Re: AppleScript & HTML Again...
- Subject: Re: AppleScript & HTML Again...
- From: "John C. Welch" <email@hidden>
- Date: Thu, 25 Mar 2004 18:34:22 -0600
On 3/25/04 4:35 PM, "Michael Terry" <email@hidden> wrote:

> On Mar 25, 2004, at 2:10 PM, John C. Welch wrote:
>
> > It's an unsecured application that can connect an executable applescript to
> > a URL on HTML...that makes it vulnerable.
> >
> > I don't *care* what the target is. I can't see the source and verify its
> > safety, or lack thereof for myself. Ergo the risk is unacceptable.
>
> I use applications all the time whose source I can't see, and so do
> you, so that's a red herring. The question is whether using Missing
> Link the way the developer suggests poses an unreasonable security
> risk. Please walk me through the process where someone installs Missing
> Link, then becomes the victim of a security breach. I want a specific,
> real world scenario, so that everyone following along at home can judge
> for themselves whether the risk you deem unreasonable is unreasonable
> for them.

Actually, it's not. The release notes don't say a word about what, if any,
considerations were given to security. For a network application, that's
critical. There's no way to set any sort of prefs to lock down access, or
require any sort of authentication.

So the entire thing is a "trust me" application, with no way to verify this
is a good idea or not.

I could live without the source code access if the application notes
indicated what steps were taken / considerations given to security. There
are none. If the developer were well known, then that would be another way
for me to determine security issues. But none of this is true. So I'm
supposed to blindly trust that an application designed to allow remote
execution of AppleScripts via a totally insecure method is "okay"?

I don't think so.

As far as "using it the way the developer intends", well, that's not why
it's called "cracking". You don't use it the way it's intended. You pervert
the application to do bad things. I'm pretty sure that MS never intended for
VBA to be used as the most effective viral infection vector ever seen in the
computing world, and I imagine if used as the developer intended, it's not.
But that's not the issue. Maybe, if the developer would address what seems
to me to be very obvious concerns, then mine would be set at ease.

john
--
"There is only one tactical principle which is not subject to change. It is
to use the means at hand to inflict the maximum amount of wound, death, and
destruction on the enemy in the minimum amount of time."
- General George S. Patton, Jr.
_______________________________________________
applescript-users mailing list | email@hidden