
Re: [MacPerl] unmounting from macperl



At 8:24 AM -0500 on 12/9/96, Chris Nandor wrote:


}At 19:06 12/6/96, ??? wrote:
}>On Fri, 6 Dec 1996, Clinton MacDonald wrote:
}>> AppleScript is a marvelous and robust scripting language for driving
}>> applications (including the Finder) on your own desktop. Matthias is
}>> working to incorporate AppleScript into MacPerl for that reason.
}>
}>To introduce security holes onto people's Macintoshii ;-)
}
}I don't see how anyone could crack any of my MacPerl or AppleScript scripts
}on my Mac through the web to do anything evil.  I am much more worried
}about the risks posed by my Solaris programs, for one simple reason:
}command line interface.  Now, true, the MacPerl interpreter accepts text
}commands, but only from within a script or app ... you can't write [rm *.*]
}or [MacPerl -e 'unlink "Macintosh HD:System Folder"'] and have it do
}anything meaningful.  You need to get inside the app.  AppleScript is even
}more difficult to crack, because you have to compile your script first.
}Now, it is possible to write a script that erases your hard drive and make
}it publicly accessible, but that would not be a security hole caused by
}AppleScript or MacPerl any more than it would be the fault of your car
}alarm if you left the car unlocked with keys in the ignition ...

Actually, there are a couple of different ways I know that AppleScript
could be a major security hole, but unlike our friendly purveyor of
paranoia, I'll say more than just "Think about it".  First, someone could
be running Peter Lewis' Script Daemon.  It's always hung on my Macintosh
the times I've tried it, but it presumably runs on some subset of Macs, and
it gives, effectively, a superuser level command line interface on a Mac.
The other way is a suggestion made a year or so ago to implement an
"ascrpt:" pseudo URL, with embedded AppleScripts in Web pages that would
run on the client machine.  The same thing was proposed for UserTalk (and
may still be implemented in Frontier), and I believe I've even seen people
propose csh: and perl: URLs.  The security holes here are not hard to
imagine ("Click here to make a major change in your life!").

But I agree, you damn well better worry more about Solaris than your Mac,
especially if you're running known security holes like sendmail < 8.8.4.
CGIs on a Web page written in Perl are much less of a problem.

}
}>>    *JavaScript*...now that might be a security risk, but I think the people
}>> at Sun (and Netscape) are trying to eliminate those features as rapidly as
}>> possible.
}>
}>Colour me doubtful on that count.  If anything they've worked towards the
}>exact opposite.
}
}This is a side issue, but I know of no existing JavaScript security hole of
}any significance.

There have been several holes found in Netscape's implementation of
JavaScript, and CERT <http://www.cert.org> recommends keeping it shut off.
I always do.  You should be able to track down the details at CERT's web
site.

}
}Fighting paranoia where it exists ...

A little paranoia is healthy, but unfortunately, when it comes to security,
the non-experts always seem to be worried about the wrong things...

}
}#================================================================
}perl -e 'srand();if(rand>.5){$i=0;foreach(@ARGV){@$i=split(//);$z
}[$i]=0;foreach(@$i){$s[$i][$z[$i]]=$_;$z[$i]++;}$i++;}foreach(@s)
}{foreach(@$_) {print}print" ";$_++}}else{print(join(" ", @ARGV))}
}print"\n"' McClellan Clan Motto: Think On
}
}Chris Nandor                                      pudge@pobox.com
}PGP Key 0xB76E72AD                              http://pudge.net/


--------
Paul J. Schinder
NASA Goddard Space Flight Center
Code 693
Greenbelt, MD 20770
schinder@pjstoaster.pg.md.us