Secure PDAs

An anonymous reader writes "This article at LinuxDevices.com introduces a unique Linux-based 'secure PDA' co-developed by IBM and Consumer Direct Link, Inc. (CDL). The Paron MPC combines the functions of a PDA, Bluetooth wireless access, cellular telephone, and biometric fingerprint recognition, along with a security-oriented hardware/software architecture. The device is claimed to be the world's first handheld wireless device with built-in biometric user authentication. The Paron is based on an Intel StrongARM SA-1110 processor and uses a Linux 2.4.x kernel and provides a GUI environment and PDA app suite based on Trolltech's Qtopia and Opera's browser much like the Sharp Zaurus."

So other PDA's are palm...

But we give this one the finger?

Biometric security

[airrage]

We currently run biometric clocks for our timecard authorization, but in deploying this technology there is nothing terribly secure about it. For instance, a quick google will show you all the methods of defeating the fingerprint scan, and once a thief has this device, it's not much trouble to "dust" the last fingerprint, and create a good scan with illustrator. So remember, gotta wipe the sensor everytime!

Re:Biometric security

[orthogonal]

So remember, gotta wipe the sensor everytime!


Oh, trust me! I wipe my sensor everytime.

Re:Biometric security

[Cap'n+Canuck]

What you really want, then, is a combination retina/voice/DNA scanner/analyzer. Still defeatable, but not as easy.

Re:Biometric security

[meatspray]

actually the new IPAQ 5400 (due out soon) will have a fingerprint scanner on it. the strange thing is the sensor is only .5mm high, you have to swipe your finger across it.

there's a picture of it herehttp://www.brighthand.com/article/iPAQ_5400


Although this would proably leave a very small cross secion of the print behind, it shouldn't be enough to get a good capture of. (now the ones you leave on the sides and bottom. . . well that's another story)

Re:Biometric security

[MrFredBloggs]

Well, either that or a fingerprint reader where your print is read 'in the air', not when pressed against a glass square.

Re:Biometric security

[jkitchel]

It's not THAT easy. Take anything you find on the internet at face value. Just because someone says that they have done it, doesn't mean that you can just walk off of the street and do it. The materials are readily available, but the process is an extreme pain in the a$$. Even, then you aren't guarnteed that it will work. Also, the fingerprint reader shown on the device is of capacitance type. It measures the dielectric properties of the finger placed on the reader.

Dusting the fingerprint is easy. Lifting the fingerprint and getting enough points is harder. Getting a clear image from the lifted print is harder still. "Creating a good scan with illustrator" is also not easy and will not get you by a capacitance fingerprint reader. There have to be ridges on whatever fingerprint that you place on the capacitance scanner, meaning the finger (or fake) need to be 3D.

The moral: it's a lot harder than everyone thinks. Don't trivialize it. Biometric applications may not be ready for wide scale applications, but they definitely have the potential. The hurdle will be educating people so that they can tell the truth from the fluff.

secure PDA

that means it won't copy music files, and Microsoft can track your usage, right?

damn newspeak

I put my PDA in a safe.

[packeteer]

In a safe not even Microsoft can get to it.

Re:I put my PDA in a safe.

[Kenja]

You fool!

Microsoft knows all and sees all. If you know hte combination, then they know it as well.

All hail the Gates keeper, master of our soul.

Re:I put my PDA in a safe.

Let me guess.. the combo is 12345. Do you need to open an airlock too?

Sounds like a sweet little machine

[PhysicsGenius]

The alpha RAS functionality and double-bonded PDI factors show that this PDA is meant for VIPs but the inclusion of GNU/Linux shows they are hip to the TCO.

But I really can't take their claims of security seriously. Elementary entropy considerations can be used to show that no system employing Bluetooth can be 100% secure regardless of the use of buzzword-friendly "biometrics".

Re:Sounds like a sweet little machine

[Jack+Wagner]

Bogus.

This thing can never be secure for one reason.

Have a look at the Bluetooth spec. The Bluetooth data transfer rate is on the order of Olog(n) and any generic scanner which can be picked up at WalMart can be modded to read data at Olog(n/2).

