 
Captain Ned
Global Moderator
Topic Author
Posts: 28704
Joined: Wed Jan 16, 2002 7:00 pm
Location: Vermont, USA

FIPS 140-2 Compliant Phones

Mon Apr 22, 2013 9:30 am

Anyone know where there's a good list of these? New standards coming down for hooking personal phones to office e-mail and 140-2 compliance is mandatory. The only phones I've found so far that comply are the Samsung Galaxy S2 and S3, as well as the Blackberry Z10.
What we have today is way too much pluribus and not enough unum.
 
Captain Ned
Global Moderator
Topic Author
Posts: 28704
Joined: Wed Jan 16, 2002 7:00 pm
Location: Vermont, USA

Re: FIPS 140-2 Compliant Phones

Tue Apr 23, 2013 5:43 pm

Bueller, Bueller?

I can't be the only one in this pickle. Feel free to PM if worried about attribution.
What we have today is way too much pluribus and not enough unum.
 
sid1089
Gerbil Team Leader
Posts: 290
Joined: Wed Jul 26, 2006 4:56 am

Re: FIPS 140-2 Compliant Phones

Tue Apr 23, 2013 5:54 pm

FIPS 140-2 ?

What is this I don't even
Carpe diem quam minimum credula postero
 
Captain Ned
Global Moderator
Topic Author
Posts: 28704
Joined: Wed Jan 16, 2002 7:00 pm
Location: Vermont, USA

Re: FIPS 140-2 Compliant Phones

Tue Apr 23, 2013 6:00 pm

sid1089 wrote:
FIPS 140-2 ?

What is this I don't even

An information security standard. I'll not even start with Level 1 v Level 4.

http://en.wikipedia.org/wiki/FIPS_140-2

In short, the boffins that run my employer's e-mail system came out with a policy stating that any mobile device that connects to the Exchange server must meet FIPS 140-2 and have AES256 encryption on anything that came from the server. Given my day job it's perfectly clear that said boffins simply regurgitated some "industry standard" without taking any time to find out exactly what devices meet the specification they're pushing down. My Googles have found 3 handsets and 1 tablet that meet the spec. None of them run iOS and Apple does not have a single device cleared under 140-2 that I can find. I despise Apple (take it to another thread), but living in the hippie homeland of Vermont I must acknowledge that the vast majority of smartphone owners love their fruit.

My life was driven by my Outlook calendar, and it's now lost to my phone. Since my old Droid Global 2 cannot meet the FIPS 140-2 spec I've been forced to delete my work e-mail account from the phone. The boffins who implemented the policy obviously did so without even assessing exactly what phones would meet the new standards, unless of course Blackberry paid them off to force purchases of Z10s.
What we have today is way too much pluribus and not enough unum.
 
keltor
Gerbil First Class
Posts: 180
Joined: Thu May 10, 2012 4:29 pm

Re: FIPS 140-2 Compliant Phones

Tue Apr 23, 2013 7:41 pm

http://csrc.nist.gov/groups/STM/cmvp/do ... al-all.htm

That is ALL FIPS140-2 compliant devices.

The only devices are the 2 Samsung phones, certain LG devices, the Nexus S, the Motorola Business Ready devices, and oh yeah EVERY SINGLE DEVICE USING OPENSSL, which is to say, all of them.

FIPS140-2 doesn't really say what they "think" it says. None of the data is encrypted on the devices except the Motorola Business Ready phones, Blackberries and iPhones.
 
bthylafh
Maximum Gerbil
Posts: 4320
Joined: Mon Dec 29, 2003 11:55 pm
Location: Southwest Missouri, USA

