“A nearly impenetrable thicket of geekitude…”

Anti-security from Palm Europe

Posted on June 1, 2003 at 12:43

Security problems are usually built right into products and called “features”. Sometimes, though, the vendor provides them free of charge as an after-market upgrade. This particularly egregious example comes from Palm Europe.

Because I went to the trouble of registering my Palm m505 when I bought it, I regularly receive newsletters from Palm Europe advertising new models and giving useful little usage hints. Most of the time, these are quite innocuous if you don’t count the tendency I have to drool on the keyboard whenever Palm bring out yet another exquisite techno-toy.

This week, I received just such a newsletter, this time talking about the new Tungsten C and Tungsten W models. Both of these have the usual wallet-endangering combination of high price tag and desirable features I fear most, but I managed to nail my credit card down for long enough to reach the “Hot Tip” section at the end. I can do no better than to quote directly from the newsletter here:

When entering your password (see How To), it is displayed in plain text, which anyone can read. The longer your password, the more time the person has to read and memorise it. One way to prevent this is to assign a shortcut to your password.

The article proceeds to describe how you can simplify all that annoying entry of long secret passwords by assigning the shortcut squiggle SS to it. This is, to say the least, rather a bad idea, particularly if everyone who reads this tip sets up their password shortcut according to the example. After all, this will mean that all of those people have effectively changed their password to squiggle SS. In addition, the theoretically readable tiny black characters in the password have been exchanged for the squiggle SS gestures with the pen, which are probably “shoulder surfable” from a greater distance.

What makes this security blunder particularly irritating to me is that it comes at the end of a long newsletter devoted mainly to positive security, with a subject line of “New Palm Tungsten C delivers iron-clad security”. Well, that subject line may be true in some sense, but anyone following the “Hot Tip” is pretty much negating any security the hardware provides.

Tags: