Of PDAs, Expectations and Underpants

Jan 18 2007

My local Office Depot offers drop-off recycling services for computers, monitors, and small electronics. Unlike prior offerings of the same, this one you pay for. Buy the size box you need (which includes a pre-paid recycling fee), take it home, fill it up, and return it whenever you want. Compared to what I’ve paid elsewhere it’s a pretty good deal, so I recently bought a few.

While rummaging through my gadget graveyard I came across a couple of old Palm PDAs. After tossing them into a box it occurred to me that their flash RAM conceivably might hold semi-sensitive information. I had used a data encryption tool on at least one, and for all I knew its encryption mechanism was cracked five years ago. And since both had died sudden deaths, I hadn’t even been able to delete the data let alone properly wipe it.

Grumbling to myself, I came up with three options: trash the flash, smash the flash, or perform flashectomy.

Considering the risk, my first inclination was the first - leave them in the box and take my chances. But I could just see Jiminy Cricket tattling to my friend Simson Garfinkel - who certainly knows better - in the middle of our next handshake.

The sledgehammer method also sounded good - ok, easy - but left me wondering if circuit board powder was recyclable. And if Jiminy would have to ask Bambi to find out.

So I did what any other security geek with a moral compass would do - I grabbed my T4 screwdriver and my camera.


Now, about hardware. Twenty years ago I spent a few years developing software for the nuclear industry. Embedded systems that monitored ambient radiation inside power plants, that type of thing. These were custom real-time operating systems that hugged hardware at the level of metal. Despite being a software diehard I learned a few things about hardware. Not that it did me any good on this occasion; after opening these two Palms I didn’t have a clue about what was what.


Truthfully, I never really expected to. Just like I never expected to destroy whatever data remained on the flash. Which drives to the heart of my point.

Securing information isn’t hard. It’d be nice if it was just hard. It’s too damn hard. And much of the culpability lies with - hold your hat - those who expect security. In this case, that was me.

See, I volunteered my money to get these devices. I volunteered a lot of my time to load them with names, addresses, phone numbers, and calendar appointments. At the time I bought them I had no expectation they’d be good padlocks. They weren’t designed for that. Yet in first sensing my dilemma my gut reaction was to blame Palm. Why? Probably because nowadays everybody expects PDAs to be good padlocks. Expectations have changed. Yet it’d be silly for me to hold Palm retroactively accountable for my old purchases.

But in reality we do that all the time. You probably see that in the microcosm of my Palm story, but I wonder if you see it in the technology macrocosm, where (IMHO) we unjustifiably curse our unmet expectations under the guise of “security problems” billions of times per day.

In my experience this is one of our single greatest obstacles to achieving real security. I’ll give explicit examples of what I’m talking about in the near future. But in the words of Dav Pilkey of Captain Underpants fame, before I can tell you that story, I have to tell you another one first. Better make that several. Stay tuned.

Oh - about those Palms. They got boxed and sent same as if they hadn’t distracted me.


Posted by Larry J. Hughes, Jr. on Thursday, January 18th, 2007, at 3:47 am, and filed under Articles.
