Re: AppleScript & HTML Again...
- Subject: Re: AppleScript & HTML Again...
- From: BJ Terry <email@hidden>
- Date: Sun, 28 Mar 2004 22:07:54 -0800
On Mar 28, 2004, at 8:33 PM, John C. Welch wrote:

> On 3/28/04 10:21 PM, "Gary (Lists)" <email@hidden> wrote:
>
>> John C. Welch wrote [3/28/04 2:18 PM]:
>>
>>> You can make two assumptions here...one, that they'll use the default
>>> protocol name as specified in the documentation, and two, that
>>> there's a large number of users who won't change their hard drive
>>> name from the default.
>>
>> Oy!
>>
>> John Welch, your stories are not about Missing Link at all, but about
>> stupid people. That, unfortunately, none of us can help.
>>
>> So, in the case of completely ridiculous people, given statistically
>> improbable events all coming to bear on the same moron, I agree with
>> John Welch -- there is nothing that can be done to prevent stupid
>> people from being stupid.
>>
>> And that is not a security issue. It's a hiring issue.
>
> Excuse me?
>
> That's not being stupid. That's following the documentation.

While it isn't (necessarily) stupid to leave the protocol name as is,
and to leave your hard drive name as is, it would be stupid to have
applications on your computer that automatically do something bad any
time they start up (and it would be stupid to trust applications
e-mailed to you, as in the previous example). Offhand, I can't think of
any applications that do anything bad when sent an open event, but
perhaps you have tons of these on your computer. Sure, a web page could
have a javascript that opens all the applications on my computer, if I
have Missing Link installed, but that will be hardly more than a
nuisance. Probably about as annoying as web pages opening my CD tray on
my PC. I'm sure I could deal with it, and remember never to go to that
web site again. If someone sent me an application that harmed my
computer with the intent to subvert it using Missing Link, it would be
subverted as soon as I manually sent it an open event with my mouse.

> Do you change every single default setting on everything you use? Of
> course not. There's no reason, barring a non-existent security warning,
> to change the protocol. In any event, that's security by obscurity, and
> *anyone* with a clue will tell you, that's not secure at all. That's
> blind luck.

Security through obscurity refers specifically to cryptographic
algorithms. If something is acting as a password, as it is in this
case, then it isn't subject to the same rules that a cryptographic
algorithm is. Security through obscurity doesn't work with algorithms
because one can break them by reverse engineering the executable, or
using statistical analysis techniques on the output of the algorithm.
My password/protocol name is secure because I'm the only person who
knows it. If I changed my protocol name to JHKSFkdalDS3129, no one
would ever, ever, ever, ever, ever be able to guess it. Nor would they
be able to attack it with brute force. Why? Because I don't leave my
web browser pointed at websites barraging it with attempts to link to
various URLs like a:/Applications/iCal, b:/Applications/iCal. The only
way a hacker could ever find out my protocol name is to either hack
into my system, reading my preferences, or to physically sit at my
computer and check it. I'm not worried about either of those
situations.

> I fail to understand this visceral refusal to acknowledge that while a
> really good idea, the current implementation of Missing Link has real
> security issues. Is the Mac community THAT bizarrely in denial as to
> think that changing a protocol name makes you immune?
>
> john

There is no reason to believe that changing a protocol name doesn't
make one immune. I know that protocols that aren't present on my system
are simply ignored by my web browser. I know also that no one knows the
protocol I use for Missing Link. Thus, no one can use the protocol to
open applications on my computer. Quod Erat Demonstrandum
BJ