[NBLUG/talk] How do you handle physical device passwords?

Rick Moen rick at linuxmafia.com
Mon May 8 13:30:38 PDT 2017


Quoting Jordan Erickson (jerickson at logicalnetworking.net):

> Not exactly "non-password method", but as I've mentioned before I carry
> around a Palm Pilot with most of my truly sensitive information in it.

If you don't know of and use it yet, you need to acquire and try out
Keyring for PalmOS, an open-source 3DES-encrypted database for
passwords, other security tokens, and other sensitive bits of data.
http://gnukeyring.sourceforge.net/

If you find that useful, be aware that J-Pilot
(https://en.wikipedia.org/wiki/J-Pilot), the GTK+-based front-end
graphical 'desktop' application for pilot-link, includes a conduit that
permits you to get access to Keyring data in your backup sets.

I still use this combination to hold my sensitive data in an airgapped
(but backed up) PalmOS PDA.  If you never use the (conduit-based) access
from J-Pilot, then the threat model is very well-mapped and manageable,
indeed.  Any time you use the desktop access, you are of course taking a
risk that your host running the software has a security problem, but at
least you would be doing so mindfully.

Although all remaining PalmOS PDAs are now comically antique, they have
the advantage that, in standalone operation, they're a bit too dumb to 
have much of a threat surface (especially if you don't enable networking
and don't install a lot of weird-ass apps).  When being backed up, you
are merely doing a USB file copy over pilot-xfer, which I don't think
gives much access to the machine especially given its single-tasking
nature.  So, crude and simple has its advantages.

> IMHO there's nothing like a truly disconnected device in today's world.

Amen to that.

