teambuilder - Guild Wars Forums

deathwearer · Jan 24, 2007, 04:00 PM // 16:00

Been sometime I consider using Teambuilder but I don't really trust these programs you download because keylogger and the like.

I know that some people use it, and what makes it different than any other program and what tells me that it is free of keylogger.

Fril Estelin · Jan 24, 2007, 05:26 PM // 17:26

Hi,

Well usually software security relies on either the program source being open and examined by specialists, or a lot of people using extensively the program and not reporting any strange behaviour. A keylogger in a program distributed to a wide audience would probably be reported at one point due to the 2nd point, unless the coders are really very clever. But be assured (and I know that this will probably not feel reassuring) that nowadays the threat is not in the "user world", but rather in the "corporate one" as hacking has become a full-fledge profession (so to say).

Technically, what can you do? Well first make sure you've got up-to-date antivirus (preferably a professional one, but free ones like AVG work well too) and firewall (on this topic, they usually filter incoming and not outgoing connections, a keylogger would do the latter so it's a bit useless). Then if you really want to be sure, use the program disconnected from the net (and even then you should check about phantom processes that would reconnect asap).

In the end, it's all about trust. A very complex and intricate notion that relies on a community looking at a program from different angle, specialists testing things on the program, and people getting sued if they do bad things (and some do get sued).

deathwearer · Jan 24, 2007, 06:02 PM // 18:02

So if I understand, you say that first this program is used by alot of people and nobody has reported strange behaviors of the program?

Also yes I know I have more to fear from corporation than an individual.

deathwearer · Jan 24, 2007, 06:02 PM // 18:02

Also, anywhere I can find the source code so I could compile it myself? I prefer that than anything else.

Fril Estelin · Jan 24, 2007, 06:29 PM // 18:29

Quote:

Originally Posted by deathwearer

Also, anywhere I can find the source code so I could compile it myself? I prefer that than anything else.

No, compiling it wouldn't help you, if there's keylogger code you'll simply compile it in the process. You need to study and analyze what the source code is actually doing, which requires specialist skills in general, and an awfull lot of time in the worst case. Or rely on the size of the general population, i.e. if there's a keylogger (or spyware, much more probable) someone is probably going to loose something because of that (probably not money, but still something important to him) and this may trigger suspicion to the soft, which in turn will bring attention of techies which will look at it more closely.

And about corporations, I wasn't saying that they are more dangerous than individuals (I wasn't clear), I was saying that they are actually the biggest targets of security threats (so it's a sort-of good news for individuals: hackers are mainly targetting those companies because this is where the real money is, and hackers want more money than fame nowadays...).

This is not exactly a science, sorry! But it can serve as a reminder that: 1) you should protect your computer/data (antivirus, firewall, antispyware); 2) you should back up important stuff; 3) never, ever get paranoid about these things, it is healthy to ask the question you asked, but be careful (human social effect: non-specialist people looking at this thread may start thinking that teambuilder is bad or malicious, which we don't know at all, just because of fear or misunderstanding).

Last, now that I've looked at the teambuilder website I can tell you more precisely:
1) that it is very probably safe, as it is programmed in Java (which itself has a very robust security model that would usually prevent sniffy things from running or make the life of hackers a little more difficult);
2) they mention on their Download page "This program was compiled and tested with great care, and thoroughly checked to be free of viruses." which is usually good sign (but no proof);
3) the source code is not available, but the .zip file you can download has .jar files that may have the bytecode which may be a good thing.

deathwearer · Jan 24, 2007, 06:45 PM // 18:45

Quote:

Originally Posted by Fril Estelin

No, compiling it wouldn't help you, if there's keylogger code you'll simply compile it in the process. You need to study and analyze what the source code is actually doing, which requires specialist skills in general, and an awfull lot of time in the worst case. Or rely on the size of the general population, i.e. if there's a keylogger (or spyware, much more probable) someone is probably going to loose something because of that (probably not money, but still something important to him) and this may trigger suspicion to the soft, which in turn will bring attention of techies which will look at it more closely.

And about corporations, I wasn't saying that they are more dangerous than individuals (I wasn't clear), I was saying that they are actually the biggest targets of security threats (so it's a sort-of good news for individuals: hackers are mainly targetting those companies because this is where the real money is, and hackers want more money than fame nowadays...).

This is not exactly a science, sorry! But it can serve as a reminder that: 1) you should protect your computer/data (antivirus, firewall, antispyware); 2) you should back up important stuff; 3) never, ever get paranoid about these things, it is healthy to ask the question you asked, but be careful (human social effect: non-specialist people looking at this thread may start thinking that teambuilder is bad or malicious, which we don't know at all, just because of fear or misunderstanding).

Last, now that I've looked at the teambuilder website I can tell you more precisely:
1) that it is very probably safe, as it is programmed in Java (which itself has a very robust security model that would usually prevent sniffy things from running or make the life of hackers a little more difficult);
2) they mention on their Download page "This program was compiled and tested with great care, and thoroughly checked to be free of viruses." which is usually good sign (but no proof);
3) the source code is not available, but the .zip file you can download has .jar files that may have the bytecode which may be a good thing.

I wans't clear myself also. Before I compile I would have study the code, since I'm a programmer that's a usual task.

