[16942] in bugtraq

PalmOS password recovery

daemon@ATHENA.MIT.EDU (Nate Amsden)
Thu Sep 28 12:57:24 2000

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id:  <39D35EF5.8CCD296A@graphon.com>
Date:         Thu, 28 Sep 2000 08:08:37 -0700
Reply-To: Nate Amsden <natea@GRAPHON.COM>
From: Nate Amsden <natea@GRAPHON.COM>
To: BUGTRAQ@SECURITYFOCUS.COM

[disclaimer: my comments do not represent that of any company or
individuals other than myself.]

I just read the advisory from @stake and was shocked. I wondered why
they considered this worthy of an "advisory"; there has been a well known
program called "No Security"[1] that with a click of your stylus you can
wipe the password off the palm device (in my case a Handspring Visor
Deluxe) without any loss of data.


in addition you can use a 3rd party program to synch the pilot, say
Jpilot[2] (which i use on linux) and it retrieves all "private" records
and does not bother to protect them, also it unmarks the private flag.


the private record security is a joke, it always has been. sure the
information in the advisory is nice and technical but you don't need to
jump through hoops to get to the private data. must be a slow day for
@stake.


[1] http://www.geocities.com/SiliconValley/Cable/5206/nosecurity102.zip
[2] http://jpilot.linuxave.net/

have a good one!

nate


--
Nate Amsden
System Administrator
Graphon
http://www.graphon.com
