Lua lobby? - Page 3

AF
AI Developer
Posts: 20687
Joined: 14 Sep 2004, 11:32

Re: Lua lobby?

Post by AF »

Git for windows just has a poor selection of UIs and new users think it works identically to SVN but better, then get confused because nobody bundled a basic primer on things or just used command line commands to demonstrate.

And the mingw32 setup I can agree with totally.
aegis
Posts: 2456
Joined: 11 Jul 2007, 17:47

Re: Lua lobby?

Post by aegis »

AF wrote:Aegis, we already have that issue with lobbies and native AIs, and there are plenty of people who've thought of malicious lua widgets. A malicious mod is already possible and yet it hasn't arisen, and if someone did abuse sockets then they'd need to distribute the mod and we could easily get around that. Just look at The registered ones attempt to nuke a mod using his models without his permission.

Also you don't know what a developer will use sockets for, you may be pleasantly surprised, but I'd rather we didn't have to run innovation by a central authority and enforce technical limitations to get there.
I've personally used lua sockets in two cool spring projects.

that doesn't make me want to give untrusted peer-to-peer maps/content the ability to port-scan my network and localhost and exploit services behind my NAT without me even knowing

that's very possible with lobby and AI as well, but I don't get new lobby/AI from the host every time I join a battle. the injection vector here is much more applicable.

I'm completely in support of lua sockets. I just want reasonable access restrictions so I know they will *never* access servers (especially localhost and LAN, but not limited to that) without my explicit permission+knowledge on a per widget/server basis.

I think it would be reasonable for a game dev shipping their game with the engine to include a whitelist or some other provision with the engine which lua couldn't modify to allow their services to work without impairing the user experience.
AF
AI Developer
Posts: 20687
Joined: 14 Sep 2004, 11:32

Re: Lua lobby?

Post by AF »

There may be a need for port scanning, discovery? E.g. I'd want to be able to port scan to detect LAN server instances of Uberserver or SpringSL, localhost especially if the chosen developer hasn't decided to use lualobby and has opted for a native app, e.g. Zero-K lobby and wants a loopback to feed events
jK
Spring Developer
Posts: 2299
Joined: 28 Jun 2007, 07:30

Re: Lua lobby?

Post by jK »

AF wrote:E.g. I'd want to be able to port scan to detect LAN server instances of Uberserver or SpringSL
You don't use port scanning to do so, in LANs you can use Multicast/Broadcast.
AF
AI Developer
Posts: 20687
Joined: 14 Sep 2004, 11:32

Re: Lua lobby?

Post by AF »

And if the LAN server is a custom one built using Lua lobby? Or the router has multicast support turned off? IIRC TASSERVER and its progeny don't implement any of those.
jK
Spring Developer
Posts: 2299
Joined: 28 Jun 2007, 07:30

Re: Lua lobby?

Post by jK »

AF wrote:Or the router has multicast support turned off?
You `never` can deactivate LAN multicast, only WAN one.
AF wrote:IIRC TASSERVER and its progeny don't implement any of those.
Their problem. (I assume there will be very fast patches for them once the engine checks multicast addr.)
aegis
Posts: 2456
Joined: 11 Jul 2007, 17:47

Re: Lua lobby?

Post by aegis »

it's fine to implement advanced network protocol. I've never said this is wrong or bad.

I really don't feel comfortable with ANY arbitrary network connections made from lualand unless permission is given in some form... especially if connections are made from peer-downloaded maps/mods.

a whitelist could be given for services related to a standalone spring game you were installing.

port scanning to implement network functionality is a terrible hack and there's usually a far better way.
smoth
Posts: 22309
Joined: 13 Jan 2005, 00:46

Re: Lua lobby?

Post by smoth »

feeling very UAC there aegis..
aegis
Posts: 2456
Joined: 11 Jul 2007, 17:47

Re: Lua lobby?

Post by aegis »

It doesn't need to prompt every time like UAC. it can have whitelists shipping with the engine distribution, and prompt *once* for a widget or connection target.

We just need *some* form of reliable access control able to guarantee it won't facilitate a backdoor into your local/trusted network.

No UAC, no virus scanner, no firewall, and other people choosing what runs on your computer = really really bad. That's what this would be without a form of user control.
Licho
Zero-K Developer
Posts: 3803
Joined: 19 May 2006, 19:13

Re: Lua lobby?

Post by Licho »

Meh, should have gone unity. There people don't try to babysit content devs.

You should realize engine is not the end product. It's the tool for content devs. Game devs make sure their product is safe.
If such feature exists, it should be optional and only enabled if content devs want it enabled (to assist security goal of game developer not to force game developer to beg engine devs for whitelist change or other exceptions).
Cheesecan
Posts: 1571
Joined: 07 Feb 2005, 21:30

Re: Lua lobby?

Post by Cheesecan »

Meh well Licho if you are against it that means the biggest game is against it which means it should not be done. Unless Spring is being developed for spring devs alone now.

If the solution is too complex for the players then it shouldn't be implemented because draconian security will chase away the few players left.

Obviously some compromise solution needs to be reached instead of forcing something on content devs.
Tobi
Spring Developer
Posts: 4598
Joined: 01 Jun 2005, 11:36

Re: Lua lobby?

Post by Tobi »

Licho wrote:Meh, should have gone unity. There people don't try to babysit content devs.

You should realize engine is not the end product. It's the tool for content devs. Game devs make sure their product is safe.
If such feature exists, it should be optional and only enabled if content devs want it enabled (to assist security goal of game developer not to force game developer to beg engine devs for whitelist change or other exceptions).
Completely wrong.

People don't try to babysit content devs here, people try to protect users against completely trivial exploits. IMHO engine devs have as much a responsibility here as game devs and lobby devs, in particular since no game devs are producing their own builds of the engine (in other words: how the heck should they make sure their product is safe if the engine contains a big gaping hole and they have no way to close it.)

Whitelist of host + port is a decent solution for now (whitelist does not imply hard coded), much better than relying on bits of TASServer protocol.

Another solution worth discussing is for the engine to call a game-only Lua call-in that gets to decide whether a connection is allowed (so it can pop up a dialog or check a white list or so). This would open a big can of worms though as map Lua runs in the same Lua state as game Lua, and can easily hijack the state and override the call-in.
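
An added example (not code from this thread or from the Spring engine) of the host + port whitelist discussed above, enforced on the engine side where Lua cannot modify it. The class name, method names and the `host:port` config format are assumptions, and IPv6 literals are out of scope.

```cpp
#include <algorithm>
#include <cctype>
#include <set>
#include <string>
#include <sstream>
#include <utility>

// Hypothetical engine-side allowlist for Lua socket connections; the class and
// method names are assumptions for illustration, not Spring engine API.
class SocketAllowlist {
public:
    // Load "host:port" lines ('#' starts a comment); returns entries accepted.
    int Load(const std::string& text) {
        std::istringstream in(text);
        std::string line;
        int added = 0;
        while (std::getline(in, line)) {
            line = line.substr(0, line.find('#'));
            line.erase(std::remove_if(line.begin(), line.end(),
                [](unsigned char c) { return std::isspace(c) != 0; }), line.end());
            const std::size_t colon = line.rfind(':');
            if (colon == std::string::npos || colon == 0) continue;  // malformed
            const int port = ParsePort(line.substr(colon + 1));
            if (port != 0 && entries_.emplace(Normalize(line.substr(0, colon)), port).second) ++added;
        }
        return added;
    }
    // Default deny: only an exact host+port pair from the list is permitted.
    bool IsAllowed(const std::string& host, int port) const {
        return entries_.count(std::make_pair(Normalize(host), port)) > 0;
    }
private:
    // Lowercase and drop a trailing dot so "Lobby.Example." matches "lobby.example".
    static std::string Normalize(std::string h) {
        std::transform(h.begin(), h.end(), h.begin(),
            [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
        if (!h.empty() && h.back() == '.') h.pop_back();
        return h;
    }
    // Returns 1..65535, or 0 when the text is not a valid port number.
    static int ParsePort(const std::string& s) {
        if (s.empty() || s.size() > 5 || !std::all_of(s.begin(), s.end(),
                [](unsigned char c) { return std::isdigit(c) != 0; })) return 0;
        const int v = std::stoi(s);
        return v <= 65535 ? v : 0;
    }
    std::set<std::pair<std::string, int>> entries_;
};
```

Matching is on the host string as the script supplies it; a real check would also validate the resolved address, so that an allowed name cannot point at localhost or LAN ranges.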
smoth
Posts: 22309
Joined: 13 Jan 2005, 00:46

Re: Lua lobby?

Post by smoth »

Tobi wrote:in other words: how the heck should they make sure their product is safe if the engine contains a big gaping hole and they have no way to close it.
They, if capable make patch and fix hole for all rather than just themselves..
Licho
Zero-K Developer
Posts: 3803
Joined: 19 May 2006, 19:13

Re: Lua lobby?

Post by Licho »

Tobi completely trivial like what?

ZK has no local widgets by default (you must enable it in adv. settings ingame and agree that you are expert) and we cherry pick the best maps as "featured" which is what autohosts normally host..

We are responsible for the gadgets, widgets, engine, maps and lobby they use. How would people be affected by some exploit?

Seems irrational to me.. though what aegis proposes is ok if you can specify it on mod level or engine setting level (we deploy engine settings too).
(Btw I was against lua content in maps)
Tobi
Spring Developer
Posts: 4598
Joined: 01 Jun 2005, 11:36

Re: Lua lobby?

Post by Tobi »

Licho wrote:Tobi completely trivial like what?
Make map with Lua that does <insert something malicious> using its unlimited access to LAN, WAN and (read) access to disk, and host it.
Licho wrote:We are responsible for the gadgets, widgets, engine, maps and lobby they use. How would people be affected by some exploit?
ZK is a special case, most content devs don't control the whole infrastructure.
(and I have my doubts whether all code inserted into this supposedly closed system is reviewed beforehand...)

As a sidenote, this argument is also based on the assumption that all devs can be trusted at all times. We've seen in the past that this assumption isn't generally valid.
Licho wrote:Seems irrational to me.. though what aegis proposes is ok if you can specify it on mod level or engine setting level (we deploy engine settings too).
(Btw I was against lua content in maps)
How can it ever be irrational to choose not to add a potential huge security issue?


Sidenote about git being hard because it isn't SVN: github offers RW access to git repositories using SVN protocol.
Forboding Angel
Evolution RTS Developer
Posts: 14673
Joined: 17 Nov 2005, 02:43

Re: Lua lobby?

Post by Forboding Angel »

TBH I'm with Licho here. Evo doesn't even process user side widgets at all. You can put whatever you want in there, but that isn't going to make VFS pay attention to it. Edit: Gundam does the same thing.

I am responsible for the lobby, settings app, maps, widgets, gadgets, units, engine version, etc that my players use. Not you.

I control the whole infrastructure. Don't say most. What you mean to say is "*A".

The real issue here is that the engine devs want to release spring as though it is some sort of platform, and the game devs want to use it as the tool it should be.

In the mean time, content devs get bent over the sink and fucked because the engine devs refuse to realize that spring is a tool, not an end user platform.

Edit: Wrote Aegis, meant Licho
Licho
Zero-K Developer
Posts: 3803
Joined: 19 May 2006, 19:13

Re: Lua lobby?

Post by Licho »

Tobi, whole engine is huge security risk.

No end user reads all the code and it's much easier to hide something there than in map lua widgets..

Why should he trust engine and not a game or map?

Besides I believe that attacking through spring would be really stupid and mostly worthless.. Yeah you could read some local stuff - If you are skilled and know details of the engine ...
Your attempt would be discovered very quickly because lots of tech savvy people exist in spring.

Nowadays most hacks are done en masse by automated tools that use common exploits to create botfarms.

Personalized hacks are only used if you hold something really valuable - we don't, nobody cares.

So the attack would have to come from existing spring player to another spring player and probably for personal reasons.
To do it there would certainly be easier ways than risking full exposure by creating malicious map and trying to get your "target" to play it before it's discovered.
Tobi
Spring Developer
Posts: 4598
Joined: 01 Jun 2005, 11:36

Re: Lua lobby?

Post by Tobi »

Forboding Angel wrote:What you mean to say is "*A".
What I mean to say is "most". If I meant to say *A I had said *A.

Anyway, care to explain how a whitelist doesn't allow you to do the things you want to do?

(In particular if you control the whole infrastructure, so -per definition- also the whitelist.)
Licho wrote:Tobi, whole engine is huge security risk.
Yes, I know, and it is not a convincing argument to consciously add even more problems.
Licho wrote:Besides I believe that attacking through spring would be really stupid and mostly worthless.. Yeah you could read some local stuff - If you are skilled and know details of the engine ...
Your attempt would be discovered very quickly because lots of tech savvy people exist in spring.

Nowadays most hacks are done en masse by automated tools that use common exploits to create botfarms.

Personalized hacks are only used if you hold something really valuable - we don't, nobody cares.

So the attack would have to come from existing spring player to another spring player and probably for personal reasons.
To do it there would certainly be easier ways than risking full exposure by creating malicious map and trying to get your "target" to play it before it's discovered.
Yes, I totally agree it would be retarded to attack Spring in this manner, and I do not expect it to happen (at least not from outside), but still I do not consider this a good argument to intentionally lower the barrier to such attacks.

So, to restate the start of this post: care to explain how a whitelist doesn't allow you to do the things you want to do and full, unlimited, network access is a must for game developers?
Cheesecan
Posts: 1571
Joined: 07 Feb 2005, 21:30

Re: Lua lobby?

Post by Cheesecan »

Licho wrote: Personalized hacks are only used if you hold something really valuable - we don't, nobody cares.
Protection from obscurity? Isn't the purpose of developing an engine over so many years to make something that could grow? If we just wanted to keep regulars all development could have stopped in 2006. Should design spring for 500,000 players not 500.
Licho
Zero-K Developer
Posts: 3803
Joined: 19 May 2006, 19:13

Re: Lua lobby?

Post by Licho »

Tobi wrote:So, to restate the start of this post: care to explain how a whitelist doesn't allow you to do the things you want to do and full, unlimited, network access is a must for game developers?
Whitelist is ok IF we (ZK team) can set up defaults for the players.
Otherwise it solves nothing, either it means each player will be spammed or it means we have to wait long time for engine devs to change and release modified engine.