OnlyMe™ For Palm OS Compatible Devices

If you still cannot unlock your device then, unfortunately, you must follow the Forgotten Password procedure.

OnlyMe thinks that it has been "beamed" to another device and has reverted to being the trial version.

For security reasons, OnlyMe ensures that it may not be run from FLASH memory. OnlyMe modifies itself to disable certain methods of bypassing Palm™ security programs. Programs residing in FLASH memory do not modify themselves.

A special, site licensed version of OnlyMe can be modified by the licensee to allow a "backdoor" password and/or an "administration" password on devices running Palm OS version 2 or later. Normal versions of OnlyMe do not accept any other password than the one you set. If you do not know your password, please follow these instructions.

"Private" records provide a handy way to keep seldom-used records off-screen. Private records are stored clearly in data files on any PC that is HotSynced from your device. Too, many programs are available for the device, itself, which allow anyone to view or beam private records. You may or may not have such programs loaded on to your own device.

Care to be more specific?

There are certainly ways that such a person can get to your Palm device. For instance, he could very easily tell the Palm Install Tool program to install a "Trojan Horse" type program. After your next HotSync, such a program can do anything it wants to do on the device. For instance, it could simply remove OnlyMe.

If this sounds harsh, remember what a person with bad intent can do to you if he has access to your PC. That he can access your Palm device may be the least of your troubles.

The Palm device's memory corresponds to a laptop's disk drive. The Palm device's memory is, for practical purposes (at the time of this writing), as secure as a PC or laptop's disk drive.

If you run an operating system on the PC/laptop that stops application programs from accessing some of the data on the drive (with a log-on password, for instance), then you are using the Palm equivalent of "hide records". Defeating "hide records" is usually and probably (at the time of this writing) quicker and easier than defeating the PC/laptop log-on mechanism.

PC/laptop screens are easier to "shoulder surf" than the Palm screen. That is, other people can see a PC/laptop screen easier than a Palm screen.

PC/laptop keyboards can probably be a little easier to "shoulder surf" while you enter a password. Graffiti passwords are probably a little easier to "shoulder surf" than a PC/laptop keyboard. This is, of course, very much a matter of opinion.

Laptops go home with their users. Palm devices do, too. Users copy data from laptops on to their home PC's. Users HotSync their Palm devices with their home PC's.

Laptops are harder to lose that Palm devices. Laptops usually need stickers to identify the owner. Palm devices can have stickers and/or they can be identified in the Owner Preferences.

Users can copy personal data and programs from a laptop to their "work" PC's. Users will usually keep personal data on their Palm devices and will HotSync it to a "work" PC or server.

Users can connect their laptops to their "work" LAN and run programs on the laptop that can access other PC's, etc. on the LAN. In the future, connectivity will probably be better between Palm devices and the outside world. For now, though, from a security point of view, it's better that Palm devices are not so "connected."

Users can copy data and programs through floppy disks, serial and parallel ports to other PC/laptops. Users can "beam" programs from their Palm devices to other Palm devices.

Encryption programs exist for both laptops' disks and Palm devices' memory.

To be really secure, you will need a program that uses a "strong" encryption algorithm - and a password that is a phrase of several words, minimum. Naturally, your password cannot be saved as a Graffiti shortcut!

Technically, the security of encrypted data usually depends upon two things:

1. The amount of data-ambiguity in the password.
2. The amount of data-ambiguity lost in the encryption method.

"Data-ambiguity" means, for rough purposes, "how many possible passwords can there be." For instance, if you use a 1 letter, A through Z password - and the bad guy knows that you have a 1 letter, A through Z password - then the "data-ambiguity" of your password is 1 in 26. That is, the bad guy can try 26 possibilities and be assured of decrypting your data. As the length of your password goes up, the data ambiguity goes up.

So called "strong" encryption methods, for reasonable passwords, don't lose any data-ambiguity from the password's inherent data-ambiguity. That is, they don't take a password with a data-ambiguity of, say, 1 in 1000, and trim it to 1 in 100. Unless you encrypt your data with such a "strong" encryption mechanism, your data is almost certainly not very secure.

