Post-KickStarter LiveCode - security issue fix?
Richmond
richmondmathewson at gmail.com
Wed Feb 27 13:15:19 EST 2013
On 02/27/2013 08:08 PM, Lyn Teyla wrote:
> Hi all,
>
> It has been 3 years since my post to this list urging RunRev to fix the serious security issue where the scripts of password protected stacks and standalone apps can be fully viewed via memory dumps.
>
> This is because password protected scripts remain unencrypted in memory after compilation. That's right, no password is needed, the code is right there in memory.
>
> The issue was also lodged via the LiveCode Quality Control Center (LQCC) as report #8672:
>
> http://quality.runrev.com/show_bug.cgi?id=8672
>
> In September 2010, Mark Waddingham finally responded to the LQCC report, saying that the issue would be eliminated in 5.0 with the move to Unicode.
>
> He then marked the LQCC report as private.
>
> Alas, even after the move to Unicode, the issue remains unresolved.
>
> In September 2011, I requested for a RunRev response via the LQCC report, and received none.
>
> In August 2012, I once again requested for a response, and finally received a reply from "Your Quality Team", who said they did not have an expected target release for this fix yet.
>
> They then set the report to "Hibernating" mode, which sure doesn't sound good.
>
> It is now 2013. Post-KickStarter, RunRev will be implementing a revamp to LiveCode, while offering dual-licensing.
>
> Given that the main difference between the commercial version and the open source version is script security, this has become an issue of even greater importance.
>
> And yet, there has been no word about when this security issue will be fixed.
>
> The LQCC report remains "hibernated".
>
> So the question is, when exactly will this issue finally and actually be fixed?
>
> Also, if it still isn't fixed once dual-licensing is up and running, then what would be the point of releasing closed-source applications when the code is going to be right there in memory unencrypted, for thieves to steal?
>
> Does no one else think this is an important issue that needs to be addressed immediately?
>
> - Lyn
>
Yes, I do think this is an important issue which should have been
addressed donkey's ages ago.
There are several 'old chestnuts' sitting around in the bug reports that
have been overlooked overlong, and they DO need to be sorted out
very, very quickly indeed, and, ideally, before the feeding-frenzy /
group love-fest of the Open Source version sweeps our attention away
from these problems.
If I pay for the Commercial version, from now on, the main difference
between it and the Open Source variant will be that
I can keep my secrets to myself. If all that it takes is a memory dump,
there is no real reason to buy the commercial version.
---------------------
HOWEVER, you may find that this problem has been addressed, silently;
RunRev do seem to have that tendency.
Of course, now they are going all 'Open' they are going to have to be
OPEN about things like that as well as their OS code.
Richmond.