Re: AW: Mac OS 9 Idle Lock Bug

[diz () CAFES NET (Mike Eldridge)]

On Fri, 29 Oct 1999, Flothow, Sebastian wrote:
> > It's possible to set up the
> > Finder so that, if the current user goes idle, the screen will be
> > locked.  A simple dialog box is displayed stating that the system has
> > been idle for too long and a password must be entered.
> >
> > You have two options.  Click OK and enter the password to return to
> > your session or click OK and click Log Out. It's possible to seize
> > control of Mac OS under certain conditions by clicking Log Out.
>
> so you can log out the current user and quit all apps without having to
> enter a password? i think this is the real security flaw, not apps which ask
> wether you want to save changes.

I don't think you are fully understanding the nature of the security flaw.
If there are any such applications open that ask if you would like to save
changes, hitting the "cancel" option on such applications will abort the
logout and the screen lock will no longer be active, returning you to the
user's session, allowing you access to all of the user's files, data, etc,
etc.

If, for any reason, you rely on the hyped security features of MacOS 9 and
do have important data that you would not like others to have access to,
you have a real problem on your hand, as anyone following the process
outlined in the original posting will gain access to the user's files and
any applications they have open that were not closed in the logout
process.

So, the current solution is to close all applications when locking your
session so that it is not possible to circumvent the logout process.

I'm sure Apple will have a fix ready for this as soon as humanly possible
since they are touting the security benefits of MacOS 9.  In my opinion,
the option to logout should be removed altogether, as you should have to
supply the password to logout anyway.

> > Some applications have the "feature" of asking you if you're sure that
> > you want to quit.  For example, if connected to a UNIX host using
> > NiftyTelnetSSH, it will ask you if you're sure you want to disconnect
> > when the application quits.  Other applications with unsaved data will
> > ask if you want to save changes.  Most of these dialog boxes have OK
> > and Cancel or Yes, No and Cancel for options.  Hitting Cancel at any
> > of these "are you use" dialog boxes will stop the logout process and
> > return you to the current session.
>
> which is useful if you hit quit and you actually don't want to quit (i know,
> this is for silly lusers, but they exist). to quit an app without asking,
> there had to be another event, which current apps wouldn't support.

I find closing confirmations extremely useful, as anyone could
accidentally close a document they are working on.  But yes, to close an
application without asking, there would have to be another event or you
would have to have the OS simply kill the process and forget cleanly
exiting the application.

> > Now, being primarily a UNIX user that also uses Mac OS for graphics
> > and Web page design, I realize that relying on Mac OS for physical
> > security is about as silly as relying on the Windows 95 password
> > "protected" screensaver for security.  I just figured that I'd point
> > out this small issue because the Mac OS 9 ads seem to be pushing the
> > added security benefits of upgrading to Mac OS 9 and its voiceprint
> > password protection.
>
> well, it seems /this/ kind of protection doesn't work. however, if you shut
> down the mac, you'll have to log in when booting.

Again, you are not understanding the issue with the flaw, please read what
I have written above.

Mike Eldridge

-----------------------------------------------------
Save the whales.  Feed the hungry.  Free the mallocs.