You do not sell any products? You just do this out of the goodness of your
heart and rely on donations?
----- Original Message -----
From: "@stake Advisories" <[EMAIL PROTECTED]>
To: "Palm Developer Forum" <[EMAIL PROTECTED]>
Sent: Tuesday, March 06, 2001 10:25 AM
Subject: Re: @stake ridiculousness
>
> As a Palm developer you may think it is apples and oranges and that the
> device is not meant to be secure, but many users don't know this. This
> is why we referenced 2 news stories (there are many more) in the
> advisory that show that people are attempting to use the device for
> secure data storage. Advisories are meant to alert people to risks that
> they should take into account when using a particular technology so they
> can mitigate them. One mitigation technique is just being aware and
> perhaps changing behavior, another is to use 3rd party apps, another is
> to use a vendor supplied solution. There could be others.
>
> In your use of the Palm you may have already taken into account the fact
> that the power off password lock is only partially effective to protect
> data. The advisory is meant for the majority of users who are unaware
> of this. Even with 3rd party encryption apps a trojan keystroke logger
> could be inserted on the device to record encryption passwords. This
> could be done with the debugging vulnerability in under 30 seconds.
> Users and people designing applications that take advantage of the Palm
> need to be aware of this. Sure this is not a common or high risk for the
> average user but it shouldn't be ignored.
>
> @stake does not sell any products so it is hard to see how this is a
> sales pitch. We do mention some 3rd party encryption apps as examples
> for one way to help mitigate this risk. If anything this is a sales
> pitch for Palm OS 4.0 which will fix the problem.
>
> Chris Wysopal
> [EMAIL PROTECTED]
> Director of R&D
> @stake, Inc.
>
> Dave Lippincott wrote:
>
> >
> > Apples and oranges. NT is an OS intended to be secure, the Palm OS so far
> > is not. The advisory is kind of like announcing your car could be stolen,
> > taken for a joy ride, returned and you would never know valuable miles have
> > been stolen. If you want a theft-proof car, you would equip it that way. I
> > don't know anyone that considers the Palm secure without adding 3rd party
> > software and/or accessories. The advisories begin to take on the tone of a
> > sales pitch.
> >
> >
>
>
> --
> For information on using the Palm Developer Forums, or to unsubscribe,
> please see http://www.palmos.com/dev/tech/support/forums/