bcarter@claven.idbsu.edu (04/10/91)
Greetings, The script posted by mike@pyrite.SOM.CWRU.Edu (Michael Kerner) to prevent HyperCard virus attacks has several problems. First of all, it doesn't pass any set messages that DON'T have script in the params, thereby disabling every other use of the set command. Secondly, it gives a false sense of security since any such handler anywhere can be bypassed by a simple statement of the form: send "set whatever to whatever" to HyperCard Using the send ... to HyperCard format bypasses all intermediate handlers. Bruce Carter, Courseware Development Coordinator Lab: (208) 385-1859 Faculty Development Lab - Room 213 Office: (208) 385-1250 Simplot/Micron Technology Center CompuServe ID: 76666,511 Boise State University CREN (BITNET): duscarte@idbsu 1910 University Drive Internet: duscarte@idbsu.idbsu.edu Boise, ID 83725 --> Preferred: bcarter@claven.idbsu.edu
mike@pyrite.SOM.CWRU.Edu (Michael Kerner) (04/12/91)
Unfortunately, Bruce, if the script is going to spread, it has to get past the scripts in the HOME card of HC. Passing the message directly to HC does not bypass the HOME scripts. Mike Mac Admin WSOM CSG CWRU mike@pyrite.som.cwru.edu
bcarter@claven.idbsu.edu (04/16/91)
>Unfortunately, Bruce, if the script is going to spread, it has to get >past the scripts in the HOME card of HC. Passing the message directly >to HC does not bypass the HOME scripts. > >Mike >Mac Admin >WSOM CSG >CWRU >mike@pyrite.som.cwru.edu Of course sending to HyperCard bypasses the Home stack scripts, which you could have easily verified if you had bothered to check. Here is a simple example. There is a handler called "xy" in the stack script of the Home stacks of both version 1 and 2 of HyperCard. Execute the following handler from a button, or execute the statements individually from the message box. on mouseUp xy send "xy" to HyperCard end mouseUp The first xy executes the xy handler in the Home stack (which gives you an updating mouseLoc in the message box). Click to exit the xy handler. The send executes and you get a "Can't understand xy" message because HyperCard doesn't know what to do with the "xy" message. The handler is in the Home stack and has been bypassed by the send. Or here is a more directly related example. Put the following in your Home stack. on set answer "Tried to use set" end set This should prevent any set from being executed. It is easily bypassed by using the send format. Bruce Carter, Courseware Development Coordinator Lab: (208) 385-1859 Faculty Development Lab - Room 213 Office: (208) 385-1250 Simplot/Micron Technology Center CompuServe ID: 76666,511 Boise State University CREN (BITNET): duscarte@idbsu 1910 University Drive Internet: duscarte@idbsu.idbsu.edu Boise, ID 83725 --> Preferred: bcarter@claven.idbsu.edu ===============================================================================
FXJWK@ALASKA (Jo Knox - UAF Academic Computing) (04/17/91)
> mike@pyrite.SOM.CWRU.Edu (Michael Kerner) writes: > Unfortunately, Bruce, if the script is going to spread, it has to get > past the scripts in the HOME card of HC. Passing the message directly > to HC does not bypass the HOME scripts. Untrue---sending the command to HyperCard DOES bypass the normal HyperCard message inheritance path! (Course, I know nothing about 2.0...) jo
F8DY@VAX5.CIT.CORNELL.EDU (04/17/91)
mike@pyrite.SOM.CWRU.Edu (Michael Kerner) writes: > Unfortunately, Bruce, if the script is going to spread, it has to get > past the scripts in the HOME card of HC. Passing the message directly > to HC does not bypass the HOME scripts. A direct quote from Hypertalk Reference stack (2.0): "If you send a message directly to Hypercard, you ensure that no other objects will handle the message." This includes the Home stack script, no matter what kind of HyperGatekeeper you've installed in your Home stack. Not only could the virus spread to your home stack, it could then spread to any other stack w/o warning from your "on set" script. _____________________________________________ | / \ / \ | | / You can't fight | | Mark Pilgrim \ | | | in here -- this |\_______/| | | \_____| is the WAR ROOM! |// \\| f8dy@cornella. |_____/ | (from Doctor /// \\\ cit.cornell.edu | | Strangelove) /// \\\ | \_______________/// \\\_______________/ My thoughts may not be my own, but they're certainly not my employer's.
mike@pyrite.SOM.CWRU.Edu (Michael Kerner) (04/19/91)
You know, I've been doubting my own infallibility for the past few days since Bruce posted the "sorry, but it won't work", so I tried to send set and the params directly to HC, only it isn't happening, guys. Now I really would like to put this whole thing to rest, so try it: Try to send the set command directly to HC and change the script of a stack. I have yet to be able to do it. In other words, the theory is, of course correct, but it ain't working in practice, and I'm out of ideas, so please, all ye doubters, try it and then send me your scripts because all I'm getting are error messages with no results. Don't send me your ideas, I want working, syntactically correct scripts. If they work for me I'll withdraw my previous comments. Until then, please prove me wrong. Mikey. Mac Admin WSOM CSG CWRU mike@pyrite.som.cwru.edu
bcarter@claven.idbsu.edu (04/19/91)
Greetings, >You know, I've been doubting my own infallibility for the past few >days since Bruce posted the "sorry, but it won't work", so I tried to >send set and the params directly to HC, only it isn't happening, guys. >Now I really would like to put this whole thing to rest, so try it: >Try to send the set command directly to HC and change the script of a >stack. I have yet to be able to do it. In other words, the theory >is, of course correct, but it ain't working in practice, and I'm out >of ideas, so please, all ye doubters, try it and then send me your >scripts because all I'm getting are error messages with no results. >Don't send me your ideas, I want working, syntactically correct >scripts. If they work for me I'll withdraw my previous comments. >Until then, please prove me wrong. > >Mikey. >Mac Admin >WSOM CSG >CWRU >mike@pyrite.som.cwru.edu Ah, here is your problem, using the params with set doesn't work. In fact, if you check "the paramCount" for set you'll find out that it is 0. This has never worked in a way that I consider correct in any version of HyperCard. What you're proving is that using set with the params doesn't work, not that the set handler in the Home stack is catching things. You have to send an explicit message (which is what a virus would be doing anyway). Do the following in a button: on mouseUp send "set the script of this stack to Virus!" to HyperCard end mouseUp This will bypass your set handler and zero the script of the current stack (make sure it is one you don't care about, or copy the stack script somewhere first) and put the single word "Virus!" in its place. You could just as easily set it to the contents of a variable or field which actually contained a virus. To show how set doesn't work right with the params, try the following to intercept set commands: on set answer the paramCount answer "Set params are:" && the params end set The paramCount will be 0 and the params will contain only the set command itself. Apple explains all this with some comments about the difference between commands and keywords. Personally, I think it is a bug, or at least an anomoly. Bruce Carter, Courseware Development Coordinator Lab: (208) 385-1859 Faculty Development Lab - Room 213 Office: (208) 385-1250 Simplot/Micron Technology Center CompuServe ID: 76666,511 Boise State University CREN (BITNET): duscarte@idbsu 1910 University Drive Internet: duscarte@idbsu.idbsu.edu Boise, ID 83725 --> Preferred: bcarter@claven.idbsu.edu ===============================================================================
FXJWK@ALASKA.BITNET (Jo Knox - UAF Academic Computing) (04/20/91)
mike@pyrite.SOM.CWRU.Edu (Michael Kerner) writes: > Try to send the set command directly to HC and change the script of a > stack. I have yet to be able to do it. In other words, the theory > is, of course correct, but it ain't working in practice, and I'm out > of ideas, so please, all ye doubters, try it and then send me your > scripts because all I'm getting are error messages with no results. > Don't send me your ideas, I want working, syntactically correct > scripts. If they work for me I'll withdraw my previous comments. > Until then, please prove me wrong. Here ya go; I did test before calling you wrong; I have your script included as script for my Home stack, with the addition of an Else/Pass Set for conditions the script doesn't care about (sets other than script). In another stack, I have something which sets the stack script: on mouseUp put -, --just pretend the "-," is a continuation character (option l) "on idle" & return & "show message" & return & "end idle" & return -, into it set the script of this stack to it send "set the script of this stack to it" to HyperCard end mouseUp Your script in the Home stack certainly does catch the first, but not the second.... (in HyperCard 1.2.5...) jo
fwb@pollux.tmc.edu (Fred Brehm) (04/22/91)
mike@pyrite.SOM.CWRU.Edu (Michael Kerner) writes: >Try to send the set command directly to HC and change the script of a >stack. I have yet to be able to do it. >... try it and then send me your >scripts because all I'm getting are error messages with no results. >Don't send me your ideas, I want working, syntactically correct >scripts. If they work for me I'll withdraw my previous comments. >Until then, please prove me wrong. Using HC 2.0v2, in an empty stack, put the "set catcher" into the stack script, then make a button with: on mouseUp put script of this stack into s put return & "--" && the date && the time after s -- this set should be caught by the set catcher set script of this stack to s put return & "-- Sorry, Mikey." after s -- this command won't be caught. send "set script of this stack to s" to HyperCard answer script of this stack -- just to see it end mouseUp Fred - -- Frederic W. Brehm Siemens Corporate Research Princeton, NJ fwb@demon.siemens.com -or- ...!princeton!siemens!demon!fwb