Slashdot Mirror


Secure PDAs

An anonymous reader writes "This article at LinuxDevices.com introduces a unique Linux-based 'secure PDA' co-developed by IBM and Consumer Direct Link, Inc. (CDL). The Paron MPC combines the functions of a PDA, Bluetooth wireless access, cellular telephone, and biometric fingerprint recognition, along with a security-oriented hardware/software architecture. The device is claimed to be the world's first handheld wireless device with built-in biometric user authentication. The Paron is based on an Intel StrongARM SA-1110 processor and uses a Linux 2.4.x kernel and provides a GUI environment and PDA app suite based on Trolltech's Qtopia and Opera's browser much like the Sharp Zaurus."

15 of 111 comments

  1. BioMetric User Identification by mumblestheclown · · Score: 3, Insightful
    If Microsoft did "biometric user identification", we'd be screaming bloody 1984.

    Instead, it's linux-based. Neat-o.

    The true hypocrite is the one who ceases to perceive his deception, the one who lies with sincerity. ~André Gide

    1. Re:BioMetric User Identification by Anonymous Coward · · Score: 2, Insightful

      Ooer, a fancy quote. He must really know what he's talking about. Or at least he owns a book of quotations.

      Personally, I think Linux is "neat-o" because it gives you the freedom to inspect and modify the code. If they coded something into it that sent my biometric info back to HQ, or did something else sneaky, I could just take that bit of the code out. If the code itself is closed-source, in that case I would just modify the kernel.

      Free software makes 1984 scenarios impossible. That's what "Freedom" is about. Just like free societies make the real 1984 impossible.

      Why do we take nuclear weapons away from dictators but let democratic societies keep them? Because it's much harder to abuse power in a democratic society, where power is diffused. Same with software, on a lesser scale.

  2. never work by TerryAtWork · · Score: 5, Insightful

    Bruce Schneier has handled this in his book
    Secrets and Lies.

    http://www.amazon.com/exec/obidos/tg/detail/-/0471253111/qid=1036775441/sr=8-1/ref=sr_8_1/102-2485057-0576118?v=glance&s=books&n=507846

    Biometrics is not ready for prime time. When they hack it, are you going to be issued a new thumb?

    --
    It's Christmas everyday with BitTorrent.
    1. Re:never work by fermion · · Score: 4, Insightful
      It has been a while since I have read that book, and I don't have it in front of me, but if I recall he realized that in Applied Cryptography he implied that properly vetted and implemented algorithms would imply security. In the fullness of time he realized that the view was naive. As such, S&L was written to convey the message that algorithms alone are insufficient. A secure system must consider users, application, the nature of the security threat, and the cost of breached security. As such, in general, all security methods fall short.

      In this case, IBM tends to market to sophisticated markets. They tend to, and are increasingly, trying to serve the sophisticated market in new ways so as not to lose to MS, Dell, and others. Hopefully we will not see these devices everywhere, because, as you say, once a thumbprint is compromised it is always compromised. I honestly do not know if this is a useful tool, but I can imagine some applications where it could be.

      On the other hand if MS did this, your point might be valid because then the technology would be shoe-horned into general use. For instance, if the validation was in the OS and IE, and the reader were on the keyboard, thousands of merchants might use the fingerprint for sole verification. This would create a large incentive to hack the system, which, as you point out, would only require the capture of the digital signature of the fingerprint, which is not a replaceable token.

      --
      "She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
  3. As any security conscious agency can tell you... by saskboy · · Score: 3, Insightful

    No PDA is really secure. The encryption and such will always be hackable.
    The only true method of keeping confidential information safe is to keep it under lock and key, or in the possession of a concerned person all the time.

    Secure PDA is an oxymoron.

    --
    Saskboy's blog is good. 9 out of 10 dentists agree.
  4. you must admit by Faggot · · Score: 5, Insightful

    If Microsoft did "biometric user identification", we'd be screaming bloody 1984. Instead, it's linux-based. Neat-o.

    There's plenty of automatic-MS-bashing that goes on here, and plenty of automatic-MS-bashing-bashing. But if you look at the facts and stick to the numbers, it's not very farfetched to assume Microsoft is always trying to screw us somehow.

    Look at Palladium, with which they will entrench DRM on every desktop. Look at Word's closed and obfuscated binary file format. Look at all their OEM tricks, and EULA abuse, their fake Switch ads and their systematic abuse of power.

    Their strategy (whose final step is most assuredly "PROFIT !!") has been to fuck consumers and users as much as they can get away with and rob their pockets of change. Next to a Finnish hobbyist's OS, they look pretty bad.

    --

    But what do I know. I'm just looking for anonymous gay sex.

  5. Two simple words: by burgburgburg · · Score: 3, Insightful

    Passport
    .Net

  6. True, but PDA will exist (Utimaco SafeGuard PDA) by Erik_ · · Score: 3, Insightful

    The only true method of keeping confidential information safe is to keep it under lock and key, or in the possession of a concerned person all the time.
    Very true, but it's not going to stop the problem that PDAs are potentially the largest outgoing 'leak' of information for companies and organisations. They contain so much valuable data...

    One interesting product that is well worth a close look is Utimaco's SafeGuard PDA solution.

    For one thing, the pinpad screen swaps the numbers around when you want to unlock the device. So even if you watch your neighbour's finger pattern when he unlocks his PocketPC, it won't help you. The product also has a lot of other interesting features...

  7. Re:As any security conscious agency can tell you.. by Planesdragon · · Score: 3, Insightful

    The only true method of keeping confidential information safe is to keep it under lock and key, or in the possession of a concerned person all the time.

    Secure PDA is an oxymoron.


    No person is truly secure. Those in power are always corruptible.

    Security, when it comes down to it, is simply the challenge of making the price of breaking in greater than the benefit of breaking in.

    If a crook has a 1% chance of being caught and sentenced for one year for breaking into my home, and we value his year of freedom at $50,000, he had better get more than $500 from breaking in or the risk isn't worth the gain.

    Most criminals (and hackers) don't think in these terms directly, but there is, AFAIK, a pseudo-conscious awareness of it. ('course, the whole bit is thrown when non-cash values, like Thrill or Political Activism are factored in...)

  8. Re:Not-so-secure PDA by virtigex · · Score: 3, Insightful

    The concern about Bluetooth is mainly focussed on devices that are shipped with security disabled. In addition, the device would have to provide a service (such as the ability to make a phone call) for that service to be abused. Most major manufacturers ship with security enabled and I doubt whether the PDA exports any services either.

  9. Re:Secure?? how? by cheezedawg · · Score: 3, Insightful

    Funny- the "risk assessment" of fingerprints includes using a severed fingertip or a genetic clone of the registered finger. I'd say that if somebody cuts your finger off you have more to worry about than the security of your PDA.

    --
    "The defense of freedom requires the advance of freedom" - George W Bush
  10. Digital copy of your fingerprint stored? by nycview · · Score: 2, Insightful

    It must have a digital sig of your fingerprint stored on the PDA and I would want this protected more than any of the data it's trying to secure.

    Does anyone think this can be hacked off the PDA? If a digital copy was released to the net you would have to get new fingerprints made. ;), sounds like a new business idea.

  11. err and which by Archfeld · · Score: 3, Insightful

    biometric system, or fingerprint system has not been broken already? Kind of funny calling something the size of a double deck of cards secure. You think laptops walk off easily. The bottom line is physical access always compromises logical security. Maybe we could add a MissionImpossible self destruct option :)

    --
    errr....umm...*whooosh* *whoosh* Is this thing on ?
  12. Why why why? by cyberben · · Score: 2, Insightful

    Most of the people who will find/steal any PDA won't even know what to do with the information on it, secure or not it just won't matter to them, clear-mem and voila "brand new" PDA.

    And why save important/sensitive information on a PDA (so easy to lose one)? A person with enough knowledge will be able to get the info out with or without encryption.. and any other guy, just won't know what the hell to do with that sensitive info.. probably won't even know that this is sensitive information. So why bother?

    Best thing, don't save any important data on PDAs..

  13. I sure hope this description is a bad one by BeBoxer · · Score: 3, Insightful

    Ugh. This article describes exactly how you shouldn't use biometric authentication.


    Instead of swiping a badge through a reader, the employee would place his/her thumb on the Paron's small fingerprint recognition screen, and a wirelessly connected server would read the fingerprint, identify the person, and grant access if a match is found between the person making the request and the data in the server.


    Uh, this is just using the fingerprint as a password to authenticate the user. Dumb dumb dumb. If they really are doing this, then anybody who can get the user's fingerprint can get access. What they should be doing:


    Instead of swiping a badge through a reader, the employee would place his/her thumb on the Paron's small fingerprint recognition screen to activate the embedded crypto processor. The processor would then use the employee's private key to authenticate to a wirelessly connected server.


    Why is this different? For one, the actual authentication to the building is being done with a private key. Private keys are much easier to replace if compromised. Most people also don't routinely leave copies of their private keys on everything they touch.

    Second, the fingerprint is only being used to activate the crypto processor. It only needs to be valid from the fingerprint sensor into the bowels of the PDA. But more importantly, it's not good for much. All it does is allow the crypto processor to be activated. An adversary still needs to first steal the PDA itself and then defeat the fingerprint sensor. And then they can only use the public key until it's revoked.

    But trusting a wireless device to send the server the fingerprint is just plain silly. That's worse than a cleartext password. It's like authenticating on the username alone. Hopefully, this device doesn't actually work this way and the article is just simplifying for the reader.
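
Added example, not part of the comment above and not the Paron's or IBM's code: a sketch of the design comment 13 recommends, where a local fingerprint match only unlocks an on-device private key and the server verifies a signature over a fresh challenge. The `Device` and `Server` classes, the user name and the template strings are hypothetical, and string equality stands in for real biometric matching.

```javascript
// Added illustration; Device, Server and the template strings are hypothetical.
const crypto = require('crypto');

class Device {
  constructor(enrolledTemplate) {
    // The private key never leaves the device; only the public key is exported.
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
    this.publicKey = publicKey;
    this.privateKey = privateKey;
    this.template = enrolledTemplate;
  }
  // A local fingerprint match only unlocks signing. String equality is a
  // stand-in for real biometric matching.
  sign(scan, challenge) {
    if (scan !== this.template) return null;
    return crypto.sign(null, challenge, this.privateKey);
  }
}

class Server {
  constructor() { this.keys = new Map(); this.pending = new Map(); }
  enroll(user, publicKey) { this.keys.set(user, publicKey); }
  revoke(user) { this.keys.delete(user); } // replaceable, unlike a thumb
  challenge(user) {
    const nonce = crypto.randomBytes(32);
    this.pending.set(user, nonce);
    return nonce;
  }
  verify(user, signature) {
    const nonce = this.pending.get(user);
    this.pending.delete(user); // each challenge is single-use
    const key = this.keys.get(user);
    if (!nonce || !key || !signature) return false;
    return crypto.verify(null, nonce, key, signature);
  }
}

function demo() {
  const server = new Server();
  const device = new Device('constructed-template-A');
  server.enroll('alice', device.publicKey);
  const sig = device.sign('constructed-template-A', server.challenge('alice'));
  const ok = server.verify('alice', sig);
  server.challenge('alice'); // fresh nonce: the captured signature is now stale
  const replay = server.verify('alice', sig);
  const wrongFinger = device.sign('constructed-template-B', server.challenge('alice'));
  server.revoke('alice');
  const late = device.sign('constructed-template-A', server.challenge('alice'));
  return { ok, replay, wrongFinger, afterRevoke: server.verify('alice', late) };
}
```

The server stores no fingerprint data at all, so a server-side breach exposes only public keys, and a captured signature is useless against the next challenge.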