Haha, probably a bit of both.
richmond62 wrote: ↑Sun Jan 19, 2025 8:58 am
1. Does it not seem to have been spotted (& acted on) in the last 20 years?
The engine is a product of it's time. For example, any modern IDE which is capable of making changes to files on disk (outside the project files you are directly editing), will always prompt you with an "Are you sure you want to allow this" type warning.
The LCC / OXT IDE is different from most as it can be modified inside of itself to do/be whatever you want. In that respect it's a bit unique. Although this is brilliant for us, and gives us the flexibility to tweak it how we want - it does that regardless of what change you want to make. (malicious changes included).
richmond62 wrote: ↑Sun Jan 19, 2025 8:58 am
2. Have people 'over there' been merrily opening everyone's stacks for years without "a condom"?
Yes, although Klaus does elude to it here that he takes some precautions, they are not nearly enough to stop any malicious script getting through alone. He mentions he's been using that method for 20+ years - I think the "security through obscurity" comes to mind. The fact that it's all so niche, isn't seen as a target for something that can be readily exploited easily - that's probably the reason it's not been done.
Doesn't mean we should stick our heads in the sand and ignore it. In fact, quite the opposite.
Now, you are going to think I'm on my mac-bashing trip again here - but hear me out.
On Windows and Linux, if you want to make a change to the files in the IDE, you have to edit things with elevated permissions. This puts up the box asking for permissions (UAC prompt on Windows, Authentication on Linux).
On MacOS though, because you can install (drag) the application to any folder (one that might be writable, like your desktop or home folder), you have permissions to edit these ".livecodescript" files easily. (it inherits the permissions from the parent folder, meaning they are writable).
Given then that ANY program can edit the .livecodescript file (such as "home.livecodescript") as they are just text files, ANYTHING could be tacked onto that file and saved on MacOS without the user's knowledge. (I've just done this with an innocuous looking applescript on MacOS 14 as a proof of concept). I can add whatever destructive shell command or IDE function (recursively destroying stacks in the IDE if I want) without so much as a popup appearing.
So, I think it's better that the IDE on MacOS be placed in /Applications (Sorry: /System/Applications - as mentioned with Apple's hidden directory mask changes) - but having these directories 'world-writable' which are executable by the IDE is just asking for problems in the modern age of people looking to exploit things.
Perhaps I'm worrying, but if the OXT IDE ever gains wider use, it can easily become a vehicle for malware delivery really simply. What's the old saying.. "it takes 10 years to get a good reputation, 10 minutes to get a bad one". Once it gets thought of as a PUP (Potentially unwanted program), then that's the end of the engine and IDE as we know it.
As I say, preventing these files being user writable without explicitly asking for permissions would be a step towards that on MacOS, as they are in Linux and Windows - if you don't install to a location that is writable by any process of course.
)
But that's the point, you shouldn't have to trust (or take the gamble) that there's nothing nasty in stacks.
- But this remains a way to run script with the "Suppress messages" turned on, as you can see.