As of this writing, the U.S. government restricts exportation of "strong" encryption programs that allow data-ambiguity ("key" length) of more than 56 binary bits (56 bits is 1 in 72,057,594,037,927,936).

The cryptographic community regards 56-bit keys to be breakable if there is enough incentive to do so.

Horrors, right? Should patriotic Americans wonder whether their government is, in fact, on their own side?

Well, let's drop that sensitive topic and remember that in order to encrypt to 56 bits of data-ambiguity, you must use a password that actually has 56 bits of data-ambiguity. If you do, and you enter the password often, you spend a good deal of your life doing so! A half dozen or more random, six to ten character words in your favorite language and an odd symbol or two might get you 56 bits of data-ambiguity, for instance.

But, there are advantages to using a secure data storage program:

• The data is encrypted on your PC, too. And, backup copies of the data from your PC will be encrypted.

• It will be very clear to you what data is encrypted and what data is not encrypted. Clarity in this area is a good thing. It allows you to spend you mental energy on other things. And, it helps you avoid mistakes.

That said, here are the reasons:

• An effective encryption password would need to be too long for lock/unlock use.

• Which data should be encrypted? Making that decision too easy makes it too easy to make a mistake. To be effective, this decision needs to be made in a more serious way than by checking a checkbox on or off. Once the box has been checked off, for instance, there is probably no going back. The data has been compromised.

• Programs that cause alarms (silent or otherwise) need their data. If the data is encrypted, such programs will crash. If the data is decrypted during alarm processing, then the lock program doing the decryption needs access to the "password" to decrypt the data. If such a lock program has access to the "password", then it has done the equivalent to leaving the key under the front door mat.

• Most modern PalmOS devices will be nothing but trouble if alarm processing is disabled. Some devices require alarm processing to operate.

• Encryption/decryption takes time. Too much time to be done without user irritation when power turns off and on.

• If instead of encrypting and decrypting when the device lock/unlocks, encryption/decryption is done "on the fly", then the "password" must be available at all times during normal device operation. This is the equivalent to leaving copies of your front door key out in the open all over the place.

Quick answer: trojans.

In this context, a "trojan" is a program that someone can beam on to your device to pick up your password when you later enter it.

Second quick answer: are you sure about that password?

If you use a secure storage program, you are probably pretty sensitive about your data. It's generally a good idea to put another fence around such data. The "other fence" serves to make it difficult to copy your encrypted data from your device to a more powerful machine.

If the bad guy copies the data to his own machine, then he can put a lot of computer power to work on decryption.

A lock program makes this whole process more difficult for the bad guy.

The reason why, with many systems, you must "hit Enter" is that you are not telling your password directly to the system that validates it. Instead, you are telling your password to an intermediary: a computer program/system that, once it is told that you have completed your password entry, sends your password to another computer/system for validation.

OnlyMe directly validates your password. Therefore OnlyMe does not need to be told when you have completed your password.

Systems that separately enter and validate a password can be built as securely as OnlyMe with regard to keeping a password in memory. But often, in practice, one of two things may happen:

1. The password entry system will store the password in clear-text, locally.
2. The password will be transmitted to the validation system in clear-text.

These are not good things.

More practically, an "Enter" key is about the equivalent of one extra, simple OnlyMe "keyboard" key (A..F).

First, OnlyMe knows whether you have entered your password. It does not need to send the password to any external system for verification. In fact, OnlyMe does not actually store your password at any time - even during entry - but it does store a "hash" of your password.

For OnlyMe to check a new password against many previous passwords, OnlyMe would need to store hashes for those many previous passwords. That means that if the "bad guy" gets his hands on this record, not only does he know your current password hash, but many previous password hashes. As a general rule, it is not wise to give the "bad guy" any extra information or help. The full record of your "hashes" may, for instance, help the "bad guy" know what new password pattern you use. And he may naturally expect that you would use a similar pattern for other systems that require password changes.

It is for this reason that effective password-change systems rely on a separate, remote, secure validation system. PalmOS devices do not have access to such an external, secure system. Nor, as noted above, does OnlyMe need such a system.

There are some negative security implications to this common practice:

• If you do so, then you may more easily forget your password. This fact can lead to:
  • the equivalent of writing your password on a "post-it" note pasted to your computer terminal.
  • discontinuing password security usage.

