  1.    #1  
    This seems so major and obvious, that I've got to believe it's not a security hole, but rather the result of a setting I've overlooked. Here's what I'm talking about:

    I recently had my T600 replaced by Palm with a refurbished unit in order to fix the notorious "Dead Speaker" problem. Upon receiving the new unit, I immediately hotsynced it with my PC to upload my data from Palm Desktop into the unit. The data in Desktop was protected by a password for opening the application and for viewing private records. So, surely, I reasoned, I would be prompted for a password, either on my PC or on the Treo, in order to load this protected data onto a new device. Nope. No password check at all. In fact, all the data, private and otherwise, was loaded onto the new device without any request for password at all. When I powered the new device on and off, it was no longer password protected: all private records were easily visible. Furthermore, later in the day when I launched Palm Desktop again, I saw that that too was no longer password protected.

    So, it seems to me from this experience that all you need in order to view someone's private password-protected data is to hotsync a brand-new (or recently firmware-updated) device with a PC hosting Palm Desktop and - Voila! - you have free access to all data that was previously password protected.

    This seems way too stupid to be true. Someone please point out the obvious thing that I'm missing here!!!
  2. #2  
    Not really as big a deal as you think. On your PC, your private data is not encrypted. Anyone with physical access to your machine can copy your personal data to removable media and then hack into it later with any hex tool.

    If someone has physical access to your machine, it is a whole lot easier and cheaper to steal your data with a $10 USB jump drive than to buy a new Treo. The key is to control physical access to your machine with a locked door and good security practices.

    David
  3. #3  
    In a personal environment this means nothing, pretty much.

    In a corporate environment this means everything. With today's outrageous security-consciousness (way overdone, IMHO - and pretty amazing at some sites), if any Security Guy gets a whiff of this it will be death to any procurement until it is fixed.
  4. #4  
    Quote Originally Posted by djs_tx
    If someone has physical access to your machine, it is a whole lot easier and cheaper to steal your data with a $10 USB jump drive than to buy a new Treo. The key is to control physical access to your machine with a locked door and good security practices.

    David
    Agree. It would probably be quicker just to disconnect the PC and walk away with it. Concentrate on physical access to the PC itself first.
    Me = Nokia 5170/Palm III > Kyocera 6035 > Treo 600 > Treo 650 > Treo 700p > Treo 755p > Treo Pro > Palm Pre

    Wife = Treo 600 > Treo 650 > Treo 755p > Palm Centro > Palm Pixi
  5. #5  
    The lack of security on the "private" records in Palms is why I bought Passwords Plus from Dataviz. Desktop app and Palm (Treo) app. Encrypted, etc. and integrates seamlessly with sync. There are lots of others, including some free ones. I don't configure each record - I just have bodies of text with various private items.
