Chapter 1 – Introduction

Thank you for trying TealLock. This program replaces the standard security application with a powerful and flexible system with many activation and customization options, insuring the security of your personal and company data.

This manual supports the consumer version of TealLock as well as TealLock Corporate Edition and TealLock Enterprise Edition, which add special administrator access features designed for corporate use.

Contents

This archive contains the following files:

Program files:

TEALLOCK.PRC The TealLock program file

TPSETUP.EXE Easy-installer program (Windows)

IMAGEMGR.EXE TealPaint Image Manager (Windows)

Document files:

LOCKDOC.PDF Program manual in Adobe Acrobat (PDF) format

LOCKDOC.HTM Program manual in HTML format (sans images)

LOCKDOC.PRC Program manual in TealDoc format

REGISTER.HTM TealPoint Registration form in HTML format

REGISTER.TXT TealPoint Registration form in text format

LOCKIMGS.PDB Sample TealLock Background images

Chapter 2 – Installing

Single copy/demo installation

Windows:

Double-click on TPSETUP.EXE to install the necessary files.

All Operating Systems:

You may also use the Palm Installer to install TealLock. After installing the program file, TEALLOCK.PRC, the program will appear on your device after the next HotSync. You may also want to install LOCKIMGS.PDB which includes sample TealLock background images and LOCKDOC.PRC which is the TealLock manual as a Palm OS document. This file can be read with our application TealDoc.

The PalmOS Installer appears as in icon in the Palm Desktop program on your desktop computer. Instructions on how to use the Palm installer are in the Palm Handbook that came with your Pilot, PalmPilot, Palm, Visor, WorkPad, Handera, or CLIE.

Upgrading from older versions

When upgrading TealLock from older versions of the program, you may safely HotSync the new version over the old, but you must first turn off the previous version before HotSyncing the new one. If you don’t, HotSync, cannot copy the new version over.
If significant features have been added in the new version, you may need to re-enter your password, settings and registration information.

Site License Installations

To install a site license version of TealLock Corporate Edition or TealLock Enterprise Edition, install the custom .prc file delivered upon completion of the license agreement using the PalmOS installer. To install along with identical settings on multiple units, see the Installation File instructions later in this document. As with single installations, any prior versions of TealLock will need to be turned off before installing a newer version. This can be done using an Uninstall File also detailed below.

Precautions

Due to the nature of this program (a security app), you are strongly advised to back up your organizer following the instructions in your PalmPilot handbook before activating TealLock and setting a password. In the event you should you forget your password or run a downloaded application that interferes with TealLock, you may otherwise have limited options in getting back to your data.

Chapter 3 – Overview

Every year, some 20,000 handheld organizers are lost or stolen, many loaded with sensitive private or personal information. Most of these units have no protection against unauthorized use. TealLock fulfills this need by automatically locking a PalmOS handheld, hiding private records according to customized settings, encrypting sensitive data in memory or external storage cards, and requiring a password for continued use.

Background

The Palm Operating System comes equipped with some basic security features such as a system password, private record support, and a system-locking screen. However, the default system is cumbersome, as one has to manually start the system security application to change the state of hidden records or to lock the device. Furthermore, its interface is inflexible, relying on graffiti as the primary way to enter passwords, and features few activation or customization options. Lastly, the system is largely insecure, including no encryption features to prevent unauthorized access to sensitive data. Consequently, the system security features are often too clumsy to use and are often ignored, leaving handhelds with no security whatsoever.

TealLock

TealLock replaces the standard security application. It offers greater flexibility in order to meet individual security needs. TealLock supports 128-bit hashed passwords, encrypting of files in memory, encrypting of files on external storage cards, optional password entry by hardware buttons or online keypads, customized locking screens with text and images, graffiti stroke activation, and automatic timed activation with numerous configuration options.

TealLock is so powerful that it has been adopted by Palm itself, appearing in ROM on select Palm handhelds such as the Tungsten T2 and Tungsten C. TealLock incorporates all the features present in this enhanced TealLock Security application, with additional customizations and encryption options available nowhere else.

TealLock Corporate Edition

TealLock Corporate Edition expands on TealLock, providing features especially useful in a corporate environment, including a separate administrator password. The administrator password allows a company’s IT department to access a handheld or issue a time-sensitive emergency password should an employee forget his or her password. More importantly, when an administrator password is active, the user is required to continue using the program; a user password cannot be used to turn off or delete TealLock or change its configuration settings. The administrator can also:

· unlock employee devices, using a time-sensitive temporary password

· set a minimum length for user passwords

· require use of both numbers and letters in user passwords

· require both upper and lower case letters in passwords

· lock out the User Password after too many failed attempts (bit wipe)

· install identical settings on multiple devices using an install file

· update settings using a combination of install and uninstall files

TealLock Enterprise Edition

TealLock Enterprise Edition is available exclusively to site license customers. Enhanced for specialized security needs, it adds support for optional encryption with a 128-bit AES encryption algorithm.

Chapter 4 – TealLock Main Screen

Once installed, to start TealLock, go to the Palm applications launcher and tap on the TealLock icon. The TealLock Main Screen will appear. Here you can set a password, show or hide private records, or turn on or off TealLock protection.

TealLock Status

The TealLock Status indicator shows whether TealLock has been activated. Activation is necessary before TealLock can respond to shortcut macros or automatically lock or hide private records.

Click on the ON button to activate TealLock protection. On handhelds running PalmOS 3 or PalmOS 4, the devices will reboot to enable protection.

Once activated, if a User Password has been set, it will be requested before TealLock can be turned back off.

Setting Passwords

The User Password indicator on the main screen shows whether the TealLock User Password has been set. Tap on the indicator to set or change the User Password.

TealLock maintains its own unlocking password, which can optionally be kept in sync with the system standard password. Similar to the standard security app, you set a password to lock the device or protect private records from unauthorized viewing. The Quick Password is explained later in this document.

Both the standard Security application and TealLock can hide and show private records, so you should make sure that a password is set in the standard application even if one has already been set inside TealLock. It's probably a good idea to make the two passwords the same so there will not be any confusion between the two. This option can be set automatically in TealLock using the Keep System Password in Sync option, which changes the system password whenever the password is set in TealLock.

NOTE: Under PalmOS 5 and later, do not use the automatic locking features in the Palm standard security program simultaneously with TealLock. When running TealLock, use TealLock’s automatic locking options instead. And turn off any standard Security automatic locking features before activating TealLock.

Private Record State

TealLock’s secondary function is to act as a mechanism for hiding and showing private records. Palm OS supports a global private record setting which is individually supported by applications to hide or show sensitive files, entries, or data records.

Manual Hide/Show/Mask Control

The Private Records indicator displays the current private records state: globally shown, masked or hidden. Tap on the hide, mask, or show buttons to change the current setting. If a User Password has been set, you will be asked to enter it in order to show private records that have been hidden.

NOTE: TealLock changes the system global hide/show state for private records, but does not modify the data itself. Under the PalmOS private record system, it is up to individual applications to actually read the current hide/show/mask state and hide or mask private records and files accordingly.

Locking the Handheld

TealLock’s primary function is as a locking program. It secures the handheld by bringing up a locking screen that requests a password before granting access.

Manual Locking

The Lock and Off button on TealLock’s main screen lets you quickly secure the handheld from within TealLock. The device will be turned off, and when turned on again later, will appear on the TealLock Locking Screen, requesting a password to continue.

Automatic Locking

There are other numerous and more convenient automatic activation options as well, accessible from the TealLock Settings Screens, described next.

Changing Settings

The Change Settings button lets you access the TealLock Settings Screen to set and adjust many more interesting activation and customization options.

When a password has been set, it will be required to access the settings screen. In the Corporate Edition, the normal User Password cannot gain entry. Instead, the Administrator password must be entered instead.

Settings fall into four categories: Activation, Security, Lock Screen, and Other. In TealLock Corporate Edition and TealLock Enterprise Edition , the last category is called Admin and contains extended selections.

Details for using individual features and settings in each of these categories follow in the next four chapters.

Chapter 5 – Activation Settings

The Activation Settings screens adjust when and how TealLock engages to lock the device or handle private records. There are three activation screens:

• Shortcut Strokes
• Automatic Hiding/Masking
• Automatic Locking.

Shortcut Strokes

The Shortcut Strokes screen specifies the graffiti shortcuts used to hide or show private records or to lock the handheld. To enter a shortcut stroke, write a cursive 'l' (lower case ‘L’) followed by the specified letter or number.

Shortcut Stroke support requires a device with graffiti entry support. On devices like the Treo600 or Treo650, TealScript can be used to add Graffiti writing support.

NOTE: Capitalization is ignored and these shortcuts override any standard graffiti shortcut macros, so you should set your TealLock shortcuts to letters that are not used as the first letter of any PalmOS macros specified in Preferences.

Automatic Hiding/Masking

The Automatic Hiding/Masking screen adjusts when private records are automatically hidden or masked. The following options are available.

Minutes after power off

Activates when the handheld has been off longer than a specified time period. Set to 0 for automatic activation immediately after power off.

Minutes after password entry

Activates if the specified number of minutes has passed since your password was last entered. Use this setting to setup behavior where your password is “valid” for only the specified period of time before it needs to be re-entered. The unit must be powered down before actual record hiding/locking takes place to insure that user data is not inadvertently lost.

Minutes after last activity

Similar to the mins after power off option, this option also takes into account the last time the screen was tapped or a button was pressed if the unit powers down due to lack of activity. Note that this option still requires the unit to power down, as it will never forcibly take control of the unit while it is on and might be in use.

On system reset

Activates if the unit is reset either by a system crash, by software control, or by the pinhole reset button in the back of the device.

Daily, at time

Activates at a specified time of day. In other words, if a specified time passes, TealLock will activate the next time the handheld is powered on.

