ECW18

Office Futures

Issue 18
3 March, 2002

Anyone keeping an eye on British politics will no doubt be amused by the rumpus over Stephen Byers, the Transport Minister, and Jo Moore. This began on 11 September, when Ms Moore suggested in writing that it would be a good day to “bury” some unpalatable news about the Government. (A small prize to anyone who can remember what that news was. She has succeeded, although her victory is Pyrrhic.)

At the time, Jo Moore was Mr Byers' “special adviser”. Otherwise known as spin doctors, these advisers are neither fish, flesh nor good red herring, being henchpersons directly appointed by politicians to protect their interests, especially their public image. They are not elected nor are they civil servants. According to the BBC, there are over 80 of these creatures patrolling the corridors of power.

The British national press immediately succumbed to one of its fits of public rectitude and called for her dismissal. Since most of the British press is owned by a handful of rich men who use every possible means to obscure bad news about themselves, this made the humour of the situation black indeed.

What most of the press is ignoring is the way in which the British government is, as I mentioned in ECW16, exploiting the opportunities created by the events of 11 September to pass spook-friendly and, mainly, business-friendly legislation. You may have your own theories on this -- is the Byers/Moore affair too juicy, do they think the larger matter too complicated or insufficiently newsworthy for their readers, are their owners beneficiaries of the new legislation, or some mixture of these?
Before I get on to how this legislative opportunism is working in Britain and elsewhere in Europe (next issue -- Scout's honour), I want to stay with the USA. I do so because there are heartening signs of rucks and gaps appearing in the wall-to-wall patriotism that has smothered American public discourse until now. Among these is the speech made last month by Congressman Dennis Kucinich, a Democrat, of course. Called “A Prayer for America”, it begins:

Let us pray that our nation will remember that the unfolding of the promise of democracy in our nation paralleled the striving for civil rights. That is why we must challenge the rationale of the Patriot Act. We must ask why should America put aside guarantees of constitutional justice?

About time, too.

For ECW, our feature this issue is a contributed article on security and PDAs. Although mainly about the problems for corporate data centres when company computers are mislaid, this has direct application to electronic commerce. If that PDA contains links to your company's purchasing system, the ability it gives the thief or finder to order, say, three printer cartridges for delivery to you will be of little benefit to him or her. The possibility of causing mischief is another matter. What if that order were for three hundred cartridges, for example? If the PDA contained the logon details to an external supplier, your company could be caused public embarrassment as well.

Regards,

Roger Whitehead

*****

PDAs: Who's got their hands on your crown jewels?

Apple invented the Personal Digital Assistant (PDA)[1] market with the Newton, announced in 1992[2]. Manufacturers and buyers have ever since been struggling to work out quite how this niche hardware area fits in with the general scheme of things. And, as laptops have become ever smaller, more powerful and more capacious, market confusion about the role of PDAs has intensified.

Are PDAs simply trendy electronic filofaxes for macho gadget-freaks who wouldn't be seen dead writing a lady's phone number on a handy beermat with a dead match? Or are they detachable but integral parts of a corporate desktop-based environment, preventing staff from having to leave important data behind when they leave the office for a meeting?

The argument has been raging for a long time, but recently it seems to have finally been settled. PDAs are corporate tools, and not for use by home users or hobbyists. Psion finally accepted this last year, when it announced plans to stop developing and marketing devices for the home market. Other leading PDA makers, such as Compaq and Palm, have always been happy to sell one-off machines to end users but have concentrated their sales efforts on the corporates. Bulk deals reduce the cost of sales.

It's certainly true that a PDA is a must-have adjunct to a desktop PC for anyone who makes regular use of computerised email and diary products such as Exchange or Lotus Notes. Without a PDA to slip into your shirt pocket or handbag before you leave the office, access to your diary, contact database or to-do list while in a meeting or at a social event is simply impossible. And when you get back to the office, you simply pop the PDA into its cradle and all those appointments you made while you were out get merged back into the main system.

But the recent positioning of PDAs as a tool for corporate users poses a big problem, namely one of data security and confidentiality. By their very definition, PDAs will contain useful and important data and thus become attractive to thieves. IT security managers, who pride themselves on imposing strict rules to protect company data when it's on the corporate network, are powerless to act once the data is copied to that shiny black or silver device and taken off site.

Unauthorised possession of a PDA also poses another important risk. Companies are moving away from reliance on passwords for network logins, in favour of biometrics and hardware tokens. In some cases, the PDA becomes the hardware token, and this is a growth area. After all, why buy added hardware tokens and go to the expense of managing their distribution to staff when each employee already has a PDA able to run software letting it act as a login token too?

A thief who steals a PDA and manages to gain access to its data will typically find spreadsheets, lots of email, important notes, and hundreds of contact details of clients and staff. If the thief is smart, this information might well find its way to commercial competitors of the PDA owner's employer. Besides the obvious problem, there are some unobvious ones too. The PDA's owner, and the directors of the company, may well be liable under the Data Protection Act for failing to take reasonable steps to protect the personal information.

Some companies have more reason to worry than most. The BBC, for example, has recently started an 18-month programme to standardise on one single PDA platform for all staff. This will help IT security personnel issue a single, controllable, secure platform to ensure that data on staff PDAs remains confidential. The BBC is worried, and rightly so, about the implications of its journalists' contact databases falling into the wrong hands. As, no doubt, are the country's senior politicians and other public figures.

PDAs are not going to go away. Companies like Palm are spending millions developing the next generation of pocket-sized hardware and software. Microsoft, too, with its Windows CE and Pocket PC platform, is keen on enlarging its slice of the market. The third-generation mobile phones, known as 3G, will see further merging of the phone and PDA hardware, and Microsoft's new .NET software development platform will allow even more companies to develop portable versions of existing applications.

PDAs are sexy. They look great, they feel great and they're easy to use. But if you're looking to get some for your company, or to replace the ones you already have, remember that beauty isn't just skin-deep. Look deeper and find out about the security features of the machine. All PDAs have password-protection of their data, but just how secure is it? Try a Web search for terms such as "password crack"[3], for example. See how easy it might be for a thief or hacker to find out how to break into a PDA he's just stolen from one of your staff.

The next version of Palm's PDA operating system will feature biometric voice security, so users can simply speak their password into the device to wake it up. But does this count as improved security, or admission by Palm that security on PDAs is nothing more than fun and a novelty? If your PDA of choice doesn't have enough security out of the box, all is not lost. Many companies sell bolt-on products which provide major PDAs such as Palm and PocketPC with industrial-strength access control and encryption on a par with the products available for desktop PCs and laptops. These include features such as 128-bit encryption and an automatic lockout after three wrong passwords. So if you're equipping staff with portable extensions of their office PC, you have to build in security. A hacker who gains physical access to a desktop PC only has a couple of minutes to attack its contents before being discovered. Someone trying to crack a stolen PDA has all the time in the world to discover your corporate crown jewels - but at what cost to you and your company?
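The paragraph above draws the line between a PDA whose password merely gates the screen and one whose data is actually encrypted with an attempt-limited lockout. The following is an added illustration, not code from the article or from any PDA vendor: a toy model of both designs, using PBKDF2 for a 128-bit key, an illustrative SHA-256 counter-mode keystream standing in for a real cipher, a password verifier, and a wipe after three wrong passwords.

```python
import hashlib
import hmac
import os

# Constructed sample data standing in for a contacts database.
CONTACTS = b"Alice Example, 01234 567890; Bob Example, 01234 098765"


class UiGatedPda:
    """Password only gates the user interface; storage holds plaintext."""

    def __init__(self, password: str, contacts: bytes):
        self.password = password
        self.storage = contacts  # readable by anyone who dumps the memory


def derive_key(password: str, salt: bytes) -> bytes:
    # 128-bit key from the password (PBKDF2 is an assumption for illustration).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=16)


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Illustrative counter-mode keystream built from SHA-256, not a production cipher.
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + offset.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


class EncryptedPda:
    """Data at rest is ciphertext; three wrong passwords wipe the device."""

    MAX_ATTEMPTS = 3

    def __init__(self, password: str, contacts: bytes):
        self.salt, self.nonce = os.urandom(16), os.urandom(16)
        key = derive_key(password, self.salt)
        self.verifier = hmac.new(key, b"verify", "sha256").digest()
        self.storage = keystream_xor(key, self.nonce, contacts)
        self.failures, self.wiped = 0, False

    def unlock(self, password: str):
        if self.wiped:
            return None
        key = derive_key(password, self.salt)
        candidate = hmac.new(key, b"verify", "sha256").digest()
        if not hmac.compare_digest(candidate, self.verifier):
            self.failures += 1
            if self.failures >= self.MAX_ATTEMPTS:
                self.storage, self.wiped = b"", True  # lockout: destroy the data
            return None
        self.failures = 0
        return keystream_xor(key, self.nonce, self.storage)
```

A thief with a UiGatedPda never needs the password; with the EncryptedPda the stored bytes are useless without it, and the wipe removes the "all the time in the world" advantage.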

1.  PDA = a hand-held computer with a keyboard too small for use by touch-typists. These days, PDAs come with styli for freehand writing, people preferring to get their RSI from texting.
2.  Ken Polsson's Chronology of Handheld Computers says that the Amstrad Pen Pad PDA600 shipped at least five months before the Newton -- but who now remembers that? A stronger claimant for the first popular PDA is the Psion 3, launched in 1991. See http://www.islandnet.com/~kpolsson/handheld/ for more.
3.  Searching on that exact phrase got 24,400 hits in Google, of which it rated 86 really relevant. AllTheWeb offered 2,197 in English, with no relevance indication. Enough between them to find a way into most unprotected PDAs, at any rate.

This article is based on original material by Magnus Ahlberg, managing director of Pointsec Mobile Technologies, a supplier of security products (see http://www.pointsec.com). Our thanks go to him. To contact Magnus, telephone 01223 451 251 or email magnus.ahlberg@pointsec.com.


*****

About eComWatch
eComWatch is edited and published by Roger Whitehead and Christopher Ogg. Copyright Roger Whitehead and Christopher Ogg, 2002. eComWatch may be circulated freely in its original format with copyright notice intact. For permission to reproduce any article,