Handheld Devices Lack Security?


Ed Hansberry
08-04-2003, 07:00 PM
http://story.news.yahoo.com/news?tmpl=story&cid=581&ncid=581&e=1&u=/nm/20030802/tc_nm/tech_handhelds_dc

There have been a number of news articles over the past few days spurred by comments at DefCon last week. "Don't put any secure information on your PocketPC or your Palm," Glancey warned after a speech on the subject at DefCon, the largest annual computer security conference in the world. "They don't have any security features built in," he said.

They go on to speak of specific vulnerabilities in the PalmOS but don't really mention anything about the Pocket PC. I'm not sure how much of Glancey's comments are real and how much is sensationalist. Pocket PCs don't have any encryption built in, and if that is what he is referring to, it is a fair statement. To my knowledge though, you can't just sniff out a Pocket PC on your LAN and suck all of the information off of it. If you have a PIN on your Pocket PC, you can't even dock it with your PC and get the data via ActiveSync unless you know the PIN.

A PIN is a good security measure, especially the one on the Pocket PC. Time increases exponentially between guesses so after 15 guesses, you are having to wait 7-8 minutes before you can make another guess. After 24 guesses, you are having to wait days between guesses. Given there are 10,000 possible combinations using just a simple 4 digit PIN, unless you do something stupid like make it your year of birth, chances of someone getting your 4 digit PIN in 24 guesses are 1 in 417. Given it takes days to get there, I'll take those odds. It isn't like I have the nuclear launch codes or anything. If you have the strong alphanumeric PIN, it is close to impossible to guess.

Still, you need to encrypt some data. I keep my encrypted data in Ilium Software's eWallet (http://www.handango.com/brainstore/PlatformProductDetail.jsp?siteId=311&productId=9440) for a few reasons. First, my PIN isn't always active. For convenience sake, I keep my PIN set to activate at one hour. Another reason is my eWallet file is synchronized to my PC, then my domain file shares and backed up on tape. I want to make sure that data is secure through all of those transmissions and on the various forms of media it is stored on. You can also use applications like Resco's File Explorer (http://www.handango.com/brainstore/PlatformProductDetail.jsp?siteId=311&productId=11118) to encrypt specific files. For seamless encryption, you can use apps like Softwinter's Sentry 2020 for Pocket PC (http://www.handango.com/brainstore/PlatformProductDetail.jsp?siteId=311&productId=12315), which encrypts and decrypts on the fly as you use documents.

I think it is a bit chicken little to say you shouldn't put any confidential information on your Pocket PC, but you do need to take measures to ensure the data is safe, just as you do on your PC and corporate servers.

There are some other security related threads from June 2002 (http://www.pocketpcthoughts.com/forums/viewtopic.php?t=1499) and September 2002 (http://www.pocketpcthoughts.com/forums/viewtopic.php?t=3387). (All product links are affiliate links)
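The lockout arithmetic from the post above, as an added example that is not part of the thread and is not the Pocket PC's actual algorithm. It assumes the delay doubles after every wrong guess, calibrated to 7.5 minutes after guess 15, which also puts the wait after guess 24 at more than two days; `PinLock`, its return strings and the sample PIN are hypothetical.

```python
import hmac
import time

PIN_SPACE = 10_000                        # 4-digit PIN, as in the post
ANCHOR_GUESS, ANCHOR_DELAY_S = 15, 450.0  # assumed: 7.5 min after guess 15

def delay_after(failures):
    """Seconds of lockout after `failures` consecutive wrong guesses (assumed doubling)."""
    return ANCHOR_DELAY_S * 2.0 ** (failures - ANCHOR_GUESS)

def guesses_within(budget_s):
    """Guesses that fit into budget_s seconds; the first guess costs no wait."""
    guesses, waited = 1, 0.0
    while waited + delay_after(guesses) <= budget_s:
        waited += delay_after(guesses)
        guesses += 1
    return guesses

def hit_probability(guesses):
    """Chance that `guesses` distinct tries hit a uniformly random PIN."""
    return min(guesses, PIN_SPACE) / PIN_SPACE

class PinLock:
    """Hypothetical lock that applies delay_after() to every wrong guess."""

    def __init__(self, pin, clock=time.monotonic):
        self._pin, self._clock = pin, clock
        self.failures, self.locked_until = 0, 0.0

    def try_unlock(self, candidate):
        now = self._clock()
        if now < self.locked_until:
            return "locked"               # refused unchecked, even if correct
        # Constant-time comparison so timing does not leak matching digits.
        if hmac.compare_digest(candidate.encode(), self._pin.encode()):
            self.failures = 0
            return "ok"
        self.failures += 1
        self.locked_until = now + delay_after(self.failures)
        return "wrong"

if __name__ == "__main__":
    for days in (1, 3, 365):
        g = guesses_within(days * 86400)
        print(f"{days:>3} days: {g} guesses, 1 in {1 / hit_probability(g):.0f}")
```

Under this assumed schedule the owner is also refused while the lock is active, which is the situation easylife raises further down the thread.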

rlobrecht
08-04-2003, 07:07 PM
And don't forget that iPaq with the thumbprint scanner. I would think that would fall under the realm of a security feature. I suspect the author based his entire speech on the lack of security in Palm, and then assumed that Pocket PCs would be similar.

Sven Johannsen
08-04-2003, 07:11 PM
I always figured my Pocket PC doesn't have any more damaging material on it than my wallet. I treat it somewhat like my wallet. I don't leave it laying around loose, it goes in my pocket, I keep track of it. Beyond that I do use e-wallet to secure the extra sensitive stuff.

easylife
08-04-2003, 07:21 PM
I think that you should be forced to wait only if the code was wrong. Imagine entering the right code on your PPC after someone tried to enter the wrong PIN and having to wait days for it to unlock :roll:

Ed Hansberry
08-04-2003, 07:43 PM
I think that you should be forced to wait only if the code was wrong. Imagine entering the right code on your PPC after someone tried to enter the wrong PIN and having to wait days for it to unlock :roll:
The delay is almost nothing after the first 3-4 guesses. If you are into guess #5, I suspect you aren't the real owner. :wink: If someone did mess your PPC up the way you say, I'd be inclined to do a hard reset and just restore.

gorkon280
08-04-2003, 08:02 PM
While I will agree, there's no built in Encryption, it is very easy to add that. Sometimes your PPC comes with it (RescoFileExplorer comes with the iPaq 5555 and possibly other iPaqs). I also use the fingerprint scanner. I have had folks who are not me try to scan their print and it works like it should (although not to the erasure point). I tried F-Secure but it gave me problems when I was powering on. Sometimes I would not be able to access iTask when I was having these problems. Uninstalling it alleviated that. I currently use Resco to encrypt some files. I don't keep my CC info on ANY computer except the banks unless it's encrypted to the hilt. I do not keep the CC info on my PPC either.

T-Will
08-04-2003, 08:06 PM
Given there are 10,000 possible combinations using just a simple 4 digit PIN, unless you do something stupid like make it your year of birth, chances of someone getting your 4 digit PIN in 24 guesses are 1 in 417.

Whoop guess I better change my PIN... ;)

heov
08-04-2003, 10:12 PM
I don't know about other backup solutions, but the in ROM backup solutions in the Asus and the Jornada sucked. If you hard reset and restore, your PIN does not get restored. So it's no longer secure. However, I do realize Pocket Backup and other solutions do offer an encrypted backup... just commenting on the older PPCs. The only sensitive info I have is in eWallet anyway...

Howard2k
08-05-2003, 12:21 AM
And of course storing confidential data in ROM or on storage card has to be a big no-no.

qmrq
08-05-2003, 01:57 AM
Indeed. I have a flash card that I carry project files on. At the moment it's not where it should be...

So if anyone happens across a slick little silver compact flash reader with a cf card in it... email me or something... just be sure not to examine anything stored on it! There are things on there that are going to change the world.

bjornkeizers
08-05-2003, 10:33 AM
I never worry about encryption or PIN. I don't even have a PIN set up. I used to, but not anymore as it's too much a hassle to input every time.

"But Bjorn! That's not very secure! What about your data?" you cry.

Well, says Bjorn. I don't keep any data on the bloody thing. There is not one single phone number, Email address, bank number, credit card number, or even so much as my cell phone number on it. I'm paranoid about security, and I want to keep my data safe. I store it in the most secure and best encrypted data storage facility you can get: My Head.

If I do lose my PPC [not bloody likely, as I'm very careful with it] I won't have to worry about losing any valuable data. I won't have to change my email or notify any of my friends. I don't have to call the credit card company.. I don't worry about a single thing.

Ed Hansberry
08-05-2003, 12:34 PM
Well, says Bjorn. I don't keep any data on the bloody thing. There is not one single phone number, Email address, bank number, credit card number, or even so much as my cell phone number on it. I'm paranoid about security, and I want to keep my data safe. I store it in the most secure and best encrypted data storage facility you can get: My Head.
Uhm... what do you have a Pocket PC for? I am impressed you have all of that memorized. At best, I have a few dozen email addresses memorized, some phone numbers and two credit cards. My other 500 contacts, 150+ eWallet cards, ~50 lists and various tidbits of my important info though I haven't bothered to memorize. :D

bjornkeizers
08-05-2003, 07:12 PM
I use it mainly for Ebook reading, note taking, doodling, picture viewing, games, the occasional alarm, appointments, unit conversion, on the fly spreadsheet editing.. that sort of thing. I know it's not secure, so I treat it as such. If it's data I don't want anyone to have access to other than me, I don't store it on my PPC.

cyj
08-05-2003, 09:28 PM
Usually, I'm very conscious about my PPC. But it's easy to lose track for a moment. What about a radio frequency tag that would allow you to track it down with another device? I don't know what would be required here, but I suspect companies that might check out a number of these on a given shift, etc., might want to be able to find them should they get misplaced.