
Re: [coldsync-hackers] m500: cannot coldsync




> 	You make it sound as if even a well-behaved program could
> accidentally sync, simply by not being aware of the fact that password
> protection exists.

	Judd and I proved this, both with JPilot (his project) and the Palm
Desktop itself under Windows. If you replace the files on the desktop side
with versions which are 400 bytes (in the example of Windows) instead of the
hash-containing 416-byte files, and then sync your cleanly wiped Palm to
that desktop, you can then retrieve the data that resides on it in your
Palm. If you take someone else's 416-byte hash-containing files, and
overwrite those on the Palm desktop, and sync with the UserID of that data
(spelled right) on a cleanly wiped Palm, you then get the data on your Palm,
and the hash is transported as well. Nasty.

	Likewise, with JPilot, the same case applies if you remove the files
which contain this "My UserID is:" value. We tested it on both platforms,
and it works that way. Palm makes the assertion that a desktop with valid
data, and a Palm with nothing at all on it, including the lack of a UserID,
is a new user who has accidentally wiped their Palm, but asserts that user
to be the VALID owner of the desktop data. Yes, when you sync, you get the
"Select a Username" dialog.

> 	Agreed. I don't know about anyone else, but I don't want to break
> or bypass security; I just want to sync my stuff.

	We concur. Let's come up with a mechanism which we can both use,
yours with ColdSync, and mine with pilot-link.



/d

