Author: Dann Corbit
Date: 15:23:10 06/29/04
On June 29, 2004 at 15:13:07, Uri Blass wrote:

>On June 29, 2004 at 14:22:48, Dann Corbit wrote:
>
>>On June 28, 2004 at 20:59:09, Angrim wrote:
>>
>>>On June 28, 2004 at 20:37:00, Dann Corbit wrote:
>>>
>>>>On June 28, 2004 at 19:50:19, Peter Berger wrote:
>>>>
>>>>>But I am really quite sure that potential crashes of your movei chess program
>>>>>don't fall into this category for various reasons. I can imagine an attack
>>>>>against Movei running on a chessserver - but how is this threat going to be
>>>>>worked on to threaten someone's computer?
>>>>
>>>>Very simple. Write a rogue engine that sends the overrun to any opponent named
>>>>"movei*"
>>>
>>>no chess server that I have used has the option for one player to
>>>send an arbitrary string of characters to the opponent and pretend that
>>>it is a chessboard.
>>
>>Have you actually examined all the source code for FICS?
>>How about the source code for ChessMaster online?
>>And for all the other online chess systems?
>>
>>The chances for an exploit are not high. But if one does exist, then the damage
>>could be tremendous. It is not difficult to code defensively, and it is a very
>>good habit to cultivate.
>>
>>> Which is what your suggestion would require.
>>>Now a chess server coder could possibly add such an attack, assuming
>>>that your interface program didn't do any sanity checking, but that
>>>is taking paranoia pretty far.
>>
>>There are literally thousands of virus and worm attacks. Some nitwits seem to
>>spend all their waking hours looking for, and finding, exploits. I am guessing
>>that one could be found if enough effort were put into it. Would you like to be
>>responsible for a literal billion dollars in damage when 15 minutes of code
>>review could have totally prevented it?
>
>I am still considering whether to put Movei back on Leo's page.
>
>The question is also what is the probability that viruses will use some free
>engine when they probably can use some commercial engine that is used by more
>people.
Since a large number of people have already downloaded it, putting it back is probably not of any real impact. There probably is an exploit, if array overwrites are possible, but it is not likely that someone will bother writing one. Of course, it could happen, but it is not an imminent danger from a probability standpoint. Exploits are far more likely to occur with programs where millions of people have them already. I think a logical course is to give Leo a new one when you have added corrections that prevent simple attacks. In the meantime, whether you take it down or leave it up is up to you.
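The kind of input sanity check discussed in this thread, as an added example that is not part of the original posts and is not Movei's code: a C routine that parses the piece-placement field of a FEN board string from an untrusted peer into a fixed 64-square array and rejects anything that would write past it. The function name, the choice of FEN as the board format, and the sample strings are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define SQUARES 64

/* Parse the piece-placement field of a FEN string into board[64].
   Returns 0 on success, -1 if the input is malformed or would index
   outside the board. The input is treated as untrusted. */
int parse_placement(const char *fen, char board[SQUARES])
{
    size_t sq = 0;          /* next square to fill; always rank*8 + file */
    int file = 0, rank = 0; /* squares used in this rank, ranks completed */

    if (fen == NULL)
        return -1;
    memset(board, '.', SQUARES);
    for (const char *p = fen; *p != '\0' && *p != ' '; p++) {
        char c = *p;
        if (c == '/') {                       /* rank separator */
            if (file != 8 || ++rank > 7)      /* short rank or a 9th rank */
                return -1;
            file = 0;
        } else if (c >= '1' && c <= '8') {    /* run of empty squares */
            if (file + (c - '0') > 8)
                return -1;
            file += c - '0';
            sq += (size_t)(c - '0');
        } else if (strchr("pnbrqkPNBRQK", c) != NULL) {
            if (file >= 8)                    /* rank already full: no write */
                return -1;
            board[sq++] = c;
            file++;
        } else {
            return -1;                        /* any other byte is rejected */
        }
    }
    return (rank == 7 && file == 8 && sq == SQUARES) ? 0 : -1;
}

int main(void)
{
    char board[SQUARES];
    /* Constructed samples: a legal start position and an over-long rank. */
    const char *samples[] = {
        "rnbqkbnr/pppppppp/8/8/8/8/PPPPPPPP/RNBQKBNR w KQkq - 0 1",
        "QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("sample %zu -> %d\n", i, parse_placement(samples[i], board));
    return 0;
}
```

The bound is enforced before every store, so the length of the incoming string never matters: the parser stops at the first byte that does not fit the 8x8 layout.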
Last modified: Thu, 15 Apr 21 08:11:13 -0700
Current Computer Chess Club Forums at Talkchess. This site by Sean Mintz.