• 1
  • 2(current)
  • 3
  • 4
  • 5
  • 12
Addons that delete competitor's addons
#16
(2016-05-01, 21:24)primaeval Wrote: I don't think some fairly simple file access rules would be too hard to implement for the talented coders here.

If you could only install addons from here it would be as restrictive as Apple's walled garden.
I prefer the freedom of Android and their security model. I know its not bulletproof but it has more freedom.
Possibly not.
I can hope though.
Reply
#17
Quite frankly, I think it's a shame that people need to have their hands held so much these days and are apparently unable to think or find out information for themselves. Whilst I may briefly feel sorry for someone who's fully loaded box gets wiped by an updated malicious add-on, I can only think that this is poetic justice for buying the thing in the first place and wanting something for nothing.

Don't install anything from untrusted sources. This is the same (or it should be) no matter what OS you are running, or what you are thinking of installing on it.

@primaeval, how do you feel about Kodi's ability to load binary add-ons Huh
Learning Linux the hard way !!
Reply
#18
(2016-05-01, 21:35)black_eagle Wrote: Quite frankly, I think it's a shame that people need to have their hands held so much these days and are apparently unable to think or find out information for themselves. Whilst I may briefly feel sorry for someone who's fully loaded box gets wiped by an updated malicious add-on, I can only think that this is poetic justice for buying the thing in the first place and wanting something for nothing.

Don't install anything from untrusted sources. This is the same (or it should be) no matter what OS you are running, or what you are thinking of installing on it.

@primaeval, how do you feel about Kodi's ability to load binary add-ons Huh

If binary addons had some file access restrictions too I would be happy as can be.
Kodi still feels like Windows from the 90s where everything was open and free before people discovered viruses and trojans.
Or free love in the 60s before Aids came along.
Reply
#19
I still think the onus is on the user to vet their add-ons in much the same way as any other app they may wish to install. Caveat emptor or, in this digital age, downloader beware !!
Learning Linux the hard way !!
Reply
#20
So what you're effectively saying is kodi needs to be made more 'pirate-friendly'...
I have no problem at all with what people use it for, but does making it 'safe' to use any old crap from the internet really sound like the direction to go in?
Maybe there could be a publicity campaign to go with it...
Reply
#21
(2016-05-01, 21:49)black_eagle Wrote: I still think the onus is on the user to vet their add-ons in much the same way as any other app they may wish to install. Caveat emptor or, in this digital age, downloader beware !!

It is also easy enough for a top coder to slip up and accidentally delete the hard disk if he didn't change to the correct directory first.
Access restrictions aren't just to stop malicious code.
Reply
#22
(2016-05-01, 21:53)primaeval Wrote: It is also easy enough for a top coder to slip up and accidentally delete the hard disk if he didn't change to the correct directory first.
Access restrictions aren't just to stop malicious code.
It is?
Has it happened?
Do you have a scenario?
Reply
#23
(2016-05-01, 21:57)trogggy Wrote:
(2016-05-01, 21:53)primaeval Wrote: It is also easy enough for a top coder to slip up and accidentally delete the hard disk if he didn't change to the correct directory first.
Access restrictions aren't just to stop malicious code.
It is?
Has it happened?
Do you have a scenario?

I exaggerate for effect but it is not uncommon.

I realized I wrote some code that deleted a file that a user might have potentially spent a lot of time editing by accident the other day and quickly created a new release. Nothing malicious, just a logic mistake that would have got through a Kodi addon check. It could have been any file on the user's network.

Long time Unix admins will appreciate the access restrictions of their users.
Addons are really user programs of the Kodi OS.

I hope you know about how easy it is to hide malicious code.
Have you heard of the The International Obfuscated C Code Contest?
Only access restrictions will stop a world of pain.
Reply
#24
(2016-05-01, 22:06)primaeval Wrote: Only access restrictions will stop a world of pain.
Using computers like a grown-up generally works.
Reply
#25
See my post in that thread about a certain addon attempting to add an entry to the HOSTS file - it won't be successful unless Kodi is started with escalated privileges but it's concerning to see such code since it can be used for MITM attacks.

Some sort of sandboxed behaviour for addons is needed - chroot enviroment and jailed processes.
Reply
#26
(2016-05-01, 22:12)Paranoidjack Wrote: See my post in that thread about a certain addon attempting to add an entry to the HOSTS file - it won't be successful unless Kodi is started with escalated privileges but it's concerning to see such code since it can be used for MITM attacks.

Now Kodi has so many users who are not too technically sophisticated it must be tempting for the bad guys to think about using it for attacks.
Just write an addon with a few tempting hd sports links which grabs your passwords and sends them to the Russian mafia as part of the url base64 encoded with obfuscation.
Reply
#27
I've tried to convey the seriousness of running obfuscated code to the users in that subreddit but the majority of them don't really see what the problem is as long as they're receiving content for free.
Reply
#28
(2016-05-01, 22:24)Paranoidjack Wrote: I've tried to convey the seriousness of running obfuscated code to the users in that subreddit but the majority of them don't really see what the problem is as long as they're receiving content for free.

Do you know the easiest/best way to set up a restricted user account for Kodi that would limit some of the potential damage?
I use Linux/Android/Windows but Mac advice would be valuable too.
I mean as limited as possible but usable.
Reply
#29
Creating a restricted user with no read/write permissions apart from the directories Kodi needs to run would be the best way for every platform apart from Android - even still, it wouldn't be 100% effective.

I think the most important thing to do is never run Kodi as root or administrator.
Reply
#30
(2016-05-01, 19:27)primaeval Wrote:
(2016-05-01, 19:23)trogggy Wrote: It's happened before, it will no doubt happen again.

Simple solution - don't use add-ons coded by immature dicks.
Use ones from here or from somewhere / someone you trust.

Even the ones from here could hide something nasty. I think Kodi could do with more security for addons like Android's app separation.

That is the reason why YOU DON"T use 3rd party addons that are not approved here !

LOL That's like going to the whore house with out a condom ! LOL
One HTPC Windows 7 pro 64x running WMC with 2 HDhomeRun on Comcast 6 tuners with MCEbuddy
WD MyCloud 24TB over Netgear network | 6500 movies and 40,000+ TV Show episodes
Reply
  • 1
  • 2(current)
  • 3
  • 4
  • 5
  • 12

Logout Mark Read Team Forum Stats Members Help
Addons that delete competitor's addons2