
View Full Version : Too Much Security, Too Expensive


Andy Sjostrom
11-18-2004, 12:00 PM
With my most recent mobile application development projects in mind I must conclude that "mobile security" is overrated and too expensive.

Companies spend too many resources on the security aspects in their mobile solutions without considering that the chain is not stronger than its weakest link. I am not saying that security is irrelevant. I am saying that security should be implemented at the most appropriate level with regards to each specific situation and requirement. Today it is more like: implement the most strict security level all the time and everywhere regardless of what is being protected and why. This is a waste of resources.

Why invest a fortune in time and money to make the mobile solution safe as a nuclear bomb shelter using the latest biometrical products, strongest passwords and data/communication encrypted using the most complex algorithms if the information is not more vital for an outsider than your grocery list is? Or if the information is then stored and sent unencrypted across the public Internet from headquarters? If anyone really wanted to get at the information, wouldn't it be smarter to just then tap the headquarters than to go after the service technicians?

Back to basics: let real requirements decide.

JvanEkris
11-18-2004, 12:22 PM
I agree with you that it is a bit strange to encrypt a complete device and then realize the only thing on it is a list of your friends and a lot of notes nobody will even understand.

I have the Hx4700 on review which is pretty good in this, you can decide what is encrypted and with what encryption algorithm. However, plugging it into activesync is a good way of extracting the data as well, and that is not blocked in any way.......

Biometrics sounds cool, encryption as well, but it is damn slow when you are in a hurry to make an appointment. I had turned them on, but I have turned them off one by one: It is such a drag to use (even on a 624MHz machine!).

Jaap

Sven Johannsen
11-18-2004, 03:49 PM
Oh my God...suggesting rational thinking at the executive and policy level...what a radical approach.

Anyone see Dilbert this past weekend? Reminiscent of several camera threads here. Scott Adams must work in the industry..he is frighteningly accurate.

manywhere
11-18-2004, 06:48 PM
Anyone see Dilbert this past weekend? Reminiscent of several camera threads here. Scott Adams must work in the industry..he is frighteningly accurate.

That was exactly the first thing I thought of when reading Andy's post. :D For those who don't understand what we're talking about, here is the Dilbert from last Sunday (http://www.dilbert.com/comics/dilbert/archive/images/dilbert200411195094.jpg). ;)

jickbahtech
11-18-2004, 07:14 PM
Just because of my line of work I'm going to have to disagree with the general point.
I work for an HP reseller, and most of our business is done through government contracts. Lately we've been very frustrated with the direction mobile computing has been headed. Now this isn't an "average user" argument, but I'm sure there are a lot of industries that could benefit from an ultra secure mobile device without cameras and cell phone capabilities (or sometimes even wireless) built into it. I know of quite a few people that would invest a lot more in mobile tech if they were built with modular capabilities (like being able to physically remove bluetooth or wi-fi).

I just thought it was funny that Nuclear security was brought up, as the last order I put together was for a group working on particle accelerators. Someone working on gear like that needs a secure device (biometric, strong alpha numeric+). And not just application specific either. I would consider that individual's contact and calendar info to be very strict "need to know".
Even with what little info I deal with I have to use a 4 digit PIN on my poor old 3950. Having done so I actually do feel better about using it. The idea of losing it with all of my family and friends contact info is a little unsettling (and activesync doesn't bypass security, it holds it until the PIN is entered).
I agree with the sentiment Andy expressed "let real requirements decide", but I still feel all units should be built with the capabilities for total lock down.

Jonathon Watkins
11-18-2004, 11:02 PM
Anyone see Dilbert this past weekend? Reminiscent of several camera threads here. Scott Adams must work in the industry..he is frighteningly accurate.

That was exactly the first thing I thought of when reading Andy's post. :D For those who don't understand what we're talking about, here is the Dilbert from last Sunday (http://www.dilbert.com/comics/dilbert/archive/images/dilbert200411195094.jpg). ;)

Very funny cartoon indeed. I was wondering whether to draw folks' attention to it, but you beat me to it. :D

Yup, appropriate security is the ideal, but so many folks try to cover their butts by ticking every security option box when specifying systems. "It's not my fault. I ordered high security". :?

JvanEkris
11-18-2004, 11:39 PM
I just thought it was funny that Nuclear security was brought up, as the last order I put together was for a group working on particle accelerators. Someone working on gear like that needs a secure device (biometric, strong alpha numeric+). And not just application specific either. I would consider that individual's contact and calendar info to be very strict "need to know".

