
Security

What we can do for security, we do

Ultrastudio.org implements the following security measures:

Server security

  • Automatic daily server scans for newly discovered security weaknesses (a GoDaddy service); these should also detect malware, if any is present.
  • Both server and database are confined with SELinux.
  • All passwords used for site administration are created with a true random number generator; do not waste your youth trying a dictionary attack.
  • The server firewall blocks all ports apart from the web server ports, a send-only mail port for password recovery, and one high-range management port that works with currently unbreakable (in this setup) RSA authentication. An applet cannot attempt arbitrary communication with the server, as the server would not listen.

Wiki security

  • Mandatory SSL for logins and account management.
  • Edit requests are restricted to true browsers. An arbitrary user program cannot make an edit unless it simulates a browser very precisely.
  • No JavaScript, and in fact no HTML of any kind, is allowed in user input. Places such as upload form fields, code, and edit comments are all checked as well, with any HTML stripped away.
  • As is usual Wiki practice, there is a centralized list of recent changes. A change is visible there immediately, regardless of where on the site it was made.
  • Maintainers can instantly roll back all changes from the same IP in one action.

Plugins and scripting

  • While Ultrastudio.org uses JavaScript in various places to create a more user-friendly interface, the site stays usable (and applets runnable) with JavaScript disabled. If you have security concerns, please just turn it off.
  • No Java applet on this site is allowed to run without you explicitly launching it.
  • No other plugins are used on this site.

Applet build system

  • The build system does not allow any binary file to pass through unchanged. Pictures are slightly modified, making sure they are true pictures.
  • Applets are built from source, stripping all signatures. No applet on this site runs with the rights of a signed applet. Restrictions for unsigned applets are "draconian".
  • The Jar manifest is not preserved.
  • Calls to non-standard Java classes (sun.* and similar) are not allowed; such code is denied compilation.
  • The object/embed tag is generated by the Wiki. It is not possible to specify options requiring a specific version of the Java virtual machine or anything of the like.
  • The compiler sets the required class version to 1.5, blocking old Java virtual machines with known security issues. That way it forces the user to install a newer version. We do not host any Java runtimes on our side. If you do not trust the links (respected), please go to www.java.com/en/download/ yourself.
  • The compiler checks every called method in the system library against the access control list in the database. Attempts to access the web, the file system or class loaders, as well as attempts to foul everything by using reflection, will be reported, and the reviewer will see this immediately.
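
An independent way to spot-check compiled output against rules like the ones above, as an added example that is not the site's own build code: it reads a class file's header and constant pool, returns the major version (49 corresponds to class version 1.5) and lists method references into denied packages. The DENIED prefixes, the function names and the sample bytes (with a placeholder "()V" descriptor) are assumptions constructed for illustration; the site's actual access control list is not shown on this page.

```python
import struct

# Hypothetical deny list standing in for the site's database ACL (JVM internal-name prefixes).
DENIED = ("sun/", "java/lang/reflect/", "java/net/", "java/io/File", "java/lang/ClassLoader")
# Payload size in bytes of every fixed-size constant-pool tag (Utf8, tag 1, is variable).
SIZES = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
         15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def audit(data):
    """Return (major_version, sorted denied 'class.method' references) for class-file bytes."""
    magic, _minor, major, count = struct.unpack_from(">IHHH", data, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a class file")
    pool, pos, i = {}, 10, 1
    while i < count:
        tag = data[pos]
        if tag == 1:  # Utf8: u2 length, then the bytes
            (n,) = struct.unpack_from(">H", data, pos + 1)
            pool[i] = data[pos + 3:pos + 3 + n].decode("utf-8", "replace")
            pos += 3 + n
        elif tag in SIZES:
            if tag in (7, 10, 11, 12):  # Class, Methodref, InterfaceMethodref, NameAndType
                fmt = ">H" if tag == 7 else ">HH"
                pool[i] = (tag,) + struct.unpack_from(fmt, data, pos + 1)
            pos += 1 + SIZES[tag]
            if tag in (5, 6):  # long and double occupy two pool slots
                i += 1
        else:
            raise ValueError(f"unknown constant tag {tag}")
        i += 1
    hits = set()
    for entry in list(pool.values()):
        if isinstance(entry, tuple) and entry[0] in (10, 11):
            cls = pool[pool[entry[1]][1]]    # Methodref -> Class -> Utf8 name
            name = pool[pool[entry[2]][1]]   # Methodref -> NameAndType -> Utf8 name
            if cls.startswith(DENIED):
                hits.add(f"{cls}.{name}")
    return major, sorted(hits)

def build_sample(refs, major=49):
    """Constructed input: class-file header plus a pool with one Methodref per (class, method)."""
    out, n = b"", 0
    for cls, meth in refs:
        for s in (cls, meth, "()V"):
            out += b"\x01" + struct.pack(">H", len(s)) + s.encode()
        out += struct.pack(">BH", 7, n + 1)           # Class -> class name
        out += struct.pack(">BHH", 12, n + 2, n + 3)  # NameAndType -> name, descriptor
        out += struct.pack(">BHH", 10, n + 4, n + 5)  # Methodref -> Class, NameAndType
        n += 6
    return struct.pack(">IHHH", 0xCAFEBABE, 0, major, n + 1) + out
```

Because the check only sees method references recorded in the constant pool, calls made by string name through reflection are not visible to it, which is why the reflection packages themselves sit on the deny list.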

Code reviews and testing

  • To count a review as complete, at least one person must look through all source code of the applet. As the reviewing pages are currently not very active, usually the maintainer does this.
  • Only an applet that has passed the initial open source code review is approved for test runs.
  • Only an applet that has passed the test runs is approved for running on production pages.
  • No applet is ever accepted in already compiled form (.class or .jar). Such files also cannot be bundled with source code, as they are binary files and will be detected as such.
  • Server is maintained by people with over ten years of Java programming experience and university courses on system security.

Disclaimer

  • As written in the disclaimer, you are free from any responsibility for what the previously defined malicious applet, launched through our main workflow, can do to our rack server machine (both hardware and software). This is just for your peace of mind, as we think this is absolutely unlikely to happen.

Social factors and history

  • No malware of any kind has ever been found in the applets we review.
  • This is not unexpected, as "Free-Open Source malware" is highly uncommon in comparison to all other possible malware.

Let us know if we can do anything more.