JP> MaxTF's Machine Lock provides at least a start to server-side machine security.
Machine Lock cannot go far enough and is too easily defeated to be used as a real security measure.
*All* of its features to disable interrupt, restart and so on are easily defeated by:
1. Pulling the power plug
2. Holding down the shift key
3. Reapplying power to disable loading.
4. Removing the Machine Lock extension from the Extensions folder.
5. Rebooting the Mac in the normal way.
ANY Mac user with basic experience knows to attempt this method to bypass extension-type lockouts. Again, I stand by my original statements that security measures must be built-into the OS rather than tacked on as applications to be truly effective. Another way of defeating this method involves booting the CPU from another disk with an operating system, and then mounting the "locked-out" disk for attack.
1. REAL security measures include the ability to totally protect files and directories from reading, listing as being written to, linked to, or otherwise modified. Other than the permissions within AppleShare, there is no method within the MacOS to do this other than locking and hiding files. Locking can be undone from the Finder on a local machine, and hiding can be undone with many utilities. Therefore, disabling control of the screen and keyboard I/O is used to prevent access to the Finder. If files are not encrypted then they are accessible by defeating the lockout as I described above, and plainly readable.
If file/directory permissions, access control lists, and in-process encryption, were implemented INTO THE O/S, the system would be MUCH MORE SECURE from this type of an attack. Attempting to tack it on via an application is a doomed proposition which further complicates other OS operations such as file recovery in the event of a crash.
2. REAL security provides means to restrict program execution of system processes by their owner and also limits monitoring of such processes so that data is not revealed by "sniffing" the system.
The MacOS does NOT implement the concept of process ownership and is therefore susceptible to attacks designed to tap into or hijack running processes. Fortunately not many people currently know how to do this, but tools for learning about the processes running on a CPU and what data is involved in their operation do exist and can be used to break system security.
--- Daniel O'Leary, Sysop
KloneZone Mac - A TeleFinder 5.5 Mac/Windows BBS
10036 North Suttonwood, Fort Worth TX USA 76108
(817)367-2558 (Voice) (817)367-2712 (Dial-in)
1:130/1015 (Fido) klonezone.tfnet.org (TFNet)
kzpwrmac.cyberhighway.net (Internet) http://kzpwrmac.cyberhighway.net (WWW)