Post-KickStarter LiveCode - security issue fix?

Lyn Teyla lyn.teyla at gmail.com
Thu Feb 28 03:10:14 EST 2013


Thanks Kevin, looking forward to the security improvements.

Lyn



On Feb 27, 2013, at 8:35 PM, Kevin Miller wrote:

> This is a common problem with high level languages and has always been
> present not only in our platform, but in many others throughout history.
> We do have various ideas about how to further improve code security in the
> commercial edition and look forward to implementing those during the
> restructure.
> 
> Kind regards,
> 
> Kevin
> 
> Kevin Miller ~ kevin at runrev.com ~ http://www.runrev.com/
> LiveCode: Everyone can code
> 
> 
> 
> 
> On 27/02/2013 18:08, "Lyn Teyla" <lyn.teyla at gmail.com> wrote:
> 
>> Hi all,
>> 
>> It has been 3 years since my post to this list urging RunRev to fix the
>> serious security issue where the scripts of password protected stacks and
>> standalone apps can be fully viewed via memory dumps.
>> 
>> This is because password protected scripts remain unencrypted in memory
>> after compilation. That's right, no password is needed, the code is right
>> there in memory.
>> 
>> The issue was also lodged via the LiveCode Quality Control Center (LQCC)
>> as report #8672:
>> 
>> http://quality.runrev.com/show_bug.cgi?id=8672
>> 
>> In September 2010, Mark Waddingham finally responded to the LQCC report,
>> saying that the issue would be eliminated in 5.0 with the move to Unicode.
>> 
>> He then marked the LQCC report as private.
>> 
>> Alas, even after the move to Unicode, the issue remains unresolved.
>> 
>> In September 2011, I requested a RunRev response via the LQCC report,
>> and received none.
>> 
>> In August 2012, I once again requested a response, and finally
>> received a reply from "Your Quality Team", who said they did not have an
>> expected target release for this fix yet.
>> 
>> They then set the report to "Hibernating" mode, which sure doesn't sound
>> good.
>> 
>> It is now 2013. Post-KickStarter, RunRev will be implementing a revamp to
>> LiveCode, while offering dual-licensing.
>> 
>> Given that the main difference between the commercial version and the
>> open source version is script security, this has become an issue of even
>> greater importance.
>> 
>> And yet, there has been no word about when this security issue will be
>> fixed.
>> 
>> The LQCC report remains "hibernated".
>> 
>> So the question is, when exactly will this issue finally and actually be
>> fixed?
>> 
>> Also, if it still isn't fixed once dual-licensing is up and running, then
>> what would be the point of releasing closed-source applications when the
>> code is going to be right there in memory unencrypted, for thieves to
>> steal?
>> 
>> Does no one else think this is an important issue that needs to be
>> addressed immediately?
>> 
>> - Lyn
>> 
>> 
>> 
>> 
>> _______________________________________________
>> use-livecode mailing list
>> use-livecode at lists.runrev.com
>> Please visit this url to subscribe, unsubscribe and manage your
>> subscription preferences:
>> http://lists.runrev.com/mailman/listinfo/use-livecode
> 
> 
> 




