08/01/17, 01:47 AM   #21
sirinsidiator
Join Date: Apr 2014
Posts: 1,567
Originally Posted by Dolgubon View Post
Are the security risks purely because there is an exe file, or are some of the security risks also specific to Nirn Auction House? It does seem like say, Tamriel Trade Center has been available for a while, and I don't think I've heard of a lot of complaints about the security it has. How is it different? (Or is it in the exact same boat?)
I don't think there is any difference besides that one just flew under the radar and the other was spotted?
08/01/17, 02:32 AM   #22
Sordrak
Join Date: May 2017
Posts: 52
Originally Posted by sirinsidiator View Post
I don't think there is any difference besides that one just flew under the radar and the other was spotted?
I agree to a certain degree. I personally never heard of TTC before and I don't know who the author is.

Regarding Nirn Auction House:
I think the exe in this case is a bit more harmful. Even if you compile the source code yourself, the exe is capable of writing Lua code. I don't think TTC is capable of that (not sure, to be honest).

Furthermore, the author of Nirn Auction House seems to have made every possible mistake from the first release on. E.g. copying other authors' source code, deleting posts, ignoring facts, delivering an out of band updater which could install everything.

Maybe the TTC author seemed more trustworthy.
08/01/17, 09:32 PM   #23
silvereyes
Join Date: Aug 2015
Posts: 66
TTC isn't really any different, and quite frankly, I'm concerned about it as well, perhaps even more so.

The main difference this time around is that, while TTC serves to work with the in-game guild trader system, NAH seeks to subvert it with a true auction house. That gained it instant notoriety/infamy on the forums, and subsequently, a lot more scrutiny.

Is the author of TTC more trustworthy? I can't say, but TTC has a bundled auto-updater that has never been required to be taken down. IMO, that is a far more dangerous thing than simply an exe that writes lua. They even host the client and updater on their own site that is linked from their addon page, in case they are ever required to stop bundling them.
08/02/17, 12:37 AM   #24
jpdouble69
Join Date: May 2015
Posts: 13
@Sordak
ESO Forums is the right place to discuss since it gets way more attention and is more user friendly - no one can delete your comments like it can be done in the addon comment section.

Glad you brought it up here too - I will never install an addon installing an exe file on my PC. Thanks for the info!
08/02/17, 12:46 AM   #25
Dolgubon
Join Date: Jan 2016
Posts: 408
Originally Posted by jpdouble69 View Post
@Sordak
ESO Forums is the right place to discuss since it gets way more attention and is more user friendly - no one can delete your comments like it can be done in the addon comment section.

Glad you brought it up here too - I will never install an addon installing an exe file on my PC. Thanks for the info!
Comments on the ESO forums can be deleted if they go off topic, are rude, etc. Of course, they probably won't delete the comments based on the content. But the same can be said for the esoui forums here. While the site admins could delete comments I don't think they would delete them based on the content.
08/05/17, 06:47 AM   #26
Baertram
Super Moderator
WoWInterface Super Mod
Join Date: Mar 2014
Posts: 4,913
I think they meant:
In the ESO official forums only the mods are able to delete the comments. In the esoui forum addon comments, the author can delete the comments.
08/07/17, 03:03 AM   #27
Sordrak
Join Date: May 2017
Posts: 52
Originally Posted by jpdouble69 View Post
@Sordak
ESO Forums is the right place to discuss since it gets way more attention and is more user friendly - no one can delete your comments like it can be done in the addon comment section.

Glad you brought it up here too - I will never install an addon installing an exe file on my PC. Thanks for the info!
Actually, I consider this to be the right place to discuss. Esoui makes the addons available, so they (admins) should care about what they host. Unfortunately, this kind of addon still seems to be considered to be fine as no actions (as far as I know) have been taken (and I don't consider spot checking of a decompiled binary as sufficient).
08/09/17, 07:06 AM   #28
Nita_b2
Join Date: Jul 2017
Posts: 2
I just wanted to put my 2 cents in here regarding the suggestion to pop up a warning to users when they're about to install an addon from a still unknown author.
I am fairly computer literate, certainly enough to understand the discussion here. I can't however write nor decipher a single line of code.
From a user point of view, such a warning is useless. Imagine you're facing a ladder that looks like any other ladder in the world, yet somebody wrote "use at your own risk". There's no way for us "simple users" to make an educated decision about that because we cannot evaluate that risk, nor its potential consequences. The only purpose of such a warning is a waiver of liability for the esoui site. It's no real help for users.
Since ZOS will not interfere with allowing or prohibiting addons (other than via the API), the only "institution" who can make a decision here is... esoui.
If I understand correctly, NAH can be very dangerous... however no one as of now is able to tell if it actually IS dangerous, or not, or may become dangerous.
If you can't... who can? The average ESO player?
In my humble opinion, you guys at esoui should take a stance. I know, it's not easy, you're all benevolent and all. But the reality is, you're the only ones who can. And as such, you should...
08/09/17, 07:33 AM   #29
Dolby
Every day I'm shuffling
Premium Member
WoWInterface Admin
Join Date: Feb 2004
Posts: 1,276
We scan all exes uploaded with VirusTotal along with our automated clamscan; we also spot check decompile them in a sandbox and compare with the provided source. We make sure the exes cannot update themselves or execute other exes, etc.

So the issue here is that this exe can write Lua, so it can possibly write AddOns or modify them on the fly from the server's API. Someone could possibly compromise that server and at worst make the exe write an AddOn that could possibly delete your items? It can do whatever the ESO AddOn API allows it to do. So the risk is limited to what the ESO AddOn API will allow.

The author has had many successful releases so far, has updated code and re-written things when asked. We are keeping a close eye on this project and will pull it if need be. We even alerted ZOS of this project.

With that said, I agree it's a good idea to have a warning on any AddOn that we allow that has an included exe because we could miss something harmful; we are human. We don't normally allow them, only if the author asks and provides source and does not have a way to update the exe remotely.

Last edited by Dolby : 08/09/17 at 08:11 AM. Reason: updated to make sure to add risk of any exe
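A defender-side check for the risk Dolby describes above (a bundled exe that can write or modify Lua in the AddOns folder after the release was reviewed). This is an added example, not code from this thread, from ESOUI or from any addon: it lists bundled binaries so a reviewer knows native code is present, hashes the addon's code files as a baseline, and reports code files that changed or appeared afterwards. It generalizes slightly beyond the exe case, since any post-review change to .lua/.txt/.xml files is flagged whatever wrote it. The addon folder name and file contents are constructed.

```python
import hashlib
import os
import tempfile

CODE_EXT = {".lua", ".txt", ".xml"}   # what an ESO addon is allowed to consist of
BINARY_EXT = {".exe", ".dll"}         # bundled native code that warrants manual review

def _files_with(root, exts):
    """Yield (relative path, absolute path) for files under root whose extension is in exts."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() in exts:
                full = os.path.join(dirpath, name)
                yield os.path.relpath(full, root), full

def snapshot(root):
    """Map each addon code file (relative path) to its SHA-256 digest."""
    hashes = {}
    for rel, full in _files_with(root, CODE_EXT):
        with open(full, "rb") as f:
            hashes[rel] = hashlib.sha256(f.read()).hexdigest()
    return hashes

def find_binaries(root):
    """List bundled executables/DLLs so a reviewer sees that the addon ships native code."""
    return sorted(rel for rel, _ in _files_with(root, BINARY_EXT))

def diff_snapshots(before, after):
    """Return (added, modified, removed) code files between two snapshots."""
    added = sorted(p for p in after if p not in before)
    removed = sorted(p for p in before if p not in after)
    modified = sorted(p for p in after if p in before and after[p] != before[p])
    return added, modified, removed

def demo():
    """Constructed scenario: a bundled helper rewrites Lua after the release was reviewed."""
    root = tempfile.mkdtemp()
    addon = os.path.join(root, "ExampleAddon")  # hypothetical addon folder name
    os.makedirs(addon)
    with open(os.path.join(addon, "Main.lua"), "w") as f:
        f.write("-- code as reviewed in the release\n")
    with open(os.path.join(addon, "helper.exe"), "wb") as f:
        f.write(b"MZ placeholder")  # stand-in bytes, not a real executable
    baseline = snapshot(root)
    # Simulate the out-of-band write: one reviewed file changed, one new file dropped in.
    with open(os.path.join(addon, "Main.lua"), "a") as f:
        f.write("-- appended after install\n")
    with open(os.path.join(addon, "Dropped.lua"), "w") as f:
        f.write("-- new file\n")
    return find_binaries(root), diff_snapshots(baseline, snapshot(root))
```

Run `snapshot()` against the live AddOns directory right after installing a reviewed release, store the result, and re-run `diff_snapshots()` later; anything in added or modified did not come from the reviewed upload.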
08/09/17, 07:58 AM   #30
Sordrak
Join Date: May 2017
Posts: 52
Originally Posted by Dolby View Post
We scan all exes uploaded with VirusTotal along with our automated clamscan; we also spot check decompile them in a sandbox and compare with the provided source. We make sure the exes cannot update themselves or execute other exes, etc.

So the issue here is that this exe can write Lua, so it can possibly write AddOns or modify them on the fly from the server's API. Someone could possibly compromise that server and at worst make the exe write an AddOn that could possibly delete your items? It can do whatever the ESO AddOn API allows it to do. So the risk is limited to what the ESO AddOn API will allow.

The author has had many successful releases so far, has updated code and re-written things when asked. We are keeping a close eye on this project and will pull it if need be. We even alerted ZOS of this project.

With that said, I agree it's a good idea to have a warning on any AddOn that we allow that has an included exe. We don't normally allow them, only if the author asks and provides source and does not have a way to update the exe remotely.
I guess I'll have to repeat myself again.

Scanning the exe with virustotal and clamav is mostly useless, as it will only detect known signatures. It isn't difficult to bypass this. If someone wants to attack the esoui users he certainly wouldn't spread already known malware (bypassing the signature checks of something known is already enough). This check gives only a complete false sense of security. And that's all it is.

Regarding the spot checks: you might miss malware at different levels. Either you may not check the release or the malware might be obscured.

Both of the things above are giving only a false sense of security in my opinion.

Regarding the Lua part. Yes, you're mostly restricted to the limited API (if you do not find any vulnerability to "break out" of it, but I guess that's another topic). Still you can cause harm in many different ways. I guess it's up to the creativity of a potential attacker and I'm not sure if your assessment here is correct. I mean an attacker most likely wouldn't be able to get your e-banking data but most likely could make you bankrupt in game, which actually using such an addon isn't worth.

In this case (including the author's behavior) I do not consider putting a warning on the addon site to be enough.
08/09/17, 08:01 AM   #31
Dolby
Every day I'm shuffling
Premium Member
WoWInterface Admin
Join Date: Feb 2004
Posts: 1,276
Not sure why you need to repeat yourself. What I said does not negate anything you have said... you are correct on most points and I disagree on others.

There is a risk with any exe and I agree, we could miss something. However we do allow it if the author gives out the source, is needed for the addon to work, etc.

Last edited by Dolby : 08/09/17 at 08:10 AM.
08/09/17, 08:14 AM   #32
Sordrak
Join Date: May 2017
Posts: 52
Originally Posted by Dolby View Post
Not sure why you need to repeat yourself. What I said does not negate anything you have said...
Imho it does, or it simply gives a false sense of security.

It sounds like "we're doing a) and b) and therefore everything is fine" while it isn't. It looks like a justification to allow such addons while the justification is simply flawed.

To be more accurate would help, e.g.:
"We do a) and b) and we know it can be easily bypassed, but we ignore that risk, so we believe you can ignore it as well" would be more appropriate and leaves the decision to the reader (or at least forces the user to think about the meaning of it before making a decision). The way you wrote it, it could simply mean: "everything is fine, they check it and are certain it isn't an issue, so there's no risk for me", which is wrong and might lead to a decision which might be a different one knowing more about the situation.

At least that kind of text is what I would prefer, if the addon stays available.
ESOUI » Site Forums » Site help, bugs, suggestions/questions » Censorship