Welcome to Doom9's Forum, THE in-place to be for everyone interested in DVD conversion.

Before you start posting please read the forum rules. By posting to this forum you agree to abide by the rules.

 

Go Back   Doom9's Forum > Video Encoding > New and alternative video codecs

Reply
 
Thread Tools Search this Thread Display Modes
Old 11th April 2007, 00:56   #1  |  Link
Jeremy Duncan
Didée Fan
 
Jeremy Duncan's Avatar
 
Join Date: Feb 2006
Location: Canada
Posts: 1,079
Ha ha ha.

What I meant to say is.
When will Leak's Patch be put into every Drevilxxl and Clsid FFDshow build ?

And does somebody look at all of these patches from people like leak and Dr Pizza to make sure they are clean and malware free ?
I hope so ! lol.
Or else some cracker might get it in their head to come and put a patch into FFDshow.
__________________
When I get tired during work with dvd stuff i think of River Tamm (Summer Glau's character). And the beauty that is Serenity.
Jeremy Duncan is offline   Reply With Quote
Old 11th April 2007, 09:23   #2  |  Link
Leak
ffdshow/AviSynth wrangler
 
Leak's Avatar
 
Join Date: Feb 2003
Location: Austria
Posts: 2,441
Quote:
Originally Posted by Jeremy Duncan View Post
When will Leak's Patch be put into every Drevilxxl and Clsid FFDshow build ?
Soon, I hope - but there's still a kink or two to work out.

Quote:
And does somebody look at all of these patches from people like leak and Dr Pizza to make sure they are clean and malware free ?
I hope so ! lol.
Or else some cracker might get it in their head to come and put a patch into FFDshow.
Well, as with just about anything in computer science you can't prove the total absence of something (like bugs or malware) but only the presence.

Sure, you could compile everything on your own to cut out the builder, but unless you go over every line in the code (which is a tad massive in a project of this size) you still can't be 100% sure.

Then again, at least I can assure you that I haven't put anything evil into my builds and that my build system is free of infectuous malware also...

But yeah, I'd ultimately want my patch to get merged into ffdshow so I don't have to keep doing my own builds whenever something else is updated.
__________________
now playing: [artist] - [track] ([album])
Leak is offline   Reply With Quote
Old 12th April 2007, 02:10   #3  |  Link
Jeremy Duncan
Didée Fan
 
Jeremy Duncan's Avatar
 
Join Date: Feb 2006
Location: Canada
Posts: 1,079
Quote:
Originally Posted by Leak View Post
Well, as with just about anything in computer science you can't prove the total absence of something (like bugs or malware) but only the presence.

Sure, you could compile everything on your own to cut out the builder, but unless you go over every line in the code (which is a tad massive in a project of this size) you still can't be 100% sure.
Well, If nobody is keeping guard over the FFDshow project because there's too much code to look through.
What if somebody dropped a Rootkit in there.
Then the firewall or antivirus or other protection would be potentially vulnerable and useless.
And there is nobody to catch it because it's too much code.

This is what the complaint is about Linux.
That people are putting bad code into it.
I'm at the mercy of each individual that will or has contributed code to FFDshow, as a user of the product I'm creating a potencial security risk.
That risk is the undetectable root kit.
Did you know that once a root kit gets on the pc your pretty well cracked and have to reformat.

Ask the folks over at dslreports.com security forum if I'm right.

Ha ha ha.
I'm sorry. I'm probably talking out of my hat.

Check out the thread I started there asking the question about rootkits.
Link

There's multiple anonymous contributors creating code for FFDshow that's not scrutinized for security risks.
Even if somebody looked it all over there's still a risk:
"Advocates of the Linux operating system claim that its security can be assured by the openness of its source code. They argue that the 'many eyes' looking at the Linux source code will quickly find any subversions. Ken Thompson, the original developer of the Unix operating system -- which heavily influenced Linux -- proved otherwise. He installed a back door in the binary code of Unix that automatically added his user name and password to every Unix system. When he revealed the secret 14 years later, Thompson explained, 'The moral is obvious. You can't trust code that you did not create yourself. No amount of source-level verification or scrutiny will protect you from using untrusted code.'"
Link
__________________
When I get tired during work with dvd stuff i think of River Tamm (Summer Glau's character). And the beauty that is Serenity.

