KEY QUESTION 

From: (///\ ulTRÅX \\\/)
Date: 05 Feb 1999
Time: 22:09:40
Remote Name: 209.240.200.45

Comments

Group: alt.discuss.webtv.hacking
Date: Wed, Jan 27, 1999, 11:17am
From: ulTRAX@webtv.net (///\ ulTRÅX \\\/)
KEY QUESTION

Permit me to ramble. With WTV, if you eliminate direct access to WTV URLs, you eliminate the ability for someone to use the WTV box to hack the WTV Network. Cutting us off from direct access seems to be a top priority with WTV. In fact at least 2 additional methods we use are slated for the chopping block come the next upgrade.

I hate to get back into a discussion that what were once called Tricks and Secrets are, in fact, a form of WTV hacking. The only difference between the old T&S and what some of us have been doing is that since the Tricks Breakin... we have had access to WTV URLs and commands that WTV never wanted us to see. They include the flashrom, disk, and customscript commands. For the first time these commands offer an ability not just to hack the browser, but to a certain extent hack the network.

Yet, and here's the key question..... since it is the purpose of the browser to access WTV URLs.... how does WTV selectively manage to shut down certain areas of that browser [mail, etc] from doing what it once did? I assume that this is done in two ways... by either the server or the Client. In the case of using WTV URLs in mail.... we instantly get the pink link. This has to be from the Client. But, how does the server know the difference between a fetch request to go to wtv-home:/home that's coming from any WTV page and one being direct accessed with the same command... from "somewhere" else?

If limiting access to WTV URLs can be done on the server side.... how is it done? The idea of a "trusted page" has come up (though the term does not come up in an Altavista search). That somehow the server must recognize where the request is coming from. If so, how would this be done? By referrer? Maybe this, too, works primarily through the Client... not the server. Maybe the server doesn't care as long as the file is there and the Client provides the correct IDs to access pages associated with our accounts.

Just trying to get a discussion going.

Last changed: April 21, 1999