This means you can connect up any old PC running Gnu/RedHat via the serial port to the scanner and suck the data right in. Sourceforge has several open source programs which capture data from scanners which could be used.

Doesn't anyone do any research on this stuff before making it public?

Warmest regards,
--Jack

Re:Sounds like a sweet little machine

[CableModemSniper]

Come on release the script you used to generate that post under the GPL. Software wants to be free! What did you use? Perl, Python? Something cooler?

BioMetric User Identification

[mumblestheclown]

If microsoft did "biometric user identification", we'd be screaming bloody 1984.

Instead, it's linux-based. Neat-o.

The true hypocrite is the one who ceases to perceive his deception, the one who lies with sincerity. ~André Gide

Re:BioMetric User Identification

[foistboinder]

If microsoft did "biometric user identification", we'd be screaming bloody 1984. Instead, it's linux-based. Neat-o.

That's because Microsoft will likely want to control the "biometric user identification" information in some way (like keeping it in a centralized DB that they control and requiring net access to use biometric ID).

Re:BioMetric User Identification

[mumblestheclown]

"If MS did biometric authentication you can bet they'd store all our info in a central database somewhere."

And since when did slashdot become a place for slippery-slope knee-jerk microsoft bashing? ...

Oh, wait..

Re:BioMetric User Identification

[dizco]

If microsoft did "biometric user identification", we'd be screaming bloody 1984.

Instead, it's linux-based. Neat-o.

Firstly, i don't know who this "we" is. But I wouldn't be screaming anything at a microsoft version of this, other than "neat-o". Assuming it was the same thing - a biometric security device. You use your fingerprint instead of a password. If the MS version had you using your fingerprint instead of an implant in the back of your neck that tracked your every move, sure. I'd be screaming bloody 1984. If my implant let me, that is.

Re:BioMetric User Identification

[Abnormal+Coward]

they most likely go for adding the data to your .net passport :).

Re:BioMetric User Identification

Ooer, a fancy quote. He must really know what he's talking about. Or at least he owns a book of quotations.

Personally, I think Linux is "neat-o" because it gives you the freedom to inspect and modify the code. If they coded something into it that sent my biometric info back to HQ, or did something else sneaky, I could just take that bit of the code out. If the code itself is closed-source, in that case I would just modify the kernel.

Free software makes 1984 scenarios impossible. That's what "Freedom" is about. Just like free societies makes the real 1984 impossible.

Why do we take nuclear weapons away from dictators but let democratic societies keep them? Because it's much harder to abuse power in a democratic society, where power is diffused. Same with software, on a lesser scale.

Re:BioMetric User Identification

[Bas_Wijnen]

The difference is Microsoft would probably implement it as: "store your fingerprint on our server, use the network to let us check if it is correct".

I don't particularly like Microsoft and I think I have good reason for it. But if they would implement some security feature that would actually give the security to the user, without having them intervening, then you will not hear me complain.

This device seems nice, keeping its data to itself (and of course to its owner). Some comments say it doesn't work. They're probably right. But there's nothing 1984 about it.

Button Pushing

[overshoot]

Dang. That thing sounds like it was designed to send up every /. keyboard in the world out for cleaning.

Not-so-secure PDA

[kaosrain]

This may not be so secure after all, if it includes Bluetooth. Read here for more.

-Kaos

Re:Not-so-secure PDA

[virtigex]

The concern about Bluetooth is mainly focussed on devices that are shipped with security disabled. In addition, the device would have to provide a service (such as the ability to make a phone call) for that service to be abused. Most major manufacturers ship with security enabled and I doubt whether the PDA exports any services either.

Re:Not-so-secure PDA

[Gothmolly]

It's IPSec over Bluetooth.

Re:Not-so-secure PDA

[spif]

If you read the specs, it says it uses an encrypted VPN over the Bluetooth air interface. So they're not relying on Bluetooth's native "security".

It's about time

[L.+VeGas]

I've been wanting a secure PDA for years. My Palm III is always saying things like "You don't think I'm too old, do you?" and "Those Pocket PC's sure look thin." I'm about ready to trade it in for a "trophy PDA".

