[ale] palm pilots and unattended PCs
hirsch at zapmedia.com
hirsch at zapmedia.com
Fri Sep 15 10:11:10 EDT 2000
Keith R. Watson writes:
> At 10:27 PM 9/14/2000 -0400, you wrote:
> >Wandered Inn writes:
> > > hirsch at zapmedia.com wrote:
> > > >
> > > > I just read this article in comp.risks. It points out that you can
> > > > still sync your palm, even if your NT machine is locked and password
> > > > protected. I bet thet Linux has the same problem, though I haven't
> > > > tested it. It's an interesting security whole.
> > > >
> > > > Does anyone know of a "secure xlock" which will not only keep users
> > > > out of your X session, but also lock the various ports? It sounds
> > > > like a somewhat tricky problem.
> > >
> > > I guess it depends on what you're using to sync your pilot with. I'm
> > > using jpilot. If the package is not running, which I don't leave it up,
> > > pushing the sync button does nothing, because there's nothing talking to
> > > the cradle.
> >
> >Sure. Even if it is up, I don't think it monitors the port unless you
> >have pushed the sync button in jpilot.
> >
> >But if you use gnome-pim, if runs a daemon that monitors the serial
> >port, so all you have to do is push the sync button on your pilot.
> >IMHO, that's the right way for a pilot manager to behave. But there
> >is this small security problem.
> >
> >--Michael
>
> Hi all,
>
> It would seem to me this is like complaining that I can telnet into a Linux
> box with no user id or password required even when I'm not logged on the
> console. Has it ever occurred to anyone to implement security on the
> process just like we do for all the other processes running on the system?
> The fault is not with the keyboard lock not working but with a
> service/daemon running that accepts service requests without any
> authentication or authorization.
I disagree. When I plug a keyboard, monitor, or mouse into my machine
it doesn't require authentication or authorization. But if I lock my
screen they are all disabled. Similarly, I don't use and
authentication or authorization on the wires going to my speaker or
microphone, but (in most modern distributions) a user other than me
can't access them. (This used to not be the case and it was a major
security whole. I remember the joy of making my advisors computer
"flush the toilet" from another Sun workstation. If he had had a
microphone I could have listened to all his conversations.)
In a system like GNOME, any external appliance tied fundamentally to a
login should be disabled when the login is disabled (say, by locking
the screen).
--
------------------------
Michael D. Hirsch, Ph.D.
Software Developer
zapmedia.com
Phone: 678-420-2722 FAX: 678-420-5839
email: michael.hirsch at zapmedia.com Web: http://www.zapmedia.com
--
To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message body.
More information about the Ale
mailing list