Last edited by Jeremy Duncan; 12th April 2007 at 02:46.
Jeremy Duncan is offline   Reply With Quote
Old 12th April 2007, 03:16   #4  |  Link
foxyshadis
ангел смерти
 
foxyshadis's Avatar
 
Join Date: Nov 2004
Location: Lost
Posts: 9,558
Quote:
Originally Posted by chros View Post
@Kado: first, thanks for testing...

It's a very good idea!
Or a better one (if it's possible): this setting can be apply to every plugin simultaniously ...
Wrong order of operations, imho. Keep the mixer before the Winamp plugin filter always, then you can downmix if necessary without affecting the plugins. The mixer is your mono/dual/multichannel switch. And yeah, I'm having a hard time finding info on how the plugin interface changed between 2 and 5.3.

DFX just crashes my winamp and ffdshow, I don't know what the issue is there.

Jeremy,
We don't have to actively guard against rootkits and trojans because major changes are so rare and only made by trusted people. I read over every commit and most patches, even if I don't have much time or knowledge to offer suggestions, and it would be painfully obvious if someone tried to slip in something malicious, especially since they're so short. ffdshow doesn't use network code and COM/file/registry is pretty restricted; short of an attack against the video drivers that simultaneously did something legitimate I'm not sure how someone could hide new code in something as simple as ffdshow. It doesn't take anything like a full audit of the base code would - though we have to trust that the code inherited from milan is hack-free. I would hope anyone else who makes builds and commits also skims the patches as well. (Sure would be easier to have trac, to quickly skim svn diffs.)

When it comes to 3rd party builds, well, there's no way anyone could verify that the build actually matches the posted patch.
foxyshadis is offline   Reply With Quote
Old 12th April 2007, 08:18   #5  |  Link
Leak
ffdshow/AviSynth wrangler
 
Leak's Avatar
 
Join Date: Feb 2003
Location: Austria
Posts: 2,441
Quote:
Originally Posted by Jeremy Duncan View Post
This is what the complaint is about Linux.
That people are putting bad code into it.
Well, at least with Windows we *know* that people are putting bad code into it, but we can't fix that due to lack of source code...

But this is wildly offtopic - I'm not forcing anyone to use my ffdshow builds, I just put them up in the hope that a) someone finds them useful and b) reports bugs they find. The same goes for just about every other Open Source project...
__________________
now playing: [artist] - [track] ([album])
Leak is offline   Reply With Quote
Old 14th April 2007, 20:23   #6  |  Link
Jeremy Duncan
Didée Fan
 
Jeremy Duncan's Avatar
 
Join Date: Feb 2006
Location: Canada
Posts: 1,079
Quote:
Originally Posted by foxyshadis View Post
Jeremy,
We don't have to actively guard against rootkits and trojans because major changes are so rare and only made by trusted people. I read over every commit and most patches, even if I don't have much time or knowledge to offer suggestions, and it would be painfully obvious if someone tried to slip in something malicious, especially since they're so short. ffdshow doesn't use network code and COM/file/registry is pretty restricted; short of an attack against the video drivers that simultaneously did something legitimate I'm not sure how someone could hide new code in something as simple as ffdshow. It doesn't take anything like a full audit of the base code would - though we have to trust that the code inherited from milan is hack-free. I would hope anyone else who makes builds and commits also skims the patches as well. (Sure would be easier to have trac, to quickly skim svn diffs.)

When it comes to 3rd party builds, well, there's no way anyone could verify that the build actually matches the posted patch.
So your saying you don't need to know security routines in order to spot potencially malicious code, because FFDshow is inherantly safe as the registry is guarded and there's only one potencial entry point for bugs and viruses. And the bug/virus would need to run non-malicious code as well as malicious code in order for the crack to work.

So is Leak and CLSID in agreement that the video drivers is the only potencial place a viral crack could enter FFDshow with the patches people build for it ?

