Protecting USB Flash Drives

While I was getting interested in Palm security, I started to think about other portable options. A USB Flash drive is a great way to keep data portable, but what if you lose the thing? A USB Flash drive would also need to be secured.

Flash drives are great. At the last trade show I worked at, my flash drive got used by others almost more than by me. We had a lot of people with laptops with varying degrees of access to the internet and their files back home. Naturally these files needed to be moved from this machine to that, along with digital photos, faxes, and other stuff. Fortunately my drive was really just a way for me to get files out of my camera into my computer and I didn’t have any really critical, sensitive, or personal stuff on it. But what if I had? What if I lost it? These things are incredibly handy, but they’re also very risky.

The ultimate solution is the BioStick - a biometric USB Flash Drive. It requires your thumbprint to unlock and give you access. It can learn more than one print which is insurance against thumb loss, I guess. I want one. I have no real use for it, but I want it anyway. This thing is uber-cool and for $200 (for a reasonably sized one) it should be.

Assuming you already have a $30 drive that you aren’t going to replace, what are the options? Well some drives come with software already. My Cruzer drive from Sandisk came with CruzerLock, an encryption package, that seems like it would work fairly well. Except for two things: 1) The source is not open to peer review, which is heavily frowned upon by the serious-crypto crowd. With no chance to look at the source, how can you judge the quality of the system, and make sure there are no back doors installed? What if it’s bad encryption? 2) It doesn’t let you treat the thing like a drive. It opens a special window where you can open/access one file at a time. Not real flexible. In general I don’t trust what the drive companies are supplying for free. I know that in their shoes I would be far more worried about reliability (and a low return/problem rate) than quality of encryption. Besides, a separate solution helps provide more options if things go wrong.

The ideal solution for this would have the following characteristics:

  • It would be platform independent - you can get to the data on a Mac, PC or Linux box.
  • It would not require special software or access on the host computer.
  • It allows the drive to be used as a drive, with drag and drop ease.
  • It doesn’t take a lot of space - no more than a megabyte.
  • It has strong encryption.

So, does a system meeting these criteria exist? I don’t know, but I have found a few that are close:

TrueCrypt is an open-source encryption system that can be installed on a flash drive. It can create a file that can be mounted to look like a disk drive. The cool part is that you can have both the unencrypted and encrypted drives open at the same time. The not so cool parts are that it requires admin access, a Windows computer, and the encrypted drive file is fixed size - you decide how big it will be when you make it, and it can’t be changed. Still, the system is free.

CertainKey Ecto is a browser-based solution that uses Java to encrypt files. I had trouble getting it to work, and my XP SP2 system didn’t like some of the content on the main page. My laptop tells me that my login is invalid. I’ll have to contact the developer and see what they say. Still, it is platform independent, and if I can test it and determine that it will encrypt a whole directory at once it might be the bomb. For $20.

BestCrypt looks very similar to TrueCrypt in features, as does DriveCrypt, but both cost in the neighborhood of $60. I think at this point I like free better, but it will depend on how reliable TrueCrypt turns out to be. I have downloaded both, but neither has a really obvious analogue to Traveller Disk Setup, although I haven’t yet read the docs ;-)

So far TrueCrypt provides the best functionality for me - I don’t work on Macs or Linux systems, so interoperability isn’t that critical. The admin access requirement may become a problem when my company moves to XP, but that’s a ways off. I do plan to check out Ecto a bit more, but that I cannot get it to work on one of my machines is troubling. With any of these systems, it’s really critical that they work with computers you haven’t had access to before - that’s half the reason for carrying a flash drive.


Review: Using the PGP Mobile Palm email encryption system

As part of my new computer and Palm security kick, I’ve decided to try PGP Mobile, PGP’s PDA encryption software. In my last post I talked a bit about making my Palm situation a bit more secure, and how could that be complete without secure email?

I tried the OpenPGP version I could find, but it was not really finished, and wasn’t very stable on my Palm T3. PGP makes their PGP Mobile edition which looked pretty good on their website, although they hadn’t responded to any of the questions sent by email. After doing what research I could, I learned that I should expect something a bit iffy. As it turns out, in the documentation that is included in the download (but NOT available to those who haven’t purchased) is a statement that the software hasn’t been tested with Palm OS5, and some features may not work. Yikes!!!

In actual practice, the email functions seem to work fine, the vault works ok, but the ability to encrypt a database is not supported. For myself I haven’t decided if that’s a reason to ask for a refund or not. I do think it incredibly unprofessional to sell software that isn’t compatible with the majority of target systems being sold without stating that fact pre-sale. Along with this complaint is one about the tapping random data process. At times the software will ask you to tap the screen to produce random data. There are 5 or 6 segments of a bar graph that fill in to show progress. Here’s a tip – tap slowly, as it seems to be time rather than the number of taps that matters. Also, try to tap randomly. Last but not least, be patient – the first few times it asked me I gave up – the total lack of bars filling in convinced me that it was broken. This is a big hassle, and I would think plenty of random data could be had by having people draw on the screen rather than tap.

The way the software works is a copy-clipboard-paste kind of scheme. You access PGP’s encrypt, sign, decrypt, and verify functions via the command bar, which comes up when you do a command stroke. By clicking a small padlock icon, you can select which function you want. Once you select a function, you are taken to a screen where you choose the key, and complete the operation. Then you’re taken back to the window you came from. Given this approach, it’s likely that you will find a 1000 character limit on message size, as that’s the limit of the Palm clipboard. It also means that attachments aren’t going to be encrypted. It worked fine with SnapperMail, the docs suggest MultiMail (now called VersaMail) and mention that the old “mail” sync-only client won’t work.

The really cool part of this clipboard-style scheme is that you can encrypt basically anything that the software can cut & paste with. Notes in contacts and appointments, memos, pretty much anything I would guess. I encrypted a note on a contact with no trouble. It didn’t work with Documents to Go, but I recall reading that cut & paste between apps doesn’t work with DtG. One thing to note is that encrypting even just a word or two balloons the size of the text to a minimum size, which I’m guessing would be the block size of the algorithm, but is several hundred characters. I may play with the different encryption algorithms (AES, CAST, IDEA and TripleDES) to see what effect that has. Another thing to note is that without the encrypt database function working, you can encrypt only text fields.

The vault is basically a memo space attached to a category. You can edit it on the PC (if you have PGP installed there) but it’s just plain text space - no fields. You can add categories though. I think I’ll stick with SplashID.

You cannot create keys on the palm. You can import them from a memo, or via hotsync using the included conduit and a desktop installation of PGP. This is nice in that if you accumulate a large collection of public keys it’s easy to get them into the Palm. It would be nice to create keys on the palm, however. Also missing is any way to get the key for someone when you don’t have it - i.e. there’s no key server functions. I suppose that for the Palms this was originally written for there wasn’t much thought about internet access, but it should be doable with today’s machines. Another possibility is to use WebPro to surf to the point where you can get the desired key as text (some people put them on their web pages), and then copy it into a memo, where it could then be imported into PGP. I don’t know if there is a public key search tool – my attempts to get to keyserver.pgp.com have failed using a browser.

I have not yet seriously tested this software, and given how rarely it is necessary to send encrypted or signed email it may be a while. But in the mean time this package seems to work mostly as advertised, although somewhat slowly. If you want PGP on a Palm, it’s the only game in town.


Palm security

When your job is to learn things about other people, you naturally end up wondering about your own security.

As I wondered, I realized that I had been using the same password for just about everything, and I hadn’t changed passwords in years. Definitely not a good idea! So I started thinking about passwords, and that to get a really “strong” password, one that defies guessing and will require a dictionary attack to crack, it really needs to be randomly chosen. So I figured I would find a random password generator, and use it to pick new passwords for things. A brief search turned up a few web based options, which I quickly discarded for obvious reasons, and a few more Palm based options.

While searching for “password generator”, SplashID turned up. SplashID is the application I use to store all of my passwords and the like on my Palm. It has a nice desktop component that eases heavy entry chores, and things are stored in encrypted form. It turns out that SplashID has a password generator built-in – I’d had no idea! So after a few minutes of bringing the SplashID database up to date, I chose new passwords for everything and began making the changes. I am always amazed at how long it takes to learn to type the new password instead of the old one ;-)
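As an added illustration (not part of the original post, and not SplashID's generator), here is a password generator that runs locally instead of trusting a web page, draws from the operating system's CSPRNG, and reports how many bits of guessing resistance a given length buys. The character classes and the 80-bit target are assumptions made for this example.

```python
import math
import secrets
import string

# Character classes (assumed policy for this example; adjust to what a site accepts).
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, "!#$%&*+-=?@_")
ALPHABET = "".join(CLASSES)


def entropy_bits(length, alphabet=ALPHABET):
    """Bits of entropy for `length` symbols drawn uniformly from `alphabet`."""
    return length * math.log2(len(alphabet))


def min_length(target_bits, alphabet=ALPHABET):
    """Shortest length whose uniform-random entropy reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(len(alphabet)))


def generate(length, require_all_classes=True):
    """Return a password drawn from the OS CSPRNG via `secrets`.

    With require_all_classes, candidates missing a class are discarded and
    redrawn (rejection sampling), so every surviving password is still equally
    likely; entropy_bits() is then a slight upper bound.
    """
    if require_all_classes and length < len(CLASSES):
        raise ValueError("length too short to include every character class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not require_all_classes or all(
            any(ch in cls for ch in candidate) for cls in CLASSES
        ):
            return candidate


if __name__ == "__main__":
    n = min_length(80)  # 80 bits is an assumed target, not a figure from the post
    print(n, round(entropy_bits(n), 1), generate(n))
```

Because every character is chosen independently and uniformly, no dictionary or pattern-based guess does better than brute force over the whole space.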

Well, changing passwords made me think about where they’re stored, and encryption. This made me think about privacy and security in general. I don’t mean to be paranoid, but it does make you think – especially when you start considering all the things that could be happening without your knowledge – and it’s easy to develop this strong feeling of nakedness. This can be a slippery slope, as there are many levels of security, ranging from stopping the curious (but only annoying the skilled) to stopping the skilled (and only annoying the government) to stopping or at least stalling the government. I figure I don’t have the energy or resources to stop the NSA, but I should be able to stall the average hacker.

First of all, what if I lost my PDA or it was stolen, or even just “borrowed”? Ok, no problem, there are lots of lockout apps to take care of that risk. There is even the Security Update free from Palm that’s about as good as anything else. PDA Defense and others add some features (like encrypting the stuff on expansion cards), but basically do the same thing. This is the easiest threat to guard against.

Then there’s all the passwords, special numbers, etc. that I have in SplashID. Again, no real challenge to get that covered, as there are scads of password database programs. It seems that just about anyone wanting to learn to write software for the Palm writes a password database and puts it on PalmGear.com for 5 bucks or so. Along with SplashID I’ve tried Keyring, which is open-source, has very strong encryption, but lacks the desktop component. If you have no interest in putting the info on the desktop, or believe your desktop to be totally secure, you may not even need a password database.

So far, things are pretty secure against the really serious consequences, by which I mean wholesale loss of assets or identity, which leaves plain old privacy.

I would guess that most of us have PDAs because we work, and we sync our PDAs to our work computers. After all, much of the info in our PDAs is work related, and they really help us be more effective at work. But there’s also personal stuff in there, and not all of it’s in the password database, right? The problem is that when we sync our data to the desktop it’s in the clear when it gets there. Anyone with a text editor can have a look – especially at the memos. If you’re using Outlook with Exchange Server you have some protection but are still exposed to the IT folks.

It’s a challenge to secure this stuff because the majority of all Palm security products are designed around the idea that your PC is secure, and the main threat is against the Palm. This is true for situations where the sensitive data is coming from the organization, but what about personal privacy? It is more of a challenge to find a way to effectively protect the personal stuff in there.

Another scenario where it would be nice to keep the Palm data encrypted on the PC side is when you’re syncing to someone else’s machine. For example, you’re visiting someone and want to install a nifty new app or move a lot of data onto your device. You sync with their machine to do so. Obviously you would set all the conduits to do nothing, but still…

Ideally, there would be an application that would allow you to selectively encrypt records and/or databases on the Palm, combined with a hot-key activated app on the desktop to decrypt things. Until a passphrase is entered, it’s encrypted on the desktop. Since 99% of the data we’re talking about is stored as ASCII this shouldn’t be too difficult. In fact there are at least two programs that are doing it for memos. CryptoPad is a freeware solution; MemoSafe is an inexpensive commercial one. Both leave encrypted memos inaccessible on the PC, but have a basic tool for decrypting them there if necessary. I’ve chosen CryptoPad simply because it makes the encrypted memos invisible on the desktop, which I think is an advantage. Tasks, contacts and appointments are still wide open. There used to be an app called ReadThis that would encrypt any field – at least I find references to it on the web. Alas it is no longer supported and the developer is unavailable. It would be nice if someone would write a replacement.

So by now I don’t have to worry about handing my Palm to someone else to use, or really crafty coworkers or less than ethical IT people. But there are still two areas where security is missing.

When I hotsync over a phone line or via the internet, lots of things are in the open. True, it probably takes a lot more sophistication to intercept what someone is sending over the net than it does to snoop some text files on a computer, but still the threat is there.

VPN provides a layer of security for all network traffic, and can be set up on PCs that have an always-on internet connection, which is a requirement for remote syncing anyway. This is the only way I can sync with work, so I’m set. For a direct phone line sync there aren’t any options I’m aware of, but most folks would probably consider that risk pretty minimal. In either case, a solution that encrypts on the Palm and leaves it encrypted during a hotsync would be fine.

But even if you have a secure connection to sync with, my email doesn’t stop there. Off on the net it goes, through unknown systems and past unknown eyes. Here is where things get the most complicated, because you aren’t the recipient, and in some ways get the easiest, because lots of folks have already thought about this problem. You’ve probably heard about PGP & OpenPGP, which are public-key encryption systems designed to provide email security. I won’t go into the whole history of PGP, except to say there’s a lot of stuff out there. Just not a lot of stuff for the Palm.

PGP Mobile exists, but it doesn’t seem to be well supported. Questions sent to PGP about it drew no response; questions posted on newsgroups drew little response and none really good. It’s also very expensive for a Palm app - $65 for a subscription license. I’ve decided to give it a try and hopefully they’ll decide to send it to me soon – export laws require them to “check me out” before sending it.

There is an OpenPGP for the Palm, which is open source. Unfortunately it was last updated in the late 90’s, and is less than stable on my OS5 T3. It also lacks any key management. While I’m no security expert, I don’t think it’s intended for serious use – it’s more of a hobbyist thing. I’m hoping someone will grab the source and update it for OS5. If I can put together a free build environment I might give it a try.

So how do I feel now that I’ve got all this stuff in place? I have to say there are three things that have made me relax far more than the others. First was picking new, random passwords. Second was encrypting some of the memos I have. Third was putting a password on my Palm. The rest of it is nice, but stands some chance of being shut off or removed in the future.