Re:It's about time

[jonabbey]

I sent my old Palm IIIe to pasture, and stepped up to a hot young Sony Clié SJ30. 8 times the memory, quadruple the resolution, 65,000 available colors, MemoryStick slot, Jog Wheel.. $250 bucks without cradle.

And I don't feel one bit guilty about it.

never work

[TerryAtWork]

Bruce Schneier has handled this in his book
Secrets and Lies.

http://www.amazon.com/exec/obidos/tg/detail/-/04 71 253111/qid=1036775441/sr=8-1/ref=sr_8_1/102-248505 7-0576118?v=glance&s=books&n=507846

Biometrics is not ready for prime time. When they hack it, are you going to be isssued a new thumb?

Re:never work

No my thumprint is based on a 168 bit prime number and I change it often. My disposable contacts encrypt my retina scan and the key changes with the contacts. And my DNA mutates every 30 days! I'm secure but I seem to be growing a strange appendage that talks to me. It seems to be very pro microsoft, MPAA,RIAA and republican. It must die!

Re:never work

> Biometrics is not ready for prime time. When they hack it, are you going to be isssued a new thumb?

Well maybe as a secret key it will not work.
But as the public part of a public-key system, it might work just fine.
It is up to the service provider in that case to create a secret-key that goes with your thumb.

Re:never work

[dr_dank]

Well, you've got nine other fingers as well as ten toes. If you get hacked that many times, there's not much else that anyone can do.

Re:never work

[swillden]

Never work for what?

That's the question.

Biometrics are useful for some applications and not useful for others. As a mechanism for securing extremely sensitive data, they're only useful in extremely confined circumstances. As a key for casual protection of low-security data, they're excellent. As one of multiple factors used to protect moderately high-security data, they can also work well.

Blanket statements about any security technology are invariably false.

Re:never work

[fermion]

It has been a while since I have read that book, and I don't have it in front of me, but if i recall he realized that in Applied Cryptography he implied that properly vetted and implemented algorithms would imply security. In the fullness of time he realized that the view was naive. As such, S&L was written to convey the message that algorithms alone are insufficient. A secure system must consider users, application, the nature of the security threat, and the cost of breached security, As such, in general, all security methods fall short.

In this case, IBM tends to market to sophisticated markets. They tend to, and are increasingly, trying to serve the sophisticated market in new ways so as not to lose to MS, Dell, and others. Hopefully we will not see these devices everywhere, because, as you say, once a thumbprint is compromised it is always compromised. I honestly do not know if this is a useful tool, but i can imagine some applications where it could be.

On the other hand if MS did this, your point might be valid because then the technology would be shoe-horned into general use. For instance, if the validation was in the OS and IE, and the reader were on the keyboard, thousands of merchants might use the fingerprint for sole verification. This would create a large incentive to hack the system, which, a you point out, would only require the capture of the digital signature of the fingerprint, which is not a replaceable token.

Re:never work

It seems to be very pro ... MPAA,RIAA and republican.

Pro {MP,RI}AA and Republican? Look again at Fritz and Berman... Democrats have always been great friends of the entertainment industry.

Re:never work

[haystor]

I use 10 digit biometric security. Just try to take my PDA...

Bare Bones has a secure Personal Analog Device

[burgburgburg]

Bare Bones re-released their announcement about their entry into the PDA market with their new Personal Analog Device, or PAD. The Bare Bones PAD uses the strong content encryption algorithm known as "Chicken Scratch" which renders the input unreadable to all except the PAD's rightful owner, without relying on the cumbersome key-and-passphrase systems of existing encryption technologies. There are two configurations available, the PAD 150 and the PAD 300. The PAD 150 has storage for 150 pages of data. The 300 doubles that.

Wot no CDMA?

[smammon]

I was real excited about the device - Linux, Security, Phone - wow! But I guess they only intend it for the European/Asian markets as it's only GSM. Pitty.

Re:Wot no CDMA?

