Path: utzoo!attcan!uunet!samsung!usc!apple!Apple.COM!lsr
From: lsr@Apple.COM (Larry Rosenstein)
Newsgroups: comp.sys.mac
Subject: Re: On Location is BAD NEWS!
Message-ID: <6803@internal.Apple.COM>
Date: 20 Feb 90 18:13:41 GMT
References: <17721.635313273@ics.uci.edu>
Sender: usenet@Apple.COM
Organization: Objects-R-Us, Apple Computer, Inc.
Lines: 54

In article <17721.635313273@ics.uci.edu> truesdel@ICS.UCI.EDU (Scott Truesdell) writes:

> "AppleShare volumes also present a curious problem:
> [On Location] indexes don't respect AppleShare's
> security features, so you can't prevent users from
> finding text in folders they are not authorized to
> read. On Technology plans a fix for a later version."

The key word here is "indexes". On Location doesn't require that the actual documents be online to perform a search. All the data needed to do the search is in the index file.

So if you provide people with an index of your hard disk (or private AppleShare folders) then they will be able to find all documents containing certain words. They still won't be able to view the contents of the documents, since the index only contains a signature of the document and not the actual contents.

What the comment above means is that On Location doesn't keep track of whether the user doing the search is allowed to access the found document. (I don't think that's its job either.) This could be considered a security problem if the title of a document (or whatever else On Location saves) is sensitive.

If you care about people doing this kind of search, then you simply don't make the index available. The only potential problem is if On Location maintains a global index of a server by accumulating changes made by all users. I haven't played with it myself, but it seems that this would be only one way of using the program, and something that is easily avoidable.

> to the networks. Staff have access. The AppleShare security features
> ARE THERE FOR A REASON. We USE the security features.
This does not represent a security problem. The server manages all requests for data, and won't allow unauthorized users to access private files. It doesn't matter what software you run on the client machines.

The worst security problems are still going to be someone gaining physical access to the server or someone using a client machine that has the server mounted. In theory, someone can listen in on the network and grab packets, but that requires some technical knowledge.

> considered available to the public. There is no conceivable way to keep
> an individual from bringing in a copy of On Location, letting it build
> an index, then browse heretofore protected folders to their hearts

This scenario isn't possible. The only way On Location can index private documents is if the indexing is done by a legitimate user.

Larry Rosenstein, Apple Computer, Inc.
Object Specialist

Internet: lsr@Apple.com
UUCP: {nsc, sun}!apple!lsr
AppleLink: Rosenstein1
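
An added illustration of the distinction discussed in this post (not part of the original message and not On Location's code): a toy word index showing that a shared index file reveals document paths to anyone who searches it, that trimming results per user closes that gap, and that an index built by an unprivileged user never contains the private documents. The class, function names, paths and `readers` sets are constructed assumptions.

```python
class WordIndex:
    """Word -> paths index; it stores no document contents."""

    def __init__(self):
        self.postings = {}  # word -> set of document paths
        self.readers = {}   # path -> users allowed to read it, as seen at index time

    def add(self, path, text, readers):
        for word in set(text.lower().split()):
            self.postings.setdefault(word, set()).add(path)
        self.readers[path] = frozenset(readers)

    def search(self, word):
        """No check of who is searching: every indexed path is returned."""
        return sorted(self.postings.get(word.lower(), ()))

    def search_trimmed(self, word, user):
        """Drop hits the searching user is not recorded as able to read."""
        return [p for p in self.search(word) if user in self.readers[p]]


def build_index(docs, indexing_user):
    """Index only what the file server would serve to indexing_user."""
    index = WordIndex()
    for path, text, readers in docs:
        if indexing_user in readers:
            index.add(path, text, readers)
    return index


# Constructed sample volume: (path, text, users with read access)
DOCS = [
    ("Staff:Budget:layoffs.txt", "draft layoff plan for spring", {"staff"}),
    ("Public:menu.txt", "cafeteria menu for spring", {"staff", "guest"}),
]

if __name__ == "__main__":
    staff_index = build_index(DOCS, "staff")
    guest_index = build_index(DOCS, "guest")
    print(staff_index.search("spring"))                   # shared index file, untrimmed
    print(staff_index.search_trimmed("spring", "guest"))  # same index, trimmed for guest
    print(guest_index.search("layoff"))                   # index built by guest
```

The `readers` sets here are a snapshot taken at index time, so a real trimming check would ask the file server at query time rather than trust the stored copy.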