A warning on a new destructive 'company press release'
Authored by: CarlosD on May 13, '04 03:36:23PM

I do see that you made the effort to separate the issues more clearly. My comment was more directed at the Mac online press in general. I understand you had to react to the alarmist stories on other sites and all, and you did a good job of it, for which reason I hope(d) that you did not take offense to my comment. So, forgive me if I was not clear.

We may disagree on a few things:

I don't believe Intego merits a link to its site, press release, or name, even. But I understand it is an editorial decision for you.

We also disagree on what is the threat that needs to be highlighted. Most sites are warning about AS.MS2004, or whatever it is called, and its evil methods. But variants are likely, under different names, with different methods, and maybe only partially caught by so-called virus barriers.

In short: rm, AppleScript, UNIX, and even Mac OS X do not matter here.

Power users know to beware of software from unknown sources. Newer users just need to be taught this as a part of the basics of using a computer. Applications execute. Mind their origins. This is as basic as: do not empty the trash if you trashed a file you wish to preserve. Or: do not edit and then select "save" when you don't wish to overwrite the original version of a file.

Apple needs to do nothing.

I strongly disagree with the idea that AppleScript needs to have a preference for its shell command activation. What would be the default? On? Then we have a supposed "security hole". Off? Many good, powerful, enabling scripts break. Prompts would confuse newer users, and make the technology far less useful. Would we do the same for 'getURL' or 'tell app "x" to launch'?

This would still not mitigate the *root cause* which is someone downloading an untrusted app and executing.

I also think there is a legitimate reason for read-only scripts. Some code may be copyrighted, proprietary, or, maybe an admin doesn't want users to see specific settings. There needs to be some confidence that code can remain in the hands of an administrator.

This inflames passion in me not because of zealotry -- the Mac has its vulnerabilities -- but because it points us in a futile, useless direction to address *true* threats.

A *true* threat is when:

1) You use a trusted application / tool / OS component

2) in a common-sense fashion or as-given / as-prescribed / normal configuration and then

3) your system is damaged, compromised, or made vulnerable.

If someone uses Microsoft Outlook, as installed or reasonably configured, and merely clicks to read an email, and their system is compromised, *that* is a threat.

We need to focus on those as they come up for Mac OS X.



A warning on a new destructive 'company press release'
Authored by: davidbodonnell on May 13, '04 05:38:58PM

Very well said!


