is there a best anti-viral program for Revolution?

MisterX b.xavier at internet.lu
Thu May 26 11:53:20 EDT 2005 

Al, Richard, Rev

In terms of security, if rev wasn't built with a sandbox mode to
start with, it's futile to debate this. Some things may be innaccessible
but there's always a way... 

Typing paswords in the clear for one... A JOKE for any security aware
professional IT person! You can add hash this and encode that and ssh and
secure it after. But it will be like windows... patch after patch.

im wont forward much info on the subject - for professional and security
ethical reasons. Just trust me that rev has little security clearance in my
professional opinion. It may encrypt which is the basics of safe keeping but
if i spend a day in secure mode your disk stands no chance.

This was part of a plan i had for RunRev which Kevin didn't seem too
interested in getting. I know he gets lots of suggestions but mine weren't
cacamini suggestions - they were regarding the whole engine and i've tried
to convince even Scott about quality = security but my words are usually
misinterpreted. It's frustrating to see that we're still not anywhere in
this respect. I resent the feeling that i couldn't help improve these "bad
qualities" in their great product but seeing things how they go and with
much ignorance regarding the runrev build process and structure, it wouldn't
have helped IMOHO. 

Now, to be really safe:

- You need a frontscript - trap all writing handlers and find the bad
ones... It will be annoying though... Make rev slower... Or just insure
secure mode is on right?

Security starts first with the Software you run that any of us send over the
maillist. How many of you actually put yourself in securemode before opening
a url stack in the message box? 

How many of us did know about secure mode? I dont remember seeing it! ;)

BUT, and this is where it gets funny, Im the stack programmer and i decide
when to change the secure mode, so all your files are mine aren't they now?

Can security be cascaded through objects? Hum... Interesting...

cheers
Xavier
http://monsieurx.com

> -----Original Message-----
> From: use-revolution-bounces at lists.runrev.com 
> [mailto:use-revolution-bounces at lists.runrev.com] On Behalf Of 
> Alejandro Tejada
> Sent: Thursday, May 26, 2005 17:12
> To: use-revolution at lists.runrev.com
> Subject: Re: is there a best anti-viral program for Revolution?
> 
> on Wed, 25 May 2005
> Richard Gaskin wrote:
> 
> AT>> "I could open any stack by dragging and droping over an 
> executable 
> AT>> file.
> AT>> Verified with many standalones build with RR and MC.
> AT>> Some standalones even let me copy a jpg file in the hard 
> disk and 
> AT>> open it in windows explorer."
> 
> RG> What does that mean?  By what user actions?
> 
> here is a recipe:
> 1- create a stack
> 2- put an image in the stack
> 2- in a preOpenStack handler or
> an openCard handler or a startup handler, within the stack 
> script or the card script put a handler like this:
> 
> on preopenStack
>   select img 1
>   export jpeg to file "copiedpicture.jpg"
>   answer "OpenCard handler says: I copied to you hard disk a 
> picture named copiedpicture.jpg... look for it"
> end preOpenStack
> 
> on openCard
>   select img 1
>   export jpeg to file "copiedpicture.jpg"
>   answer "OpenCard handler says: I copied to you hard disk a 
> picture named copiedpicture.jpg... look for it"
> end openCard
> 
> on startup
>   select img 1
>   export jpeg to file "copiedpicture.jpg"
>   answer "StartUp handler says: I copied to you hard disk a 
> picture named copiedpicture.jpg... look for it"
> end startup
> 
> Save the stack.
> 
> 4- Now, drag and drop this stack over an executable. (Not 
> double click on the stack) In Windows, in many executables 
> downloaded from this mail list, i read the
> warning: 
> I copied to you hard disk a picture named 
> copiedpicture.jpg... look for it
> 
> Think that instead an image, you could copy an *.exe from a 
> custom property and being able to run it.
> 
> AT>> Please try to reproduce this bug by yourself, but this time, 
> AT>> instead of trying to copy a jpg file to the hard disk, 
> try to copy 
> AT>> an *.exe and run it. If my memory does not fail, this 
> was possible 
> AT>> using a preOpenstack handler...
> 
> Read this message thread:
> 
> <http://lists.runrev.com/pipermail/use-revolution/2005-January
> /049846.html>
> 
> RG> While this is an interesting issue, I couldn't
> find
> RG> where in that bug report it mentions saving files to disk while 
> RG> secureMode is turned on.
> RG> What did I overlook?
> 
> i read the title of the message "best anti-viral program for 
> Revolution" and thought that the possibility of copying a 
> file without user intervention is a gate for virus-like activity.
> 
> By default, the engine does not load in "securemode".
> in my understanding, "securemode" is a global property like 
> "selectgroupedcontrols" with the difference that after being 
> set to true, it could not be changed back to false. In 
> Dreamcard, i'm sure, it's set at startup from the preferences stack. 
> 
> Securemode limits a lot. Look at this message from december last year.
> 
> <http://lists.runrev.com/pipermail/use-revolution/2004-Decembe
> r/048611.html>
> 
> No one answer, so then i believed that i was the only one 
> using securemode...
> 
> This was my question then:
> -----------------------------------
> How many of you had used the secure mode?
> 
> When a RR player or standalone is using the securemode a 
> stack could not write a text file to disk or change the 
> registry (all these restrictions are fine), but when i try to 
> put text in the clipboard, to paste in another document the 
> clipboard is always empty!?!?!?. 
> 
> I've tried this code, and many variations without success:
> 
> set the clipboarddata to localVariableZXC
> 
> I'll like to be wrong about this, and that even in secure 
> mode, i could put data on the clipboard to paste in a text 
> editor, like Wordpad, but in my side this is not possible or 
> maybe i'm using the wrong code.
> 
> Could you test this on your side?
> ----------------------------------------
> 
> Will you test this on your side?
> Are you able to put data in the clipboard while secureMode is 
> set to true?
> 
> Thanks in advance.
> 
> al
> 
> Visit my site:
> http://www.geocities.com/capellan2000/
> 
> 
> 		
> __________________________________
> Yahoo! Mail Mobile
> Take Yahoo! Mail with you! Check email on your mobile phone. 
> http://mobile.yahoo.com/learn/mail
> _______________________________________________
> use-revolution mailing list
> use-revolution at lists.runrev.com
> http://lists.runrev.com/mailman/listinfo/use-revolution
>

More information about the use-livecode mailing list