Security consideration
-
Me think EXE (dll, lib) should not be on CodeProject. Me also think that if user X does indeed force people the run a virus, user X will be banned and thrown to the wolves as fast as you can vote 1. Also, never run an EXE if you are not certain what it does.
Watched code never compiles.
Maximilien wrote:
Also, never run an EXE if you are not certain what it does.
I wish more end users would do or that.
-
RichardBrock wrote:
Antivirus won't detect the break in
Why do you say that? Isn't Antivirus softwares supposed to flag the malicious programs? I personally run all demo applications in a virtual machine and if something goes wrong then I just get a copy from last backup. -Saurabh
AV is far from full proof. In the last month I have cleaned 4 machines that had the latest Norton or Endpoint installed with up to date virus definitions. These machines were full dozens of viruses / rootkits/ malware... Some of the viruses / rootkits were from 2008 and Norton still could not remove them.
John
-
AV is far from full proof. In the last month I have cleaned 4 machines that had the latest Norton or Endpoint installed with up to date virus definitions. These machines were full dozens of viruses / rootkits/ malware... Some of the viruses / rootkits were from 2008 and Norton still could not remove them.
John
Yes I am aware of that. But I was curious about the tone of the OP. It seems he thinks that demo applications cannot be detect Antivirus software for sure. But these days Antivirus softwares use hueristics and they might be able to detect such applications. -Saurabh
-
Yes I am aware of that. But I was curious about the tone of the OP. It seems he thinks that demo applications cannot be detect Antivirus software for sure. But these days Antivirus softwares use hueristics and they might be able to detect such applications. -Saurabh
My point is the Norton/Endpoint with its realtime scanner and hueristics obviously did not detect these viruses to let them install themselves in these machines.
John
-
My point is the Norton/Endpoint with its realtime scanner and hueristics obviously did not detect these viruses to let them install themselves in these machines.
John
-
Saurabh.Garg wrote:
Yes that is why I used "might be able to detect..." while OP said "wont be able to..."
Understand now. Agreed.
John
-
Your point is valid, the post was made on an understanding that antivirus software requires a known signature to detect viruses and trojans.
-
Think about this scenario - someone signs up to codeproject using a gmail address and an arbitrary username. The person then posts an article about a new MFC control, for example a pure win32 Ribbon control that does not require any .net components. The source code contains intentional omissions that make it impossible to compile because the real objective is to get as many people as possible to download the demo executable and run it. The executable installs a trojan or SSH tunnel giving the author full access to the victims computer, allowing for theft of source code, documents, emails etc. Antivirus won't detect the break in, a personal firewall might, I guess it depends on how good the author is at coding. My point is - perhaps there is a rather wide open back door via article demo's - and I am in no way suggesting that it's the responsibility of codeproject to police uploads, just merely raising the concern.
A user of Code Project would (presumably) be presumed to be a developer. If you're reading an article, then you should at least be able to understand the content of the article and at least be at a level with the language it's in that you understand the demo you're about to download. I don't run code before reading through it and at least understanding where it's going, even if I don't understand all the concepts present. I also know enough networking code to spot it. If I try and build it and it doesn't work, I'll invariably delete it and mark the rating of the article one lower than I would have had the demo code worked as described by the article. I don't think it's a security risk, and I'm pretty sure a report of an article that had malicious content would be treated seriously and quickly by the admins on the site.
-
Your point is valid, the post was made on an understanding that antivirus software requires a known signature to detect viruses and trojans.
I see, it makes sense. -Saurabh
-
Think about this scenario - someone signs up to codeproject using a gmail address and an arbitrary username. The person then posts an article about a new MFC control, for example a pure win32 Ribbon control that does not require any .net components. The source code contains intentional omissions that make it impossible to compile because the real objective is to get as many people as possible to download the demo executable and run it. The executable installs a trojan or SSH tunnel giving the author full access to the victims computer, allowing for theft of source code, documents, emails etc. Antivirus won't detect the break in, a personal firewall might, I guess it depends on how good the author is at coding. My point is - perhaps there is a rather wide open back door via article demo's - and I am in no way suggesting that it's the responsibility of codeproject to police uploads, just merely raising the concern.
- It's no different from any other .exe download, it will still be virus scanned by the users scanner. (And company firewall based scanners like we have). Obviously, the detection rate for new viruses is very poor for most checkers, they work on signatures, so if it's a know virus it will probably be found, if it's been custom written it's less likely, but this is completely the same as any other binary download from anywhere. 2) I would assume most CP users are above average in technical knowledge. Personally, I use the source code and build it myself. I rarely download the binaries, when I do, I'm careful with them, using virtual machines etc. If it doesn't build, I look for what's wrong, or post a message to the author, failure to build doesn't encourage me to download binaries (probably the opposite actually, I'm rarely at codeproject for binary downloads, it's usually because I want to know how to do something in code, I'm not interested in the binary) 3) Users will down vote articles where the source code doesn't build. It won't take very long for this to be noticed. In fact, It's possible the article would be removed before it even passed through the acceptance process. (You may not be aware, but new articles from non-gold members have to be approved by a gold member before they become public).
Simon
-
Don't download the demo. Only download and compile the source code: if it doesn't compile without errors the first time I usually delete the whole thing (and maybe post a note to the author. Maybe demos should be banned (how would that work?) or articles can't be posted until you've partcipated for 6 months or made 100 other posts or some other arbitrary measure of honesty.
