The problems are:
*Preventing that a script affects the user's own computer.
*Wether it does or not, preventing the infected computer from affects other net users, them (the other) having no viable way of stopping it.
*Preventing the antivirus companies from having to mention Messanger Plus! in their virus descriptions.
quote:
Originally posted by FoboldFKY
Anyway, as for the concerns about security, that's always a problem. I mean, what was said about OnFileRecieve would be a huge problem... but I try to look at it like this: if someone really wanted to install a trojan on your system, they wouldn't even need to use Messenger.
I completely agree, but a worm or trojan can use Messenger w/Plus! scripting as a transport. Once it arrives, it might install itself.
I won't like a Kitro-variant worm that works like that. The worst about the Kitro worm was that it sent you 315KB messages to your Hotmail inbox, containing the virus. If I had 1MB used up in my Inbox, it only took 3 messages to fill it up, rejecting almost any other new message, particularly if it had an attachment. If my boss wished me to send a 300K spreadsheet he simply couldn't via e-mail. I use that account for both, work and home. It is no option for me to "get another account".
I'd like to emphasize that by saying that unexperienced users just open up attachments without taking care. Once their computers get infected, they won't notice it.
quote:
Personally, I believe a good solution would be to implement these OnFileRecieved events, but place options in Plus! to disable them being called.
I like the idea. What about if used together with:
quote:
However, in this system, no plugin can run itself in any way; the user must explicity enable each and every plugin weather it be one that runs and then terminates (eg: displays a dialog and quits) or runs in the background (listening for events).
... which translates to "I believe a good solution would be to implement these OnFileRecieved events, but place options in Plus! to disable them being called, having them disabled by default."
As in the security world is said: The safest configuration out-of-the-box.
quote:
Of course, the capability of a script to change the program's settings so it CAN run at any time is a problem...
My opinion is to go ahead with scripting. A little trick to make sure that scripts can't be run directly would be to XOR them against a number, just so that they can ONLY be run via Plus.
You make a couple of good points here being the first the most dangerous, IMHO.
As far as I can think, the second one wouldn't be so much of a problem, because if Plus isn't loaded, the script won't run, and if it is, the script should (would?) behave the same way when run from Plus or from any other process. I'm thinking on a script having no coding limits. If it wants to access the hard disk, so be it, just don't allow it to use Plus! for turning it into a worm.
I think Patchou will have several opinions from both users point of view and technical issues. This will sure help him make a good decision when the time comes. I'm glad.
Octavio.
Script? did I hear script?
