Secure PDAs

An anonymous reader writes "This article at LinuxDevices.com introduces a unique Linux-based 'secure PDA' co-developed by IBM and Consumer Direct Link, Inc. (CDL). The Paron MPC combines the functions of a PDA, Bluetooth wireless access, cellular telephone, and biometric fingerprint recognition, along with a security-oriented hardware/software architecture. The device is claimed to be the world's first handheld wireless device with built-in biometric user authentication. The Paron is based on an Intel StrongARM SA-1110 processor and uses a Linux 2.4.x kernel and provides a GUI environment and PDA app suite based on Trolltech's Qtopia and Opera's browser much like the Sharp Zaurus."

So other PDA's are palm...

But we give this one the finger?

Biometric security

[airrage]

We currently run biometric clocks for our timecard authorization, but in deploying this technology there is nothing terribly secure about it. For instance, a quick google will show you all the methods of defeating the fingerprint scan, and once a thief has this device, it's not much trouble to "dust" the last fingerprint, and create a good scan with illustrator. So remember, gotta wipe the sensor everytime!

Re:Biometric security

[meatspray]

actually the new IPAQ 5400 (due out soon) will have a fingerprint scanner on it. the strange thing is the sensor is only .5mm high, you have to swipe your finger across it.

there's a picture of it herehttp://www.brighthand.com/article/iPAQ_5400


Although this would proably leave a very small cross secion of the print behind, it shouldn't be enough to get a good capture of. (now the ones you leave on the sides and bottom. . . well that's another story)

Not-so-secure PDA

[kaosrain]

This may not be so secure after all, if it includes Bluetooth. Read here for more.

-Kaos

It's about time

[L.+VeGas]

I've been wanting a secure PDA for years. My Palm III is always saying things like "You don't think I'm too old, do you?" and "Those Pocket PC's sure look thin." I'm about ready to trade it in for a "trophy PDA".

never work

[TerryAtWork]

Bruce Schneier has handled this in his book
Secrets and Lies.

http://www.amazon.com/exec/obidos/tg/detail/-/04 71 253111/qid=1036775441/sr=8-1/ref=sr_8_1/102-248505 7-0576118?v=glance&s=books&n=507846

Biometrics is not ready for prime time. When they hack it, are you going to be isssued a new thumb?

Re:never work

[swillden]

Never work for what?

That's the question.

Biometrics are useful for some applications and not useful for others. As a mechanism for securing extremely sensitive data, they're only useful in extremely confined circumstances. As a key for casual protection of low-security data, they're excellent. As one of multiple factors used to protect moderately high-security data, they can also work well.

Blanket statements about any security technology are invariably false.

Re:never work

[fermion]

It has been a while since I have read that book, and I don't have it in front of me, but if i recall he realized that in Applied Cryptography he implied that properly vetted and implemented algorithms would imply security. In the fullness of time he realized that the view was naive. As such, S&L was written to convey the message that algorithms alone are insufficient. A secure system must consider users, application, the nature of the security threat, and the cost of breached security, As such, in general, all security methods fall short.

In this case, IBM tends to market to sophisticated markets. They tend to, and are increasingly, trying to serve the sophisticated market in new ways so as not to lose to MS, Dell, and others. Hopefully we will not see these devices everywhere, because, as you say, once a thumbprint is compromised it is always compromised. I honestly do not know if this is a useful tool, but i can imagine some applications where it could be.

On the other hand if MS did this, your point might be valid because then the technology would be shoe-horned into general use. For instance, if the validation was in the OS and IE, and the reader were on the keyboard, thousands of merchants might use the fingerprint for sole verification. This would create a large incentive to hack the system, which, a you point out, would only require the capture of the digital signature of the fingerprint, which is not a replaceable token.

