Forums » Community Projects

Can I Trust That Plugin?

May 17, 2015 Kierky link
Over the next few weeks I will attempt to review and make transparent what each and every plugin does, connects to, and stores about you (and others). Of course the final decision is up to you (of course) whether to use the plugins.

NOTE: The files may be changed by the authors over time, use the local links at the bottom of every review for the actual file I reviewed.

The List (in alphabetical order)

-- Catalog (Version 1.4) (author: Pizzasgood)
-- TargetLess/TouchLess (Version 1.7.15) (author: drazed/slime of [Itan])
-- TGFT_Utilities (Version 1.87/1.88, V1.85) (author: Lisa201 of [TGFT])

To do:

If there are any other plugins they would like me to check out, please leave a reply in this thread and I'll try to have it done within 48 hours.
May 18, 2015 RoboticMechanicalJeb link
TGFT_util. is a NO on my rating
Catalog, just like Trade Assistant, but it's great
Jun 01, 2015 TheRedSpy link
Instead of being retarded and scanning manually just publish a list of API functions to search for in a plugin and compare the functionality that the plugin is supposed to contain with the functionality of the key functions it has in the code.

Its going to stick out like a sore thumb if for instance if FlamboyanceHUD uses the givemoney function, why would it need to give me all your money if it finds /me honks in chat?

Plugins like Anyx that actually download code to be executed should be flagged 'do not use'. There is no way to know what the author is going to execute on your game client.
Jun 08, 2015 abortretryfail link
There's nothing retarded about auditing code manually.

I could implement the example you gave without the words "givemoney", "TheRedSpy" or "honks" being caught by a search.
Jun 09, 2015 TheRedSpy link
Correct, but you can't implement the example without using the API functions that give money or read text or the GKInterface() command referencing 'givemoney'. Which could all be flagged automatically.
Jun 09, 2015 smittens link
Good idea! You may want to add the date you reviewed the plugin too, to further help with knowing what version/state the plugin was in when you looked at it
Jun 11, 2015 abortretryfail link
Sure I can. I'm surprised you've never heard of obfuscated code, TRS.

...especially since of the guys who helped write the game had a thing for it...
Jun 12, 2015 TheRedSpy link
I sort of have, but I don't have a formal education in computer science remember, my formal education is in law which basically means I was formally instructed in how society ran 10 years ago with a view to continuing to run it this way today.

So I'm assuming that's where you write code that writes code.

You're never going to design a system that automatically reviews and guarantees safe code, but you can easily design one that clears it for most things.

To be honest you're making persuasive arguments that the plugin interface for vendetta is too permissive. There's too much fun to be had to make it more restrictive.

If you manually audit the code you're not going to find code obfuscations either though. So even if Kierky goes to all the effort to review it, he might have to say something like "I have no fucking idea what this group of functions does and I couldn't tell what it did when I executed it".

Makes it too complicated to control then you have to have all these stupid discussions about trusting your source.

Might as well just rule out as unsafe all plugins which are written cryptically. Which is where you can just look at the source code to ensure nothing is written poorly, run the automatic analysis and generate the list of functionality that a plugin uses and post that.

It gets to the point where maybe VO should have an actual plugin analyser tool that executes the code in its own little sandbox and outputs what functions it's going to execute. Couldn't you write just a normal lua application to execute the code and print that out? Therefore you'd know what the code did without ever having to execute it in the game client.
Jun 12, 2015 Pizzasgood link
Execution can be conditional. There would be no way to ensure that all functionality got tested.

But yeah, I do agree that you could easily identify most things with some simple grepping and just be very paranoid about anything that looks strange after a visual inspection, and you'd then be relatively secure. But not everybody is willing to put in that effort (or knows enough to do the visual inspection in the first place), so having third parties vouch for plugins is still a useful thing. Obviously to rely on that means you're trusting the third party to be honest and competent, but their vouchsafe still increases the odds that the plugin is actually safe compared to the odds if you only trust the plugin author.

My point is that just like with any other aspect of security, there is no one-size-fits-all solution. Everybody has a different perception of risk and a different level of risk-aversion. Some people install security systems in their houses and get big dogs as backup/deterrence. Nuclear facilities have multifactor authentication along with guards and numerous overlapping security systems. I have a baseball bat.
Jun 12, 2015 smittens link
Since I do have a formal education in Computer Science... as well as



a small correction; obfuscated code is simply code that is written to be unreadable (thanks for the perfect example ARF, the ol Garbage Truck). If you were clever & patient enough you'd be able to work out what it did eventually.

But TRS, what you're talking about is a different & legitimate concern; code downloaded & executed on the fly ("code that writes [& executes] code"). There is simply no way to know what that can do, but Kierky can (and maybe already has?) designate which plugins do this, leaving it as a red flag for players to decide on a case-by-case basis depending on how much they trust the author.
Jun 20, 2015 yodaofborg link
Can I trust that plugin? The answer is NO.

You could vet all of them today, and they could be bad tomorrow. For example: TCS can cause a memory leak in it's makefriends part, that causes clients to crash.

I use it, but that is my choice. And it's the choice of a new generation.

People will really have to use their own judgement when installing 3rd party stuff.
Jun 21, 2015 Kierky link
That's why at the bottom of every review, I provide a copy that I reviewed. Hosted on my own site.
Jun 25, 2015 csgno1 link
Obfuscation can rise to the level of art....