If powered up between specified hours

Activates if the handheld is powered up (switched on) during a specified time of day.

Enabled on specified days

Sets the days of the week when the above activation options (except shortcut) apply. On the days that are not highlighted, automatic activation will not occur. (Highlighted items appear blue or gray.)

Enabled between specified hours

This option allows one to specify a time range in which automatic activation is active. Note that this option is not the same as the “If on between” setting. That option will trigger a TealLock activation request in certain circumstances, while this option determines whether that request (or any of the other automatic activation requests) are handled at all. Basically, unless you wish automated settings to be inactive during a certain time period, the specified hours should be set to ‘betweeen the hours of 12:00 am and 11:59pm’.

NOTE: Setting the first time earlier than the second time (e.g. 8:00 am to 5:59 pm) will enable automatic activation in the times between. Setting the first time later than the second time (e.g. 6:00 pm to 7:59 am) will enable automatic activation to all times before the first time or after the second time on any given day. Setting the start time to one minute past the end time (e.g. 4:00 pm to 3:59pm) will enable automatic activation at all times.

Automatic Locking

The Automatic Locking screen is very similar to the Automatic Hiding/Masking screen, and supports all the same options described above.

Chapter 6 – Lock Screen Settings

TealLock’s locking screen is highly configurable, offering numerous customization options for its appearance, background, controls, and input methods.

Lock Screen Settings let you adjust the appearance, contents, and functionality of the TealLock lock screen.

Password Key Mapping

TealLock allows you to map characters and basic functions to the four application buttons, the Palm directional controller, and the auxiliary voice-record button on the Tungsten T. If locking password is set to corresponding characters, you can use this feature to enter your password completely pen-free in all TealLock-controlled password entry screens.

By default, numbers are mapped to the application buttons, but you can reassign the buttons in the Password Key Mapping window.

By default, the up button is mapped as a backspace key, and the down is mapped to an “enter” stroke. These buttons can be remapped as well, and all buttons can be mapped to any combination of functions by entering a two-letter code for that button’s mapping:

no - Do nothing. Set this value to keep the buttons from entering characters

bk - Backspace

en - An “Enter” stroke. Equivalent to tapping the “OK” button

sh - Select the “Show Private Recs” box on the lock screen (if enabled) New in 5.4

ms - Select the “Mask Private Recs” box on the lock screen (if enabled) New in 5.4

hi - Select the “Hide Private Recs” box on the lock screen (if enabled) New in 5.4

Owner Text

In the Owner Text screen, you can select the content, font, and alignment of the text that appears on the Locking Screen. Typically, this consists of instructions, company, or owner information in case the device is lost.

The text specified here can also alternatively be moved to a separate help screen instead of appearing directly on the main locking screen. Use the “help screen option” under Additional Display Options to do this.

Background Image

The Background Image Settings screen lets you select a custom image to be used as a backdrop for the locking screen. The image must already be loaded onto your handheld, having been created in TealPaint or imported using the included TealPoint Image Manager (See Appendix). You can download the demo version of TealPaint to get a copy of the Image Manager. On hires handhelds, images larger than 160x160 are displayed in high resolution.

The image must be in TealPaint image format. If multiple images exist in the named database, one will be selected at random each time the handheld is locked. You can also choose to treat the image database as an animation by selecting the “Animate” checkbox item, and selecting an animation speed.

For best results, make sure the source image used matches the default current display mode of the handheld. Most monochrome devices run applications in 1-bit mode, which color apps are typically run in 8-bit mode.

For better looking images, the “Grayscale” option can be used on monochrome handhelds running PalmOS 3.3 or higher to show background images in 16-shade grayscale instead of the default black and white mode. Similarly, to better show 16-bit images, “16-bit” mode will force the system display mode to 16-bit mode while on the lock screen.

Lastly, choose the “Cache Image” option for faster screen updates if available memory permits.

Additional Display Options

The Display Options screen lets you customize the appearance and functionality of the locking screen, adding additional items such as clocks and battery level indicators.

Options available on this screen include:

Battery level indicator

Adds a battery level indicator to the lock screen.

Window border frame

Adds a border around the locking window.

Entry Attempt Count

Shows a count of password attempts (tries) entered into the lock screen.

Private rec boxes

Adds pushbutton controls to the lock screen that allow you to select the state of private records before unlocking the device. The private record control can be preset to whatever setting was active prior to locking the device (show current), or can be specifically set to hide, show, or mask. Masking is not supported by some older versions PalmOS.

Number keypad

Adds a keypad to the lock screen to aid in entering numerical passwords, or to mislead would-be miscreants even if the password has letters. The numerical keypad comes in two sizes, and can take on either a standard computer keypad layout (with 7,8, and 9 at the top) or in an inverted “phone-style” layout (with 1,2, and 3 at the top). The large “phone-style” keypad has alphabetic characters on it corresponding to those found on phone pads in the United States.

Date and Time

Adds an on-screen date and time indicator to the lock screen. Three different fonts are supported (standard, bold, and large) as well as a choice of left-aligned or center text. A seventh option also exists to place the date and time indicator in the title bar of the window, resembling the PalmOS lock screen on newer handhelds.

Move owner text to help screen

This option moves the owner text off the locking screen and onto a separate “help screen”. Text on the help screen is shown without alignment or formatting, but can be scrolled to accommodate more than one page of text.

A help button is added to the locking screen to access the moved text. You can specify the name of this button, setting it to “Help”, “Owner” or “More” or any other short text that fits in space provided.

Sync owner text with system

When this option is set, TealLock uses and modifies the owner text set in PalmOS Preferences instead of maintaining its own separate text.

This is especially useful when used in conjunction with a Corporate Edition install file, as it allows each individual user to show their personal owner information on the lock screen instead of adopting internal TealLock text that gets adopted from an Install File.

Chapter 7 – Security Settings

The Security Settings screens contain options for adjusting password controls, encryption, and advanced security options.

Password Controls

Password Controls allow you to specify how passwords are entered, accepted, and displayed. In TealLock Corporate Edition or TealLock Enterprise Edition, these options are particularly useful in insuring that employees choose secure passwords. Additional password controls can be found on the Admin Settings.

Minimum length

Used mainly in conjunction with the administration password in TealLock Corporate Edition or TealLock Enterprise Edition, the minimum password length feature allows an administrator to prevent a user from setting their personal password to anything shorter than a specified number of characters.

Mask passwords during entry

When set, this option displays entered passwords using placeholder characters (asterisks or boxes depending on PalmOS version) so that prying eyes cannot read the password as it is entered.

Require change every XX days

When set, this option requires the User Password be changed at regular intervals. When an expired password is entered, TealLock will bring up a reminder message requesting a new password to continue. When used with TealLock Corporate Edition or TealLock Enterprise Edition, this feature can be used to ensure greater security. Standard TealLock users may find this feature useful as a reminder to regularly change passwords.

Keep system password in sync

When this option is enabled, the PalmOS system password is changed to match the TealLock User Password whenever the latter is entered.

NOTE: if you subsequently change the system password using the standard Security application, it will not by synchronized back to TealLock. To keep both passwords in sync, only change passwords in TealLock.

Guest Password

A guest password can be specified and enabled with this option. A guest password can be used to unlock TealLock, but not to show private records or access settings in TealLock. In fact, unlocking a Palm with the guest password will automatically hide private records if they are currently shown. Guest passwords are useful if you wish to loan your handheld to a friend, but do not want to grant him or her access to all of your private data.

Emergency Password

When TealLock is registered, it is assigned an emergency password based on its HotSync user name and registration information, which accompanies a registration confirmation and key. This key can be kept in a safe place to unlock the device in an emergency. Turning off this option will disable the emergency key, giving stronger security but removing the option to unlock the device if a password is forgotten.

NOTE: The Emergency Password will not decrypt encrypted data

NOTE to Corporate Users:
TealLock Corporate Edition and TealLock Enterprise Edition automatically disables the emergency password once an Administrator key is set, as the two serve a similar purpose.

Enable Quick Password

An optional secondary “quick” password allows fast unlocking of a handheld without compromising long-term security against someone trying to unlock the device by guessing passwords. When enabled, the Quick Password can be set when you change/set the User Password.

Using this feature, a much longer more secure full password can be set without making daily use of the device inconvenient.

When a Quick Password is enabled, you have only one chance to enter the Quick Password to unlock the device. If an incorrect password is entered, or if it is not entered within a specified time, the full password is required.

Typically, the Quick Password is set to a combination of letters or numbers mapped to the hardware buttons or on-screen keypad. When the lock screen first appears, a timer begins counting down the remaining time. If the correct password is entered (tapping OK is not required), the unit is unlocked. If time elapses or an incorrect character is entered, the full password is requested.

Note: Even if an incorrect key is entered, the full countdown always continues, so someone repeatedly trying the bypass the Quick Password at different times will get no feedback if any entered letters were correct. If a mistake is made during entry, you can manually dismiss the quick passkey timer with a backspace stroke.

Quick password time limit

Specifies the number of seconds a user has to enter the Quick Password before the full password is required.

Start countdown after first key

Sometimes, third party applications may wake up the handheld, causing the Quick Password timer to expire before it can be used. This can also happen when a button is accidentally pressed while the handheld is in a pocket or purse. When this option is set, the countdown waits for the user to enter a key, and only begins after the first character is received.

Hide Countdown Indicator

Normally, when a Quick Password is available, a countdown prompt is drawn on the text entry line when a Quick Password can be entered. When this option is set, no visual indicator is given to hint to a potential attacker that a Quick Password can even be entered prior to entering the first keystroke.

Locking/Unlocking Options

The following options on the Locking/Unlocking screen affect how TealLock functions when locking or unlocking the handheld.

Power off after manual locking

When set, the handheld automatically turns off after being manually locked from the Graffiti “locking” shortcut.

