Return to “Scripting & Modding”

Re: LTSL - pipes & sockets ?

#16
If there is the functionality of making operating system calls from inside LTSL ( similar to a System() call in c++ or exec() in c ), or calls to external scripts (such as python) it should be trivially easy to setup some simple LTSL networking functionality. Multiplayer would still be a giant hassle since you would have to do all the synchronization stuff from scratch, but getting networking into the game should be simple with external calls. The question then is if that will be possible. Im sure Josh could implement external script calls in an hour or two, but I dont know if he would want to, since it would open up such a huge possibility for abuse. All we would need would be one script kiddy to put out some malicious mods ( and lets be honest it would probably be me ) to turn off the entire community from modding.

Re: LTSL - pipes & sockets ?

#18
Im with katorone, you dont need external function calls from LTSL, you just need a handful of functions in LTSL.

Also a externally called function would also need to be able to network, as it has to be written in LTSL, or h would need to implement calls to general purpose precompiled libaries (dll's or the linux equicalent).
Which would create much more concerns than simple scripts which everyone can read and reverse engineer

Re: LTSL - pipes & sockets ?

#19
TGS wrote:Though that being said, one thing I would be curious on. Is how well LT would run in a virtualized environment. I actually virtualize my primary workstation as well as several older gaming platforms. So the simple truth is even if LTSL had significant function exposure and could be exploited in a way that could bring great harm to your computer, you could easily isolate it within a VM when trying scripts. Proactive defensive and all that. I have a number of malware testbeds that I run things in for this reason.
Security should never be a reason to exclude functionality. If security is an issue, place warnings all over the place. Promote proactive defense rather than excluding functionality to prevent future abuse. As was posted before. a chrooted environment. Virtualized environment. Sandboxed environment. Even an appropriate firewall are all methods to protect yourself proactively. Furthermore at the end of the day we're talking about scripts. Mods. Things a person has to download and enable. It is no different from most lazy malware in that the user has to essentially infect themselves. Given that short of encoding the scripts, the code will be visible thus can be scrutinized there is unlikely to ever be a situation where malicious code can be hidden within a script for any length of time. If you are accepting scripts from unreliable sources then you carry the burden of risk. Regardless of what functionality Josh exposes to the language.

Re: LTSL - pipes & sockets ?

#20
TGS wrote:Security should never be a reason to exclude functionality. If security is an issue, place warnings all over the place. Promote proactive defense rather than excluding functionality to prevent future abuse. As was posted before. a chrooted environment. Virtualized environment. Sandboxed environment. Even an appropriate firewall are all methods to protect yourself proactively. Furthermore at the end of the day we're talking about scripts. Mods. Things a person has to download and enable. It is no different from most lazy malware in that the user has to essentially infect themselves. Given that short of encoding the scripts, the code will be visible thus can be scrutinized there is unlikely to ever be a situation where malicious code can be hidden within a script for any length of time. If you are accepting scripts from unreliable sources then you carry the burden of risk. Regardless of what functionality Josh exposes to the language.
I'm a fan of personal responsibility.

Even so, you are asking an awful lot of gamers who might be older, or quite young, or not computer-savvy for whatever reason. Yes, people "ought" to apply at least basic protections... but LT should not be designed to be an easy vector for attacks. There is no possible way the publicity that LT would get for being easy to hijack for malicious intent could be anything but bad.

I don't believe the enhancement to LT's gameplay (beyond the single-player stuff that is its focus) could justify the horrible PR that LT would get if it was actually designed to be easy to trojanize. Somebody who just wanted to play a game is not going to appreciate being told, "It's your fault; you should have protected yourself better from this game."

Re: LTSL - pipes & sockets ?

#22
A mod design requirement + mod loader integration would also come handy.

You would have to announce in your manifest that you want to use sockets.

If you dont announce it in your manifest, you dont have socket access.

The mod loader would then inform the player about mods which use network access.

Maybe you could even toggle it on a per-mod basis.


We could extend this to other functionalities too.
editinf other scripts (adding lines to the ship spawn code for example) and similar functionalities

In extreme form one could toggle access per announcement line.

Allow editing of ship_spawn.ltsl
allow editing of targetting.ltsl
Disallow socket access etc.

Re: LTSL - pipes & sockets ?

#23
Flatfingers wrote:
TGS wrote:Security should never be a reason to exclude functionality. If security is an issue, place warnings all over the place. Promote proactive defense rather than excluding functionality to prevent future abuse. As was posted before. a chrooted environment. Virtualized environment. Sandboxed environment. Even an appropriate firewall are all methods to protect yourself proactively. Furthermore at the end of the day we're talking about scripts. Mods. Things a person has to download and enable. It is no different from most lazy malware in that the user has to essentially infect themselves. Given that short of encoding the scripts, the code will be visible thus can be scrutinized there is unlikely to ever be a situation where malicious code can be hidden within a script for any length of time. If you are accepting scripts from unreliable sources then you carry the burden of risk. Regardless of what functionality Josh exposes to the language.
I'm a fan of personal responsibility.

