New OD tools seems dangerous

rwhunt99
01-31-2018, 06:20 AM
I'm not a programmer or anything, but it seems to me that the new OD tools is setting up for hackers to come in and hack your computer, by allowing you to download directly into LW 2018 without any protection or antiviral scanning? Maybe I'm wrong, just want to get someone who knows, their opinions. Providing hackers the SDK and then assuming there are no malicious people out there is not safe.

gar26lw
01-31-2018, 06:24 AM
sponsored by the foundry? kidding ;)

i dunno, possibly but i am sure oliver is a stand up guy.

01-31-2018, 06:55 AM
Luddites will be Luddites.

If any of us are worth hacking, we've been hacked.

This kind of 'old' thinking is why LW can't move along or become a modern app: everyone wants it to be like "the old one".

Change is afoot.


DON'T USE IT AND YOU WILL BE FINE. No need to warn the rest of us with such paranoia.

Robert

gar26lw
01-31-2018, 07:16 AM
i guess so but at least there are people using lw right now and sure, some don’t like too much change. still good to have them.

allabulle
01-31-2018, 08:49 AM
I don't worry too much about any potential threat of the OD Tools. But in certain environments I can understand it could raise questions. Perhaps a better phrasing, especially a more cautious title, and probably a direct e-mail to the always responsive and open Oliver could satisfy your concerns way better than this thread.

And yet, Robert, come on: it's a question. And he's asking a valid point with arguments. We can answer perfectly well, calmly, without shouting, and avoiding references to paranoia to deflect an attack that wasn't there to begin with. Sure we can. :-)

It could be useful to know how the exchange of information from LightWave to the internet and back is dealt with, or the inner workings of such communications. And to be able to understand the possible threats and safeguards. Even to improve it. Why not? And yes, meanwhile one can use it or not. As a question and not a 'warning' works fine. Isn't it?

rwhunt99
01-31-2018, 08:57 AM
This is not about Oliver, I'm sure he is, this is about the way for hackers to get into your system and perform commands without your ability to control them. As I mentioned, I'm not a programmer and I would hope there are safeguards in place to prevent that kind of thing happening, but in today's environment, it isn't healthy to assume anything.

oliverhotz
01-31-2018, 09:05 AM
This is not about Oliver, I'm sure he is, this is about the way for hackers to get into your system and perform commands without your ability to control them.

I totally understand this. Here's what's going on, just so that it might shed some light.

When you use the "instant download feature", the zip of the content is downloaded to your machine, unzipped, and loaded... (scenes, objects, images, and plugins - for plugins, it's a special case, as they only get added, NOT run - due to security concerns by myself even). The only security that you can really have in such a case is to make sure the content is curated. That's why when you upload something, you don't see it right away. That's because one of the admins will have to approve it, and with that, I mean checking the content. Once it is deemed safe, it should be approved and everyone should be able to see it themselves.

So essentially, these are the security safeguards in place.

1) the user has to be logged in (registered) (easy to get around I guess)
2) the content will be checked by one of the admins before it is actually seen by others (not really something you could get around, and hopefully we'll catch malicious things)
3) you'd have to explicitly click on something to download, nothing is downloaded by "default"

So in the end, is this 100% secure? Probably not, but I am hoping with #2 we would be able to get most of it. To be perfectly honest, given the nature of something like this, I don't know how else you could make it more secure, but of course, we are open to any ideas if they can be achieved.

rwhunt99
01-31-2018, 09:06 AM
Sorry, I thought I was asking an intelligent question, and you can safely ignore it and keep your head in the sand. I want to use it, but I want safely approved plugins, is that too much to ask? As the ignorant rush to use technology they don't fully understand, they get burned because they assume too much. Just like the use of those Fitbits have exposed far too much information to the enemy all the way down to soldiers names and where they are at any time and where installations are. Dumb unprotected use of technology is putting us in dangerous situations.

rwhunt99
01-31-2018, 09:11 AM
Thanks Oliver, perhaps I should have checked with you first, but I hope you understand it was/is a concern. I was curious how could we protect ourselves. I thought, from the way it was described in your announcement, it went directly into your system while you were live in app. This is good information I appreciate it!

RebelHill
01-31-2018, 09:12 AM
I want safely approved plugins, is that too much to ask?

Quid custodis custodit?

oliverhotz
01-31-2018, 09:12 AM
Thanks Oliver, perhaps I should have checked with you first, but I hope you understand it was/is a concern. I was curious how could we protect ourselves. I thought, from the way it was described in your announcement, it went directly into your system while you were live in app. This is good information I appreciate it!

I totally get your concern, and I share it, but yes.. content is being evaluated/approved BEFORE it gets posted on ODROOT.

raymondtrace
01-31-2018, 09:17 AM
...with out any protection or antiviral scanning?

Why are you not using antiviral scanning (or why are you using a malware detection program that does not monitor downloads or changes to the filesystem)?

Providing hackers an SDK is no more dangerous than providing hackers the ability to run javascript in a browser.

Concern is understandable with the ODRoot web page ( https://www.origamidigital.com/lwNews/#page3 ). Before downloading, you must check "I will use this software responsibly and acknowledge the risks" but there is no further description or explanation of risk. Further, the FAQ provides questionable instruction:
"My virus software flags the application.exe ... Ignore the false flag and allow access, please remember to allow your firewall"

There are privacy concerns that could be addressed by analyzing the traffic produced by this program but it is highly unlikely that anything from OD is "dangerous". Oliver has trust. ODRoot is what NewTek should have already done.

oliverhotz
01-31-2018, 09:26 AM
Why are you not using antiviral scanning (or why are you using a malware detection program that does not monitor downloads or changes to the filesystem)?

Concern is understandable with the ODRoot web page ( https://www.origamidigital.com/lwNews/#page3 ). Before downloading, you must check "I will use this software responsibly and acknowledge the risks" but there is no further description or explanation of risk. Further, the FAQ provides questionable instruction:
"My virus software flags the application.exe ... Ignore the false flag and allow access, please remember to allow your firewall"



This is something that could, and will, be better explained. Thanks for pointing that out. We'll add some of the points I mentioned above to the FAQ.

Regarding antiviral scanning or anything like that: It's always good for the user to do that, as mentioned, since you are downloading content first (a zip), that then gets extracted (more files)... they should all be scanned automatically by your installed protection/antivirus scanner.

So in that regard, it's as if you are doing the same thing as when you download any files off of the web, but with the added benefit that in this case it's additionally curated by a 3rd party (us and our admins).

01-31-2018, 10:43 AM
Good day,
(This is Robert under the work id)
Ya know, I get to see people making dumb use of technology daily. I get to see tech guys get hacked and they've no idea why.
Cybersecurity for normal folks is virtually non-existent. It has been that way for a while. When big companies spending millions or billions on security still get hacked, it's mostly hopeful that our firewalls and the like will do their jobs.

Stay diligent, sure, but don't be surprised if all of your due diligence is for naught. For this, no panic mode is needed.


Kudos to others for having made the case much more eloquently than I on this point.

Sensei
01-31-2018, 11:15 AM
All applications and operating systems (especially on smartphones) which automatically update are vulnerable.
A hacker can intercept the router and replace the new update file with a specially prepared executable, which will be installed on your computer/smartphone by the autoupdating code in the application already installed on the machine (and with its permissions).

OnlineRender
01-31-2018, 12:43 PM
@sensei Yeah you would just play middle man ... here are the submission upload allowed MIME types

https://image.prntscr.com/image/7EHZVET-STizMmLfnSEdXQ.png

These are uploaded off-site/with cpanel hosting virus protection scanning the folder directory, which is why you get a slight hit in upload time...

all uploads are curated and manually added, same with user logins...


the blunt irony is, we will host scripts and plugins created by the community, do you physically read *if-possible* all the code every time you install a LightWave plugin?
the only professional advice I would give is, if you are worried don't click the link...

jwiede
01-31-2018, 03:10 PM
3) you'd have to explicitly click on something to download, nothing is downloaded by "default"

Oliver, one thing that might be useful is to allow the user to set a local "malware scan cmd" to be run (if desired) against any downloads. This is a fairly common option among download accelerators, and isn't terribly difficult to implement. Just provide a few "replacement tokens" like '%f=filename, %p=path', and let the user specify the shell command line to run (after replacing the tokens with proper real info).

oliverhotz
01-31-2018, 03:20 PM
Oliver, one thing that might be useful is to allow the user to set a local "malware scan cmd" to be run (if desired) against any downloads. This is a fairly common option among download accelerators, and isn't terribly difficult to implement. Just provide a few "replacement tokens" like '%f=filename, %p=path', and let the user specify the shell command line to run (after replacing the tokens with proper real info).

should not really be necessary for anyone running some sort of protection. That should happen automatically with the person's protection software.

jwiede
01-31-2018, 03:52 PM
should not really be necessary for anyone running some sort of protection. That should happen automatically with the person's protection software.

Depends on the package (and user). When doing operations (3D work, dev work, etc.) that generate lots of new files, having anti-malware packages' "active file scanning" turned on can potentially impact performance, so many will pause or disable it when doing such work. Having the option to automatically run a checker (via CLI) against downloaded files is still quite useful.
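As an added example (not code from OD Tools, and not jwiede's own), here is how the "malware scan cmd" hook from the two posts above could be implemented: the user's template is split into arguments first and the %f/%p tokens are substituted per argument, so a download name containing spaces or shell metacharacters can never become a second command, and any non-zero exit from the scanner refuses the load. The clamscan template is an assumed user setting; the stand-in scanner is constructed so the example runs offline.

```python
import os
import shlex
import subprocess
import sys
import tempfile

# Hypothetical user setting in the style suggested above: %f = file name, %p = full path.
# The template is split BEFORE substitution, so the path is always exactly one argv
# element and no shell is ever involved (no shell=True).
def build_scan_argv(template, path):
    argv = shlex.split(template)          # e.g. 'clamscan --no-summary "%p"' -> 3 elements
    if not argv:
        raise ValueError("empty scan command")
    filename = os.path.basename(path)
    return [arg.replace("%p", path).replace("%f", filename) for arg in argv]

def scan_download(template, path, timeout=60):
    """True only if the scanner exited 0 (clean). A non-zero exit, a missing
    scanner binary or a timeout all mean: do not load this download."""
    argv = build_scan_argv(template, path)
    try:
        result = subprocess.run(argv, capture_output=True, timeout=timeout, check=False)
    except (OSError, subprocess.TimeoutExpired):
        return False
    return result.returncode == 0

# Constructed stand-in for a real scanner (clamscan also uses exit 0 = clean, 1 = found):
# exits 1 if the file contains the marker string "EVIL", else 0.
FAKE_SCANNER = (shlex.quote(sys.executable) + " -c "
                "\"import sys; sys.exit(1 if b'EVIL' in open(sys.argv[1], 'rb').read() else 0)\" %p")

def demo():
    """Scan one clean and one flagged constructed download; return the two verdicts."""
    verdicts = []
    for payload in (b"clean lightwave scene", b"EVIL plugin bytes"):
        # File name deliberately contains a space to show it survives as one argument.
        with tempfile.NamedTemporaryFile(suffix=" odroot download.zip", delete=False) as f:
            f.write(payload)
        try:
            verdicts.append(scan_download(FAKE_SCANNER, f.name))
        finally:
            os.unlink(f.name)
    return verdicts

if __name__ == "__main__":
    print(demo())
```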

Sensei
01-31-2018, 04:08 PM
Antivirus/anti-malware can only detect widely known threats. A custom-made virus can remain undetected forever. Especially if it's doing something which a virus is not expected to do (and doesn't do what is expected of a typical virus).

e.g. an old-school virus was scanning the entire disk, and modifying all the executables (attaching to them),
heuristics can find that something is scanning all the files,
user will be warned about the unexpected event.
Unknown threat is identified.
File is sent to antivirus developers for further investigation,
and a description of the virus is added to the database,
it's released to people using the antivirus.

oliverhotz
01-31-2018, 04:56 PM
This discussion is quickly turning into "This is what you should do if you connect to the internet"

jwiede
01-31-2018, 07:06 PM
This discussion is quickly turning into "This is what you should do if you connect to the internet"

Well, I was trying to avoid that by focusing on a specific workflow modification. In any case, suggestion made.

oliverhotz
01-31-2018, 07:32 PM
Well, I was trying to avoid that by focusing on a specific workflow modification. In any case, suggestion made.

Thanks, it's appreciated, Jon