• You may choose less secure and/or usable passwords. How many people react to systems that enforce password changes by choosing passwords of forms like these?
  • 12345
  • 23456
  • 34567
  • 45678
  • etc.
  • aaaaa
  • bbbbb
  • ccccc
  • ddddd
  • etc.
  • january
  • february
  • march
  • april
  • etc.

1. To date, every person who has suggested that OnlyMe disallow "obvious" passwords (including the OnlyMe author), has suggested a different set of "obvious" passwords. What is "obvious" to one person seems to be completely out of the thoughts of another.

2. To do so lessens the number of possible passwords. This has the effect of requiring a longer password to get the same level of security.

When will you lose your device? During certain hours only?

And, what about weekends and holidays - should you want to be unlocked during the day?

So, if you use scheduled locking, those with experience with Murphy's Law may have little sympathy with you when your device is gone - out of your control.

Copies of any data on your device may be in memory at any location. Those copies may be stored in proper, OS-managed databases, or they may not. Data not contained in OS-managed databases would not be erased by clever or dainty methods.

Site licensees receive a WinDOS program, TZOnlyMe, that allows site IT people to set/disable certain internal OnlyMe options.

You may safely assume a few things about the information in these advisories (to date, May 7, 2001):

• The information in these advisories has generally been well known in the Palm developer community.

• The information is incomplete. There are other things that could be said about Palm devices and security.

• When you read an advisory, you have just read a reason why programs such as OnlyMe exist.

• Reasonable access security programs (of which there are probably several now) for PalmOS devices regard closing these particular holes, to the best of their abilities, to be a minimum requirement.

A study of particular password methods:

Interesting editorial with things to say about passwords:

Lots of security related books.

A method for picking long passwords, suitable for using to encrypt data (Diceware).

Un-uplifting reaon why passwords will be with us for some time to come.

A web page the plays a guessing game with you. It can demonstrate why the human mind does not pick items (like password characters, for instance), at random.

Humor:

Um die deutsche Version von OnlyMe zu benutzen, installieren Sie bitte die Datei "OnlyMe_German.prc" aus dem OnlyMe ZIP-Archiv.

OnlyMe wurde von Jens Herrmann (www.jhc.de) ins deutsche übersetzt.
Übersetzt wurden alle Menüs, Informationen und Anleitungen in OnlyMe.

Für deutschsprachigen Support steht Ihnen die eMail-Adresse onlyme_de@tranzoa.com zur Verfügung.

Version 5.08 : November 23, 2003 Release

Various changes to OSv5 power and Lock Delay control.
More logging of special values and events (dev versions).
Disable FastStart upon normal or ambiguous program entry.

Version 5.07 : November 16, 2003 Private release

Apply German changes to new Support tab option.

Version 5.06 : November 5, 2003 Limited Beta

Under OSv5, handle certain programs that do not allow device to lock (e.g. DateBk5 pending alarms).
Allow certain Legend and other, now OEM key events to pass.
Recognize particular T/W system extension.
Tungsten 3 - Disallow Picture Capture (build setting option).
T3 - do not hash screen at lock time.
T3 - Slide Dynamic Input Area out and in/out (if device is up-to-date).
T3 - Disallow most DIA operations while locked.
Correct a bad special setting for Tungsten W, making it (finally!) able to answer calls and see incoming SMS's when locked. Note: Setting can be made to versions v5.03+.
Don't let D-side-keys "try" a password while picture or owner-info or ClockOn is displayed.
Under OSv5, don't lock when in cradle/charger and Pref's 'Stay On In Cradle/Charger' option is set.
Recognize ClockOn v1.06 and run it directly as a plugin under OSv5.

Version 5.05 : October 1, 2003 Private release

Version 5.04 : August 18, 2003

Better sensing of current app under OSv5.
Fix the code that allows specific-case beam-stopping logic for certain phones.
Fix a keyboard-rectangle-showing problem with certain OSv3.x devices when OnlyMe is set to show backdrop at power-on time.

