BradBurke Posted July 12, 2021 Share Posted July 12, 2021 My company's IT department wants to review how secure AutoIT is before approving its use. Do you have any documentation that addresses any data that your company stores about user created scripts? How secure are your scripts that are compiled as executables? Are there any security concerns we need to be aware of while developing and running scripts. What secure data do the logs store? How do we know your source code is not transferring data behind the scenes? Has your software had any security audits? Anything else we should know about? Link to comment Share on other sites More sharing options...
Developers Jos Posted July 12, 2021 Developers Share Posted July 12, 2021 4 minutes ago, BradBurke said: Anything else we should know about? With all respect, but what are you expecting as answer to your dumped list of questions of which several are totally void? Did you do any research yourself before asking as many are asked before and answered. ... and to be honest: How much trust should one put in the creators answer anyways? Jos TheDcoder 1 SciTE4AutoIt3 Full installer Download page - Beta files Read before posting How to post scriptsource Forum etiquette Forum Rules Live for the present, Dream of the future, Learn from the past. Link to comment Share on other sites More sharing options...
Musashi Posted July 12, 2021 Share Posted July 12, 2021 @BradBurke Just out of curiosity, have you also sent this list of questions to, say, Microsoft, regarding the use of .Net development software. If so, I would be interested in the answer (if you ever received one). 33 minutes ago, BradBurke said: How secure are your scripts that are compiled as executables? Are there any security concerns we need to be aware of while developing and running scripts. AutoIt scripts compiled as .exe contain, in simple terms, a tokenized version of the source code, along with the appropriate AutoIt Interpreter itself. So you should never store e.g. passwords or other sensitive data in the source code. However, this is explicitly not a weakness of AutoIt, it was simply not designed for this purpose. 46 minutes ago, BradBurke said: How do we know your source code is not transferring data behind the scenes? You should be far more concerned about what data will be sent from your operating system behind the scenes . TheDcoder 1 "In the beginning the Universe was created. This has made a lot of people very angry and been widely regarded as a bad move." Link to comment Share on other sites More sharing options...
argumentum Posted July 13, 2021 Share Posted July 13, 2021 6 hours ago, BradBurke said: Anything else we should know about? lol, anyone that can not answer these questions by him/her self, should not be doing that job, as THAT is not the way to get those answers. There. A free lesson. ( Do click like -or HaHa- if you get to read this ) TheDcoder and FrancescoDiMuro 2 Follow the link to my code contribution ( and other things too ). FAQ - Please Read Before Posting. Link to comment Share on other sites More sharing options...
spudw2k Posted July 13, 2021 Share Posted July 13, 2021 (edited) 13 minutes ago, argumentum said: ( Do click like -or HaHa- if you get to read this ) Soliciting likes? @BradBurke From my experience and knowledge, AutoIt won't do anything it isn't told to. So as far as how safe and secure is it, all depends on the script author. Edited July 13, 2021 by spudw2k argumentum 1 Spoiler Things I've Made: Always On Top Tool ◊ AU History ◊ Deck of Cards ◊ HideIt ◊ ICU ◊ Icon Freezer ◊ Ipod Ejector ◊ Junos Configuration Explorer ◊ Link Downloader ◊ MD5 Folder Enumerator ◊ PassGen ◊ Ping Tool ◊ Quick NIC ◊ Read OCR ◊ RemoteIT ◊ SchTasksGui ◊ SpyCam ◊ System Scan Report Tool ◊ System UpTime ◊ Transparency Machine ◊ VMWare ESX Builder Misc Code Snippets: ADODB Example ◊ CheckHover ◊ Detect SafeMode ◊ DynEnumArray ◊ GetNetStatData ◊ HashArray ◊ IsBetweenDates ◊ Local Admins ◊ Make Choice ◊ Recursive File List ◊ Remove Sizebox Style ◊ Retrieve PNPDeviceID ◊ Retrieve SysListView32 Contents ◊ Set IE Homepage ◊ Tickle Expired Password ◊ Transpose Array Projects: Drive Space Usage GUI ◊ LEDkIT ◊ Plasma_kIt ◊ Scan Engine Builder ◊ SpeeDBurner ◊ SubnetCalc Cool Stuff: AutoItObject UDF ◊ Extract Icon From Proc ◊ GuiCtrlFontRotate ◊ Hex Edit Funcs ◊ Run binary ◊ Service_UDF Link to comment Share on other sites More sharing options...
Somerset Posted July 13, 2021 Share Posted July 13, 2021 Lots of people here are just programmers for the fun of it, or a hobby as another way of stating it. There are professionals and experts in the field of programming over many types of of languages. If this were a professional company the people in charge would shake your hand, and show you the door as you quickly as you entered. Who are you? What company do you work for? What position do you hold in relation to the company? etc. Musashi 1 Link to comment Share on other sites More sharing options...
Musashi Posted July 13, 2021 Share Posted July 13, 2021 2 hours ago, Somerset said: Who are you? What company do you work for? What position do you hold in relation to the company? I'm really curious to see if these questions will be answered . My assumptions : Option 1 : An assistant (f,m,d), who has been tasked by its IT department to take a deeper look at AutoIt. Since it takes some effort to research the answers himself, he simply threw a list of questions into the room. Option 2: 'Just' a normal member who wants to appear important (and save some time as well). Option 3 (low probability) : The CEO of a global company who wants to use AutoIt for a new world-changing software product . "In the beginning the Universe was created. This has made a lot of people very angry and been widely regarded as a bad move." Link to comment Share on other sites More sharing options...
TheDcoder Posted July 17, 2021 Share Posted July 17, 2021 On 7/13/2021 at 2:40 AM, Musashi said: So you should never store e.g. passwords or other sensitive data in the source code. However, this is explicitly not a weakness of AutoIt, it was simply not designed for this purpose. This applies for all code, anything you store in your program can be easily extracted and decrypted... even big companies which specialize in anti-tampering technology fail. This is a fundamental flaw which arises from the fact that you want the machine to know the secret but not the user, in other words, you can't have your cake and eat it too Xandy and Musashi 1 1 EasyCodeIt - A cross-platform AutoIt implementation - Fund the development! (GitHub will double your donations for a limited time) DcodingTheWeb Forum - Follow for updates and Join for discussion Link to comment Share on other sites More sharing options...
JockoDundee Posted July 19, 2021 Share Posted July 19, 2021 On 7/12/2021 at 1:21 PM, BradBurke said: How do we know your source code is not transferring data behind the scenes? If only there was multi-threading TheDcoder 1 Code hard, but don’t hard code... Link to comment Share on other sites More sharing options...
argumentum Posted July 29, 2021 Share Posted July 29, 2021 On 7/12/2021 at 11:19 PM, argumentum said: ( Do click like -or HaHa- if you get to read this ) There. The OP did not login yet. Vote for me, "argumentum for moderator 2021". I'd close these type of thread because I'm mean and ... meh. PS: I would not like to be a moderator. I'd kill'em all. PS2: A big thank you to the moderation team. I would live with heartburn doing your job. TheDcoder 1 Follow the link to my code contribution ( and other things too ). FAQ - Please Read Before Posting. Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now