Cruisers Forum
 


Join CruisersForum Today

Reply
 
Thread Tools Search this Thread Rate Thread Display Modes
Old 24-10-2019, 03:49   #1
Registered User
 
JohnGC's Avatar

Join Date: Mar 2018
Location: SW UK
Boat: ETAP32s
Posts: 28
Verified Super Clean Code

Hi,

The first bullet point on OpenCPN website's about page; https://opencpn.org/OpenCPN/info/about.html

is this, "Verified Super Clean Code".

There are plenty of opinions and books on the subject of "clean code" but I'm not aware that there is a formal standard as such.

What does it mean in the context of OpenCPN? And how is it "verified"?

I'm interested because I've been asked to give a talk on OpenCPN (I'm an enthusiastic user) and I'd like to discuss OpenCPN's fitness for purpose. The main argument in favour is the active nature of OpenCPN's development, the number of satisfied users and the swift fixes to bugs. But I'd also like to explore whatever is behind the verified super clean code claim.

Many thanks,

John
__________________

JohnGC is offline   Reply With Quote
Old 24-10-2019, 05:21   #2
Marine Service Provider
 
bdbcat's Avatar

Join Date: Mar 2008
Posts: 5,960
Re: Verified Super Clean Code

John...


In our context, this means that the code has been checked and verified by:
https://www.virustotal.com


From the Wikipedia:
"VirusTotal aggregates many antivirus products and online scan engines[4][5] to check for viruses that the user's own antivirus may have missed, or to verify against any false positives.[6] Files up to 550 MB can be uploaded to the website, or sent via email (max. 32MB). Anti-virus software vendors can receive copies of files that were flagged by other scans but passed by their own engine, to help improve their software and, by extension, VirusTotal's own capability. Users can also scan suspect URLs and search through the VirusTotal dataset. VirusTotal for dynamic analysis of malware uses Cuckoo sandbox.[7] VirusTotal was selected by PC World as one of the best 100 products of 2007.[8]"


Thanks for supporting OpenCPN.
If you send us details on your talk, perhaps we can make a news item about for the website...


Dave
__________________

bdbcat is offline   Reply With Quote
Old 24-10-2019, 05:41   #3
Registered User
 
JohnGC's Avatar

Join Date: Mar 2018
Location: SW UK
Boat: ETAP32s
Posts: 28
Re: Verified Super Clean Code

Hi Dave,

Thanks for the quick reply.

What you say makes sense and I'd been thinking along different lines. To an embedded programmer such as myself, "clean code" is a bit of a catch all phrase for clearly written, tested, version controlled and documented code. Often it includes a "style" standard.

For OpenCPN "clean" means free of malware; also a very good thing!

The talk isn't until February 2020, it will only be 15 minutes introduction to OpenCPN plus a hands-on demo table during the tea-breaks.

Cheers,

John
JohnGC is offline   Reply With Quote
Old 24-10-2019, 06:11   #4
Registered User

Join Date: Jul 2010
Location: Kalamata, Greece
Boat: Amel Sharki
Posts: 2,089
Re: Verified Super Clean Code

Quote:
Originally Posted by bdbcat View Post
John...
In our context, this means that the code has been checked and verified by:
https://www.virustotal.com
From the Wikipedia:
"VirusTotal aggregates many antivirus products and online scan engines[4][5] to check for viruses that the user's own antivirus may have missed, or to verify against any false positives.[6] Files up to 550 MB can be uploaded to the website, or sent via email (max. 32MB). Anti-virus software vendors can receive copies of files that were flagged by other scans but passed by their own engine, to help improve their software and, by extension, VirusTotal's own capability. Users can also scan suspect URLs and search through the VirusTotal dataset. VirusTotal for dynamic analysis of malware uses Cuckoo sandbox.[7] VirusTotal was selected by PC World as one of the best 100 products of 2007.[8]"
Thanks for supporting OpenCPN.
If you send us details on your talk, perhaps we can make a news item about for the website...
Dave
This statement is extremly misleading!
OpenCPN might connect by itself to the internet and can be infected with malware without knowledge of the user. VirusTotal might have been a nice product in 2007 (see above) but now we are in 2019! Wake up guys and stopp dreaming. Depending which type of operating system OpenCPN is running it is an open hole with several weak points like dead code, memory leaks and other things. Connected to the internet and running OpenCPN your computer might be captured!
CarCode is offline   Reply With Quote
Old 24-10-2019, 06:38   #5
Registered User
 
