POWER USER

PDAs are petite, but security worries are X-large

John McCormick

As prices plunge for personal digital assistant devices, agencies are starting to buy in. PDAs can be fantastic tools, and I myself carry one everywhere, but I'm acutely aware that they're a first-class security headache.

If you don't have a PDA yet, just think of what you would probably load onto it. Home phone numbers for everyone in your work group. Those ever-changing passwords. The boss's home address. Network configuration data. Radio frequencies. Meeting schedules.

Depending on your job, you probably would store anything on your handheld that you need to keep handy, even confidential or secret information. As recent FBI and State Department revelations showed, even large, expensive notebook PCs can disappear without a trace. How much more likely are inexpensive PDAs to wander off?

Personally, I think they should come with a small metal security loop to attach to a belt or key chain. But that's too geeky for most people, so encryption and other protection schemes are necessary.

Some vendor eventually will add a fingerprint reader or DNA sampler to PDAs, but until that happens they are vulnerable. And now that they cost less than $200, many more people will be carrying them around than ever took work home on notebook PCs.

It makes as much sense for clerks and secretaries to have PDAs as managers. As more users start to synchronize their PDAs with both home and office PCs, more confidential information will be sitting on home hard drives, not merely those owned by former U.S. intelligence chiefs.

The first step in protection is to make PDA security part of the standard electronic security manual that, with any luck, is already being enforced in your office.

Someone in authority must decide what categories of information should never be placed on a PDA, even though enforcing such rules will probably prove impossible.

Agencies also should standardize on some sort of encryption software for their users' PDAs.
A password is not enough to protect a Palm OS device.

The Palm Development Tool Guide, downloadable from www.palmos.com, describes how to use a serial port connection (not the Universal Serial Bus sync cradle) to access the debugger mode on most Palm OS devices. That mode gives code-level access to any data stored on the handheld. The latest OS version has security tools but is still far from what I would call secure.

One security tool to consider is the $30 PDA Defense application, formerly known as PDABomb, from Asynchrony.com of St. Louis, at www.pdabomb.com. If someone enters the wrong password on a PDABomb-protected device, the memory gets wiped.

Ilium Software of Ann Arbor, Mich., at www.iliumsoft.com/wallet.htm, makes several versions of its $30, 128-bit RC4 eWallet encryption software. This simple database tool creates Rolodex-type records and encrypts any personal identification numbers or passwords.

CodeWallet from Developer One Inc. of Greendale, Wis., at www.codewallet.com/cw/home.htm, works in the same way for PDAs running Microsoft Windows CE.

Other encryption programs are available, but none of them meets strict criteria for government security. It's up to the users to watch their PDAs carefully, both the device itself and what goes into it.

A virus could travel through the infrared port, so virus protection is necessary if you don't disable the port. There might even be a way to transfer a PC virus from PDA to PDA, then infect a network during the next sync.

Fortunately, I've heard no reports of that happening yet.

Don't let security concerns scare you or your office out of adopting PDAs into your information management system. They're a great tool even if they're a hassle to secure. At least they're under your physical control, unlike the wireless networks that are about the only alternative for users who need quick access to data on the move.

John McCormick is a free-lance writer and computer consultant. E-mail him at poweruser@mail.usa.com.
