>
>As most people on this list i downloaded and tested the portal of
>Sivakatirswami.
>That's a great job !
>Until now, the "computer based training" solutions where based on java (cf
>toolbook) or shockwave or flash. It was difficult to program and/or heavy to
>download.
>Sivakatirswami's solution is light, powerful and elegant.
>
>But we have now to consider the security...
>
>A *.mc app can do anything : destroy all the data of a computer, use a
>computer to destroy all the data on a network, ...
I think it is up to the developer to make sure he limits access to the server by
clients
as for the other end you better trust the developer for not making you download
malicious stacks or dont do it at all.
>
>We have to protect our customers against :
>- downloading a utility and misusing it
in what way?
>- downloading a bugged and dangerous mc file
Then you don't trust the developer at all; how about a buggd and dangerrous .mc file
which is signed?
>- downloading some mc-based virus
Like what?
>
>I can think of 2 kind of solutions :
>
>1) solution based on signature
>The programmer put his signature in his runtime and in his stacks. When
>opening a stack, the runtime checks if the stack has the right signature.
>The process could be a "compress+encrypt" function built in the engine and a
>"decompress+decrypt" function build in the runtime.
>
>2) solution based on limiting the runtime
>The Navigator, MSIE or javascript have some internal limitations to forbid
>writing on the user's disk.
>Would it be possible to have in metatalk some internal flag forbiding a
>runtime to write on the user's disk but in the folder where the runtime is ?
>
>
>
>
>
>Archives: http://www.mail-archive.com/metacard%40lists.best.com/
>Info: http://www.xworlds.com/metacard/mailinglist.htm
>Please send bug reports to <[EMAIL PROTECTED]>, not this list.
>
>.
Regards, Andu
_______________________
[EMAIL PROTECTED]
Archives: http://www.mail-archive.com/metacard%40lists.best.com/
Info: http://www.xworlds.com/metacard/mailinglist.htm
Please send bug reports to <[EMAIL PROTECTED]>, not this list.
