Maybe I will just include a link to the app instead if you really are having that big of a cow over it.

Ooooohhh.. I suspected as much. But was too lazy to look.

I concur, you should investigate whether Apple will allow you to redistribute that.

Like I said don't have a cow!!!!!!! I will just update my installer package to only include a link.

My god, If you want I will sit and figure out how to do it without apple's application, but don't you think that everybody would feel safer it was from apple.

This has absolutely nothing to do with that. This has everything to do with you risking legal action by including software from Apple without learning if you're allowd to do it. Frankly, I don't think we really care if you get sued.

If you don't care, then why exactly are you posting about it?

Because this site tries to be a professional site.
Morally we are obligated to try and take the high road.

Fixed....Now there is just a "Read Before Install.rtf" file in my installer that explains how to get it and why.

That's not a cow. Now THIS is a cow. mmm cow....

The question of the legality of redistributing Apple software is an issue that I would have thought experienced programmers would be familiar with. Appearing to take credit for the function of Apple software just rubbed me the wrong way. Lifting the whole displaysleep routine verbatim from macgeekery without attribution also seems wrong (unless you happen to be the person that posted there originally, in which case I apologize for the insinuation). Note that the submitter at macgeekery referenced the widget the code was based on. I'm not a security expert but I have to wonder if polling every two seconds just for a world-readable file in a given folder with a set name containing a plain text password provides any real security. Plus, the displaysleep function doesn't completely lock out keystrokes and mouse clicks, another reason why this method doesn't provide real security. But despite these objections, I would have stayed out of this thread if it weren't for the fact that this app is up on versiontracker and other sites.

What worries me is that a few posts ago, after boldly declaring how easy it would be to make a startup item to implement the key idea (this to a person worried that a 254 character password was not secure enough), you had to be told by someone else that a startup item could be disabled simply be booting in "safe mode". I'm worried that maybe despite having picked up how to do few things, you don't yet know enough to realize that there are things you may not know. This is important because one of the greatest dangers in using any security measure is not knowing its limitations and using it incorrectly. Sort of like Apple implying a while back that a FileVault account would take longer than the age of the universe to crack, while leaving the password in plain text in a swap file on the hard drive.

Sorry, I know this seems harsh, but there have been over a thousand downloads already. I hope you understand the responsibility that goes with promising to provide someone with a security product in this day and age. Do you consider yourself to be enough of a security expert to provide such a product? If it was just tinkering in a forum thread, or wasn't about security, or even if you were pushing it as a gimmick / gadget / toy rather than a "security" key, I might have only thought about commenting, but actually refrained from posting.

Going the other way, I see there is one user on versiontracker that has been locked out of their computer for four days (maybe a week or more if there hasn't been any private correspondence) after running this app, suggesting the level of support might be inadequate.

For the record, I am not a programmer, security expert or associated with anyone making a competing product. Just a concerned member of the Mac community responding to something I personally see as reckless.

OK, noted. And, also, dis-regarded.

Like I said, my app at one point DID disable "single-usermode, etc" all by itself. But the concern was that no one really trusts that sort of thing (messing with important system files), so I thought that I should let Apple's app take care of that. So, when you read "that my app does it", you are actually reading a comment from before (when my app DID do it all by itself).

Also, do you think that you could actually use a machine without the monitor turned on? I don't think you are that good.

As for the versiontracker user, I am not responsible for people who do not follow directions.

Whatever!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!

Actually, that's unfortunate, I think, but fine. I was actually posting mainly for the benefit of others who might be reading this thread, especially since you plugged your app from here. I wanted to make sure that it was understood that some people (ok, maybe just me) had reservations about this app since it doesn't offer much in the way of security over what is built in to the system, and relying on it might lead to a false sense of security.

That's exactly what I mean. If 'displaysleep' is the only thing in effect, and it allows mouse-clicks and keystrokes through, how do you know that doesn't allow enough wiggle room to bypass the block? Just because you can't think of a way, don't assume that it can't be done - what if it turns out to be really easy? If you are underestimating what you don't know and make promises of security, you may be placing people's data at risk. Just today, you advised someone to do something that would have resulted in their "admin" password being hard coded in plain text in an AppleScript. Experienced AppleScripters would be well aware of this problem. I'm giving you the benefit of the doubt and assuming you did that out of ignorance of the danger, rather than knowingly being cavalier with somebody else's security.

Again, important information for those that may be reading this thread.

But to your credit, you did try to help the person who was locked out of their computer for a week. However, as you acknowleged, the instructions you initially gave contained an error - a command intended to be executed with "root" privileges in "single-user" mode, contained a typo. A harmless typo, as it turned out, but yikes! And why are you using 'rm -Rf' to remove a file? Sure, it should work but the '-R' in particular is not necessary, and you are introducing an unneccessary risk - one misplaced space and... I don't think that someone that understands the 'rm' command, appreciates the need for care when working with "root" privileges, and respects the person who they are advising would choose to use that particular form of the command in that situation.

Anyway, honestly, it's nothing personal. I saw some red flags, and sounded the alarm. I think for the purposes of this thread, I have said enough.

Yeah, I understand. But, seriously what are you running a background check on me or something. The typo was explained in that I assume everyone knows that launchdaemons end in ".plist". I use "-Rf" as habit. It is my catch-all way of using "rm". I always use it, that way it doesn't matter if it is a file or directory.

I never made promises of security.

For an applescript noob, I thought the keychain scripting might be a little too much. I personally make sure that all my apps use the keychain to retrieve passwords. But, that might have been overwhelming to someone who has never done that before.

I think it is a very bad idea to use the "-R" option by habit, even when it isn't needed. As biovizier has pointed out, it vastly increases the catastrophic consequences of an inadvertent extra space or other typo.

I'm not sure what you meant by this - although I haven't looked into the details, it seems that the utility you are providing is intended as a security measure. I think biovizier's main point was that you ought to be hugely more careful (to the point of paranoia) when providing a program whose focus is security.

UUUUGHHHHH!

Dude, I do not make typos when I am messing around with the command line. I read, re-read, and then re-re-read all my commands. I do not hit the enter key until I am ready.

Of course, it is intended for security. But, there is no promise made about no one ever being able to hack it.

As I state in one of the comments on versiontracker, All someone has to do is change the RAM configuration to override it. No way around that one.