When your job is to learn things about other people, you naturally end up wondering about your own security.
As I wondered, I realized that I had been using the same password for just about everything, and I hadnâ??t changed passwords in years. Definitely not a good idea! So I started thinking about passwords, and that to get a really â??strongâ?? password, one that defies guessing and will require a dictionary attack to crack, it really needs to be randomly chosen. So I figured I would find a random password generator, and use it to pick new passwords for things. A brief search turned up a few web based options, which I quickly discarded for obvious reasons, and a few more Palm based options.
While searching for â??password generatorâ??, SplashID turned up. SplashID is the application I use to store all of my passwords and the like on my palm. It has a nice desktop component that eases heavy entry chores, and things are stored in encrypted form. It turns out that SplashID has a password generator built-in â?? Iâ??d had no idea! So after a few minutes of bringing the SplashID database up to date, I chose new passwords for everything and began making the changes. I am always amazed at how long it takes to learn to type the new password instead of the old one 😉
Well, changing passwords made me think about where theyâ??re stored, and encryption. This made me think about privacy and security in general. I donâ??t mean to be paranoid, but it does make you think â?? especially when you start considering all the things that could be happening without your knowledge â?? and itâ??s easy to develop this strong feeling of nakedness. This can be a slippery slope, as there are many levels of security, ranging from stopping the curious (but only annoying the skilled) to stopping the skilled (and only annoying the government) to stopping or at least stalling the government. I figure I donâ??t have the energy or resources to stop the NSA, but I should be able to stall the average hacker.
First of all, what if I lost my PDA or it was stolen, or even just â??borrowedâ??? Ok, no problem, there are lots of lockout apps to take care of that risk. There is even the Security Update free from Palm thatâ??s about as good as anything else. PDA Defense and others add some features (like encrypting the stuff on expansion cards), but basically do the same thing. This is the easiest threat to guard against.
Then thereâ??s all the passwords, special numbers, etc. that I have in SplashID. Again, no real challenge to get that covered, as there are scads of password database programs. It seems that just about anyone wanting to learn to write software for the Palm writes a password database and puts it on PalmGear.com for 5 bucks or so. Along with SplashID Iâ??ve tried Keyring, which is open-source, has very strong encryption, but lacks the desktop component. If you have no interest in putting the info on the desktop, or believe your desktop to be totally secure, you may not even need a password database.
So far, things are pretty secure against the really serious consequences, by which I mean wholesale loss of assets or identity, which leaves plain old privacy.
I would guess that most of us have PDAs because we work, and we sync our PDAs to our work computers. After all, much of the info in our PDAs is work related, and they really help us be more effective at work. But thereâ??s also personal stuff in there, and not all of itâ??s in the password database, right? The problem is that when we sync our data to the desktop itâ??s in the clear when it gets there. Anyone with a text editor can have a look â?? especially at the memos. If youâ??re using Outlook with Exchange Server you have some protection but are still exposed to the IT folks.
Itâ??s a challenge to secure this stuff because the majority of all Palm security products are designed around the idea that your PC is secure, and the main threat is against the Palm. This is true for situations where the sensitive data is coming from the organization, but what about personal privacy? It is more of a challenge to find a way to effectively protect the personal stuff in there.
Another scenario where it would be nice to keep the Palm data encrypted on the PC side is when youâ??re syncing to someone elseâ??s machine. For example, youâ??re visiting someone and want to install a nifty new app or move a lot of data onto your device. You sync with their machine to do so. Obviously you would set all the conduits to do nothing, but stillâ?¦
Ideally, there would be an application that would allow you to selectively encrypt records and/or databases on the Palm, combined with a hot-key activated app on the desktop to decrypt things. Until a passphrase is entered, itâ??s encrypted on the desktop. Since 99% of the data weâ??re talking about is stored as ASCII this shouldnâ??t be too difficult. In fact there are at least two programs that are doing it for memos. CryptoPad is a freeware solution; MemoSafe is an inexpensive commercial one. Both leave encrypted memos inaccessible on the PC, but have a basic tool for decrypting them there if necessary. Iâ??ve chosen CryptoPad simply because it makes the encrypted memos invisible on the desktop, which I think is an advantage. Tasks, contacts and appointments are still wide open. There used to be an app called ReadThis that would encrypt any field â?? at least I find references to it on the web. Alas it is no longer supported and the developer is unavailable. It would be nice if someone would write a replacement.
So by now I donâ??t have to worry about handing my palm to some else to use, or really crafty coworkers or less than ethical IT people. But there are still two areas where security is missing.
When I hotsync over a phone line or via the internet, lots of things are in the open. True, it probably takes a lot more sophistication to intercept what someone is sending over the net than it does to snoop some text files on a computer, but still the threat is there.
VPN provides a layer of security for all network traffic, and can be set up on PCs that have a always-on internet connection, which is a requirement for remote syncing anyway. This is the only way I can sync with work, so Iâ??m set. For a direct phone line sync there arenâ??t any options Iâ??m aware of, but most folks would probably consider that risk pretty minimal. In either case, a solution that encrypts on the palm and leaves it encrypted during a hotsync would be fine.
But even if you have a secure connection to sync with, my email doesnâ??t stop there. Off on the net it goes, though unknown systems and past unknown eyes. Here is where things get the most complicated, because you arenâ??t the recipient, and in some ways get the easiest, because lots of folks have already thought about this problem. Youâ??ve probably heard about PGP & OpenPGP, which are public-key encryption systems designed to provide email security. I wonâ??t go into the whole history of PGP, except to say thereâ??s a lot of stuff out there. Just not a lot of stuff for the Palm.
PGP Mobile exists, but it doesnâ??t seem to be well supported. Questions sent to PGP about it drew no response; questions posted on newsgroups drew little response and none really good. Itâ??s also very expensive for a Palm app – $65 for a subscription license. Iâ??ve decided to give it a try and hopefully theyâ??ll decide to send it to me soon â?? export laws require them to â??check me outâ?? before sending it.
There is an OpenPGP for the Palm, which is open source. Unfortunately it was last updated in the late 90â??s, and is less than stable on my OS5 T3. It also lacks any key management. While Iâ??m no security expert, I donâ??t think itâ??s intended for serious use â?? itâ??s more of a hobbyist thing. Iâ??m hoping someone will grab the source and update it for OS5. If I can put together a free build environment I might give it a try.
So how do I feel now that Iâ??ve got all this stuff in place? I have to say there are three things that have made me relax far more than the others. First was picking new, random passwords. Second was encrypting some of the memos I have. Third was putting a password on my Palm. The rest of it is nice, but stands a some chance of being shut off or removed in the future.