Call TealGlance on Unlock

Activates the program TealGlance to bring up its information screen after the unlock screen has been dismissed. TealGlance normally appears on power-on, but won’t do so if the device is locked in TealLock. This option provides for a delayed activation of that program.

Launch specified app on unlock

This option lets you specify a program to run after the handheld is unlocked. Any individual application can be specified here, including the system application launcher.

When you do NOT use this option, TealLock returns to the program that was running before locking, if it is present in RAM. If you were running a card-based application, the temporary copy loaded into memory by the system launcher has likely been deleted by PalmOS, so control will return to the TealLock main screen instead.

Allow app(s) to run when locked

A specialized feature meant for specific applications, this option instructs the locking screen to release control to a specified application to run even when the handheld is locked. When that application exits, control is returned to TealLock.

This option can be used either to allow phone dial screens or other apps to temporarily be launched from within the TealLock locking screen, or to allow select timed applications (like backup apps) to run when the device is locked. You can set up to two applications to be run this way, and can optionally place two on-screen buttons for launching those apps. In specialized applications, this feature can even set up a “Restricted Use” mode (described below), where the device can only be used to run one or two specific applications.

NOTE: The device must already be on the locking screen before it releases control, so when using apps that run themselves at a specified time, the wake up device to lock handheld option should be set to insure that the handheld will not still be trying to transition to the locking screen when the timed event wakes up the device.

Compatibility

This option works best with PalmOS 4 or earlier, and will *not* work with all devices, configurations, and third-party programs. As the device is temporarily unlocked to allow an app to run, the configuration must be tested to insure that the app does not do anything to jeopardize security when running.

PalmOS 5

On OS 5 handhelds, one must be particularly careful that undesirable application launching mechanisms are disabled, as PalmOS requires TealLock unlock the device before the identity of the new application is available. While TealLock will relock the device if it is not the specified app, a brief flash of an undesired app may appear if it is not blocked from starting. This usually means mapping application buttons to keystrokes to prevent them from launching their default apps.

Backup Programs

Programs that support timed automatic backup often need to switch itself to the current application. The “run when locked” option can be used to allow these backups to run. In order to work, the backup app must support the backup process when the system lock flag is set. This works with our own backup program TealBackup, but may not be compatible with the launch modes of all backup applications.

PalmOS-powered phones

This option can be used to allow phone dialing and/or receiving on Treo phones and Kyocera Smartphones. Please test this feature to insure it is functional and secure with your handheld configuration.

See the chapter Enabling PalmOS Phones for more information on using this function to allow you to dial and/or receive calls when locked.

Restricted Use Mode

In some industrial or educational applications, it is sometimes useful to restrict users to running only one or two specific programs. This feature can allow a Palm handheld to be used, say, as a secure aide for a closed-book exam, or to encourage devices passed out for marketing surveys to be returned.

See the chapter Restricted Use Mode for more information on using this function.

Enable G2 Write-Anywhere

This option automatically turns on the Write Anywhere mode for devices running Graffiti-2 whenever the device is locked. If TealScript is installed, its Write Anywhere mode is enabled instead. New in 5.40!

Do not require password

This unusual option is present when TealLock is not really being used as a locking program at all. Instead, the lock screen is used as a “Welcome” screen for commercial or promotional purposes, and automatic “locking” activation is used to bring up this welcome screen. Setting this option turns off the password requirement for the locking screen, while still leaving the password in place for securing private records.

Data Encryption

TealLock’s Data Encryption feature lets you add an additional layer of protection, encrypting selected databases when your device is locked. To turn on encryption, set the data encryption pick list to “on”.

NOTE: Files are in an encrypted state only when the device is locked, securing them from being directly read off the memory chips using specialized hardware.

Data Applications/Files

Files to encrypt can be selected by application or individual file. Up to six individual files can be selected and an unlimited number of applications. When an application is selected, all .PDB database files associated with that application are automatically encrypted.

Private / Public Records

The following encryption methods are available.

Fast Encryption

A custom fast encryption method adds additional protection to TealLock’s locking and private record mechanism with minimum added encryption and decryption time.

128-bit MDC

A more secure 128-bit MDC encryption based on an industry-standard MD5-Hash provides stronger encryption

128-bit Blowfish

This algorithm provides the strongest standard protection with a reasonably fast encryption speed.

128-bit AES

Available in TealLock Enterprise Edition only, the AES algorithm provides the strongest protection available.

128-bit RSA RC4

This encryption algorithm is available as standard equipment on the Tungsten C. When running on this device only, TealLock provides support for this encryption method.

Both private and non-private records can be protected, and their encryption types can be individually set or turned off. By setting different encryption types for different records, maximum protection can be achieved with minimum encryption time.

Card Encryption

TealLock’s Card Encryption feature lets you also encrypt data files stored externally on a removable VFS-compatible storage card such as compact flash, Memory Stick, SD, and MMC.

Set card encryption to “on”, select files to encrypt, and select an encryption type to enable card encryption. Note that access speed to external cards is much slower than internal memory, so be conservative when choosing which files to encrypt.

To add files to the list to encrypt, tap “Add” to bring up a list of external files. Double-Tap on folder names to navigate into those folders, or tap “Add All” to add all the files in that folder.

HINT:
If a card containing encrypted files is ejected on the Locking Screen, it can be inserted at a later time after the device is unlocked. The files will stay encrypted and will only be decrypted the next time the handheld is locked and unlocked.

You can use this workaround to leave files encrypted on the card even after the device is unlocked. Simply eject the card after encryption, and insert it after the device has been unlocked. To later decrypt the files, go through a full lock/unlock cycle with the card inserted.

Data Self-Destruct

TealLock’s data self-destruct option provides a last line of defense against unauthorized access to sensitive data. This feature can be used to destroy data if it detects an attempt at unauthorized access. Once data is destroyed, the handheld will have all write-enabled databases deleted and must be hard-reset before it can be used again.

Booby Trap Password

A booby trap password can be set to destroy data if a particular password is entered. This can be used to keep someone from unlock a handheld by guessing common passwords. For instance, a handheld can be set to self-destruct if “password” (a common insecure password) is entered as a guess.

Being even more devious, a help screen can be set to purposely mislead someone. For instance, one might set the locking screen help text to: “Enter my password. Hint: my favorite color”, and set a booby trap to “blue”. Of course, any booby trap password you choose shouldn’t be something you might accidentally confuse with a real password.

Destroy data after too many tries

This “self-destruct” option can be used to prevent brute force attacks by erasing all databases on the handheld after too many incorrect passwords have been entered into a locked device. Use extreme caution activating this feature so that a forgotten password or other text entry problem does not inadvertently cause loss of data. Always fully back up all data and verify password functionality before setting this option.

NOTE to Corporate users: When used in conjunction with the User Password lockout option in TealLock Corporate Edition or TealLock Enterprise Edition, this self-destruct mechanism will activate based on the number of failed attempts to unlock the device *after* the User Password has already been locked out.

Advanced Options

The Advanced Settings screen allows one to set options designed to fine-tune TealLock’s behavior or compatibility with other programs.

Advanced options include:

Blank screen before switching current app to TealLock

When TealLock is set to hide private records or lock the device on power-off, it can be set to blank the screen to prevent the previous application from flashing up briefly on screen before the lock screen appears. This may interfere with a few drawing programs, (notably Bugme!), which store their graphics directly in screen memory. For compatibility with such programs, you may wish to turn this option off. On some devices or with some programs, popup alarms may also appear blank if this option is selected. If this occurs, turn off this option.

Wake up handheld to lock/hide

Normally, when a time-determined option is selected, such as “lock after elapsed minutes” or “lock daily at time”, TealLock checks the elapsed time when the handheld is turned on and puts up the lock screen, if necessary.

Even if the handheld is set to lock immediately on power-off, this cannot occur until power-up because the processor is turned off before the lock screen can be enabled.

When this option is selected, TealLock uses a system timer to briefly wake the handheld and lock the unit roughly 30 seconds after the locking condition has been met. This insures that the handheld is already locked and records have been encrypted by the time the handheld is manually awoken later.

HINT: Turn on this option when running a PalmOS-powered phone or when using timed-backups, or any other application that might turn on the device on its own.

Lock out silkscreen buttons

This option blocks pen strokes in the silkscreen area below the screen when the unit is on the TealLock lock screen. This is useful in preventing some third party popup programs and launchers from recognizing taps in the graffiti area and popping up when the handheld is locked.

Lock out serial port

When activated, this option opens the serial port upon entry of the lock screen. This can prevent the unlikely scenario of someone using the Palm OS serial debugger or other program to access data on the unit, and is primarily useful when running PalmOS 3 devices. Handhelds running PalmOS 4 or later do not allow the serial debugger to run when the system is locked.

Using this option can consume power more quickly on some devices, and you should not use this option when connected to an external modem another device that might automatically turn on when the port is left open.

Lock out Infrared port

When activated, this option opens the infrared library upon entry of the lock screen to prevent beamed files from being put on the device. For most devices, this is desired, however this option can let you turn off this feature in the rare case that system error message come up because an add-on application or driver has already allocated or disabled the IR port.

Toggle backlight on power up

When this option is set, a command to toggle the handheld’s backlight (if supported) is to the PalmOS display system. Use this option to automatically turn on the backlight on devices (like the PalmV or m505) that do not store the previous state of the backlight.

On modern devices that already restore the previous state, this option will cause the backlight to alternate between on and off at each use, which is not a particularly useful feature.

Activation timing

Activation timing allows one to adjust how long TealLock waits before bringing up the TealLock lock screen after power-up for compatibility with third-party programs. Changing to either faster or shorter delay times may result in quicker overall switching times, as too fast a delay time may result in a failed switching attempts and a required retry.

NOTE: Recent code changes make this option largely unnecessary, but experimentation may still yield helpful results with some applications. This setting has no effect on handhelds running PalmOS 5 or higher.

