lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAA24eKuEkK0U2NuVRIYlKGfcKAAAAQAAAAfO7BZt/Q2kCUPd6JrS2mXwEAAAAA@pchandyman.com.au>
Date: Thu Feb  9 03:17:23 2006
From: full-disclosure2 at pchandyman.com.au (Greg)
Subject: Bluetooth Activesync - requesting test

OK this sounds screwy but if someone has the equipment, can you test and let
us all know please?

A PDA I was working on that had to be Activesync'd to one computer had the
PDA name "John" rather than the standard name that comes with the PDA.
Another PDA was already working Activesync. Both were over bluetooth
encrypted. The other one was named "Cheryl" just for info's sake. 

Anyway, "John" was a new PDA of exactly the same make and model as "Cheryl"
(Mortein syndrome) but what I didn't know and didn't look for, initially,
was that the computer had been set up by someone else to ONLY allow
connections from "Cheryl" and no other device and it was set in "non
discovery" mode, that is, no other bluetooth device supposed to be able to
find it. When I set John up, it autosync'd for 24 hours and stopped syncing
again. I went back and did a thorough look and found that "Cheryl" was the
only one allowed to connect bluetooth to the computer but "John" had,
anyway.

So this makes me wonder - and this is what I am asking help with - is it
possible that bluetooth pairing, connection in total and autosync are all at
risk if the same model PDA is used even though they are set up with
different PDA names and even if settings are correct and are NOT supposed to
allow connection from anything else? If it is, this is a worry.

Of course, the alternative is that I stuffed something up, I know but for
the life of me, I cant see what it is. If data is encrypted and only paired
devices that are NAMED are allowed to connect, I would have thought that
meant I shouldn't have been able to set the other PDA up but I did. 

Thanks for any info/help.

Greg.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