As a Palm developer you may think it is apples and oranges and that the
device is not meant to be secure, but many users don't know this. This
is why we reference 2 news stories (there are many more) in the
advisory that show that people are attempting to use the device for
secure data storage. Advisories are meant to alert people to risks that
they should take into account when using a particular technology so they
can mitigate them. One mitigation technique is just being aware and
perhaps changing behavior, another is to use 3rd party apps, another is
to use a vendor supplied solution. There could be others.

In your use of the Palm you may have already taken into account the fact
that the power off password lock is only partially effective to protect
data. The advisory is meant for the majority of users who are unaware
of this. Even with 3rd party encryption apps, a trojan keystroke logger
could be inserted on the device to record encryption passwords. This
could be done with the debugging vulnerability in under 30 seconds.
Users and people designing applications that take advantage of the Palm
need to be aware of this. Sure, this is not a common or high risk for the
average user but it shouldn't be ignored.

@stake does not sell any products so it is hard to see how this is a
sales pitch. We do mention some 3rd party encryption apps as examples
for one way to help mitigate this risk. If anything this is a sales
pitch for Palm OS 4.0 which will fix the problem.

Chris Wysopal
[EMAIL PROTECTED]
Director of R&D
@stake, Inc.

Dave Lippincott wrote:
>
> Apples and oranges. NT is an OS intended to be secure, the Palm OS so far
> is not. The advisory is kind of like announcing your car could be stolen,
> taken for a joy ride, returned and you would never know valuable miles have
> been stolen. If you want a theft-proof car, you would equip it that way. I
> don't know anyone that considers the Palm secure without adding 3rd party
> software and/or accessories. The advisories begin to take on the tone of a
> sales pitch.
>
>
--
For information on using the Palm Developer Forums, or to unsubscribe, please see
http://www.palmos.com/dev/tech/support/forums/