• Open Menu Close Menu
  • Apple
  • Shopping Bag
  • Apple
  • Mac
  • iPad
  • iPhone
  • Watch
  • TV
  • Music
  • Support
  • Search apple.com
  • Shopping Bag
 

Lists

Open Menu Close Menu
  • Terms and Conditions
  • Lists hosted on this site
  • Email the Postmaster
  • Tips for posting to public mailing lists
Re: protecting passwords in properties
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: protecting passwords in properties

  • Subject: Re: protecting passwords in properties
  • From: Axel Luttgens <email@hidden>
  • Date: Fri, 21 Mar 2008 23:59:18 +0100
Le 21 mars 08 à 17:04, Vince Angeloni a écrit : 
Axel,

Yes, it will contain the encrypted password and the passkey, but if the passkey is generated entirely with script, wouldn't that script be obscured by making the app "run only"? I was thinking that I could use something like:

set passkey to ""
set passkeySource to "asdfghjkl"
set passkey to text item 2 of passkeySource & text item 5 of passkeySource & item 3 of passkeySource ... etc ...

and since this is presumably made inaccessible by "run only", I thought this would be "safe". 

Hey Vince,

Well, just open your script, compiled as "run only", with a text editor, or look at it with command "strings" for example: odds are great that "asdfghjkl" will just bounce as a very interesting piece of text to investigate further... ;-)
(depending on how the script was saved, perhaps would it be needed to look at a file's resource fork instead of its data fork; but that's not a big deal for a potential "hacker").
The fact is that every string constant is saved as is in a compiled script.

So, with the above example, perhaps would it be safer to reverse the logics, with something like:
set dummy to "a"
set bizarre to "s"
[...]
set gosh to "l"
set passkey to dummy & bizarre & [...] & gosh
possibly with taking care to intersperse the various statements througout the whole script.

But then come the various tools for decompiling compiled applescripts...

More generally, as soon as keys have to be stored in a programmatic way, the security nightmare begins.
Just have a look at the DRM business: in spite of their millions (billions) of bucks, there has always been a cracker able to derive the key, as well as to devise the way to make use of it...


However, this may be a moot point since I am liking your idea of configuring sudo to allow use of the "shutdown" command by all users. That *would* be a lot simpler and not put my admin password at risk! I did not know that you could do this.

I think that would be the way to go. Now I just have to find out how... (I have a few unix books I can look at...)


There are also:
man sudo
man sudoers
which should provide (almost) all needed info. Of course, the usual caveats apply: do not provide more rights than the intended ones!

HTH,
Axel

_______________________________________________
Do not post admin requests to the list. They will be ignored.
AppleScript-Users mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:
Archives: http://lists.apple.com/archives/applescript-users

This email sent to email@hidden
References: 
 >Re: Re: protecting passwords in properties (From: Vince Angeloni <email@hidden>)

  • Prev by Date: Re: reading a file in an applescript
  • Next by Date: Re: reading a file in an applescript.
  • Previous by thread: Re: Re: protecting passwords in properties
  • Next by thread: Re: protecting passwords in properties
  • Index(es):
    • Date
    • Thread