[AnonymousComrade]

From their web site: GSM/GPRS (900/1800 and 900/1900). Last time I checked, GSM 1900 was available in most of North America, and GSM 900 in Korea. Who else uses CDMA?

Re:Wot no CDMA?

[dingman]

I guess the GSM phone I use every day in the US midwest must be "only intend it for the European/Asian markets" as well. How odd.

As any security conscious agency can tell you...

[saskboy]

No PDA is really secure. The encryption and such will always be hackable.
The only true method of keeping confidential information safe is to keep it under lock and key, or in the possesion of a concerned person all the time.

Secure PDA is an oxymoron.

First, but only for a few weeks

[Matey-O]

HP/Compaq has been touting fingerprint security on it's upcoming High-end iPAQ for a few months now...

you must admit

[Faggot]

If microsoft did "biometric user identification", we'd be screaming bloody 1984. Instead, it's linux-based. Neat-o.

There's plenty of automatic-MS-bashing that goes on here, and plenty of automatic-MS-bashing-bashing. But if you look at the facts and stick to the numbers, it's not very farfetched to assume Microsoft is always trying to screw us somehow.

Look at Palladium, with which they will entrench DRM on every desktop. Look at Word's closed and obfuscated binary file format. Look at all their OEM tricks, and EULA abuse, their fake Switch ads and their systematic abuse of power.

Their strategy (whose final step is most assuredly "PROFIT !!") has been to fuck consumers and users as much as they can get away with and rob their pockets of change. Next to a Finnish hobbyist's OS, they look pretty bad.

Re:you must admit

aye, the strongest selling point I have found when trying to discretly sell mac's to co-workers are to point out all of microsofts many atrocious grevances. Usually just pointing out every single time they are going to make an illegal copy of a microsoft product (not a hard thing to do, since most people have a oem everything) they quickly get the point.

Re:you must admit

[gtaluvit]

First off, off topic. But, might I ask why Microsoft has no right to make Word use a closed, binary format? Its their program after all. Their strategy SHOULD be profit. No company will survive if they aren't making a profit (excluding non-profits of course). The way they make their profit is by making some of the best software out there. You can claim all day long that Linux is FAR superior to Windows, but in terms of Joe Everyday user, Windows is just that much easier, and MacOS is a breeze. Microsoft has had some shady practices in terms of their EULAs on occasion. But there's nothing that says they have to include Netscape just like Coke doesn't need to sell a six pack with a bottle of Pepsi. If OEM's don't like that, then by a FULL license instead of an OEM one and they can do whatever they want.

So, if Microsoft sees a demand for DRM (from copyright holders, not users, but if they don't do it, someone else will) then they should try to be the first on the market to push it. Security of content is a inconvenience for us but don't blame Micorsoft, blame the people making a demand for it.

BTW, I use Debian.

Re:you must admit

[rmayes100]

It's funny on zdnet a few days ago they had an article about what Palladium brings to the user and they had several use-case scenarios...in every case I couldn't help but wonder why anyone would want it on their computer. It seems like it's entire purpose is to protect someone's bottom line be it the software manufacturer, or some record label etc.

Looks fairly similiar to the Zaurus SL-5500

[pheph]

which I picked up fairly recently and is exactly what I've been looking for in a PDA (with OpenZaurus its even better). However:

this machine does not feature the slide out keyboard, and while it is quite small on the zaurus, I'd say I use it about half the time (hey, you ever get drunk and try to use graffiti? ;) )

the machine [looks] very large! Like a Jornada or something! ;)

I'd rather see 802.11b than bluetooth...

If you disagree, don't post anonymously :)

Re:Looks fairly similiar to the Zaurus SL-5500

[mirko]

you ever get drunk and try to use graffiti?

Yes, accidentally : I was testing my Zaurus Wine management program!

Re:Looks fairly similiar to the Zaurus SL-5500

I disagree.

Re:Looks fairly similiar to the Zaurus SL-5500

Me too.

Re:Looks fairly similiar to the Zaurus SL-5500

you ever get drunk and try to use graffiti?

