People have the expectation with the power off password locking mechanism
that someone would need to open up their Palm device in a hardware lab to
get the data off the device.  What we are saying is the data can be removed
with a simple hotsync cable in a few minutes and leave no trace of attack.
This is a much less expensive attack to perform.  It requires no specialized
equipment and is very quick.

The reason most of our handheld device security research is done on the
Palm OS is its ubiquity.  This is one of the rewards for being the most
popular platform or application.  The popular platforms and applications
become the beneficiaries of free security research by the security
community.  You need to look at our advisories in a positive way to see
this.  Now Palm users are more aware of their environment and can mitigate
risks accordingly.  Palm can now fix these problems as they are doing in
the next release of the Palm OS.

The users of other portable OSes are lulling themselves into a false sense
of security if they think their OS is any more secure relative to the Palm
OS based on our advisories.  I would much rather use an OS that has
undergone public scrutiny and had problems published and fixed than one
that has an unknown security posture.

If a Windows NT laptop had its floppy and CDROM drives removed and had a
non-removable hard drive it would be similar to the hardware security
posture of a Palm device.  Now if @stake published an advisory showing that
the Windows NT logon password could be bypassed don't you think that would
be a worthy security issue?  This is similar to what we are trying to point
out here.

Chris Wysopal
[EMAIL PROTECTED]
Director of R&D
@stake, Inc.



----- Original Message -----
From: "Brian Mathis" <[EMAIL PROTECTED]>
To: "Palm Developer Forum" <[EMAIL PROTECTED]>
Sent: Monday, March 05, 2001 2:36 PM
Subject: @stake ridiculousness


Am I the only one here getting fed up with @stake's ridiculous "security
advisories" on PalmOS?

Not that what they are saying isn't true, but is it really a "security
issue"? So far, everything they have brought up is the equivalent of
taking a hard drive out of a PC and sticking it in another one. Voilà! Now
you have access to all the data on the drive. Where's the advisory on IDE,
or floppy disks?

How about the other handheld OSes? WinCE? Epoc? Maybe even cell phone
OSes? So what's the deal @stake? MS payrolling you guys to spread FUD
about Palm OS?

Waiting for the next @stake advisory about the pad of paper on my desk...

--
Brian Mathis
Direct Edge
http://www.directedge.com


--
For information on using the Palm Developer Forums, or to unsubscribe,
please see http://www.palmos.com/dev/tech/support/forums/
