<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
<font face="Arial">Paul/Marc,<br>
<br>
Well, this is the kind of feature that Nokia should put into the base
product
along with a data/file encryption option (kind of like the Encrypting
File System aka EFS feature in Windows 2000/XP Pro/Vista). With EFS
selected files are
automatically encrypted/decrypted by the filesystem using keys that are
specific to the logged-in user.<br>
<br>
Maybe the solution is to have a suite of security apps that can be
optionally enabled to allow the corporate user and his/her sysadmin to
achieve a higher level of security for the data on these devices. I
could foresee the following:<br>
</font>
<blockquote>
<ol>
<li>Stateful in/out firewall (already discussed on this list)<br>
</li>
<li>Remote device disable/wipe</li>
<li>File Encryption</li>
<li>SSL VPN client compatibility. <br>
</li>
</ol>
</blockquote>
With respect to item 4 I can even think of one particular supplier's
SSL VPN concentrator product family to consider here for
integration/compatibility, the Nokia 50s/60s/100s/500s:<br>
<blockquote><br>
<a class="moz-txt-link-freetext" href="http://europe.nokia.com/A4153103">http://europe.nokia.com/A4153103</a><br>
<br>
</blockquote>
In fact the data sheet even mentions "mobile devices" access.<br>
<br>
<blockquote>"Since deploying laptops to the bulk of<br>
employees could be cost-prohibitive<br>
especially in a small business environment,<br>
Nokia SSL VPN offers support for a wide<br>
range of remote devices from company<br>
issued laptops to personal PCs <b>and<br>
handheld devices</b>."<br>
</blockquote>
<blockquote><br>
<a class="moz-txt-link-freetext" href="http://europe.nokia.com/NOKIA_BUSINESS_26/Europe/Products/Security_Products/Nokia_SSL_VPN/Nokia_50s/nokia_sslvpn_50s_datasheet_emea.pdf">http://europe.nokia.com/NOKIA_BUSINESS_26/Europe/Products/Security_Products/Nokia_SSL_VPN/Nokia_50s/nokia_sslvpn_50s_datasheet_emea.pdf</a><br>
</blockquote>
<div class="moz-signature">
<p>Best Regards,</p>
<p>John Holmblad</p>
</div>
marc zonzon wrote:
<blockquote
cite="mid71295b5a0702240613x65ae6fa6re259d1e97d0bf04f@mail.gmail.com"
type="cite">On 2/22/07, Paul Klapperich <a class="moz-txt-link-rfc2396E" href="mailto:maemo.org@bobpaul.org">&lt;maemo.org@bobpaul.org&gt;</a>
wrote:
<br>
<br>
<blockquote type="cite">You could setup pubkey authentication on your
home ssh server. Then you
<br>
could add a script to the device such that when it connects it runs
<br>
something like:
<br>
ssh -n -R2022:localhost:22
<br>
<br>
</blockquote>
Good idea, as your ssh is an outbound connection the local firewall
<br>
may accept it. But your command is incomplete, we must have something
<br>
like:
<br>
ssh -n -R2022:localhost:22 <a class="moz-txt-link-abbreviated" href="mailto:myusername@myserver.com">myusername@myserver.com</a> sleep 3600
<br>
and you must be sure that the public key of the nokia user is accepted
by
<br>
<a class="moz-txt-link-abbreviated" href="mailto:myusername@myserver.com">myusername@myserver.com</a>
<br>
It would be helpful to replace sleep by a script that warns you, then
sleeps
<br>
<br>
<blockquote type="cite">Then on your local computer you could "ssh
user@localhost -p2022" to connect
<br>
into your device whenever it's on the internet, regardless of where
it's
<br>
connected from. You could manually erase the data, something like:
<br>
for i in /home/user /media/mmc1 /media/mmc2; do
<br>
rm -rf $i
<br>
done
<br>
</blockquote>
<br>
We can do it like that but it might be frustrating when you miss the
<br>
connection, or when it is interrupted before you finish, ...
<br>
I think this can only be an add-on to the second option.
<br>
<br>
<blockquote type="cite">Another trick I've used--actually to update
computer labs--is to keep a
<br>
script on your server, then have the device use scp to copy that script
from
<br>
the server and run it whenever it connects. In my case, the script was
<br>
simple. In your case the script would do nothing. To nuke your Nokia,
<br>
replace it with one that erases stuff. This will get it the next time
it
<br>
connects and wouldn't require you to know when the device connects.
<br>
</blockquote>
<br>
That's fine, we use the same "download at boot and execute" to keep our
<br>
clients up-to-date. We just need to find how the script can be
<br>
triggered when the tablet connects to the internet (must not be difficult,
<br>
but I have not looked upon the tablet networking). Your emergency
<br>
script can of course erase sensible data but also add a startup
<br>
service in /etc/init.d that shuts down the tablet if some special action
<br>
(say use some key) is not triggered. Making the use of the tablet
<br>
impossible except for you without reflashing.
<br>
<br>
Better than scp you can download the script from an httpd server using
<br>
netcat, because outbound HTTP connections on port 80 are always open on
<br>
any
<br>
access point your tablet may use.
<br>
<br>
<blockquote type="cite">Other options would include writing a log
file to your home machine with the
<br>
IP connecting from. This could be used to track your device so you
might be
<br>
able to help the police recover it. Or you could delete important system files
and
<br>
your personal data to make the device worthless without a reflash.
<br>
</blockquote>
<br>
Too complicated, just mail a message when you connect "I'm connected
<br>
from ip n° xxx.xxx.xxx.xxx gateway xxx.xxx.xxx.xxx", if you have
<br>
traceroute you can even traceroute to a known point to help locate the
<br>
device. But I suppose it's of no use, some people complain that the
<br>
police are not even looking for their stolen child, what do you expect
<br>
for your tablet!
<br>
<br>
<br>
At this point I'm wondering if it is not an option to put on our tablet
<br>
(at least when we are on the go), this "shut down if not
<br>
authenticated" service.
<br>
Of course the tablet policy forbids authenticating as user before
<br>
logging in, because the second part of the boot process is done as
<br>
user. But why not put a simple query that the user must answer during
<br>
the first 5 min of connection? A startup script may pop up a window and
<br>
shut down the device if not answered. If you keep ssh access to user
<br>
or root you have some emergency solution if ever you forget the
<br>
password.
<br>
<br>
Marc
<br>
_______________________________________________
<br>
maemo-developers mailing list
<br>
<a class="moz-txt-link-abbreviated" href="mailto:maemo-developers@maemo.org">maemo-developers@maemo.org</a>
<br>
<a class="moz-txt-link-freetext" href="https://maemo.org/mailman/listinfo/maemo-developers">https://maemo.org/mailman/listinfo/maemo-developers</a>
<br>
<br>
</blockquote>
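Marc's "download at boot and execute" idea, and Paul's scp variant before it, make the tablet run whatever script it fetches on every connect; over plain HTTP that means any access point on the path could hand the device a script of its own. The following sh script is an added example, not code from this thread or from Maemo: it keeps the fetch-and-run mechanism but refuses to execute a fetched script unless its HMAC-SHA256 (produced by the owner's server with a secret shared with the tablet) checks out. It assumes openssl and wget are installed; the server URL and key path are placeholders.

```shell
#!/bin/sh
# Added example: "download at boot and execute" with an authenticity check.
# The owner's server publishes emergency.sh plus emergency.sh.mac, the hex
# HMAC-SHA256 of the script under a secret only server and tablet hold.
# A rogue access point can still serve a script, but cannot forge the MAC,
# so the tablet never executes anything that did not come from its owner.
# Assumptions: openssl and wget exist; KEYFILE and URL are placeholders.

KEYFILE="${KEYFILE:-/etc/emergency/hmac.key}"   # shared secret, root-only, mode 0600
URL="${URL:-http://myserver.example/emergency}"  # placeholder for the owner's server

# hmac_of FILE KEYFILE: print the hex HMAC-SHA256 of FILE under the key in KEYFILE.
# (The key goes on openssl's command line, acceptable on a single-user tablet.)
hmac_of() {
    openssl dgst -sha256 -hmac "$(cat "$2")" "$1" | awk '{print $NF}'
}

# verify_script SCRIPT MACFILE KEYFILE: succeed only if MACFILE holds the right MAC.
# Fails closed: if openssl is missing the expected value is empty and nothing runs.
verify_script() {
    expected=$(hmac_of "$1" "$3")
    got=$(tr -d ' \r\n' < "$2")
    [ -n "$expected" ] && [ "$expected" = "$got" ]
}

# run_if_authentic SCRIPT MACFILE KEYFILE: execute the script only after it verifies.
run_if_authentic() {
    if verify_script "$1" "$2" "$3"; then
        sh "$1"
    else
        echo "emergency: refusing to run script, HMAC mismatch" >&2
        return 1
    fi
}

# fetch_and_run: the connect hook. Downloads both files into a private temp dir,
# verifies, runs, and cleans up. (Needs the network, so not exercised offline.)
fetch_and_run() {
    tmp=$(mktemp -d) || return 1
    wget -q -O "$tmp/emergency.sh" "$URL/emergency.sh" &&
        wget -q -O "$tmp/emergency.sh.mac" "$URL/emergency.sh.mac" &&
        run_if_authentic "$tmp/emergency.sh" "$tmp/emergency.sh.mac" "$KEYFILE"
    rc=$?
    rm -rf "$tmp"
    return $rc
}
```

The server side produces emergency.sh.mac with the same openssl command over the script it publishes; anyone who can read hmac.key can forge scripts too, so it must stay root-only on the tablet.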
</body>
</html>