
Can you trust a Mod



I am not going to reiterate all the stuff you can find elsewhere about malicious hackers but I saw a new mod, a little while ago, that prompted me to prepare a special bargepole for the purpose of not touching it. This is a pretty safe place, with a bunch of great guys making mods, and a set of rules on licensing and other stuff that is a pretty reasonable deterrent on people with a motive to hide.

But are there warning signs?

This was on Spacedock, but I don't think that's relevant. Places such as Github, and specialised websites for a Mod, could be exploited, but without an account here, how would they be publicised? And that leads to the first test. Is there a forum thread backing up the Mod?

I'll stick with Spacedock for the other tests, because you have a nice, neat, list of info.

Test 2 (two parts): is there a picture, or any info about what the mod does (the title can be part of the info)? Spacedock has a pop-up text on the thumbnails, and the mod that prompted this at least has that.

Test 3: have you seen the creator's name anywhere else? Everyone has to start sometime, but I'd expect a modder to have some trace here, even if they have never made a mod before.

Test 4: There's a list of acceptable license terms, and anything else should be a warning. It's not the place to be jokey.

After that, you're getting into the general feel of things, and there are ways in which a mod might make you doubtful which can depend on things like native language: they're personal and unreliable. I have had many fraudulent phone calls from India, some well-known scams, that make me wary of the accent on an unexpected phone call, but there are far more relevant warning signs.

And there's one big alarm bell left. Where's the source code? If there's no .dll, if it's just a set of parts, OK, but then you get into hard dependencies, so many mods need Module Manager, but that easily passes all the tests. Though if a mod includes a copy, I don't install that. If it's a mod you haven't heard of, you need to give that the same checks. I don't read source code, just as I don't read French, but not having the source code available is like telling me that La Marseillaise is a lullaby.

There are environments elsewhere that have a lot of user-created content, and users who abuse the possibilities: some places we call them "griefers". It's a better fit to what I suspect I saw today than a bitcoin-mining hacker would be. I suspect I would have ended up with some intrusive graphics, inserted into KSP by some sniggering dweller in mom's basement.

I could be wrong, but this time I am not taking the chance.

Link to comment
Share on other sites

If you want to know about a mod before trying it, you can watch @Kottabos's videos on YouTube to get an in-depth look at what's inside the mod (there's a ton of them; literally almost all KSP mods that ever existed are reviewed). Also, you don't have to be online to play KSP. If you're worried about hackers, bitcoin mining, etc., just disconnect your connection, open the KSP directory and play from KSP.exe; this way, you can play with mods in offline mode. KSP mod creators usually ask for donations instead of forcing you to pay or using scamming methods.

Edited by ARS
Link to comment
Share on other sites

There's no real guarantee with anything you install as to what you are getting. It's a risk you take, unfortunately. Even 'official' updates for things such as drivers could have a negative impact on your machine. And it's been known for reputable software to contain malware and such. You just can't be sure. Of course, as long as you have the necessary safety precautions in place you 'should' be OK!

Link to comment
Share on other sites

I don't think SpaceDock checks anything; when you update your mod it instantly updates, with no checks and balances. Someone was actually able to upload the DLC the other day. Curse, on the other hand, actually does have some system in place to verify mods, though I cannot tell you how in-depth or thorough they are. My rule is if it don't have a picture I'm not downloading it. Unless it is a very well known mod that just so happens to not have a pic.

Link to comment
Share on other sites

I personally wouldn't trust a mod that does not have a thread in this forum. Additionally a thread should have a detailed description (including pictures if possible) and follow all the mod posting rules which includes access to the source code and a valid license. (Pretty much also what you said). When a mod would be a bit fishy it would be reported here pretty fast.

Not being very active here before making a mod public is not necessarily a bad sign. I also only did less than 5-10 posts here before posting about KPBS.

A bad sign however would be when a mod from a very new member sounds 'too good to be true'. Most people who start modding start simple, e.g. some configs to change a few aspects of parts, add new flags or something like this. I would be careful if there is a mod that promises to do something no other modder was able to achieve until now. When using mods for a while one gets a pretty good feeling what can be achieved and what not.

Additionally on Curse, Spacedock and GitHub you can visit the author's profile and see if they either already have another valid mod or contributed something meaningful to other mods (GitHub).

 

Edited by Nils277
Link to comment
Share on other sites

I feel like being vague here is unnecessary?  Point us towards the mod in question.   It will take about an hour for some expert opinions to roll in - EITHER people saying "Oh, in this case your concerns are unfounded!  Here's why!"   Or people saying "Yes, this mod is dangerous, here's why - SPREAD THE WORD NOT TO DOWNLOAD."   If it's a real problem, we should call it out.  If it's not, we should allay fears instead of having a bunch of non-coders avoiding mods because there's a rumor that something was iffy once upon a time in a thread nobody can remember the name of...  

It could be a legit mod from an inexperienced poster and we can help them get into compliance with forum rules and get a forum thread started so they get more exposure....  or...  it could not...  

Link to comment
Share on other sites

On 3/30/2018 at 6:51 AM, Nils277 said:

I personally wouldn't trust a mod that does not have a thread in this forum. Additionally a thread should have a detailed description (including pictures if possible) and follow all the mod posting rules which includes access to the source code and a valid license. (Pretty much also what you said). When a mod would be a bit fishy it would be reported here pretty fast.

This.  If you are unsure about a new mod, wait.   Let the reviews and comments roll in.  There are usually a number of bugs and such from mod combinations that the modder never encountered, so like any new release, it will take a bit of time to work them out.  Wait till the stable release hits.   This is usually what the mod dev forum is used for, but not everybody uses it.  So just wait at least a few days till you get a handle on what the community thinks.

On 3/30/2018 at 4:37 AM, Wolf Baginski said:

I saw a new mod, a little while ago, that prompted me to prepare a special bargepole for the purpose of not touching it.

 

4 hours ago, artwhaley said:

Point us towards the mod in question

 Please do!  We're a community.  We have to watch out for each other.  If someone is trying to get us to download malicious code onto our machines, let the community root it out. 

Link to comment
Share on other sites

6 hours ago, Gargamel said:

This.  If you are unsure about a new mod, wait.   Let the reviews and comments roll in.  There are usually a number of bugs and such from mod combinations that the modder never encountered, so like any new release, it will take a bit of time to work them out.  Wait till the stable release hits.   This is usually what the mod dev forum is used for, but not everybody uses it.  So just wait at least a few days till you get a handle on what the community thinks.

 

 Please do!  We're a community.  We have to watch out for each other.  If someone is trying to get us to download malicious code onto our machines, let the community root it out. 

It was this one on Spacedock.

https://spacedock.info/mod/1775/Geronimo Stilton

When first posted there, there was less detail about just what it was.

Link to comment
Share on other sites

Looking at the mod I can at least say that it is harmless (for us).

It adds a structural panel with the textures of a mouse (rat?) from a children's book/TV series. Problematic is that it redistributes the stock model of the structural panel and just replaces the texture with a (most probably also copyrighted) image of the mouse/rat.
Same applies to the second mod of the author for Kopernicus, adding planets with the textures of characters from the series.

Additionally the mods do not have any kind of license.

I think @VITAS should delete it from Spacedock as it definitely infringes the copyrights of Squad (the copied part) and whoever has the copyright for the Geronimo Stilton series. It also infringes the mod posting rules.

Ps: I really have the feeling that this mod is intended to be some kind of lame joke.

Edited by Nils277
Link to comment
Share on other sites

12 minutes ago, Nils277 said:

Looking at the mod I can at least say that it is harmless (for us).

It adds a structural panel with the textures of a mouse (rat?) from a children's book/TV series. Problematic is that it redistributes the stock model of the structural panel and just replaces the texture with a (most probably also copyrighted) image of the mouse/rat.
Same applies to the second mod of the author for Kopernicus, adding planets with the textures of characters from the series.

Additionally the mods do not have any kind of license.

I think @VITAS should delete it from Spacedock as it definitely infringes the copyrights of Squad (the copied part) and whoever has the copyright for the Geronimo Stilton series. It also infringes the mod posting rules.

Ps: I really have the feeling that this mod is intended to be some kind of lame joke.

Nailed it!  I agree.  No malicious code, but dubious copyright and not compliant with the forum rules.   I'm...  not particularly inclined to reach out to this particular mod author to offer one on one help unless they come here and ask.  It just feels like a rabbit hole (mouse hole?) I don't want to go down.  lol.

Link to comment
Share on other sites

I haven't downloaded that mod, but the slightly-revised description did suggest it was something more like what @Nils277 has described.

There are all sorts of slightly dubious flag images out there for KSP, and I've used a few that strict copyright enforcement would block. If a copyright-holder finds something, they have to react. Even if they think it's no big deal. I hope we can keep things gentle on this sort of issue.

Anyway, I think my list of general warning-signs still holds, though I am a little embarrassed how trivial this instance is.

Link to comment
Share on other sites

7 minutes ago, Wolf Baginski said:

I haven't downloaded that mod, but the slightly-revised description did suggest it was something more like what @Nils277 has described.

There are all sorts of slightly dubious flag images out there for KSP, and I've used a few that strict copyright enforcement would block. If a copyright-holder finds something, they have to react. Even if they think it's no big deal. I hope we can keep things gentle on this sort of issue.

Anyway, I think my list of general warning-signs still holds, though I am a little embarrassed how trivial this instance is.

It's a good list of stuff to follow, especially for someone new to using mods.

Spacedock doesn’t do any review, but mods can be deleted if necessary.

Right now, pinging @VITAS is a good way

Link to comment
Share on other sites

I have used mods on tons of games and even made some mods of my own (GTA IV and V via scripthook) and I seriously doubt anyone is trying to use a game to access your PC... I don't hack but I'd imagine there are much better ways to attack someone's PC like getting them to click a link on a website... games don't run in admin mode and modding a game should never require admin access, I guess it is possible but it is such a niche community to attack... the idiots on Facebook are the ones they target

Edited by i_like_kerbals
Link to comment
Share on other sites

I can think of a couple of things:

1. The kind of people who would visit 4chan might see it as funny to intentionally break someone's game (these, fortunately, are usually relatively harmless; I say usually as there's nothing to stop a malicious mod from overwriting other mods' files, which would be harder to fix).

2. There's not actually anything preventing a mod from accessing code from the internet (for instance, while it isn't malicious, the KerbalX mod can download craft files from KerbalX). Pretty much the exact code would work to download a virus. Hence why caution is warranted.

Link to comment
Share on other sites

@i_like_kerbals although there are not a lot of targets for KSP modding it can still be profitable to make a "bad" mod, especially if someone just wants to make a joke and break someone's game or even worse, like @sstabeler said. It does not need a lot of effort to do that. I just tried it out and it is indeed possible for a KSP plugin to read, write and change files outside of the KSP directory (e.g. in your documents folder). Downloading a file to a hidden place and replacing one of the shortcuts on the desktop or elsewhere to run the downloaded program is a trivial task. Or send your private data, e.g. from your pictures folder, to someone. That's why it is important that every mod with a plugin should also reveal its source code.

Edited by Nils277
Link to comment
Share on other sites

8 hours ago, Nils277 said:

@i_like_kerbals although there are not a lot of targets for KSP modding it can still be profitable to make a "bad" mod, especially if someone just wants to make a joke and break someone's game or even worse, like @sstabeler said. It does not need a lot of effort to do that. I just tried it out and it is indeed possible for a KSP plugin to read, write and change files outside of the KSP directory (e.g. in your documents folder). Downloading a file to a hidden place and replacing one of the shortcuts on the desktop or elsewhere to run the downloaded program is a trivial task. Or send your private data, e.g. from your pictures folder, to someone. That's why it is important that every mod with a plugin should also reveal its source code.

well if these mods are written in C# you can look at the source code in the dll yourself... you can use a program like ILSpy... then just search for the httprequests or socket code and yeah if the script is running off .NET then yeah you have access to Windows... I still wouldn't worry too much about black hat modders lol

 

even obfuscated code can be figured out with patience

Edited by i_like_kerbals
Link to comment
Share on other sites
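An added example, not part of any post in this thread and not code from KSP, SpaceDock or ILSpy: a first-pass check for the "search for the httprequests or socket code" step, which lists networking and process-launch references in a mod's DLLs so you know which plugins to open in a decompiler. The marker list and the sample bytes are constructed assumptions of this example; it also flags process launching, which goes slightly beyond the networking search the post describes.

```python
import re
import sys
from pathlib import Path

# Names as stored in the UTF-8 #Strings metadata heap of a .NET assembly
# (namespaces and type names are separate NUL-terminated entries).
# The marker list is this example's assumption, not an exhaustive set.
METADATA_MARKERS = {
    "network": [b"System.Net", b"System.Net.Sockets", b"System.Net.Http",
                b"WebClient", b"HttpWebRequest", b"TcpClient",
                b"UnityWebRequest", b"WWW"],
    "process": [b"Process", b"ProcessStartInfo"],
}
# String literals live in the #US heap as UTF-16LE, so URLs are matched there.
URL_RE = re.compile(
    rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00)+")

def scan_bytes(data: bytes) -> dict:
    """Return {category: [names]} for API references and URL literals."""
    findings = {}
    for category, names in METADATA_MARKERS.items():
        # Match whole heap entries only, to avoid substring false positives.
        hits = [n.decode() for n in names if b"\x00" + n + b"\x00" in data]
        if hits:
            findings[category] = hits
    urls = sorted({m.group().decode("utf-16-le") for m in URL_RE.finditer(data)})
    if urls:
        findings["urls"] = urls
    return findings

def scan_mod_dir(root) -> dict:
    """Scan every .dll under root; keys are paths relative to root."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() == ".dll":
            found = scan_bytes(path.read_bytes())
            if found:
                report[str(path.relative_to(root))] = found
    return report

def sample_dll() -> bytes:
    """Constructed bytes imitating the two heaps; not a real assembly."""
    heap = b"\x00".join([b"", b"MyPart", b"System.Net", b"WebClient",
                         b"DownloadFile", b""])
    literal = "http://example.invalid/craft.zip".encode("utf-16-le")
    return b"MZ" + heap + b"\x41" + literal + b"\x00"

if __name__ == "__main__":
    report = (scan_mod_dir(sys.argv[1]) if len(sys.argv) > 1
              else {"<constructed sample>": scan_bytes(sample_dll())})
    for name, found in report.items():
        print(name, found)
```

A hit is a reason to read that plugin's source or decompiled code, not a verdict: a legitimate mod that downloads craft files will show the same references, and obfuscated or reflection-based code can avoid them.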

You could also hide a crypto miner in a mod, conceivably.  While we're brainstorming the 'what could go wrong?'  

And you're right... you CAN peek around inside a compiled piece of software...  but...  I just don't know of anyone who's taking the time to do so with KSP mods!

Link to comment
Share on other sites

@i_like_kerbals yeah I might be a bit over-cautious when it comes to security. Many of my colleagues do research on security in IoT, Industry 5.0 and the like. And they talk a lot about what security flaws there are, and how (often) they are used already. This might make me a bit sensitive to that topic :wink:

Link to comment
Share on other sites