Pre-encrypt files in RAM on every power off

Included for compatibility with earlier versions of TealLock, this option has largely been made obsolete by the wake up to lock option. We recommend using the latter option instead, as it tends to be more secure and more compatible with third party applications.

When selected, this option forces TealLock to always go through the encryption process when the unit is turned off. This was originally intended to prevent someone from bypassing the encryption process by performing a soft reset.

This process starts when the power button is pressed or the device times out. It does not put up a visual indicator. As the unit only turns off after selected databases have been encrypted, this will cause a delay from when the device is manually switched off and when the display actually shuts off. When the device is powered up, databases will be automatically decrypted if the lock condition has not been met. Because TealLock encrypts without exiting your open programs, care must be taken not to turn off the device while abusive applications are running. (Abusive applications are those which abuse system resources, not leaving enough memory for a third party application to run.)

NOTE: This option is NOT compatible with card encryption. For this and other reasons mentioned above, we recommend using the “Wake to lock handheld” option if possible.

Allow Popups when Locked

Normally, when TealLock is on its lock screen, it calls a PalmOS system function to lock out most system popup windows such as those used to respond to network or wireless events. Use this special-purpose advanced option to allow system pop-ups if required for a particular need. The usefulness and functionality of this option will vary from device to device depending on third party and system software, and will likely require experimentation and test to see if it meets a particular need.

Chapter 8 – Other Settings

Settings file

TealLock allows you to save the current settings, including password, activation state, and customization options, into a Settings File that can be manipulated in memory or backed up onto the desktop. When moved into flash memory along with TealLock (by using a third party utility like FlashPro), the file can be used to restore settings and lock the handheld even after a full power loss or hard reset. (When this occurs, the handheld’s memory and other data have already been erased, but this feature may encourage someone to return a lost handheld instead of keeping it.)

Warning: Be extremely careful when using a settings file for this purpose. Do not attempt this procedure using pre-release versions or test builds, or with passwords one might lose, as recovering the unit afterwards can be extremely difficult, or sometimes impossible.

To create and use a settings file:

1) Turn off TealLock

2) Move TealLock into flash using a third-party flash utility like FlashPro or JackFlash

3) Turn On TealLock (now in flash)

4) Write a settings file

5) Move the settings file (“TealLock Settings”) into flash as well.

Before the file is written, you will be asked for a password to imbed into the file. The passkey will be restored in event of memory loss and will be set as the system password as well. Use this feature with extreme care, because if you forget your passkey, you may be permanently locked out of your device.

The settings file can also be used to install identical settings on multiple devices when used under a company Site License. To do so, write a settings file and backup as described above. The settings file will be copied back to the desktop computer in the user’s backup folder (typically c:\palm\username\backup). Make a copy of this file (“TealLock_Settings.pdb”) and install it along with TealLock onto a new handheld. When TealLock is first run on that device, it will adopt its settings from the settings file, which can then be optionally deleted using a file management utility, as it is no longer needed.

When using TealLock Corporate Edition or TealLock Enterprise Edition, the Install File (see below), should be used for this purpose. Do not use both an install file and settings file simultaneously.

NOTE: Because of the high potential risk and the difficulty of using a third party flash utility, we do not generally recommend using this feature, and cannot give specific support and instructions beyond what is presented here.

Chapter 9 – Enabling PalmOS Phones

We recommend the following settings when running on a PalmOS-powered phone.

Allowing Timed Activation

As phones tend to automatically activate when a call is received, we recommend setting the Wake up to lock handheld option to prevent incoming calls or messages from interfering with automatic timed locking. This option is also necessary if using automatic locking in conjunction with the “Run app when locked” feature below.

Receiving Incoming Calls

Enabling Phone App when Locked

The phone/dialing screen in most PalmOS Phones is actually a separate application. In order to receive calls when the TealLock is locked, you must turn on the Run App when Locked option and select your phone’s special phone/dialing application.

Kyocera 7135: On the Kyocera 7135, the dialing application is simply

called “dialer”.

Treo600/Treo650: On the Treo, it is called “Phone”.

As functionality varies from device to device, please test this feature to insure it is functional and secure with your handheld and current configuration.

Enabling Call Answering Button

For incoming calls on the Treo600 series and most other phones, the system will automatically attempt to launch the phone application in response to an incoming call. On these devices, no additional configuration is necessary to receive calls. For other phones, receiving calls, if possible, may require enabling an “answer phone” button to launch the dialing app. For these devices, follow the instructions below for outgoing calls.

Dialing Outgoing Calls

Once incoming calls are enabled, all that need to be done to allow outgoing calls is simply enabling a mechanism to manually launch the phone/dialing application.

Hardware Button Mapping

On the Treo600 and Treo650, the phone application is mapped by default to the first application button. To enable the normal dialing functionality for these and similar devices, simply turn off Password Entry Key Mapping in TealLock for that particular button, setting the mapping to “no”.

You may wish to leave some TealLock key mapping in place if you want to lock out outgoing calls but still use the “run when locked” feature to allow incoming calls.

Screen Button Mapping

If the normal dialing method does not work, say because the dialing application is normally brought up by a silkscreen tap or other locked-out interface, you can still map an on-screen button to access the dialing screen. Do this by enabling the optional named button associated with the Run App when Locked option.

Treo600 / Treo650 Operation

Dialing Screen Operation

On the Treo600 and Treo650, the dialing screen limits some functionality when the system is locked. The options at the bottom of the dialing screen are locked out and may be replaced by simple Dial / Hangup / Cancel buttons. Because of this, you cannot switch to the address book directly from the dialing screen and must select “Cancel” when you want to close it.

On the newer 650’s, an expanded favorites menu is normally available at the bottom of the screen. You may wish to test any applications you set here to make sure they do not interfere with TealLock when locked or otherwise provide unauthorized access to data. When a device is locked, TealLock prevents the user from changing what applications are mapped to these buttons.

Dialing from the Address Book

To make a call using the address book, you must enable the AddressBook/Contacts application as a second Run when Locked app. Then, you must either map a hardware button to the address book or turn on the on-screen application button associated with the second Run when Locked app. You can then call up the address book directly and dial a call from there.

NOTE: If you enable the address book in this way, all your non-private contacts will be accessible even when your handheld is locked.

Chapter 10 – Restricted Use Mode

In some industrial or educational applications, it is sometimes useful to restrict users to running only one or two specific programs. TealLock’s Run App when Locked feature can allow a Palm handheld to be used, say, as a secure aide for a closed-book exam, or to encourage devices passed out for marketing surveys to be returned.

Setting up Locking Screen

To set up TealLock in Restricted Use mode, the lock screen should be set up as the program starting point, probably with instructions and buttons to launch the specified app(s). You can configure the appearance of the lock screen accordingly, typically entering instructions for the user in TealLock’s Owner Text settings screen.

Setting up Password

A secure password should be set that is unknown to the users receiving the devices.

Setting up Applications

The last step is to assign one or two applications as Run App when Locked apps, enabling an on-screen button for them.

Each user can then tap on a button to launch the “allowed” app. If they try to exit that app, they will be returned to TealLock. If they try to soft reset the device instead, the handheld will be returned to the system lock screen, again securing the device from running other applications.

Chapter 11 – Corporate/Enterprise Admin Settings

In TealLock Corporate Edition and TealLock Enterprise Edition, the Other menu is replaced by an Admin selection that contains additional settings useful in a multi-unit corporate environment. Typically, only a company-designated administrator is allowed global access to devices and TealLock settings.

The following choices are available exclusively in TealLock Corporate Edition and TealLock Enterprise Edition.

Admin Controls

From the Admin Controls screen you can set the administrator password and set User Password and lockout controls.

Administrator Password

The Administrator password field lets you set a separate password for deactivating TealLock or accessing the settings screens. When an administrator password is set, TealLock’s emergency password is disabled, and the User Password will not be accepted for turning either off TealLock or accessing the settings screen, only for unlocking the handheld or showing private records. Instead, only the Administrator password will grant full access to the device and TealLock’s settings.

Lockout after too many password attempts

When the lockout option is active, a user has only a specified number of attempts to unlock a locked handheld. After the attempts have expired, the User Password is no longer accepted and the administrator password is needed to unlock the unit.

Require letters and numbers

When set, this option requires User Passwords to contain at least one number and one alphabetic character. Use this option in conjunction with the minimum password length control to prevent an employee from setting an insecure or easy-to-guess password.

Require upper and lower case

When set, this option requires User Passwords to contain at least one upper case and one lower case letter. This option is not recommended for handhelds running PalmOS 3, as those devices support a system password that is case insensitive, and the difference in restrictions between the system and TealLock’s passwords may confuse the user. New in 5.40!

Log attempts to TealDoc file

When set, a log file is generated recording the date and time whenever TealLock is locked, unlocked, or fails to unlock with an invalid password. The log is written to a TealDoc-format text file in memory called “TealLock5 log.txt”. The log is particularly useful in creating an audit trail for handhelds used as part of a HIPAA compliance program. New in 5.45!

Double up system lock when reset

Normally, if the handheld is reset while on the TealLock locking screen, TealLock will fall back to the Palm OS system security lockout screen. When the double-up option is set, TealLock’s lock screen will also stay active, and will be shown after the system lockout screen is dispatched. This option may be useful if for some reason the system’s security password is disabled outside TealLock, rendering the system lockout screen less secure.

Remote Unlock

One of TealLock Corporate Edition and TealLock Enterprise Edition’s extremely useful and exclusive features is the ability for an Administrator to use Remote Unlock to unlock an employee’s handheld from another location, generating a temporary password which can be read over the phone or transmitted over email and keyed to the individual user’s device.

Valid for only one hour, the remote passkey is no longer valid after expiration and is secured by 128-bit encryption. It cannot be used to calculate a passkey valid at a later date or derive the administrator passkey.

