POV-Ray : Newsgroups : povray.advanced-users : WARNING: #exec and safety
  WARNING: #exec and safety (Message 11 to 20 of 47)  
From: Margus Ramst
Subject: Re: WARNING: #exec and safety
Date: 19 Oct 1999 15:12:26
Message: <380CC265.7C6ADAB4@peak.edu.ee>
Nieminen Juha wrote:
> 
>   I was looking through Ken's links and ended up in this page:
> http://www.io.com/~wwagner/pov.html
> 
>   I would want to seriously warn about this #exec patch (specially
> because povray 3.5 might include it).
> 
>   Povray is currently quite safe to use. You can download a .pov file and
> render it with povray and the only harm it can do is to create an image
> file. It just can't do anything else. You can safely render a 10000 lines
> long pov file without having to worry about what does it contain.
> 

The concern is of course not without cause. But the inclusion of file i/o
statement has already rendered this argument untrue. Yes, the #exec command
would facilitate writing malicious scripts, but the potential is already there.
Anyway, there are a thousand and one ways for the average Windows user to get
screwed (no, I mean figuratively speaking). Given all these options, is it really
likely that someone would specifically target the POV users?
I personally would like to have this functionality, since it is a very flexible
feature.

Margus



From: Peter Popov
Subject: Re: WARNING: #exec and safety
Date: 19 Oct 1999 17:07:13
Message: <j9gMOFih=QST+XrC2xH8cQANFGbf@4ax.com>
On Tue, 19 Oct 1999 11:54:39 -0700, Ken <tyl### [at] pacbellnet> wrote:

>If any of those infamous POV-Ray Bulgarian hackers hear about this we
>are all doomed !!!
>
>Hi Peter :)

Hi Ken :)

AFAIK I am the only Bulgarian who is using POV (after my friend
Stephan quit using it in favor of ASP programming yuck!). And you Ken
are the last person/AI to worry about. We've tried, God knows we've
tried, but the Ken secure grid is unbreakable (it were those darn
lasers that blew Ian's bum off the rail).




Peter Popov
ICQ: 15002700



From: Mark Wagner
Subject: Re: WARNING: #exec and safety
Date: 20 Oct 1999 01:27:46
Message: <380d52d2@news.povray.org>
Nieminen Juha wrote in message <380c362a@news.povray.org>...
>  I was looking through Ken's links and ended up in this page:
>http://www.io.com/~wwagner/pov.html
>
>  I would want to seriously warn about this #exec patch (specially
>because povray 3.5 might include it).
>
>  Povray is currently quite safe to use. You can download a .pov file and
>render it with povray and the only harm it can do is to create an image
>file. It just can't do anything else. You can safely render a 10000 lines
>long pov file without having to worry about what does it contain.


Along these lines, it *is* possible to write a POV-Ray virus that infects
POV scene files.  However, as things stand right now, the incredible disk
thrashing that would occur as the virus tries to find files to infect would
clue anyone in to what is happening.

Mark



From: omniVERSE
Subject: Re: WARNING: #exec and safety
Date: 20 Oct 1999 02:07:45
Message: <380d5c31@news.povray.org>
You are joking, right?  8^]  I mean disk thrashing can be a way of life if
the file(s) parse a great deal or otherwise use extensive amounts of memory,
as many must know.

Bob

Mark Wagner <mar### [at] gtenet> wrote in message
news:380d52d2@news.povray.org...
>
> Nieminen Juha wrote in message <380c362a@news.povray.org>...
> >  I was looking through Ken's links and ended up in this page:
> >http://www.io.com/~wwagner/pov.html
> >
> >  I would want to seriously warn about this #exec patch (specially
> >because povray 3.5 might include it).
> >
> >  Povray is currently quite safe to use. You can download a .pov file and
> >render it with povray and the only harm it can do is to create an image
> >file. It just can't do anything else. You can safely render a 10000 lines
> >long pov file without having to worry about what does it contain.
>
>
> Along these lines, it *is* possible to write a POV-Ray virus that infects
> POV scene files.  However, as things stand right now, the incredible disk
> thrashing that would occur as the virus tries to find files to infect would
> clue anyone in to what is happening.
>
> Mark
>
>



From: Jon A  Cruz
Subject: Re: WARNING: #exec and safety
Date: 20 Oct 1999 03:07:04
Message: <380D6A55.599B0758@geocities.com>
And on Windows NT it's worse. I just got a new NT box placed in my office.
After booting into NT, and without even attempting to log-in, just booting, it
went crazy. After coming up with the NT log-in thingie, it then went into over
5-10 minutes of just constant disk thrashing. And that was with me not doing
anything.


omniVERSE wrote:

> You are joking, right?  8^]  I mean disk thrashing can be a way of life if
> the file(s) parse a great deal or otherwise use extensive amounts of memory,
> as many must know.
>
> Bob
>
> Mark Wagner <mar### [at] gtenet> wrote in message
> news:380d52d2@news.povray.org...
> >
> >
> > Along these lines, it *is* possible to write a POV-Ray virus that infects
> > POV scene files.  However, as things stand right now, the incredible disk
> > thrashing that would occur as the virus tries to find files to infect would
> > clue anyone in to what is happening.
> >
> > Mark
> >
> >



From: Remco de Korte
Subject: Re: WARNING: #exec and safety
Date: 20 Oct 1999 03:17:13
Message: <380D6C9A.8D8B757D@xs4all.nl>
Nieminen Juha wrote:
> 
>   With #system/#exec it may be a good idea what I suggested earlier: you
> have to specify a command line switch to enable it.
> 

A command line switch wouldn't do. Somebody already mentioned that you'd
probably put that in an inifile and forget about it. Prompting with every
POV-session would be better I think (as with the file-saving). I don't know if
this is as easy on all platforms.

Remco



From: Remco de Korte
Subject: Re: WARNING: #exec and safety
Date: 20 Oct 1999 03:23:22
Message: <380D6E0A.481BA874@xs4all.nl>
Margus Ramst wrote:
> 
> 
> The concern is of course not without cause. But the inclusion of file i/o
> statement has already rendered this argument untrue. Yes, the #exec command
> would facilitate writing malicious scripts, but the potential is already there.
> Anyway, there are a thousand and one ways for the average Windows user to get
> screwed (no, I mean figuratively speaking). Given all these options, is it really
> likely that someone would specifically target the POV users?
> I personally would like to have this functionality, since it is a very flexible
> feature.
> 
> Margus

There are of course those outcasts that hate POV enough to target only that
group ;)

But seriously: it would be a great way to bypass all security measures because
there is no virus scanner yet that scans pov-scripts. 
I hadn't thought of the possibility before, but Nieminen had a point here. As
with the macro-viruses: it sounds silly until it happens to you.

Remco



From: Nieminen Juha
Subject: Re: WARNING: #exec and safety
Date: 20 Oct 1999 07:50:26
Message: <380dac82@news.povray.org>
Remco de Korte <rem### [at] xs4allnl> wrote:
: A command line switch wouldn't do. Somebody already mentioned that you'd
: probably put that in an inifile and forget about it.

  I mentioned it myself. Of course it's not perfect, but at least it's better
than nothing.
  At least if you try to render a scene downloaded from a strange place,
you can check that it will not do any system calls nor file writings before
you render it.

: Prompting with every
: POV-session would be better I think (as with the file-saving). I don't know if
: this is as easy on all platforms.

  It's very difficult to achieve this kind of prompting with ANSI C.
  It also would be extremely tedious if you would need to answer to a
prompt every time you render your own scene.

-- 
main(i,_){for(_?--i,main(i+2,"FhhQHFIJD|FQTITFN]zRFHhhTBFHhhTBFysdB"[i]
):5;i&&_>1;printf("%s",_-70?_&1?"[]":" ":(_=0,"\n")),_/=2);} /*- Warp -*/
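
The pre-render check described in the post above (confirming that a downloaded scene makes no system calls or file writes), as an added example that is not part of the thread or of POV-Ray. `scan_scene`, `RISKY` and the sample scene are constructed for illustration; the `#exec`/`#system` spellings come from the thread and their argument syntax is assumed.

```python
import re

# #fopen/#write are POV-Ray file I/O; #exec/#system are the patch directives
# named in the thread (syntax assumed). Blanks after '#' are accepted.
RISKY = {"exec", "system", "fopen", "write"}
DIRECTIVE = re.compile(r"#[ \t]*([A-Za-z_]\w*)")

def scan_scene(text):
    """Return [(line, directive)] for risky directives outside comments/strings."""
    hits, i, line, depth, n = [], 0, 1, 0, len(text)
    while i < n:
        two = text[i:i + 2]
        if text[i] == "\n":
            line += 1
            i += 1
        elif two == "/*":          # block comments nest in POV-Ray SDL
            depth += 1
            i += 2
        elif depth and two == "*/":
            depth -= 1
            i += 2
        elif depth:                # anything else inside a block comment
            i += 1
        elif two == "//":          # line comment: skip to end of line
            j = text.find("\n", i)
            i = n if j < 0 else j
        elif text[i] == '"':       # string literal: skip, honouring escapes
            j = i + 1
            while j < n and text[j] != '"':
                j += 2 if text[j] == "\\" else 1
            line += text.count("\n", i, j)
            i = j + 1
        elif text[i] == "#":       # directive in live code
            m = DIRECTIVE.match(text, i)
            if m and m.group(1) in RISKY:
                hits.append((line, m.group(1)))
            i = m.end() if m else i + 1
        else:
            i += 1
    return hits

# Constructed sample scene (not from the thread).
SAMPLE = '''#include "colors.inc"
/* #exec "skipped" /* nested */ still a comment */
#declare Note = "#system inside a string";
#fopen Log "out.txt" write
#write (Log, "x")
# exec "dir"   // hypothetical patch syntax
'''
print(scan_scene(SAMPLE))
```

Files pulled in with `#include` are not followed, so each included file needs the same scan before the scene is rendered.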



From: Nieminen Juha
Subject: Re: WARNING: #exec and safety
Date: 20 Oct 1999 07:58:48
Message: <380dae78@news.povray.org>
Speaking about it... I have been thinking about a povray virus, but I
haven't yet figured out how to do it.
  I mean a virus that will attach itself to all .pov-files it finds every time
an infected pov-file is rendered (of course it would be extremely easy
to detect and to disinfect; just watch the beginning/end of the pov files and
remove the extra code from there, but that doesn't matter in this case because
the intention of the virus is not to make harm).
  With povray itself it may be impossible, but I was also thinking that it
could be a povwin virus which could use some features of the windows
version (like codemax macros). But I haven't discovered any way yet.
  Does anyone have any idea (Ron?).

-- 
main(i,_){for(_?--i,main(i+2,"FhhQHFIJD|FQTITFN]zRFHhhTBFHhhTBFysdB"[i]
):5;i&&_>1;printf("%s",_-70?_&1?"[]":" ":(_=0,"\n")),_/=2);} /*- Warp -*/



From: Nieminen Juha
Subject: Re: WARNING: #exec and safety
Date: 20 Oct 1999 08:00:14
Message: <380daece@news.povray.org>
The fact that the possibility of a malicious file is very small
doesn't mean that we shouldn't take into account some security issues.
Let's do it before something happens. It's better than doing it afterwards.

-- 
main(i,_){for(_?--i,main(i+2,"FhhQHFIJD|FQTITFN]zRFHhhTBFHhhTBFysdB"[i]
):5;i&&_>1;printf("%s",_-70?_&1?"[]":" ":(_=0,"\n")),_/=2);} /*- Warp -*/



Copyright 2003-2023 Persistence of Vision Raytracer Pty. Ltd.