View Full Version : Is Your Data Secure?


Ed Hansberry
06-01-2003, 01:00 PM
I read an article today that just left me shaking my head. It was an article by Rob Pegoraro called No Passport Out of Password Prison (http://www.washingtonpost.com/wp-dyn/articles/A1659-2003May16.html) and talks about how Microsoft's Passport won't save us from the plethora of passwords we now have for various online sites. Keep in mind the last time I read one of his articles I wrote a mini book (http://www.pocketpcthoughts.com/articles.php?action=expand,5971) on it. Something about his stuff just throws me off the deep end sometimes. :roll: Based on that previous article, it is pretty clear Rob uses a Palm, which is fine. Whatever works best for you. Hey, I use a Symbian 60 Nokia 3650 cell phone and love every minute of it.

(image: http://www.pocketpcthoughts.com/images/hansberry/2003/20030601-security.gif)

So how does Rob keep his data secure? "The second is to store your passwords someplace where you can look them up. That's what I did: After forgetting my bank-card PIN -- one of the most embarrassing forms of forgetfulness possible in the modern world -- I typed those digits, along with every other password I could remember, into a text file and encrypted it with the Pretty Good Privacy program. That's worked well for me . . . except when I've had to go home to log in to a site."

Huh? Come on. Sure that data is secure, but in a text file? Use eWallet (http://www.iliumsoft.com) or a comparable product. I have over 280 cards in my personal eWallet file and a whole bunch more in my work eWallet file. 8O I couldn't imagine that in a text file, and the eWallet file is portable. I also work with people who have half of this lesson correct. They keep all of their data with them on their PDA... in a Notes/Memo application. AAARRRGGGHHHH! You might as well keep passwords on post-it notes around your monitor or write your PIN number on your ATM card.

Then there was this article (http://www.infoworld.com/article/03/05/23/21secadvise_1.html) that talked about professional hackers who hacked to gain sensitive data from corporate systems so they could turn around and blackmail the company. How sophisticated are these hackers? Not very. They don't have to be. They steal from morons, which is much easier to do. That is what I would do.

"The Russian hackers referenced in the Post articles [see articles here (http://www.washingtonpost.com/ac2/wp-dyn/A2619-2003May17?language=printer), here (http://www.washingtonpost.com/ac2/wp-dyn/A7774-2003May18?language=printer) and here (http://www.washingtonpost.com/ac2/wp-dyn/A12984-2003May19?language=printer)] said that the first thing they always tried when breaking into a computer system was to use the default passwords, and that most of the time they worked. After that, they tried known and proven vulnerabilities within Windows, and that worked the rest of the time. More obscure attacks were rarely needed, mainly because so many companies yielded to their first two tactics so easily." Double AAAARRRRGGGGHHH!!!!

All people need to do is be sensible. Keep passwords secure and throw some numbers and symbols in them so dictionary attacks don't work, keep them with you in an encrypted format and stay up to date on security fixes. Did you know that two of the most widespread security issues on the internet (Code Red and Slammer) exploited bugs that Microsoft had patched no less than 6 months before the attacks began? Oh, and do you run Microsoft's SQL Server? Is your default password for the "sa" account still blank? Just go shoot yourself now. ;)

Personally, I keep my critical info in eWallet, encrypt the data with eWallet's 128 bit security, then lock that behind the Pocket PC's power-on security. Am I 100% safe? No, there is no such thing. However, the effort required to get at my data is too high for most thieves. Thieves are smarter than that. The guy behind me might just be a moron. :D Are you behind me?

Pony99CA
06-01-2003, 03:55 PM
Huh? Come on. Sure that data is secure but in a text file? Use eWallet (http://www.iliumsoft.com) or a comparable product. I have over 280 cards in my personal eWallet file and a whole bunch more in my work eWallet file. 8O I couldn't imagine that in a text file, and the eWallet file is portable.

Maybe the reporter doesn't have as many passwords as you do. If it works for him, why criticize that? He has encrypted it, after all.

I also work with people who have half of this lesson correct. They keep all of their data with them on their PDA... in a Notes/Memo application. AAARRRGGGHHHH! You might as well keep passwords on post-it notes around your monitor or write your PIN number on your ATM card.
Let's keep the exaggeration down to moderate levels :-) If your PDA is password protected, you're pretty safe. Sure, someone could take your PDA before the password timed out, but it's not like the data is as visible as the Post-It notes.

Let's assume somebody got ahold of your unlocked PDA. They'd still have to look through your files to find the passwords. While that's certainly possible, it's not really something I'd worry about.

For example, before I got eWallet, I used to have records for each credit card provider I had in Contacts. On the Notes page, I'd save the credit card numbers for that provider (as most providers want that number if you contact them). I never had a problem with that set up.

Steve

Glisson
06-01-2003, 04:36 PM
I tend not to put much in the way of valuable info on my Axim because I find most solutions, like encrypting a txt file, too cumbersome. I need a solution that is fast and nearly invisible, so to speak, or I won't end up using it.

Glisson

TawnerX
06-01-2003, 05:12 PM
Huh? Come on. Sure that data is secure, but in a text file? Use eWallet (http://www.iliumsoft.com) or a comparable product. I have over 280 cards in my personal eWallet file and a whole bunch more in my work eWallet file. 8O I couldn't imagine that in a text file, and the eWallet file is portable. I also work with people who have half of this lesson correct. They keep all of their data with them on their PDA... in a Notes/Memo application. AAARRRGGGHHHH! You might as well keep passwords on post-it notes around your monitor or write your PIN number on your ATM card.


A text file in PGP is surely far more secure than eWallet's RC4.

PGP is stronger than RC4.

Cracking RC4 is a sport on the net; the last report is 56 bits, but reports on cracking PGP have so far been pretty scant. RC4 is basically broken.
http://www.cl.cam.ac.uk/users/rnc1/brute.html

Just because something is payware doesn't make it automagically better.

deich
06-01-2003, 05:55 PM
TawnerX is absolutely correct. So far as I can see, the PPC programs use encryption algorithms that are easy on the programmer. And to make matters worse, most of them use "modified" or "similar to" algorithms that are probably worthless if faced with a serious cryptographic attack.

Of course, there may be little chance that your PPC will be the subject of a serious attack, because there's not enough value to attract a serious attacker. So the PPC programs might not have to do much more than keep out the amateurs and casual hackers.

PGP can be secure, depending on the key type and length that you select. Beyond that, even with a very good key, it might not be as secure as you think. Where did you store that private key -- on your laptop? Then at best the security is no better than the strength of your password. We have a serious security requirement where I work. We use PGP. We have restrictions on the type and length of keys. And we NEVER place private keys on laptops, PPCs, or any other device that leaves our very secure room in our very secure building (which is protected by locks, passcards, cameras, etc.) If somebody at work wants to use PGP with a laptop, they have to keep their private key on external media that stays in the secured room (CD, zip, floppy, etc.) Needless to say, our building also does not have WiFi, we have multiple levels of network security, etc. ad nauseum.

Security is available, but it is not easy and it is not convenient. You have to select the level of security to match the value of what you are protecting and the likelihood of attack. For many people, PPC programs with "modified RC4" encryption are probably fine.

BTW - PGP can encrypt databases and spreadsheets as well as flat files.

Ed Hansberry
06-01-2003, 06:24 PM
Maybe the reporter doesn't have as many passwords as you do. If it works for him, why criticize that? He has encrypted it, after all.
Well, it doesn't work. ;) He said he didn't have his data with him.

As to the RC4/PGP comments, you guys are dead on. I know what I am doing isn't 100% secure, but it is secure enough that few would bother cracking it. Trust me, what they got out of my file wouldn't be worth their effort. :lol:

I'm just asking people to use a bit of common sense. If they did, cracks/hacks/DOS attacks would be much less frequent and effective.

snave
06-01-2003, 07:16 PM
If you are someone who needs the data on your Pocket PC 100% secure, then you need to use software that fully encrypts the device and memory cards. There are products from PointSec, Movian, BeCrypt and New Media Security that offer this. The latter, New Media Security, is available in the UK from www.pocketpc-solutions.co.uk

TawnerX
06-01-2003, 07:24 PM
As to the RC4/PGP comments, you guys are dead on. I know what I am doing isn't 100% secure, but it is secure enough that few would bother cracking it. Trust me, what they got out of my file wouldn't be worth their effort. :lol:

At question is your opinion that a text file using PGP is less secure than payware eWallet using RC4.

You can say eWallet is more convenient and has a better looking interface, but you cannot say it's more secure or cheaper than properly implemented PGP.

Ed Hansberry
06-01-2003, 07:43 PM
At question is your opinion that a text file using PGP is less secure than payware eWallet using RC4.
Please show me where I said that because I will correct it instantly. As I reread my post I think the two points were made:

1) The author of the article keeps his data in a text file. I said it was secure but was not convenient, a point he himself made.
I typed those digits, along with every other password I could remember, into a text file and encrypted it with the Pretty Good Privacy program. That's worked well for me . . . except when I've had to go home to log in to a site.

2) Knowing he has a Palm, I simply suggested using a product that could be used on both the desktop and PDA that would also keep his data secure, yet be more convenient. I used eWallet as an example because I use it and I happen to know they have a Palm version. There are other excellent Pocket PC apps like Code Wallet and I am sure there are half a dozen PalmOS only variants.

Now, everyone throws 128bit RC4 encryption around as if you could crack it on your PC in a few hours. I know in January 1999, RC4-40 was cracked in 8 hrs. Since RC4-128 keys are approximately 309,485,009,821,345,068,724,781,056 times harder to crack, it would take 1 trillion X 1 trillion (that is 1,000,000,000,000^2) years using the same computing power. Computing power has probably risen by a factor of 10 to 20 since that time. So I still think my data is safe. Is it as secure as PGP? No. But whether it takes you 1 trillion years squared or 1 billion trillion years squared to crack it, I could care less. All my info will be worthless by then anyway.

If anyone has data to show these numbers are invalid and you could crack a 128bit RC4 key in a few hrs, days or weeks, please post links. And no links to the articles a few months ago whereby 128bit SSL was "cracked" by having internal access to the network and sniffers in place watching the SSL connection being established and getting the key that way. Thanks.

Coordinator
06-01-2003, 07:44 PM
...I find most solutions, like encrypting a txt file, too cumbersome. I need a solution that is fast and nearly invisible, so to speak, or I won't end up using it.
Sentry 2020 (www.softwinter.com) does exactly that. I have been using it for a few years now. Works like a charm.

Jason Dunn
06-01-2003, 08:09 PM
For example, before I got eWallet, I used to have records for each credit card provider I had in Contacts. On the Notes page, I'd save the credit card numbers for that provider (as most providers want that number if you contact them). I never had a problem with that set up.

You never had a problem with it. But did your Pocket PC get stolen in that timeframe? :mrgreen: That's like saying your car hasn't had a problem resisting body damage falling off a cliff when you haven't yet fallen off a cliff. See how naïve your statement is? Security is always "enough" until the moment it's bypassed and suddenly hindsight tells you maybe you should have done something a bit better. :wink:

Regarding PGP being better than 128-bit encryption on digital wallets, security is always about finding the balance between convenience and effectiveness. For instance, I don't put a power-on password on my Pocket PC, because I find it irritating and it's a barrier to using my device. Even if I had one, I'd probably make it so short it would be almost useless. However, I use FlexWallet to store my critical data, and even if my Pocket PC was stolen, the thief would have information about me (which IS dangerous, mind you) but no access to credit card numbers, bank account information, etc. Ultimately a highly secure solution that doesn't get used is far, far worse than a moderately secure solution that DOES get used.

TawnerX
06-01-2003, 08:19 PM
1) The author of the article keeps ...

1. He uses PGP to encrypt his data in the text file.
2. PGP exists on Palm.

-The PGP encryption algorithm is more robust than RC, which is the essence of the security debate. The open PGP also exists as a free download.

-If you are debating that using RC4 with a pretty user interface is safer than text data encrypted in PGP, then you are wrong.

-There is more than one way to store small snippets of text, including a database file; a text editor is not the only way of storing it.

-The increase in key rate for brute force attacks is exponential and has a far higher rate than your estimate.

People who knowingly trade convenience for an illusion of security deserve to get hacked.


Your request to comment; the text, for reference:

Huh? Come on. Sure that data is secure but in a text file? Use eWallet or a comparable product. I have over 280 cards in my personal eWallet file and a whole bunch more in my work eWallet file. 8O I couldn't imagine that in a text file, and the eWallet file is portable. I also work with people that have half of this lesson correct. They keep all of their data with them on their PDA... in a Notes/Memo application. AAARRRGGGHHHH! You might as well keep passwords on post-it notes around your monitor or write your PIN number on your ATM card.

pro_worm
06-01-2003, 08:38 PM
The safest way to keep your memory secure is to sit down for an hour in a black leather chair, memorize all your passwords, and get back to living.

You see? No one will ever crack that..... Without a rack and some voltage wires :)

Ed Hansberry
06-01-2003, 09:15 PM
-If you are debating that using RC4 with a pretty user interface is safer than text data encrypted in PGP, then you are wrong.
Second request: where did I say that?
-The increase in key rate for brute force attacks is exponential and has a far higher rate than your estimate.
Second request: links showing that it is *reasonable* for me to care. Distributed.net took over 1,700 days with tens of thousands of computers to crack a 56 (or was it 64?) bit RC5 key. I am not too concerned about a thief getting my eWallet file and enlisting tens of thousands of computers over a period of years to crack my file.
People who knowingly trade convenience for an illusion of security deserve to get hacked.
Again, 128bit RC4 is NOT an illusion of security. I never said RC4=>PGP, but when it comes to practicality, it is like deciding the best way to level a mountain: do I use a 100 megaton or a 250 megaton bomb? Who cares? The mountain will survive neither. :roll:
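As an added illustration, not part of any post in this thread, the arithmetic behind the two positions above can be put side by side: Ed's fixed-hardware estimate (8 hours for RC4-40 in January 1999, scaled by the 2^88 key-space ratio, with an optional one-off "factor of 10 to 20" speedup) and TawnerX's point that attacker compute grows exponentially. The 8-hour and 1,700-day figures are the ones quoted in the posts; the 18-month doubling period is an assumption. The model covers exhaustive key search only and says nothing about attacks that exploit a cipher's internal structure.

```python
# Added example, not code from the thread. Models exhaustive key search cost
# under (a) constant attack speed and (b) attack speed doubling every N years.
from math import log2

HOURS_PER_YEAR = 365.25 * 24

# Baselines quoted in the posts above (inputs to the model, not measurements here).
RC4_40_HOURS_1999 = 8.0        # "RC4-40 was cracked in 8 hrs" (Jan 1999)
RC5_DISTRIBUTED_DAYS = 1700.0  # distributed.net effort quoted by Ed


def keyspace_ratio(bits_small: int, bits_large: int) -> int:
    """Exact factor by which the larger key space exceeds the smaller: 2^(large-small)."""
    if bits_large < bits_small:
        raise ValueError("bits_large must be >= bits_small")
    return 1 << (bits_large - bits_small)


def fixed_hardware_years(base_hours: float, base_bits: int, target_bits: int,
                         speedup: float = 1.0) -> float:
    """Years to exhaust the target key space if the attacker's speed never changes,
    optionally divided by a one-off hardware speedup (Ed's 'factor of 10 to 20')."""
    return base_hours * keyspace_ratio(base_bits, target_bits) / speedup / HOURS_PER_YEAR


def years_until_feasible(base_bits: int, target_bits: int, base_hours: float,
                         budget_hours: float, doubling_years: float = 1.5) -> float:
    """Years of exponential hardware growth (assumed: attack speed doubles every
    doubling_years) until the target key can be exhausted within budget_hours.
    Solves base_hours * 2^(gap) / 2^(t / doubling_years) <= budget_hours for t."""
    gap = target_bits - base_bits
    doublings_needed = gap + log2(base_hours / budget_hours)
    return max(0.0, doublings_needed * doubling_years)


def scaled_effort_days(base_days: float, base_bits: int, target_bits: int) -> float:
    """Same-hardware effort for a longer key, e.g. the distributed.net figure
    re-scaled from a 64-bit key to a 128-bit key."""
    return base_days * keyspace_ratio(base_bits, target_bits)


if __name__ == "__main__":
    print("2^128 / 2^40 =", keyspace_ratio(40, 128))
    print("RC4-128 at 1999 speed: %.2e years" % fixed_hardware_years(RC4_40_HOURS_1999, 40, 128))
    print("  with a 20x speedup:  %.2e years" % fixed_hardware_years(RC4_40_HOURS_1999, 40, 128, speedup=20))
    print("Doubling every 18 months, an 8-hour RC4-128 search is reachable in %.0f years"
          % years_until_feasible(40, 128, RC4_40_HOURS_1999, 8.0))
    print("distributed.net 64-bit effort scaled to 128 bits: %.2e days"
          % scaled_effort_days(RC5_DISTRIBUTED_DAYS, 64, 128))
```

The two functions answer different questions: `fixed_hardware_years` reproduces the "trillion times a trillion years" style of estimate, while `years_until_feasible` shows that under steady exponential growth the 88-bit gap is a fixed number of doublings (88 at 18 months each, i.e. 132 years) rather than a fixed amount of wall-clock time. Which model fits depends on how long the protected data has to stay secret, which is the practical point both sides of the thread make.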

TawnerX
06-01-2003, 10:56 PM
Let's put it this way,

did you or did you not think using ewallet is better than using .txt method you quoted above?

Ed Hansberry
06-01-2003, 10:59 PM
Let's put it this way,
No, let's not put it that way. You accused me of saying 128bit RC4 was superior to PGP. I didn't. And for the third time I am asking for backup from you saying 128bit RC4 is insecure. If it is insecure, I want to know, because I use it every time my browser locks in with an SSL connection. If it is secure, though not as secure as PGP, drop it. At a point, it is what is practical. ROT13 is very easy, but totally insecure and therefore not practical. 128bit RC4 is very secure, very easy because it is incorporated in many software packages that put a pretty UI on it, and therefore very practical. PGP is very secure, not easy for the average person because they won't grasp the keyring concept, public and private keys, is not, to my knowledge, incorporated into any "wallet" type software packages that make it easy to use, and is therefore less practical than a wallet type app.

Next time please read what I wrote; quit putting it another way, seeing a product mentioned that has attained cult status and defending it as if it is the end-all, be-all security system and anything less simply won't work.

TawnerX
06-02-2003, 12:05 AM
Ok, so you are not the one who said "use ewallet" instead of .txt encrypted with PGP.

Sorry my mistake, I must have read somebody else's post.

Ed Hansberry
06-02-2003, 12:21 AM
Ok, so you are not the one who said "use ewallet" instead of .txt encrypted with PGP.

Sorry my mistake, I must have read somebody else's post.
Ahhh... now I see what you are thinking. :D See http://www.datanation.com/fallacies/nonseq.htm to understand why "use ewallet or another database app to secure your data" is not the same as saying "another app's security method is superior to PGP." :way to go:

hollis_f
06-02-2003, 07:50 AM
For instance, I don't put a power-on password on my Pocket PC, because I find it irritating and it's a barrier to using my device. Even if I had one, I'd probably make it so short it would be almost useless.

Jason - have you tried Visual Key PPC (www.viskey.com)? It allows me to enter my password in a few screen taps, but it's far more difficult for anybody to guess it than a text input password.

Pony99CA
06-02-2003, 09:13 AM
For example, before I got eWallet, I used to have records for each credit card provider I had in Contacts. On the Notes page, I'd save the credit card numbers for that provider (as most providers want that number if you contact them). I never had a problem with that set up.
You never had a problem with it. But did your Pocket PC get stolen in that timeframe? :mrgreen: That's like saying your car hasn't had a problem resisting body damage falling off a cliff when you haven't yet fallen off a cliff. See how naïve your statement is?

My statement was hardly naive. My point was that security is more than just how your data is encrypted. I password protect my devices with strong passwords, so storing things as I did is relatively safe. I also keep a fairly close watch on my Pocket PC when I'm out and about. Whether my Pocket PC has been stolen or not is irrelevant to whether I feel my data is secure or not. By your definition, Ed's claim that RC4 encryption is enough is also "naive" unless his Pocket PC has been stolen. See how naive that yardstick is? :-)

But let's address accessing data. While I don't believe any of my PDAs have been stolen, when I used a Handheld PC, it's possible that I left it sitting in my office at times. During those times, it's possible that somebody could have tried to snoop through my data. So my statement about not having any problems is based on the fact that, even with that possible exposure, I never noticed any fraudulent credit card activity.

Finally, notice that I never claimed that my setup was ideal for somebody else. I was merely relating my experience that I didn't have problems. It's similar to saying that I dropped my Pocket PC and it survived the fall. I'm not saying everybody should drop theirs because they won't be damaged. Each person has to decide what works for themselves.

Security is always "enough" until the moment it's bypassed and suddenly hindsight tells you maybe you should have done something a bit better. :wink:

Of course, like maybe password protecting your Pocket PC? :-) I would rather keep all of my possessions in a fairly well-locked house than just keep my very valuable possessions in a very secure safe in an unlocked house.

By the way, that's why I think the fingerprint scanner of the HP 5450 is so good. I have a fairly strong password on my device (8 characters with mixed case and digits). However, it is a bit of a pain to input it every time I turn my device off and on, so I have a one-hour time out window. Someone could steal my device in that hour and get access to my data.

With a fingerprint scanner, I think I would have the password expire when the device is powered off, which would eliminate that window of opportunity.

Steve

ctmagnus
06-02-2003, 10:37 PM
By the way, that's why I think the fingerprint scanner of the HP 5450 is so good.

Until you manage to melt your fingerprints off, that is. :)

Pony99CA
06-03-2003, 03:31 AM
By the way, that's why I think the fingerprint scanner of the HP 5450 is so good.
Until you manage to melt your fingerprints off, that is. :)
I think you misunderstood the "thermal" fingerprint reader technology. :lol:

Steve

ctmagnus
06-03-2003, 03:54 AM
I think you misunderstood the "thermal" fingerprint reader technology. :lol:

Steve

Ah. I didn't know about the thermal part. :oops:

(It's been out as long as it has and I didn't know it was thermal? :oops: 8O :oops: Good thing I don't own one. :mrgreen: )

Pony99CA
06-05-2003, 07:51 AM
People who knowingly trade convenience for an illusion of security deserve to get hacked.
OK, I didn't respond to this at first because I would have said some really nasty stuff, but I didn't want to let it slide, either.

Tawner, nobody who is obeying the law deserves to be hacked. If you knowingly leave your car unlocked with the key in the ignition while you run into a store, do you deserve to have your car stolen? It may not be a shock if it happens, but I don't believe that anybody deserves it.

Steve