Security

Archived from groups: comp.sys.palmtops.pilot

I've been a little leery of putting really sensitive information like
passwords and credit card numbers in my PDA, even encrypted, for fear
that it might get lost or stolen while traveling. There are a number of
encryption products out there -- does anyone have any feeling for how
secure or insecure they might be, which have known security weaknesses,
or which might be particularly good or bad? For really sensitive data,
I'd want something that would be pretty resistant to even a skilled,
determined, and patient hacker.

Roy Lewallen


In article <11g6qe712kfpf10@corp.supernews.com>, w7el@eznec.com says...

> I've been a little leery of putting really sensitive information like
> passwords and credit card numbers in my PDA, even encrypted, for fear
> that it might get lost or stolen while traveling. There are a number of
> encryption products out there -- does anyone have any feeling for how
> secure or insecure they might be, which have known security weaknesses,
> or which might be particularly good or bad? For really sensitive data,
> I'd want something that would be pretty resistant to even a skilled,
> determined, and patient hacker.
>
> Roy Lewallen
>

<http://www.palmblvd.com/articles/2004/6/2004-6-2-Learn-the-Basics.html>
A nice article on the subject, with recommendations.

--
Jim Anderson
( 8(|) To email me just pull my_finger


Roy Lewallen <w7el@eznec.com> wrote in news:11g6qe712kfpf10@corp.supernews.com:

> I've been a little leery of putting really sensitive information like
> passwords and credit card numbers in my PDA, even encrypted, for fear
> that it might get lost or stolen while traveling. There are a number of
> encryption products out there -- does anyone have any feeling for how
> secure or insecure they might be, which have known security weaknesses,
> or which might be particularly good or bad? For really sensitive data,
> I'd want something that would be pretty resistant to even a skilled,
> determined, and patient hacker.

I've used two, Passwords Plus and Keyring. Keyring is freeware, and I
would still be using it if I hadn't got Passwords+ free from Handango
during one of their promotions. The only advantage it has is a desktop
component, which allows cutting and pasting of passwords on the fly on
the PC. Both are secure enough, but their security, like all encryption
software, depends on use of a strong password. I have no qualms about
using either for all my data, because even a determined attacker would
take a long, long time to break the encryption. Essentially, a brute-
force attack on the password is the only way to break it, and if you use
a reasonably long password with random characters, it isn't worth the
effort. If your password is 'wordpass', then your data obviously isn't
very secure. Password selection for a Palm is a compromise between
security and the ability to enter it using graffiti in a reasonable time.

--
Regards,

Stan

"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety." B. Franklin


It is alleged that Roy Lewallen claimed:

> I've been a little leery of putting really sensitive information like
> passwords and credit card numbers in my PDA, even encrypted, for fear
> that it might get lost or stolen while traveling. There are a number of
> encryption products out there -- does anyone have any feeling for how
> secure or insecure they might be, which have known security weaknesses,
> or which might be particularly good or bad? For really sensitive data,
> I'd want something that would be pretty resistant to even a skilled,
> determined, and patient hacker.

The native "security" setting only hides the info from prying eyes; it
does not encrypt the data. To do that, you will need an actual
encryption setup. There are several.

I use DataShield, by Ultrasoft. From their website:

| DataShield uses the Rijndael algorithm, adopted by the National
| Institute of Standards and Technology to be the new AES standard for
| cryptography. AES provides strong encryption with extremely secure
| protection against cryptanalysis. Visit http://www.nist.gov for more
| information.
|
| When you lock DataShield, nobody can access your encrypted data without
| your password — not even the software engineers at Ultrasoft.

--
Jeffrey Kaplan www.gordol.org
The from userid is killfiled Send personal mail to gordol

"You are there my old friend?" "Yes." "They will never make it out
alive. Unless... You see my Keeper will awaken any second, and it will
alert the others, and my only hope will die, and I will die soon after.
They do not take betrayal lightly." (Emperor Mollari and G'Kar, (17
years in the future), B5 "War Without End, Pt 2" )


There is this program (forgot the name) where after a few incorrect password
attempts, the Palm PDA will do a hard reset (erase all information) from
itself. I believe this program, if installed on a phone PalmOS PDA like a
Treo 600, will also erase itself if it receives a certain SMS message. You
can find this program easily on PalmGear.


"Roy Lewallen" <w7el@eznec.com> wrote in message
news:11g6qe712kfpf10@corp.supernews.com...
> I've been a little leery of putting really sensitive information like
> passwords and credit card numbers in my PDA, even encrypted, for fear
> that it might get lost or stolen while traveling. There are a number of
> encryption products out there -- does anyone have any feeling for how
> secure or insecure they might be, which have known security weaknesses,
> or which might be particularly good or bad? For really sensitive data,
> I'd want something that would be pretty resistant to even a skilled,
> determined, and patient hacker.
>
> Roy Lewallen


Harry Eugene Ly wrote:
>
> There is this program (forgot the name) where after a few incorrect password
> attempts, the PalmPDA will do a hard reset (erase all information) from
> itself. I believe this program if installed on a phone PalmOS PDA like a
> Treo 600 will also erase itself if it receives a certain SMS message. You
> can find this program easily on PalmGear

PDA Defense Professional.

While it sounds like a great idea, ever had someone, like a nephew,
play with your PDA? A few attempts at logging in and POOF! Your
data's gone.

No thanks! <g>

Notan


Roy Lewallen wrote:
>
> I've been a little leery of putting really sensitive information like
> passwords and credit card numbers in my PDA, even encrypted, for fear
> that it might get lost or stolen while traveling. There are a number of
> encryption products out there -- does anyone have any feeling for how
> secure or insecure they might be, which have known security weaknesses,
> or which might be particularly good or bad? For really sensitive data,
> I'd want something that would be pretty resistant to even a skilled,
> determined, and patient hacker.

Have a look at Xforcer (http://toysoft.ca/xforcer.html).

Notan


Thanks to all for the responses. Feeling confident in the security of
the offered products, I downloaded trial versions of several programs.
My life would be easier if I could simply encrypt and decrypt a .txt
file on my Zire's SD card containing all the data I want to encrypt,
rather than having to enter it all into various databases, which most of
the applications require. I found only one product which would do that,
mEncryptor by Toysoft. Worked fine.

Except for one problem. After encrypting the text file, I took a look at
the SD card on my computer with a hex editor, to make sure no remnants
of the original file were left on the card. To my horror, I found that
the original file hadn't been overwritten, just "deleted"(*). So the
entire original text was still there on the card, readily available to
anyone with a hex editor or similar readily available simple tool.

It's worries about just that kind of thing which make me shy of putting
sensitive data on my PDA and which prompted me to post the query in the
first place. It doesn't matter how wonderfully strong an encryption
method is used -- if it's sloppily implemented, it's not secure. (Of
course, if it's sloppily used -- with poorly crafted passwords for
example -- it's also not secure. But at least the user has control over
that.) Some flaws aren't so obvious and easy to find as failure to
overwrite the unencrypted text -- careless handling of passwords by the
program, for example, can also make an otherwise strongly encrypted file
easy to crack.

Weaknesses in programs used for PC data encryption seem to get found,
reported, and fixed pretty regularly. But I haven't seen anything
similar about PDA encryption software. And I doubt it's because it's all
secure and without weaknesses -- not to say gaping holes. I'm afraid a
lot of folks are living in a fool's paradise.

(*) As anyone even casually interested in security should know, deleting
a file in a FAT system like a memory card doesn't remove, erase, or
modify the file's data in any way. All it does is change the first
letter of the filename in the FAT directory to indicate that the space
is available for re-use. A deleted file can easily be viewed, copied, or
undeleted, intact.

Roy Lewallen
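
The hex-editor check described in the post above, as an added example (not code from the thread or from any product named in it): plant a canary string in the plaintext, encrypt, then scan a raw image of the card for deleted FAT directory entries whose old data still contains the canary. The image layout, file names and canary are constructed for the example, and the "ciphertext" is a stand-in, not real encryption.

```python
import struct

DELETED = 0xE5      # first name byte of a deleted FAT directory entry
ENTRY = 32          # size of one short-name directory entry
LFN_ATTR = 0x0F     # long-file-name entries are skipped

# Constructed sample data (not from the thread); the ciphertext is a stand-in.
CANARY = b"CANARY-7d3e-constructed"
PLAINTEXT = b"bank pin: " + CANARY
CIPHERTEXT = b"\xa7" * len(PLAINTEXT)

def dir_entry(name83, first_cluster, size, deleted=False):
    """Build a 32-byte directory entry for the constructed image."""
    name = bytes([DELETED]) + name83[1:] if deleted else name83
    return name + b"\x20" + bytes(14) + struct.pack("<HI", first_cluster, size)

def build_image(wipe):
    """Constructed card: SECRETS.TXT deleted after SECRETS.ENC was written.
    Simplified layout: 512-byte root directory, then 512-byte clusters."""
    old = bytes(len(PLAINTEXT)) if wipe else PLAINTEXT
    directory = (dir_entry(b"SECRETS TXT", 2, len(PLAINTEXT), deleted=True)
                 + dir_entry(b"SECRETS ENC", 3, len(CIPHERTEXT)))
    return b"".join(p.ljust(512, b"\0") for p in (directory, old, CIPHERTEXT))

def deleted_entries(directory):
    """Yield (name, first_cluster, size) for entries marked deleted."""
    for off in range(0, len(directory) - ENTRY + 1, ENTRY):
        e = directory[off:off + ENTRY]
        if e[0] == 0x00:                  # 0x00 marks the end of the directory
            break
        if e[0] == DELETED and e[11] != LFN_ATTR:
            cluster, size = struct.unpack_from("<HI", e, 26)
            yield "?" + e[1:11].decode("ascii", "replace"), cluster, size

def audit_image(image, canary, dir_size=512, cluster_size=512):
    """Return (name, offset) for deleted files whose old data still holds the canary.
    Assumes each file was stored contiguously."""
    findings = []
    for name, cluster, size in deleted_entries(image[:dir_size]):
        start = dir_size + (cluster - 2) * cluster_size   # clusters count from 2
        if canary in image[start:start + size]:
            findings.append((name, start))
    return findings

if __name__ == "__main__":
    print("delete only:", audit_image(build_image(wipe=False), CANARY))
    print("overwrite then delete:", audit_image(build_image(wipe=True), CANARY))
```

On a real card the directory and data offsets come from the boot sector rather than fixed constants. On flash media with a wear-levelling controller, an overwrite may land on different physical cells, so a clean result on the logical image does not prove the old cells are gone.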


Roy Lewallen wrote:
>
> <snip>

Just out of curiosity, what'd you think of Xforcer?

Am I, also, "living in a fool's paradise?" <g>

Notan


Notan wrote:
>
> Just out of curiosity, what'd you think of Xforcer.

I didn't try it. It's not what I was looking for -- I only need to
encrypt a small amount of data and don't feel the need to lock the whole
device.

> Am I, also, "living in a fool's paradise?" <g>

Probably. It's by the same company as mEnforcer, and in communications
with them it appears they don't realize that deleting a file leaves the
data intact. This indicates to me a level of knowledge way below what's
required for developing a security product. I'd be worried about what
other flaws -- glaring or subtle -- the program might have.

The particular problem I saw shouldn't exist with a locking program,
unless there's some way of getting at the device's non-volatile memory
when it's powered down, or unless some of the data to be encrypted is on
a removable card. If either of those is true, I'd look carefully for
remnants of unencrypted data if I were you.

Roy Lewallen


Correction:

Roy Lewallen wrote:
>. . .
> Probably. It's by the same company as mEnforcer, . . .

I meant mEncryptor.

Roy Lewallen


Roy Lewallen wrote:
>
> Notan wrote:
> >
> > Just out of curiosity, what'd you think of Xforcer.
>
> I didn't try it. It's not what I was looking for -- I only need to
> encrypt a small amount of data and don't feel the need to lock the whole
> device.
>
> > Am I, also, "living in a fool's paradise?" <g>
>
> Probably. It's by the same company as mEnforcer, and in communications
> with them it appears they don't realize that deleting a file leaves the
> data intact. This indicates to me a level of knowledge way below what's
> required for developing a security product. I'd be worried about what
> other flaws -- glaring or subtle -- the program might have.
>
> The particular problem I saw shouldn't exist with a locking program,
> unless there's some way of getting at the device's non-volatile memory
> when it's powered down, or unless some of the data to be encrypted is on
> a removable card. If either of those is true, I'd look carefully for
> remnants of unencrypted data if I were you.

Just a note: You *don't* have to lock the entire device.

Notan


In article news:<11g6qe712kfpf10@corp.supernews.com>, Roy Lewallen wrote:
> There are a number of encryption products out there -- does anyone
> have any feeling for how secure or insecure they might be ...

This question keeps coming up ... and it's very difficult to answer without
carrying out a fairly rigorous examination of the packages available (and
there are a lot of them ...).

A lot depends on *what* you want to encrypt, and how you want to use the
data. Some people (like you) just want to encrypt a few short pieces of
text data, while others want to encrypt whole databases or (say)
spreadsheets. There's a big difference in ease of programming between
writing a little application that manages an encrypted text file and
decrypts it on the fly for display and/or editing, and something that
allows encryption to be used with other apps -- the former is much easier
to do, and so much easier to do well.

> For really sensitive data, I'd want something that would be pretty
> resistant to even a skilled, determined, and patient hacker.

It's really difficult to make a meaningful assessment of the strength of
applications of this type, as the risk depends so much on what the
application does and the way in which it is used ... and there are so many
applications, many of which don't advertise exactly how they work.

If you lose your Palm and someone else gets hold of it they can attack it
in several different ways.

They can try to use the security app itself to read your data. The app
probably protects the data with a key derived from some password, which an
attacker would have to guess. The problem here is to choose a password that
is not easy to guess. Entering a password with Graffiti is hard enough that
an attacker will probably not have the patience to try very many passwords
before giving up -- but you should choose as long and as complicated a
password as you can bear the thought of entering each time you want to
access your data.

If the attacker knows the security app you use, and has been able to
determine what sort of encryption it uses and in what format the encrypted
data are stored, then he can try to guess the key. This generally means
trying keys in turn until decryption of the data produces a result that
"looks right". This sort of key-search attack may just try all possible key
values, or may try all possible passwords and derive keys from them (unless
the password is very long there will be fewer passwords than possible keys,
so the password-based search may be much quicker).

This sort of attack could be carried out on the Palm itself (by loading a
key-cracker program onto the Palm) or on a PC. Modern PCs are fast enough
that password-cracking programs can find a result quite quickly (from a few
minutes to a few weeks, depending on the speed of the PC and the complexity
of the password) ... but someone would have to have written a cracker
program specifically to crack keys or passwords for the security app you
were using in order to carry out this sort of attack.

Have a look at the GNU Keyring app for Palm - the comments there about
security and crypto are quite informative. I haven't used the app itself,
so I can't recommend it, but it seems to be the sort of thing you're
looking for -- and the website has some interesting discussion of its
weaknesses, and the weaknesses of this sort of app in general.

http://gnukeyring.sourceforge.net/index.html

Cheers,
Daniel.
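
The password-space versus key-space comparison from the post above, worked through as an added example (not from the thread). The 128-bit key size and the guess rate are assumptions, since the thread states neither, and the estimate treats every character as randomly chosen.

```python
import math
import string

KEY_BITS = 128            # assumption: no product's key size is stated in the thread
GUESSES_PER_SEC = 1e6     # assumption: illustrative offline guess rate

CLASSES = [string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation]

def alphabet_size(password):
    """Size of the union of ASCII character classes the password draws on."""
    size = sum(len(c) for c in CLASSES if any(ch in c for ch in password))
    return size or max(len(set(password)), 1)   # fallback for other characters

def password_bits(password):
    """Upper bound on the password search space in bits. A dictionary-style
    choice such as 'wordpass' is far weaker than this bound suggests."""
    return len(password) * math.log2(alphabet_size(password))

def effective_bits(password, key_bits=KEY_BITS):
    """The search covers whichever space is smaller: passwords or keys."""
    return min(password_bits(password), key_bits)

def days_to_exhaust(password, rate=GUESSES_PER_SEC):
    """Days needed to try the whole effective space at the assumed rate."""
    return 2 ** effective_bits(password) / rate / 86400

def min_length(alphabet, key_bits=KEY_BITS):
    """Shortest random password whose space is at least the key space."""
    return math.ceil(key_bits / math.log2(alphabet))

if __name__ == "__main__":
    for pw in ("wordpass", "Xq7#mL2$vR9!"):     # constructed sample passwords
        print(pw, round(password_bits(pw), 1), "bits,",
              f"{days_to_exhaust(pw):.3g} days to exhaust")
    print("lowercase length to match the key:", min_length(26))
    print("full ASCII length to match the key:", min_length(94))
```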