The Remote Unlock feature can only be used on handheld units with identical installation settings to the Administrator’s handheld. Settings will be identical if…

1) The remote handheld was installed using an Install File generated on the Administrator’s handheld, or

2) If both units were set up using the same Install File.

Remote Unlock will not function on handhelds installed with a different administrator passwords or in the standard (non-Corporate) version of TealLock.

Using Remote Unlock

1) The administrator instructs the employee to enter the text ‘REMOTECODE’ (no space, not case-sensitive, no quotes) as the unlocking password on the locked-out device:

2) The employee’s handheld will return a 15 digit numerical Remote ID Code which encodes the date-stamp and identity hash of the device. This code is reported back to the administrator:

3) Using a second device, the administrator enters the Remote ID Code on the ‘Remote Unlocking’ screen (with no spaces) to generate a temporary unlocking code keyed to the specific device and valid one hour from the ‘Valid at’ time. The validity of the code is verified by the time on the remote unit, so if the time on that device is set incorrectly or if the employee is in another time zone, the remote time should be used when making the code.

4) To verify the time on the remote handheld, the local time can be displayed in TealLock by entering an incorrect password.

NOTE: To prevent an employee from requesting a passkey which may be valid at a future date, TealLock will show a warning if the Remote ID reflects either 1) a future time relative to the time on the Administrator’s handheld, or 2) if the install time on the remote handheld precedes the last time the administrator key was set on the administrator’s handheld. If time differences are due to time zone discrepancies or if the administrator passkey has been adjusted (and restored) after initial installation, the warnings can be ignored.

5) The administrator taps ‘Make Unlock Code’ to generate a 28-digit temporary unlocking key valid for the specified time. Unlike the numerical Remote ID code, the Unlocking Code will consist of both numbers and letters. Note that the letters i, z, and o are not used in the unlock code to avoid confusion with the numbers 1, 2, and 0, respectively.

6) The administrator relays the unlock code to the employee, who enters it into the locked device to gain access.

7) After unlocking, the employee will be asked to enter and verify a new User Password to replace the lost one.

Install File

Once desired settings are configured on an administrator’s machine, the Install File feature can be used to automatically copy these settings onto individual employee devices upon installation.

NOTE: An Install File will also copy registration keys to target devices. If the other devices are not running identically-keyed site license copies (available for 50+ units), they will need to be manually registered with their individual passkeys.

To create and use an Install File, perform the following steps:

1) Configure an initial administrator handheld with the desired individual display, activation, and password settings. If the program is a customized program version received as part of a site license, enter the company registration key as well.

2) Tap on the Install/Uninstall File button to create the install file on the model handheld, and select Install File. You will be asked for a password to imbed into the file, which will be the initial password needed to unlock the device immediately after installation. After initially unlocking the handheld with this password, the employee will be asked to enter a new unique individual password for personal use.

3) HotSync the administrator handheld. The install file will be copied to the handheld’s backup folder on the desktop computer. The exact location depends on where the Palm Desktop Software was installed, but a typical location is

C:\Program Files\Palm\UserName\Backup

Where “UserName” is an abbreviated form of your handheld’s HotSync User Name.

4) Locate the backed-up file on the desktop and make a copy to a convenient location. If you are encrypting named databases, you should also find and save the file “TealLock AppListDB”, which contains the IDs of the files to be encrypted.

5) Using the Palm Install Tool, install the install file and TealLock (and optionally the AppListDB) to individual handheld devices. If a previous version of TealLock is already running on any of the devices, it must be turned off first to continue.

For convenient installation, the program TealInstall can also be used to bind TealLock and the install file into a single self-installing Windows executable file which can be distributed via email, networks or other convenient means. With TealInstall, the employee only need double-click on the file to install TealLock at the next HotSync. Download TealInstall on our developer’s page (www.tealpoint.com/developr.htm) or contact us for a corporate site license.

NOTE: Other third-party HotSync solutions, such as Extended Systems can be used here as well. To work, the solution need only be able to simultaneously install all files onto a target handheld and trigger a soft reset after installation.

6) Unlike a simple settings file, the install file forces a reset on the new Palm after HotSync. TealLock will automatically install, activate, and lock the Palm, and require the initial password to unlock. After unlocking, it will ask the user to specify a new password before continuing.

7) If a customized site-license version of TealLock Corporate Edition or TealLock Enterprise Edition is being used, it should already be registered from the install file. If instead, the employee copies are being installed as individual licenses, individual registration passkeys will need to be entered on the individual devices to turn off registration reminders.

Uninstall File

An Uninstall File automates entry of an administrator password used to turn off devices deployed in the field. An older version of TealLock must be turned off before a newer version or updated settings are installed.

To use this feature, perform the following steps on a handheld running the SAME VERSION of TealLock as the units in the field:

1) Tap on “Uninstall File”. You will be asked for a password to imbed into the file, which should be the administrator password installed onto the field units.

2) HotSync the administrator handheld. The install file will be copied to the handheld’s backup folder on the desktop computer. The exact location depends on where the Palm Desktop Software was installed, but a typical location is

C:\Program Files\Palm\UserName\Backup

Where “UserName” is an abbreviated form of the handheld’s HotSync User Name.

3) Locate the backed-up file on the desktop and make a copy to a convenient location.

4) Using the Palm Install Tool, install the uninstall file to the field units. Other HotSync solutions (such as Extended System) can also be used to install files to the other handhelds. The TealMover file transfer program can even be used to directly beam the file onto a field unit.

5) After receiving the uninstall file, a dialog requesting a soft reset should appear on each handheld. When tapped, the units should reset and restart with TealLock turned off, ready for installation of a new program version and settings.

When changing settings only

When updating TealLock settings but not changing TealLock versions, an install file and uninstall file can be used simultaneously to update settings. The new settings file MUST, however, contain a new administrator password.

When updating TealLock versions

When upgrading TealLock to a new version, the uninstalling of the old version and installation of the new version must be done in two steps unless using a site license version of TealLock and upgrading to TealLock 5 or higher. When this is the case, make sure the uninstall file is made with the older version and the install file made using the new program with new settings.

SECURITY NOTE: The Uninstall File feature simply imbeds whatever password you enter when you create the file. It does derive the password from the current Administrator Password set on the device. Thus, the feature cannot be used beforehand to compromise an administrator password.

Once an uninstall file has been created and deployed in the field, however, the old administrator password should be considered insecure, as the uninstall file contains a lightly encrypted copy of the password. Also, anyone with a copy of the file can use it to turn off security on any units using the old administrator password. Thus, care should be taken to upgrade all devices in the field as simultaneously as possible once the old administrator password is no longer secure.

Appendix A – Usage Tips

Setting a Password

If you set a password, whenever you lock the device, you'll be required to enter the key again to regain access to your data. If you hide private records, you'll also be asked for the same key to show the records again. Obviously, you should keep your password in a safe place. Be sure to set a password for the standard security app as well, so private records cannot be shown from there without a password. We recommend you set both passwords to the same value or use the Keep system password in sync option to do this automatically.

Emergency Password

When you register, you'll be assigned an emergency password based on your registration key and Hotsync User Name that can be used to unlock your unit should you forget your normal password and have the “Emergency Password” option set. This is not the same as your registration key. If you need an emergency key, you can request that it be sent to the registration email that we have on file.

NOTE: The emergency password only works with TealLock, not with the System Lockout screen, which comes up if someone tries to bypass TealLock by resetting the handheld. Also, the emergency Password is disabled in TealLock Corporate Edition or TealLock Enterprise Edition once an administrator password is set. You can disable the emergency password in the standard edition as well by unchecking the corresponding option in the Advanced Security settings screen. Lastly, the emergency password can be used to gain last-resort access to the device, but it WILL NOT DECRYPT DATABASES that you have encrypted on the device, and any data encrypted when you use an emergency password will likely be lost.

Receiving calls with your Treo or Kyocera Smartphone

TealLock does not automatically allow applications to run while your handheld is locked. Since PDA phones require a Phone/Dialing application to run in order to receive calls, you need to specifically set TealLock to allow the Phone/Dialer app to run. See the Chapter: Enabling PalmOS Phones for more information on configuring TealLock to best work with combination phone/organizer devices.

Lock-screen Images

You can select an image database to be used as background imagery for your locking screen. This database must be in TealPaint format and can be modified in TealPaint. Use the TealPaint Image Manager to import your own image to TealPaint format. You can have multiple images in this database. If you do, a random image will be chosen each time you lock the handheld.

Using this feature, you can create a number of images in TealPaint, and add text there if you wish for "quote of the day" functionality, inspirational images, etc. In the image-select screen, enter the name of the image database to use. The sample one provided with TealLock is called "LockImgs". If you change it, be sure to specify the name as it appears in TealPaint with the exact same spelling and capitalization.

Lock-screen Text

The text that appears on the "Locked" screen can be modified. It can be bold or not, but is always black on white and drawn from the left hand side of the display or centered. If you are using an image, you should make space for the text, or better yet, render the text into the images themselves.

Shortcuts

Use the shortcuts to hide private records, show private records, or lock the handheld, at anytime. You do not need to be in a text-editing field for the shortcuts to work. A shortcut is a graffiti stroke which resembles a cursive lower-case 'L' followed by letter you select. A popup screen will tell you when private records are shown or hidden. When showing private records, if you have a password set, you'll be asked for the password to continue, and returned to the previous application when done.

When selecting shortcut strokes, make sure the letters do not match the first letters of any standard PalmOS shortcut macros set in Preferences.

Shortcut support requires a PalmOS device that provides Graffiti-style input. For devices like the Treo600 and Treo650, which do not support Graffiti, you can add Graffiti optionally support with TealScript.

Welcome Screen

If you want to use a password to protect your private records, but don't want to lock your device, you can set the "Don’t require password" option, which turns the "locked" screen into a "welcome" screen that does not require a password, but shows your message and waits for an "OK" before continuing.