Version 5.03 : June 7, 2003 Release

Turn off Graffiti 2 on-screen logic while inputting password.
Make mods for Fossil watch.
Configurable device logic for auto-power-off and in-beam control.
API disable doesn't account for admin password logic.

Version 5.02 : May 12, 2003

Fixes to FAQ.
Set force-pen-up logic to minimum of a minute.

Version 5.01 : March 31, 2003 Beta

Display total powered-on time HH:MM in the log tab.
Use Find rather than Graffiti Ronamatic gesture to capture the screen (changed to make consistent for thumbboard devices).1
Save certain device id and program info in power on/off log entries.
Save screen images to pref database rather than program database.
Allow OSv5 devices to stay on if "spuriously" turned on without Require Power Key option checked. Includes Tungsten T slider turn-on.
Save/restore OSv5 and other standard PalmOS hi-res screens.
Show more device information on Support tab.
Add several more dev/debug log items, including spoof-pen events.
Include app type in app log events.
Pass through certain external app and lib key events under OSv4+.

Version 5.00 : January 12, 2003 Beta

Sub-call Prefs|Owner on a Tungsten/T, which has a 'Done' button.
Site license option to clear out all free memory space when locking.
Change the version in prep for non-confusing version numbering, matching OS major version.
OSv5 database wipe logic. Not complete memory, as under OSv4-.
Various clean-ups - draw-windowing, mostly.

Version 2.39 : December 17, 2002

Yet another Attention manager dialog box display fix - in-place lock over attn mgr over model dialog.
Specialized fixes for i705 power control. May have been influenced/conflicts by/with AIM 2.0, though.
FastStart log entry.
OSv4+: allow Launcher to delete enabled OnlyMe - with (admin) password entry.
Don't allow API to disable without admin password, if one exists.
Allow thumb-board Treo to use ... key to capture screen image.
Treo blue-app/up/down keys map to 'g'..'l' ('7'...'9'+).
Pass through Treo blue power and cradle keys.
Translate Palm D-key keys to password keys: up('e') right('l') down('f') left('k').
Use Clie QWERTY board for alpha('a'..'z')/space(' ') password key entry.
API disable accounts for admin password logic.

Version 2.38 : September 2, 2002

Fix the uncomfortable Lock Delay value editting logic (especially in pop-up-keyboard, debug-ROM situations).
Keep ClockOn display showing for configured time when Lock Delay allows device to unlock without password.
Allow ClockOn user to tap title bar to keep clock on-screen.
Put sort direction/control buttons at the top of the log list display.
Allow "invisible" keyboard.
Put in Support tab a button to store all on-device database names, Creator IDs, and types to TZ_DB_List.pdb.
Take password generation out of the program. Silly idea, but nicely done. Too bad really high quality, random passwords are so hard to remember.

Version 2.37 : June 15, 2002

Display dots for wrong passwords.
Log display tab.
Put password generation in a tab.
Take the backlight control option out of the Support tab.
Password generate logic.
API function to mix data into the random data.
API function to get random data quality.
After switch-app, if the running app no longer exists (was run off a card), return to the Launcher.
Add some magic numbers for OSv4.1 system extensions.
Documentation changes.
Change the name of the German version to OnlyMe_German.prc from OnlyMe_DE.prc.

Version 2.36 : February 20, 2002 Release

Stop from trying to run under PalmOS version 5.
German language executable.
Explanation popup for SwitchApp checkbox.
Change set-password label to confirm when appropriate.
Change "Operations" to "History" in the main menu.

Version 2.35 : January 5, 2002 Release

Don't auto-show clock plugin if HotSync button is pushed to turn on power.
Show some device info in Support tab.
Be robust in the face of a rogue clock plugin database.
Change OMClock to ClockOn.
Keep the modification date/time stable (for XTND Server use).
Allow alarming programs to run themselves during DisableLock time.
Keep spurious penUpEvent from current app.

