Remote streaming with Palm/Treo 700p: security questions



dperrigan
2006-10-02, 09:25
Hi there. I've been using my two Squeezeboxes for about 6 months now and LOVE them. Thank you to all the developers and all the forum posters out there.

I just purchased a Palm/Treo 700p and have set up remote streaming and remote access to my home computer's (Win XP Pro) SlimServer website. I'm doing this by forwarding port 9000 on my router (wrt54g). I'm using SlimServer user/password and also blocking requests except for the IP of my smartphone (which hasn't seemed to change over the last few days so I'm assuming it's "mostly static").

My question is: how secure is this? Has anyone tried to hack a system configured as such? I've read the few posts suggesting ssh, but I'm not sure if that can be set up on a palm 700p.

Anyone have any suggestions? Thanks in advance!

Dan

Mark Lanctot
2006-10-02, 10:21
A Google search shows no exploits for port 9000, but that doesn't mean there aren't any or won't be any in the future.

Your PC will currently be listening on port 9000 for all requests. If an attacker can figure out that this is SlimServer, he can maybe start your player up at 4 AM. :-)

That's not to say there's no security risk. New exploits are being developed all the time and SlimServer is not designed as a secure server for use over the Internet. SSH is.

If you don't want to use SSH but wish to avoid someone playing around with your SlimServer, you may want to set a user name/password in Server Settings - Security. You can then access the stream at http://username:password@<SlimServer IP>:9000/stream.mp3
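
What a `username:password@` URL like the one above puts on the wire, as an added example that is not part of the original post or SlimServer's own code. It assumes the client turns the URL's credentials into a standard HTTP Basic `Authorization` header; the host, user name and password are constructed sample values. Over plain HTTP on port 9000 the password is only base64-encoded, which is the gap an SSH tunnel closes.

```python
import base64
from urllib.parse import urlsplit, unquote

# Constructed sample values: 192.0.2.10 is a documentation-only address.
SAMPLE_URL = "http://listener:example-pass@192.0.2.10:9000/stream.mp3"


def build_request(url):
    """Return the request bytes a client would send for a user:pass@host URL."""
    parts = urlsplit(url)
    userinfo = f"{unquote(parts.username or '')}:{unquote(parts.password or '')}"
    token = base64.b64encode(userinfo.encode()).decode()
    host = parts.hostname if parts.port is None else f"{parts.hostname}:{parts.port}"
    return (
        f"GET {parts.path or '/'} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Authorization: Basic {token}\r\n\r\n"
    ).encode()


def credentials_on_wire(raw):
    """Return (user, password) readable in plain-HTTP request bytes, or None."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() != "authorization":
            continue
        scheme, _, token = value.strip().partition(" ")
        if scheme.lower() != "basic":
            return None                          # not Basic, nothing to decode
        try:
            decoded = base64.b64decode(token.strip(), validate=True).decode()
        except ValueError:                       # malformed base64 or bad UTF-8
            return None
        user, _, password = decoded.partition(":")
        return user, password
    return None                                  # no credentials in the request


if __name__ == "__main__":
    request = build_request(SAMPLE_URL)
    print(request.decode())
    print("Readable without any key:", credentials_on_wire(request))
```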

dperrigan
2006-10-02, 10:36
Thanks, Mark. I'm already using the username:password and the IP blocking. I'm wondering if that's safe enough. Also, does anyone know if ssh or something like it can run from a palm?

Thanks,
Dan

stinkingpig
2006-10-02, 10:55
On 10/2/06, dperrigan <dperrigan.2f2a4n1159810801 (AT) no-mx (DOT) forums.slimdevices.com> wrote:
> Thanks, Mark. I'm already using the username:password and the IP
> blocking. I'm wondering if that's safe enough. Also, does anyone know
> if ssh or something like it can run from a palm?
>
> Thanks,
> Dan

"Safe enough" depends entirely on the threat surface, which depends entirely
on the likely attackers. You're probably fine, unless:

1) you run with a very clever and motivated crew with a bent towards
practical jokes.
2) some security researcher figures out and publishes an automated attack
against slimserver's username and password function.
--
"I spent all me tin with the ladies drinking gin,
So across the Western ocean I must wander" -- traditional

pfarrell
2006-10-02, 11:01
dperrigan wrote:
> Thanks, Mark. I'm already using the username:password and the IP
> blocking. I'm wondering if that's safe enough. Also, does anyone know
> if ssh or something like it can run from a palm?

Google for ssh and palm yields
http://www.sealiesoftware.com/pssh/
pssh is a free, open-source SSH 2 client for Palm OS 5.

--
Pat
http://www.pfarrell.com/music/slimserver/slimsoftware.html

Mark Lanctot
2006-10-02, 11:42
> Thanks, Mark. I'm already using the username:password and the IP blocking. I'm wondering if that's safe enough.

That's as safe as you're going to get without SSH.

Whether it's safe enough, see stinkingpig's second point.

dperrigan
2006-10-04, 05:42
Thanks again to everyone. I've been looking into ssh (with not much luck so far). Are there any other Squeezebox users out there with a Palm 700p? I'm curious as to how you're using it (if at all).

Dan

rme
2006-10-04, 06:21
I have the 650p treo and use it to access the web interface to control the sb that powers my outdoor speakers. See attached for a handheld skin that I modified for usability/speed of navigation on the treo.

Also, I sometimes stream from myip.dyndns.com:9000\stream.mp3 to my treo using pockettunes though not that often.

I only use the slimserver based security (username/password, no ip restrictions as my treo ip address always changes) for that streaming as pssh is rather difficult to use.

In pockettunes, you can set up a url favorite to username:password@youripaddress:9000\stream.mp3. Set up bitrate limiting on your player on slimserver to 64k or 96k. However, you can only stream your hard drive music, not any internet radio streams through your slimserver. For some reason, internet radio does not use bitrate limiting.

dperrigan
2006-10-04, 07:48
Thanks, rme. I tried the TreoHandheld skin but it must not like the 700p version of Blazer -- all I get is a blank screen. The standard Handheld skin works fine, though, as well as PocketTunes for streaming.

Dan