[19171] in bugtraq


Re: Palm Pilot - How to view hidden files

daemon@ATHENA.MIT.EDU (Peter W)
Tue Feb 13 00:18:42 2001

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Message-Id:  <20010212150948.A24954@usa.net>
Date:         Mon, 12 Feb 2001 15:09:48 -0500
Reply-To: Peter W <peterw@USA.NET>
From: Peter W <peterw@USA.NET>
X-To:         Paulo Cesar Breim <pbreim@CANALVIP.COM.BR>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <5.0.2.1.0.20010211171242.00a7b258@pop3.canalvip.com.br>; from
              pbreim@CANALVIP.COM.BR on Sun, Feb 11, 2001 at 05:15:53PM -0300

On Sun, Feb 11, 2001 at 05:15:53PM -0300, Paulo Cesar Breim wrote:

> The software Tiny Sheet, present in all versions of Palm Pilot,

http://www.iambic.com/pilot/tinysheet3/

To clarify: it's not included with PalmOS; it's 3rd-party software.

> has a function called IMPORT file.
> Well, when this function is used, ALL FILES, including the hidden files
> protected with password, can be imported to a Sheet.

The "private" flag in PalmOS is advisory only. As has been noted in previous
discussions (most notably L0pht/@stake's PalmOS password recovery discovery),
the Palm platform is not designed to be secure. Physical access means access
to all its data.[0] So there's not much new about Tiny Sheet apparently not
following the guidelines. It's just another example of the limitations in PalmOS.

If you want to protect data stored on a PalmOS device, encrypt it. Hmm, I'd
be interested to see some work on PalmOS memory attacks, e.g. after you've
run a crypto app, can you run another app that scours the device's memory
for information left behind, e.g., passphrases or decrypted keys?

-Peter

[0] Unless the device is "locked" and has 3rd-party security extensions
    loaded that prevent non-destructive device resets.
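
Added example (not part of the original message): a minimal Python reader for the record list of a Palm database (PDB) image, showing that the "private" flag is one bit in each record's attribute byte while the record data itself is stored in clear. The sample database, its contents and the function names are constructed for illustration; the layout used is the standard PDB header and record-entry format, which the message does not describe.

```python
import struct

# Palm database (PDB) image: 78-byte header, then one 8-byte entry per record:
# data offset (4 bytes), attribute byte (1), unique ID (3).
HEADER = struct.Struct(">32sHHIIIIII4s4sIIH")
ENTRY = struct.Struct(">IB3s")
ATTR_SECRET = 0x10  # the "private" bit in a record's attribute byte


def build_sample_pdb(records):
    """Pack constructed (text, is_private) pairs into a minimal PDB image."""
    count = len(records)
    header = HEADER.pack(b"SampleDB", 0, 0, 0, 0, 0, 0, 0, 0,
                         b"DATA", b"test", 0, 0, count)
    first = HEADER.size + ENTRY.size * count
    entries, body = b"", b""
    for uid, (text, private) in enumerate(records, 1):
        attr = ATTR_SECRET if private else 0
        entries += ENTRY.pack(first + len(body), attr, uid.to_bytes(3, "big"))
        body += text.encode("ascii") + b"\0"
    return header + entries + body


def read_records(image):
    """Return (is_private, text) for every record in the image."""
    count = HEADER.unpack_from(image, 0)[-1]
    entries = [ENTRY.unpack_from(image, HEADER.size + i * ENTRY.size)
               for i in range(count)]
    # A record runs up to the next record's offset (or the end of the image).
    ends = [e[0] for e in entries[1:]] + [len(image)]
    return [(bool(attr & ATTR_SECRET), image[off:end].rstrip(b"\0").decode("ascii"))
            for (off, attr, _uid), end in zip(entries, ends)]


def private_but_readable(image):
    """Records whose only protection is the flag: marked private, stored in clear."""
    return [text for private, text in read_records(image) if private]


# Constructed sample data, not taken from any real device.
SAMPLE = build_sample_pdb([("grocery list", False), ("door code 0000", True)])

if __name__ == "__main__":
    for private, text in read_records(SAMPLE):
        print("private" if private else "public ", repr(text))
```

Any record this audit returns depends entirely on applications choosing to honor the flag, which is why the message recommends encrypting the data instead.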
