
Re: [MiNT] Security again



On Wed, 17 Nov 1999 18:44:27 +0100 (CET), Konrad M. Kokoszkiewicz wrote:

> Which is quite unfortunate, when we come across a problem of a choice
> between compatibility with the single-user, single-tasking DR-DOS (TOS)
> and the features expected from a multiuser, multitasking MiNT.

OK, so we have the choice between making MiNT a bit more secure from attacks
but killing many popular TSRs, and keeping compatibility at the cost of
risking an attack which will almost certainly never occur. Tough question... ;-)

> > There can be programs which are no TSRs, but insert some useful information
> > into the jar
>
> For example, which one is such a program (except N.AES, which is
> F_OS_SPECIAL and does not count here).

DHST-servers announce their presence with a cookie. To do this they must
of course be able to create a cookie that's available for others and they
must also be able to remove it when they terminate. And then you have the
slightly popular BubbleGEM and the BubbleHelp server... Stic also uses a
cookie IIRC.

I don't like the cookie-jar implementation myself, but it's a fact that many
do (or don't care). Some people even put pointers to data and code in
applications in their cookies, apparently without thinking about what happens
when some client calls code in an application which doesn't exist anymore...
Two horrible examples of this are Stic and Keywatch.


/*
** Jo Even Skarstein    http://www.stud.ntnu.no/~josk/
**
**    beer - maria mckee - atari falcon - babylon 5
*/