Our university may prohibit our use of RadioDJ; need input

[xanaftp]

Hello Marius.

Feel free to move this where appropriate on the forum. We run a radio station on a university campus. The security team is starting to get really skeptical of RadioDJ, given its history of reported malware (false positive or not). They blocked my ability to download RadioDJ updates.

We as a small student run radio station cannot afford to pay hundreds/thousands for a replacement system (which would also entail many hours of additional development time to incorporate). Is there a way you could explain from a security perspective why RadioDJ is safe, despite the antivirus claims? The general synposes on the forum will not suffice for the security team; they need evidence this software, in fact, has no malware and is safe to use. For example, why don't you modify the code and use something that would not trip antiviruses? Why do you use obscure code for a free program? And why don't you sign the program? Otherwise, they may prevent us from using it.

Your help is greatly appreciated.

[wbtcpip]

If i was you i will stay away from the antivirus programs that report false positive on RadioDj. They are really dangerous and bad wrote antivirus, stay safe only using Windows Defender.

[KJ6EO]

I don't know which Antivirus Programs were reporting false positives on RDJ.  We use AVG Free here and we've never had a problem of it reporting a false positive on RDJ.  On this particular Server, AVG Free was installed before we installed RDJ.  AVG Free gave it a SNIFF Test but didn't report anything.   

[Calypso]

If i was you i will stay away from the antivirus programs that report false positive on RadioDj. They are really dangerous and bad wrote antivirus, stay safe only using Windows Defender.

Windows Defender is one of the worst solutions to rely upon when it comes to antivirus. It has come (second) to last in a lot of well known tests, and misses quite some percentage of real viruses.

Also, amongst the antivirus programs that reported RDJ as malware in the past was Trend Micro, I don't think that is a bad wrote antivirus or do you have other information?

[FreerunMedia]

I noticed that sometimes an antivirus prevents a program to start because, and here it comes "It wasn't downloaded that much". Strange rules but you can try to not place it on the C drive.

[stevewa]

@xanaftp
it is wonderful that your university IT department is so aware. 

so far the only responses are saying don't use this anti-virus product, etc, which doesn't help you.


let's address the risk assessment.

in case you didn't know, here is the link to the virus scan report: https://www.virustotal.com/#/file/e1ddc1b1d029c2aa53c3a6e4deb9919787f927a6eb4a3357f41ccce621d4a27f/detection

only 4 out of 67 products rated this a threat. that is a very low percentage of virus detection. so low, it is not even statistically important. that means the file is not really a virus. if there really was a virus, the percentage of detection would be at least 75%. of course, i know how university IT departments think, and they like to flex their muscle, even thought they are usually idiots.

as Marius says on the sticky thread about false virus notifications, scanners don't like obfuscated code, so they flag it as a virus. i can't speak for Marius, but he probably hides some of his code, so that other software engineers can't reverse engineer his work and steal it.

also, he probably doesn't sign his software with a digital certificate, because that costs money, and his program is currently free, so who is going to pay for the code signature?

your Uni IT are probably "REALLY" worried about is this "virus" infecting other computer on the campus network.

so get your faculty adviser to piss up the chain of command, to the department chairs, the vice presidents, etc etc, and tell IT, that if they are worried about a possible infection, just put your RadioDJ computers in a virtual lan configuration, where they can't talk to any other computers on the LAN, and but they can still have access to the internet, etc.

It so simple and would take about 30 minutes to implement, and your student organization can even sign a contract/waiver with them that absolves them of needing to provide any support of your computer equipment. that way, there is no way your RadioDJ computer's can infect any other computers on the network. problem is solved!

[Calypso]

@xanaftp
it is wonderful that your university IT department is so aware. 

so far the only responses are saying don't use this anti-virus product, etc, which doesn't help you.


let's address the risk assessment.

You can "laugh" about it, but in the real world this is a true problem. System maintainers nowadays have to maintain lots of systems with lots of software, and at the same time are confronted with lots of threads that come upon the network and their systems. It's common practice to only allow software from a trusted source. And if you got a piece of software from a .ro site, without signage, and that also has triggered a number of virus scanners, that's not a good basis for a trusted source.

Your suggestion of asking managers to allow the network to be quarantined is asking for problems IMHO; normally managers are triggered by "possible virus" or "security" and won't allow anything. Also putting the computer into quarantine for me means real quarantine, and that would be the same as "don't put that computer on the network". That's a cheaper and easier solution, but normally you want your RadioDJ system to be connected to the internet.

With 20 years of experience in system maintenance, also for very large organisations, I always tried to find some kind of solution, but after being confronted with several security issues because I allowed a solution, I'm very anctious - and I know most system administrators are.

[xanaftp]

Thank you everyone for your insight. It is true, the IT don't care about false positives... they will always argue, and have argued, if the code is causing false positives, Marius should modify the code. They also seem skeptical by the fact this is a free program, yet it is still closed source, and further is not signed. Depending on how much it would cost to sign it, I may be able to help contribute towards that... keeping RadioDJ is crucial for us, and they said at some point RadioDJ may stop running all together on university computers because it is not signed.

RadioDJ has to stay on the network... we run a complex echosystem at this radio station involving a Node.js server that remotes into both RadioDJ instances via REST to manage onair programming and also the calendar/metadata and crash detection. The Node application runs on a separate CentOS 7 server as it is the most efficient OS to do so. But RadioDJ does not run on CentOS 7, so it needs to be on separate Windows systems.

[stevewa]

your campus IT department would / (should) know how to segment a virtual lan, to enable you to run RadioDJ in an isolated vlan, and have routes, even vpn tunnels to communicate with your node.js box, all without threatening the security of the larger campus lan.

but you can't always get what you want.

