Author: Uri Blass
Date: 03:15:59 06/30/04
On June 29, 2004 at 18:23:10, Dann Corbit wrote:

>On June 29, 2004 at 15:13:07, Uri Blass wrote:
>
>>On June 29, 2004 at 14:22:48, Dann Corbit wrote:
>>
>>>On June 28, 2004 at 20:59:09, Angrim wrote:
>>>
>>>>On June 28, 2004 at 20:37:00, Dann Corbit wrote:
>>>>
>>>>>On June 28, 2004 at 19:50:19, Peter Berger wrote:
>>>>>
>>>>>>But I am really quite sure that potential crashes of your movei chess program
>>>>>>don't fall into this category for various reasons. I can imagine an attack
>>>>>>against Movei running on a chess server - but how is this threat going to be
>>>>>>worked on to threaten someone's computer?
>>>>>
>>>>>Very simple. Write a rogue engine that sends the overrun to any opponent named
>>>>>"movei*"
>>>>
>>>>no chess server that I have used has the option for one player to
>>>>send an arbitrary string of characters to the opponent and pretend that
>>>>it is a chessboard.
>>>
>>>Have you actually examined all the source code for FICS?
>>>How about the source code for ChessMaster online?
>>>And for all the other online chess systems?
>>>
>>>The chances for an exploit are not high. But if one does exist, then the damage
>>>could be tremendous. It is not difficult to code defensively, and it is a very
>>>good habit to cultivate.
>>>
>>>> Which is what your suggestion would require.
>>>>Now a chess server coder could possibly add such an attack, assuming
>>>>that your interface program didn't do any sanity checking, but that
>>>>is taking paranoia pretty far.
>>>
>>>There are literally thousands of virus and worm attacks. Some nitwits seem to
>>>spend all their waking hours looking for, and finding, exploits. I am guessing
>>>that one could be found if enough effort were put into it. Would you like to be
>>>responsible for a literal billion dollars in damage when 15 minutes of code
>>>review could have totally prevented it?
>>
>>I am still considering whether to put movei back on Leo's page.
>>
>>The question is also what is the probability that viruses will use some free
>>engine when they probably can use some commercial engine that is used by more
>>people.
>
>Since a large number of people have already downloaded it, putting it back is
>probably not of any real impact. There probably is an exploit, if array
>overwrites are possible, but it is not likely that someone will bother writing
>one. Of course, it could happen, but it is not an imminent danger from a
>probability standpoint. Exploits are far more likely to occur with programs
>where millions of people have them already. I think a logical course is to give
>Leo a new one when you have added corrections that prevent simple attacks. In
>the meantime, whether you take it down or leave it up is up to you.

I decided to let Leo put movei back on his site, and I sent him an email about it.

Uri
Last modified: Thu, 15 Apr 21 08:11:13 -0700
Current Computer Chess Club Forums at Talkchess. This site by Sean Mintz.