11th April 2007, 00:56 | #1 | Link |
Didée Fan
Join Date: Feb 2006
Location: Canada
Posts: 1,079
|
Ha ha ha.
What I meant to say is: when will Leak's patch be put into every Drevilxxl and Clsid FFDshow build? And does somebody look at all of these patches from people like leak and Dr Pizza to make sure they are clean and malware free? I hope so! lol. Or else some cracker might get it in their head to come and put a patch into FFDshow.
__________________
When I get tired during work with DVD stuff I think of River Tam (Summer Glau's character). And the beauty that is Serenity. |
11th April 2007, 09:23 | #2 | Link | ||
ffdshow/AviSynth wrangler
Join Date: Feb 2003
Location: Austria
Posts: 2,441
|
Quote:
Quote:
Sure, you could compile everything on your own to cut out the builder, but unless you go over every line in the code (which is a tad massive in a project of this size) you still can't be 100% sure. Then again, at least I can assure you that I haven't put anything evil into my builds and that my build system is free of infectious malware also... But yeah, I'd ultimately want my patch to get merged into ffdshow so I don't have to keep doing my own builds whenever something else is updated.
__________________
now playing: [artist] - [track] ([album]) |
||
12th April 2007, 02:10 | #3 | Link | |
Didée Fan
Join Date: Feb 2006
Location: Canada
Posts: 1,079
|
Quote:
What if somebody dropped a rootkit in there? Then the firewall or antivirus or other protection would be potentially vulnerable and useless. And there is nobody to catch it because it's too much code. This is what the complaint is about Linux. That people are putting bad code into it. I'm at the mercy of each individual that will or has contributed code to FFDshow; as a user of the product I'm creating a potential security risk. That risk is the undetectable rootkit. Did you know that once a rootkit gets on the PC you're pretty well cracked and have to reformat? Ask the folks over at dslreports.com security forum if I'm right. Ha ha ha. I'm sorry. I'm probably talking out of my hat. Check out the thread I started there asking the question about rootkits. Link There's multiple anonymous contributors creating code for FFDshow that's not scrutinized for security risks. Even if somebody looked it all over there's still a risk: "Advocates of the Linux operating system claim that its security can be assured by the openness of its source code. They argue that the 'many eyes' looking at the Linux source code will quickly find any subversions. Ken Thompson, the original developer of the Unix operating system -- which heavily influenced Linux -- proved otherwise. He installed a back door in the binary code of Unix that automatically added his user name and password to every Unix system. When he revealed the secret 14 years later, Thompson explained, 'The moral is obvious. You can't trust code that you did not create yourself. No amount of source-level verification or scrutiny will protect you from using untrusted code.'" Link
Last edited by Jeremy Duncan; 12th April 2007 at 02:46. |
|
12th April 2007, 03:16 | #4 | Link | |
ангел смерти
Join Date: Nov 2004
Location: Lost
Posts: 9,558
|
Quote:
DFX just crashes my winamp and ffdshow, I don't know what the issue is there. Jeremy, we don't have to actively guard against rootkits and trojans because major changes are so rare and only made by trusted people. I read over every commit and most patches, even if I don't have much time or knowledge to offer suggestions, and it would be painfully obvious if someone tried to slip in something malicious, especially since they're so short. ffdshow doesn't use network code and COM/file/registry is pretty restricted; short of an attack against the video drivers that simultaneously did something legitimate I'm not sure how someone could hide new code in something as simple as ffdshow. It doesn't take anything like a full audit of the base code would - though we have to trust that the code inherited from milan is hack-free. I would hope anyone else who makes builds and commits also skims the patches as well. (Sure would be easier to have trac, to quickly skim svn diffs.) When it comes to 3rd party builds, well, there's no way anyone could verify that the build actually matches the posted patch. |
|
12th April 2007, 08:18 | #5 | Link | |
ffdshow/AviSynth wrangler
Join Date: Feb 2003
Location: Austria
Posts: 2,441
|
Quote:
But this is wildly offtopic - I'm not forcing anyone to use my ffdshow builds, I just put them up in the hope that a) someone finds them useful and b) reports bugs they find. The same goes for just about every other Open Source project...
|
14th April 2007, 20:23 | #6 | Link | |
Didée Fan
Join Date: Feb 2006
Location: Canada
Posts: 1,079
|
Quote:
So are Leak and CLSID in agreement that the video drivers are the only potential place a viral crack could enter FFDshow with the patches people build for it? I've crippled one of my PCs so I can use FFDshow on it. It doesn't go online as a result of my using FFDshow. So if you kind people could help me put my fears to rest I would be able to put the PC back online.
