From the makers of Outlook, IE and Active-X : Terrarium

From: David Mohring (heretic@heretic.ihug.co.nz)
Date: 02/07/02


From: heretic@heretic.ihug.co.nz (David Mohring)
Date: Thu, 7 Feb 2002 12:21:22 +0000 (UTC)

If ever you needed proof that Microsoft hasn't a clue in terms of
systems security, you need look no further than their latest
DOT NET "training tool" - Terrarium.

Quoting the recent .NET show
http://msdn.microsoft.com/theshow/
+Terrarium is a multiplayer ecosystem game developed using the .NET
+Framework. Developers can create their own creatures and add them into the
+game on their own client machine. Teleporters on each client transfer the
+creatures between clients in the Terrarium peer-to-peer (P2P) network.
+Through the experience of programming these "creatures," the participating
+developers gain familiarity with the new development models presented in
+.NET, and how to construct code using Visual Studio .NET.

I saw a demonstration of Terrarium last year. With limited
distribution as a demonstration and testing tool for the sandboxing
in DOT NET it was a very good idea. But as what seems to happen with
all such good ideas at Microsoft, the Marketing section get hold
of it and say "This is a great feature to sell DOT NET to the
developers". So it gets released to the general public ( or at
least those willing to have or forge a Microsoft passport ).

And so ...
"Microsoft game is a code-eating battle"
http://zdnet.com.com/2100-1104-830680.html
Which includes the unforgettable phrase "Terrarium is not a virus,
says Microsoft".

Here is a google page to Microsoft's gotdotnet site, which includes
cached versions of the following pages.
http://www.google.com/search?q=+site:www.gotdotnet.com+Terrarium

The FAQ makes interesting reading.
http://www.gotdotnet.com/terrarium/docs/initialsetup/faq.aspx

What raised the hairs on the back of my neck was the italicized
statement of the install page.
http://www.gotdotnet.com/terrarium/download/
+Install Terrarium
+
+Note You must be a local administrator or power user on the computer to
+install and run the Terrarium.
             ^^^^^^^^^^^^^^^^^
I can understand the need to install as local administrator or power user,
but why has Microsoft completely failed to learn by now that it is not a
good idea to run such a service under Local-system or administrator
privileges?

See Apache Vs IIS
http://techupdate.zdnet.com/techupdate/stories/main/0,14179,2792860,00.html
And the views of
http://techupdate.zdnet.com/techupdate/stories/main/0,14179,2809071,00.html

Microsoft's recent history of providing "sandboxed" environments is abysmal
and even the best professional programmers cannot guarantee that such
a complex system as the DOT NET common runtime environment will be
vulnerability free.

IMO it is only a matter of time before either the code in one of the
"critters" manages to "break the glass" and escape into the system or a
flaw is discovered in the peer to peer server vulnerable to true worm
infestation. At least if the service/application is running with normal
user privilege it would somewhat limit the damage the script could do.

If the management at Microsoft choose to go ahead and release Terrarium
in a form that requires it run with such high privileges, or worse
still consider running such an application on Win9x/ME, then it shows
that the recent statements about Microsoft's recent conversion
over the concerns about security issues in its products is nothing
but pure marketing bull____.

David Mohring - "Dot NET, Got Root, Not NET, Bit Rot"


