Paul/Marc,
well this is the kind of feature that Nokia should put into the base
product along with a data/file encryption option (kind of like the
Encrypting File System aka EFS feature in Windows 2000/XP Pro/Vista).
With EFS, selected files are automatically encrypted/decrypted by the
filesystem using keys that are specific to the logged in user.
Maybe the solution is to have a suite of security apps that can be
optionally enabled to allow the corporate user and his/her sysadmin to
achieve a higher level of security for the data on these devices. I
could foresee the following:
1. Stateful in/out firewall (already discussed on this list)
2. Remote device disable/wipe
3. File Encryption
4. SSL VPN client compatibility.
With respect to item 4 I can even think of one particular supplier's SSL
VPN concentrator product family to consider here for
integration/compatibility, the Nokia 50/60/100/500 s:
http://europe.nokia.com/A4153103
In fact the data sheet even mentions "mobile devices" access.
"Since deploying laptops to the bulk of
employees could be cost-prohibitive
especially in a small business environment,
Nokia SSL VPN offers support for a wide
range of remote devices from company
issued laptops to personal PCs *and
handheld devices*."
http://europe.nokia.com/NOKIA_BUSINESS_26/Europe/Products/Security_Products/Nokia_SSL_VPN/Nokia_50s/nokia_sslvpn_50s_datasheet_emea.pdf
Best Regards,
John Holmblad
marc zonzon wrote:
On 2/22/07, Paul Klapperich <[EMAIL PROTECTED]> wrote:
You could set up pubkey authentication on your home ssh server. Then you
could add a script to the device such that when it connects it runs
something like:
ssh -n -R2022:localhost:22
Good idea, as your ssh is an outbound connection the local firewall
may accept it. But your command is incomplete, we must have something
like:
ssh -n -R2022:localhost:22 [EMAIL PROTECTED] sleep 3600
and you must be sure that the public key of the nokia user is accepted by
[EMAIL PROTECTED]
It would be helpful to replace sleep by a script that warns you, then
sleeps.
Then on your local computer you could "ssh [EMAIL PROTECTED] -p2022" to
connect into your device whenever it's on the internet, regardless of
where it's connected from. You could manually erase the data, something
like:
for i in /home/user /media/mmc1 /media/mmc2; do
    rm -rf "$i"
done
We can do like that but it might be frustrating when you miss the
connection, or when it is interrupted before you finish, ...
I think this can only be an add-on to the second option.
Another trick I've used--actually to update computer labs--is to keep a
script on your server, then have the device use scp to copy that script
from the server and run it whenever it connects. In my case, the script
was simple. In your case the script would do nothing. To nuke your nokia,
replace it with one that erases stuff. This will get it the next time it
connects and wouldn't require you to know when the device connects.
That's fine, we use the same "download at boot and execute" to keep our
clients up-to-date. We just need to find how the script can be
triggered when the tablet connects to the internet (must not be
difficult, but I have not looked upon the tablet networking). Your
emergency script can of course erase sensitive data but also add a
startup service in /etc/init.d that shuts down the tablet if some
special action (say use some key) is not triggered. Making the use of
the tablet impossible except for you without reflashing.
Better than scp you can download the script from an httpd server using
netcat, because outbound http connections on port 80 are always open on
any access point your tablet may use.
Other options would include writing a log file to your home machine with
the IP connecting from. This could be used to track your device so you
might be able to help police recover it. Or you could delete important
system files and your personal data to make the device worthless without
a reflash.
Too complicated, just mail a message when you connect "I'm connected
from ip n° xxx.xxx.xxx.xxx gateway xxx.xxx.xxx.xxx", if you have
traceroute you can even traceroute to a known point to help locate the
device. But I suppose it's of no use, some people complain that the
police is not even looking for their stolen child, what do you expect
for your tablet!
At this point I'm wondering if it is not an option to put on our tablet
(at least when we are on the go), this "shut down if not
authenticated" service.
Of course the tablet policy forbids to authenticate as user before
logging in, because the second part of the boot process is done as
user. But why not put a simple query that the user must answer during
the first 5 min of connection? A startup script may pop up a window and
shut down the device if not answered. If you keep ssh access to user
or root you have some emergency solution if ever you forget the
password.
Marc
_______________________________________________
maemo-developers mailing list
[email protected]
https://maemo.org/mailman/listinfo/maemo-developers
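
Added example (not part of the original thread, and not code from any of its participants): one way to gate the "download the script and run it" step discussed above, so that the device only executes a script whose SHA-256 digest was pinned on it in advance and a truncated or altered download is discarded instead of run. The function names, the allowlist file format and the availability of sha256sum on the device are assumptions.

```shell
#!/bin/sh
# Added example: run a downloaded script only if its SHA-256 digest was pinned
# on the device beforehand. Allowlist format (assumed): one hex digest per
# line, lines starting with '#' are comments.

digest_of() {                      # print the SHA-256 digest of file $1
    sha256sum "$1" | cut -d' ' -f1
}

is_approved() {                    # 0 if file $1 matches a digest in list $2
    [ -f "$1" ] && [ -f "$2" ] || return 1
    d=$(digest_of "$1") || return 1
    [ -n "$d" ] || return 1        # never match an empty digest
    grep -v '^#' "$2" | grep -qxF "$d"
}

# Run script $1 if approved (returns its exit status); otherwise delete the
# download and return 3.
run_if_approved() {
    if is_approved "$1" "$2"; then
        sh "$1"
    else
        rm -f "$1"
        return 3
    fi
}

# Constructed demo: the owner pins a do-nothing script and an emergency script
# (a harmless stand-in that only writes a marker); an interrupted download of
# the emergency script must not run.
demo() {
    t=$(mktemp -d) || return 1
    printf 'exit 0\n' > "$t/noop.sh"
    printf 'echo EMERGENCY > "%s/marker"\n' "$t" > "$t/emergency.sh"
    { echo '# pinned in advance'
      digest_of "$t/noop.sh"; digest_of "$t/emergency.sh"; } > "$t/allow"
    head -c 10 "$t/emergency.sh" > "$t/partial.sh"    # truncated transfer
    r1=0; run_if_approved "$t/noop.sh" "$t/allow" || r1=$?
    r2=0; run_if_approved "$t/emergency.sh" "$t/allow" || r2=$?
    r3=0; run_if_approved "$t/partial.sh" "$t/allow" || r3=$?
    [ -f "$t/marker" ] && m=ran || m=skipped
    [ -e "$t/partial.sh" ] && p=kept || p=deleted
    rm -rf "$t"
    echo "$r1 $r2 $r3 $m $p"
}

demo    # prints: 0 0 3 ran deleted
```

Pinning limits what the device will execute, not who may serve it: whoever answers the plain-HTTP request can still replay one of the approved scripts, the emergency one included.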