07/31/17, 03:22 AM   #1
Sordrak
AddOn Author
Join Date: May 2017
Posts: 52
Censorship

Hi guys

I would like to discuss an issue here on this site. Maybe I do not understand something correctly, but it seriously bothers me.

The issue I currently have is censorship. I've posted around 4 comments to an addon, which is quite a bit suspicious to say the least (I guess some of you already came across that addon). I've posted my doubts and brought up technical facts, which might be interesting for other users, as the addon might be a huge security threat (containing an exe and manipulating Lua code on the fly). Yet, all my comments are getting deleted pretty fast. As I never deleted any comments so far, I'm not aware if the author can directly delete a comment or if some admin interaction is involved.

Anyway, I think it is pretty concerning when such information, technical facts and warnings can easily be removed from an addon. IMHO I consider this censorship, and in this case it might even put users at risk who otherwise would have been more careful.
07/31/17, 04:02 AM   #2
Dolgubon
AddOn Author
Join Date: Jan 2016
Posts: 409
Originally Posted by Sordrak View Post
Hi guys

I would like to discuss an issue here on this site. Maybe I do not understand something correctly, but it seriously bothers me.

The issue I currently have is censorship. I've posted around 4 comments to an addon, which is quite a bit suspicious to say the least (I guess some of you already came across that addon). I've posted my doubts and brought up technical facts, which might be interesting for other users, as the addon might be a huge security threat (containing an exe and manipulating Lua code on the fly). Yet, all my comments are getting deleted pretty fast. As I never deleted any comments so far, I'm not aware if the author can directly delete a comment or if some admin interaction is involved.

Anyway, I think it is pretty concerning when such information, technical facts and warnings can easily be removed from an addon. IMHO I consider this censorship, and in this case it might even put users at risk who otherwise would have been more careful.
Yes, addon authors can delete comments. As an addon author yourself, you might have noticed that/you'd be able to check. I've actually done it myself before (a comment that was quite clearly not related), but it's definitely not something that I have a habit of doing. I imagine the idea behind addon authors being able to delete comments on their own addons is that they are able to keep it on topic/related to the addon, and/or to prevent other players from being a nuisance. It would likely be a lot more work for the site admins to moderate the comments of every single addon. In general, I don't think addon authors abuse their power - there are many comments around the site that I'm sure the addon author would prefer did not exist. Generally though, they get buried pretty quickly, just because other people post comments.


I'd also like to point out that, while I did not see the actual comment, this short quote of yours:
Originally Posted by Sordrak
blah-blah-blah
is likely something that I would say an author is completely within their rights to delete. (Of course, I admit I have no context on that; maybe it was an OK comment.) While pointing out security flaws is perfectly fine, you also need to consider how you point them out. I don't know for sure if the addon you are referring to is Nirn Auction House, but if it is, I'd also like to point out that quickly checking shows there are multiple other comments warning about security - so it seems likely that censorship was not the reason for deleting your comments.

.exes are a security risk, and I'm not going to say that they aren't. Depending on the specific addon you are referring to, the source code might be freely available. Additionally, the site has rules around .exes: "Executable files are not allowed, except for some very specific cases. We test and decompile all executable files that are submitted. In some cases we may ask for the source. This process could take a while." That said, I don't know how rigorous the testing they are put through is.

Last edited by Dolgubon : 07/31/17 at 04:10 AM.
07/31/17, 04:36 AM   #3
Sordrak
AddOn Author
Join Date: May 2017
Posts: 52
Originally Posted by Dolgubon View Post
Yes, addon authors can delete comments. As an addon author yourself, you might have noticed that/you'd be able to check. I've actually done it myself before (a comment that was quite clearly not related), but it's definitely not something that I have a habit of doing. I imagine the idea behind addon authors being able to delete comments on their own addons is that they are able to keep it on topic/related to the addon, and/or to prevent other players from being a nuisance. It would likely be a lot more work for the site admins to moderate the comments of every single addon. In general, I don't think addon authors abuse their power - there are many comments around the site that I'm sure the addon author would prefer did not exist. Generally though, they get buried pretty quickly, just because other people post comments.


I'd also like to point out that, while I did not see the actual comment, this short quote of yours: is likely something that I would say an author is completely within their rights to delete. (Of course, I admit I have no context on that; maybe it was an OK comment.) While pointing out security flaws is perfectly fine, you also need to consider how you point them out. I don't know for sure if the addon you are referring to is Nirn Auction House, but if it is, I'd also like to point out that quickly checking shows there are multiple other comments warning about security - so it seems likely that censorship was not the reason for deleting your comments.

.exes are a security risk, and I'm not going to say that they aren't. Depending on the specific addon you are referring to, the source code might be freely available. Additionally, the site has rules around .exes: "Executable files are not allowed, except for some very specific cases. We test and decompile all executable files that are submitted. In some cases we may ask for the source. This process could take a while." That said, I don't know how rigorous the testing they are put through is.
Well, I agree with a few things and disagree with some of the things you wrote.

Let's start with the comment where i got quoted "blah-blah-blah". I never wrote that.


I must agree that my words could have been friendlier (but it was quite a bit hard, as I got pretty much too tired of people defending all of this without any arguments, respectively ignoring everything that has been said. I mean, if someone really wants to run that addon, fine for me. I wouldn't. And everyone who wants to run it should know what the risks are. And there are quite a few.). Nonetheless, the post contains information and what I currently consider to be an issue in the comments there. There's simply a lot of censorship and, as you said, comments are getting buried rather quickly, which is another issue in the case of this addon.

Another example:


Got one more at home in case you want to see that as well. Unfortunately, the original post, where I've explained a lot of things, got deleted and I did not make a screenshot (I didn't think about it being deleted).

Regarding the other comments: they are mostly surfacing. The discussions on the official forums do contain more details IMHO. I was posting the things I was concerned about in my first deleted post (and it did contain more information than the other posts in the comments). But there's no reason to write it all again when it gets deleted anyway, so I simply referred to the official forum (well, there's some censorship there as well, but at least the author isn't capable of deleting posts directly...).

Regarding the .exe:
If you do not decompile the binaries you won't be able to determine if they have been built from that source. So a simple source code review won't be enough. Besides the source code shows that the local lua files are being regularly overwritten by the content delivered by the (closed source) web server (again, a review of that source won't help much).

And exactly such comments are being deleted. If you look on how the author is handling criticism and feedback in general (he mostly dodges, ignores or deletes such statements) this whole thing looks even worse.

Yet, when you look at the addon comments, you will miss out on many things.

I understand that the admins can't take control of everything, but this form of censorship is pretty bad. It should be possible to prevent authors from deleting comments if they abuse that feature. If anything is wrong with this addon (e.g. malware) I consider the admins to be responsible for the damage caused as well, as they a) allowed the addon and b) prevented other users from being warned.
Attached Thumbnails: removing_posts_nah.png, removing_posts_nah3.png
07/31/17, 05:38 AM   #4
Ayantir
AddOn Author
Join Date: Jul 2014
Posts: 1,019
Hello,

Did you try to politely contact the author personally by private message? What's his response?

I do agree that the abuse of the delete button is a bad practice, and would suggest everyone to have a constructive discussion with tempered comments.
A deletion of a message is not a good thing except if it discloses some security breaches or shifts to a subject which differs from the project itself.

Well, maybe both of you should reconsider your words, maybe yours, maybe his, I don't know, because I didn't follow the whole thing, but try to bring a more constructive discussion than the current one-sided (and even..) talk.
07/31/17, 05:52 AM   #5
Sordrak
AddOn Author
Join Date: May 2017
Posts: 52
Originally Posted by Ayantir View Post
Hello,

Did you try to politely contact the author personally by private message? What's his response?

I do agree that the abuse of the delete button is a bad practice, and would suggest everyone to have a constructive discussion with tempered comments.
A deletion of a message is not a good thing except if it discloses some security breaches or shifts to a subject which differs from the project itself.

Well, maybe both of you should reconsider your words, maybe yours, maybe his, I don't know, because I didn't follow the whole thing, but try to bring a more constructive discussion than the current one-sided (and even..) talk.
Well the author completely ignores all my comments, both on the official forum and here. I doubt a private message will make any sense, as my comments obviously aren't welcome. Furthermore, I consider the author not to be trustworthy in any way, due to his behavior.

He claims that everything is fine and no issue at all, which obviously isn't true. So instead of arguing I'm getting ignored or my posts are being deleted (there's not much to argue anyway, as you can't deny or argue about facts, they are what they are).

The author has been accused of having taken code of other authors without their consent. This has been claimed by another author on the official forum and here. Guess what, I can't find that comment here anymore.

And that's the issue in my opinion. If there's criticism or a risk associated with an addon, it should be possible to comment on that, regardless what the author claims.

This whole thing is shady as ****. Some comments are left there, and in the context they are, it can be interpreted as that everything is fine, and there aren't any arguments against the addon anymore (or way less, respectively only surfacing).
07/31/17, 06:28 AM   #6
Dolby
Every day I'm shuffling
Premium Member
WoWInterface Admin
Join Date: Feb 2004
Posts: 1,278
Authors can delete comments on their own AddOns, they can't delete posts in our forums. Maybe I should at least put up a sign if an Author chooses to delete a comment saying the Author has deleted comments.

I haven't received any info on copied code from other addons. I've looked at the source of the exe and it doesn't do anything malicious that I can tell. However, maybe a thread should be created in "General Authoring Discussion" if more people want to discuss this AddOn and have concerns? I'll certainly keep it open as long as the majority of posters to the thread stay civil.

Last edited by Dolby : 07/31/17 at 06:34 AM.
07/31/17, 06:47 AM   #7
Anceane
AddOn Author
Join Date: Feb 2014
Posts: 306
Originally Posted by Dolby View Post
Authors can delete comments on their own AddOns, they can't delete posts in our forums. Maybe I should at least put up a sign if an Author chooses to delete a comment saying the Author has deleted comments.

I haven't received any info on copied code from other addons. I've looked at the source of the exe and it doesn't do anything malicious that I can tell. However, maybe a thread should be created in "General Authoring Discussion" if more people want to discuss this AddOn and have concerns? I'll certainly keep it open as long as the majority of posters to the thread stay civil.
I remember a post from an addon author saying that most of the code was identical to the TTC one in some parts. The author was also saying that it was not very fair to not even ask for consent to use the code, or to mention that this new addon was being made with help from ...

I was myself even surprised that no one reacted to this, and even more so from you.

Actually the author deleted a lot more comments than Sordrak's: most of the comments, polite or not, that were pointing to the dangerous side of the addon were deleted.

If an addon is subject to controversy, as this one is, maybe you should take a stand on it.
07/31/17, 07:00 AM   #8
Sordrak
AddOn Author
Join Date: May 2017
Posts: 52
Originally Posted by Dolby View Post
Authors can delete comments on their own AddOns, they can't delete posts in our forums. Maybe I should at least put up a sign if an Author chooses to delete a comment saying the Author has deleted comments.

I haven't received any info on copied code from other addons. I've looked at the source of the exe and it doesn't do anything malicious that I can tell. However, maybe a thread should be created in "General Authoring Discussion" if more people want to discuss this AddOn and have concerns? I'll certainly keep it open as long as the majority of posters to the thread stay civil.
Hi Dolby,

Didn't I send the link to the thread in the official forum?
Well, you might read the following comment in that case:
https://forums.elderscrollsonline.co...omment_4359485

Eloheynu wrote: »
I did, however, use the TTC serializer that Steven Chen wrote. I gave him credit in my addon info page for that part.
I still can't find a single word on your addon page about credits. And also the serializer is NOT the only thing you copied from TTC.

here is a list of your files in Git

Constants.cs (direct copied from TTC, you can even find the commented out PriceTable related lines, file name is the same too)
ESOBidEntry.cs (Original since TTC doesn't have it)
ESOFilledOrderEntry.cs (Original since TTC doesn't have it)
ESOItem.cs (copied from TTC with some modification, file name is the same too)
ESOTradeAsset.cs (copied from TTC with some modification, file name is the same too)
ESOTradeEntry.cs (copied from TTC with some modification, file name is the same too)
ESOTradeInfo.cs (Original since TTC doesn't have it)
HTTPService.cs (direct copied from TTC with no modification)
PostTradeResult.cs (direct copied from TTC with no modification)
RequestResult.cs (direct copied from TTC with no modification)
ServerRegion.cs (direct copied from TTC with no modification)
Util.cs (copied from TTC with just a bit modification, file name is the same too)
WebClientEx.cs (direct copied from TTC with no modification)
Form1.cs (copied from TTC; anything that has to do with parsing and uploading is a direct copy. You can even find the method for updating TTC's price table in it)
Eloheynu wrote: »
I debated writing my own, but I decided to package the beta up and send a PM to him to see if he approves. Haven't heard back yet
You sent the PM after Phil posted negative feedback on the forum, NOT before or shortly after you packaged the beta up. To be honest, you had plenty of time to ask for permission during your development, but you never did so. Beta is never an excuse for cribbing other people's work (and even worse, 0 credit for it).

Nirn auction house is not the first addon that uses TTC's material. But the main difference is, all other authors asked for my permission and I gave permission to all of them. I even told them how to use it and what to watch out for.

Claiming something like this is original doesn't look right to me. And the attitude is what makes me angry.
The author's response:
https://forums.elderscrollsonline.co...omment_4360439

@cyx54tc
No TOS is present or needs to be accepted when you use Minion to download and run your plugin. Sorry if you think that protects your small enterprise and its private code from anyone else that's interested in making mods for ESO. And again, my intention was never to copy your code. I did use general naming conventions, but generally, it's nice when a community standardizes things. When new authors want to build addons, it's easy to integrate together.

I'm almost done rewriting everything in the library. Just doing some final testing before I release a new beta version with many optimization already and improvements. The code will be up soon to view open source.

-Elo
So, yes. The code simply has been taken. As far as I remember there are other accusations that code of other addons have been abused. Obviously, you can't find the TTC author's comment in the NAH comment section. Guess what... it has been deleted. You don't see any issues here?

I'm sorry, but I do not consider such an author trustworthy enough to be throwing around exe files. And exactly such critique should be part of an addon's comment section, or maybe shown as a bold red warning...

Back to your source code review:
-Do you agree that it simply doesn't matter what is present on GitHub? What matters is what the binary file does, and you have no idea what it does before decompiling / reverse engineering it. I really doubt at that point that the admins are doing this with every single release of the addon.
-So you consider it not malicious when an addon (respectively the exe) is capable of writing new lua code that hasn't been there before? You have no idea what will be written as it is under full control of the author's server.
See: https://github.com/evan-sctg/NirnAuc...uctionHouse.cs
Just as an example:
...
this.TradeListPath = Path.Combine(this.AddonDirectory, "Trades.lua");
this.BidListPath = Path.Combine(this.AddonDirectory, "Bids.lua");
this.TrackedBidListPath = Path.Combine(this.AddonDirectory, "Tracked.lua");
...
{
    using (WebClient client = new WebClient()) {
        string TradeListContent = client.DownloadString(this.APIEndpoint + "/proc/tradelist");
        File.WriteAllText(this.TradeListPath, TradeListContent);
    }
    ...
    string BidListContent = client.DownloadString(this.APIEndpoint + "/proc/bidlist/" + ActiveAccount);
    File.WriteAllText(this.BidListPath, BidListContent);
    ...
    string TrackedBidListContent = client.DownloadString(this.APIEndpoint + "/proc/mybidlist/" + ActiveAccount);
    File.WriteAllText(this.TrackedBidListPath, TrackedBidListContent);
...
If you take a look at the server's response:
HTTP/1.1 200 OK
...
Content-Length: 17745

function NirnAuctionHouse:LoadTrades()
...
end
But you might be right, a new thread might be good for this, if people want to discuss further on this instead on the issue regarding censorship.

edit: typos

Last edited by Sordrak : 07/31/17 at 07:17 AM.
07/31/17, 07:40 AM   #9
Dolby
Every day I'm shuffling
Premium Member
WoWInterface Admin
Join Date: Feb 2004
Posts: 1,278
Originally Posted by Sordrak View Post
Hi Dolby,

Didn't I send the link to the thread in the official forum?
Well, you might read the following comment in that case:
https://forums.elderscrollsonline.co...omment_4359485
You did, however I missed that comment. I have reached out to cyxui for more details on this matter. Thanks for pointing that out.

I agree this is very concerning. I am also going over all the posts that were deleted.

Back to your source code review:
-Do you agree that it simply doesn't matter what is present on github? What matters is what the binary file does and you have no idea what it does before decompiling / reverse engineer it. I really doubt at that point that the admins are doing this with every single release of the addon.
Correct, what is in the exe is the most important, and you are correct that we don't decompile every release; we spot check. We do, however, always scan via VirusTotal, although that will only catch known signatures.

-So you consider it not malicious when an addon (respectively the exe) is capable of writing new lua code that hasn't been there before? You have no idea what will be written as it is under full control of the author's server.
I don't see it being able to download and execute an exe (this is why we rejected his update.exe), it writes lua. When I look at an exe I look more on how it could remote execute something like installing a key logger, etc. You're saying the author could re-write his AddOn and do something to users in game via said AddOn. That is also bad since we are not able to review the lua that is sent down. I think maybe he needs to change it so lua isn't written, it writes to some txt file and the AddOn reads the data from it?

Last edited by Dolby : 07/31/17 at 07:47 AM.
07/31/17, 07:51 AM   #10
Sordrak
AddOn Author
Join Date: May 2017
Posts: 52
Originally Posted by Dolby View Post
You did, however I missed that comment. I have reached out to cyxui for more details on this matter. Thanks for pointing that out.



I agree this is a bit concerning. I am also going over all the posts that were deleted.


Correct, what is in the exe is the most important, and you are correct that we don't decompile every release; we spot check. We do, however, always scan via VirusTotal, although that will only catch known signatures.



I don't see it being able to download and execute an exe, it writes lua. When I look at an exe I look more on how it could remote execute something like installing a key logger, etc. You're saying the author could re-write his AddOn and do something to users in game via said AddOn. That is also bad since we are not able to review the lua that is sent down. I think maybe he needs to change it so lua isn't written, it writes to some txt file and the AddOn reads the data from it?
-A lot of things are very concerning. That is exactly my point. It might be legit, it might not. But simply ignoring the risks is wrong. And it should be mentioned on the addon's download page or at least in the comments (as mentioned earlier, it would be buried after too many comments and no one would read it). Yet, that won't happen as the author will delete such posts.

-Which means he just needs to be lucky to get some arbitrary binary (not built from the source) running on ESOUI users' PCs. I know that the effort to check all of this is high, too high indeed. But I still consider this a security risk. And as you've said, AV software looks for a signature. It is easy to bypass an AV signature. (I won't repeat myself here; you should find more regarding this issue in at least the official ESO forum thread.)

-It only writes Lua as far as I can tell (I actually only took a short peek at one of the .cs files, so no guarantees here from my side). I'm saying that currently the author is capable of running arbitrary Lua code on the clients, yes. And yes, this is bad. He could run different code on different clients (e.g. depending on IP or account name) and he could overwrite the same Lua code afterwards and you wouldn't notice. In my opinion this is nothing an addon should be capable of. Your suggestion likely won't work. He uses the manipulated Lua files as a "proxy" between the game and the exe. The game itself wouldn't be capable of reading .txt files, therefore he uses the Lua files (incl. /reloadui) to transfer the data back from the exe to the client. Yet, he has full control over all the Lua code. I currently do not see a solution to this issue.

edit: typos

Last edited by Sordrak : 07/31/17 at 07:53 AM.
07/31/17, 10:01 AM   #11
Shinni
AddOn Author
Join Date: Mar 2014
Posts: 167
Originally Posted by Dolby View Post
That is also bad since we are not able to review the lua that is sent down. I think maybe he needs to change it so lua isn't written, it writes to some txt file and the AddOn reads the data from it?
Since eso's lua can't open other files, the only way to load data is to save them as lua code/tables and execute these files. However, the code doesn't have to be generated by the server, i.e. the server could send a json file which is then transformed to a lua table by the .exe. As the .exe is open source, we could see if the .exe is able to generate other lua code besides just tables.

edit: how does TTC handle this, given that there are reports that NirnAH uses the same code?

Last edited by Shinni : 07/31/17 at 10:22 AM.
07/31/17, 10:05 AM   #12
Sordrak
AddOn Author
Join Date: May 2017
Posts: 52
Originally Posted by Shinni View Post
Since eso's lua can't open other files, the only way to load data is to save them as lua code/tables and execute these files. However, the code doesn't have to be generated by the server, i.e. the server could send a json file which is then transformed to a lua table by the .exe. As the .exe is open source, we could see if the .exe is able to generate other lua code besides just tables.
I doubt that this easily works, as there might be several methods to bypass such an implementation (besides, the issue with the binary review stays the same). E.g. you would have to filter the whole JSON response properly, so that there are only "real" key / value pairs and functions / other code get removed.
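Shinni's proposal above (the server sends JSON, the exe turns it into a Lua table) and Sordrak's reply (the filter has to guarantee that only real key/value pairs come out, never functions or other code) can both be checked in a small serializer. The following is an added illustration and not code from Nirn Auction House, TTC or the site; the exe discussed in the thread is C#, and this Python sketch shows the same approach language-neutrally. The function names (json_to_lua_chunk, lua_value, accepts), the global name NAH_Trades and the sample responses are assumptions made for the example. The safety argument does not rest on filtering bad strings out: the output grammar is restricted to literals and table constructors, so a value like `" } ; evil_function() --` can only ever end up inside an escaped string literal, and a body that is Lua source rather than JSON is rejected before anything is written.

```python
"""Data-only JSON -> Lua serialization (added example, not NAH or TTC code).

Names such as json_to_lua_chunk and NAH_Trades are assumptions for this example.
"""
import json
import re

_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
_LUA_KEYWORDS = {
    "and", "break", "do", "else", "elseif", "end", "false", "for", "function",
    "if", "in", "local", "nil", "not", "or", "repeat", "return", "then",
    "true", "until", "while",
}
MAX_DEPTH = 8  # bound nesting so a hostile response cannot exhaust the stack


def lua_string(s: str) -> str:
    """Emit s as a double-quoted Lua 5.1 string literal.

    Quotes, backslashes, newlines and control bytes are escaped, so whatever
    the server put in the value stays string data when the game loads the
    file; it cannot close the literal and turn into code.
    """
    out = []
    for ch in s:
        if ch == "\\":
            out.append("\\\\")
        elif ch == '"':
            out.append('\\"')
        elif ch == "\n":
            out.append("\\n")
        elif ch == "\r":
            out.append("\\r")
        elif ch == "\t":
            out.append("\\t")
        elif ord(ch) < 0x20 or ord(ch) == 0x7F:
            out.append("\\%03d" % ord(ch))  # Lua decimal escape, always 3 digits
        else:
            out.append(ch)  # non-ASCII passes through; write the file as UTF-8
    return '"' + "".join(out) + '"'


def lua_value(v, depth: int = 0) -> str:
    """Serialize a decoded JSON value as a Lua constructor containing only data."""
    if depth > MAX_DEPTH:
        raise ValueError("nesting too deep")
    if v is None:
        return "nil"
    if v is True:  # bool is checked before int because bool subclasses int
        return "true"
    if v is False:
        return "false"
    if isinstance(v, int):
        return str(v)
    if isinstance(v, float):
        if v != v or v in (float("inf"), float("-inf")):
            raise ValueError("non-finite number")
        return repr(v)
    if isinstance(v, str):
        return lua_string(v)
    if isinstance(v, list):
        return "{" + ",".join(lua_value(x, depth + 1) for x in v) + "}"
    if isinstance(v, dict):
        parts = []
        for k, x in v.items():
            # Bare identifiers only when safe; keywords and odd keys such as
            # "1abc" or "a b" use the quoted ["..."] form instead.
            if _IDENT.match(k) and k not in _LUA_KEYWORDS:
                parts.append(f"{k}={lua_value(x, depth + 1)}")
            else:
                parts.append(f"[{lua_string(k)}]={lua_value(x, depth + 1)}")
        return "{" + ",".join(parts) + "}"
    raise ValueError(f"unsupported type {type(v).__name__}")


def json_to_lua_chunk(body: str, global_name: str) -> str:
    """Turn a server response into a Lua chunk that assigns one data table.

    The body must parse as JSON (a Lua source body fails here), and the
    top level must be an object or array.
    """
    if not _IDENT.match(global_name) or global_name in _LUA_KEYWORDS:
        raise ValueError("bad global name")
    data = json.loads(body)  # JSONDecodeError is a ValueError
    if not isinstance(data, (dict, list)):
        raise ValueError("top-level JSON must be an object or array")
    return f"{global_name} = {lua_value(data)}\n"


def accepts(body: str) -> bool:
    """True if body would be written to the .lua file, False if it is rejected."""
    try:
        json_to_lua_chunk(body, "NAH_Trades")
        return True
    except ValueError:
        return False


# Constructed sample responses (not captured from any real service).
SAFE_BODY = '{"trades":[{"item":"Nirnhoned Sword","price":1250,"seller":"@someone"}]}'
HOSTILE_BODY = '{"trades":[{"item":"\\" } ; evil_function() --","price":1}]}'
LUA_BODY = "function NirnAuctionHouse:LoadTrades()\nend\n"

if __name__ == "__main__":
    print(json_to_lua_chunk(SAFE_BODY, "NAH_Trades"), end="")
    print(json_to_lua_chunk(HOSTILE_BODY, "NAH_Trades"), end="")
    print("Lua source body accepted:", accepts(LUA_BODY))
```

The point of the design is that there is nothing to "filter": the code never copies input bytes into the output except through lua_string, and the only syntax it emits is what the serializer itself writes. That is what makes the approach testable in the way Sordrak asks for; the tests are a handful of inputs (quotes, backslashes, Lua keywords as keys, control bytes, deep nesting, a body that is plain Lua) rather than a blacklist of patterns. It does not address the separate point raised earlier in the thread that the shipped binary must actually be built from the reviewed source.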
07/31/17, 10:09 AM   #13
Dolby
Every day I'm shuffling
Premium Member
WoWInterface Admin
Join Date: Feb 2004
Posts: 1,278
Originally Posted by Shinni View Post
Since eso's lua can't open other files
Doh you're right, I forgot about that.

Originally Posted by Shinni View Post
, the only way to load data is to save them as lua code/tables and execute these files. However, the code doesn't have to be generated by the server, i.e. the server could send a json file which is then transformed to a lua table by the .exe. As the .exe is open source, we could see if the .exe is able to generate other lua code besides just tables.
That would be a decent way to handle it.

There are many other things to consider now though; waiting to hear back from cyxui to see if that issue was ever resolved. Also going over deleted comments and will likely contact the author soon about that and the security issues brought up here to see if a resolution can be found. If not, then I think the AddOn will have to be pulled from our site until it's redesigned. I just wanted to come up with some possible solutions.

Edit: Contacted Elo to get more information, will update when I get more info.

Last edited by Dolby : 07/31/17 at 10:37 AM.
07/31/17, 10:55 AM   #14
sirinsidiator
AddOn Author
Join Date: Apr 2014
Posts: 1,578
Tamriel Trade Center and all other addons that contain exe files are in no way different and pose the same risk as Nirn Auction House.
To be honest, I think it was a bad idea to allow addons with executables at all. Instead they should have been forced to use scripts (lua, js, php, python, whatever) to handle what they try to accomplish. The end users would have to install an interpreter on their machine, but at least that way it would be very hard to hide malicious code compared to when a precompiled binary is used.

Maybe for the future, you could add some sort of reputation system? New addon authors without a reputation are not allowed to upload binaries. And when someone tries to download an addon with a binary from someone with low reputation they get a big warning telling them that it might be very dangerous?
07/31/17, 01:48 PM   #15
Ayantir
AddOn Author
Join Date: Jul 2014
Posts: 1,019
I do agree that a warning on addons with an embedded binary and not yet tagged as "popular", for example, would not be too much.

After all, if an .exe can lead to way worse things than the sandboxed Lua environment built by ZOS, from a dev point of view addons can (woops) delete your items, and from a user point of view it could be worse than a system reinstall, or worse, include some malicious library (follow me )

For dev reputation.. it'll maybe be a bit too much, as this process should be automated.
Don't forget that a warning could lead to fewer downloads, which is not a good thing either.

PS: I had spoken of a kind of convention / good practices when releasing addons; it has always been something in my mind, but we could do something (with some external input) in order to give a nice message when creating a new addon.

PPS: I do agree that lua code downloaded from webserver is.. a newbie error. I don't want to blame our latest week-end coder but helping everyone and help them to understand why it's bad.

By the way if he wants to talk to some objective folks already considered as tyrants and evil coders, there is gitter
07/31/17, 02:17 PM   #16
Sordrak
AddOn Author
Join Date: May 2017
Posts: 52
Originally Posted by Ayantir View Post
I do agree that a warning on addons with an embedded binary and not yet tagged as "popular", for example, would not be too much.

After all, if an .exe can lead to way worse things than the sandboxed Lua environment built by ZOS, from a dev point of view addons can (woops) delete your items, and from a user point of view it could be worse than a system reinstall, or worse, include some malicious library (follow me )

For dev reputation.. it'll maybe be a bit too much, as this process should be automated.
Don't forget that a warning could lead to fewer downloads, which is not a good thing either.

PS: I had spoken of a kind of convention / good practices when releasing addons; it has always been something in my mind, but we could do something (with some external input) in order to give a nice message when creating a new addon.

PPS: I do agree that lua code downloaded from webserver is.. a newbie error. I don't want to blame our latest week-end coder but helping everyone and help them to understand why it's bad.

By the way if he wants to talk to some objective folks already considered as tyrants and evil coders, there is gitter
Well, the author, if his identity isn't stolen and my assumptions are correct, has been working as a "developer" for a while now (10+ years). So I'm actually not sure if week-end coder or newbie error fits in. Maybe it does and everything is a mistake on his side (with a lot of other mistakes as well). I guess all of this is pure speculation.

And again, writing a filter to ensure that no Lua is directly served is difficult and should be tested very well.
07/31/17, 02:31 PM   #17
Dolgubon
AddOn Author
Join Date: Jan 2016
Posts: 409
Originally Posted by sirinsidiator View Post
Maybe for the future, you could add some sort of reputation system? New addon authors without a reputation are not allowed to upload binaries. And when someone tries to download an addon with a binary from someone with low reputation they get a big warning telling them that it might be very dangerous?
I think an automated reputation system would be a good idea. Probably the simplest implementation would be based on # of downloads.


Also, it seems like many of the complaints are that binaries could contain anything. Maybe a solution would be to completely disallow addon authors to upload binary files, and have the site admins get the source, and then compile it and upload it. I don't know much about compiling stuff though so that might not be feasible.


As for being able to write Lua code - that is definitely bad. Here's just a few things that could be done: Destroy all items, promote random (or specific) people to be a guild's GM, prevent grouping, crash the game, hinder PvP. Some of that is relatively contrived, but it's still probably not a good idea.


Originally Posted by Sordrak View Post
Well, i agree with a few things and disagree with some of the things you wrote.

Let's start with the comment where i got quoted "blah-blah-blah". I never wrote that.



Sorry about that then, I was going off of the so-called 'quoted' text. Which does bring something up a bit with quoted text, that can be changed to be a bit malicious.
07/31/17, 03:16 PM   #18
Kyoma
AddOn Author
Join Date: Apr 2014
Posts: 125
Depending on the environment it may not be a simple task to compile various source codes.
07/31/17, 04:42 PM   #19
silvereyes
AddOn Author
Join Date: Aug 2015
Posts: 66
Realistically, I think there are only two options to protect users from abuse from this kind of addon:
  • Add a warning label to any addons that contain executables or link to them.
  • Disallow addons that contain executables or link to them.

I'm skeptical of the following options:
  • Disallow addons that contain executables, but allow links to a separately hosted download. The exe still ends up running on people's systems, regardless.
  • Allowing bundled interpreted language third-party programs (e.g. javascript, php, etc). Few users will bother, meaning few authors will choose to distribute code this way. They will just host an exe off-site instead.
07/31/17, 06:25 PM   #20
Dolgubon
AddOn Author
Join Date: Jan 2016
Posts: 409
Are the security risks purely because there is an exe file, or are some of the security risks also specific to Nirn Auction House? It does seem like say, Tamriel Trade Center has been available for a while, and I don't think I've heard of a lot of complaints about the security it has. How is it different? (Or is it in the exact same boat?)