I used to work in the nuclear industry, as well as in air traffic control systems as in safety critical storm flooding barriers (I'm a specialist in safety critical systems). I have a different opinion. It is outright paranoia striking there. You have to remember that data without context is nothing. And even then. 10 years ago we all used those idiotic filofaxes, that got stolen or lost at the most inconvenient times. Nobody cared then, nobody cares about them now.

The fact that an event/appointment takes place with a certain agenda does not make it a breach of security. Just to see what it said on the days I worked there, I looked it up. It is so cryptic that without thorough knowledge of the system, you can't make heads or tails of it. After 5 years I myself can only understand half of it, although it used to make a lot of sense at the time. Most of the time it is "meeting with so and so regarding pressure valve controller x-z-u" or "safety test of controller y in area DECO". No deep technical details, an agenda or small notes at most. 99% of these locations were in secured areas anyway, so no need to keep it secret. Because if you knew that things were going to happen, you could not do anything anyway. Colleagues at my company could read those appointments as well (that is what groupware is for). That is the daily practice of life.

Encrypting contacts is just outright idiotic. The fact that I know/have access to certain people has absolutely no value. Most key players in those industries/research facilities have familiar names and faces. Almost everybody knows them. Most people are in the company phone-directory anyway, or can be easily found by calling the front-desk of the company. If you steal my mobile phone you not only get the same information, but also get to see when I called them and for how long! That is perhaps more interesting. But nobody even thinks of encrypting a mobile phone because it is so irritating when I have to call somebody.

I do say there are some jobs where encryption of this information could be vital. Basically that is the group of operational officers of intelligence services, where names and dates are considered classified. But I think it is plain wrong to make this the standard for the 99,9% of the rest of the world. In business sometimes there are some specific files that should be encrypted (like strategies or new product ideas etc.), but that can easily be solved by other means than biometric equipment.....

Jaap

jickbahtech
11-19-2004, 06:53 PM
I do agree that some people do go overboard, but I still believe tools need to be in place for whatever level of security one might need.

Filofaxes are one thing, and PPC's are a totally different kind of beast entirely. A single piece of info by itself probably isn't very valuable, but someone's calendar for the year, with tons of notes or docs or spreadsheets, with a couple memos and some email, and now you're looking at a mass of info. Most won't be able to make heads or tails of it, but some industrious few might, and that's the rub. You're not guarding against Joe Public, but the few that might gain some knowledge.

For example, part of our sales team was in high panic about a month ago when one of our VP's accidentally left his ipaq at a vendor conference. It was full of sales info, and manufacturer contacts, plus a few pricing sheets for Govt. contracts. Exactly the wrong info to give away for free at a conference where competitors would be. As this guy was "very important" he couldn't be bothered to use anything to secure his PDA.

I think Biometrics are the perfect solution for mobile computing. The 5550 has become an invaluable unit for sales, as you just have to swipe a finger over a strip. Tell someone they have to enter a strong alphanumeric with a stylus and their eyes glaze over. In my line of sales, we won't sell as many 4700's as we did 5550's for that very reason. Convenience.

Some people go overboard on security, but we should be making it easier for dumb people to use (like self important VP's). We shouldn't be removing tools. I see that as a step backwards.

Sven Johannsen
11-19-2004, 09:54 PM
It was full of sales info, and manufacturer contacts, plus a few pricing sheets for Govt. contracts. Exactly the wrong info to give away for free at a conference where competitors would be.

Someone enlighten me as I don't use a password on my PPC and haven't played with the biometric ones. I supposed that the biometric reader essentially replaces the PIN/Password screen.

Does this protection on a PPC secure the files on an SD or CF card, or just access to the device as a whole? I understood that I could typically just take the flash card out and throw it in a reader. That's where I expect the exec's files were anyway, except for the contacts. I understand there are third party options to encrypt removable media, but the standard stuff doesn't do any of that, right?

Phoenix
11-19-2004, 10:35 PM
Jvan and JickBah - good points all around.

I do think biometric fingerprint readers should be integrated into all laptops, handhelds, and smartphones. That way, if you need it, it's there. If you don't, then no big deal.

jickbahtech
11-19-2004, 10:48 PM
Yes the Biometric replaces the pin screen when you start the PPC up. It's a little finicky, but it works pretty well.

