Windows Phone Thoughts - Daily News, Views, Rants and Raves

  #1  
Old 11-18-2004, 12:00 PM
Andy Sjostrom
Pontificator
Join Date: Aug 2006
Posts: 1,177
Too Much Security, Too Expensive

With my most recent mobile application development projects in mind I must conclude that "mobile security" is overrated and too expensive.

Companies spend too many resources on the security aspects in their mobile solutions without considering that the chain is not stronger than its weakest link. I am not saying that security is irrelevant. I am saying that security should be implemented at the most appropriate level with regard to each specific situation and requirement. Today it is more like: implement the most strict security level all the time and everywhere regardless of what is being protected and why. This is a waste of resources.

Why invest a fortune in time and money to make the mobile solution as safe as a nuclear bomb shelter using the latest biometrical products, strongest passwords and data/communication encrypted using the most complex algorithms if the information is not more vital for an outsider than your grocery list is? Or if the information is then stored and sent unencrypted across the public Internet from headquarters? If anyone really wanted to get at the information, wouldn't it be smarter to just then tap the headquarters than to go after the service technicians?

Back to basics: let real requirements decide.
 
  #2  
Old 11-18-2004, 12:22 PM
JvanEkris
Philosopher
Join Date: Apr 2002
Posts: 574

I agree with you that it is a bit strange to encrypt a complete device and then realize the only thing on it is a list of your friends and a lot of notes nobody will even understand.

I have the Hx4700 on review, which is pretty good in this: you can decide what is encrypted and with what encryption algorithm. However, plugging it into ActiveSync is a good way of extracting the data as well, and that is not blocked in any way.......

Biometrics sounds cool, encryption as well, but it is damn slow when you are in a hurry to make an appointment. I had turned them on, but I have turned them off one by one: it is such a drag to use (even on a 624MHz machine!).

Jaap
__________________
For getting the most out of Windows Mobile, go to our Windows Mobile WiKi
 
  #3  
Old 11-18-2004, 03:49 PM
Sven Johannsen
Editorial Contributor
Join Date: Jun 2007
Posts: 5,411

Oh my God...suggesting rational thinking at the executive and policy level...what a radical approach.

Anyone see Dilbert this past weekend? Reminiscent of several camera threads here. Scott Adams must work in the industry..he is frighteningly accurate.
__________________
Sometimes you are the anteater, sometimes you are the ant.
 
  #4  
Old 11-18-2004, 06:48 PM
manywhere
Theorist
Join Date: Dec 2006
Posts: 276

Quote:
Originally Posted by Sven
Anyone see Dilbert this past weekend? Reminiscent of several camera threads here. Scott Adams must work in the industry..he is frighteningly accurate.
That was exactly the first thing I thought of when reading Andy's post. For those who don't understand what we're talking about, here is the Dilbert from last Sunday.
 
  #5  
Old 11-18-2004, 07:14 PM
jickbahtech
Intellectual
Join Date: May 2006
Posts: 133

Just because of my line of work I'm going to have to disagree with the general point.
I work for an HP reseller, and most of our business is done through government contracts. Lately we've been very frustrated with the direction mobile computing has been headed. Now this isn't an "average user" argument, but I'm sure there are a lot of industries that could benefit from an ultra secure mobile device without cameras and cell phone capabilities (or sometimes even wireless) built into it. I know of quite a few people that would invest a lot more in mobile tech if they were built with modular capabilities (like being able to physically remove Bluetooth or Wi-Fi).

I just thought it was funny that Nuclear security was brought up, as the last order I put together was for a group working on particle accelerators. Someone working on gear like that needs a secure device (biometric, strong alpha numeric+). And not just application specific either. I would consider that individual's contact and calendar info to be very strict "need to know".
Even with what little info I deal with I have to use a 4 digit PIN on my poor old 3950. Having done so I actually do feel better about using it. The idea of losing it with all of my family and friends' contact info is a little unsettling (and ActiveSync doesn't bypass security, it holds it until the PIN is entered).
I agree with the sentiment Andy expressed "let real requirements decide", but I still feel all units should be built with the capabilities for total lock down.
 
  #6  
Old 11-18-2004, 11:02 PM
Jonathon Watkins
Swami
Join Date: Feb 2004
Posts: 4,303

Quote:
Originally Posted by manywhere
Quote:
Originally Posted by Sven
Anyone see Dilbert this past weekend? Reminiscent of several camera threads here. Scott Adams must work in the industry..he is frighteningly accurate.
That was exactly the first thing I thought of when reading Andy's post. For those who don't understand what we're talking about, here is the Dilbert from last Sunday.
Very funny cartoon indeed. I was wondering whether to draw folks' attention to it, but you beat me to it.

Yup, appropriate security is the ideal, but so many folks try to cover their butts by ticking every security option box when specifying systems. "It's not my fault. I ordered high security". :?
 
