Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!cs.utexas.edu!sun-barr!decwrl!shelby!meldal@ithink.Stanford.EDU
From: meldal@ithink.Stanford.EDU (Sigurd Meldal)
Newsgroups: comp.sys.mac
Subject: Re: On Location is BAD NEWS!
Message-ID: <35@ithink.stanford.edu>
Date: 19 Feb 90 04:11:08 GMT
References: <17721.635313273@ics.uci.edu>
Sender: meldal@ithink.STANFORD.EDU (Sigurd Meldal)
Organization: Stanford University
Lines: 43

In article <17721.635313273@ics.uci.edu> truesdel@ICS.UCI.EDU (Scott Truesdell) writes:
>
>Mitch Kapor's new venture sounded like a neat hack.
>Then I read something in MacWorld, March, 1990, MacWorld News, page
>119, right under Mitch's picture that chilled my blood. I quote:
>
>    "AppleShare volumes also present a curious problem:
>    [On Location] indexes don't respect AppleShare's
>    security features, so you can't prevent users from
>    finding text in folders they are not authorized to
>    read. On Technology plans a fix for a later version."
>
>Gee, THANKS, Mitch. You have just stolen an important amount of
>functionality that I HAVE PAID FOR. You have added another layer of
>complexity to my job. You are denying me of something that is
>rightfully mine. HOW DARE YOU?!?!?

If Kapor can do it, then others can also. One should always treat
files on net servers as more-or-less publicly accessible. Do you
really think none of your students is clever enough to figure this one
out for herself? Particularly for a low-security world like Apple's.

Material that you cannot afford to let the world know should be kept
on floppies, or encrypted in some way. E.g. confidential letters can
be kept on servers, if their becoming public is no more than a
nuisance. Exams and similar material whose public availability would
spell disaster should ALWAYS be kept off the net, be it UNIX or MacOS
based.

>Gee, THANKS, MacWorld. Thanks for blabbing this disastrous situation
>out in front of the whole world for anyone to see. Why don't you just
>publish the source code to a couple of viruses while you're at it!?

The dissemination of information about security problems always poses
a problem. By making the problem known you got the opportunity to take
remedial steps. Would you be so sure that none of your students (or
other unscrupulous users) would get to know it independently?

>I am NOT a happy camper tonight :-(

Understandable.

-- Sigurd Meldal