transmitterdan's Avatar

Join Date: Oct 2011
Boat: Valiant 42
Posts: 6,053
Re: Verified Super Clean Code

Quote:
Originally Posted by CarCode View Post
This statement is extremly misleading!
OpenCPN might connect by itself to the internet and can be infected with malware without knowledge of the user. VirusTotal might have been a nice product in 2007 (see above) but now we are in 2019! Wake up guys and stopp dreaming. Depending which type of operating system OpenCPN is running it is an open hole with several weak points like dead code, memory leaks and other things. Connected to the internet and running OpenCPN your computer might be captured!
The code is open source and you can easily read it therefore you should be able to point to a specific example of such vulnerability. More importantly if you find such vulnerability you can submit a correction to github.

But I already know you have found no such vulnerability because you have not made any attempt to offer a solution to the github source code.
transmitterdan is offline   Reply With Quote
Old 24-10-2019, 17:51   #6
Registered User
 
boat_alexandra's Avatar

Join Date: Aug 2009
Location: charleston
Boat: bristol 27
Posts: 3,608
Re: Verified Super Clean Code

I would look for anywhere opencpn downloads code then executes it, such as upgrading the software. Do any plugins do this? It would be possible to use man in middle attack here maybe.
boat_alexandra is offline   Reply With Quote
Old 24-10-2019, 18:25   #7
Registered User
 
transmitterdan's Avatar

Join Date: Oct 2011
Boat: Valiant 42
Posts: 6,053
Re: Verified Super Clean Code

Quote:
Originally Posted by boat_alexandra View Post
I would look for anywhere opencpn downloads code then executes it, such as upgrading the software. Do any plugins do this? It would be possible to use man in middle attack here maybe.
The simplest vector would be a malicious DLL placed in the plugins folder. It would be possible to convince O to load and execute a malicious DLL. But O doesn’t have a plugin downloader/installer.
transmitterdan is offline   Reply With Quote
Old 25-10-2019, 15:24   #8
Registered User

Join Date: Mar 2011
Posts: 121
Re: Verified Super Clean Code

Given that OpenCPN is an “open” system, meaning that it accepts unverified data from many sources, I don’t think anyone could assert that OpenCPN is “secure”.

In addition to it’s ability to load a plugin which may or may not be “safe”, it accepts data from freely downloaded charts, icons, NMEA inputs any of which could be crafted to exploit vulnerabilities such as buffer overflows etc.

I doubt if anyone has developed a threat model, implemented mitigations or adopted secure coding standards, let alone undertake penetration testing for OpenCPN.
stevead is offline   Reply With Quote
Old 25-10-2019, 23:46   #9
Registered User

Join Date: Jul 2010
Location: Kalamata, Greece
Boat: Amel Sharki
Posts: 2,089
Re: Verified Super Clean Code

Quote:
Originally Posted by stevead View Post
Given that OpenCPN is an “open” system, meaning that it accepts unverified data from many sources, I don’t think anyone could assert that OpenCPN is “secure”.

In addition to it’s ability to load a plugin which may or may not be “safe”, it accepts data from freely downloaded charts, icons, NMEA inputs any of which could be crafted to exploit vulnerabilities such as buffer overflows etc.

I doubt if anyone has developed a threat model, implemented mitigations or adopted secure coding standards, let alone undertake penetration testing for OpenCPN.
Correct!
The only way to be secure don't connect to an internet network while running OpenCPN.
__________________

CarCode is offline   Reply With Quote
Reply

Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes Rate This Thread
Rate This Thread:

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off


Advertise Here


All times are GMT -7. The time now is 16:04.


Google+
Powered by vBulletin® Version 3.8.8 Beta 1
Copyright ©2000 - 2020, vBulletin Solutions, Inc.
Social Knowledge Networks
Powered by vBulletin® Version 3.8.8 Beta 1
Copyright ©2000 - 2020, vBulletin Solutions, Inc.

ShowCase vBulletin Plugins by Drive Thru Online, Inc.