Post-KickStarter LiveCode - security issue fix?

Kevin Miller kevin at runrev.com
Wed Feb 27 14:35:39 EST 2013


This is a common problem with high-level languages and has always been
present not only in our platform, but in many others throughout history.
We do have various ideas about how to further improve code security in the
commercial edition and look forward to implementing those during the
restructure.

Kind regards,

Kevin

Kevin Miller ~ kevin at runrev.com ~ http://www.runrev.com/
LiveCode: Everyone can code




On 27/02/2013 18:08, "Lyn Teyla" <lyn.teyla at gmail.com> wrote:

>Hi all,
>
>It has been 3 years since my post to this list urging RunRev to fix the
>serious security issue where the scripts of password protected stacks and
>standalone apps can be fully viewed via memory dumps.
>
>This is because password protected scripts remain unencrypted in memory
>after compilation. That's right, no password is needed, the code is right
>there in memory.
>
>The issue was also lodged via the LiveCode Quality Control Center (LQCC)
>as report #8672:
>
>http://quality.runrev.com/show_bug.cgi?id=8672
>
>In September 2010, Mark Waddingham finally responded to the LQCC report,
>saying that the issue would be eliminated in 5.0 with the move to Unicode.
>
>He then marked the LQCC report as private.
>
>Alas, even after the move to Unicode, the issue remains unresolved.
>
>In September 2011, I requested a RunRev response via the LQCC report,
>and received none.
>
>In August 2012, I once again requested a response, and finally
>received a reply from "Your Quality Team", who said they did not have an
>expected target release for this fix yet.
>
>They then set the report to "Hibernating" mode, which sure doesn't sound
>good.
>
>It is now 2013. Post-KickStarter, RunRev will be implementing a revamp to
>LiveCode, while offering dual-licensing.
>
>Given that the main difference between the commercial version and the
>open source version is script security, this has become an issue of even
>greater importance.
>
>And yet, there has been no word about when this security issue will be
>fixed.
>
>The LQCC report remains "hibernated".
>
>So the question is, when exactly will this issue finally and actually be
>fixed?
>
>Also, if it still isn't fixed once dual-licensing is up and running, then
>what would be the point of releasing closed-source applications when the
>code is going to be right there in memory unencrypted, for thieves to
>steal?
>
>Does no one else think this is an important issue that needs to be
>addressed immediately?
>
>- Lyn