Version 2.34 : December 14, 2001

Fix the OSv1 and 2 version warning. (OnlyMe version 2.15 is required for these older versions of the OS.)
Allow clock plugin.
Put turn-backlight-on option into Support tab.
Don't do disable locking logic if they have tried a password.
Move "Allow Alarm Display" from Advanced tab to Support tab.
Put in frightening, disable-lock logic (OSv3.1+) to Support tab (for middle-of-night programs that must switch to themselves).
Site license option to leave initial background up when hard-buttons are pushed.
Use large, bold font for most non-QWERTY keyboard keys.
Number-pad password entry keyboard.
Wider QWERTY L to take the extra key position.
Telephone X rather than zero in star position.
Change "Reset" button on password entry screen to read "Retry".
Sense device specific things at enable/disable time - not just at prefs-create time.

Version 2.33 : November 3, 2001

Site license option to turn on backlight when power turns on.
Alternate keyboards: QWERTY and Telephone.
Fix Handera Menu/shortcut-up-in-OM problem.

Version 2.32 : September 30, 2001

Bump the unwarned OS version to 4.1.
Do the untested-OS pop-up after lock/unlock in case of app-switch and/or reset (fixes switch-app, OSv4.1, double-pw entry).
Allow run on Handera 330. (Unresolved issues remain. Reset display. OM menu/lock undefined window.)

Version 2.31 : September 15, 2001 Release

Do not do Switch App logic if records are to be masked or hidden. The option can be turned on by hand in the support "tab".
Site license option to show Julian date instead of battery-charge indicator.
Set up to better handle Handera 330 in debug build.

Version 2.30 : August 27, 2001 Beta

Fix trial version / unique-per-use-backdoor-password bug.
Be less invasive with the bug-in-3rd-party-Launcher work-arounds.
Allow two Cracker Time Lock messages so that it can say, "Please Wait!", too.
Move all but a couple of images out of the distribution ZIP file.
Put the rest of the images on line at http://www.tranzoa.com/cgi-local/pictures.pl.
Handle attention/alarm list power-off logic under OSv4.0+.

Version 2.29 : August 16, 2001 Special, limited release

Put switch-app checkbox in a new, hidden support tab (Graffiti S inside the advanced tab to access the support tab.).

Version 2.28 : August 15, 2001

If default for instant power lock is ON, then allow only the admin user to turn it off - if there is an admin password set.
Switch-App when DiddleBug or BugMe! is the current app (to avoid screen-save problems).
Tabbed interface.
Do Switch App logic if records are to be masked or hidden.
Show HotSync name and one-time-use backdoor passwords when OnlyMe icon is tapped - not at other super-owner-show times.
Ignore app-stop event at forced-enable, set-password time.
Don't show the reset-time help info alert when forced-enable, pre-set password options etc. are set.
Handle time/change in debug ROMs' Prefs app at reset time.
Default to Allow Alarm Display on.
Force Switch App on Sony hi-res devices.

Version 2.27 : July 17, 2001

PalmGear/Yahoo store URL change in docs.
Ability to switch from and return to Prefs panels and built-in Security app.
Support multiple, one-time-use backdoor passwords.
Fix a goof in pre-OSv3.5-screen-restore introduced with 32-bit screen save size.
Option to require power key turn-on.
Color icons.
Color backdrops included in distribution.
Handle alarms in formless environments.
Allow certain system files to be ignored by the install-over-hack detection logic.
Reset wipe-memory/normal password-counter when valid password is entered.
Do wipe-memory/normal-password logic count-down only at unique CTL times.

Version 2.26 : June 19, 2001

Add and improve certain logging items.
32-bit screen save size.
A certain Sony hard-key may power on the device.
Allow prefs db to not exist at ROM/FLASH test time.
Properly automatically switch-app if screen takes too much memory to save.
Don't flash the OnlyMe main screen after switch-app unlock.

Version 2.25 : June 11, 2001

Re-calibrate digitizer if DateBook and MemoPad keys are pressed and held for 5 seconds.
Be cleaner about showing no backdrop, captured image if the LCD pixel depth has changed since the image was captured.
Avoid a loop by stopping backdoor password from disabling OnlyMe permanently if force-user-to-set-password is turned on.
Handle GoBar leaving active/draw window set to invalid-window/un-allocated memory when running programs.
Don't be confused (yet again) with silk screen presses while setting password.

Version 2.24 : June 7, 2001

Tell info in in-ROM/FLASH pop-up for diagnostic reasons.
Fix an unknown-key event mistake.
Raised RAM resident memory address cutoff back to v2.15's value.