Also thank for telling me it was coded in Java, I couldn't see it anywhere since the FAQ is only german and this is not a language I talk. Just by that I feel more secure, and even tho that Java is suppose to be hack free as Sun claim all the time, I always feel that someone will finaly find a way since everything can be hacked today.

But anyway, thank for your precious information and your tought.

Fril Estelin · Jan 24, 2007, 07:17 PM // 19:17

Quote:

Originally Posted by deathwearer

and even tho that Java is suppose to be hack free as Sun claim all the time, I always feel that someone will finaly find a way since everything can be hacked today.

There are Java worms and viruses, and without a doubt spywares. Any programming language, software framework or security product can be compromised or bypassed. The only difference is how much it costs to do so, and it costs more with Java (btw, if you download the zip file, you see .jar files and you know it's Java, .jar is a .zip with a few additional features and this is very often used to package Java application files together; and you can decompile them though this may not give you very readable code and more importantly very meaningful code). I'm 90% sure that if you contact the guy German programming teambuilder and you are very nice (possibly show him that you're not trying to scam him and sign an NDA), he'll give you the code for inspection. Who knows, there may be GWguru-ers programming in Java that may want to inspect the code and possibly improve it

deathwearer · Jan 24, 2007, 07:28 PM // 19:28

Java's not my favorite language of all time but I'v work enought with it so I could take an eye on it. I'll try to contact the developper to see if it is possible to get in touch with the source code. I'll download it anyway and install it. As for the Jar files I won't decompile it since it might not give me something readable and it is illegal to do so.

Fril Estelin · Jan 24, 2007, 07:36 PM // 19:36

Quote:

Originally Posted by deathwearer

I won't decompile it since it might not give me something readable and it is illegal to do so.

Actually I'm not sure about that bit. It may be illegal in certain countries, or illegal to own a decompiler but still legal to decompile (say if you create your own decompiler

or you've got a professional contract with Sun enabling you to do so). Anyway, probably not useful unless you've got a lot of time, energy and will

.

If you found something or didn't find anything, please don't forget to share this with us

.

P.S.: Java is a really great language, probably difficult when coming from procedural programming (e.g. C, C++) because strongly OO, but still a fantastic language, augmented by huge APIs.

deathwearer · Jan 24, 2007, 07:42 PM // 19:42

For the moment my program watching my net trafic didn't see anything comming out of teambuilder or anything that shouldn't be interacting with the net for now.

And yes decompiling is against the lisence

You are, however, not allowed to:

* reverse-engineer, decompile or modify this software.

Also, is there a website where there is a list of build that you can download for teambuilder?

Jan 24, 2007, 04:00 PM // 16:00	#1
deathwearer Krytan Explorer Join Date: May 2005 Location: Canada/Quebec Guild: Silentum Altum Profession: E/Mo	teambuilder Been sometime I consider using Teambuilder but I don't really trust these programs you download because keylogger and the like. I know that some people use it, and what makes it different than any other program and what tells me that it is free of keylogger.

Jan 24, 2007, 05:26 PM // 17:26	#2
Fril Estelin So Serious... Join Date: Jan 2007 Location: London Guild: Nerfs Are [WHAK] Profession: E/	Hi, Well usually software security relies on either the program source being open and examined by specialists, or a lot of people using extensively the program and not reporting any strange behaviour. A keylogger in a program distributed to a wide audience would probably be reported at one point due to the 2nd point, unless the coders are really very clever. But be assured (and I know that this will probably not feel reassuring) that nowadays the threat is not in the "user world", but rather in the "corporate one" as hacking has become a full-fledge profession (so to say). Technically, what can you do? Well first make sure you've got up-to-date antivirus (preferably a professional one, but free ones like AVG work well too) and firewall (on this topic, they usually filter incoming and not outgoing connections, a keylogger would do the latter so it's a bit useless). Then if you really want to be sure, use the program disconnected from the net (and even then you should check about phantom processes that would reconnect asap). In the end, it's all about trust. A very complex and intricate notion that relies on a community looking at a program from different angle, specialists testing things on the program, and people getting sued if they do bad things (and some do get sued).

Jan 24, 2007, 06:02 PM // 18:02	#3
deathwearer Krytan Explorer Join Date: May 2005 Location: Canada/Quebec Guild: Silentum Altum Profession: E/Mo	So if I understand, you say that first this program is used by alot of people and nobody has reported strange behaviors of the program? Also yes I know I have more to fear from corporation than an individual.

Jan 24, 2007, 07:28 PM // 19:28	#8
deathwearer Krytan Explorer Join Date: May 2005 Location: Canada/Quebec Guild: Silentum Altum Profession: E/Mo	Java's not my favorite language of all time but I'v work enought with it so I could take an eye on it. I'll try to contact the developper to see if it is possible to get in touch with the source code. I'll download it anyway and install it. As for the Jar files I won't decompile it since it might not give me something readable and it is illegal to do so.

Jan 24, 2007, 07:42 PM // 19:42	#10
deathwearer Krytan Explorer Join Date: May 2005 Location: Canada/Quebec Guild: Silentum Altum Profession: E/Mo	For the moment my program watching my net trafic didn't see anything comming out of teambuilder or anything that shouldn't be interacting with the net for now. And yes decompiling is against the lisence You are, however, not allowed to: * reverse-engineer, decompile or modify this software. Also, is there a website where there is a list of build that you can download for teambuilder?