[alexmathew]

I actually thought of this poll when VC published this opinion by Alan regarding Web-based Organizers.
http://www.visorcentral.com/page/0-4-75-1-4.htm
Alan and I went back and forth about Palm OS and Web security and thought of doing a Poll. A most recent news article about the Palm Os security being compromised:
http://www.visorcentral.com/page/0-2-891-2.htm
makes this poll interesting I think.

[jsmits]

Referring to the article on http://www.visorcentral.com/page/0-2-891-2.htm.

I ran across some programmer's comments about this a couple of weeks ago, and could not remember the URL. Through DejaNews I found it again. I already am happy to use the DST and Battery Panel apps from this programmer.

NoSecurity can remove the password, when the Palm is accessible. No big help if you forgot the password.

http://www.geocities.com/SiliconVall...nosecurity.htm

The following apps are of a disturbing nature:

ForgetPass: You simply hotsync it to a password protected Palm and then it is open...

http://www.interlog.com/~tcharron/palm/ForgetPass.html

Sword: Indian (i.e. from India) software to provide better security, but can also hack a lost&found Palm. You could find it on PalmGear, looking for "sword", but then you get 170 hits... The PalmGear link is:

http://www.palmgear.com/software/sho...32&prodID=6333

The direct URL is:

http://www.palmix.itil.com/newpalmix...sword_home.htm

The full thread of the DejaNews link was:

http://groups.google.com/groups?hl=e...9977#980639977

The article from @stake that James referred to gives hints of good protection software. http://www.atstake.com/research/advi.../a030101-1.txt

I did not think it was a big issue, as I was already sceptic about the Palm protection. Just for all of you who did think they were secure: YOU ARE NOT... ;-)

All the best,

Joost Smits

[VTL]

I keep my really important data (i.e., credit card numbers, etc.) in a separate application, "Secret" which seems to work pretty well. It's supposed to have pretty strong encryption.

I also have the password lockout setup, but I very rarely enable the feature. It's too much of a pain to input even a short password every time I turn on my Visor, given how much I use it. I basically only use it if my Visor is someplace arguably insecure and unattended - for example, if I'm travelling and leave it in a hotel room while I go out to dinner. That almost never happens, however - I'm useless without my external visor brain, so I don't leave it behind often.

[bookrats]

Originally posted by VTL
I keep my really important data (i.e., credit card numbers, etc.) in a separate application, "Secret" which seems to work pretty well

I use Secret! too, for the same reasons and for the same types of data -- and after reading about this security problem with the PalmOS, I'm very glad I'm doing this.

I also use a password lock-out program -- Commander Lite -- which activates after the Visor has been off for an hour. I figure it's basically to keep the less knowledgable thief from accessing data on the Visor.

The other vunerability I've thought of: anyone getting a hold of my Backup Springboard Module basically "gets past" the CL login password. And I do take the backup module with me on the road.

So -- good encryption software (and a decent password) seems about the only real solution.

PS Anyone know if Commander Lite is subject to the same PalmOS security hole that the the Palm's Lockout security is vulnerable too? I assume so; but I know that CL's encoded password is NOT backed up to the PC during HotSyncs. A cold boot means having to re-enter the password into CL.

[Hoser_back_home]

Originally posted by VTL
I also have the password lockout setup, but I very rarely enable the feature. It's too much of a pain to input even a short password every time I turn on my Visor, given how much I use it.

i have PadlockPlus which allows you to assign letters to the buttons on your visor (including an 'OK' key). That's a possibility of up to 6 letters (or 5 and an enter key).

I have a password of less than 6 characters and an enter key. Somebody finding my Visor can sit there all day trying every combination of 1 letter, 2 letter, 3 letter, 4 letter, and 5 letter passwords before they get through. I think that's enough security for the stuff I keep on my visor.

Nothing as secret as CC numbers, but i like to think that I have all my friends' trust that their personal info will not be 'given away'.

[teksurfer]

I also don't keep any CC #'s on my visor, but I do have a lot of work docs and passwords that I really would not like to become private knowledge. Is there any software that you could recommend knowingly (ie experienced/ used) to be secure for the whole pda if not an app? I'm currently demo-ing PDAbomb. Any opinions of this program?

[SpeakerCoach]

I use PDABomb to protect data on my VPL and I am very happy with the application.

[Hoser_back_home]

my concern with alot of the security software out there is the inability to sync to my PC. I know, another security problem, but i have a bunch of website passwords and stuff and if i had to hard reset my visor, poof! they're all gone if the database isn't backed up to the PC.

another problem is upgrade-ability. what if i change my PDA or even more OS? How do i transfer all my data from a proprietary database format that's been backed up onto my PC to another appliction or OS?

[bookrats]

Originally posted by Hoser_in_USA
my concern with alot of the security software out there is the inability to sync to my PC. I know, another security problem, but i have a bunch of website passwords and stuff and if i had to hard reset my visor, poof! they're all gone if the database isn't backed up to the PC.

another problem is upgrade-ability. what if i change my PDA or even more OS? How do i transfer all my data from a proprietary database format that's been backed up onto my PC to another appliction or OS?