I always loose my sylus on my handera when i get drunk. I don't want to even count how many styluses I have replaced.

link

[IndependentVik]

Here's a link for the lazy.

Secure?? how?

[carlmenezes]

How does the fact that it uses Biometrics make it secure? We all know that biometrics can be defeated rather easily. So what's the point? fingerprinting is easy to defeat. So are voice prints and eye scans. So someone please tell me how exactly this is more secure than the average linux PDA?

Re:Secure?? how?

[cheezedawg]

Funny- the "risk assessment" of fingerprints includes using a severed fingertip or a genetic clone of the registered finger. I'd say that if somebody cuts your finger off you have more to worry about than the security of your PDA.

Re:Secure?? how?

[swillden]

fingerprinting is easy to defeat.

Okay, e-mail me an image of my fingerprint. I don't care which, any of them will do. Right now, please.

I agree that biometrics are just moderately low-security passwords except in tightly-controlled environments (e.g. an armed guard checks your finger closely before allowing you to place it on the sensor), but they have the advantage that they're fantastically simple to use, which makes it reasonable to use authentication where you would otherwise use none.

For example, the CDA device has most of the standard PIM applications fingerprint-protected. It would be a real pain in the butt to have to enter a password every time I wanted to check my calendar, but it's quite reasonable to place my thumb on the scanner for a fraction of a second. Actually, I'd like to see a small enhancement so that rather than tapping on an app and then putting a finger on the scanner, I'd prefer to just place a finger on the scanner and have the device start a different app depending on which finger I use -- app selection *and* authentication in one step!

Further, biometrics have the advantage that, from the average user's point of view, they're not shareable. The inability of users to give their fingerprints to someone else goes a long way to ensuring that access to systems won't be passed around.

Biometrics are not, generally-speaking, good tools for strong security, but they *do* have exceptionally useful security characteristics that can be used to enhance security, when applied appropriately.

Re:Secure?? how?

[jhines0042]

Got locks on the doors of your house? Ever seen a locksmith work?

Locks only keep honest people honest.

Biometrics just another kind of lock. Sure it can be defeated. Does that mean that your diary is still safe from your brother/sister? Probably.

Re:Secure?? how?

[carlmenezes]

Sure, biometrics have advantages. My point is that you cannot call biometrics secure. You forget one thing - when people tout something as secure, that usually means it will keep your information from getting into the wrong hands.
As far as defeating the fingerprint scanner, for the starting point, you need the fingerprint of the owner. Now unless you hold the PDA with gloves all the time, or wipe it off regularly, chances are a little dusting will get the fingerprints off the PDA itself. So what's the point of locking something and keeping the key next to it? Once you have the fingerprint, it's been shown that a fingerprint scanner can be defeated by a dummy rubberised finger with your fingerprint embedded in it.
I agree, biometrics is a novel idea in security. I do not agree that it is ready for primetime and that it is ready to be touted as a secure system.

Re:Secure?? how?

[tomhudson]

I'd prefer to just place a finger on the scanner and have the device start a different app depending on which finger I use -- app selection *and* authentication in one step!</quote>

I guess you would call this app-get (apologies to debian linux)

Actually, this sounds much more useful - better patent the idea right away!!!

And we all know which member to use for all your pr0n!

Re:Secure?? how?

[swillden]

My point is that you cannot call biometrics secure. You forget one thing - when people tout something as secure, that usually means it will keep your information from getting into the wrong hands.

You forget one thing: When people tout something as secure, with no qualifications, explanations as to what the term means in this context or other waffling, you can be pretty sure they have no idea what security is.

I recall one time few years back I recommended that an in-house application be developed in C++, rather than in Java (for a variety of good engineering reasons). The project manager looked at me, nodding knowingly and said "Right, because Java isn't secure."

Now unless you hold the PDA with gloves all the time, or wipe it off regularly, chances are a little dusting will get the fingerprints off the PDA itself. So what's the point of locking something and keeping the key next to it?

Because (a) the alternative is to use *no* security whatsoever, (b) the number of people in the world who could successfully get that fingerprint off of the scanner and use it is tiny and (c) the odds that you'll actually get enough detail off of that lifted print to fool a 500 dpi electrical-conductivity scanner are also very slim.

