[ale] palm pilots and unattended PCs

Keith R. Watson keith.watson at gtri.gatech.edu
Fri Sep 15 08:58:48 EDT 2000


At 10:27 PM 9/14/2000 -0400, you wrote:
>Wandered Inn writes:
>  > hirsch at zapmedia.com wrote:
>  > >
>  > > I just read this article in comp.risks.  It points out that you can
>  > > still sync your palm, even if your NT machine is locked and password
>  > > protected.  I bet that Linux has the same problem, though I haven't
>  > > tested it.  It's an interesting security hole.
>  > >
>  > > Does anyone know of a "secure xlock" which will not only keep users
>  > > out of your X session, but also lock the various ports?  It sounds
>  > > like a somewhat tricky problem.
>  >
>  > I guess it depends on what you're using to sync your pilot with.  I'm
>  > using jpilot.  If the package is not running, which I don't leave it up,
>  > pushing the sync button does nothing, because there's nothing talking to
>  > the cradle.
>
>Sure.  Even if it is up, I don't think it monitors the port unless you
>have pushed the sync button in jpilot.
>
>But if you use gnome-pim, it runs a daemon that monitors the serial
>port, so all you have to do is push the sync button on your pilot.
>IMHO, that's the right way for a pilot manager to behave.  But there
>is this small security problem.
>
>--Michael

Hi all,

It would seem to me this is like complaining that I can telnet into a Linux 
box with no user id or password required even when I'm not logged on the 
console. Has it ever occurred to anyone to implement security on the 
process just like we do for all the other processes running on the system? 
The fault is not with the keyboard lock not working but with a 
service/daemon running that accepts service requests without any 
authentication or authorization.

keith
-------------

Keith R. Watson                        GTRI/AIST
Systems Support Specialist III         Georgia Institute of Technology
keith.watson at gtri.gatech.edu           Atlanta, GA  30332-0816
404-894-0836