Even so, you are asking an awful lot of gamers who might be older, or quite young, or not computer-savvy for whatever reason. Yes, people "ought" to apply at least basic protections... but LT should not be designed to be an easy vector for attacks. There is no possible way the publicity that LT would get for being easy to hijack for malicious intent could be anything but bad.

I don't believe the enhancement to LT's gameplay (beyond the single-player stuff that is its focus) could justify the horrible PR that LT would get if it was actually designed to be easy to trojanize. Somebody who just wanted to play a game is not going to appreciate being told, "It's your fault; you should have protected yourself better from this game."
Most games by nature cannot be trojanized to use your term. I've been around the gaming scene for over twenty years and out of the thousands of games I've played over that time I would say maybe 4 had the capacity for danger in the form of a trojan. Maybe 10 had the capacity of any real danger through scripting. In every single one of those cases the danger was very easily mitigated or avoided by simply being reasonably careful.

What I would say is that regardless of how intelligent or computer savvy you are, if you don't know what x script/program/code will do. Do not use it. We should never limit the depth or capacity of the game due to the potential ignorance of its players. In my experience though, most who know little about scripts probably aren't going to use them at all. Minecraft is a good example of this. People who aren't very good or knowledgeable will not use mods because most of them require some technical knowledge. Unless of course they include mod loaders or installers. In which case there are several other attack vectors before the game is even considered.

As far as it being "easy" to hack. LTSL could expose every facet of C++ to the user. It could be completely weaponized in the form of virus/trojans/adware/malware/etc and it will NEVER be easy. Nor would it even be practical. Even if it were, the fault would not fall on LT or Josh. It would fall on the users themselves. Microsoft doesn't get blamed for the countless vulnerabilities in their OS (generally speaking of course). Most software vendors do not get blamed for faults in their software that allow exploitation. There is rarely any reason to blame anyone except those who create the malicious actions/code/scripts etc. If it isn't them that is blamed, the user is blamed.

The closest thing I could see happening to cause Josh/LT any dramas in terms of it's scripting language being exploited would be someone using the scripting language to execute arbitrary OS-level code that is malicious, which would not be Josh's fault.

Anyway all of this is somewhat off-topic as the OP was not talking about this lol.

Re: LTSL - pipes & sockets ?

#24
On a more positive note, if we were to have socket access and there was some practical mod loader/community mod moderation, the game is opened up to the entire internet. You want to watch football in a ingame browser window? you got it! You want to have your system generator create gas clouds using the current bitcoin price as the seed value? You got it! Everything from effective multiplayer to dynamic worlds, changing as news events happen in the real world.


All hype aside, networking is probably a LT2.0 feature. Next February after Josh has had time to get bored of rolling around in money and starts feeling the itch to code, maybe then we will see network capability.

Re: LTSL - pipes & sockets ?

#25
Josh Parnell wrote:I may implement something that automatically marks mods using web / network functions as 'high risk' / 'requires network access' so that users know if a given mod is going to be trying to download or send stuff over a network
Sockets confirmed! Rejoice! :clap: :clap: :thumbup:
Beware of he who would deny you access to information, for in his heart he dreams himself your master.

Re: LTSL - pipes & sockets ?

#26
Katorone wrote:
Josh Parnell wrote:I may implement something that automatically marks mods using web / network functions as 'high risk' / 'requires network access' so that users know if a given mod is going to be trying to download or send stuff over a network
Sockets confirmed! Rejoice! :clap: :clap: :thumbup:
:o

Guess the rest o the MP mod is the easy stuff then. Rock on. :thumbup:
Image
Early Spring - 1055: Well, I made it to Boatmurdered, and my initial impressions can be set forth in three words: What. The. F*ck.

Re: LTSL - pipes & sockets ?

#29
thesilverspanch wrote:... You want to watch football in a ingame browser window? you got it! ...
Ah good. I was re-reading this thread to see if that had been answered before I opened a new one.

I was thinking about in game videos (for tutorials initially) which led me to wanting to ask could we stream video in game? which is sill a question in its own merit, but if not, then at least using a html5 compliant "in game" browser would do the job. :D

Thinking on, same could be used for apps built by non programmers using 3rd party dev tools (construct2 springs to mind) that then could be hooked into LT. Which leads to another question - going against normal browser behavior - would the in-game browser be able to get data to LT from an externally hosted web page within the browser? I don't want to assume so at this stage. And does this open up any issues along the security concerns.
LTP Fleet Battles on Youtube

Re: LTSL - pipes & sockets ?

#30
I just want to point out other security concerns for those reading. If LT mods have unrestricted file access and/or network access, then a malicious script may also:
  • upload files to the internet. Think /etc/passwd for *nix users or ssh keys for any platform. Or even your documents & photos.
  • probe open ports on PC.
  • tunnel/proxy internet connections to PC, bypassing your router's firewall, and allows an attacker to poke directly at ports on your LAN.
  • delete/corrupt files owned by you. or system files if you play LT with an admin account.
As said before, if you can't read the LTSL in a mod, then don't run it.

FYI.

Online Now

Users browsing this forum: No registered users and 1 guest

cron