Is there a way to disable SexScripts new "internet" functions without blocking the entire program from the net via firewall/antivirus?

By that I mean, still being able to download/upload scripts, but not letting scripts send images to a server, compose and send emails, etc.

If not, can I request this as a toggle-like "settings" feature? I'm sure many would find this a good security precaution!

I don't know. Benevolent script will have "internet" in their tag, and won't work without it. Malevolent script can not be stopped by such a switch with full certainty.

As a temporary measure, use external tools.

I would agree with Doti, the internet tag should alert you not to use a script that links to the internet.

Doti is very good at checking scripts when they are verifyed so from a secuitity point the key is probably not to download scripts before they are verified but a simple text search in the script for "sendImage" should highlight if one got through and obviously if you notice anything amiss with any script please report it so no one else gets caught out

To my knowledge the only scripts to date that email or send any images are tagged with "internet" and very clearly state that images are taken and what happens with them, the internet is crucial to these scripts so if thats not your thing they can easily be avoided - we have a lot of scripts to try in here so should not limit you much

_________________
Liz

You can't take something off the Internet - it's like taking pee out of a pool.
https://play-clan.site profile: Liz

I still think this is an important issue to consider, with SS including more and more internet functions that it didn't before as well as becoming more and more widely known (yay!). I agree that right now there is no real cause for alarm, but that might not always be the case.

With most internet-connected programs, if you trust the company/programmers to do the right thing, that's normally the only call to make. In SS's case, though, there's an extra issue that even if you totally trust the program itself, literally *anyone* can make a script and post it, and the only way to know if said script contains internet features is to either trust the right tags have been added (if it is downloaded from this site) or to check the script by hand (and thus "spoil" it) yourself.

I might be more cynical than some folks, but I don't think it's impossible that someone might at some point code a malicious/deceptive/"troll" script using the email or webcam functions newly added to SS. We're a small community now, but that may (and hopefully will) change; just because I trust Doti, doesn't mean I trust every single person who will ever writes an SS script!

In thinking more about solutions, what I'd suggest is either:
1) When SS loads a script, it already checks for errors, doesn't it? If so, have it also check for any internet commands in the script and if any are found, popup a box asking "This script connects to the internet. Allow it? Yes/No". Thus, if I was expecting this (say, I'm playing a script that's clearly designed for emailing someone) I'd say yes, sure. If there were no internet tags or reason to suspect it would be needed, I'd be warned something was odd and could check into it or contact the author.
*or*
2) My first suggestion: simply add a configuration setting option to SS that lets the user toggle "allow scripts to connect to the internet?" on/off.

The more I think about it, the more I lean towards (1) as more helpful and useful, yet it might be more intrusive than (2).

Yes, blocking SS at the user end with a firewall, etc. works, but is far from ideal, requiring manually toggling exceptions on and off when playing a script you trust or testing one you don't.

Some more thoughts...



The more I think about it the more I agree with you about this, it is probably something worth being careful about



I think an option 3 may be better? If the script does not have Internet in setInfos() but finds and internet commands in the script it will flag up an error and will not run - that way it would not get in the way but still provide a safegard?

My other (greater) concern would be people downloading scripts making small changes and then uploading them. With the complexity of the bigger scripts like SubControl it would be relatively easy for someone to put a change in that would expose a subs user code. I like the whole idea of how easy anyone is able to update scripts (thats how I got started in here ) but it would also be good with some of these big scripts to be able to have a checksum system to verify a script has not been changed - at least without warning the end user? On scripts with a checksum, only the logged in author can update the saved checksum for a script? Don't know how hard this would be for Doti to implement but I think it would be worth looking at some ideas around this as simply knowing if a script uses the internet may not prove good enough for security?

_________________
Liz

You can't take something off the Internet - it's like taking pee out of a pool.
https://play-clan.site profile: Liz

Just to follow on from that, there appears to be a few websites looking at google that give some examples on creating checksums in javascript e.g. http://codepen.io/ImagineProgramming/storydump/checksum-algorithms-in-javascript-checksum-js-engine if that helps Doti

_________________
Liz

You can't take something off the Internet - it's like taking pee out of a pool.
https://play-clan.site profile: Liz

If something change, the script won't be "validated". Consider it then as any software you'll find anywhere.

Yes good point

_________________
Liz

You can't take something off the Internet - it's like taking pee out of a pool.
https://play-clan.site profile: Liz