07/31/17, 03:22 AM | #1
Censorship
Hi guys
I would like to discuss an issue here on this site. Maybe I do not understand something correctly, but it seriously bothers me. The issue I currently have is censorship. I've posted around 4 comments to an addon, which is quite a bit suspicious to say the least (I guess some of you already came across that addon). I've posted my doubts and brought up technical facts, which might be interesting for other users, as the addon might be a huge security threat (containing an exe and manipulating LUA code on the fly). Yet, all my comments are getting deleted pretty fast. As I never deleted any comments so far, I'm not aware if the author can directly delete a comment or if some admin interaction is involved. Anyway, I think it is pretty concerning when such information, technical facts and warnings can easily be removed from an addon. IMHO I consider this censorship and in this case it might even put users at risk who otherwise would have been more careful.
07/31/17, 04:02 AM | #2
I'd also like to point out that, while I did not see the actual comment, this short quote of yours:
.exes are a security risk, and I'm not going to say that they aren't. Depending on the specific addon you are referring to, the source code might be freely available. Additionally, the site has rules around .exes: "Executable files are not allowed, except for some very specific cases. We test and decompile all executable files that are submitted. In some cases we may ask for the source. This processes could take awhile." That said, I don't know how rigorous the testing they are put through is. Last edited by Dolgubon : 07/31/17 at 04:10 AM.
07/31/17, 04:36 AM | #3
Let's start with the comment where I got quoted "blah-blah-blah". I never wrote that. I must agree that my words could have been friendlier (but it was quite a bit hard as I got pretty much too tired of people defending all of this without any arguments, respectively ignoring everything that has been said. I mean if someone really wants to run that addon, fine for me. I wouldn't. And everyone who wants to run it should know what the risks are. And there are quite a few.). Nonetheless, the post contains information and what I currently consider to be an issue in the comments there. There's simply a lot of censorship and as you said, comments are getting buried rather quickly, which is another issue in the case of this addon. Another example: Got one more at home in case you want to see that as well. Unfortunately, the original post, where I've explained a lot of things, got deleted and I did not make a screenshot (I didn't think about it being deleted). Regarding the other comments: they are mostly surfacing. The discussion on the official forums does contain more details imho. I was posting the things I was concerned about in my first deleted post (and it did contain more information than the other posts in the comments). But there's no reason to write it all again when it gets deleted anyway, so I simply referred to the official forum (well, there's some censorship there as well, but at least the author isn't capable of deleting posts directly...). Regarding the .exe: If you do not decompile the binaries you won't be able to determine if they have been built from that source. So a simple source code review won't be enough. Besides, the source code shows that the local lua files are being regularly overwritten by the content delivered by the (closed source) web server (again, a review of that source won't help much). And exactly such comments are being deleted.
If you look at how the author is handling criticism and feedback in general (he mostly dodges, ignores or deletes such statements), this whole thing looks even worse. Yet, when you look at the addon comments, you will miss out on many things. I understand that the admins can't take control of everything, but this form of censorship is pretty bad. It should be possible to prevent authors from deleting comments if they abuse that feature. If anything is wrong with this addon (e.g. malware) I consider the admins responsible for the damage caused as well, as they a) allowed the addon b) prevented other users from being warned.
07/31/17, 05:38 AM | #4
Hello,
Did you try to politely contact the author personally by private message? What's his response? I do agree that the abuse of the delete button is a bad practice, and would suggest everyone to have a constructive discussion with tempered comments. A deletion of a message is not a good thing except if it discloses some security breaches or shifts to a subject which differs from the project itself. Well, maybe you (both of you) should reconsider your words, maybe yours, maybe his, I don't know, because I didn't follow the whole thing, but try to bring a more constructive discussion than the actual one-sided (and even..) talk.
07/31/17, 05:52 AM | #5
He claims that everything is fine and no issue at all, which obviously isn't true. So instead of arguing I'm getting ignored or my posts are being deleted (there's not much to argue anyway, as you can't deny or argue about facts, they are what they are). The author has been accused of having taken code of other authors without their consent. This has been claimed by another author on the official forum and here. Guess what, I can't find that comment here anymore. And that's the issue in my opinion. If there's criticism or a risk associated with an addon, it should be possible to comment on that, regardless of what the author claims. This whole thing is shady as ****. Some comments are left there, and in the context they are, it can be interpreted as that everything is fine, and there aren't any arguments against the addon anymore (or way less, respectively only surfacing).
07/31/17, 06:28 AM | #6
Authors can delete comments on their own AddOns, they can't delete posts in our forums. Maybe I should at least put up a sign if an Author chooses to delete a comment saying the Author has deleted comments.
I haven't received any info on copied code from other addons, I've looked at the source of the exe and it doesn't do anything malicious that I can tell. However maybe a thread should be created in "General Authoring Discussion" if more people want to discuss this AddOn and have concerns? I'll certainly keep it open as long as the majority of posters to the thread stay civil. Last edited by Dolby : 07/31/17 at 06:34 AM.
07/31/17, 06:47 AM | #7
I was myself even surprised that no one reacted to this, and even more from you. Actually the author deleted a lot more comments than Sordrak's: most of the comments that were polite or not but pointing to the dangerous side of the addon were deleted. If an addon is subject to controversy, as this one, maybe you should have to take a stand on it.
07/31/17, 07:00 AM | #8
Didn't I send the link to the thread in the official forum? Well, you might read the following comment in that case: https://forums.elderscrollsonline.co...omment_4359485
https://forums.elderscrollsonline.co...omment_4360439
I'm sorry, but I do not consider such an author as trustworthy who throws exe files around. And exactly such critique should be part of an addon's comment section or maybe as a bold red warning... Back to your source code review:
- Do you agree that it simply doesn't matter what is present on github? What matters is what the binary file does and you have no idea what it does before decompiling / reverse engineering it. I really doubt at that point that the admins are doing this with every single release of the addon.
- So you consider it not malicious when an addon (respectively the exe) is capable of writing new lua code that hasn't been there before? You have no idea what will be written as it is under full control of the author's server. See: https://github.com/evan-sctg/NirnAuc...uctionHouse.cs Just as an example:
edit: typos Last edited by Sordrak : 07/31/17 at 07:17 AM.
07/31/17, 07:40 AM | #9
Last edited by Dolby : 07/31/17 at 07:47 AM.
07/31/17, 07:51 AM | #10
- Which means he just needs to be lucky to get some arbitrary binary (not built from the source) running on esoui users' PCs. I know that the effort to check all of this is high, too high indeed. But I still consider this a security risk. And as you've said, AV software looks for a signature. It is easy to bypass an AV signature. (I won't repeat myself here, you should find more regarding this issue in at least the official eso forum thread)
- It only writes lua as far as I can tell (I actually only took a short peek at one of the .cs files, so no guarantees here from my side). I'm saying that currently the author is capable of running arbitrary lua code on the clients, yes. And yes, this is bad. He could run different code on different clients (e.g. depending on IP or account name) and he could overwrite the same lua code afterwards and you wouldn't notice. In my opinion this is nothing an addon should be capable of. Your suggestion likely won't work. He uses the manipulated lua files as a "proxy" between the game and the exe. The game itself wouldn't be capable of reading .txt files, therefore he uses the lua files (incl. /reloadui) to transfer the data back from the exe to the client. Yet, he has full control over all the lua code. I currently do not see a solution to this issue. edit: typos Last edited by Sordrak : 07/31/17 at 07:53 AM.
07/31/17, 10:01 AM | #11
edit: how does TTC handle this, given that there are reports that NirnAH uses the same code? Last edited by Shinni : 07/31/17 at 10:22 AM.
07/31/17, 10:05 AM | #12
07/31/17, 10:09 AM | #13
Doh you're right, I forgot about that.
There are many other things to consider now though, waiting to hear back from cyxui to see if that issue was ever resolved. Also going over deleted comments and will likely contact the author soon about that and the security issues brought up here to see if a resolution can be found. If not then I think the AddOn will have to be pulled from our site until it's redesigned. I just wanted to come up with some possible solutions. Edit: Contacted Elo to get more information, will update when I get more info. Last edited by Dolby : 07/31/17 at 10:37 AM.
07/31/17, 10:55 AM | #14
Tamriel Trade Center and all other addons that contain exe files are in no way different and pose the same risk as Nirn Auction House.
To be honest, I think it was a bad idea to allow addons with executables at all. Instead they should have been forced to use scripts (lua, js, php, python, whatever) to handle what they try to accomplish. The end users would have to install an interpreter on their machine, but at least that way it would be very hard to hide malicious code compared to when a precompiled binary is used. Maybe for the future, you could add some sort of reputation system? New addon authors without a reputation are not allowed to upload binaries. And when someone tries to download an addon with a binary from someone with low reputation they get a big warning telling them that it might be very dangerous?
07/31/17, 01:48 PM | #15
I do agree that a warning on addons with an embedded binary and not yet tagged as "popular" per example will not be too much.
After all, if .exe can lead to way worse things than the sandboxed lua environment built by ZOS, from a dev point of view addons can (woops) delete your items, and from a user point of view it could be worse than a system reinstall or worse, include some malicious library (follow me ). For dev reputation.. it'll maybe be a bit too much, as this process should be automated. Don't forget that a warning could lead to fewer downloads, which is not a good thing either. PS: I had spoken of a kind of convention / good practices when releasing addons, it has always been something in my mind, but we could do something (with some external input) in order to give a nice message when creating a new addon. PPS: I do agree that lua code downloaded from a webserver is.. a newbie error. I don't want to blame our latest week-end coder but help everyone and help them understand why it's bad. By the way if he wants to talk to some objective folks already considered as tyrants and evil coders, there is gitter
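A defender-side check for two concerns raised earlier in the thread: post #8 and #10 describe a helper binary rewriting the addon's Lua files from a remote server so that a user would not notice, and post #15 asks for a warning on packages that carry an embedded binary. The following is an added example, not code from this thread or from any addon discussed here: it lists executable-looking files in an addon folder (by suffix and by the PE `MZ` header, so a renamed binary is caught as well) and compares SHA-256 snapshots of the addon's script files to report what was added, removed or changed between two points in time. The addon layout, file names and file contents are constructed for the demonstration; the suffix lists are illustrative assumptions rather than site policy.

```python
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

# Assumed, illustrative lists: suffixes a game-addon package normally should not carry,
# and the file types the game loads from an addon folder.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".com", ".scr", ".bat", ".cmd", ".ps1", ".msi"}
SCRIPT_SUFFIXES = {".lua", ".xml", ".txt"}
PE_MAGIC = b"MZ"  # DOS/PE header signature shared by Windows executables and DLLs


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_executables(addon_dir: Path) -> list[str]:
    """Relative paths of files that look executable by suffix or by PE magic.
    The magic check catches a renamed .exe that a suffix-only check would miss."""
    hits = []
    for p in sorted(addon_dir.rglob("*")):
        if not p.is_file():
            continue
        with p.open("rb") as f:
            magic = f.read(2)
        if p.suffix.lower() in EXECUTABLE_SUFFIXES or magic == PE_MAGIC:
            hits.append(p.relative_to(addon_dir).as_posix())
    return hits


def snapshot_scripts(addon_dir: Path) -> dict[str, str]:
    """Map of relative path -> SHA-256 for every script file under the addon folder."""
    return {
        p.relative_to(addon_dir).as_posix(): sha256_of(p)
        for p in sorted(addon_dir.rglob("*"))
        if p.is_file() and p.suffix.lower() in SCRIPT_SUFFIXES
    }


def diff_snapshots(before: dict[str, str], after: dict[str, str]) -> dict[str, list[str]]:
    """Files added, removed or modified between two snapshots."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(k for k in before.keys() & after.keys() if before[k] != after[k]),
    }


def build_sample_addon(root: Path) -> None:
    """Constructed sample package: a manifest, one Lua file, and a PE-like helper
    saved under a non-executable suffix (a hypothetical renamed binary)."""
    (root / "SampleAddon.txt").write_text("## Title: SampleAddon\nSampleAddon.lua\n")
    (root / "SampleAddon.lua").write_text("SampleAddon = {}\nfunction SampleAddon.OnLoad() end\n")
    (root / "helper.bin").write_bytes(PE_MAGIC + b"\x90\x00" + b"\x00" * 61)


def simulate_remote_rewrite(root: Path) -> None:
    """Constructed stand-in for a helper process replacing the addon's Lua with
    whatever a remote server delivered, plus one file that was never in the package."""
    (root / "SampleAddon.lua").write_text(
        "SampleAddon = {}\n-- body now decided by the remote server\nfunction SampleAddon.OnLoad() end\n"
    )
    (root / "RemoteData.lua").write_text("SampleAddonRemote = { fetched = true }\n")


def run_demo() -> tuple[list[str], dict[str, list[str]]]:
    """Build the sample, take a baseline, simulate the rewrite, and report both findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "SampleAddon"
        root.mkdir()
        build_sample_addon(root)
        executables = find_executables(root)
        baseline = snapshot_scripts(root)
        simulate_remote_rewrite(root)
        changes = diff_snapshots(baseline, snapshot_scripts(root))
    return executables, changes


if __name__ == "__main__":
    exes, changes = run_demo()
    print("executable-looking files:", exes)
    print("script changes since baseline:", changes)
```

Taking the baseline right after installing a package and re-running the snapshot later (for instance before each game start) turns the "you wouldn't notice" problem from post #10 into a visible list of changed files; a package that reports any executable-looking file at install time is the case post #15 wants flagged.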
07/31/17, 02:17 PM | #16
And again, writing a filter to ensure that no lua is directly served is difficult and should be tested very well.
07/31/17, 02:31 PM | #17
Also, it seems like many of the complaints are that binaries could contain anything. Maybe a solution would be to completely disallow addon authors to upload binary files, and have the site admins get the source, and then compile it and upload it. I don't know much about compiling stuff though so that might not be feasible. As for being able to write Lua code - that is definitely bad. Here's just a few things that could be done: Destroy all items, promote random (or specific) people to be a guild's GM, prevent grouping, crash the game, hinder PvP. Some of that is relatively contrived, but it's still probably not a good idea.
Sorry about that then, I was going off of the so-called 'quoted' text. Which does bring something up a bit with quoted text, that can be changed to be a bit malicious.
07/31/17, 03:16 PM | #18
Depending on the environment it may not be a simple task to compile various source codes.
07/31/17, 04:42 PM | #19
Realistically, I think there are only two options to protect users from abuse from this kind of addon:
I'm skeptical of the following options:
07/31/17, 06:25 PM | #20
Are the security risks purely because there is an exe file, or are some of the security risks also specific to Nirn Auction House? It does seem like say, Tamriel Trade Center has been available for a while, and I don't think I've heard of a lot of complaints about the security it has. How is it different? (Or is it in the exact same boat?)
ESOUI » Site Forums » Site help, bugs, suggestions/questions » Censorship