@toolforger said:
A JVM that loads images typically doesn't run with Administrator privileges, system JVM or not, so that's not the scenario.
A zombie herder is after your CPU cycles and network bandwidth, and wants to persist beyond log-off; user privilege is enough for both.
Grabbing Administrator rights is just just a means to an end for them, to increase the infection's half-life. Definitely not top priority.
Who is *them*? Again, the only app that this JVM can ever run is the SDK.. No code from the web or anythng else can just use this JDK to execute.. Its not installed in the system. The code would have to search for it and if it can search your disk already you are ***ed anyway.
Yes code from the web can be run. The dev just downloads some nice free artwork for use in his project; the image happens to have malicious payload.
Seems to me I'm stating the obvious here.
Sorry, your convoluted post made it hard for me as a non-native speaker to get the content. The BMP/JPG issue just allows to execute code due to a flaw in how they are parsed or crash your application. But that code you talk about would have to exist on your computer. The code doesn't exist (its not the hackers app) and crashing your app with a broken jpg... Well, not exactly something to worry about. Happens all the time w/o them being rigged ^^
You didn’t understand what I said, so (a) it’s the messenger who’s to blame for that and (b) you argue that there’s no problem, based on your current understanding.
Seems like communication doesn’t work, and trying to overcome that obstacle ends with a huge frustration and waste of time.
I’ll know better in the future.
(Speaking of waste of time: what’s up with the AppState docs? Nothing has been happening there for weeks - is it finally rejected, does it need work, is it already fine and on its way to the repos? I have to admit that I have given up hope that anything useful is ever coming out of that.)
A post with lots of words and no content but a slight hint at your world view, in best toolforger tradition. Awesome. So boys and girls: What toolforger says is that if you put a virus in your application it will be distributed along with it. Can you believe it? Obviously you should check your assets and libraries for viruses. In any case theres no way this compromises the user if your application is clean which was my whole point from the beginning. Thanks for not explaining what you said even though I apologized and explained why I didn’t understand it and even blamed myself instead of you. If you at least would describe how the JPG can contain native code for 6 platforms supported by java or anything else about it but – nothing. QED, you will always think I’m a “hopeless case” so I will join you in the communication stop from now on as I am getting pretty bored by this.
Well including the JDK in the JME-SDK seems like a pretty feature for developers like me. I don’t know how expensive the new administrative tasks would be but I can imagine that the whole build process for all platforms can be done by a shell-command (or something like that). I don’t know how critical the update-problems and sdk-jdk-version issues are. In my case I never had that problem.
In conclusion: Yeah. I think this is cool.
Just a short opinion to the second feature:
What would be really awesome is combining the jre and the game so that it feels like a complete runnable application without further dependencies (hell I could name like a dozen people who like gaming but never understood why java is NOT the devil).
@ceiphren said:
Well including the JDK in the JME-SDK seems like a pretty feature for developers like me. I don't know how expensive the new administrative tasks would be but I can imagine that the whole build process for all platforms can be done by a shell-command (or something like that).
Yeah.. I was thinking about a streamlined process to extract the needed JDK packages from the windows / linux / osx installers for java directly somehow.. But that requires resource hacking tools at least for the windows exe file.. Might be possible though.. But in the end it'd be a pretty seldom event (the packaging) and only needed for releases or critical bug fixes in the JDK. If needed the JDK updates could also be pushed though the update center.
@shirkit: Hehe As said you can already make that happen for windows by modifying the launch4j creation process if you really want to If you come to make any extensions to the ant desktop deployment build files for this I’ll be happy to see if and how they can be integrated.
@normen said:
What toolforger says is that if you put a virus in your application it will be distributed along with it.
Ah I see.
I was thinking just about game dev machines getting infected, not about redistributing malware in applications. I think both scenarios are relevant, I just overlooked the second one and failed to clarify what scenario I was talking about.
No surprise that none of us could make much sense to the other.
I agree that rolling out jME updates whenever the JRE has a security upgrade should take care of problems on application developer machines.
I guess at least some application developers will need something similar.
Some games display user-supplied images (e.g. avatar images in a multi-player game); if one user happens to use a payload-ridden image, that's going to affect all players in the same game - scary.
I'm leaving out all the ad-hominem stuff. It's not leading anywhere, and I suppose most people aren't interested in how we bring out the worst in each other anyway. At least both Normen and me try to de-escalate. Not often enough - I'm awfully sorry about that.
Oh, one last thing: Zombie herders aren't interested in infecting 6 different Java platforms. At present, most are entirely happy to infect just Windows - everything else has too little market share to be worth the effort.
Or, in the case of Android, is indeed too varied to present itself as a target.
So, I still need packaged versions of the JDK for windows 32 and 64 bit according to the description in the first thread. Ofc ideally also for linux, OSX I can do myself. If anyone would be so kind and help out with that it’d be much appreciated. Just one or two volunteers This is your chance to get your malware into jME
I found out that the description only packages the JRE. You have to package the whole JDK folder actually, but pack200 the rt.jar in the jre folder… I have to test some stuff with this, still it would be cool to have some first builds for windows etc. too.
So it seems the netbeans installer doesn’t support bundled JDKs for OSX yet… I am working on a workaround for that… For now I compiled an installer with wezrules windows JDK, if somebody could try it, that would be awesome: Dropbox - Error
Install it (best in another folder than your original SDK) and then check the folder contents, there should be a “jdk” folder and the etc/jmonkeyplatform.conf should point at that. Check if it runs and if it actually runs on the bundled JDK.
Note this install uses your RC2 settings folder, so best don’t configure too much stuff in it Also don’t update it, even if it tells you about updates.
I usually like new ideas, but I’m not really ok with this one.
I personally use openjdk7, in linux community it’s not a irrelevant which jdk are you using.
My guess is that jme will be shipped with oracle jdk, so it’s not ideal for me, or some other foss users out there.
I didn’t downvoted because i think i don’t like it because it’s just new idea, and I didn’t try it, maybe it will have more benefits than losses.
@ivokosir said:
I usually like new ideas, but I'm not really ok with this one.
I personally use openjdk7, in linux community it's not a irrelevant which jdk are you using.
My guess is that jme will be shipped with oracle jdk, so it's not ideal for me, or some other foss users out there.
I didn't downvoted because i think i don't like it because it's just new idea, and I didn't try it, maybe it will have more benefits than losses.
If you use OpenJDK for other things thats fine, the JDK doesn't install globally also as said, you can configure the SDK to use any other JDK as well. This is also to *solve* some of the issues that Linux users experience. If you don't have to globally install the JDK that works with jME thats a plus for many linux users.
@wezrule: Thanks, I meant a “jdk” folder, sorry. But for some reason the name “jmonkeyplatformBundleSDK” is being used which is completely bogus oO… Anyway, thanks again, this helps a lot. If you could just quickly make sure the “jdk” folder is actually the jdk root (with a bin, lib and jre folder among other things inside).
Edit: D’oh, thats your install folder… Wonder why it doesn’t see the jdk? Whats inside?
Ok, thing’s are not looking good on my end. Installed and run it. I have the same issue as @wezrul
I can’t open any project (say’s ? missing plugin). Maybe bugged out somehow with my list of plugins (doubt it), or maybe it’s just cause the JDK is missing idk (it always disables all my plugins after no JDK is found at the specified path).
The main problem is that the JDK folder is an invalid jdk, it’s just not a valid JDK (take a look yourself)
As said you can already make that happen for windows by modifying the launch4j creation process if you really want to 