System Lockout Screen

If your handheld is reset while locked, TealLock will fallback to the System Lockout Screen in ROM for maximum security. This lockout screen has the text "System Lockout" in the title bar on older devices, and the date and time on newer ones.

The password for this screen will only be the same as TealLock's password if you set them to be the same, or use the advanced option “Keep system password in sync” to do this automatically whenever you change the User Password. The TealLock emergency password and administrator passwords will NOT work for the System Lockout Screen, and there is no way past this lockout screen if you forget the password here.

NOTE: Under TealLock Corporate Edition, TealLock’s password screen can be set to double-up on the system password, so in case of an undiscovered flaw or backdoor in the system security, TealLock locking screen will still need a valid password to unlock the handheld.

Appendix B – HIPAA Compliance with TealLock

Background

The Health Insurance Portability and Accountability Act (HIPAA), establishes standards, requirements, and penalties designed to insure the privacy and security of patient records and data. Finalized in February 2003, the security provisions of HIPAA include physical, administrative, and technical safeguards to protect the integrity and access to information. Covered health care organizations are required to comply with HIPAA or face penalties of up to 10 years imprisonment and a $250,000 fine.

TealLock HIPAA compliance features

With more and more patient-related data finding its way onto to physician-owned handhelds, TealLock can play a vital role in insuring that any organization’s HIPAA compliance program. TealLock features relating to HIPAA Security Technical Safeguards (164.312) include:

Access control TealLock password-protection insures that only persons with access rights can view or modify protected health information (PHI) stored on the device.

Automatic logoff TealLock can automatically lock the handheld a specified number of minutes after a password is entered, performing an automatic logoff.

Emergency access procedure TealLock Corporate Edition’s administrator passwords can provide authorized individuals full access rights to data stored on the handhelds in an emergency.

.

Encryption and decryption TealLock supports encryption and decryption of data stored both in memory and on external storage cards with industry-standard 128-bit protection.

Audit trail TealLock Corporate Edition’s access log feature provides an audit trail for tracing for all logins, logouts and attempted logins.

TealLock site licenses are available for companies and organizations of 50 or more handhelds. Contact us at corporate@tealpoint.com or visit www.tealpoint.com for more information.

Appendix C – TealPoint Image Manager

The TealPoint Image Manager (IMAGEMGR.EXE) is a new Windows utility that replaces the TealPaint Image Manager that accompanied previous versions of TealPaint.

Use the TealPoint Image Manager to import or export images to or from TealPaint-format databases, view them on the desktop, or print them to a Windows printer.

Step 1 – Select a Database File

You can create a new TealPaint-format database, or find the backup of an existing one created on your handheld. Click on “Load” or load an existing database or “New” to create a new one.

When you HotSync your handheld, TealPaint image databases are automatically backed up to a folder called “BACKUP”
which in turn resides in a folder named after your handheld’s Hotsync User Name in the Palm install folder.

For instance, if your user name is “John Smith”, the backup folder would be in another folder named “SmithJ”. The backed-up files are named the same as the databases on the PalmPilot, but have a '.PDB' extension, like “PICTURES.PDB.”

NOTE: All PalmOS database files have a “.PDB” file extension. If you find an image database on, say, a website that also has a .PDB extension, it may not be (and probably is not) in TealPaint format, so don’t be surprised if the image manager cannot load it.

Step 2 – Preview images

Once a database is loaded, you can view any of the images in the database. Scroll the Image List to see the list of images by selection. Tap on a name to see that image to the left.

Step 3 – Import or Export Images

Importing an Image

Click on “Import” to import images from .BMP format. You can also click “Paste” to import an image copied to the Windows clipboard from another program or captured using the PrintScreen button. The Image Import window will appear, with a preview of how the image will appear.

On this screen you can set the target bit depth and image size of the final imported image, and also adjust the brightness and contrast of the converted image. Two options are also present:

Maintain proportions when scaling

When setting image sizes or fitting the image to a screen size, this option makes sure the image’s aspect ratio remains intact. When this option is not set, you’ll be free to stretch the image vertically or horizontally out of shape.

Dither image pixels

Allows the program to using patterns of similar colors to simulate the presence of intermediate colors. This option can greatly enhance the appearance of photographic images in grayscale or 8-bit modes.

Importing Multiple Images

When selecting a .BMP image to import, you can actually use the SHIFT button to choose more than one image at a time if they reside in the same folder, and import them in one step into the TealPaint image database.

When you do so, the first image selected will appear as normal, but a new “Import All” button will appear in the lower right. Click on it to import all the images together using the same settings, or “Import” to import only the first image and reopen the Import window with the next image selected.

Exporting Images

Click on the “Export” button to export one or more images to .BMP format, or “Copy” to export the currently selected image to the Windows clipboard so that it can be pasted into a PC-based paint or other program.

You have three export choices:

Single image to named file

The current image shown in the main window will be exported to a .BMP file you specify

Multiple images to base filename plus numbers

All the images in the database will be exported in order as numbered files. You specify the base filename, after which three numbers will be added. For instance, if you specify “Fred.bmp”, the actual files will be named “Fred000.bmp”, “Fred001.bmp”, “Fred002.bmp”, and so on.

All images using image labels as filenames

All images in the database will be exported using each image’s name as its filename. The Image Manager will add the .BMP extension as necessary, and will add “[2]”, “[3]”, etc to images whose names conflict with existing files or previous images. You specify a default filename to be used for files with no description or whose name consists of invalid Windows filename characters.

Step 4 – Other Actions

Printing an Image

Click on “Print” to print the current image to your Windows printer.

Install Database

Once changes have been made to a database, you need to “install” the changes to copy them back to the handheld. This is true even if the file exists in the user backup folder, as the Palm Desktop will not automatically mirror the changes back. In fact, it is even more important to install a database here, as the backup file will get overwritten if the database is modified on the handheld.

You can use the Palm Install Tool in the Palm Desktop program to install the databases, or tap on the “Install” button in the Image Manager to automatically install the current database for you.

NOTE: Never make changes to the same database (or databases of the same name) on both the desktop and handheld at the same time. The entire database is backed up when changes are made on the handheld, and entire databases (not just individual images)completely overwrite the same file on the handheld when you install them.

Appendix D – Security Whitepaper

Password Security and Data Encryption in TealLock

TealPoint Software

This document outlines the password and encryption methods used in TealLock as they apply to TealLock Corporate Edition for PalmOS. TealLock is a security application for PalmOS handhelds, supplementing the security of the device with an automatic password-based locking mechanism and optional encryption of selected databases while the device is locked.

Individual Passwords

Both individual user and administrator passwords are handled in TealLock in a similar manner. The passwords are not saved on the device, but hashed using an industry standard 128-bit MD5 algorithm. When a password is requested, entered values are hashed using the MD5 and compared to saved values to gain access.

Remote Passwords

Remote-unlocking passwords, unique to TealLock on the PalmOS platform, allow IT personnel to issue time-sensitive passwords to individual users to unlock their devices without compromising the global administrator password or future remote passwords. While simple checksums and embedded bits in unlocking keys are used to code a particular unlocking key to a single device or hour of the day, an MD5-based OTP (one time password) system prevents a code from being used after the day of issuance even if the program code is reverse-engineered. When generating codes on the administrator device, TealLock issues a warning should an employee misadjust their system time in an attempt to request a key for a future date. TealLock can generate 1000 unique remote passwords, one valid for each day after initial selection of the administrator password. Thus, the administrator password used on devices in the field should be changed at least once every 2 and ½ years to avoid running out of valid remote passwords.

Encryption Keys

Encryption keys in TealLock are generated using an MD5 hash of the User Password, utilizing a separate hashing key from that used for password verification. After encryption, the key is deleted from memory. When a User Password is entered to unlock the handheld, it is hashed using the encryption hashing key to regenerate the encryption key used to decrypt the encrypted data.

In TealLock Corporate Edition, when an administration key has also been set, a second encryption key based on the administrator passkey is also generated. The user and admin keys are then each used to create encrypted backups of the other using a 128-bit MDC/MD5 block cipher, and the original keys are erased from the device. This system allows recovering of the encryption key only if either the administrator or User Password is entered.

Encryption Algorithms

TealLock supports three standard encryption methods:

1) Fast

The “fast” encryption method utilizes the output of a 64-bit pseudo-random number generator as a bit stream to XOR with the data to be masked. Designed for speed, it is not designed to be robust from a “known-text” attack by a crypto-analyst, but is suitable for routine use and protection from ordinary individuals.

2) 128-bit MDC/MD5

This known algorithm, added to TealLock in version 4.00, consists of a message digest cipher (MDC) using an MD5 algorithm as the one-way hashing function. Commonly in use, this is known as an MDC/MD5 and is the slowest algorithm supported, but is useful for encrypting small amounts of data.

3) 128-bit Blowfish

Added to TealLock in version 4.15, the blowfish algorithm was created by Bruce Schneier as a drop-in replacement for DES or IDEA, and is growing in popularity as a strong encryption algorithm. Supporting variable key sizes from 32 to 448 bits, it has been implemented in TealLock using a 128-bit key.

4) 128-bit AES

Added to TealLock in Enterprise Edition 5.60, AES provides the strongest encryption choice. TealLock’s AES algorithm has been tested and verified with the AES Monte Carlo Test (MCT).

Encryption Strength

All encryption methods use keys based on User Passwords, salted with additional machine metrics specific to the device and files being encrypted. The 128-bit keys provide maximum protection for alphanumeric passwords up to 20 characters in length. Real-world protection depends on the actual length of User Passwords.

