Login Manager

t3st3r t3st3r at mail.ru
Fri Aug 10 21:57:15 CEST 2007

Shakthi Kannan wrote:
> Hi,
> This is w.r.t. having a login manager for OpenMoko.
> I am not sure how other PDA phones implement login access, but, in the
> Nokia 6210 classic, even without the SIM card, it simply allows access
> to the phone, organizer applications, and data. So, if the phone is
> lost, valuable information will be stolen, which is something
> end-users don't like.
So far, virtually no phones protect USER data well enough.Actually, 
proprietary phones are doing some job at protecting their firmwares from 
hacking and pretty powerful protection in operator locking part, etc.And 
er, virtually no protection of user data.While locks, etc are encrypted 
and heavily checksummed\signed, user's data are stored as is.So anyone 
with physical access to phone can quite easily dump your private data if 
they' really want to.Basically this can be done by just over wires.At 
very most ("uncooperative" boot loader, etc), they have to use JTAG or 
desolder flash IC.Not a great deal for pros.So, once you lost the phone 
you have no reasons to feel your data too secure.They are not secure.

And user's "phone code" often implemented in very lame manner - usually 
it is trivial to remove it or dump it's value.So, no, if you your lost 
phone, phonecode will rather cause it to be removed and phone never 
returned to you.While fair people will be effectively prevented from 
contacting you.So this can even work against phone owner.

I can see two different approaches here.

1) You care about your data and do not care too much about phone is 
returned to you.
The real way to protect all user data from unauthorized use in quite 
powerful manner is to use file system encryption.This will make all 
things protected.Phone book, calendar, notes and all your files.This 
costs though. Filesystem will be slower and due to heavy CPU use battery 
will exhaust faster. Everything has it's price, privacy too.

If someone is willing to implement this ever, there is funny hint, just 
invented by me: long password is pain in the ass to type at boot 
time.And short password is easy to bruteforce. So, you can store long 
encryption key in SIM as phone number and name in SIM address 
book.Access to SIM is protected by short PIN which is hard to brute 
since you only have 3 attempts to go and SIM is pretty secure thing 
:).So user have to enter just short PIN but this will cause powerful 
encryption key to become accessible from SIM's address book.And those 
who do not know pin will not have access to this key since SIM cards are 
refusing address book access without entering proper PIN code IIRC.

This can make data pretty secure.But... evil persons will just erase all 
this and reload "factory" flash image so they can use the phone.Good 
persons will be prevented from contacting you up to some degree since 
phone gives no access to address book.Idea with displaying your contact 
info on boot splash\password request screen can help though.

2) You do care about phone return and do not care too much about 
unauthorised data access.
Then another approach can be good: phone should allow all access to all 
data as usually, any SIM should be OK, etc.Recommended setting is no PIN 
and no phonecode.But it should silently send it's coordinates to let's 
say, e-mail to your mailbox or SMSes to a "friendly" number(your second 
phone number or friend, etc).SMSes will also expose bad guy's phone 
number to you (your friend, etc).So, bad guys can use phone and access 
all your data.But it will silently track them a bit so you can return 
your phone easily.Actually there should be no restrictions in data 
access or features.Otherwise phone will be reflashed by evil people and 
tracking will be stopped so your chances to find your phone will become 
pretty low (IMEI tracking is proven to be quite ineffective since not 
each and every operator on the planet does this and they're cooperate 
poorly enough). Well this will leave all or some data accessible to bad 
guys.Tracking their location and new SIM's phone number in exchange.

I see no effective way to combine these 2 different goals.One is 
prevents access to data but this will enforce bad guys to do full 
reflashing.Killing your (unusable) data but getting working (usable) 
phone.Another approach makes guys to believe phone is not defends itself 
and not secured.While it really silently tracks evildoers.

> I read this page:
> http://wiki.openmoko.org/wiki/My_Account
> I put together few points on the login manager:
> http://shakthimaan.com/downloads/openmoko/docs/login-manager.pdf
> I am not sure if I have missed any user scenarios.
> Thoughts/suggestions/feedback appreciated. Just replace .pdf to .odt
> in the above to get the OpenOffice document.
> If login access has already been addressed in OpenMoko, please let me
> know. I hope this is clarified before mass market.
> Thanks,
> Shakthi

More information about the community mailing list