|
14th April 2007, 20:46 | #7 | Link | |
ffdshow/AviSynth wrangler
Join Date: Feb 2003
Location: Austria
Posts: 2,441
|
Quote:
np: Contriva - Before (Separate Chambers)
Last edited by Leak; 15th April 2007 at 08:42. |
|
15th April 2007, 02:42 | #9 | Link |
Registered User
Join Date: Sep 2002
Posts: 92
|
I don't want to sound snooty, but maybe you just shouldn't use any open sourced software at all. Hell, even closed can have a backdoor that you don't know about. Besides, if security is so paramount for you then you would know the best security is a machine off the network by itself.
|
15th April 2007, 23:28 | #10 | Link | |
Didée Fan
Join Date: Feb 2006
Location: Canada
Posts: 1,079
|
Quote:
I'll be quiet now.
|
18th April 2007, 21:21 | #11 | Link | |
ангел смерти
Join Date: Nov 2004
Location: Lost
Posts: 9,558
|
Quote:
If you use defense in depth, potential vulnerabilities shouldn't keep you up at night because their scope would be so limited. And for the truly paranoid, the only systems that should have any network access at all are cloneable virtual servers. I'll split this side discussion off soon. |
|
19th April 2007, 01:08 | #12 | Link | |
Didée Fan
Join Date: Feb 2006
Location: Canada
Posts: 1,079
|
Quote:
The people who did this would like to add their stuff to FFDshow too I bet. Same demographic. I asked somebody about this, and they said that adding code to FFDshow is treated like adding videos to YouTube. It's a free-for-all. After all, you said yourself nobody checks each patch and welcomes patches from virtual strangers happily. Just like YouTube. When Milan ran FFDshow, did he run it like YouTube too? I am speaking freely in the belief I can without being flamed. I hope I'm not offending anybody.
|
19th April 2007, 04:38 | #13 | Link |
ангел смерти
Join Date: Nov 2004
Location: Lost
Posts: 9,558
|
Still talking about two different things. First, something that was likely a fork of ffdshow with a viral patch (or not even that, maybe just a virus called ffdshow.zip.exe, I can't find any articles about ffdshow at the inq so I don't know) demonstrates the binary problem: when you download an ffdshow instead of compiling it yourself, it can have anything in it and it's impossible to tell, it doesn't have to bear any relation to the purported source code. Anyone can upload a file to their own server and call it ffdshow, whether it is or not. We don't sign our binaries and even if we did, no one would ever bother to verify them (except a very few people who are more likely to compile it themselves), since it's expensive or a big pain, so downloading directly from sourceforge is the simplest way of ensuring no tampering. If someone broke into one of our accounts then it's possible they could upload a bad binary until someone found it - though there are also many larger targets on sf to hijack.
As for adding to the source repository, it's not open to all - only project admins can update the svn, and you, I, and anyone else can see the changes they made. (I did say I check each patch, btw, if only after the fact. The ones that come from the internet at large are vetted by those who upload them to SVN.) So far no one has tried anything malicious, and if it truly was a free-for-all, projects would be getting overrun by viruses the way wiki gets overrun by spam and defacings, but they don't. It's basic peer review. I'm sure Milan also used his judgement to be sure patches were safe as well as working, since he was a good programmer, though he's not around to ask now. I'm not flaming you because I think this is an important issue to be aware of with the state of the internet now, but at the same time it's a risk you have to manage the way you do every other risk in life. |
19th April 2007, 05:20 | #14 | Link | |
Didée Fan
Join Date: Feb 2006
Location: Canada
Posts: 1,079
|
Quote:
|
20th April 2007, 01:39 | #16 | Link |
Didée Fan
Join Date: Feb 2006
Location: Canada
Posts: 1,079
|
9
Firefox, Thunderbird, Media Player Classic, FFDshow, Avisynth, iTunes, WMP 11, Nvidia Video Codec, I.E for some media. I have more installed, but they aren't for me. Edit: I also use some tools for maintenance.
20th April 2007, 03:35 | #17 | Link | |
likes to tinker
Join Date: Jan 2004
Location: girt by sea
Posts: 635
|
Quote:
Cheerio |
|
20th April 2007, 06:46 | #19 | Link |
likes to tinker
Join Date: Jan 2004
Location: girt by sea
Posts: 635
|
Thanks. Will go to this one (from a search) "ffdshow tryouts project: Discussion & Development" http://forum.doom9.org/showthread.ph...ficial+ffdshow
|