For older PPC's you will need to get some third party solution to secure the info on a card, but the 4700 comes with some pretty decent tools to encrypt the unit, its rom, and a memory card. Might be overkill for some, and a little too rudimentary for others, but it's a step in the right direction. It just kinda sucks that it doesn't have a Fingerprint reader. Our sales department is very anxiously awaiting the HX2700 here in the states.

JvanEkris
11-19-2004, 11:14 PM
Filofaxes are one thing, and PPC's are a totally different kind of beast entirely. A single piece of info by itself probably isn't very valuable, but someone's calendar for the year, with tons of notes or docs or spreadsheets, with a couple memos and some email, and now you're looking at a mass of info. Most won't be able to make heads or tails of it, but some industrious few might, and that's the rub.

And you think that an average filofax did not contain this kind of info? A standard Activesync relation removes all appointments that are older than two weeks and removes all tasks that are completed. A filofax, or worse a normal agenda, contains ALL appointments in a year and it is an extreme hassle to remove them. The filofaxes I have seen from colleagues and my manager contained just that information you mentioned, up to complete extracts from building schematics of plants, security layouts, cost-ratios and strategic marketing plans. It was all nicely printed by our secretary and put into the filofax. Just because it comes in handy when you are in a meeting to have that info in one place.

I agree it is absurd, but nobody seems to care. Why? Because it is extremely complex to make a pile of paper secure and it is extremely comfortable to have all that info in one place. These things do get lost and get stolen as well. Also in very inconvenient places.

But when somebody puts this info on an electronic device (laptop/PDA whatever), somebody starts to shout that it should be encrypted. Although it sometimes is a very valid call to reason, one should remind oneself that the people before that just took the same info with them on paper. I completely agree that it is no excuse to keep doing a fundamentally wrong thing, but I see a lot of overkill happening here because it could prevent something that we did not worry about when it was just paper.

For older PPC's you will need to get some third party solution to secure the info on a card, but the 4700 comes with some pretty decent tools to encrypt the unit, its rom, and a memory card.

One of the shining examples is the protection for the Hx4700. It sounds great in principle: encrypted databases for contacts, calendar etc.. However, why encrypt it when you can block access to the device altogether. A very simple but extremely effective way. The fact that the lock keeps active even after a hard reset is brilliant. I agree one should look at the external cards, but encrypting data that is volatile is a performance killer (it takes about 30 seconds to boot a locked Hx4700), while achieving almost nothing in effective protection. I seriously considered removing the protection altogether. Besides this, when I put in my cable, it syncs without asking for a password! The standard implementation does block this.....

Jaap

jickbahtech
11-22-2004, 09:07 PM
Ok, excellent points on the filofaxes, and I do agree with most of the points you're making, I just see an argument like that headed towards some dangerous conclusions. (Like bean counters saying we could save money if we got rid of integrated security solutions).

Most of the business we do with companies, any hard copy of information (personal or lab related) isn't allowed off ground. A Palm or PPC is though. Coupled with the fact that I don't hear very many stories of people leaving year long agendas and cost analysis in the backs of cabs. And ideally a filofax should be shredded once past usefulness, but Outlook just archives data, and is still somewhere to be looked up. In fact even with archiving (which is usually a choice you have to set up, not the norm for Outlook) I can still see appointments from last year.

As for security, I don't know if I'm doing anything different, but if I set up an Activesync connection with a computer, it asks me to put in my PIN and then gives me the OPTION of remembering my PIN upon future syncs. If I don't enter the PIN I have no Pass-through abilities, and I can't see anything on the device from the host computer.

Really I would just like to see more simplicity, and this is where I like biometrics. Just have a configuration tool that encrypts the data on the whole device and storage card, that is activated by a finger print scan. Done. I think something like this would be of most benefit to technophobes that still need some level of security.

JvanEkris
11-22-2004, 11:31 PM
And ideally a filofax should be shredded once past usefulness, but Outlook just archives data, and is still somewhere to be looked up. In fact even with archiving (which is usually a choice you have to set up, not the norm for Outlook) I can still see appointments from last year.

Standard settings for Activesync are that after two weeks the appointment is removed from the mobile device.

As for security, I don't know if I'm doing anything different, but if I set up an Activesync connection with a computer, it asks me to put in my PIN and then gives me the OPTION of remembering my PIN upon future syncs. If I don't enter the PIN I have no Pass-through abilities, and I can't see anything on the device from the host computer.

True, but unfortunately the security software on the Hx4700 does not do that. It just ignores the part of Activesync having to authorize. I did not get asked anything......

Jaap