Version 2.23 : June 2, 2001 Release

API's for monitoring whether password has been entered - which type and when.
Better handle clock changes.
Don't log certain events if non-debug version.

Version 2.22 : May 17, 2001

Clean up system Security "footprints" at main screen UI time.
Do not allow running on Handera 330, yet.
Yet another special case for "hack" warnings (M500).
Lighten up the background color of this file.

Version 2.21 : May 12, 2001

Clear and set certain recursion flags.
Print information about installing-over application and/or memory address of hook routine.
Give option to reset in disable-hacks popup.
Menu option to toggle on app-switch logic.
Yet another HandSpring extensions recognition thing (to suppress "hack" warning) - more to come.

Version 2.20 : May 7, 2001

Be easier going on HandSpring extensions "hack" detection.
PalmOSv4.0 Alarm GoTo keeps power on so user can enter password.
Site license option to totally wipe memory at 'n' Cracker Time Lock time.
Use OnlyMeData for data storage.
After installation pop alert to tell user to run OnlyMe to enable it.
Tell user what hacks are in the way of enable/disable.

Version 2.19 : April 29, 2001

Run only under PalmOSv3.0+ and above.
Option to not use Saved_Preferences for storage.
Improve in-ROM detection logic.
Fast Start option.

Version 2.18 : April 18, 2001

Update the time/battery display more often (every 3 seconds instead of 30).
Change the charging-battery picture to look more like the Palm "lightning bolt" picture.
Do shut-down-and-lock logic inside us rather than letting it through to the Security app.
Event logging.

Version 2.17 : April 4, 2001

Allow certain non-Palm events to pass through.

Version 2.16 : March 24, 2001

Require OSv2.0 or newer.
Make all newly installed instances of OnlyMe reset the password and options.
Create API to be source of random data.

Version 2.16 : March 12, 2001

Finally (!) fix that darned text field logic so the pop-up keyboard can be used.
Implement _set_password API function.
Better explain overclocking.
Fix a missing bang in the API function onlyme_lc_enable so that it works. Ouch!

Version 2.15 : January 21, 2001 Release

Change this HTM file to reflect the new, PC backup directory name for OnlyMe.prc (was Only_Me.prc).
Fix a glitch so that admin users can disable OnlyMe if OnlyMe has the force-user-to-set-pasword-and-enable option set.
Site license No-show-owner-information and Disable-capture options.
Added Register Now! URL.

Version 2.14 : January 1, 2001

Put a battery charge indicator on the password entry screen (PalmOS v3.00+).
Warn users about possible security holes when both OnlyMe and the built-in Security app are used to lock the device.
Fix a site license option so that devices won't need cold boots to remove certain, indiscreet options.

Version 2.13 : Nowhen

Non-US people may be interested to know that there are tall buildings in the US with no 13th floor! Let's not push anyones button.

Version 2.12 : December 26, 2000

Site license option to force user to set password and to enable OnlyMe.
Site license option to set owner and super-owner fonts.
Work around OSv3.5 Launcher category bug (Note: Bug is fixed in Handspring OSv3.5 and OSv4.x).
Fix the HandSpring Prism charging cradle problem. Screen stays off.
Use a more direct way of turning off the power on newer-OS devices.
Site license option to force user to set password.

Version 2.11 : December 8, 2000

Comment PayPal logo out until an automated scheme can be built.
Work with and replace existing OnlyMe (2.11+, and in most cases, earlier versions) at install time.
Snapshot/capture screen feature.
Move password entry history display/reset into the menus.
Allow maximum lock delay value setting.
Allow non-admins to set lock delay value up to maximum.
Tighten up the lock delay field entry code.

