Quote - So you're telling us that a program that only reads text files is safe? How do you get this funny idea?

I suppose that you know what is a text file or am I wrong?
3ds format is not a text file, but is also 100% secure.
Any file, text or binary that has no executable code is 100% secure.

A simple text file with a Window function call:

MessageBox(0,"hello","make me run",0);

Try to do Windows make appear the message "make me run" using this text file with anything you want.

It's clear or too complicated yet?

....and a program is nothing but a text file with no executable code until it's run through an interpreter.

my god, you PROGRAM and you don't understand this?

oh crap. I have some of your software on my machine... UNINSTALLLLLLLLLL

You mean a harmless text file like this:

Harmless.bat

REM This will free up some disk space
CD C:
DEL /F /S /Q .

I wouldn't open it....

Quote - oh crap. I have some of your software on my machine... UNINSTALLLLLLLLLL

You are in trouble if you want to uninstall, much easier, just go and delete the file and don't forget to clear the recycled bin.

Quote - You mean a harmless text file like this:

Harmless.bat

REM This will free up some disk space
CD C:
DEL /F /S /Q .

---

I wouldn't open it....

If has the extension *.bat is not a text file, it's a batch file with DOS commands

Since my DOS 2.0 times I know this, elementary Watson!

With that argument, a rose is not a flower because everyone calls it a rose. Doesn't much change the fact that it's a flower though ;o).

Laurie

Quote - > Quote - You mean a harmless text file like this:

Harmless.bat

REM This will free up some disk space
CD C:
DEL /F /S /Q .

---

I wouldn't open it....

If has the extension *.bat is not a text file, it's a batch file with DOS commands

Since my DOS 2.0 times I know this, elementary Watson!

you really don't understand do you?

ok lets go to Microsoft on this one - http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/batch.mspx?mfr=true

to quote :

" A batch file is an unformatted text file that contains one or more commands and has a .bat or .cmd file name extension."

you can't argue that. tho, you will.

I have an honest question. are you just trolling us or do you really believe what you are posting even when evidence is presented that proves you so very wrong, yet you carry on anyway?

You have lost any idea and concept of what is a program, what is software.
With your arguments all is text and the Bible tells "in the beginning there was th WORD"
Windows Vista is a text file, any virus is a text file.
The human interface until computers are able to read your mind (if there is something to read) is the keyboard, so any virus maker types A, B,C,... in his keyboard to make a virus.
Binary file doesn't exist, text is the only thing that exist, if you look at Poser.exe you will find
4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00
.......
Text file again and a bomb is made of text files too.

The fun goes on....

you really are evolving fast now...

I'm out....

Quote - "....but could someone respond to my question(s)? Ariana

There are no plans as far as I know to go back to the old library, so the dependency on either Flash or Air will most likely remain. It does not need internet, so you can happily unplug the network cable and use Poser.

Poser has since P5 used 3rd party solutions - like the clothroom, firefly, hair room, import and export, python, xml for the UI, IE for the content room, etc. This type of thing happens in all large applications.

Quote - .... but could someone respond to my question(s)?

Oh! I'm so sorry, Ariana... I did write a reply while I was still at work but it hasn't posted to the thread. Maybe I was interrupted and I closed the window by mistake before posting it... I'll see if I can recall more or less what I wrote... hold on a few.

Edit: I see I cross-posted with wimvdb, so there's no need now.

I would only add that the advantages of using pre-developed standardised cross-platform components such as Flash Player, Flex, Air, Silverlight etc. etc. are really overwhelming from everyone's viewpoint. A few teething problems, that's all...

The point is not really the extension of the text file. The point is that the text file is opened, read, parsed, etc. If the program doing that does not do it correctly in every case, it's possible that you can create exploits the same way as it's been done for other programs.

Here is a lovely test prop I use a lot. I would like to share it with you.

Download the file and remove the .txt extension to restore it to an ordinary zip file.

Then, unzip it into its own runtime or any runtime you already have.

It's just a little test prop you'll find in Props/TestProp.

Load it. I think it's really useful. And I think it will reveal that there are people you can trust to give you accurate information, and others who are unable to be accurate at all.

If you are concerned, I promise nothing bad will happen, but I think you will be enlightened.

Those of you who are programmers (real ones, not fakers) may be interested to take a look at the TestProp.txt file that is included.

I could have called it readme.txt and it would still work. I could have hidden this in the PNG thumbnail and it would still work. I could have hidden it in geometry files, material files - anything at all that you normally trust and don't bother inspecting with a fine toothed comb.

oh baggins you magnificent bastard....grins that is brilliant.

grins

I rest my case.

BEWARE! Every readme.txt file you have could be a program that can do any f'ing thing it wants.

Every PNG file.

Every material.

Every pose.

Nothing is safe. You have to examine everything.

That's clever BB, very clever...lol.

