on Sat, 15 Sep 2001 12:24:23 +0100 David Bovill at
<[EMAIL PROTECTED]> wrote
\
>
> The only thing that is encrypted is the stack script - but you can always
> use this as a container to store your log - there is no reason why not (and
> my understanding is that it is fairly secure - maybe not a good place to
> store your credit card details - but still pretty difficult to crack without
> low level tools).
>
>> on Fri, 14 Sep 2001 18:29:39 -1000 Sivakatirswami <[EMAIL PROTECTED]> wrote
>>
>> Question... if the stack is encrypted with a password, would the the FTP log
>> in access info be unreadable? how secure would it be...really?
>
>
A script encrypted with a password in entirely unreadable by a text editor.
When running in MC, access to all scripts are restricted without the
passkey. However anything else is accessible, including custom properties.
You can "set" a script with another script, but the user who runs it will
run into the ten-line limitation if running the starter kit. But if you
"set" a script without the "on handlername" or "function functionname"
headers that show a script then you can use the script as a general
container.
As for *how* secure the passkey is -- I believe that the MC readme refers to
it as a rather weak form of encryption. I know that Scott says if you forget
a password you can send your stack to him and get it removed for a fee. If
Scott considers the encryption to be weak, I'd say that it may well be. But
on the face of it the level of encryption should be daunting enough to make
most people shy away from trying to guess an "unguessable" password.
But only Scott -- or a hacker -- would be able to tell you "how" secure your
log or scripts would be.
The "ask password" encryption is reductive. I rather suspect that the stack
password encryption is as well, but the form is different. The "ask
password" is interesting, though. Used in a script you could do something
like this:
ask password "Please enter your clearance code"
if it is not "nm7?._Y~@IO,=|FsVO" then exit mouseup
The interesting thing is that in order to get this, the user would have to
type in "today and tomorrow".
So even if someone has the ability to "see" a script, they may not be able
to run the script as it stands without the password. Reversing the password
would have to be a major pain I'm sure. Because the encryption is reductive,
you might never be able to get the intended original back again.
The cryptography placed into MC is interesting -- but I'm pretty sure Scott
will never tell (right?).
Hmmm. Thinking. How to make the stack password even *more* secure? Try using
a script on a substack as a container and encoding the substack with an "ask
password" (on preopenstack) as well as a stack password (that is different
from the mainstack's password). The user would not even be able to open the
substack without the password, and then they would have to face the prospect
of a stack password to access a script.
I'd venture to say that for ordinary users, you'd be pretty safe this way.
Again, fascinating subject. I wish I had a bit more time to play with it.
Cheers,
Raymond
Archives: http://www.mail-archive.com/metacard@lists.runrev.com/
Info: http://www.xworlds.com/metacard/mailinglist.htm
Please send bug reports to <[EMAIL PROTECTED]>, not this list.
