Re: AppleScript & HTML Again...
- Subject: Re: AppleScript & HTML Again...
- From: Michael Terry <email@hidden>
- Date: Fri, 26 Mar 2004 14:26:41 -0800
I see this thread is going to be on the year end top ten lists:
On Mar 26, 2004, at 7:55 AM, Nigel Smith wrote:
But -- horrible thought -- a web page could put that NastyApp on your disk for you, and then run it. Imagine a webpage which contained a JavaScript to open the location to download NastyApp and then, short time later, opened the location "open:/Users/xxx/Desktop/NastyApp". Yes, you would have to guess the absolute location of the downloaded app, but that is obscurity, not security.
How could a JavaScript download an application to someone's disk without the user's intervention? This whole thread is a perpetuation of jargon, buzzwords, and generalities about security with no consideration given to how Missing Link actually works. Since I've explained its capabilities a couple times now, I'm beginning to think folks are willfully ignoring it.
I'm no JavaScript guru, but I reckon the above is easily done. Yes, the hacker would have to get you to their web page (or email it), have to guess or get your username and guess your download location, and would probably have more success by emailing the script to a million people as an attachment. But it *could* be done, and if it isn't it is because of obscurity, not security.
Security is about trade-offs. It's a shame that some seem to think that
there are absolute rules about security but that's not true. I've
already pointed out in painstaking detail what would be required for
someone with malicious intent to take advantage of Missing Link. If I'm
wrong, show me where.
The bumper-sticker slogan "security through obscurity" isn't the clever
conversation-ender that some folks give it credit for. You have to use
your head--context matters. One's password on his root account is
security through obscurity, but it's the best thing going so far.
Maybe resisting my defense of Missing Link's security is a personal
thing. Alright, will you listen to long-time respected member of the
Mac community Bill Cheeseman? Peter Bunn cross-posted his announcement
to the Macscrpt mailing list, and Bill responded (possibly confusing
the two lists, since I didn't notice any discussion of security
concerns there):
The Big Cheese:
on 2004-03-25 1:06 PM, Peter Bunn at email@hidden wrote:
I'm not sure ML has a future, but I'm pleased at least one person caught my 'drift'.
I think you need to provide a simple and concrete description of what it does, since some readers seem to have a misimpression on that score. The security concerns that have been raised here are not justified, in my view, at least given where you were taking Missing Link a while ago.
If the user has control over whether the Web link can or cannot run a script on your computer, then it's pretty much in the user's control. And if it can only run a script that the user provides, then the user can write the script with whatever safeguards are desired.
Mike
_______________________________________________
applescript-users mailing list | email@hidden
Help/Unsubscribe/Archives:
http://www.lists.apple.com/mailman/listinfo/applescript-users
Do not post admin requests to the list. They will be ignored.