Re: AppleScript & HTML Again...
- Subject: Re: AppleScript & HTML Again...
- From: "John C. Welch" <email@hidden>
- Date: Mon, 29 Mar 2004 06:50:58 -0600
On 3/29/04 2:29 AM, "Michael Terry" <email@hidden> wrote:

> On Mar 28, 2004, at 9:53 PM, John C. Welch wrote:
>
> > <sigh>..I *DID*...two minutes of html and I had a web site that opens iCal
> > on my machine. If I wanted to, I could have javascripted it to open every
> > single application in a default location on my machine and there'd be
> > nothing I could do to stop it short of shutting down my browser.
> >
> > If I were to recode it to use common defaults, then I could probably affect
> > more machines than just mine.
>
> So, you finally proved the security risk I already described on this
> thread dozens of posts ago. Yep, there's a theoretical possibility that
> someone could try to trick you into opening a web page that launches
> applications on your computer.

That would be how a web attack works. They're all the rage on the Windows
side of the house, I'd rather not see them get popular here.

> Anyway, the great thing about Missing Link is that its security
> features ramp up to the level the user is comfortable with. I might
> pick the default security because--in the limited time I have for
> thinking about security--this issue is not a priority to me. On the
> other hand, you could go ahead and change the url protocol to something
> random, and there's nothing any bad guy could do to you. It's a win/win
> situation, people!

Until a clown with a packet sniffer susses out your protocol name.

> Really?
>
> 1) There's no way for you to know whether Peter is using a custom url
> protocol. If he is, there's nothing the cracker can do, period.

Packet sniffer...PWN3D.

> 2) Almost any other cracker activity in the world would be more fun and
> more rewarding than trying to exploit Missing Link into launching
> applications. Actually, I suspect that a cracker would rather emerge
> from the depths of his dark lair--strewn with empty Red Bulls and
> half-eaten cheese pizzas--and shoot hoops at the local park than put up
> a web page trying to catch Missing Link users unawares; needless to
> say, any activity forcing a cracker out into the daylight must be
> unrewarding indeed.

Um...if it causes a bunch of arrogant yayhoo macmacs to scream and whine,
that's what they want. Notoriety.

> 3) Crackers usually are noted for cracking, not tricking. Virus and
> trojan writers trick, but crackers crack. They like to deface web pages
> and leave comments on people's hard drives so the victims know they've
> been cracked. They break into your machine and have their way with it.
> If all you had to do to be a cracker were keep on opening things the
> user doesn't want you to, the web's porn site administrators are the
> world's most successful crackers.

Actually, a porn storm is a pretty decent example of a DOS attack. It keeps
you from using your web browser in the way you want. If you use ML to open
every application in the Apple defaults on a machine, then that's a DOS
attack, and a pretty good one.

> So far, you've not shown any hint that it might be possible to own a
> machine because it is running Missing Link. This possibly stems from
> the fact that it's not possible.

Nonsense. You prove to me that there is no possible way to do it. See you in
a decade.
john
--
"Cluster bombing from B-52s is very, very accurate. The bombs are guaranteed
to always hit the ground."
USAF Ammo Troop.