I've crippled one of my pc's so I can use FFDshow on it.
It doesn't go online as a result of my using FFDshow.
So if you kind people could help me put my fears to rest I would be able to put the PC back online.
__________________
When I get tired during work with dvd stuff i think of River Tamm (Summer Glau's character). And the beauty that is Serenity.
Jeremy Duncan is offline   Reply With Quote
Old 14th April 2007, 20:46   #7  |  Link
Leak
ffdshow/AviSynth wrangler
 
Leak's Avatar
 
Join Date: Feb 2003
Location: Austria
Posts: 2,441
Quote:
Originally Posted by Jeremy Duncan View Post
So if you kind people could help me put my fears to rest I would be able to put the PC back online.
Sorry, but I just fail to see the connection between ffdshow on one end and general internet-paranoia on the other end, nor do I see how this is the correct forum to discuss it.

np: Contriva - Before (Separate Chambers)
__________________
now playing: [artist] - [track] ([album])

Last edited by Leak; 15th April 2007 at 08:42.
Leak is offline   Reply With Quote
Old 14th April 2007, 23:16   #8  |  Link
Dr Pizza
Registered User
 
Dr Pizza's Avatar
 
Join Date: Feb 2007
Posts: 65
If you think the software could be malicious, you shouldn't have installed it at all.
Dr Pizza is offline   Reply With Quote
Old 15th April 2007, 02:42   #9  |  Link
Ryokurin
Registered User
 
Join Date: Sep 2002
Posts: 92
Quote:
Originally Posted by Jeremy Duncan View Post
I've crippled one of my pc's so I can use FFDshow on it.
It doesn't go online as a result of my using FFDshow.
So if you kind people could help me put my fears to rest I would be able to put the PC back online.
I don't want to sound snooty, but maybe you just shouldn't use any open sourced software at all. Hell, even closed can have a backdoor that you don't know about. Besides, if security is so paramount for you then you would know the best security is a machine off the network by itself.
Ryokurin is offline   Reply With Quote
Old 15th April 2007, 23:28   #10  |  Link
Jeremy Duncan
Didée Fan
 
Jeremy Duncan's Avatar
 
Join Date: Feb 2006
Location: Canada
Posts: 1,079
Quote:
Originally Posted by Dr Pizza View Post
If you think the software could be malicious, you shouldn't have installed it at all.
Well. I thank you all for at least being obvious in your contempt for my clearly stated question.
I'll be quiet now.

__________________
When I get tired during work with dvd stuff i think of River Tamm (Summer Glau's character). And the beauty that is Serenity.
Jeremy Duncan is offline   Reply With Quote
Old 18th April 2007, 21:21   #11  |  Link
foxyshadis
ангел смерти
 
foxyshadis's Avatar
 
Join Date: Nov 2004
Location: Lost
Posts: 9,558
Quote:
Originally Posted by Jeremy Duncan View Post
So your saying you don't need to know security routines in order to spot potencially malicious code, because FFDshow is inherantly safe as the registry is guarded and there's only one potencial entry point for bugs and viruses. And the bug/virus would need to run non-malicious code as well as malicious code in order for the crack to work.

So is Leak and CLSID in agreement that the video drivers is the only potencial place a viral crack could enter FFDshow with the patches people build for it ?

I've crippled one of my pc's so I can use FFDshow on it.
It doesn't go online as a result of my using FFDshow.
So if you kind people could help me put my fears to rest I would be able to put the PC back online.
If you're really worried about secure code, you need to have a code audit done by a security researcher. (Along with MPC and anything else in the chain.) Ffdshow has crashes, and any crash may be a potentially exploitable hole by someone with enough time and skill. It's impossible to know beforehand which are dangerous and which are benign. On the other hand, as far as I know no one has ever tried to actively target ffdshow. (I'd be much more worried about games and browsers than ffdshow.) The best we can say, as non-security professionals, is that there are no obvious attack vectors.

If you use defense in depth, potential vulnerabilities shouldn't keep you up at night because their scope would be so limited. And for the truly paranoid, the only systems that should have any network access at all are cloneable virtual servers.

