Re: [Audacity-devel] Module loading security - was Re: Plugin Warning on Load
From: Steve t. F. <ste...@gm...> - 2014-01-31 02:04:01
Perhaps I'm being dumb, but how would a malicious module get itself installed into the correct folder to be loaded by Audacity unless the user has put it there? If a module is clever enough to install itself into Audacity's modules folder without the user's consent, then surely it is clever enough to do its sinister work without the help of Audacity?

If the user has given their consent to install the module, then why are we asking them again? I'd presume that a user would not download and install a module unless they believed it to be safe. If they believe it to be safe, then when nagged about using it they will say yes, so why nag them?

Currently I get nagged each time Audacity 2.0.6 alpha is started, asking if I want to use Nyquist Workbench. Of course I do, that's why I installed it, but Nyquist Workbench does not work in Audacity 2.0.6 alpha, so what's the point of nagging?

Steve

On 31 January 2014 01:34, Martyn Shaw <mar...@gm...> wrote:
> Hi Alec
>
> On 30/01/2014 22:48, Alec Burgess wrote:
>> On 2014-01-30 05:32, Stephen G. Parry wrote:
>>>>> The idea of the MD5 thing was not for us to maintain a list as such, but
>>>>> that when a user authorises a module, for audacity to maybe store the
>>>>> MD5 in such a way the module can't tamper with it. Then if the module is
>>>>> replaced with anything malicious or updated without user consent, they
>>>>> get a warning. Probably a lot of work for not much benefit though.
>>>> OK, I see what you mean now. But as you say, probably not worth it at
>>>> this time.
>
> ...
>
>> Latest Process Explorer v16.0 (Wed Jan 29) has integrated Virus Total to
>> check MD5's for EXE's +DLL's against previously checked versions. My
>> initial check of all running programs was extremely fast. Is there any
>> way that Audacity could piggy-back on this? Maybe someone has already
>> created something open-source in conjunction with Virus Total folks that
>> could be used by other FOSS projects using plugin architecture. (eg
>> GIMP/Inkscape/Blender)
>
> Would you like to do a bit of researching there and come back with a
> proposal for Audacity to get MD5's on dlls? It's not really a
> priority for us, just a thought on a thought.
>
> TTFN
> Martyn
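The approve-once, warn-on-change idea quoted in this message, sketched as an added example; it is not Audacity code and not from the original thread. It uses SHA-256 in place of the MD5 mentioned in the thread, and `ModulePins`, `pins.json` and the sample module file are hypothetical names; it assumes the pin file is kept somewhere that whoever can write to the modules folder cannot modify.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def file_digest(path):
    """SHA-256 of the module file's bytes (SHA-256 stands in for the thread's MD5)."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

class ModulePins:
    """Hypothetical store: module file name -> digest the user approved."""

    def __init__(self, store_path):
        self.store_path = Path(store_path)
        self.pins = {}
        if self.store_path.exists():
            self.pins = json.loads(self.store_path.read_text(encoding="utf-8"))

    def status(self, module_path):
        """Return 'unknown' (never approved), 'trusted' (unchanged) or 'changed'."""
        pinned = self.pins.get(Path(module_path).name)
        if pinned is None:
            return "unknown"
        return "trusted" if pinned == file_digest(module_path) else "changed"

    def approve(self, module_path):
        """Record the current digest once the user has said yes."""
        self.pins[Path(module_path).name] = file_digest(module_path)
        tmp = self.store_path.with_name(self.store_path.name + ".tmp")
        tmp.write_text(json.dumps(self.pins, indent=2), encoding="utf-8")
        tmp.replace(self.store_path)  # atomic rename, no half-written store

def demo():
    """Constructed sample: a stand-in module file approved once, then replaced."""
    with tempfile.TemporaryDirectory() as d:
        mod = Path(d) / "mod-example.so"
        store = Path(d) / "pins.json"
        mod.write_bytes(b"original module bytes")
        pins = ModulePins(store)
        seen = [pins.status(mod)]                   # first start: ask the user
        pins.approve(mod)
        seen.append(ModulePins(store).status(mod))  # next start: no prompt
        mod.write_bytes(b"replaced module bytes")
        seen.append(ModulePins(store).status(mod))  # file swapped: warn
        return seen

if __name__ == "__main__":
    print(demo())
```

A module that is already loaded runs with the user's privileges and could rewrite the pin file itself, so this check only catches a file that was replaced before load.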