It is alarming and somewhat amusing to note some past competing products claiming 512-bit or higher protection, which is, of course, unachievable since all salting data must reside in memory with the device and the strength of the encryption from a brute force attack relies on the strength of the user password. A 512-bit encryption key would require users to enter passkeys with 80 or more randomly chosen characters. A common minimum password length of 8-characters represents at most only 52 or so bits of entropy, limiting any true achievable security to the same bit length regardless of encryption bit depth. In reality, using a 512-bit encryption algorithm under such circumstances and filling in the missing bits with salting data stored on the device could likely compromise security and result in less secure data than encryption algorithm chosen to match password length.

Additional Password Features

The selection of insecure passwords by end users is the largest security threat in any corporate environment. To enhance password security, TealLock supports features to enforce minimum lengths for User Passwords and optional requirement for both letters and numbers and/or upper and lower case characters to be present in passwords to prevent “dictionary” cracking methods. In addition, options are provided for both a User Password lockout and data self-destruct (bit wipe) modes to deter brute force attacks.

Device-specific Implementations

TealLock 5.0 supports additional encryption ciphers by way of the PalmOS Cryptomanager library. Encryption ciphers installed into ROM by the handheld manufacturer are automatically recognized by TealLock and make available for use.

On the Palm Tungsten C handheld, TealLock supports optional 128-bit RC4 encryption via the Cryptomanager library. In fact, the standard Security application present in ROM on both the Tungsten C and Tungsten T2 are special streamlined versions of TealLock standard edition, licensed by Palm from TealPoint Software specifically to enhance the security of those devices for the enterprise market.

Appendix E – Compatibility

As we cannot control the style and robustness of other products, we cannot guarantee compatibility with Palm OS applications beyond those included from Palm Computing. However, we try to resolve compatibility issues as best we can.

Tungsten T5 / Treo650 Compatibility

The Tungsten T5 and Treo650 include the new PalmOS non-volatile file system (NVFS). Make sure you are running TealLock 5.4 or higher, which has been upgraded to work around changes in the memory architecture on these devices.

Installation and launching

I can't HotSync the new version or move it to Flash memory

The built-in delete-protection will prevent you from overriding the program while it is currently running. You must first turn it off first before upgrading to a newer version or deleting the program.

TealLock crashes as soon as I try to run it; I've restored from backup

There is a known problem with Backupbuddy correctly backing-up and/or restoring TealLock, possibly because it cannot handle files which are currently locked and hooked up into PalmOS. When run, Backupbuddy "restores" a corrupt 1k file which cannot be run or deleted by the standard system launcher. To fix it, use TealMover or a similar file-management program to delete the 1k TealLock file after turning off its protect and read-only bits and reinstall TealLock from the original download, and check with Blue Nomad for more assistance.

Password entry

Help! I can't enter my password

Make sure that the Text entry line is active, which is indicated by a flashing cursor. If it is not, click on the text entry line first.

The Quick Password doesn't work sometimes...

By default, the four hardware buttons are mapped to '1','2','3', and '4', respectively. This allows you to unlock your device 'pen free' using the Quick Password if your Quick Password uses these numbers or whatever characters you choose to map. When you turn on the device using a hardware application button (or accidentally do so while it's in your pocket), that first press counts as entering a key, which will invalidate your Quick Password entry. To keep this from happening, you can map all four buttons (and optionally the Palm V contrast button) to nothing by setting them all to "no".

In TealLock 5.0, you can set the Quick Password countdown to start only after the initial key presss.

Help! My Treo keeps asking me for a 4-digit numerical password, but I haven't set one.

This is the phone-locking screen that is part of the Treo's "Phone" application. It is not a request coming from TealLock. The Treo will automatically activate its own locking in certain circumstances, but uses a different password that is not related to the one set in TealLock. By default, this password is set to the last 4 digits of your phone number.

Help! I reset the Palm and my password doesn't work.

After a reset, TealLock falls back to the system lockout screen, which is part of the Palm OS, not the TealLock locking screen. If you set the standard Palm security app to a different passkey, and have not set the "Keep system password in sync" option or have changed the system password after the one in TealLock, enter the system key instead of your TealLock key. The system security screen says "System Lockout" in the title bar.

PalmOS Phone Support

How can I receive calls when locked?

Try using TealLock’s “Allow app to run when locked” feature to permit your phone’s dialing application to run. See the chapter: PalmOS Phones above for more information.

Compatibility

Is TealLock compatible with PalmOS 5?

Yes. TealLock is fully compatible with PalmOS 5 and handhelds running ARM processors like the Tungsten T. Make sure you are running version 5.0 or higher.

Sometimes, I turn on my device and only a blank screen is showing...

An alarm going off or a conflict with the running program may have prevented TealLock from switching to the lock screen. The active screen or alarm dialog is probably active and waiting for a button tap, but its buttons have just been erased in preparation for the locking process. Try turning off the "blank screen" option in TealLock if this occurs. In TealLock 5, it is off by default.

Help. I seem to be noticing decreased battery life when running TealLock.

If you are trying a demo version of the program, be sure not to leave the TealLock waiting on the popup registration reminder screen for an extended period of time after activation, as the program sits in a loop here waiting for a pen tap, which can use battery life more quickly than when sitting idle in the main body of an application.

Alarms

My alarms or snooze messages do not show when the handheld is locked.

Are you encrypting the Datebook or ToDo databases? When a database is encrypted, it is protected from access to safeguard the data, so the Datebook application cannot access it. When TealLock detects a Datebook alarm with an encrypted database, it will sound and show a substitute alarm screen. Datebk5, however, may also expect the ToDo database to be unencrypted as well, and may not display snooze messages if the ToDo database is encrypted.

Under TealLock 5 and PalmOS5, the datebook will show alarms as “Private Appointment” when the handheld is locked. This is standard functionality also found in the standard security app and part of designed PalmOS locking behavior.

Encryption

What kind of encryption does TealLock support?

TealLock supports a number of different encryption types, from a simple fast encryption method to industry-standard 128-bit Blowfish encryption. On a Tungsten C, RC4 is also available.

How to I Restore Encrypted Records after I reset?

If the Palm is reset while on the Palm locking screen, TealLock will fall back to the system security screen. When this is unlocked, TealLock will automatically launch and decrypt the encrypted records. If for some reason, a conflict with installed “hack” extensions, for instance, TealLock is not able to decrypt the records, simply relock and unlock under TealLock to restore your records. Do not change your password before doing so and do not run other programs that may try to access the encrypted records, as they may either crash or modify the encrypted data, preventing it from being decrypted properly.

Flash Memory

Can I put TealLock in flash memory or extra protection?

Yes. We do not recommend using this feature for most people, but it has been included for customers with specific needs in this area.

See the manual on how to create a "settings file" to snapshot your current settings. To put both into non-removeable flash memory (if present on your device), use a utility like FlashPro from TRG. Note that you cannot put TealLock into a *removable* flash card because it must stay connected to the system to remain functioning.

I can exit the locking screen on a Visor by inserting a flash memory card

If you are running Launcher III, this is a bug in that program, which hijacks the system when a card is removed. We've found that it even bypasses the standard Palm Security's lock screen, and does so if Launcher III is installed, regardless of whether it is activated as the default launcher. Programs which inadvertantly leave files open on the expansion card can cause this behaviour.

Site Licenses

How can I obtain a licensing information for TealLock Corporate Edition?

Please email our Corporate Services Department at corporate@tealpoint.com. Site licenses are available for 50 or more customers. Download the latest version from our Corporate Edition information page at http://www.tealpoint.com/corplock.htm.

Appendix F – Products

Visit us online for our complete product line, including:

SHORTCIRCUIT ( http://www.tealpoint.com/softshrt.htm )

A new twist on gameplay fused from your all time action puzzle favorite games, connect falling conduit pieces into explosive loops in this frantic race against the clock.

SUDOKUADDICT ( http://www.tealpoint.com/softsudo.htm )

Sudoku Addict brings to your handheld the addictive worldwide puzzle craze that has displaced crossword puzzles in many newspapers in Great Britain and Japan.

TEALAGENT ( http://www.tealpoint.com/softagnt.htm )

Get news, movie times, stock quotes, driving directions, web pages and more without need for a wireless connection. TealAgent fetches and formats web-based content for offline viewing.

TEALALIAS ( http://www.tealpoint.com/softalia.htm )

Free up memory and make the most of external expansion cards. Placeholder 'Alias' shortcut files automatically find, load, and launch apps and data from external SD cards, increasing free main memory.

TEALAUTO ( http://www.tealpoint.com/softauto.htm )

Track and graph automobile mileage, service, and expenses with TealAuto, the complete log book for your car or any vehicle. Extensive customization options and unmatched in features and functionality.

TEALBACKUP ( http://www.tealpoint.com/softback.htm )

Backup your valuable data with TealBackup, supporting manual and automatic backups to SD/MMC/CF cards and Memory Stick, backups through HotSync, and optional compression and encryption.

TEALDOC ( http://www.tealpoint.com/softdoc.htm )

Read, edit, and browse documents, Doc files, eBooks and text files with TealDoc, the enhanced doc reader. Extensive display and customization options; TealDoc is unmatched in features and usability.

TEALECHO ( http://www.tealpoint.com/softecho.htm )

Improve your Graffiti text input speed and accuracy, seeing what you write with TealEcho digital "ink". No more writing blind!

TEALGLANCE ( http://www.tealpoint.com/softglnc.htm )

See the time, date, upcoming appointments and todo items at power-up with TealGlance. The TealGlance pop-up utility comes up when you power up your handheld letting you see your day "at a glance."

TEALINFO ( http://www.tealpoint.com/softinfo.htm )

Lookup postal rates, area codes, tip tables, schedules, airports, and info from hundreds of free TealInfo databases. Create you own mini-apps; a handheld reference library.

TEALLAUNCH ( http://www.tealpoint.com/softlnch.htm )

Launch applications instantly with the TealLaunch pop-up launcher and button/stroke-mapping utility. Map applications to button presses and pen swipes so you can get to your apps quickly.

