Re: [coldsync-hackers] m500: cannot coldsync
> In the past, the system password has been used only to protect the Palm
> through the human interface (the front panel). The fact that you're
> seeing this error appears to mean that Palm has apparently fixed this
> problem.
I've written my results on this discovery back in July. Previous
versions of the PalmOS used a password scheme which was decodable (recall
the @stake advisories which were floating all around), and some would say,
vulnerable. Since Palm received quite a bit of bad press about that, they
changed it, but still got it somewhat wrong. Please see my original post on
pilot-unix, found here:
http://hcirisc.cs.binghamton.edu/pipermail/pilot-unix/2001-July/004238.html
..where I describe the reverse engineering of the PalmOS4 password
and discuss several vulnerabilities in this approach. The problem with this
is that if we "bypass" this and allow users to sync anyway, we could be
putting ourselves in a legal tangle, as possibly stated in the DMCA:
--
`(3) As used in this subsection--
`(A) to `circumvent a technological protection measure' means to
descramble a scrambled work, to decrypt an encrypted work, or
otherwise to avoid, bypass, remove, deactivate, or impair a
technological protection measure, without the authority of the
copyright owner; and
`(B) a technological protection measure `effectively controls access
to a work' if the measure, in the ordinary course of its
operation, requires the application of information, or a
process or a treatment, with the authority of the copyright
owner, to gain access to the work.
--
..and of course there is a design approach around this. When a
password is set on the device, you can require that the user enter their
password at a shunted password prompt, which will then store an md5 of that
entered password, compare it to the 16 bytes passed in the frame, and if it
matches, you're ok, and if not, don't sync. The approach to storing this, of
course, is definitely not to store the hash itself in the .rc file, but
rather store a combination hash of the Palm UserID and DeviceID or
something, along with the password. To truly be secure, you'd rewrite the
md5 each time it was sync'd with a combination hash of LastSyncTime and
UserID or some such, so it is always changing, and someone who picked up
your .rc file could not "have" your password.
In any case, you can also ignore the frame, and skip over it, but
that could get ugly. Passworded Palm devices which could be sync'd anyway,
despite having a password set. I can see that being a politically ugly
battle with Palm.
In PalmOS5, whose architecture is still being discussed on a private
mailing list, there's talk of "hardening" this even more. If we make it
appear "easy" to get around, they'll lock it down tighter than we can deal
with, and require that Hotsync Manager be running to sync, which will have
all the password handling code (like it does now). If we come across as
"white hats" in this, showing that we're trying to help them maintain a
secure environment, then we're on their good side. Just a tip.
/d
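One reading of the password gate described in the message above, as an added example (not ColdSync code and not from the original post). It assumes the 16 bytes in the frame are a plain MD5 of the password bytes; the function names, the field encoding of the .rc entry and all sample values are hypothetical.

```python
import hashlib
import hmac

DIGEST_LEN = 16  # the message says 16 bytes are passed in the frame

# Constructed sample values (not captured from a real device).
SAMPLE_PASSWORD = b"tr0ub4dor"
SAMPLE_FRAME_DIGEST = hashlib.md5(SAMPLE_PASSWORD).digest()  # assumed frame content
SAMPLE_USER_ID = 4242
SAMPLE_DEVICE_ID = b"DEV-PLACEHOLDER"


def frame_matches(entered: bytes, frame_digest: bytes) -> bool:
    """Hash what the user typed and compare it to the digest from the frame."""
    if len(frame_digest) != DIGEST_LEN:
        return False  # truncated or malformed frame: refuse rather than guess
    return hmac.compare_digest(hashlib.md5(entered).digest(), frame_digest)


def rc_entry(entered: bytes, user_id: int, device_id: bytes, last_sync: int) -> str:
    """Value to keep in the .rc file: bound to the IDs and the last sync time,
    so it is never the bare 16 bytes the device itself sends."""
    h = hashlib.md5()
    for field in (str(user_id).encode(), device_id, str(last_sync).encode()):
        # Length-prefix each field so different field splits cannot collide.
        h.update(len(field).to_bytes(2, "big") + field)
    h.update(hashlib.md5(entered).digest())
    return h.hexdigest()


def gate_sync(entered, frame_digest, user_id, device_id, now):
    """Return (allowed, new_rc_entry); nothing is produced for the file on failure."""
    if not frame_matches(entered, frame_digest):
        return False, None
    return True, rc_entry(entered, user_id, device_id, now)


if __name__ == "__main__":
    print(gate_sync(SAMPLE_PASSWORD, SAMPLE_FRAME_DIGEST,
                    SAMPLE_USER_ID, SAMPLE_DEVICE_ID, 1002000000))
    print(gate_sync(b"guess", SAMPLE_FRAME_DIGEST,
                    SAMPLE_USER_ID, SAMPLE_DEVICE_ID, 1002000000))
```

Binding the entry to the IDs and the sync time keeps the raw 16 bytes out of the file, but a weak password can still be guessed offline from it, so the .rc file should stay readable by its owner only.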