Pentest and other security measures



Milmoor
July 4th, 2020, 09:00
FG is used via the internet, which has quite some nasty people and actors. Is FGU designed with this mind? Will it be periodically pentested?

damned
July 4th, 2020, 14:40
FG is used via the internet, which has quite some nasty people and actors. Is FGU designed with this mind? Will it be periodically pentested?

What businesses tell you how they do security?

Milmoor
July 4th, 2020, 17:05
What businesses tell you how they do security?

Quite a few actually. Even Zoom found out you can't do without some security sanitation. The FG software is on my machine, so I am an interested party. I don't need the gritty details, but something about periodic audits and a generic statement of coding practises would be appreciated.

Imagix
July 4th, 2020, 17:48
I'm curious as to what you would do with such information? If they say "yes", how does that change things? Or would that then just trigger more questions about further details? I've seen those questionnaires before, but that's on 6-figure software deals, not on a $150 one-off purchase.

Milmoor
July 4th, 2020, 18:06
My players and I are tech savvy enough to take some measures on our own. But mostly I hope for a resounding "yes of course". And if not, I hope my asking will be the start of that answer. If the customer doesn't ask for it, chances are worse that they do provide it. Especially in a small growing company it's better to be asked early than late. Fixing is a lot harder than prevention.

LordEntrails
July 4th, 2020, 19:47
I don't know where the post is, but Doug has made a statement about this before (if someone is interested enough, they should be able to dig through search results and find it). If I remember correctly, he stated that they did take active security measures and that they also have a third-party security firm that does regular audits on their systems.

Willot
July 4th, 2020, 22:57
Yeah, I remember flipping AGES AGO they had some trouble with the website getting DoSed and attempts of hacking. The website was taken down (by Smiteworks (FG) if I remember right). Nothing was taken but it pissed everyone off (servers down etc.). They then went HARDCORE security overhaul.
This was ages ago. This also might be what LordEntrails is recalling.

stephan_
July 4th, 2020, 23:16
I believe this (https://www.fantasygrounds.com/forums/showthread.php?47942-Data-Breach-Gaming-Sites-Affected&p=426411&viewfull=1#post426411) was the post mentioned by LordEntrails.

damned
July 5th, 2020, 01:12
Quite a few actually. Even Zoom found out you can't do without some security sanitation. The FG software is on my machine, so I am an interested party. I don't need the gritty details, but something about periodic audits and a generic statement of coding practises would be appreciated.

You've read Zoom's security whitepaper then?
It doesn't tell you diddly squat.

Milmoor
July 5th, 2020, 08:30
You've read Zoom's security whitepaper then?
It doesn't tell you diddly squat.

I’m not a Zoom user, it was but an example. But if I was, I would have taken a look. The post (https://www.fantasygrounds.com/forums/showthread.php?47942-Data-Breach-Gaming-Sites-Affected&p=426411&viewfull=1#post426411) about the server security helps quite a bit to assure me Smiteworks is taking security seriously. Something in this line about FG on people’s computers and I’m a happy bunny. It can probably be a lot shorter since no payment details are involved. But it is a hole in my computer’s outer shell, so I am interested.


I believe this (https://www.fantasygrounds.com/forums/showthread.php?47942-Data-Breach-Gaming-Sites-Affected&p=426411&viewfull=1#post426411) was the post mentioned by LordEntrails.
Thanks, that helps.

bmos
July 5th, 2020, 20:01
I'd love to hear this as well.
I'm glad to hear the site should be secure, but I'm much more worried about running a public-facing server on my personal computer with an open port (if using LAN connection).
Hearing an official statement that considerations are being made for this fairly large risk would be reassuring.

_haplo__
July 6th, 2020, 20:07
AFAIK, all the OS features in the Lua sandbox were disabled for instance, which kind of shows they're at least a bit security aware. Also FG is run with user privileges, which limits the attack reach. But indeed, if there were an overflow of some kind in the used libraries (I think we can assume they use a high-level language and don't reinvent the standard C lib from scratch), an attacker targeting it could possibly perform malevolent stuff. However, I believe the direct connection issue disappears with the cloud lobby.

But I am no FGU developer so my word is just a former pentester's view ;]. Also pardon my strange English, I'm a frog ^^. Have a good day.

Trenloe
July 6th, 2020, 21:31
As mentioned, the LUA implementation doesn't have any of the OS accessible features enabled - see here: https://fantasygroundsunity.atlassian.net/wiki/spaces/FGU/pages/4128914/Ruleset+-+Scripting#General-Lua-Programming

Also, any connection to the GM on port 1802 doesn't have any rights to upload or control code. The only code available is that loaded by the GM (ruleset and extensions) when they loaded their campaign. All of this code is the FG LUA linked above. The *worst* that could happen is that someone tries to do denial of service by flooding port 1802 - with either a bunch of crap, or simulating an FG player client and doing a bunch of stuff (roll dice again and again, etc.).
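The two posts above describe FG's ruleset scripting as a Lua sandbox with no OS-accessible features. The block below is an added illustration of that idea in plain Lua 5.2+, not Fantasy Grounds code: the untrusted chunk gets an environment table that exposes only pure libraries (no os, io, load, dofile, require, debug), is loaded in text-only mode, and the two test scripts are constructed for the example.

```lua
-- Added example (not Fantasy Grounds code): a minimal Lua 5.2+ sandbox that
-- exposes only pure libraries to an untrusted chunk.
local function make_sandbox()
  -- Whitelist, not blacklist: anything absent here is simply nil inside the chunk.
  local env = {
    string = string, table = table, math = math,
    pairs = pairs, ipairs = ipairs, select = select, type = type,
    tostring = tostring, tonumber = tonumber, pcall = pcall, error = error,
  }
  -- Read-only proxy: the chunk can read env but cannot define globals that persist.
  return setmetatable({}, {
    __index = env,
    __newindex = function(_, k)
      error("sandbox: global '" .. tostring(k) .. "' is read-only", 2)
    end,
  })
end

-- Mode "t" compiles text only, so precompiled bytecode cannot be smuggled in.
local function run_sandboxed(source, name)
  local chunk, err = load(source, name or "=untrusted", "t", make_sandbox())
  if not chunk then return false, "compile error: " .. err end
  return pcall(chunk)
end

-- Constructed test scripts (not from any ruleset).
local benign  = [[ return math.max(3, 7) + #"roll" ]]
local hostile = [[ return os.execute("echo this must never run") ]]

local ok, value = run_sandboxed(benign)
assert(ok and value == 11, "benign script should run and return 11")

local ok2, err2 = run_sandboxed(hostile)
-- os is nil in the sandbox, so indexing it raises an error instead of executing.
assert(not ok2 and err2:find("nil"), "hostile script must be blocked: " .. tostring(err2))
print("sandbox checks passed")
```

Note that a whitelist like this only removes OS and loader access; string.rep and unbounded loops can still burn CPU or memory, which matches the denial-of-service point made above.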

damned
July 7th, 2020, 00:03
FGC can only write XML and Mask PNGs to the file system and cannot delete anything.
I'm not sure if FGU can also write images to the file system.
There are very few things that the GM client is allowed to do and even less for the player.

Milmoor
July 11th, 2020, 19:11
Thanks @_haplo__, @Trenloe and @damned. That helps quite a bit.