PDA Security, the Next Big Hurdle for IT?

Jack writes "ITO published an article on a new secure PDA requested by the NSA. 'General Dynamics inked an $18 million contract with the secretive National Security Agency to design and develop a secure mobile personal assistant for defense workers. The PDA will integrate all types of communications including voice, data and web.'" In related news palmtops writes "Insecure Magazine has a great and in-depth article written by Seth Fogie, the VP of Airscanner.com, about Pocket PC security. His summary of PDA attacks states: 'These devices are easy to smuggle into a business and can be used to propagate an attack against network devices. Don't make the mistake of assuming is a PDA is a simple data keeper. As the cliche' goes... it is how you use it that matters.'"

Re:just another ploy

[KiloByte]

While such views are usually dismissed as conspiracy theories, I wouldn't laugh that fast. My dad (in the times when 286 were the hot new stuff) talked to an author of AV software, who admitted to releasing several viruses.
This was in the times where most software of that kind was written by one-man companies. Now, in the days when AV is a major industry, are you going to bet that no virus authors are employeed by those who benefit the most from virii?

Re:This is necessary stuff

[rlp]

I just got a (cheap) Zaurus 5500. I've got a wireless router for my wife's laptop, but didn't want to use WPA and the (much) less secure WEP on the same network. So I connected a cheap wireless B PCI card to one of my PC's. Set-up the wireless card in ad-hoc mode on a different channel (well away from the G channel). I then fire-walled all ports on the card except one, and connected and rigged a proxy server listening on that port. I then set up the proxy to NOT access the local LAN.

Bottom line - I can use the Zaurus to access the Web from anywhere in (and around) the house, but my LAN is inaccessible via the wireless B network.

Future of PDA...

[hlh_nospam]

I was happy when the pager business finally died. That reduced the number of gizmos that I was carrying around on a daily basis from 4 to 3; the cellphone features became advanced (and cheap) enough to obsolete the pager completely. At one time, I thought that I would probably snarf up the PDA/phone combo, but I haven't yet found one that I really want to buy -- the price/performance just isn't there yet. When the PDA/cellphone combination gets cheap enough (and full-featured enough), then I envision reducing my current gizmo count to 2.

As for the laptop, it looks like that will be around for a while. At this point, the PDA just doesn't have the display or input capability to make it the all-in-one personal computing tool. In order for a PDA-sized device to displace the laptop, the I/O needs to get way more advanced, something on the order of a combination ocular/cochlear implant and voice (or better yet, thought ) recognition.

What are the security folks gonna do when the day comes that you can look at a document and issue a thought-command " copy "? I'm guessing that will be the end of paper documents; to be replaced entirely by electronic (and encrypted) communications for all purposes, including money.

My best hacking devices...

[Maljin+Jolt]

Just walking around with the pockets full of computers makes the task done: iPaq 3970 ($100) with Linux, Jornada 690 ($50) with NetBSD. Plus some equipment: 2G CF microdrive and wifi/ethernet CF/pcmcia makes a real computer of both. They have 100x more resources than double mainframe I admined just 22 years ago.

However, a "secure PDA" by NSA standards somewhat tells me it must have a backdoor of some kind...

Palm OS 6 Cobalt

[samalone]

It's a shame that no Palm OS 6 Cobalt devices have actually made it to market, because PalmSource has done a lot right in that version of the Palm OS to provide a sound security model.

Not only does the OS provide for digital signing of code, it provides secure databases where only signed applications can access the data. You can control which databases are synchronized to the desktop, and even which applications can access screen buffers (to prevent screen-scraping).

Hopefully either Palm OS 6 Cobalt or its Linux-based successors will make it into actual devices soon. It would be a huge step toward powerful, secure PDAs.

Convergence is a compromise

[hey!]

Well, you can never tell. Even smart people routinely lose lots of money on predicitons like this.

I've done every combination of laptop, pda, phone, and converged device, and none of them are perfect. As I get older, I like fussing with stuff less and less, and value simple functionality more and more. I don't really want PDA functions intruding on my phone -- what I'd appreciate a large, well laid out hardware dial pad. I don't want to fuss with multi-level menus on a tiny phone screen. Making all the stuff they want to cram into a phone work inevitably inflates it into a PDA. And a PDA/phone is inevitably awkward. I know, I use one. It's too big and the persnickity to be a decent phone, it's an OK PDA, but after experimenting with it I don't really want to enter lots of text so I'd prefer a larger screen and no hardware keyboard at all; the overall device could be thinner and smaller and have a larger screen and better battery life.

I also carry a laptop. The thing is the laptop is not something you want to haul out in a restaurant when a meeting alarm goes off. You don't even want the have the laptop there. So that means you need a PDA or a phone with PDA functions.

What we really need are three different devices, a phone, a pda and a laptop, each designed to be as simple and task appropriate as possible and which work together effortlessly without creating security problems. But getting things to work together in a way that is convenient and makes sense to a user seems to be the hardest thing there is for companies to achieve. Virtually no technological barrier cannot be overcome, but usability -- that seems to be beyond what we can expect. I think it is because design is so much harder than technology.

Consequently convergence is naturally easier for companies to achieve than making devices work together. It's a simple problem of technology: squeezing enough features into a given formfactor. And on top of it, you don't have to worry about interoperability standards.

Look at what convergence is giving us: awkward phones with lots of persnickity buttons, or even worse larger PDAs designed to view and edit spreadsheets and other things that you'd always rather go to a laptop for.

In my ideal non-converged but interoperable world. a phone would be just a phone with basic phone number lookup. A PDA would be the size of the old palm M500 series but, say =10mm thick and with a battery life measured in weeks. I wouldn't worry about the utility belt look (not that I would in any case) because it'd be rugged enough to keep in my pants pocket and small enough that I'd hardly know it was th. I'd use the PDA for maintaining the phone # database and other PIM functions, as well as simple forms entry and other appropriate applications where mobility trumps entry ease (MP3s). I'd also like to run presentations off the PDA to a projector or a computer. The laptop would come out for any editing tasks. All three devices would interoperate securely and autodiscover any changes without my need to fuss with "hotsynch" or "activesync". Better no abstractions than leaky ones.