Re: AppleScript & HTML Again...
- Subject: Re: AppleScript & HTML Again...
- From: Michael Terry <email@hidden>
- Date: Mon, 29 Mar 2004 00:29:44 -0800
On Mar 28, 2004, at 9:53 PM, John C. Welch wrote:
> <sigh>..I *DID*...two minutes of html and I had a web site that opens iCal on my machine. If I wanted to, I could have javascripted it to open every single application in a default location on my machine and there'd be nothing I could do to stop it short of shutting down my browser.
>
> If I were to recode it to use common defaults, then I could probably affect more machines than just mine.
So, you finally proved the security risk I already described on this
thread dozens of posts ago. Yep, there's a theoretical possibility that
someone could try to trick you into opening a web page that launches
applications on your computer.
Now let's try to understand if we should care about that possibility:
Although you don't seem to see it this way, security, just like
anything else, is a matter of risk versus reward. People will tend to
balance their lives such that their attention to security maximizes
their productivity and happiness. This will usually be far, far less
attention than a system administrator pays security, for good reason.
Luckily, people are smart, and they make pretty good guesses about the
amount of time they need to spend thinking about security.
Another thing to note about people is that they have extremely limited
free time. If it weren't for the necessity of security, hardly anyone
would ever think about it. In fact, you'd be surprised how few people
find security interesting as a topic all by itself. Even my super
boring friends rarely bring it up.
OK, I kind of drifted there. Anyway, back on task. Someone could trick
you into downloading an interface (HTML page) to Missing Link which
would have the undesirable effect (worst case scenario) of launching a
lot of applications on your computer. This is so incredibly unlikely as
to be hard for the human mind to grasp its unlikeliness. I've already
explained in this thread what would be necessary at minimum, and I
won't bother to repeat it. However, I will make a comparison that I
hope implies its unlikeliness. Right now, this very day, all across the
world, there are internet helper applications just waiting to be
exploited by our bad guy's malfeasance. Someone could write a
JavaScript embedded in a page which, when activated, continuously
downloaded all manner of tiny (or not tiny) files to the victims' disk,
thereby causing the appropriate helper apps to open them. Yet, for some
incredible reason, crackers haven't pounced on this gold mine of
crackery. At least, it's never happened to me, and I've never heard of
this proposed exploit happening to anyone else.
Anyway, the great thing about Missing Link is that its security
features ramp up to the level the user is comfortable with. I might
pick the default security because--in the limited time I have for
thinking about security--this issue is not a priority to me. On the
other hand, you could go ahead and change the url protocol to something
random, and there's nothing any bad guy could do to you. It's a win/win
situation, people!
Now, let's go back to the beginning, and see what you said that touched
off this sub-thread.
On Mar 24, 2004, at 5:08 PM, John C. Welch wrote:
> The more oblique answer is that HTML, Javascript and AppleScript may be more accessible to a 'typical' user... but this may not be the case.
>
> Beyond that, I always thought it would be cool to go to a home page (or a bookmarked page) and have all kinda local functionality.
>
> And so would the first cracker that figured out you had this application running.
This is an ominous and cryptic quote, but also ambiguous. It does give
the strong impression, though, that 1) you are in sure and certain
danger if you run Missing Link, 2) that Missing Link is such an easy
and rewarding target, a cracker wouldn't hesitate to attack your
machine, and 3) your machine can easily be owned by running Missing
Link.
Really?
1) There's no way for you to know whether Peter is using a custom url
protocol. If he is, there's nothing the cracker can do, period.
2) Almost any other cracker activity in the world would be more fun and
more rewarding than trying to exploit Missing Link into launching
applications. Actually, I suspect that a cracker would rather emerge
from the depths of his dark lair--strewn with empty Red Bulls and
half-eaten cheese pizzas--and shoot hoops at the local park than put up
a web page trying to catch Missing Link users unawares; needless to
say, any activity forcing a cracker out into the daylight must be
unrewarding indeed.
3) Crackers usually are noted for cracking, not tricking. Virus and
trojan writers trick, but crackers crack. They like to deface web pages
and leave comments on people's hard drives so the victims know they've
been cracked. They break into your machine and have their way with it.
If all you had to do to be a cracker were keep on opening things the
user doesn't want you to, the web's porn site administrators are the
world's most successful crackers.
So far, you've not shown any hint that it might be possible to own a
machine because it is running Missing Link. This possibly stems from
the fact that it's not possible.
Your drive-by character assassination on Missing Link was completely
unwarranted. The spirit of the comment has been so thoroughly refuted
that you aren't even trying to defend it anymore, but instead are
trying to kick the ball through goal posts you've moved to a new
location on the field. Your claims against Missing Link have grown more
and more modest as you've been hemmed in, inch by inch, until now, at
the last, you've come up with an exploit so minor it's like a penny on
the sidewalk, not even worth a glance from a cracker. Actually, that
simile understates its sheer inconsequence. Given the impediments, it's
more like diving for a penny in an underwater cave even though you
gravely suspect that no one's dropped a penny there.
Mike
_______________________________________________
applescript-users mailing list | email@hidden