[Marius]

And if you got a piece of software from a .ro site...

When this domain was registered it required even an ID copy to be sent to the ROTLD (which is the Romanian TLD authority) and also if you make now a WHOIS on this domain you will see that is registered to a US company: https://rotld.ro/whois/?domain=radiodj.ro, not to talk about the price, i could buy at least 5 .com domains for this price at that time. Also how do you trust more for example a .com domain, since you can buy it almost anonymously (using paypal, bitcoins etc)? Amazing...

My answer to this is the same as on the other topic which was closed, it's your decision to use it or not, i really don't know what answers do you expect on forums.

[Calypso]

When this domain was registered it required even an ID copy to be sent to the ROTLD (which is the Romanian TLD authority) and also if you make now a WHOIS on this domain you will see that is registered to a US company: https://rotld.ro/whois/?domain=radiodj.ro, not to talk about the price, i could buy at least 5 .com domains for this price at that time. Also how do you trust more for example a .com domain, since you can buy it almost anonymously (using paypal, bitcoins etc)? Amazing...

My answer to this is the same as on the other topic which was closed, it's your decision to use it or not, i really don't know what answers do you expect on forums.

In the Western world domains from Eastern countries aren't trusted in the same way as Western domains are - this has to do with politics and willingness to go after things like copyright claims. It's not my opinion, only what I see around me and in commercial organisations. Look at what happened to Kaspersky: the slightest suspicion of the software leads to an (IMHO very stupid) reaction of banning products from Kaspersky by governments and companies.

I don't know why you explicitly take this part out of the discussion - I'm just mentioning things that the system administrators of the university may have taken into their consideration. A false positive alone normally doesn't upset system administrators, it's the whole context that usually lead to such a statement. So it's not always easy to solve it; you can't just change 1 thing and expect it to be OK for them.

[ghm72]

I've used RadioDJ for just over 7 and a half years and I could tell your university IT guys that the program is 100% safe... I wouldn't have allowed it anywhere near any of my computers If I'd thought for one minute it was dodgy but its ISN'T

Even sites like Software informer say the software is OK too http://www.radiodj.ro/awards/software-informer-award.html

There's just no convincing these people at times, I guess I should learn how to become an IT guy, I'd be much better at it than some of these so called "Professional" IT guys....

[neutralhills]

I wish you luck. The PHBs at the university have probably been brainwashed away from unsigned code and free software by asshat reps from companies like MS, Oracle, etc. I saw a lot of it back in the day when I was a network admin at a community college. We regularly caught hell for using FreeBSD so extensively in the I.T. department. I am gobsmacked that they simply haven't put you on a separate network segment as that would alleviate 99% of the concern, tells me you're dealing with less experienced admins.

Here are some links from a project I helped create and that ended this summer:

[ Google slideshow ]  [ Our old support site ]

It was a school/community project and there was not a single issue with security or infections over three years despite being used in 7 schools with hundreds of students having access. When the project ended, it was done in by politics (doofus new principal at the main school), not the RadioDJ software which always performed flawlessly.

Please feel free to share the links if they will help demonstrate that the software is successfully being used elsewhere in education.

Sean McCormick
MCSA, MCSE, MCT, CTT+, LPIC 2, CTT+, A+, Network+, Server+, CCNA

[xanaftp]

Thank you everyone for your input on the forum. Again I apologize for my delay in replying.

@Marius: The questions I asked in the first post on my thread are the answers I need in order to convince the security team to allow us to run this software: "why don't you modify the code and use something that would not trip antiviruses? Why do you use obscure code for a free program? And why don't you sign the program?" In regards to signing the program, cost was brought up in the thread, which is a fair variable, but not something they will accept as an excuse, since many other free programs are properly signed.

And I appreciate everyone telling me that the program is safe. But just saying that isn't going to convince them. They will probably need evidence from reputable sources such as licensed security teams (I don't know if Software Informer is comprised of a licensed security team).

@stinga for the time being, I can get updates via off campus. However, if what they say is true, non-signed code will eventually not run at all on any University computers with the new security policies they are planning for the future. Therefore, at that point, it wouldn't even matter where I get the updates from... the program won't run unless Marius gets it signed. And sticking with old versions wouldn't work in this case either, since the old RadioDJs are also not signed and therefore also wouldn't run anymore.

@neutralhills I'll bring up the suggestion of network isolation with them. But it is very unlikely they're going to be willing to do it so that we can run RadioDJ simply because RadioDJ is not signed. The fact it's not signed raises red flags for them because unsigned programs can, at any point, be unknowingly infected with viruses, either at the time of download or at any point in time down the road during its use. Add on the fact RadioDJ trips some antiviruses (false positives or not, it doesn't matter as they think the code should be modified so as to not trip antiviruses if it is doing so), and I really don't think they can be convinced unless RadioDJ gets digitally signed and stops tripping antiviruses (or at the very least, proof can be provided that it is impossible for RadioDJ to not trip antiviruses without it breaking in functionality).

We may be forced to abandon RadioDJ if it doesn't get signed, which really sucks because I don't want to have to abandon the application and my support for it when things can be done about it. Plus, we can't afford another automation system at this time, so that may potentially be the demise of the radio station (or at least 24/7 operation of it).

I do hope at the very least the paid version of RadioDJ will be signed. If it is, that would be wonders for us at the station, assuming it's affordable of course.

[stevewa]

Then rent a windows server off campus with a remote access program into the server, run RadioDJ there, do all your admin thru the remote access, i.e. TeamViewer, and get it done. If your university and your department doesn't have any leverage against the cyber security retards, then what are you even doing working there?