> I have a Palm m505 and a SERIAL (yes, not USB) hotsync cable. In
> addition, I am using the standard OS4 password mechanism to "protect" my
> data.
There's some issues with this, in fact. We can do any of the
following:
- Bypass the password altogether
- Force a user to supply a password
- interactively (breaks scripted syncronization)
- stored in a file in ~/.pilot-link/ (potential for security
holes, but can also be encoded with md5sum as well)
- Just ignore it and tell the user to unset their password on the
Palm.
Some of us, myself included, see this password as a means
implemented by Palm Computing, Inc. to "protect" the user's data, and
protect data stored on the Palm, a copyright device using copyrighted means
to store that data. Taking this further, bypassing the "password" mechanism
(which in the past was trivial to bypass, and is still very much
undocumented, and part of Palm's trademarked and copyrighted HotSync(r)
protocol) could put pilot-link in a potential hitch from the our friends at
the DMCA if we don't do this properly.
I've kicked some ideas around with a few people and have come up
with a design which I think will work, and which does not seem like a
maliscious "bypass" of this password. We have to come across as "white hats"
in this, not maliscious "hackers", otherwise we make things harder for us.
> I also tried checking out a semi-recent version from cvs. I say
> semi-recent because I tried to avoid any of the new automake changes
> since the head didn't seem to work for me today (Nov 21). This also
> gives the same error.
What errors did you get from trying to build the latest cut of HEAD
from the cvs? jpr and I have banged on it on a handful of machines and
distributions, and the only one I know we have some issues with right now is
Solaris/SunOS 5.8, but I'm working those out. Let's try to see what you may
have found that stopped you from being able to build a working version.
> I saw the Changlog entry about md5.c and the new password scheme, but
> md5.c doesn't seem to be in the above tarball. It is in the head of the
> repository, but like I said, I still get this error.
I checked in those files in the interim as a placeholder for some
local code I was testing here in my local tree. You can see an original
email from my discovery of this md5 checksum of the password here:
http://hcirisc.cs.binghamton.edu/pipermail/pilot-unix/2001-July/004238.html
This is by no means conclusive evidence of being able to
successfully pass/encode/send/accept this password hash from a user's
perspective, but we now know how to at least begin addressing the problem.
> Is there something I should be doing to specify the password to
> pilot-link?
Right now, nothing in the non-Windows space can sync with that OS4
password set, including pilot-link, Coldsync, gnome-pilot, JPilot, KPilot,
and others. Judd (JPilot) and I talked for a little while about this, and in
the testing process while we were chatting on irc, we managed to find a few
flaws in their design, and there are currently three ways (on Windows) to
bypass a "secured" palm or take a clean, cold-wiped Palm, and extract a
user's data on a Windows machine which has been secured with a password. I'd
rather not detail them here, but they're pretty trivial to implement.
When I get a chance to clean up the stuff I'm working on this week
in the top level of the tree, I'll try to toss out a design specification
here to the list for what I believe will help us in implementing this into
production for review.
/d
_______________________________________________
Pilot-unix mailing list
[EMAIL PROTECTED]
http://hcirisc.cs.binghamton.edu/mailman/listinfo/pilot-unix