I'll split this side discussion off soon.
foxyshadis is offline   Reply With Quote
Old 19th April 2007, 01:08   #12  |  Link
Jeremy Duncan
Didée Fan
 
Jeremy Duncan's Avatar
 
Join Date: Feb 2006
Location: Canada
Posts: 1,079
Quote:
Originally Posted by foxyshadis View Post
If you're really worried about secure code, you need to have a code audit done by a security researcher. (Along with MPC and anything else in the chain.) Ffdshow has crashes, and any crash may be a potentially exploitable hole by someone with enough time and skill. It's impossible to know beforehand which are dangerous and which are benign. On the other hand, as far as I know no one has ever tried to actively target ffdshow. (I'd be much more worried about games and browsers than ffdshow.) The best we can say, as non-security professionals, is that there are no obvious attack vectors.

If you use defense in depth, potential vulnerabilities shouldn't keep you up at night because their scope would be so limited. And for the truly paranoid, the only systems that should have any network access at all are cloneable virtual servers.

I'll split this side discussion off soon.
I saw on theinquirer.net that a product that acts like FFDshow was aimed at dvd enthusiasts and it turned out to be viral.
The people who did this would like to add their stuff to FFDshow too I bet. Same demographic.

I asked somebody about this, and they said that adding code to FFDshow is treated like adding videos to Youtube. It's a free for all. After all, you said yourself nobody checks each patch and welcomes patches from virtual strangers happily. Just like youtube.
When Milan ran FFDshow, did he run it like Youtube too ?

I am speaking freely in the belief I can without being flamed.
I hope I'm not offending anybody.
__________________
When I get tired during work with dvd stuff i think of River Tamm (Summer Glau's character). And the beauty that is Serenity.
Jeremy Duncan is offline   Reply With Quote
Old 19th April 2007, 04:38   #13  |  Link
foxyshadis
ангел смерти
 
foxyshadis's Avatar
 
Join Date: Nov 2004
Location: Lost
Posts: 9,558
Still talking about two different things. First, something that was likely a fork of ffdshow with a viral patch (or not even that, maybe just a virus called ffdshow.zip.exe, I can't find any articles about ffdshow at the inq so I don't know) demonstates the binary problem: when you download an ffdshow instead of compiling it yourself, it can have anything in it and it's impossible to tell, it doesn't have to bear any relation to the purported source code. Anyone can upload a file to their own server and call it ffdshow, whether it is or not. We don't sign our binaries and even if we did, no one would ever bother to verify them (except a very few people who are more likely to compile it themselves), since it's expensive or a big pain, so downloading directly from sourceforge is the simplest way of ensuring no tampering. If someone broke into one of our accounts then it's possible they could upload a bad binary until someone found it - though there are also many larger targets on sf to hijack.

As for adding to the source repository, it's not open to all - only project admins can update the svn, and you, I, and anyone else can see the changes they made. (I did say I check each patch, btw, if only after the fact. The ones that come from the internet at large are vetted by those who upload them to SVN.) So far no one has tried anything malicious, and if it truly was a freeforall, projects would be getting overrun by viruses the way wiki gets overrun by spam and defacings, but they don't. It's basic peer review. I'm sure Milan also used his judgement to be sure patches were safe as well as working, since he was a good programmer, though he's not around to ask now.

I'm not flaming you because I think this is an important issue to be aware of with the state of the internet now, but at the same time it's a risk you have to manage the way you do every other risk in life.
foxyshadis is offline   Reply With Quote
Old 19th April 2007, 05:20   #14  |  Link
Jeremy Duncan
Didée Fan
 
Jeremy Duncan's Avatar
 
Join Date: Feb 2006
Location: Canada
Posts: 1,079
Quote:
Originally Posted by foxyshadis View Post
Still talking about two different things. First, something that was likely a fork of ffdshow with a viral patch (or not even that, maybe just a virus called ffdshow.zip.exe, I can't find any articles about ffdshow at the inq so I don't know) demonstates the binary problem: when you download an ffdshow instead of compiling it yourself, it can have anything in it and it's impossible to tell, it doesn't have to bear any relation to the purported source code. Anyone can upload a file to their own server and call it ffdshow, whether it is or not. We don't sign our binaries and even if we did, no one would ever bother to verify them (except a very few people who are more likely to compile it themselves), since it's expensive or a big pain, so downloading directly from sourceforge is the simplest way of ensuring no tampering. If someone broke into one of our accounts then it's possible they could upload a bad binary until someone found it - though there are also many larger targets on sf to hijack.

