TGS wrote:Security should never be a reason to exclude functionality. If security is an issue, place warnings all over the place. Promote proactive defense rather than excluding functionality to prevent future abuse. As was posted before. a chrooted environment. Virtualized environment. Sandboxed environment. Even an appropriate firewall are all methods to protect yourself proactively. Furthermore at the end of the day we're talking about scripts. Mods. Things a person has to download and enable. It is no different from most lazy malware in that the user has to essentially infect themselves. Given that short of encoding the scripts, the code will be visible thus can be scrutinized there is unlikely to ever be a situation where malicious code can be hidden within a script for any length of time. If you are accepting scripts from unreliable sources then you carry the burden of risk. Regardless of what functionality Josh exposes to the language.
I'm a fan of personal responsibility.
Even so, you are asking an awful lot of gamers who might be older, or quite young, or not computer-savvy for whatever reason. Yes, people "ought" to apply at least basic protections... but LT should not be designed to be an easy vector for attacks. There is no possible way the publicity that LT would get for being easy to hijack for malicious intent could be anything but bad.
I don't believe the enhancement to LT's gameplay (beyond the single-player stuff that is its focus) could justify the horrible PR that LT would get if it was actually designed to be easy to trojanize. Somebody who just wanted to play a game is not going to appreciate being told, "It's your fault; you should have protected yourself better from this game."
Most games by nature cannot be trojanized to use your term. I've been around the gaming scene for over twenty years and out of the thousands of games I've played over that time I would say maybe 4 had the capacity for danger in the form of a trojan. Maybe 10 had the capacity of any real danger through scripting. In every single one of those cases the danger was very easily mitigated or avoided by simply being reasonably careful.
What I would say is that regardless of how intelligent or computer savvy you are, if you don't know what x script/program/code will do. Do not use it. We should never limit the depth or capacity of the game due to the potential ignorance of its players. In my experience though, most who know little about scripts probably aren't going to use them at all. Minecraft is a good example of this. People who aren't very good or knowledgeable will not use mods because most of them require some technical knowledge. Unless of course they include mod loaders or installers. In which case there are several other attack vectors before the game is even considered.
As far as it being "easy" to hack. LTSL could expose every facet of C++ to the user. It could be completely weaponized in the form of virus/trojans/adware/malware/etc and it will NEVER be easy. Nor would it even be practical. Even if it were, the fault would not fall on LT or Josh. It would fall on the users themselves. Microsoft doesn't get blamed for the countless vulnerabilities in their OS (generally speaking of course). Most software vendors do not get blamed for faults in their software that allow exploitation. There is rarely any reason to blame anyone except those who create the malicious actions/code/scripts etc. If it isn't them that is blamed, the user is blamed.
The closest thing I could see happening to cause Josh/LT any dramas in terms of it's scripting language being exploited would be someone using the scripting language to execute arbitrary OS-level code that is malicious, which would not be Josh's fault.
Anyway all of this is somewhat off-topic as the OP was not talking about this lol.