Re: FIPS 140-2 Compliant Phones

Tue Apr 23, 2013 7:47 pm

What do the higher-ups have? One assumes that being a vice-president doesn't exclude one from compliance.
Hakkaa päälle!
i7-8700K|Asus Z-370 Pro|32GB DDR4|Asus Radeon RX-580|Samsung 960 EVO 1TB|1988 Model M||Logitech MX 518 & F310|Samsung C24FG70|Dell 2209WA|ATH-M50x
 
bthylafh
Maximum Gerbil
Posts: 4320
Joined: Mon Dec 29, 2003 11:55 pm
Location: Southwest Missouri, USA

Re: FIPS 140-2 Compliant Phones

Tue Apr 23, 2013 7:54 pm

keltor wrote:
EVERY SINGLE DEVICE USING OPENSSL


Only if they're using the FIPS-compliant cryptosystems. Work used to have a critical webserver running SSL3 that was /not/ FIPS compliant because it used RC4 for encryption.

I expect Ned's IT critters are wanting end-user devices that store stuff encrypted, not simply transmitting/receiving it that way.
Hakkaa päälle!
i7-8700K|Asus Z-370 Pro|32GB DDR4|Asus Radeon RX-580|Samsung 960 EVO 1TB|1988 Model M||Logitech MX 518 & F310|Samsung C24FG70|Dell 2209WA|ATH-M50x
 
keltor
Gerbil First Class
Posts: 180
Joined: Thu May 10, 2012 4:29 pm

Re: FIPS 140-2 Compliant Phones

Tue Apr 23, 2013 9:36 pm

The server can easily be limited to only allow certain protocols.

Defense and Gov't don't allow BYOD, so they'd provide a device if you are allowed to have it at all.

For everything else, it's usually some sort of petty deal. Otherwise use one of the devices which IS individually certified.
 
Flying Fox
Gerbil God
Posts: 25690
Joined: Mon May 24, 2004 2:19 am

Re: FIPS 140-2 Compliant Phones

Wed Apr 24, 2013 1:02 am

keltor wrote:
FIPS140-2 doesn't really say what they "think" it says. None of the data is encrypted on the devices except the Motorola Business Ready phones, Blackberries and iPhones.

S3 can do device encryption once it downloads the Exchange policies from the server.
The Model M is not for the faint of heart. You either like them or hate them.

Gerbils unite! Fold for UnitedGerbilNation, team 2630.
 
Captain Ned
Global Moderator
Topic Author
Posts: 28704
Joined: Wed Jan 16, 2002 7:00 pm
Location: Vermont, USA

Re: FIPS 140-2 Compliant Phones

Wed Apr 24, 2013 4:56 am

bthylafh wrote:
I expect Ned's IT critters are wanting end-user devices that store stuff encrypted, not simply transmitting/receiving it that way.

Yup, AES256 is mandatory for on-phone storage.
What we have today is way too much pluribus and not enough unum.
 
Captain Ned
Global Moderator
Topic Author
Posts: 28704
Joined: Wed Jan 16, 2002 7:00 pm
Location: Vermont, USA

Re: FIPS 140-2 Compliant Phones

Wed Apr 24, 2013 5:09 am

bthylafh wrote:
What do the higher-ups have? One assumes that being a vice-president doesn't exclude one from compliance.

You have to be an elected official or at the Commissioner level (appointed, confirmed by state Senate) to get a state-issue phone. Since my work life includes avoiding all such people as much as possible, I don't know.
What we have today is way too much pluribus and not enough unum.
 
bthylafh
Maximum Gerbil
Posts: 4320
Joined: Mon Dec 29, 2003 11:55 pm
Location: Southwest Missouri, USA

Re: FIPS 140-2 Compliant Phones

Wed Apr 24, 2013 7:43 pm

This is definitely a workaround, but I think you could meet the letter of the law by accessing the Exchange server through a web browser that's configured to never cache anything.