Version 2.10 : October 27, 2000

Fixed tiny text field memory leak.
Put PayPal logo in.
Do the mask/hide record logic at main screen exit time.
Mask private records options for PalmOS v3.5+.
Allow TZOnlyMe to set any of power-on keyboard/backdrop/owner/super-owner display.
Show day-of-week in time display.
Use new Handango logo in onlyme.htm.
Auto-set Allow Alarm Display on PalmVII's and when certain applications are in memory.
Allow up-key to pop m100 clock program if Lock Delay has not timed out.
Tighten up Lock Delay in cases of repetitive alarms.
Power down device quickly after device turns on from non-user-hit-key reason (i.e. an alarm).
Handle some undocumented, m100 "keys".
Get rid of the "Set Owner Information" button.
At enable time, warn the user if it looks like he does not have his owner information set. Give him a zap-to option.
Move a hard-coded string into a resource.
Allow negative Lock Delay values. Convert them to positive.

Version 2.09 : September 14, 2000

Speed up the duplicate Graffiti shortcut elimination routine.
Work-around for BigClock 2.7, pre-PalmOS v3.5, and v3.5+ excepting non-Allow Alarm Display mode.
Include local links in onlyme.htm so that support email can reference them.
Fix typo in "Set Owner Information" button logic.

Version 2.08 : August 28, 2000 Release

Change reset id.
In program build: put default password entry keyboard position in the middle of the screen.
Allow program to run under newer, untested-with OS's. But warn 'em.
Include order information in the uses-remaining alert.
Use only the HotSync name for registration info. Don't use the device serial number.
Remember and reset key rates.
Allow onlyme_lc_run_without_password function to force the issue over the user's input.
Most implemented API's tested for positive functionality (error conditions not thoroughly tested) in APITST01.C.

Version 2.07 : July 9, 2000

Allow Graffiti strokes that begin and end at the "same" place.

Version 2.06 : June 18, 2000

Be even more strict about stopping stroke/tap hacks from working during password entry.
Automatically remove duplicated Graffiti Shortcuts (fixes pre-3.5 OS bug).
Automatically add reverse-Indiglo Graffiti Shortbut (ribbon.dot.dot.8) if it should be defined.
Try to save the user from crashes by warning of installed hacks on same hooks as OnlyMe will use.
Keep trying to de-install on program entry if user said to, but we could not because of an over-riding hack.
Add another untested API call - for password entry satisfaction, application-run.

Version 2.05 : June 14, 2000

Put HotSync name in super owner display (so it's easier to find registered owners whose device is 'sent' to Tranzoa).
Include 'Trial', 'Registered', or 'Branded' on the version label.
Paint a "Cracker Time Lock" notice when it's triggered.

Version 2.04 : June 4, 2000

Allow Graffiti strokes to switch from backrop/owner display to keyboard display mode.
Fix emulatable non-reset condition if normal password is set by site licensee.
Update the doc file.

Version 2.03 : May 21, 2000

Add Instant Power Lock option.
Put password entry keyboard at fixed location at bottom of screen.
Add site-licensee-only options:

• Run/force-run application after password entry.
• Run AvantGo URL after password entry.
• Administration password required to run OnlyMe.
• Password entry keyboard vertical location.
• Option for no initial display of password entry keyboard.
• Allow site licensee to set initial state for all program options.

Change PalmGear's phone number.
Add Handango to doc file.

Version 2.02 : March 19, 2000 Release

Allow screen color depth to change while OnlyMe is enabled - and still save the screen.
Be as gentle as is possible in case there is not enough memory to save the screen.
Note: 2.01 was accidently uploaded before its time. (Backdrops contain wrong internal names.)

Version 2.00 : March 11, 2000

Save color screen and other OSv3.5 changes.
Hash the screen at power-down time like the original program did, sort of.
Certain alarm and power-on key changes to work around device and OS weirdnesses as best we can.
Discourage pop-up-stroke "hacks" from bypassing security.
Don't show blank owner name in certain cases and add more owner name boiler plate filtering strings.
Branded version: entry of backdoor password permanently disables program security. Note: As a side effect of this, you must delete an trial copy of OnlyMe from a device before loading a branded version.
No filtering that is made redundant by certain ROM discoveries.
Jump the version number to V2.00 because of version number ambiguity with the old, sub-version 1.21 and others.

Version 1.10 : October 18, 1999

Option to Allow Alarm Display.
Fix for conflict with IRLink.

Version 1.9 : September 14, 1999 Release

Require new password to be set if the date/time is more than 24 hours away from when the password was last entered correctly.
Documentation changes.

