Several years ago, I sought a definitive answer for information security using REXwireless' ToDoMatrix, IdeaMatrix, and their Always*Safe and REXdesktop (web access) features. What I learned is that:
- REXwireless takes reasonable precautions to protect data stored on their servers: rather than using a conventional relational database, they encrypt and store your personal data on their servers as a unit
- Data is not encrypted en route between your Blackberry and their servers (i.e. during sync, backup, and restore operations)
Following my signature below, I've quoted a post that they made about this on their support forum. (I quoted this from their server just now, so presumably it remains an accurate statement.)
When you log onto their REXdesktop service (via HTTPS, so all those interactions with your browser are encrypted), there is a pause while their server loads your database(s). My IdeaMatrix database is huge, so the delay is quite noticeable to me!
While you're interacting with the data using the web interface, it is reasonable to assume that wherever they temporarily store the working copy is not encrypted, so clearly, a very sophisticated hacker with fully-open access to their running server could, possibly, maybe, get to your sensitive information in plaintext. This is what I meant by saying that REXwireless takes "reasonable precautions".
(Related anecdote: years ago I learned from CitiBank's fraud protection service that my credit card had been compromised from a so-called "secure" on-line transaction. The site had all the seals-of-assurance, and the connection was secured via HTTPS/SSL. It turned out that the "secure" server proceeded to email the orders to the vendor -- in plaintext! All someone had to do was to grab these emails as they were routed, and so they did. Using credit card issuer's "temporary card number" services with their user-defined limits and expirations is a GREAT practice!)
REXwireless' statement (quoted below) explains their rationale for the lack of encryption during Blackberry syncing. The upshot of all this is:
- REXwireless products seem reasonably secure for most purposes, including most "proprietary" but routine corporate information; however, they are not secure enough for passwords, financial access information, or identity protection.
- REXwireless products are probably more secure than most "online storage" facilities, including and in particular, Google.
- Having been thoroughly impressed with every direct interaction I've had with REXwireless folks over the years, and based on my assessment of their technical proficiency and integrity, as well as the evident quality of their software, I have no hesitation storing my data in their product or on their servers.
Incidentally, I went with Ascendo DataVault for all the stuff that's too sensitive for REXwireless products, and that has given me a superb and trustworthy operating environment.
As far as ToDoMatrix itself is concerned, I have never encountered a more powerful or better-engineered task management product on any platform than ToDoMatrix. The closest thing (for sophisticated use) might be Llamagraphics' Life Balance, but it's been a very long time since I used a Palm... ToDoMatrix seems to be superbly functional to combine the best characteristics of both Allen's Getting Things Done (GTD) and Covey's First Things First (FTF). And with the enhanced Blackberry integration they provide through REXconnect and now the well-done bidirectional native Task manager syncing, I can't even imagine anything coming close.
(Full disclosure: I have absolutely no connection with any of these companies other than being a long-term and satisfied user.)
-^-rdj-^-
Quote:
Where is my data encrypted and where is it not encrypted?
by REXadmin » 05 Oct 2007 10:45
Where is my data encrypted and where is it not encrypted in the REXwireless overall system?
REXwireless applications are currently designed to offer good security against the most prevalent hacker threats; however, note that our applications are not currently competing in the high-security "password vault" space. We strive to balance productivity and application functionality vs. reasonable security.
REXwireless's Always*Safe subsystem backs up data to our servers to protect the user against BlackBerry damage or loss, and to protect data during software upgrades and users changing to new devices. Our servers reside in large commercial datacenters which have comprehensive physical security schemes and 7 x 24 security personnel onsite.
The most prevalent threat, after physical loss of the BlackBerry which is far and away the most common problem, is a hacker gaining access to a server. To address this concern, REXwireless user application data is not stored in a relational database format on the servers. Rather, the datafiles on the server are individually encrypted with AES-256 standards. If our servers were ever compromised by a hacker, the datafiles of the users would not be compromised. There are no known breaks of AES-256.
When a user logs onto REXdesktop.com, his or her datafile is "checked out", decrypted, and loaded into server memory to enable the user's access and modification. Every time there is a modification, the change is processed and written back to the disk in an encrypted format. The data is removed from server memory upon log-out of a session. The database is not loaded to the local PC or Mac using the browser to access the session.
At the BlackBerry end, the user's REXwireless database is not encrypted. When a record is modified, the change is transmitted to REXwireless servers, where the server writes the change in encrypted format to disk. The privacy feature in IdeaMatrix is a simple cloaking scheme and does not encrypt the user's data.
At this time, changes transmitted between the BlackBerry and REXwireless servers are not encrypted en route. This is quite common practice - consider that most e-mails that travel between companies travel without encryption. Please note that the majority of REXwireless transmissions are simply the field that changed, not the entire record or database.
REXadmin