Jed, thanks for the clear words. Your work is very precious.
On Friday, 29 November 2019 11:20:07 UTC+1, Jed Carty wrote:
>
> Stefan,
>
> In that setup there isn't any problem or anything to worry about.
>
> The problem is the pattern of installing something on a person's computer that has potential to expose them to risk without explaining that to them. I have gotten a lot of pressure to make Bob listen on 0.0.0.0 as a default so people don't have to change it themselves, and the response when I pointed out that was a very bad idea for people who didn't understand what that meant was something to the effect of 'that is their problem' or 'most people don't know what it means so why should they worry about it?'
>
> Quite literally the first request I got about the BobSaver was 'can we make it listen on something other than localhost', which is asking 'can we make this let other computers save files on our computer?'
>
> While in one person's special instance it may not be a bad idea, in general that is a terrible idea. That was requested BEFORE any requests or questions about security.
>
> So we have a system that I have been very careful to ensure that its default configuration is as safe as something that functions can be and no one has to worry. But there are easily accessible settings that can change that. People like to play with settings and see what happens; someone may be poking the settings and stumble over how they could just change this 127.0.0.1 to 0.0.0.0 in the configuration and suddenly they can do more, but unless they have the warning about what that means they have no reason to be cautious.
>
> Despite the software being safe when configured in the way set as default, someone can easily modify the configuration once they have it and expose everything on their computer to all of Starbucks. So I have it set up to be as safe as possible and give a big warning about the risks of changing the settings; then what they decide is up to them and not my responsibility.
>
> As I have said before, you are not the target audience of BobEXE. I put all the configuration options in and documented them so that you can modify them to your heart's content, but by knowing what '120.0.0.1:8080' means and being able to use 'bbs-script' in a sentence you show you have the background to know what you are risking when you use things and can make a properly informed decision about it.
>
> For this you know what you are doing and can take care of yourself; I am worried about the people who don't have the time/experience/knowledge/money/interest/whatever to get the background required to know what you know about it.
>
> Social engineering is very easy in cases like this; it would be very easy to offer help to someone that involved opening Bob or the saver component up to 0.0.0.0 on a public network. I want to give them the best chance I can to understand what that means. Including the documentation and saying that they should read it first isn't going to help; I have rather explicit documentation about configuration and still people who should know better ignore it and ask me questions that are directly answered, so people who don't know to ask questions are not going to see it.

--
You received this message because you are subscribed to the Google Groups "TiddlyWiki" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/tiddlywiki/b77d5e73-db07-4615-9cb6-2340024e2fc9%40googlegroups.com.

