Friday, 25 February 2011

More features, but possibly controversial

As you'll probably note, there's now an RPGMaker Trans "latest version" thingy at the top of the page, in preparation for a launch soon. Hopefully I'll be able to make the style look a bit better at some point, but that's not important presently.

The latest version part is a little scheme I've cooked up to try and minimise support headaches for me. I have my suspicions that some problems that people had with older versions of RPGMaker Trans were because they used outdated versions. Hence new versions of RPGMaker Trans will check to see if updates are available by looking up this blog - this is one of the other advantages of moving off Hongfire. If an update is available, then RPGMaker Trans will notify the user and will not run until the update is applied. Or as far as that is possible; in practice a user can get around this by simply deleting or editing the configuration file, or blocking RPGMaker Trans with a firewall. There will also be a clause in the RPGMaker Trans license which means that users are only authorised to run the latest version of RPGMaker Trans, so hopefully ethical people will heed the new rules.

On the subject of license changes, I've redone the redistribution clause. The new clause actually works from a legal point of view (the old one did not specify the license that people with a redistributed copy should use, and so did not work), but also there is a requirement to get permission from me first. This is mainly so that I can have a list of people to e-mail updates to, again to minimise support headaches.

... Actually, when I say support headaches, I also mean "serious security flaws". There is a concerning attack vector in older versions of RPGMaker Trans, given its usage case. Potentially, it is possible to create a game which can execute pretty much any code when fed through RPGMaker Trans; this could be of concern to unauthorised translations when the creator really strenuously objects, but also if there's just some malicious person wanting to expand a botnet or something. Whilst I've got the solution to this hole planned out and nearly implemented, I think it's wise to get some form of centralisation so I can get updates out in a timely fashion, in case there's some other problem.

And for reference, I'm not being spiteful and making up this security hole because I object to other people sharing the present version of RPGMaker Trans, despite my request not to. I'm not going to be disclosing the problem quite yet (as it would be irresponsible of me to do so when users have no way of fixing the problem), but there will be a full disclosure of the problem once the new version is out.

EDIT: As an addendum, patch files can also be used to exploit the flaw (thanks for the question, Matt). I mentioned game files simply because there is a translation project going on which I'm pretty certain isn't approved of by the creators, and so I think this is perhaps the more likely place for the attack to happen from.

4 comments:

  1. Can a patch be used to exploit the flaw? I would be less worried about malicious game files than malicious patches. After all I am already running an exe from the game developer.

    Pertaining to the license, if support headaches are the main worry, why not just put a notice that no support will be provided to users of an outdated version?

  2. Thanks for the question. I've updated the post with some extra info, but yes, patch files can use the same exploit. I'll also point out that the exploit is actually quite nasty in that it would likely fly under most AV products, and that it would only take effect on running the game through RPGMaker Trans. And as certain groups do not want their games distributed out of Japan, it really could be a concern.

    On the license/auto updating front: the real problem is that I have no real way of checking what version someone is running, so support headaches can still ensue regardless of what I say. The license/auto updating is just a very strong prod to encourage people to use the latest version.

  3. The auto updating I understand. Perhaps a pop-up message any time the program is run with auto update turned off that says to get the latest version before reporting problems.

  4. Unfortunately, RPGMaker Trans uses a text-based interface at the moment, so pop-ups are impossible. I've just finished implementing what I described in the post, so when a new version is detected by RPGMaker Trans it refuses to run. It is easily circumventable for someone annoyed by it (block with firewall / delete config file), and given the license changes I'll stick with this method for now. If there's some huge public outcry when it gets released, I may reconsider the feature.
