Re: [coldsync-hackers] [PEG-T415] update
- To: <coldsync-hackers at lusars dot net>
- Subject: Re: [coldsync-hackers] [PEG-T415] update
- From: "David A. Desrosiers" <hacker at gnu-designs dot com>
- Date: Fri, 8 Mar 2002 13:53:44 -0800 (PST)
- In-Reply-To: <200203081908.g28J8gs11890@ns3.safety.net>
- Reply-To: coldsync-hackers at lusars dot net
- Sender: owner-coldsync-hackers at lusars dot net
> Interestingly -- I reset the Clie and reentered the password and now
> it's being sent. I double-checked to make sure the password was in place
> before the reset.
Welcome to the soup. Implementing a "fix" to allow the Palm to sync
to the desktop when a password is set is a slightly sticky issue as far as
legality is concerned. There are a few ways to provide this functionality.
I've tossed out a brief roadmap of ideas before on the pilot-unix list (for
pilot-link again, but still applicable here):
1. Ignore the relevant SLP packet(s) that contain the hash
   completely, as if no password was ever set. Dangerous idea.
2. Interactively prompt the user at sync time to enter the password
   a. Breaks network sync, since you won't be at the same
      machine that's being used to sync.
   b. Daemon mode presents a problem when sync'ing.
3. Have the user enter the password once at initial configuration
   time, hash that, and store it in ~/.coldsyncrc file.
   a. Storing the raw hash itself makes exploits possible
   b. Storing a hash of the hash is better, but still prone to
      exploits and hijacking.
4. Replace HotSync.prc on the Palm with one which handles access to
   the data itself, without using HotSync. You can then bind
   "NewSync.prc" to the cradle button as well.
The fear here is that the "Right Thing(tm)" is done, and that we
(Coldsync team, pilot-link team, J-Pilot, yada yada) come across as
"whitehats" and not as malicious hackers or crackers. We must surpass what
Palm tried to do, or at least match their intentions regarding securing the
user's data, and making sure we don't look as though we're trying to bypass
their means and methods.
Remember, our friend DMCA is breathing closely behind us...
OS5 presents even more potential problems, with RSA (which,
thankfully is documented) and certificates being passed between apps on the
Palm and between the Palm and desktop.
[dd]
--
This message was sent through the coldsync-hackers mailing list. To remove
yourself from this mailing list, send a message to majordomo@thedotin.net
with the words "unsubscribe coldsync-hackers" in the message body. For more
information on Coldsync, send mail to coldsync-hackers-owner@thedotin.net.