Worry about the security of images


(Joia Crenca) #1

I like the ability to post images, but wonder how secure it is. Basically, can someone use malware in a posted image to take down EVE forum participants’ computers at will? Anti-virus protection is deployed on my computer, but as I’ve found, there’s still a window of vulnerability to ‘the latest’ thing.


(Austin Blythe) #2

It’s actually possible to use images to gain the IP addresses of people who view them.


(Steve Ronuken) #3

While it’s possible to gather IPs in this fashion, it’s not possible to tie those IPs to specific users in anything other than a trivial case. (a single user has viewed the post. so they’re the IP you see accessing the picture)

As to the original question:

The answer is ‘yes, but it’s really not likely’. As long as you keep your browser up to date, the chance of someone using a zero-day vulnerability to compromise a PC via a games forum is tiny. Zero-days are worth a fair chunk of money. One which can take out a PC via an image being viewed on the web would be worth a fortune.


(SIEGE RED) #4

That’s massively naive. How long have you played EVE? :slight_smile: I can recall the original forums with spidering for statistical analysis of ip blocks in order to catch patterns as well as individual people :stuck_out_tongue: And yeah, some of us should remember past incidents of non-EVE groups sticking their heads in things. Also, infection through image display has not exactly been unique or precious fortune since W32/Perrun in 2002.

Look, people can debate this until they see blue in the face, but there’s two simple things that apply here:

  1. Users need the ability to disable images completely. Simple common practice and common sense.

  2. Never underestimate CCP’s customers. Completely different ballgame.

Never try to comfort humans with statistics. Take them serious, be ahead of the curve, adhere to best practices. The rest is community communications between CCP and its customers, regardless of whether ■■■■ happens or does not happen. CSM is no part of any of that.


(Buoytender Bob) #5

Could we have an official CCP response/statemet to this thread?


(Heera-o Helugo) #6

Wow. You do not internet much, it seems. Keep your anti-virus up to date and regularly scan your computer. Freakn Facebook and google track everything you do as it is. Take some basic security steps if your that afraid.


(Armark Bether) #7

Am not CCP, but this is just as secure as any other internet page containing links, and “images” are either images hosted by the forum (idk if this is the case on this specific forum), in this case they are 100% harmless, or links to image hosting websites, so the risk is the same as any other website containing links. I’m waaaaaay more concerned about the NY Times having (according to adblock) more than 40 ads on their homepage. Some malicious ads contain potentially harmful content that does not require to click on them to do harm.

Also, if you wanted to propagate a malware, would you really target the forums of a game with 50k population during the good days ? Why not 4chan, reddit, stackoverflow, whatever actually has a big population and more lenient moderation ?


(78 Aster) #8

https://www.sophos.com/en-us/press-office/press-releases/2002/06/va_perrun.aspx

Jpg files can contain viruses, yes… so, drive by download but, you are at the same risk as you would be anywhere else on the internet. Also they seem to be outdated and links are still more dangerous. Speaking of links, that link is of Sophos anti virus, a do from 2002 about what to do with AV evolution in order to deal with the new strain.


(Linus Gorp) #9

That’s basic security for “makes you feel better”, not for “actually does anything”.
AV software is the single largest attack vector there is. If anything, they make it much easier to compromise a pc, along with introducing a whole lot of other crap you don’t want to deal with.


(FlipMoe Squad) #10

meh, get my ip…hit a virtual fort knox…best to try for a smaller fish. I’m okay with it.

Bouncing prying forehead off concrete discourages computer dumbdumbs…virtual concussions suck I would imagine.


(Armark Bether) #11

No offense, but even if it would be a cardboard castle, there’s nothing of value in it, so why bother ?

I’ve been working in a business that relied pretty heavily on servers, and they were scanned multiple times from multiple places every single day. Never had a serious attack though, even without any fancy security measures, just good ol’ SELinux. Why hit some individual or even small businesses when big companies have so many attack vectors and hold much more valuable data ?


(FlipMoe Squad) #12

Identity theft would be an issue I imagine, but I’m no expert. As an individual, not a business perspective.