Validation/protection needed

remus

Could be a bit tricky, as everything in ruby is just plain text, so anything that another ruby can look for can be seen by a person. Perhaps if all the rubies were .rbs instead, but then youd lose a large proportion of the learning materials available to new coders

A tricky problem indeed.

remus

I wouldnt think youve got much cause to worry, especially if you know the source of your ruby.

azuby

The check for script modification could be done using simple checksums - MD5. All in all you need a script validating the validation script

azuby

mattg

Modelhead you worry too much. That's why you've lost all your hair!

kwistenbiebel

I don't know zip about coding, but maybe Google could implement some sort of malware ('mal code'?) detector for ruby plugins in SU7. Some sort of routine that warns you whenever 'possible' harmful code is about to be compiled...

It could work like the 'No script' blocker add-on for Firefox, a system that lets the user decide to give permission to run this or that particular code...

Don't know if this makes sense, I am completely code ignorant, besides some stuff we had to do in high school in Basic and TurboPascal ...

RickW

Basically, there are two bad things that could happen with a malware ruby:

1. Mess up your model (either by adding rogue geometry or deleting everything and saving/closing the file)
2. Hard drive attacks:

a. Install a virus/trojan/other payload
b. Collect personal information
c. Destroy files
The problem with trying to block either of these things from happening is that it would also prevent legitimate scripts from working. For example, Windowizer would be flagged for creating "rogue" geometry and PageExIm would be flagged for hard drive access.

The best protection is to know your source, but I understand the concern. Todd and I have been thinking about what we can do at Smustard (for more than just security issues), and one option is server-based plugins. We're exploring other options as well, but it takes time to make these things happen. Meanwhile, if you get a script and wonder if it is "harmless", just post it and one of us ruby guys will look at it.

juju

Fortunately Smustard has the MySmustard plugin to help one track updates to their scripts, to me this already works like a validation system of sorts, kinda moot as a pure validation system for Smustard ATM since you get the scripts from Smustard in the first place.

It's the idea that counts, a master data register of the scripts out there and SU checks it (MD5 checksums verification on the server database would help) everytime it starts up, maybe even report new scripts and analyse them in a kind of SAFE MODE before running them.

I suppose it doesn't help people much that use SU offline, thus some kind of encrypted database file (with the MD5 checksums) distributed with SU for validation purposes would probably help as well. Should be easily updatable and probably wouldn't be a space hog.