Mail Bag
Mail Bag
| Tuesday, December 16, 1997 |
Date: Mon, 15 Dec 1997 12:04:03 -0500
From: Thomas Winzig
Subject: Mailbag response
What Murf failed to mention is that the majority of viruses or "bad programs" do things that are not detectable immediately. Consider a Quake2 dll that looks for data and sends it to me via email while you're playing Q2 on the net.
Consider time-released viruses or time-released malicious code that won't actually go into effect until some date. All of a sudden, everyone playing that popular "X" mod goes down on April fool's day...
There are plenty of good reasons for projects like OpenQuake.
-thomas
(aka William Wallace)
Date: Mon, 15 Dec 1997 12:04:18 -0500
From: _Quinn
Subject: Mailbag: Quake2DLL Security Issues
Murph wrote:
>I suspect its all a moot point anyway. How many executable programs did you download today off the Net, unzip & then run? I bet there was at least one! And that one program could have been something malicious (pretending to be something useful) that blew away your hard drive.
Matter of fact, the last executable I pulled from the net was q2test, from id's site...
>Somehow - I dont think a malicious DLL is going to get too far around the net before it's been detected and taken away. No-one will ever trust that author again and problem solved.
That's assuming you know who wrote it. But, consider the three thousand people who download it before word propogates out... they're out of luck. They're not going to want to try out new mods as much -- and while I'm pretty sure we can trust id not to drop malicous code into the point release, or the Thunderwalker CTF team not to, the smaller, newer teams -- that no one's heard of, that no one trusts ( see your last point ) get screwed.
>The point here is that the first time you ever run a new program, you are placing a trust in the author of said program. You dont know what the hell a new program is going to do before you run it and have a look.
>Lets suppose I sent you a program attached to this email that claimed to be a "written from scratch" openGL driver for 3dfx that had a 50% speed increase over the current miniport. I'd bet you would run it - if for no other reason than curiosity and the hope that such a claim might possibly be true! When you run it, BOOM, I got ya. But now you know not to pass this program around because it killed your system.
Ever considered logic bombs? A malicous DLL doesn't necessarily have to destroy your system at run-time. And "BOOM" is generally NOT an acceptable thing to happen -- most everyone would prefer not to back up their HD every time before they run something off the net, so most people I know don't download random executables -- they only get them from trusted sites, usually corporations.
>This is the same for any new program you download of the Net, whether it be a graphics driver, Quake2 DLL or some other type of program.
Yes, but most people are used to Quake mods being totally safe, and so they won't be as careful about it.
>Anyway, just my 2c worth to show that people already place a large amount of trust in software authors by downloading and running stuff off the Net right now. Some new mechanism for verification of Quake2 DLLs seems pointless to me.
>Murf
It's about trust in the Quake community. We would all like to be able to trust every mod author, but that's just not the case, and it's reckless. You could trust Quake 1 mods not to screw up your system, but that's not true for Quake 2 DLLs. OpenQuake, with its mission to advance Quake as a user-extensible platform, is trying to bring some more trust to the process.
Speaking of verified mods, we expect to have verified three mods by the week's end.
_Quinn
OpenQuake General Manager
http://www.openquake.org
mailto:tmiller@haverford.edu