TEALLOCK ( http://www.tealpoint.com/softlock.htm )

Secure and protect your handheld with TealLock, the automatic locking program with encryption and card support. TealLock has unmatched features and customization options for personal or corporate use.

TEALMAGNIFY ( http://www.tealpoint.com/softlens.htm )

Save your eyesight with TealMagnify, an ever-ready magnifying glass that works with most any program. TealMagnify lets you enlarge the screen for those times the text is too small to read.

TEALMASTER ( http://www.tealpoint.com/softmstr.htm )

Replace Hackmaster with TealMaster, the supercharged 100%-compatible system extensions manager. TealMaster adds enhanced stability, configuration and diagnostic features and PalmOS 5.0 hack emulation.

TEALMEAL ( http://www.tealpoint.com/softmeal.htm )

Save and recall your favorite restaurants with TealMeal, the personal restaurant database. With TealMeal's handy sorting and selection options, never ask "where to eat" again.

TEALMEMBRAIN ( http://www.tealpoint.com/softmemb.htm )

Stop crashes and monitor your memory use with TealMemBrain, the application stack stabilizer. TealMemBrain boosts your stack space on OS3 and OS4 handhelds, eliminating the major cause of system instability.

TEALMOVER ( http://www.tealpoint.com/softmovr.htm )

Beam, delete, rename, and copy files with TealMover, the file management utility for SD/CF/MS cards. TealMover lets you see, move, modify, and delete individual files on the handheld.

TEALMOVIE ( http://www.tealpoint.com/softmovi.htm )

Play and convert high-quality video and synchronized sound with the TealMovie multimedia system. TealMovie includes a handheld audio/movie player and a Windows AVI/Quicktime converter program.

TEALNOTES ( http://www.tealpoint.com/softnote.htm )

Insert freehand graphics anywhere with TealNotes "sticky notes" for Palm OS. TealNotes can be inserted into memos, to-do lists, address book entries--almost anywhere you currently have editable text.

TEALPAINT ( http://www.tealpoint.com/softpnt.htm )

Paint, sketch, or draw with TealPaint, the all-in-one graphics paint program for PalmOS. Highlights include 20 tools, 16 patterns, 24 brushes, zoom, hires, layers, multi-undo, and a desktop converter.

TEALPHONE ( http://www.tealpoint.com/softphon.htm )

Supercharge the address book with TealPhone, the contacts replacement with superior interface and options. Highlights include enhanced display, search, phone-dialing, groups, and linking.

TEALPRINT ( http://www.tealpoint.com/softprnt.htm )

Print text and graphics to IR, serial, and Windows printers with TealPrint. With numerous connection options, TealPrint, is the all-in-one text and graphic printing solution.

TEALSAFE ( http://www.tealpoint.com/softsafe.htm )

Store your passwords, credit cards, PIN numbers, and bank accounts in the TealSafe data wallet. With maximum security and encryption, TealSafe is a must for features and security.

TEALSCRIPT ( http://www.tealpoint.com/softscrp.htm )

Replace Graffiti 1 or Graffiti 2 with TealScript, the text recognition system you can customize. Unlike other systems, you can make or change your own strokes for better speed and accuracy.

TEALTOOLS ( http://www.tealpoint.com/softtool.htm )

Improve productivity with TealTools pop-up Palm Desk Accessories. TealTools includes a popup calculator, clock/stopwatch, preferences panel, editing panel, memopad, and a file/backup manager.

TEALTRACKER ( http://www.tealpoint.com/softtrac.htm )

Track time and expenses with a fast, easy to use interface that requires minimal effort. Generate reports and export data to a spreadsheet. TealTracker is your personal time clock.

Appendix G – Revision History

Version 5.65 – August 22, 2006

· Fixed locking shortcut functionality (broken by 700p fix in version 5.64)

Version 5.64 – August 10, 2006

· Added compatibility with Treo 700p, fixing entry of password on standard security app after reset

Version 5.62B - January 20, 2005

· Fixed background image settings from being reset after soft reset on NVFS devices

Version 5.62 - January 13, 2005

· Added new default logon background image

· Improved interface to ignore key-mapping of 5-way nav buttons on settings screens with passwords

· Improved 5-way navigation order in main and settings screens

· Updated deletion protection to work on newer Palm devices

· Fixed quick password timer from starting pre-advanced when using 'wait for tap' option

· Fixed 'lock on reset' option from mistakenly activating activating after a device reset

· Fixed compatibility with very old PalmOS 3.1 handhelds

Version 5.61 - August 31, 2005

· Added faster and more secure activation mechanism when launching unauthorized apps in 'run when locked' mode

· Added faster and more secure activation mechanism when resetting device

· Added filtering of menu shortcut key to block menu shortcut bar when locked

· Added preselection of lock button on main screen for easier 5-way nav use

· Added selection of text cursor on password popups to keep state alt-shift lock on treo 600/650

· Added code to block HotSync from launching when using 'run apps when locked' feature with some apps

· Improved detection/ignoring/restoring of power-on button presses, especially on Treos and when using system keyguard

· Improved Treo dialpad functionality to lock out contact lookup in "run app when locked" mode

· Improved Treo dialpad functionality to lock out favorites button in "run app when locked" mode

· Fixed compatibility to optionally dialing out calls on Treo 650s when locked

· Fixed compatibility using Treo 600/650 keyguard when device is locked

· Fixed activation timing wake-up looping when using reversed time range

Version 5.50 – June 1, 2005

· Fixed alarms from being silenced early on Treo 600/650

Appendix H – Contact Info

TealLock by TealPoint Software

©1999-2006 All Rights Reserved.

TealPoint Software

TealLock for PalmOS

454 Las Gallinas Ave #318

San Rafael, CA 94903-3618

Please visit us at www.tealpoint.com, or email us at support@tealpoint.com.

We look forward to hearing from you.

Appendix I – Registering Individual Copies

Registering allows you to use the program past the 30 day expiration period and turns off registration reminders.

Currently, you may register by snail mail or online with a credit card and a secured server from the store where you downloaded the software. For the first option, send the following information on a sheet of paper separate from your payment.

· Product Name

· E-Mail Address

· HotSync User ID (Pilot Name Required for Passkey generation. It can be found on the main screen of the HotSync application on the Pilot as "Welcome ________" or in the corner on a PalmIII or higher)

· Check (drawn off a US Bank) or Money Order for ($19.95 US standard edition, $24.95 corporate edition). No international checks or money orders please.

Appendix J – Site Licenses

TealLock Corporate Edition features special administrator access functionality, and is available for site license customers. For 50 or more users, a customized version of the program is available with a single registration key for ease of installation. For more information about obtaining a site license for your business or institution, email corporate@tealpoint.com.

For trial or for offices with fewer than 50 users, individual copies of TealLock Corporate Edition are available for $24.95 per copy. Individually keyed for each handheld, they may be purchased online where you downloaded the program.

Appendix K – Legal Notice

We at TealPoint Software are committed to providing quality, easy-to-use software. However, this product is provided without warranty and the user accepts full responsibility for any damages, consequential or otherwise, resulting from its use.

This archive is freely redistributable, provided it is made available only in its complete, unmodified form with no additional files and for noncommercial purposes only. Any other use must have prior written authorization from TealPoint Software.

Unauthorized commercial use includes, but is not limited to:

· A product for sale.

· Accompanying a product for sale.

· Accompanying a magazine, book or other publication for sale.

· Distribution with "Media", "Copying" or other incidental costs.

· Available for download with access or download fees.

This program may be used on a trial basis for 30 days. The program will continue to function afterwards. However, if after this time you wish to continue using it, please register with us for the nominal fee listed in the program.

Thank you.

CUSTOMER LICENSE AGREEMENT

YOU ARE ABOUT TO DOWNLOAD, INSTALL, OPEN OR USE PROPRIETARY SOFTWARE OWNED BY TEALPOINT SOFTWARE, INC. CAREFULLY READ THE TERMS AND CONDITIONS OF THIS END USER LICENSE BEFORE DOING SO, AND CLICK BELOW THAT YOU ACCEPT THESE TERMS.

1. License. You are authorized to use the Software Product owned and developed by TealPoint Software, Inc. on a single hand-held computing device on a trial basis for thirty (30) days. If after 30 days you wish to continue using it, you are required to register with TealPoint and pay the specified fee. This license is not exclusive and may not be transferred. You may make one copy of the Software for back-up and archival purposes only.

2. Ownership. You acknowledge that the Software Product is the exclusive property of TealPoint Software, Inc, which owns all copyright, trade secret, patent and other proprietary rights in the Software Product.

3. Restrictions. You may NOT: (a) decompile or reverse engineer the Software Product; (b) copy (except as provided in 1 above) sell, distribute or commercially exploit the Software product; or (c) transfer, assign or sublicense this license.

4. Disclaimer of Warranty and Liability. TEALPOINT MAKES NO WARRANTY, EXPRESS OR IMPLIED, AS TO THE ACCURACY, COMPLETENESS OR FUNCTIONING OF THE LICENSED SOFTWARE, INCLUDING WITHOUT LIMITATION, WARRANTIES OF MERCHANTABILITY OR OF FITNESS FOR A PARTICULAR PURPOSE, ALL OF WHICH TEALPOINT DISCLAIMS. ALL LIABILITY IS DISCLAIMED AND TEALPOINT ASSUMES NO RESPONSIBILITY OR LIABILITY FOR LOSS OR DAMAGES OF ANY KIND, DIRECT OR INDIRECT, INCIDENTIAL, CONSEQUENTIAL OR SPECIAL, ARISING OUT OF YOUR USE OF THE LICENSED SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY THEREOF.

5. Termination. You may terminate this Agreement at any time by destroying your copy(ies) of the Software Product. The Agreement will also terminate if you do not comply with any of its terms and conditions, at which time you are required to destroy your copy(ies) of the Software Product and cease all use.

6. Applicable Law. This Agreement is governed by the laws of the State of California.