As for adding to the source repository, it's not open to all - only project admins can update the svn, and you, I, and anyone else can see the changes they made. (I did say I check each patch, btw, if only after the fact. The ones that come from the internet at large are vetted by those who upload them to SVN.) So far no one has tried anything malicious, and if it truly was a freeforall, projects would be getting overrun by viruses the way wiki gets overrun by spam and defacings, but they don't. It's basic peer review. I'm sure Milan also used his judgement to be sure patches were safe as well as working, since he was a good programmer, though he's not around to ask now.

I'm not flaming you because I think this is an important issue to be aware of with the state of the internet now, but at the same time it's a risk you have to manage the way you do every other risk in life.
Good to know. Thanks for all your replies and patience. I feel safe enough to use FFDshow and keep the pc online too now that I'm better informed.
__________________
When I get tired during work with dvd stuff i think of River Tamm (Summer Glau's character). And the beauty that is Serenity.
Jeremy Duncan is offline   Reply With Quote
Old 19th April 2007, 06:43   #15  |  Link
Keepitsimple
Registered User
 
Join Date: Jan 2007
Posts: 57
How many programs do you use Jeremy? I ask because ffdshow feels like one of the most safe programs on my computer.
Keepitsimple is offline   Reply With Quote
Old 20th April 2007, 01:39   #16  |  Link
Jeremy Duncan
Didée Fan
 
Jeremy Duncan's Avatar
 
Join Date: Feb 2006
Location: Canada
Posts: 1,079
9

Firefox
Thunderbird
Media Player Classic
FFDshow
Avisynth
iTunes
WMP 11
Nvidia Video Codec
I.E for some Media

I have more installed, but they aren't for Me.
Edit. I also use some tools for maintenance.
__________________
When I get tired during work with dvd stuff i think of River Tamm (Summer Glau's character). And the beauty that is Serenity.
Jeremy Duncan is offline   Reply With Quote
Old 20th April 2007, 03:35   #17  |  Link
halsboss
likes to tinker
 
Join Date: Jan 2004
Location: girt by sea
Posts: 635
Quote:
Originally Posted by Leak View Post
Soon, I hope - but there's still a kink or two to work out
...
But yeah, I'd ultimately want my patch to get merged into ffdshow so I don't have to keep doing my own builds whenever something else is updated.
Now I'm interested... can you point me to a link which describes the patch ? Went to Leak's home page but couldn't spot it there.
Cheerio
halsboss is offline   Reply With Quote
Old 20th April 2007, 06:08   #18  |  Link
foxyshadis
ангел смерти
 
foxyshadis's Avatar
 
Join Date: Nov 2004
Location: Lost
Posts: 9,558
Quote:
Originally Posted by halsboss View Post
Now I'm interested... can you point me to a link which describes the patch ? Went to Leak's home page but couldn't spot it there.
Cheerio
That was pulled from the official ffdshow thread and I didn't edit it out, sorry. See the last few pages of the discussion thread for links to his patch and builds.
foxyshadis is offline   Reply With Quote
Old 20th April 2007, 06:46   #19  |  Link
halsboss
likes to tinker
 
Join Date: Jan 2004
Location: girt by sea
Posts: 635
Thanks. Will go to this one (from a search) "ffdshow tryouts project: Discussion & Development" http://forum.doom9.org/showthread.ph...ficial+ffdshow
halsboss is offline   Reply With Quote
Reply

Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT +1. The time now is 11:46.


Powered by vBulletin® Version 3.8.11
Copyright ©2000 - 2024, vBulletin Solutions Inc.