> I have a Palm m505 and a SERIAL (yes, not USB) hotsync cable. In
> addition, I am using the standard OS4 password mechanism to "protect" my
> data.

There are some issues with this, in fact. We can do any of the following:

- Bypass the password altogether
- Force a user to supply a password
    - interactively (breaks scripted synchronization)
    - stored in a file in ~/.pilot-link/ (potential for security holes, but can also be encoded with md5sum as well)
- Just ignore it and tell the user to unset their password on the Palm.

Some of us, myself included, see this password as a means implemented by Palm Computing, Inc. to "protect" the user's data, and protect data stored on the Palm, a copyright device using copyrighted means to store that data. Taking this further, bypassing the "password" mechanism (which in the past was trivial to bypass, and is still very much undocumented, and part of Palm's trademarked and copyrighted HotSync(r) protocol) could put pilot-link in a potential hitch from our friends at the DMCA if we don't do this properly.

I've kicked some ideas around with a few people and have come up with a design which I think will work, and which does not seem like a malicious "bypass" of this password. We have to come across as "white hats" in this, not malicious "hackers", otherwise we make things harder for us.

> I also tried checking out a semi-recent version from cvs. I say
> semi-recent because I tried to avoid any of the new automake changes
> since the head didn't seem to work for me today (Nov 21). This also
> gives the same error.

What errors did you get from trying to build the latest cut of HEAD from the cvs? jpr and I have banged on it on a handful of machines and distributions, and the only one I know we have some issues with right now is Solaris/SunOS 5.8, but I'm working those out. Let's try to see what you may have found that stopped you from being able to build a working version.

> I saw the Changelog entry about md5.c and the new password scheme, but
> md5.c doesn't seem to be in the above tarball. It is in the head of the
> repository, but like I said, I still get this error.

I checked in those files in the interim as a placeholder for some local code I was testing here in my local tree. You can see an original email from my discovery of this md5 checksum of the password here:

http://hcirisc.cs.binghamton.edu/pipermail/pilot-unix/2001-July/004238.html

This is by no means conclusive evidence of being able to successfully pass/encode/send/accept this password hash from a user's perspective, but we now know how to at least begin addressing the problem.

> Is there something I should be doing to specify the password to
> pilot-link?

Right now, nothing in the non-Windows space can sync with that OS4 password set, including pilot-link, Coldsync, gnome-pilot, JPilot, KPilot, and others.

Judd (JPilot) and I talked for a little while about this, and in the testing process while we were chatting on irc, we managed to find a few flaws in their design, and there are currently three ways (on Windows) to bypass a "secured" palm or take a clean, cold-wiped Palm, and extract a user's data on a Windows machine which has been secured with a password. I'd rather not detail them here, but they're pretty trivial to implement.

When I get a chance to clean up the stuff I'm working on this week in the top level of the tree, I'll try to toss out a design specification here to the list for what I believe will help us in implementing this into production for review.

/d