Bare Bones has a secure Personal Analog Device

[burgburgburg]

Bare Bones re-released their announcement about their entry into the PDA market with their new Personal Analog Device, or PAD. The Bare Bones PAD uses the strong content encryption algorithm known as "Chicken Scratch" which renders the input unreadable to all except the PAD's rightful owner, without relying on the cumbersome key-and-passphrase systems of existing encryption technologies. There are two configurations available, the PAD 150 and the PAD 300. The PAD 150 has storage for 150 pages of data. The 300 doubles that.

you must admit

[Faggot]

If microsoft did "biometric user identification", we'd be screaming bloody 1984. Instead, it's linux-based. Neat-o.

There's plenty of automatic-MS-bashing that goes on here, and plenty of automatic-MS-bashing-bashing. But if you look at the facts and stick to the numbers, it's not very farfetched to assume Microsoft is always trying to screw us somehow.

Look at Palladium, with which they will entrench DRM on every desktop. Look at Word's closed and obfuscated binary file format. Look at all their OEM tricks, and EULA abuse, their fake Switch ads and their systematic abuse of power.

Their strategy (whose final step is most assuredly "PROFIT !!") has been to fuck consumers and users as much as they can get away with and rob their pockets of change. Next to a Finnish hobbyist's OS, they look pretty bad.

Looks fairly similiar to the Zaurus SL-5500

[pheph]

which I picked up fairly recently and is exactly what I've been looking for in a PDA (with OpenZaurus its even better). However:

this machine does not feature the slide out keyboard, and while it is quite small on the zaurus, I'd say I use it about half the time (hey, you ever get drunk and try to use graffiti? ;) )

the machine [looks] very large! Like a Jornada or something! ;)

I'd rather see 802.11b than bluetooth...

If you disagree, don't post anonymously :)

Secure?? how?

[carlmenezes]

How does the fact that it uses Biometrics make it secure? We all know that biometrics can be defeated rather easily. So what's the point? fingerprinting is easy to defeat. So are voice prints and eye scans. So someone please tell me how exactly this is more secure than the average linux PDA?

Re:Secure?? how?

[swillden]

fingerprinting is easy to defeat.

Okay, e-mail me an image of my fingerprint. I don't care which, any of them will do. Right now, please.

I agree that biometrics are just moderately low-security passwords except in tightly-controlled environments (e.g. an armed guard checks your finger closely before allowing you to place it on the sensor), but they have the advantage that they're fantastically simple to use, which makes it reasonable to use authentication where you would otherwise use none.

For example, the CDA device has most of the standard PIM applications fingerprint-protected. It would be a real pain in the butt to have to enter a password every time I wanted to check my calendar, but it's quite reasonable to place my thumb on the scanner for a fraction of a second. Actually, I'd like to see a small enhancement so that rather than tapping on an app and then putting a finger on the scanner, I'd prefer to just place a finger on the scanner and have the device start a different app depending on which finger I use -- app selection *and* authentication in one step!

Further, biometrics have the advantage that, from the average user's point of view, they're not shareable. The inability of users to give their fingerprints to someone else goes a long way to ensuring that access to systems won't be passed around.

Biometrics are not, generally-speaking, good tools for strong security, but they *do* have exceptionally useful security characteristics that can be used to enhance security, when applied appropriately.

TRUE biometric security

[Kozz]

If you really want to talk about PDA security, here's one palm device that's damned secure.

Re:TRUE biometric security

[JUSTONEMORELATTE]

And here's another one!
--

NSA working on secure BlackBerry

[joehoya]

The press release mentions the potential to work with NSA (although they wrote National Security Administration not Agency) for other applications of this device. While this is possible, the device would only work for Unclassified applications unless very substatially modified. Also, NSA is already working with RIM to develop a secure BlackBerry for UNCLASS applications.

Too late for this guy!

[bstadil]

Sony Clie 'proves' identity theft

San Jose police have broken up an alleged identity theft crime ring using search warrants to seize and examine the suspects' PDAs.

According to the New York Times the alleged ringleader had the names of more than 20 victims along with their social security, bank account and credit card numbers and other personal information stored on his Sony Clie handheld device.

Included in the To Do list were tasks such as picking up materials at the local office supply store to make fake cheques.

A police spokesman said that it was difficult for the suspect to deny that the Clie was his, as it had his parents' details stored in it under the name 'Mom and Dad'.