[missing-sync-palmos-talk] Separate WiFi conduit settings?
David A. Desrosiers
hacker at gnu-designs.com
Sun Aug 1 16:24:36 PDT 2004
> Also, the mark space website mentions somewhere that the network sync has
> security issues. Can anyone elaborate on this a little, since there's a
> pretty wide spectrum?
Their implementation, which follows the Palmsource implementation
(which has the same issue), sends the information, records, authentication
and such in the clear, across the "wire" (or wireless, as it were).
We've got an SSL + zlib implementation staged for delivery which
doesn't suffer from these sorts of issues on these platforms (it's also
about 20-25% faster, but doesn't have support from conduit vendors... yet).
It should be simple for MarkSpace to add something similar, with the
proper libraries and code from a suitably licensed and compatible project.
> Is it the standard "all your data is sent in the clear" problem?
Yes.
> Is it "susceptible to man-in-the-middle"? Is it "anyone who can guess your
> palm's name can connect to the daemon and read your files"?
Yes, we verified this about 2-3 years ago, including several
other methods by which data can be "hijacked" from a remote Palm user, if
you have Network HotSync enabled on a machine reachable from the public
Internet.
> Is it "anyone can connect to the daemon without knowing anything and do
> bad things"? Just trying to get a feeling for how much I'm opening myself
> up to by enabling this.
It is trivially simple to secure and lock down, presuming you know
the IP address that you will be using to talk to the machine from. Just use
your standard firewall rules to restrict the proper ports from all addresses
except the one you will be using. This is exactly how we do it with our
Network HotSync Kiosk project to protect the user's data during transfer in
public "hotspot" locations.
d.
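The lock-down David describes (allow the HotSync ports only from the one address you sync from, drop everyone else) as a concrete iptables rule set. This is an added example, not code from the post or from the Missing Sync or Kiosk projects. It assumes a Linux host with iptables, and the port numbers are assumptions too: Palm Network HotSync is commonly documented as TCP 14238 for data and UDP 14237 for discovery, so check them against your own daemon before applying. The trusted address 192.0.2.10 and interface eth0 used in the usage comment are constructed placeholders.

```sh
#!/bin/sh
# Added example: emit iptables rules that let the Network HotSync daemon be
# reached only from one trusted source address and drop everything else.
# Ports are assumptions (TCP 14238 data, UDP 14237 discovery); override via
# the environment if your daemon listens elsewhere.

HOTSYNC_TCP_PORT="${HOTSYNC_TCP_PORT:-14238}"
HOTSYNC_UDP_PORT="${HOTSYNC_UDP_PORT:-14237}"

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  old_ifs=$IFS
  IFS=.
  set -- $1
  IFS=$old_ifs
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Print the iptables commands, one per line, for trusted source $1.
# Optional $2 restricts the rules to one inbound interface.
hotsync_rules() {
  trusted="$1"
  iface="${2:-}"
  if ! valid_ipv4 "$trusted"; then
    echo "hotsync_rules: '$trusted' is not an IPv4 address" >&2
    return 1
  fi
  in_if=""
  if [ -n "$iface" ]; then
    in_if=" -i $iface"
  fi
  # Accept the trusted peer on both HotSync ports...
  printf 'iptables -A INPUT%s -p tcp -s %s --dport %s -j ACCEPT\n' \
    "$in_if" "$trusted" "$HOTSYNC_TCP_PORT"
  printf 'iptables -A INPUT%s -p udp -s %s --dport %s -j ACCEPT\n' \
    "$in_if" "$trusted" "$HOTSYNC_UDP_PORT"
  # ...log other connection attempts so probes are visible, then drop them.
  printf 'iptables -A INPUT%s -p tcp --dport %s -j LOG --log-prefix "hotsync-denied: "\n' \
    "$in_if" "$HOTSYNC_TCP_PORT"
  printf 'iptables -A INPUT%s -p tcp --dport %s -j DROP\n' \
    "$in_if" "$HOTSYNC_TCP_PORT"
  printf 'iptables -A INPUT%s -p udp --dport %s -j DROP\n' \
    "$in_if" "$HOTSYNC_UDP_PORT"
}

# Apply the rules (needs root); with DRY_RUN=1 only print them.
# Usage: DRY_RUN=1 apply_hotsync_rules 192.0.2.10 eth0
apply_hotsync_rules() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    hotsync_rules "$@"
  else
    hotsync_rules "$@" | sh -e
  fi
}
```

The ordering matters: the ACCEPT lines for the trusted address go in before the DROP lines, and the LOG rule sits in front of the DROP so that anything else reaching the daemon's port from the Internet shows up in the kernel log rather than silently disappearing. Because the sync traffic itself is still cleartext on the wire, this only narrows who can reach the daemon; it does not protect the data from anyone positioned between the two addresses.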