  #7  
Old 11-18-2004, 11:39 PM
JvanEkris
Philosopher
Join Date: Apr 2002
Posts: 574

Quote:
Originally Posted by JickBahTech
I just thought it was funny that Nuclear security was brought up, as the last order I put together was for a group working on particle accelerators. Someone working on gear like that needs a secure device (biometric, strong alpha numeric+). And not just application specific either. I would consider that individual's contact and calendar info to be very strict "need to know".
I used to work in the nuclear industry, as well as in air traffic control systems and in safety-critical storm-flooding barriers (I'm a specialist in safety-critical systems). I have a different opinion. It is outright paranoia striking there. You have to remember that data without context is nothing. And even then. 10 years ago we all used those idiotic filofaxes, that got stolen or lost at the most inconvenient times. Nobody cared then, nobody cares about them now.

The fact that an event/appointment takes place with a certain agenda does not make it a breach of security. Just to see what it said on the days I worked there, I looked it up. It is so cryptic that without thorough knowledge of the system, you can't make heads or tails of it. After 5 years I myself can only understand half of it, although it used to make a lot of sense at the time. Most of the time it is "meeting with so and so regarding pressure valve controller x-z-u" or "safety test of controller y in area DECO". No deep technical details, an agenda or small notes at most. 99% of these locations were in secured areas anyway, so no need to keep it secret. Because if you knew that things were going to happen, you could not do anything anyway. Colleagues at my company could read those appointments as well (that is what groupware is for). That is the daily practice of life.

Encrypting contacts is just outright idiotic. The fact that I know/have access to certain people has absolutely no value. Most key players in those industries/research facilities have familiar names and faces. Almost everybody knows them. Most people are in the company phone directory anyway, or can be easily found by calling the front desk of the company. If you steal my mobile phone you not only get the same information, but also get to see when I called them and for how long! That is perhaps more interesting. But nobody even thinks of encrypting a mobile phone because it is so irritating when I have to call somebody.

I do say there are some jobs where encryption of this information could be vital. Basically that is the group of operational officers of intelligence services, where names and dates are considered classified. But I think it is plain wrong to make this the standard for the 99,9% of the rest of the world. In business sometimes there are some specific files that should be encrypted (like strategies or new product ideas etc.), but that can easily be solved by other means than biometric equipment.....

Jaap
__________________
For getting the most out of Windows Mobile, go to our Windows Mobile WiKi
 
  #8  
Old 11-19-2004, 06:53 PM
jickbahtech
Intellectual
Join Date: May 2006
Posts: 133

I do agree that some people do go overboard, but I still believe tools need to be in place for whatever level of security one might need.

Filofaxes are one thing, and PPCs are a totally different kind of beast entirely. A single piece of info by itself probably isn't very valuable, but someone's calendar for the year, with tons of notes or docs or spreadsheets, with a couple memos and some email, and now you're looking at a mass of info. Most won't be able to make heads or tails of it, but some industrious few might, and that's the rub. You're not guarding against Joe Public, but the few that might gain some knowledge.

For example, part of our sales team was in high panic about a month ago when one of our VPs accidentally left his iPAQ at a vendor conference. It was full of sales info, and manufacturer contacts, plus a few pricing sheets for Govt. contracts. Exactly the wrong info to give away for free at a conference where competitors would be. As this guy was "very important" he couldn't be bothered to use anything to secure his PDA.

I think Biometrics are the perfect solution for mobile computing. The 5550 has become an invaluable unit for sales, as you just have to swipe a finger over a strip. Tell someone they have to enter a strong alphanumeric with a stylus and their eyes glaze over. In my line of sales, we won't sell as many 4700's as we did 5550's for that very reason. Convenience.

Some people go overboard on security, but we should be making it easier for dumb people to use (like self important VPs). We shouldn't be removing tools. I see that as a step backwards.
 
  #9  
Old 11-19-2004, 09:54 PM
Sven Johannsen
Editorial Contributor
Join Date: Jun 2007
Posts: 5,411

Quote:
Originally Posted by JickBahTech
It was full of sales info, and manufacturer contacts, plus a few pricing sheets for Govt. contracts. Exactly the wrong info to give away for free at conference where competitors would be.
Someone enlighten me as I don't use a password on my PPC and haven't played with the biometric ones. I supposed that the biometric reader essentially replaces the PIN/Password screen.

Does this protection on a PPC secure the files on an SD or CF card, or just access to the device as a whole? I understood that I could typically just take the flash card out and throw it in a reader. That's where I expect the exec's files were anyway, except for the contacts. I understand there are third party options to encrypt removable media, but the standard stuff doesn't do any of that, right?
__________________
Sometimes you are the anteater, sometimes you are the ant.
 
  #10  
Old 11-19-2004, 10:35 PM
Phoenix
Sage
Join Date: Aug 2006
Posts: 810

Jvan and JickBah - good points all around.

I do think biometric fingerprint readers should be integrated into all laptops, handhelds, and smartphones. That way, if you need it, it's there. If you don't, then no big deal.
 