Tychotics: take us back to the moon "Life, for ever dying to be born afresh, for ever young and eager, will presently stand upon this earth as upon a footstool, and stretch out its realm amidst the stars." H. G. Wells
digital man wrote:
Maybe demos should be banned (how would that work?)
By only having demos that are built by a trusted third party. A lot of work for the hamsters, though.
I wanna be a eunuchs developer! Pass me a bread knife!
-
Think about this scenario - someone signs up to codeproject using a gmail address and an arbitrary username. The person then posts an article about a new MFC control, for example a pure win32 Ribbon control that does not require any .net components. The source code contains intentional omissions that make it impossible to compile because the real objective is to get as many people as possible to download the demo executable and run it. The executable installs a trojan or SSH tunnel giving the author full access to the victims computer, allowing for theft of source code, documents, emails etc. Antivirus won't detect the break in, a personal firewall might, I guess it depends on how good the author is at coding. My point is - perhaps there is a rather wide open back door via article demo's - and I am in no way suggesting that it's the responsibility of codeproject to police uploads, just merely raising the concern.
This is an issue for any executable (and many non-executable) downloads on the internet, and is precisely the reason we do not allow downloads that do not contain source code. I've also see anti-virus software complain about demo downloads from CodeProject - not because the code contained a trojan, but because a trojan contained the code!
cheers, Chris Maunder The Code Project | Co-founder Microsoft C++ MVP
-
Think about this scenario - someone signs up to codeproject using a gmail address and an arbitrary username. The person then posts an article about a new MFC control, for example a pure win32 Ribbon control that does not require any .net components. The source code contains intentional omissions that make it impossible to compile because the real objective is to get as many people as possible to download the demo executable and run it. The executable installs a trojan or SSH tunnel giving the author full access to the victims computer, allowing for theft of source code, documents, emails etc. Antivirus won't detect the break in, a personal firewall might, I guess it depends on how good the author is at coding. My point is - perhaps there is a rather wide open back door via article demo's - and I am in no way suggesting that it's the responsibility of codeproject to police uploads, just merely raising the concern.
If someone were to ever try this, I bet the next CP contest would be to develop a botnet that would bury this guy so deep that the next three generations of his family wouldn't even be able to use a computer for as much as googling "When is this going to end?"
Brad Deja Moo - When you feel like you've heard the same bull before.
-
The best security is your own common sense. If a user is a very new member (none or very few posts, short membership and directly one article), it already is a "warning". Most things or article contents are quite difficult to follow just with a demo-app without the needed source, so if the source code doesn't compile... I just ignore the app.
Regards. -------- M.D.V. ;) If something has a solution... Why do we have to worry about?. If it has no solution... For what reason do we have to worry about? Help me to understand what I'm saying, and I'll explain it better to you Rating helpfull answers is nice, but saying thanks can be even nicer.
Nelek wrote:
The best security is your own common sense.
Then we are so totally screwed...
Christopher Duncan
www.PracticalUSA.com
Author of The Career Programmer and Unite the Tribes
Copywriting Services -
This is an issue for any executable (and many non-executable) downloads on the internet, and is precisely the reason we do not allow downloads that do not contain source code. I've also see anti-virus software complain about demo downloads from CodeProject - not because the code contained a trojan, but because a trojan contained the code!
cheers, Chris Maunder The Code Project | Co-founder Microsoft C++ MVP
...and the dog merrily chases his tail.
Christopher Duncan
www.PracticalUSA.com
Author of The Career Programmer and Unite the Tribes
Copywriting Services -
My point is the Norton/Endpoint with its realtime scanner and hueristics obviously did not detect these viruses to let them install themselves in these machines.
John
-
If someone were to ever try this, I bet the next CP contest would be to develop a botnet that would bury this guy so deep that the next three generations of his family wouldn't even be able to use a computer for as much as googling "When is this going to end?"
Brad Deja Moo - When you feel like you've heard the same bull before.
:laugh: :laugh: :thumbsup:
Regards. -------- M.D.V. ;) If something has a solution... Why do we have to worry about?. If it has no solution... For what reason do we have to worry about? Help me to understand what I'm saying, and I'll explain it better to you Rating helpfull answers is nice, but saying thanks can be even nicer.
-
It's not my choice. For the one laptop that is under my control we have an exclusive contract to use Endpoint. The others were home users.
John
-
digital man wrote:
Maybe demos should be banned (how would that work?)
By only having demos that are built by a trusted third party. A lot of work for the hamsters, though.
I wanna be a eunuchs developer! Pass me a bread knife!
Ah, bit like Escrow, perhaps? Not bad: I suppose it could be a paid service that would earn CP some more gazillions and would certainly weed out some of the more, how can I put it... not terribly well thought out articles.
Tychotics: take us back to the moon "Life, for ever dying to be born afresh, for ever young and eager, will presently stand upon this earth as upon a footstool, and stretch out its realm amidst the stars." H. G. Wells
-
A user of Code Project would (presumably) be presumed to be a developer. If you're reading an article, then you should at least be able to understand the content of the article and at least be at a level with the language it's in that you understand the demo you're about to download. I don't run code before reading through it and at least understanding where it's going, even if I don't understand all the concepts present. I also know enough networking code to spot it. If I try and build it and it doesn't work, I'll invariably delete it and mark the rating of the article one lower than I would have had the demo code worked as described by the article. I don't think it's a security risk, and I'm pretty sure a report of an article that had malicious content would be treated seriously and quickly by the admins on the site.
hammerstein05 wrote:
I don't think it's a security risk, and I'm pretty sure a report of an article that had malicious content would be treated seriously and quickly by the admins on the site.
What if you were the first to review the code?
John