[DGD] Re: Net Security

Logic logic at logic.net
Tue Mar 17 22:19:38 CET 1998


(Yes, I said I'd only post once about this, but hey, I lied. Btw, in case
anyone misreads me, I'm really playing devil's advocate here; it's not an
incredibly driving concern for me, but I find these kinds of discussions
interesting. ;-)

On Tue, 17 Mar 1998, Felix A. Croes wrote:
> Now you can be absolutely sure that whatever is being done with DGD, it
> will not affect your machine other than by taking a certain amount of
> disk space, memory, CPU time and network bandwidth.

Good point. Quotas, ulimits, and traffic shaping can cover all of those
nicely. While this argues well against a default of having networking
functionality active, it doesn't speak to the idea of making it a
run/compile-time option for the administrator.

However, I remember hearing your arguments from a long time ago on the
topic of configurable language modifications (I believe the argument was
the option of having a huge set of compile time options like 3.2.1 and
MudOS to define how you wanted the language to work, which essentially
killed the ability to take code from one server and have it work
unmodified on another), so I won't press this issue -too- loudly. ;-)

Maybe a "contrib" module which is simply part of the distribution proper?
It's there if you want it, and it's got that "official" (i.e.
semi-supported) feel to it. It also would have a warning stamped on it of
the potential problems that the system could cause.

> With DGD, it is also a matter of responsibility.  I provide software
> that can be configured in such a way that there is <no way> to exceed
> certain known limitations.

No argument here; there must always be a safe(!) configuration which
provides a limited set of functionality, and an associated level of risk.
But note the "configured in such a way"...:-)

> and really, it is up to me to determine what DGD does or does not
> provide.

Absolutely. And of course, it is up to the users to lobby you for change.
;-) This point pretty much sums it up, though...it's really your code, and
if you're uncomfortable about an addition, it's always going to be your
call.

> As DGD is a successful commercial product, the distinction is not
> unimportant.

This puts a whole other spin on the argument; you as the developer
definitely have a responsibility to your customers to provide a securely
configured product. However, I'll mention that "configured" thing
again...;-)

For curiosity's sake, are the majority of your commercial customers using
DGD for producing games or groupware apps, or are they using it as a
general language platform? (Most of me is actually hoping the latter,
although I'm expecting the former...)

Any really creative uses you've seen so far (either commercial or
ordinary use), aside from the standard "cool" apps (lpmoo, etc)?

> Now you are letting your rhetoric get the better of you (compare "find
> me another language..." with "most other languages" below).

It was 2:00 am. I claim insufficient sleep. ;-)

> I find it curious that you consider the administrators who would accept
> the risk posed by a programmable environment with outgoing connections
> the more capable.

Not really; I consider them forewarned of the risks involved. Capability
isn't really a concern of mine; only the administrator can make a
judgement about their ability to juggle the security issues involved in
something like this.

Also, the security concerns of networking primitives in LPC are very minor
in some development situations; an interactive groupware application (such
as a traditional mud) certainly has its concerns due to the level of
programmability that individual users are granted. Using LPC to develop
simple network services, however, without any kind of interactive "login"
scheme, lowers the risks considerably. In this type of application, the
functionality is a boon, with little to no risk (unless your entire system
is compromised, in which case you have worse problems than your DGD web
server being tinkered with ;-).

> As for the incapable administrators, I believe I give them sufficient
> allowing them to misconfigure it :)

Heh. :-)

-- 
  _ ____ ____________________________________________________________________
 / /___/\__                                                                  \
/  \   \ \/\  logic at logic.net                                                 \
\   \   \  /  http://www.logic.net/~logic/                                    /
 \___\___\/__________________________________________________________________/