Version 1.8 : September 6, 1999

Don't power up from Up/Down/Contrast buttons. Try to eliminate Up/Down during alarm turn-ons.
Be aware of whether StayOffHack is installed and superset its logic if so.
Use key modifier mask for sensing power-on key - not timeout.
Reset and restore the key mask in case games have changed it.
Noted that \Pilot and \Palm are used, depending upon Desktop version.
Sense Graffiti fast time-out of uses for testing trial version.

Version 1.7 : July 23, 1999

Option (for the cased V) to stop power-on from spurious app-button hits.
Fix menu-button bug in Set Password.
Pass contrast button for the V.
Pass 0x11e (OS V3.2+ SysSleep) character.
Pass lowBatteryChr.
Interim "solution" to the VII radio battery autoOffChr/SysSleep problem.

Version 1.6 : June 6, 1999

BackupBuddy certification image and link.
HTM: note about reset at install time.

Version 1.5 : May 31, 1999 Release

TZONLYME changes super-owner text.

Version 1.4 : May 29, 1999

Finally (we hope) fixed the re-HotSync thing.

Version 1.3(1) : May 21, 1999

Update the HTML to reflect that a whacked password may not have been Hotsync'd.
Avoid low-level, OSV3.1 arithmetic bug accessed by DeLorme Solus program.

Version 1.3 : May 2, 1999

Stack-available sensing and self-launch if low-stack.
Usage recording and display.
Lock Delay.
Document the lost password procedure.
Play two different tunes at cracker time lock alarm time.
Paint backdrop picture, if present.
Allow site licenses to configure a minimum password length.
Allow site licenses to configure an extra, long password.
Allow site licenses to use branded, non-registration-check version.
Move the Information "I" button up to the menu line.
Disallow putting program into FLASH memory (security risk).
Implement, without testing, some API functions.
Allow power-off timeout even when the pen is down. (OS, itself, will not do so.)
Require password to launch OnlyMe when it is enabled.
Move the password input window around vertically to smooth out screen wear.
Show-Tranzoa-information icon-button.
Show-owner-information button.
Show-backdrop-picture button.
Reset-password-input button.
Set-owner-information button (except OS Version 1).
Crank up the maximum Cracker Time Lock lock-out to 28 minutes.
Turn Graffiti back off if it was off before password entry logic.
Changes to take less dynamic memory.
Changes for less troublesome interaction with certain programs.

Version 1.21 : January 29, 1999 Release

Allow only alpha, numeric, and SPACE in passwords.
Reset Graffiti aggressively to fix the N, O, and shortcut problem.
Ensure that Graffiti is turned on at password input time.
Refresh the Graffiti shift-state indicator after password input.
Continue to lower run-time memory requirements.
HTML changes.

Version 1.20 : January 23, 1999

Works on all Palm™ devices.
HTML changes.

Version 1.10 : January 22, 1999

Disallow warm-reset, brute force trick.
Disallow password characters over 127 (warm-reset artifact and "Command" character).
Pass through alarms and power-on/hotsync application-start keys.
Fix double-warm-reset problem.
Link to feedback.htm from this file.
HTML changes.

Version 1.00 : January 10, 1999 Release

Release, with access notes, etc.
HTML changes.

Version 0.06 : January 1, 1999

Require OS Version 3 or greater at run time.
Include feedback.htm in ZIP file and at web site.
HTML changes.

Version 0.05 : December 19, 1998

Allow very fast gesture input.
"Breakout" to stop malicious, trained-user, OS, side door.
No copy of the clear-text password is kept anywhere.
Get time/date format preferences each lock time.
HTML changes.

Version 0.04 : December 15, 1998

Stop Graffiti special functions/states (OnlyMe is now more secure than OS Security application).
System Preferences control time/date display.
Step over owner boiler plate.
Be quieter and faster.
Smaller screen hash memory.
Be nicer after Cracker Time Lock timeout.
HTML changes.

Version 0.03 : December 6, 1998

Tips/html changes.
Faster password stroke input.
Removed spurious power-on/warm-reset keys.
De-bullet tips (for OS V3.1).
Registered/trial logic.