Web-Dedicated Metacard

Ken Ray kray at sonsothunder.com
Mon Dec 23 17:00:11 EST 2002


Andu,

> Like what kind of safety measures, a warning that the script (like any
> script) *could* do this and that to the data on the hard drive if
> executed?
> As to Shockwave it never asks me if it's ok to load this or that moving
> thing once I have the plugin installed. Java also, it just displays that
> stupid running text in my browser without any questions.

Yes... IN YOUR BROWSER.... that's the key. They can do anything they want in
your browser, but Shockwave and Java can't do anything to the files on your
hard disk (other than potentially write cookies) without your knowledge and
a whole bunch of security protocols in place (signature files, etc.).

> What I'm trying to say is that there is a difference between legitimate
> security concerns and constant fear or the illusion of security. If there
> is fear then not using the computer on a public network is the best
> solution for sanity, the illusion of security is worse than no security at
> all.

These are legitimate security concerns. For example, suppose Shockwave had
the ability to delete files on your hard disk. And that if you went to a
site that had a Shockwave plugin, when it loaded, it could wipe out these
files. It would be a legitimate security concern and you'd want to have some
protection. Luckily for us, this doesn't happen. However in the player-based
scenario that is being painted here, the Player is an application that can
play MC/Rev content that is downloaded automatically from a web page. This
would kick off the Player application, and, if not secured properly, could
cause problems on your hard drive.

If you click on a ".doc" file link on a web page it will download and
automatically launch Word. Since Word has macros, this *should* be a
security concern of Microsoft's. Now suppose this link is in an "onload"
event. Merely going to that page will download the doc file and launch Word.
The same thing would happen to a web page that has an "onload" that points
to an MC/Rev file that will play in the Player. What's being proposed here
is a responsible security concern, IMHO.


Ken Ray
Sons of Thunder Software
Email: kray at sonsothunder.com
Web Site: http://www.sonsothunder.com/
