Let me reply to this one first:

On Sun, Nov 29, 2009 at 5:40 PM, qMax <[email protected]> wrote:

> Thanks for hints!
>
> On Nov 29, 22:15, Silicon Dragon <[email protected]> wrote:
> > First of all, it is very well possible to do all of the malicious actions
> > even *without* bots.
> > We have managed to reverse-engineer parts of the wave<->web protocol, and
> > are able to read full wave contents of all public waves. See
> > archive.waverz.com for implementation.
> I miss the way this was implemented.

Documentation for the JS version can be found in wave <https://wave.google.com/wave/#restored:wave:googlewave.com!w%252BtHD6EunBB>; sample <http://antimatter15.com/misc/wave/waveread-alpha4.html?googlewave.com!w+Ze3l0mj0A>; also see the other waves from antimatter15. This basically acts as a full web client, and retrieves the wave data in JSON; and converts it into HTML (non-trivial). But the point of interest here is the method: using Firefox + Firebug, you can reverse-engineer arbitrary parts of the proto, including wave creation, blip submission, etc. Not really sure if impersonation can be achieved this way - so a backup solution would probably restore blip content only, but not the date and author of the blip.

> > Second, using that, it's fairly trivial to do full backups of wave data,
> > which can be restored to a new wave.
> And can you please point out the way of restoring content?
> Or there's only a method if it was backed up?

There is no known implementation for that, but feel free to hack around ;)

> > Third, you can build trust networks by using the Google groups
> > solution <http://archive.waverz.com/googlewave.com!w+VJoH3a3CK/_>,
> Great!
> The feature with google groups seems to be working, with peculiarities
> though.

Let me know if you run into problems, maybe we can work around it?

> > along with WaveNotify <http://archive.waverz.com/googlewave.com!w+uOcHp3yOA/> (for
> > e-mail notifications). Until permission checks are implemented, this
> > is the best way to keep malicious intents out of your group's waves.
> >
> > Fourth, using a protector bot, and a known blacklist (remember: wave invites
> > are still a precious commodity), it's fairly trivial to restore all edits
> > done by malicious bots, or users.
> Full-featured bot warfare requires more complicated things.
> A participant can easily remove the protecting bot (either readonlie, or
> blacklisted-bouncie before he bounces the malicious user).
> And thus at least two guard-bots are needed to put them back when
> protecting bots are removed (and put each other back as well, thus at least 2).
> And neither of the bots can store their setup (blacklist, guidelist) in
> contentblips or datadocuments,
> because they are insecurely accessible, and a more advanced warbot may
> have time to remove that setup.
> Thus, yet another bot is required to store these configs elsewhere, in
> datastore maybe,
> and coordinate protecting and guarding bots :)
> That appears to be a somewhat tricky thing :)
> And of course, all warbots can easily change app-id to be missed in
> blacklists.

This reminds me of Primer <http://www.imdb.com/title/tt0390384/>:

*Aaron: You know that story, about how NASA spent millions of dollars developing this pen that writes in Zero G? Did you ever read that?*
*Abe: Yeah.*
*Aaron: You know how the Russians solved the problem?*
*Abe: Yeah, they used a pencil.*
*Aaron: Right. A normal wooden pencil. It just seems like Philip takes the NASA route almost every time.*

So: no. For one, full-featured bot-wars would probably utilise native clients, as described above; so even removing "bots" is out. Should this occur before access control is in place (that would motivate the wave team! :) ), I think instead of a bot-war, traffic would probably just break into invite-only groups, with the trust-networks above. Once AC is in place, I think most of these will be a non-issue.

-SDr