Assuming Web Services are enabled, naturally.
Hakkaa päälle!
i7-8700K|Asus Z-370 Pro|32GB DDR4|Asus Radeon RX-580|Samsung 960 EVO 1TB|1988 Model M||Logitech MX 518 & F310|Samsung C24FG70|Dell 2209WA|ATH-M50x
 
Captain Ned
Global Moderator
Topic Author
Posts: 28704
Joined: Wed Jan 16, 2002 7:00 pm
Location: Vermont, USA

Re: FIPS 140-2 Compliant Phones

Wed Apr 24, 2013 8:05 pm

bthylafh wrote:
This is definitely a workaround, but I think you could meet the letter of the law by accessing the Exchange server through a web browser that's configured to never cache anything.

Assuming Web Services are enabled, naturally.

The problem is that in the course of my field work I quite often find myself in places where I can't find Ethernet or open Wi-Fi, thus making me reliant on my phone. I'd prefer not to tether (easy on a rooted Droid with a grandfathered unlimited VZW data plan) as it's hard on the phone (you should see the temperature spike as data rates increase) and it adds to the space I need to occupy in places where my space allowance is often a chair and a 3'x3' table, although doing so would meet the letter of the standard. I'd much rather leave e-mail to the phone and put the laptop back in the bag so I have more space to get my work done, thus leaving me with the requirement to meet a standard that my centralized IT boffins cribbed from some "best practices" document without doing the slightest bit of research into whether or not the standard is achievable at not-ridiculous costs.

We've asked Central IT to give us a list of phones that meet their standards. They refused, saying that the analysis of compliance and the required personal signature on the policy stating that our phones comply with their policy is our problem.

I so adore check-box engineering.

[/heavy sarcasm]
What we have today is way too much pluribus and not enough unum.
 
ludi
Lord High Gerbil
Posts: 8646
Joined: Fri Jun 21, 2002 10:47 pm
Location: Sunny Colorado front range

Re: FIPS 140-2 Compliant Phones

Wed Apr 24, 2013 11:56 pm

Captain Ned wrote:
I'd prefer not to tether (easy on a rooted Droid with a grandfathered unlimited VZW data plan) as it's hard on the phone (you should see the temperature spike as data rates increase) and it adds to the space I need to occupy in places where my space allowance is often a chair and a 3'x3' table, although doing so would meet the letter of the standard.

Is this maybe a function of having an older phone? I've not really noticed this kind of problem with my GNex. Also, most of the better smart phones can do WiFi hotspotting these days, which at least gets one of the devices off the desk.
Abacus Model 2.5 | Quad-Row FX with 256 Cherry Red Slider Beads | Applewood Frame | Water Cooling by Brita Filtration
 
Captain Ned
Global Moderator
Topic Author
Posts: 28704
Joined: Wed Jan 16, 2002 7:00 pm
Location: Vermont, USA

Re: FIPS 140-2 Compliant Phones

Thu Apr 25, 2013 4:59 am

ludi wrote:
Is this maybe a function of having an older phone? I've not really noticed this kind of problem with my GNex. Also, most of the better smart phones can do WiFi hotspotting these days, which at least gets one of the devices off the desk.

Likely so. The problem is that a phone upgrade means the end of my grandfathered unlimited data plan.
What we have today is way too much pluribus and not enough unum.
 
ludi
Lord High Gerbil
Posts: 8646
Joined: Fri Jun 21, 2002 10:47 pm
Location: Sunny Colorado front range

Re: FIPS 140-2 Compliant Phones

Thu Apr 25, 2013 11:44 am

Captain Ned wrote:
ludi wrote:
Is this maybe a function of having an older phone? I've not really noticed this kind of problem with my GNex. Also, most of the better smart phones can do WiFi hotspotting these days, which at least gets one of the devices off the desk.

Likely so. The problem is that a phone upgrade means the end of my grandfathered unlimited data plan.

