Testing programs from the internet

[terminator]

Since I caught something nasty by email a while back, I've shied from running unknown executables. Say you went to tester.site and downloaded engine.rar with engine.exe compressed. After scanning it with a virus checker, is there a way to unpack engine.exe so that the files are in the folder as if they were installed? My explanation is not so good but I hope someone understands what I'm saying.

[Sylwy]

Since I caught something nasty by email a while back, I've shied from running unknown executables. Say you went to tester.site and downloaded engine.rar with engine.exe compressed. After scanning it with a virus checker, is there a way to unpack engine.exe so that the files are in the folder as if they were installed? My explanation is not so good but I hope someone understands what I'm saying.

Of course yes:
- unpack the. exe with an unpacker;
-put manually the.exe in the folder produced by the installer or by manual installation.
Any problem !

Regards,
Silvian

[Mike S.]

After scanning it with a virus checker, is there a way to unpack engine.exe so that the files are in the folder as if they were installed?

Yes, and in most cases that is the installation anyway, at the same time. In other words, almost all chess engines distributed via internet, only need to be unpacked to the location where the user wants to store them.

Usually, only 'bigger' software, for example interfaces with file associations, user directories etc., require installation routines.

I use a resident virus shield which (I hope! ) does the checks you mention, automatically. I cannot remember that I ever got a virus warning for a downloaded chess engine. But of course it is not wrong to be more cautiuos, in case of doubt.

Web pages and internet related files are other possible targets for malware, and that includes chess sites. For example, in the old CCC where the email addresses of the members were stored in the postings, each (a security nightmare), once 'BadTrans' striked and distributed itself per email from any member's computer he could infect, to any other member's computer the email address it had found of, in the browser cache...

[cyberfish]

could be a bit of an overkill for testing chess engines but..

Don't run any executable that you did'nt compile yourself. In other words, always download and examine the source, then compile the executable from the source yourself. As for closed-source engines... you will have to trust the author, as s/he doesn't want you to know what s/he is making your computer do (by running his/her executable).

This is like running Windows. You will never know what Microsoft is doing with your computer.

[Mike S.]

Don't run any executable that you did'nt compile yourself.

This seems really an overkill and is impractical:

1. Only few from all downloadable engines come with sources.
2. Only few from all computer chess users, -testers etc. are programmers and/or know how to use a compiler. Maybe it's not that difficult to learn, but I am computer chess fan, not programming/compiling fan.

Also, I prefer that experienced compiling experts compile an engine I use, not myself.

Some commercial engines are distributed via Internet.

I think scanning the executables with the antivirus software the user trusts, should be enough. In addition to that, it may be adviseable not to run a new release immediatly, but to wait 2 or 3 days, if someone is very cautious. Because if there are such problems with it, it would most probably be mentioned in a message board. In other words:

1. wait
2. scan
3. good luck

But as mentioned, I do not remember that an engine I downloaded (since 1999!) ever contained a virus. Some websites and emails did. Again, to avoid misunderstandings: Anybody should use antivirus software, the best with resident (permanent) virus protection. But the potential danger from typical, serious chess engines is IMO not big. By "serious" I mean, also use common sense where you download from (what site that is etc.). Which does NOT mean that known serious sites are always safe!

[cyberfish]

There are viruses that cannot be caught by anti-viruses. What if, someone downloads the source of crafty, and add several lines at the beginning of main (where program execution starts) that scans your harddrive for your credit card number, and sends it via the internet to somewhere else in the background? And then he would compile it, and release it, calling it a compilation of crafty. It is impossible for anti-viruses to catch this, since they go by pattern recognition. This kind of things cannot be in their virus database, and worse still, it runs like the normal crafty.

It is worse still for closed-source engines. For instance, if Rybka (just because it's the only commercial engine I can think right of the top of my head) includes code that collect your personal data, and send it back, would you have noticed it? That is what I meant when I say you have to trust the author. Because, by running closed-sourced programs, you are entitling the author to do anything with your computer (and he/she doesn't want you to know what is done). To me that sounds a little scary.

As for difficulty of compilation, programs come with their own compilation scripts. All you need to do is install a compiler (just like any other program), and run the script.

[Mike S.]

Does that mean you only use programs you have the source of, and have compiled them yourself?! I think your approach is not realistic. Software needs to be ready to run, maybe except programmer's stuff. Have you ever been in a computer store or software shop? What do they sell, source codes or executeables?

Also, someone like me wouldn't even be sure if a source is ok. Maybe I would compile the virus which infects me afterwards, myself and not even know it

You need to understand that 99.995% of all computer users are NOT computer experts, -freaks, -nerds, -programmers etc.

What if you want a car, do you buy the parts and assemble them yourself, to be sure it's safe to use...?

I think I found my balance between security and comfort.

Famous last words

[cyberfish]

Does that mean you only use programs you have the source of, and have compiled them yourself?! I think your approach is not realistic.

That is certainly realistic. Take, for example, Gentoo Linux. Everything is open source, and all the programs are compiled on the user's machine. There is nothing unrealistic about that, just that it takes ~5 hrs to install (and the resulting system is FAST).

Note that I am not saying this is what I do. I found my balance between security and comfort somewhere between those end points, too. I am only saying what you should do if you don't want any risk (on a mission critical computer perhaps). On my own machine, I run only open source software (I just don't compile them myself), however. I have a second machine with Windows just for playing games, but all the serious work is done on the Linux one (and I store no confidential data on the Windows one). I am aware that I am a bit on the paranoid side, but it works for me =).

Also, someone like me wouldn't even be sure if a source is ok. Maybe I would compile the virus which infects me afterwards, myself and not even know it

That is a good point... But if the program is open source, someone else would have looked at it for you (provided it has sufficient interest).

I have never read the Linux source myself too, but I feel more secure with it because I know thousands do everyday.

You need to understand that 99.995% of all computer users are NOT computer experts, -freaks, -nerds, -programmers etc.

I guess it's a cultural thing =).

[cyberfish]

But the potential danger from typical, serious chess engines is IMO not big. By "serious" I mean, also use common sense where you download from (what site that is etc.). Which does NOT mean that known serious sites are always safe!

How about something like MY engine?
http://cyberfish.wecheer.com/Brainless

would you trust the executable that I put up there? =)

Several people have already asked me questions regarding how to compile it, so apparently not everyone took the executable.