Hi Aaron-

At 06:31 PM 11/24/2001 +0100, Aaron Ardiri wrote:
> some people (like myself) encrypt code resources or data chunks.
> providing the ability to "dump" the un-encrypted chunk using
> such a tool makes it easier for "warez" guys to get around such
> technologies :) but, they can do it without your tool (as, they
> have demonstrated by cracking applications) :P

Agreed. However, the problem lies not with the software tools that exist, but with the fact that current PDA platforms are NOT secure hardware devices. As we all know, one cannot have a secure application running on top of an insecure platform. The Palm hardware is not a secure hardware platform and shouldn't really be treated as one. Using any third-party encryption tools, protection mechanisms, etc. won't save you, unless the crypto keys or critical information are stored in a secure hardware device (or run in a secure environment like the IBM 4758 crypto coprocessor). The SD cards and Springboard modules are a good step, since the user can store credentials on the card and keep the card with them. I haven't seen this done yet, though. Currently, the only thing protecting Palm developers is a thin veil of obscurity. The onus should really be placed on Palm to provide a mechanism to build secure applications.

> um.. how could it be used in law enforcement? am i missing something?
<and>
> how does forensic acquisition have anything to do with a Palm device?
<and>
> i surely believe that if i was going to plan a crime i wouldn't use
> my palm to document it (although, some people are stupid) - don't get
> me wrong there :)

Many criminal investigations now involve the use of PDAs. You wouldn't believe what people are using these devices for. The LAPD has encountered times where they needed to determine the Palm system password to help with a murder case. Government agencies (OSIs for Navy, Army, Air Force, FBI, CIA, NSA, etc.) all encounter Palm devices during investigations. If there wasn't such a need, I wouldn't have spent the time writing the tool.. I wish I could give more concrete examples, but those are left to the discretion of those directly involved. As PDAs become more mainstream and start being used outside of enterprise/corporate environments, people will begin to use them for all sorts of activities, and it helps to be ready.

> i also believe i have the right to my own privacy. do you?

I sure do. But this has nothing to do with the fact that a tool is available to image memory. You could argue that HotSync also violates my privacy. I protect my right by properly encrypting and protecting sensitive information. This cannot be done on a Palm device with any certainty by only using software, and as mentioned before, hardware will need to play a part in order to do so.

> if you've ever dealt with troubleshooting a user's problem, you'll
> find that you will never be able to replicate their environment as
> they have it. users install a lot of things :)

The message I was referring to can be found at:
http://groups.yahoo.com/group/palm-dev-forum/message/55728
Keith Rollin and others show interest in a tool that creates an image to work with POSER. I think pdd is a step in this direction, which is one of the reasons it was created.

> i don't think the issue is your product, but, its potential use. i could
> bring up a number of arguments why my |HaCkMe| program (change hotsync
> username dynamically) is valid - however, it was pointed out that the
> main usage of such an application would be by warez communities to
> get around registration systems.

The potential use of a tool is not a valid argument. A hammer could be used to build a house or break a window. L0phtCrack (a popular Windows NT password auditing tool) could be used by an administrator to test the strength of their users' passwords or by a malicious attacker to determine passwords. Another example: take the Unix equivalent of my tool, 'dd'. Is that considered a script kiddie tool? It does essentially the same thing as pdd, but in a desktop environment. Someone could boot a system up via floppy and grab the password hashes via dd. Sure, attackers can use dd, but no one in their right mind would consider it a script kiddie tool or a malicious tool.

> it depends how people see your product being used. the last thing
> you want is to have other developers barking down your tree cause you
> released an application that poses loss of income/threat to them..

Again, developers need to place blame on Palm to help play a part in creating a secure platform. The people who write tools are not to blame - the capabilities already exist. Security through obscurity never worked and it never will.

Also, just so you don't feel that I'm barging in to the palm-dev list to stir things up, I've been involved in the Palm development community since 1997 (as The Grand Design, http://www.mindspring.com/~jgrand) and have worked closely with a few of the well-established third-party developers for the platform. I'm just not as active as I was in the past.

Joe

--
For information on using the Palm Developer Forums, or to unsubscribe, please see http://www.palmos.com/dev/tech/support/forums/
