Re: Hacking the Mac via AppleScript
Re: Hacking the Mac via AppleScript
- Subject: Re: Hacking the Mac via AppleScript
- From: "Roger Howard" <email@hidden>
- Date: Mon, 17 Sep 2001 16:53:34 -0700
Well, from the sounds of the previous post there is NOTHING new - of course we can do all sorts of nasty things in carefully setup circumstances, but I think this is a valid thread to explore what (if anything) can be done in default/safe configurations. To date I've yet to see a real exploit that doesn't count on all sorts of givens and non-defaults.
Of course if you have guest access enabled, program sharing via IP enabled, and no firewalling issues between the systems then you can do SOME nasty stuff, even with plain vanilla AppleScript on the victims machine... but this is, as far as anyone has ever shown, as secure as it can be without completely removing the functionality which would severely limit AppleScript.
We have a right to explore this subject, and have and should continue to. I am far more concerned with AppleScript on OSX in this respect as it is a new foundation with a legacy system (AppleScript, etc.) bolted on so it may not be as tightly integrated or seamless as it first appears at some layers. But unless the first poster (Sameer) can tell us what he means by "hacking the Mac via AppleScript" I am not terribly concerned - all the functionality is well documented, this is nothing new, he's simply managed to send a few remote events with a machine that he's likely rigged (through permissions and program linking) to enable what he wanted to prove could be done (and which we all already knew). This is not hacking... if you can execute remote events on a Mac that does NOT have program linking on, or a Mac whcih you do not have permissions for - whether its via a direct connection or through sending a script through email (a la the Outlook exploits) - THEN I'm concerned.
Sameer, speak up - you tantalized us but nothing you describe is worrisome on the face of it, or what anyone would reasonably label "hacking".
Roger Howard
Digital Media Specialist
The J. Paul Getty Museum
email@hidden
310.440.6908
>
>> email@hidden >>>
IMHO:
Nothing constructive is to be gained (especially now) by demonstrating
and perfecting techniques "script kiddies" could then use (if it is even
possible to do so) to break into remote Macs. I hope this thread dies
quickly.
~Phi