Re: [coldsync-hackers] m500: cannot coldsync
On Sat, Sep 22, 2001 at 03:52:22PM -0700, David A. Desrosiers wrote:
> Judd and I proved this, both with JPilot (his project) and the Palm
> Desktop itself under Windows. If you replace the files on the desktop side
> with versions which are 400 bytes (in the example of Windows) instead of the
> hash-containing 416-byte files, and then sync your cleanly wiped Palm to
> that desktop, you can then retrieve the data that resides on it in your
> Palm.
Leaving aside the issue of how effective this "protection" is,
I'm trying to figure out what this design was intended to achieve.
Perhaps this is intended for forward-compatibility with a
future version of PalmOS, which will require the desktop to
authenticate itself with a password?
Other than that, I'm drawing a blank.
> If you take someone else's 416-byte hash-containing files, and
> overwrite those on the Palm desktop, and sync with the UserID of that data
> (spelled right) on a cleanly wiped Palm, you then get the data on your Palm,
> and the hash is transported as well. Nasty.
This aspect doesn't strike me as being quite as bad: the
assumption here appears to be that it's hard to steal files from
someone else's desktop (or at least harder than reading the password
from the Palm). I would guess that Windows is more secure than PalmOS,
which sounds reasonable.
> Likewise, with JPilot, the same case applies if you remove the files
> which contain this "My UserID is:" value. We tested it on both platforms,
> and it works that way. Palm makes the assertion that a desktop with valid
> data, and a Palm with nothing at all on it, including the lack of a UserID,
> is a new user who has accidentally wiped their palm, but asserts that user
> to be the VALID owner of the desktop data. Yes, when you sync, you get the
> "Select a Username" dialog.
This sounds like a reasonable assumption. With ColdSync, this
is a special case.
> > Agreed. I don't know about anyone else, but I don't want to break
> > or bypass security; I just want to sync my stuff.
>
> We concur. Let's come up with a mechanism which we can both use,
> yours with ColdSync, and mine with pilot-link.
So far, I'm leaning toward putting the password (or its md5
hash) in a separate file, and possibly requiring it to have the
appropriate mode bits unset.
Of course, inevitably someone's dumbass sysadmin will chmod
775 /, which means that /homes/, /homes/arensb/, /homes/arensb/.palm/,
and /homes/arensb/.palm/password can be replaced. It'll be necessary
to override the protection check in cases like these. Of course, if an
attacker can replace ~/.palm/password, he can also replace the config
file and tell it to ignore the insecure permissions, so the Right
Thing would appear to be to make this option settable only from the
command line. That doesn't buy you much, but it's something.
Though if your machine's been 0wn3d in this way, presumably
you have bigger problems.
Hacker Barbie says, "Security is hard! Let's work on the
embedded Perl interpreter!"
--
Andrew Arensburger                     This message *does* represent the
arensb@ooblick.com                     views of ooblick.com
Tomorrow is another day, but it'll suck, too...
This message was sent through the coldsync-hackers mailing list. To remove
yourself from this mailing list, send a message to majordomo@thedotin.net
with the words "unsubscribe coldsync-hackers" in the message body. For more
information on Coldsync, send mail to coldsync-hackers-owner@thedotin.net.
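The permission check sketched in the reply (a secret file such as ~/.palm/password that must be private, plus a walk up the directory tree to catch the "chmod 775 /" case, with an override that is only reported, never silently honoured) as an added Python illustration; this is not ColdSync or pilot-link code, and the exemption for sticky world-writable directories like /tmp is my own assumption.

```python
import os
import stat

# Added illustration, not ColdSync or pilot-link code.  Checks a secret
# file such as ~/.palm/password the way the post proposes: the file must
# be private to its owner, and no directory on the way up to "/" may be
# writable by anyone else (the "chmod 775 /" case).

def password_file_problems(path, uid=None):
    """Return a list of (component, reason) tuples; empty means safe."""
    uid = os.getuid() if uid is None else uid
    target = os.path.realpath(path)        # resolve symlinks first
    try:
        st = os.lstat(target)
    except FileNotFoundError:
        return [(target, "does not exist")]
    problems = []
    if st.st_mode & 0o077:                 # any group/other bit on the file
        problems.append((target, "mode %04o is readable or writable by others"
                         % stat.S_IMODE(st.st_mode)))
    p = target
    while True:                            # walk target, parent, ..., "/"
        st = os.lstat(p)
        if st.st_uid not in (uid, 0):
            problems.append((p, "owned by uid %d, not you or root" % st.st_uid))
        others_write = st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
        # Assumption: a sticky, world-writable directory such as /tmp is
        # tolerated, since only an entry's owner may rename or unlink it there.
        sticky_dir = stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_ISVTX
        if others_write and not sticky_dir:
            problems.append((p, "writable by group/other: could be replaced"))
        parent = os.path.dirname(p)
        if parent == p:
            break
        p = parent
    return problems

def password_file_ok(path, ignore_insecure=False):
    """Return (ok, problems).  ignore_insecure stands in for the command-line
    only override the post mentions: problems are still returned for logging."""
    problems = password_file_problems(path)
    return (ignore_insecure or not problems, problems)
```

Run against a real ~/.palm/password, the returned list names each offending directory, so the sysadmin's 775 / shows up as a specific path rather than a bare refusal.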