Further, if I were to find your biometrically-protected PDA I wouldn't bother with the fingerprint crap at all, I'd just get break into the device as a whole and steal your data right out of where its stored.

The key is to understand precisely what security the biometric authentication does and does not give you and to decide whether that fits the needs of your application. "Is it secure?" is a meaningless question without a defined threat model.

Re:Secure?? how?

[seaan]

If you read the article, you will see that CDL had the CDL-82 hardware encryption chip, which was built-in to the unit. I don't know how good the chip is, but it sounds like there is more to their security claims than just the biometric scanner.

The CDL website makes vagues claims that their security chip is FIPS 140 rated, but I have not been able to find it. For that matter, it is not clear that the Paron MPC is actually built using the CDL-82, or some variant of it.

TRUE biometric security

[Kozz]

If you really want to talk about PDA security, here's one palm device that's damned secure.

Re:TRUE biometric security

[JUSTONEMORELATTE]

And here's another one!
--

NSA working on secure BlackBerry

[joehoya]

The press release mentions the potential to work with NSA (although they wrote National Security Administration not Agency) for other applications of this device. While this is possible, the device would only work for Unclassified applications unless very substatially modified. Also, NSA is already working with RIM to develop a secure BlackBerry for UNCLASS applications.

my electronic wallet

[nege]

How cool would it be to have it as your credit card too? I have heard of cell phones that work like a credit card (hold up the cell to a coke machine for example to get some caffeine). WOuld this be secure enough to do that sort of transaction? It would be really nice to have an all in one wallet / phone/ portable PC solution. (I know this article isnt about a phone, but hey, why not!)

Re:my electronic wallet

[karlm]

There are several different authentication/encryption schemes for GSM cell phones. The most secure of which require a work factor of somewhere in the neighborhood of 2^40 to 2^44 to crack. That translates (the last simulations I did were on a PII 350 using an unoptimized RC6 implementation in C) into cracking time being measured in weeks. (Almost definately less than half a year.) Cellphones aren't really secure enough to ue as wallets.

Really what you want are cryptographic certificates with at least 1024-bit (preferably 2048-bit) signature keys if you're going to be buying stuff. These "secure" PDAs don't really offer much over regular PDAs (with IPSEC-enabled bluetooth) for use as digital wallets. It all depends on the wallet software on the PDA.

I think I may have read something about a faster way to break the GSM crypto, but 2^40 to 2^44 are the estimates for Ross Andersen's original attack, IIRC.

Re:Yeah, but -

[John+Harrison]

the button layot in non-optimal for games.

No SD/MMC or CF slots...

[Erik_]

Interestingly this device doesn't seem to have a SecureDigital/MMC or CompactFlash slots.

Too late for this guy!

[bstadil]

Sony Clie 'proves' identity theft

San Jose police have broken up an alleged identity theft crime ring using search warrants to seize and examine the suspects' PDAs.

According to the New York Times the alleged ringleader had the names of more than 20 victims along with their social security, bank account and credit card numbers and other personal information stored on his Sony Clie handheld device.

Included in the To Do list were tasks such as picking up materials at the local office supply store to make fake cheques.

A police spokesman said that it was difficult for the suspect to deny that the Clie was his, as it had his parents' details stored in it under the name 'Mom and Dad'.

If Microsoft use biometric user ID ...

[burgburgburg]

They'd store the information in an insecure online database where they would combine it with all of your financial and medical records that they had "collected" from machines whose security they were "adjusting", and they'd use the information at your trial when they proved that you illegally listened to content for which you were not authorized.

Dammit

You are right, I could have done that a lot better. OK, I will work harder.

Two simple words:

[burgburgburg]

Passport
.Net

True, but PDA will exist (Utimaco SafeGuard PDA)

[Erik_]

The only true method of keeping confidential information safe is to keep it under lock and key, or in the possesion of a concerned person all the time.
Very true, but it's not going to stop the problem that PDA are potentially the largest outgoing 'leak' of information for companies and organisations. They contain so much valuable data...