Even if you buy an unlocked phone and swap SIMs?
Abacus Model 2.5 | Quad-Row FX with 256 Cherry Red Slider Beads | Applewood Frame | Water Cooling by Brita Filtration
 
Flying Fox
Gerbil God
Posts: 25690
Joined: Mon May 24, 2004 2:19 am

Re: FIPS 140-2 Compliant Phones

Thu Apr 25, 2013 11:47 am

ludi wrote:
Captain Ned wrote:
ludi wrote:
Is this maybe a function of having an older phone? I've not really noticed this kind of problem with my GNex. Also, most of the better smart phones can do WiFi hotspotting these days, which at least gets one of the devices off the desk.

Likely so. The problem is that a phone upgrade means the end of my grandfathered unlimited data plan.

Even if you buy an unlocked phone and swap SIMs?

VZW, no such thing?

Besides, whether you are tethering over Wi-Fi or USB, when the data is really flying through (say, streaming HD YouTube), phones will get hot as they are doing work.
The Model M is not for the faint of heart. You either like them or hate them.

Gerbils unite! Fold for UnitedGerbilNation, team 2630.
 
ludi
Lord High Gerbil
Posts: 8646
Joined: Fri Jun 21, 2002 10:47 pm
Location: Sunny Colorado front range

Re: FIPS 140-2 Compliant Phones

Thu Apr 25, 2013 5:05 pm

Flying Fox wrote:
VZW, no such thing?

AFAIK it depends on the age of the phone. The 4G LTE phones apparently use them, not sure about anything older.
Abacus Model 2.5 | Quad-Row FX with 256 Cherry Red Slider Beads | Applewood Frame | Water Cooling by Brita Filtration
 
Captain Ned
Global Moderator
Topic Author
Posts: 28704
Joined: Wed Jan 16, 2002 7:00 pm
Location: Vermont, USA

Re: FIPS 140-2 Compliant Phones

Thu Apr 25, 2013 5:16 pm

ludi wrote:
Flying Fox wrote:
VZW, no such thing?

AFAIK it depends on the age of the phone. The 4G LTE phones apparently use them, not sure about anything older.

VZW is a CDMA network, so no SIM cards. My Droid 2 Global is CDMA and GSM and has a SIM card that VZW will enable if I travel out of the US to a GSM network area.
What we have today is way too much pluribus and not enough unum.
 
auxy
Graphmaster Gerbil
Posts: 1300
Joined: Sat Jan 19, 2013 4:25 pm
Location: the armpit of Texas

Re: FIPS 140-2 Compliant Phones

Thu Apr 25, 2013 6:03 pm

This confused me too, but apparently LTE is a GSM technology? My dad's Samsung Stratosphere phone on Verizon has a SIM, as does my coworker's HTC <something>. I dunno the story, but a lot of newer Verizon phones do in fact have SIM cards.
 
Captain Ned
Global Moderator
Topic Author
Posts: 28704
Joined: Wed Jan 16, 2002 7:00 pm
Location: Vermont, USA

Re: FIPS 140-2 Compliant Phones

Thu Apr 25, 2013 6:42 pm

auxy wrote:
This confused me too, but apparently LTE is a GSM technology? My dad's Samsung Stratosphere phone on Verizon has a SIM, as does my coworker's HTC <something>. I dunno the story, but a lot of newer Verizon phones do in fact have SIM cards.

It's a card that looks like a SIM card but has another name I can't yet pull out of Wikipedia. LTE is a completely different transmission scheme than GSM or CDMA, although it can still fall back to either. Looks like the real goal with LTE is to get away from the circuit-switched calls of GSM/CDMA and create the cell equivalent of VOIP for everything.
What we have today is way too much pluribus and not enough unum.
 
lonleyppl
Gerbil XP
Posts: 380
Joined: Wed Jan 26, 2011 2:59 pm

Re: FIPS 140-2 Compliant Phones

Thu Apr 25, 2013 11:13 pm

I'm pretty sure you can buy an unsubsidized VZW phone, and then move that onto your plan to keep your unlimited data. I'm not sure how one would go about doing that though...
Lenovo W520
IBM dx340
Nokia Lumia 928
Sony a7 with far too many lenses to list or even count