I've thought of these potential problems, too; they're some of the reasons I use Secret!. In particular:

1) Secret! database backed up every time I hotsync.

2) Has PC application for editing and managing encrypted
information on PC. Even if Visor is toasted or I
switch to something else (God forbid), I still
have the data available to me on the PC.

3) It has a simple memo-style interface for reading
and editting encrypted info (along with a Find command
once you're securely in Secret!). While I can see
the advantages of a more database-like interface,
the free form style of Secret! gives me more flexibility
for the information I enter, and (if I ever want to
switch to another app, or to another type of PDA)
makes the move much easier.

[wendellbell]

What @Stake has found is, to me, disturbing, and since the VDX doesn't seem to be upgradeable in a major way, the Palm OS 4 fix won't be our solution. So, we need software.
BUT...PDA Bomb, which is advertised to close the developer backdoor, says, in its manual, that it isn't to be used with a Visor with a module in the Springboard slot. JotLoc, for me, has been an unmitigated disaster, and still is as of this AM. CIC's program only works with Palm OS 3.3 or higher.
I'm using Padlock Plus, combined with JAWZ Memo to encrypt the stuff that I want to keep really private, like CC #'s. But Padlock Plus is just a fancy way of accessing and using the underlying Palm Security app, which we now know is no good (and I've lost the timer on it by going from original Hackmaster 0.9 to XMaster (which otherwise is a good upgrade)). And it looks like the developer has left the product sit for quite a while.
For now, it looks like PDA Bomb is just halfway there, and nobody else has anything for the Visor side. Is it really THAT hard to come up with something that combines Padlock Plus's ease of use, with something more secure than the underlying Plam OS 3.1H security, with a closing of the developer backdoor (and maybe with selective encryption by some secure encryption algorithm)--AND that works on Visors, particularly with modules in place? If such a program was stable (my JotLoc experience has made me very wary of security apps), I, for one, would sure be up toward the head of the line, credit card in hand...

[sdoersam]

Originally posted by wendellbell
BUT...PDA Bomb, which is advertised to close the developer backdoor, says, in its manual, that it isn't to be used with a Visor with a module in the Springboard slot.

Actually, according to the Read Me file, it doesn't say you can't have a module in the spring board slot, it just says: "Also, this version of PDABomb is not compatible with the Handspring Visor flash memory springboards." Now, wether this means that you can't have a Flash module in the slot, or you can't run the app from the Spring board slot or encrypt apps on the springboard slot, is another question. I have sent an e-mail to Asynchrony to get clarification on this. I will post when I get an answer.

As another option, I am looking at Jawz DataGator. While it doesn't close the developer backdoor, it does encrypt the data on the Visor, so even if someone pulled the data off of the Visor, they still have to go through the process of breaking the encryption. Not a failsafe, but certainly more hassle than most people are willing to go through to get your data. I checked through their manual and verified that even if their program is disabled (It runs as a Hack) the data stays encrypted unless you go through their uninstall directions. Just thought I'd share.

[mszatny]

I use Teallock and EWallet

MS

[sdoersam]

I received a response from PDABomb on the Springboard issue. With a Springboard inserted, PDABomb 1.0 has problems powering on or off. They expect to have this problem fixed in version 1.1. They also invited me to help test their next release (Due out soon) to help make sure they got this problem fixed. I took them up on the offer. NDA keeps me from discussing it, but I would recommend purchasing PDABomb now at their introductory price as it will be going up to $29.95 with the new release. Point release upgrades are free. This is what I have done. Very nice product. I'll give more details after the release.

[YBYSAIAH]

I'm currently using OnlyMe 2.15 which also has some problems with springboards and changing batteries (at least for me). I don't think it closes the developer's back door either. PDABomb may be the way to go IF they get all of the Visor-specific issues ironed out.

[AlexMav]

I heard rumors that Springboard module with custom welcome application (GPS module for example) passes through standard security application on the locked device when you insert/remove module. Is it true?

[alexmathew]

After trying several locking utilities (lockme etc), I have found the ONE - Gridlock! Using a grid of squares, it makes entering a password easy! go get it! Its Free!
http://www.palmtracker.com/moreinfo.fcgi?id=2422
bye
am

[bookrats]

Originally posted by alexmathew
After trying several locking utilities (lockme etc), I have found the ONE - Gridlock! Using a grid of squares, it makes entering a password easy! go get it! Its Free!
http://www.palmtracker.com/moreinfo.fcgi?id=2422
bye
am

I tried this for a day, but have gone back to Commander Lite. I like the interface very much -- easier than entering a password -- but on my Visor Deluxe, it would start every few minutes or so, instead of the 1 hour time power off period I'd configured it to wait. It also didn't handle Datebook4 silent alarms very well.

If they get some of the bugs out of it (and have an option requiring the boxes to be checked off in a specific order), I'd take a second look at it.

[alexmathew]

I dont have problems with a 1 hour setting - I personally chose a 5 minute setting - since it is so easy to unlock (I mean enter the password ofcourse :-)

Datebook alarms sound fine for me - what specific problem are you having - something I can duplicate?

Bye
AM