One interesting product that is well worth a close look is Utimaco's SafeGuard PDA solution.

For one thing the pinpad screen, swaps the numbers around when you want to unlock the device. So even if you watch your neighboor use his fingers pattern when he unlocks his PocketPC, it won't help you. The product also has a lot of other interesting features...

letter to ed.

[nege]

Dear Senior Taco,

Can we please change the handheld story picture to at least a palm V, which is dead sexxy?

Thanks
nege

Re:letter to ed.

[nege]

Metamoderation here i come...

Re:As any security conscious agency can tell you..

so you think a 256 bit encrypted message is more vulnerable than some person. i think my dentist drill and bag of small pointy things would disagree.

Re:As any security conscious agency can tell you..

[Planesdragon]

The only true method of keeping confidential information safe is to keep it under lock and key, or in the possesion of a concerned person all the time.

Secure PDA is an oxymoron.

No person is truly secure. Those in power are always corruptable.

Security, when it comes down to it, is simply the challenge making the price of breaking in greater than the beneift of breaking in.

If a crook has a 1% chance of being caught and sentenced for one year for breaking into my home, and we value his year of freedom at $50,000, he had had better get more than $500 from breaking in or the risk isn't worth the gain.

Most criminals (and hackers) don't think in these terms directly, but there is, AFAIK, an pseudo-concious awareness of it. ('course, the whole bit is thrown when non-cash values, like Thrill or Political Activism are factored in...)

Music to my ears

[SomeOtherGuy]

How many statements like these before Bill and the gang in Redmond realize that they are "not alone" anymore.

CDL selected Linux because "it is an open source and open platform," said Dr. Cuong Do, CDL's chief executive officer.

Price & Availability

[temp7890]

Anyone know the price of this device, and whether it is available for average geeks... I mean consumers... yet?

Sla$hca$h

[Lispy]

If you would have told me two years ago that i would see this at slashdot i wouldn't have believed you. Well, in the end we're all in it for the moeny, heh?? ;-)

take care,
Lispy

Cool but what about my current needs..

[Aaton]

I love my Zaurus but I have to say I still need to carry my Visor since nobody has put out a good One Time Password (S/KEY) mannager tool like Strip. Yes there is ZSafe but it just holds passwords. To generate a S/KEY you need another peice of software like LEP-Gen

Having Biometrics is neat-o but I need tools that work with what I have already have in place. I need to generate my S/KEY on my laptop when/if my Visor dies (can we say PalmOS Emulator). No what happens in you Biometric PDA dies, hope they will provide software and readers I can uses on my laptop or workstation for those days that PDA just doesn't want to work.

wonderful!

[borgdows]

I can't wait for a Palladium PDA! ^^

silly

[tps12]

Too bad that fingerprints aren't really unique. Security should be based on vigorous math proofs, not old wives' tales. Even if they were, someone could always just steal the thing out of your coat pocket. Better to keep your important data in a large, immobile computer.

Digital copy of your fingerprint stored?

[nycview]

It must have a digital sig of your fingerprint stored on the PDA and I would want this protected more than any of the data it's trying to secure.

Does anyone think this can be hacked off the pda. If a digital copy was released to the net you would have to get new fingerprints made. ;), sound like new a business idea.

Re:Digital copy of your fingerprint stored?

ever heard of one way hashing? why do you think that unices keep the password file readable to the world?

The main idea is that the hash function is good enough that no to hashes are the same with different input parameters.

i see no danger in having a digitized hashed version of my thumb on a portable like this.

err and which

[Archfeld]

biometric system, or fingerprint system has not been broken already ? Kind of funny calling somthing the size of a double deck of cards secure. You think laptops walk off easily. The bottom line is physical access always compromises logical security. Maybe we could add a MissionImpossible self destruct option :)

Why why why?

[cyberben]

Most of the people who will find/steal any PDA won't even know what to do with the information on it, secure or not it just won't matter to them, clear-mem and voila "brand new" PDA.

