Discussions / Re: There's a Java-based virus on the loose in Minecraft modding (Fracturizer)
« on: June 13, 2023, 05:15:07 AM »
Looks like it sticks static initializers into some classes but I'm not sure if those classes are fixed (so it wouldn't do anything to a Starsector mod) or if it has dynamic logic for that.
The need for certificates to be issued by the developer certainly introduces a small barrier to entry, but it would only be needed for publishing a mod; for private development of mods you'd obviously provide a developer=true bypass of the certification check.
The problem is that you're adding an administration barrier to the whole thing and requiring anybody trying to publish anything to the public to apply for a cert, no matter how small or experimental. Otherwise you'll quickly end up with end users wanting access to unsigned content and thus disabling the cert check.
Also, if you're storing a private key on your computer that you use to sign your mod, then a virus that takes that into account (obviously not this one) could just use that key to sign the infected version. Or infect it while you're developing, and when you decide to publish and sign the package, the virus is already in there.