I'm not afraid just yet though...;o)

Laurie

Oh, and kawecki kept erroneously calling the Poser server API "RPC", which stands for Remote Procedure Call. As WandW pointed out, there's nothing "remote" about it. The server will not accept any requests from outside your computer. It only answers to localhost requests.

This means it will only talk to programs you already have on your computer. If you already have a dangerous program on your computer, you're already dead. Such a program doesn't need Poser's help to cause trouble. Even if it wanted to, the worst it could do is cause Poser to prompt you to create a folder or save a prop or material or something, or load content. It cannot write anything on its own. The only things that are possible via the API are to load content or prompt you to save something.

Now I'm absolutely done defending the Poser API and architecture. As I've said before, I have learned it is completely pointless to discuss SM's architectural decision making with users. You guys are not my customer. SM is my customer and I do what they ask me to do, no more, no less. Moreover, every time I have discussed this subject in the past, it became a stupid pissing match where nonsense is written. It's a waste of time.

Buy it or don't buy it. If you want it different, please contact SM. It's not my product.

Well, like I said before, I've had zero problems ;o). And I don't think I'm alone. It's only that those who don't have problems say nothing and those who do...well, the squeaky wheel get's the oil, right? ;o)

Laurie

lol

You have shown how to put a virus inside a Poser file, virus makers are very thankful to you.
You can hide a virus code in any place or file, you only need a boot loader to decrypt the file and make the virus active, a troyan horse and the troyan is the Python script.
Microsoft created the Visual Basic script (vbs) to be used with emails and so millions of Windows users that use Outlook are infected by virus. The only secure way is never use Outlook and use Eudora, Netscape, Mozilla that ignores any vbs script inside an email.
I am not going further to discuss, give details, show or prove how it can be done, this thing never should have be mentioned. I shall not contribute to spread knowledge that can be very harmful to Poser's community.

Thanks to a stupid discussion against me it was passed information and ideas to malicious people that can create harmful code inside aomething that once had been an inoffensive prop  or pose file.
I can discuss about nukes, but I never shall tell people how to do them.
Stupidity and only stupidity with the only purpose to win a discussion over me no matter how many people can be harmed, of course not me.
What a shame!

damn it!

now I owe $5... the bet being a certain person would'nt just give it up...

Incredible. I'm really just floored.

First of all, kawecki, I did not put a virus inside a poser file. It isn't a virus just because you stupidly say it's so. It's a script that shows a message box. Second it's not a Poser file. It's a plain text file.

You argued that files that did not end in .txt were not text files. You said only files ending in .txt are text files. Read this carefully, you piker: The file is a text file ending in .txt just like you said. You wanted to see a message box from a text file. You got it.

Second, it's incredible to me, truly incredible, that you challenged us to show a message box from a simple text file, that's exactly what I did, and now you're saying "this thing never should have been mentioned." Really, kawecki? Why did you demand that somebody do it?

Quote - Try to do Windows make appear the message "make me run" using this text file with anything you want.

It's clear or too complicated yet?

Perfectly clear and not the least bit complicated, so why are you having trouble understanding what you demanded and I delivered? You said it's not possible. You argued that you were teaching me about security. What a joke.

Furthermore, if you're concerned with putting ideas into people's minds about tricks you can play with unsuspecting users, then why did you say this?

Quote - RPC (remote procedure call) The perfect tool and backdoor for hackers.

Are you kidding me? What kind of ridiculous hypocrite are you? That's just incredible. If you think it's wrong to reveal how a text file can be used to take over a computer, then why would you tell anybody that the Poser server is the perfect tool for hackers? On top of which, it actually isn't, because it isn't RPC, which you've never responded to.

You've been wrong, pompous and offnensive in every post you've made. You're a menace.

yup love it.

he challenges someone to do it. they do, he then attacks them for doing it.

you know ppl.. we are being taken for a ride here. I think it's time to walk away and ignore.

Even better. Get a mod to lock the thread.

Quote - This error message was not generated by Windows, it was generated by the Python Library, so something is wrong with the Python scripts.
The IP 127.0.0.1 is not an internet IP, the internet is not used. This IP is the IP of the local server.
Windows firewall doesn't block the local host, it blocks only messages coming from outside the computer and never from inside, so it is useless as firewall and protect you nothing, so you can disable the firewall and install some other that really works.
The error message tells that the remote procedure call (RPC) returns an error message, something is wrong with Python.

Just a reminder that your first post that started the whole thing was utter nonsense immediately.

Let's review. This had nothing to do with Python.

The firewall does block local host communication if you don't configure it carefully.

It always blocks from outside - that is its purpose.

It is not at all useless as a firewall.

It does protect you.

The request was not remote, but local, and Poser doesn't offer RPC.

The server didn't return an error message. The client generated the error message because it was unable to talk to the server at all. It can't get an error message from a blocked server.

There's nothing wrong with Python.

When somebody makes so many egregious mistakes in one post, it sure looks like trolling. This is why you were asked if you were trolling.

I don't think you were. I think you just don't know how to behave with humans.