And why save important/sensitive information on PDA (so easy to loose one) a person with enough knowledge will be able to get the info out with or without encryption.. and any other guy, just won't know what the hell to do with that sensitive info.. probably won't even know that this is sensitive information. So why bother?

Best thing, don't save any important data on PDAs..

Paron MPC's

Imagine a Beowolf Cluster of THESE!!!

Re:Yeah, but -

[Gudlyf]

I may not run Doom II, but is it just me or are the button labels on that PDA the same as a Playstation 2?

SIMPUTER !!!

Just found out this
Buy Simputer at:
http://www.ncoretech.com/simputer/index.html

OT: Nuclear Weapons

[RAMMS+EIN]

``Why do we take nuclear weapons away from dictators but let democratic societies keep them? Because it's much harder to abuse power in a democratic society, where power is diffused.''
Wrong. ``We'' take nuclear weapons away from dictators because ``we'' are strong and they are weak, and we want it to stay that way. Or actually, I don't think ``we'' take away nuclear weapons from anyone, for the fact that they have them makes them powerful enough that they can say ``keep your hands of or else...''

It's not like we take China's nuclear weapons away, although few would call it a democratic society. Pakistan is a military dictatorship, yet I haven't heard of any attempts to take their nuclear weapons away. Of course, that might be me.

Sorry to point this out here. This is not a personal attack. It's the truth. Sadly.

I sure hope this description is a bad one

[BeBoxer]

Ugh. This article describes exactly how you shouldn't use biometric authentication.


Instead of swiping a badge through a reader, the employee would place his/her thumb on the Paron's small fingerprint recognition screen, and a wirelessly connected server would read the fingerprint, identify the person, and grant access if a match is found between the person making the request and the data in the server.


Uh, this is just using the fingerprint as a password to authenticate the user. Dumb dumb dumb. If they really are doing this, then anybody who can get the user's fingerprint can get access. What they should be doing:


Instead of swiping a badge through a reader, the employee would place his/her thumb on the Paron's small fingerprint recogniction screen to activate the embedded crypto processor. The processor would then use the employee's private key to authenticate to a wirelessly connected server.


Why is this different? For one, the actual authentication to the building is being done with a private key. Private keys are much easier to replace if compromised. Most people also don't routinely leave copies of their private keys on everything they touch.

Second, the fingerprint is only being used to activate the crypto processor. It only needs to be valid from the fingerprint sensor into the bowels of the PDA. But more importantly, it's not good for much. All it does is allow the crypto processor to be activated. An adversary still needs to first steal the PDA itself and then defeat the fingerprint sensor. And then they can only use the public key until it's revoked.

But trusting a wireless device to send the server the fingerprint is just plain silly. That's worse than a cleartext password. It's like authenticating on the username alone. Hopefully, this device doesn't actually work this way and the article is just simplifying for the reader.

DUMB (Sc0re:5, Crazy)

Use fingerprint from the PDA surface !!!! This is like leaving key with the lock :-D

Re:DUMB (Sc0re:5, Crazy)

[OscarMyers]

If your really skilled. In other words you lift the fingerprint and redesing something to press into it. The amature theif won't be able to do much, anyways if your really paranoid you can simply whipe your PDA clean whenever you set it down or put it in your pocket.

DUMB !! DUMB !! DUMB

Use fingerprint from the PDA surface !!!! This is like leaving the key with the lock :-D

OR ???

Use fingerprint from the PDA surface !!!! This is like leaving the key with the lock :-D

hmmm...

biometrics is overrated, although it hinders the thief apprentice.

Not for everyone

What that article doesn't mention, is that this device is not for the common hax0r types (like the zaurus) and is purpose-built for the "vertical market" aka big-business. The only way anyone will get their hands on this device is if their company has a need for it (ie, building access control, process flow, etc.)

It's a cool device, but it's not for everyone.

Last Post!

[alpg]

Destiny is a good thing to accept when it's going your way. When it isn't,
don't call it destiny; call it injustice, treachery, or simple bad luck.
-- Joseph Heller, "God Knows"

- this post brought to you by the Automated Last Post Generator...