen the .ts scripts changed, and with no attribution given (proAssetCheck.ts for instance) and claimed as original by the person that made the changes, or worse, bugs introduced into a script I wrote (I have enough bugs, don't need help adding more).

While I am writing a mini-novel for a post.... One thing I find missing is a script review on public scripts. Grimytrader.com is an excellent source for public files and has a rating system in use; however, it would be helpful if we knew why someone rated a script a 5.0 or a 3.0. I think if the site had something like:

Script: tbust.ts v1.0
Rated 5.0 by Promethius on March 17, 2008
Comment: Excellent planet busting script with no bugs found. Safe to run in hostile environment.

Or, whatever comment a person wanted to make in regard to why the script was rated as such.

One problem I have run into, along with most who release public scripts, is that we never get feedback on a script, either good or bad. Yeah, I need to try and contact RammaR on that.............

Ok, this has rambled and actually covered two different subjects. So shoot me... not any worse than last night's take a pod to fight at dock against a 400k figged enemy ship (long story on why the pod). |
|
| Author: | Singularity [ Mon Mar 17, 2008 3:16 pm ] |
| Post subject: | Re: TWXproxy Security Issue? |
Quote: I think that TWX should limit its file writes to the TWX folder/directory. I fail to see any good reason to allow it to write to any other areas.

I routinely read and write files outside of my twxproxy dir. Most of my in-game files are written directly to c:\, as it's easier to find them that way. I would hate to force one person's convention down the throats of every other user.

Just disabling one's ability to write outside of the twxproxy dir wouldn't be enough, I could write a script to write an alternate version of twxproxy.exe (or any other program like twxc or whatever) that would then enable me to write to any other directory... perhaps with a latent command when the program is reloaded, then force the app to crash so they'd have to reload the program.

There are no protections sufficient enough to stop someone both intelligent and malevolent. Never run scripts from someone you don't trust, and never run them in an environment where they haven't been previously tested and never run them if they're written by someone that's on another team in the same game you're in. I once wrote a script that warped a player around, turned all corp planets personal, turned all figs personal, left the corp then cby'd... but only if they were on an enemy corp. Fortunately for them they never ran the script...

Short story made long... don't run a .CTS file unless you inherently trust the person and their motives. Most people will not make a purely malevolent script public, of course, but that doesn't mean there aren't easter eggs hidden in the code. That's why I make all of my public scripts open source... removes that concern.

As for getting feedback... only way I've managed that problem is to develop a small group of players as testers. Then you can control the process better and educate them on what data they need to collect. |
|
| Author: | Zarkahn [ Wed Mar 19, 2008 4:07 pm ] |
| Post subject: | Re: TWXproxy Security Issue? |
Darn and I thought I was bad for locking the private ones so they didn't get spread out... that's downright evil Dyn... lol... u meanie |
|
| Author: | Thrawn [ Thu Mar 20, 2008 4:28 pm ] |
| Post subject: | Re: TWXproxy Security Issue? |
Promethius wrote: I may be wrong so someone can correct me, but I think TWXProxy is inherently a risky application to run. Most of us run public encrypted scripts that could have the ability to delete and write files to any path. Since I am not a programmer by profession, my knowledge of security is limited to that of the average user, but it would seem possible to write a TWX script that would create malicious files in the background. I know I wrote a script that reads the SWATH config file, and it would have been fairly simple to rewrite the file unless it was locked by SWATH (which I doubt). I also have scripts that write, save, fire scripts based on specific needs. I think that TWX should limit its file writes to the TWX folder/directory. I fail to see any good reason to allow it to write to any other areas. An easy solution for some of us is to not run .cts files. Since I release public .cts files, that would be somewhat of a double standard in my being willing to release but not use .cts scripts. I won't release anything but the most basic scripts in anything but .cts since I have seen the .ts scripts changed, and with no attribution given (proAssetCheck.ts for instance) and claimed as original by the person that made the changes, or worse, bugs introduced into a script I wrote (I have enough bugs, don't need help adding more). While I am writing a mini-novel for a post.... One thing I find missing is a script review on public scripts. Grimytrader.com is an excellent source for public files and has a rating system in use; however, it would be helpful if we knew why someone rated a script a 5.0 or a 3.0. I think if the site had something like: Script: tbust.ts v1.0 Rated 5.0 by Promethius on March 17, 2008 Comment: Excellent planet busting script with no bugs found. Safe to run in hostile environment. Or, whatever comment a person wanted to make in regard to why the script was rated as such. One problem I have run into, along with most who release public scripts, is that we never get feedback on a script, either good or bad. Yeah, I need to try and contact RammaR on that............. Ok, this has rambled and actually covered two different subjects. So shoot me... not any worse than last night's take a pod to fight at dock against a 400k figged enemy ship (long story on why the pod).

I have to agree with this. I don't like any application writing anywhere except in the application's directory.

As far as your rating idea, I'd have no issues posting information on our site about the scripts or authors. It would be good knowledge to pass on to those new to scripts and would help to relieve any tension or uncertainty to the validity of the script. |
|
| Author: | Darklighter [ Mon Sep 22, 2008 12:25 pm ] |
| Post subject: | Re: TWXproxy Security Issue? |
Perhaps the solution lies (as it often does) in having a few options that can be turned on and off from within TWXproxy that are not changeable from within a script. That way, you can set the security level you are comfortable with. |
|
| Author: | Kaus [ Mon Sep 22, 2008 10:00 pm ] |
| Post subject: | Re: TWXproxy Security Issue? |
As a FYI "XP Professional" (can't speak for Vista, though I would imagine Vista Business) has the ability to limit any program runtime abilities to a specific folder. Problem being is if you're logged in like I am as Admin (i.e. you set up your XP to have only one user) when you installed the application you gave it superuser rights. However if you're sufficiently paranoid you can make a user account within XP that doesn't have full admin rights. After you have done that it's as simple as setting permissions on the folder.

http://www.download.com/ProcessGuard/30 ... 33974.html
Process Guard might work too.

Or
http://www.microsoft.com/windows/downlo ... fault.mspx
http://www.vmware.com/products/server/ <- is free

Virtual PC would prevent any issues with a cts as worst case scenario they destroy the virtual environment. |
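
An added illustration, not part of any post above and not TWXProxy code: a lexical write-path check of the kind Promethius proposes, with the writable area narrowed to a data subfolder so that the replacement of twxproxy.exe that Singularity describes falls outside it. The install path, the `data` folder, the extension list and the function name are assumptions made for the example.

```python
import ntpath  # Windows path semantics, usable on any host OS

# Assumed layout, for illustration only (not TWXProxy's real directories).
TWX_ROOT = r"C:\TWXProxy"
DATA_DIR = ntpath.join(TWX_ROOT, "data")   # the only place scripts may write
BLOCKED_EXT = {".exe", ".dll", ".bat", ".cmd"}

def check_script_write(requested):
    """Return (allowed, reason) for a path a script asks to write."""
    # join() lets an absolute or other-drive path replace DATA_DIR, and
    # normpath() collapses "..", so `full` is where the write would land.
    full = ntpath.normcase(ntpath.normpath(ntpath.join(DATA_DIR, requested)))
    # Compare against "data\" including the separator, so "data2" cannot match.
    root = ntpath.normcase(DATA_DIR) + "\\"
    if not full.startswith(root):
        return False, "outside data directory"
    rel = full[len(root):]
    # "name:stream" addresses an NTFS alternate data stream.
    if ":" in rel:
        return False, "alternate data stream"
    # Windows drops trailing dots and spaces, so "run.exe." lands as "run.exe".
    if any(part != part.rstrip(". ") for part in rel.split("\\")):
        return False, "trailing dot or space"
    if ntpath.splitext(rel)[1] in BLOCKED_EXT:
        return False, "executable extension"
    return True, "ok"

# Constructed requests, as a script might pass them to a file-write command.
SAMPLES = [
    "sectors.txt",
    r"logs\game1.log",
    r"..\twxproxy.exe",
    r"c:\game.txt",
    r"..\data2\f.txt",
    "helper.EXE",
    "run.exe.",
    "notes.txt:hidden",
]

if __name__ == "__main__":
    for path in SAMPLES:
        allowed, reason = check_script_write(path)
        print(f"{path!r:24} {'ALLOW' if allowed else 'DENY':5} {reason}")
```

The check is purely lexical: it does not resolve junctions or 8.3 short names, so it complements rather than replaces the restricted account and folder permissions Kaus describes.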
|
| All times are UTC - 5 hours |
|