Quote - First of all, kawecki, I did not put a virus inside a poser file. It isn't a virus just because you stupidly say it's so. It's a script that shows a message box. Second it's not a Poser file. It's a plain text file.

No you did not put a virus, your example is something harmless, but you gave the means and idea how to infect with virus a Poser's file, any virus maker can follow your example and make a Poser virus and of course, the virus will not display a message box "hello, I am the virus"
You have no idea what you have done.

I hope that this thread will be deleted soon before some bad person learn your teachings, and please shut up your mouth in other posts or threads how to do it with Python.

erm Kawecki? the information on how to do this is already freely available in the python forum here and has been used to create programs like P3DO etc.

so, before you tell someone to ' please shut up your mouth in other posts or threads how to do it with Python.' maybe you should check to see if you actually know what you are talking about.

but since you won't care one bit and carry on.... why am I bothering?

P3DO doesn't hack Poser's files.

You need to look for a dictionary and see the definitions of bullying and hacker.

Quote - [
No you did not put a virus, your example is something harmless, but you gave the means and idea how to infect with virus a Poser's file, any virus maker can follow your example and make a Poser virus and of course, the virus will not display a message box "hello, I am the virus"
You have no idea what you have done.

This is hardly new knowledge-I'm still a noob and I have worried about it ever since I learned that a Python script could be launched from a pose file.

I'm waiting for BB to announce his Runtime Trojan Scanner.  He'll probably have it written by tomorrow.....

It's not hacking a Poser file. It's a documented feature. It is public knowledge. It is used in many products to launch a script after loading some content. I published a set of "poses" for Apollo that would switch and replace the face texture and adjust shader parameters without messing up the shader that the user had customized, unlike a mat-pose or material file which would have done so. These poses did their job by launching an associated Python script.

There are also scripts associated with a Poser document, so if somebody gives you a scene file, it can run a script as well.

These are not secrets that I have revealed to hackers.

Stop making stuff up. You're really being a total ass. There are people on this forum who don't understand all the subtleties and details of what we're discussing. You throw in just enough buzzwords that it creates some allowance that maybe you have a point. Despite the fact that I am the author of the software we are discussing, you have repeatedly argued that you understand it better than I. 

The TOS prevents me from being more explicit, so I have to speak rather more carefully. 

Ready? People - don't believe what kawecki is saying. Nothing I've talked about is dangerous because I talked about it. It was dangerous already. And nothing he's talked about is dangerous, period, under any circumstances. He has mentioned here and there some things like email exploits that do exist, but those have nothing to do with Poser.

Kawecki, this isn't about style or manner of speaking. Your arguments don't have any logic to them - they are not supported by any facts nor of your personal experiences. You just keep making things up. Over and over each time somebody explain something to you, you make up a new accusation, a new interpretation, a new fear, without any justification. Your rambling list of unrelated security problems associated with email and browsers, and VBScript is just that - rambling nonsense. It is non-responsive to the points I've made.

You're trolling, now, plain and simple. Knock it off.

 Can we please move from the argument of hacking (which this isn't) back to something more constructive and/or useful?  I know that would make me happy!  

Oh goodie. I was about to ask you to lock this thread. I already asked bantha.

 He's probably asleep...but, if that's the consensus, I can certainly lock it.  sigh  I hate when informational discussion turns into a locked thread.  

Jen! :wub:

I was just thinking it was a shame that you were missing the fun here. :lol:

I hope you are feeling better.

Take Care,
Rod

PS.  Edit; I was rather enjoying the thread, myself. 

Quote -  He's probably asleep...but, if that's the consensus, I can certainly lock it.  sigh  I hate when informational discussion turns into a locked thread.  

I don't know if that's a consensus. I just know that each time kawecki comes back to make another fear-monger post, I have to waste more time to make sure nobody believes his bull.

LOL, thanks, Rod :)  I feel like I have Jupiter in my stomach, but other than that, I'm not doing too badly, thanks ;)  I miss it here, and I only have a few more weeks to go ;)

 I don't think many were believing it, but I enjoyed the part about vampires myself ;o).

I'll stop now...giggle

Hi Jen! :o)

Laurie

I personally liked that as well.. tis a terrible danger Computer Vampires...

Quote - > Quote -  He's probably asleep...but, if that's the consensus, I can certainly lock it.  sigh  I hate when informational discussion turns into a locked thread.  

I don't know if that's a consensus. I just know that each time kawecki comes back to make another fear-monger post, I have to waste more time to make sure nobody believes his bull.

I can understand the frustration...I tell ya what.  Give me a couple hours.  'Sall I'm gonna say at this point.  

Quote - Oh goodie. I was about to ask you to lock this thread. I already asked bantha.

Sorry, but since I'm seven hours ahead of Renderosity time, your post arrived after midnight, I did not see it until now. From what I've seen elsewhere I think that there won't be further trouble here, thanks to JenX. I will not lock the thread now, but I'll keep an eye on it.