[Tfug] Why would *anyone* leave a door open?

Bexley Hall bexley401 at yahoo.com
Sun Aug 30 11:30:14 MST 2009


Hi John,

--- On Sat, 8/29/09, John Gruenenfelder <johng at as.arizona.edu> wrote:

> >> I find this to be a useful setup.  I can keep all my
> >> important data on the encrypted filesystem and be relatively 
> >> sure about its safety.   Having only my
> >
> >Why not keep it on your PDA?  And just configure it
> >not to be "backed up" when you resync with your machine?

[Actually, if it is encrypted on the PDA, you could probably
*let* it be resync'ed with your PC without fear of having
a second "tamperable" copy?]

> That's... a good question.  There's even a FOSS Palm OS app that performs
> exactly this function.  It keeps your user/pass combos inside an encrypted
> vault on your PDA.
> 
> I guess the only reason I can give is security.  For example, when you first
> run the FOSS SSH client it displays several dialog boxes in a row about the
> lack of security in several parts of the

Wait -- is this the "data vault" application on the PDA?
Why are you talking about ssh here (or have I dropped part 
of the thread)?

> implementation.  In the end, the main reason for the poor security is lack
> of processing power (on devices at the time the SSH client was written,
> that is).
> 
> So, I assume that likely relates to other apps that use crypto algorithms in

It could be part of the library to which the application is linked.
E.g., use gets() in a NetBSD application and you'll get a runtime
warning that gets() isn't safe...

> some way as well.  Of course, that's just a blind assumption on my part and I
> could be completely off.  For starters, the SSH client has to en/decrypt a lot
> more data and at a much faster rate than the data vault app.

Ah, (maybe this is where my confusion arises) so the data vault
is using the same library as the ssh client.  And, your concern
is that those parts of the library may have been "compromised"
in order to make the ssh (different application) perform
"tolerably" and you fear the data vault is inheriting this
set of compromises (?)
 
> I suppose I should see if I can't dig around and locate that program.  If I'm
> lucky it will be hosted on SourceForge like (ahem) certain other Palm OS
> programs.  :)

Gee, I wonder *which*?  ;-)

> And easier to find, you see...

Yeah, there is an advantage to moving things to a public
repository.  I liken it to my neighbor who introduces his
wife as "his brain" -- he lets *her* remember all the
stuff that he would tend to forget!  :>

Or, like Ruth Gordon's line in Harold & Maude where she
throws the "charm" Harold has given her "away" and, in
response to his chagrin, says "That way I'll always know 
where it is!"