by Gangolf Haub » Mon Mar 22, 2010 8:32 pm
by neghafi » Mon Mar 22, 2010 8:47 pm
mvs wrote:Hi Neghafi,
For sure, I think I mentioned the open source idea somewhere earlier in the thread or on another thread. I dropped that idea (for now) just because the elves were very cautious of the technology being used to spam the site. So, I've plugged in various controls for them. For example, they can (simply by editing one page) ban a particular user from using the tool. They can (or I can) force an upgrade to patch a security hole.
As an open source tool, that minimal protection would be very easily set aside. Of course a motivated "hacker" could side-step things whether they have the source or not, but it shouldn't be incredibly easy for them.
Recently, the Elves have relaxed their earlier stance regarding this tool. For almost a year, it was kind of a "black market" tool anyway. But they saw that the world didn't come to an end, people are using it responsibly, and so it was okay to let the tool go on the front page. I appreciate their trust and understand why they move conservatively. Therefore, I wouldn't make the tool open source without serious consideration, in a way that allows them to preserve some of the protections currently programmed into the tool despite outside changes.
I'm looking into a Mac port via Silverlight, but it's just in the planning stages. Obviously, what the tool does isn't rocket science. In fact it started as a Python script that just took a day or two to make. So as a programmer yourself you could easily improve on it, even without the source.
All the best,
--Michael
by mvs » Mon Mar 29, 2010 8:43 pm
by mvs » Mon Mar 29, 2010 8:45 pm
neghafi wrote:mvs wrote:Hi Neghafi,
For sure, I think I mentioned the open source idea somewhere earlier in the thread or on another thread. I dropped that idea (for now) just because the elves were very cautious of the technology being used to spam the site. So, I've plugged in various controls for them. For example, they can (simply by editing one page) ban a particular user from using the tool. They can (or I can) force an upgrade to patch a security hole.
As an open source tool, that minimal protection would be very easily set aside. Of course a motivated "hacker" could side-step things whether they have the source or not, but it shouldn't be incredibly easy for them.
Recently, the Elves have relaxed their earlier stance regarding this tool. For almost a year, it was kind of a "black market" tool anyway. But they saw that the world didn't come to an end, people are using it responsibly, and so it was okay to let the tool go on the front page. I appreciate their trust and understand why they move conservatively. Therefore, I wouldn't make the tool open source without serious consideration, in a way that allows them to preserve some of the protections currently programmed into the tool despite outside changes.
I'm looking into a Mac port via Silverlight, but it's just in the planning stages. Obviously, what the tool does isn't rocket science. In fact it started as a Python script that just took a day or two to make. So as a programmer yourself you could easily improve on it, even without the source.
All the best,
--Michael
Now I'm sure you are a pro programmer.
As you said, there are several controls, and I think it would be good if admins would help to do some auth, an API or such.
As a control (server-based), a username for bulk uploading must have been created at least 3 months ago and activated for a week (or something like that). This leads to only true people being approved to do a mass upload, and spammers are easily filtered. I don't think playing with IPs is a good idea.
But as you know, this doesn't mean blocking hackers from doing a DoS attack. From a hacker's view, be sure that if someone focuses on this site, it would be easy to spam. I'm sure you know about proxy chaining or the use of many usernames and other techniques hackers may use; that is not the case.
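The server-side gate described in the post above, as an added example (not the bulk uploader's code and not anything SummitPost runs): every decision is made on the server from the account record, so patching the client executable or sniffing its traffic does not change the outcome. The account fields (`created`, `activated`, `banned`), the thresholds and the per-account daily upload budget are assumptions chosen for illustration; the sample accounts and the fixed clock are constructed.

```python
"""Server-side eligibility check for a bulk-upload endpoint.

Added example, not the SummitPost bulk uploader's code. Assumptions:
the server holds an account record with creation and activation
timestamps, a ban flag, and a log of accepted upload timestamps.
Thresholds follow the post ("created at least 3 months ago, activated
for a week"); the daily budget is an assumed extra control.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

MIN_ACCOUNT_AGE = timedelta(days=90)   # "created at least 3 months" ago
MIN_ACTIVE_AGE = timedelta(days=7)     # "activated for a week"
MAX_UPLOADS_PER_DAY = 200              # assumed per-account budget, not from the post


@dataclass
class Account:
    name: str
    created: datetime
    activated: Optional[datetime]      # None: activation never completed
    banned: bool = False
    uploads: List[datetime] = field(default_factory=list)  # accepted upload times


def check_bulk_upload(acct: Account, now: datetime, count: int) -> Tuple[bool, str]:
    """Decide whether `count` uploads from `acct` are allowed right now.

    Identity comes from the authenticated session, not from the client's
    claims and not from its IP address, so proxy chaining does not help
    and a fresh throw-away account is stopped by the age checks.
    """
    if acct.banned:
        return False, "banned"
    if acct.activated is None:
        return False, "not activated"
    if now - acct.created < MIN_ACCOUNT_AGE:
        return False, "account too new"
    if now - acct.activated < MIN_ACTIVE_AGE:
        return False, "activated too recently"
    window_start = now - timedelta(days=1)
    recent = sum(1 for t in acct.uploads if t > window_start)
    if recent + count > MAX_UPLOADS_PER_DAY:
        return False, "daily upload budget exceeded"
    return True, "ok"


def accept_uploads(acct: Account, now: datetime, count: int) -> Tuple[bool, str]:
    """Apply the check and, on success, record the uploads against the budget."""
    ok, reason = check_bulk_upload(acct, now, count)
    if ok:
        acct.uploads.extend([now] * count)
    return ok, reason


def demo() -> dict:
    """Run the gate over constructed accounts at a fixed clock."""
    now = datetime(2010, 3, 31, 12, 0, tzinfo=timezone.utc)   # constructed clock
    old = now - timedelta(days=400)
    veteran = Account("veteran", created=old, activated=old)
    newbie = Account("newbie", created=now - timedelta(days=2),
                     activated=now - timedelta(days=1))
    dormant = Account("dormant", created=old, activated=now - timedelta(days=2))
    pending = Account("pending", created=old, activated=None)
    spammer = Account("spammer", created=old, activated=old, banned=True)
    return {
        "veteran": accept_uploads(veteran, now, 50),
        "newbie": accept_uploads(newbie, now, 50),
        "dormant": accept_uploads(dormant, now, 50),
        "pending": accept_uploads(pending, now, 50),
        "spammer": accept_uploads(spammer, now, 50),
        # second batch from the veteran: 50 already used today, 151 more exceeds 200
        "veteran_over_budget": accept_uploads(veteran, now, 151),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:20s} {'ALLOW' if ok else 'DENY':5s} {reason}")
```

The point of the budget check is the one the thread raises: account-age rules stop throw-away accounts, but a single aged account can still flood the site, so the server also has to bound how much any one account may upload per day, independently of whatever the client does.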
by neghafi » Wed Mar 31, 2010 3:29 pm
mvs wrote:Thanks, your knowledge on these matters is going beyond mine for sure, and that may come in handy at some point. It has to be easy for the Elves to use those server side controls. I think I've got a really easy system right now that required no server side programming. That is the thing...there is no one interested with access to SP server side code, so I can't go as far as I'd like.
by mvs » Wed Mar 31, 2010 5:11 pm
neghafi wrote:mvs wrote:Thanks, your knowledge on these matters is going beyond mine for sure, and that may come in handy at some point. It has to be easy for the Elves to use those server side controls. I think I've got a really easy system right now that required no server side programming. That is the thing...there is no one interested with access to SP server side code, so I can't go as far as I'd like.
Thanks for your kind compliments. I thought your tool might be supported by admins. To tell the truth, I'm not sure if server programming is more dangerous than client auth. Client auth is easier to bypass by debugging and editing the exe file (there are many cracking tuts); sniffing is another way to try. So for an elite hacker it's not a prevention layer, and for script kiddies, server-side auth is harder to analyse. That's all my points, and admins may not want to support it in any case. I wish we had a penetration tester as a member here to know about his/her viewpoints.
Anyway, thanks for sharing your tools.
by Hotoven » Wed Mar 31, 2010 5:47 pm
by neghafi » Sun Apr 04, 2010 1:28 pm
mvs wrote:Hi, you are 100% right, and see the situation with clarity. Indeed, should a motivated "spammer" upload too many pictures, they can bat aside my client security in various ways, for example creating new user accounts, or yes, hacking the executable. At that point it will come down to the oft-used server tool of banning the offending IP address.
You know, if this amazing offer of server side support ever came up I would jump at it and recommend to throw away the bulk uploader and replace it with an actual server side solution for bulk uploads. That really would be the ideal picture. I only went down this client side road because I didn't see that forthcoming.
Really nice talking to you!
by visentin » Wed Aug 25, 2010 8:15 am
by mvs » Mon Oct 04, 2010 6:39 pm
by mvs » Mon Oct 04, 2010 11:51 pm
by mvs » Sat Jan 15, 2011 1:02 pm
by Josh Lewis » Sat Jan 15, 2011 8:40 pm
by Marco Marinescu » Tue Oct 11, 2011 1:22 pm
by visentin » Mon Apr 08, 2013 11:48 am