How a Tablet Changed My Life

How a Tablet Changed My Life
Ok, so maybe the title is a bit extreme, but I've had this tablet for a few months and I've started noticing that it's changing things up for me. First of all, books are WAY simpler. I pretty much expected this, it's why I bought the thing in the first place. The first thing I did once i got the tablet was get electronic copies of almost every book I own. Fiction, Reference, Non-fiction, books for work, everything. So now if I travel, there's no need to choose what to bring. If I'm at work, and find myself saying - "if only I had Cricket Liu's "DNS and Bind" book, I could explain it to my customer and give them a good citation (page number etc)", no problem, it's there. If I'm building something that I haven't done before, like the FCOE switches that I'm working on this week, I'm not alt-tabbing to the vendor documentation, I have the book / vendor web page / whatever open to the right page, and it's right there. The best part of having a tablet is that it's not a computer. Sure, it has a browser and everything, but the form factor makes it fundamentally different. If my wife and I are watching TV, a laptop has that screen popped up that says "don't talk to me" - a tablet sits in my lap and is generally way less obtrusive than any laptop, it has a lower profile than lots of hardcover books in fact. Using a tablet instead of a laptop has done a fair bit for marital harmony on that front .... But it's enough of a computer to do some useful things. I wrote all of my study notes for SEC542 on this thing, and it was just as easy in Docs2Go as in Excel, which I normally use for notes of this type. The nice thing is that when I was done, it IS in Excel. Picking the right apps makes your data portable. Picking the wrong apps puts your data in "data jail", it'll never leave the tablet - this is really something to consider before deciding on any new app. There seems to be lots of effort to turn data into "prisoners of the tablet" with proprietary file formats, or prisoners of one vendor or another's e-reader software. It's just too easy to browse to a book vendor, click the book and have it a minute later. The problem is, moving that book to a different tablet might be easy, or it might be a real pain when the time comes later. I've been trying to keep as many of my books as possible in portable formats - in my case, PDF and ePub formats. Formats where I have a choice in the application that reads them, that are easily portable to my laptop or a different tablet or different OS. Especially for reference books, a search function is a real help - this isn't always there on "captive" reader applications. On a different topic, I'm seeing that people (not me so far I hope) are a lot less lax on security once they get a tablet. Open access points seem to be fair game for a lot of people now - if there's an open AP, then it's seen as free, fast internet and away they go. I dropped a 3G card into mine - I find that this is pretty cheap, and while not as fast as a lot of home DSL or cable uplinks, it's always there. If I'm pulled over on the side of the road, no problem. If I'm at a client site, I don't need keys or certs to get online. There's a lot of risk in using someone else's open AP - not only is it illegal, it's pretty easy to set up an "evil" AP, often to harvest credentials or credit card info. I invested in a tiny little access point (yes, also from Apple, sorry - Linksys stopped making theirs). This now travels with me as well. If I'm at a client site with secure wireless (ie - I can't use it), I can generally plug in my trusty AP and get the tablet (and phone and laptop for that matter) online through their ethernet for a faster connection. For some reason, people don't seem to care as much about their passwords on a tablet as they otherwise would. They can be in the middle of something totally unrelated, a window will pop up asking for their iTunes password, and they'll just key it in, no questions asked. We had a spirited discussion at the ISC's secret conference room last week about this. I think the consensus was that it'd be pretty simple to embed and hide a password harvester that takes advantage of this behaviour into an app, and that as long as you didn't get too greedy or obvious, it'd probably slide right past any check anyone would want to do. If you have information that might indicate otherwise, we'd be really interested in your input - please use the comment form for this. I'm also not really keen on how most passwords on this device echo back to me - - only one character at a time, but still pretty easy to shoulder-surf. Credit card security likewise seems to have fallen by the wayside a bit. People get really used to a embedding their credit card info into every music and book vendor they deal with. I'm guilty of this - frankly it's tough anymore to keep track of just who's got my credit card info (I keep a file, but still get surprised every now and then). People also are used to having LOTS of small transactions on their monthly bill. When my statement comes, how certain am I all that each and every one of those $2, $3 and $10 charge are legit, and their mine? Me, not so much. I get an email confirmation for every CC and Paypal transaction I make, but do I add them all up and check against my monthly bill? Ummm .. sometimes? Really, life is too busy to do this most months. On the topic of enterprise use, so far I've taken care to not store customer or other confidential info on my tablet, until I've got the time to do a thorough review of risk, proper controls and mitigations. I've been told that the Apple iPad Security overview ( http://images.apple.com/ipad/business/pdf/iPad_Security_Overview.pdf) is pretty good, but haven't had the time to review it myself yet. There may be an equivalent or better Android doc, or better IOS guidance. If anyone has further info on this topic please use the comment form. How have you seen that tablets have changed your life at work or at home? Do these changes have a security-related story behind them? Please, share your experiences - I for one am really interested in how these things are changing how we work / play / whatever. Not to mention that killer app that'll make the tablet that much more useful ... =============== Rob VandenBrink, Metafore ====================	Rob VandenBrink 524 Posts ISC Handler
Subscribe	Dec 8th 2010 9 years ago
How the tablets have changed my life at work? Well, every executive, marketing person, sales guy or persons otherwise unburdened by technical knowledge or understanding of basic security principles, insist on stuffing them full of proprietary and confidential data. Claiming that with release of the iPad, laptops have lost all of their previous functionality and portability, apparently confusing coolness factor for technological necessity. Other than that - I will have to wait for a tablet that doesn't require security to be available on the app store, before I can make any further calls on how it changed my life. For now, I'll stick to my smartphone.	oleksiy 34 Posts
Quote	Dec 8th 2010 9 years ago
The box asking for passwords everywhere arrived with multitasking in iOS. I have seen it as a risk ever since I saw it first time. Apple need to give users a way to verify the context of the alert box. Maybe have an official alert app that can jump like apps on OSX that needs attention. I see this as one of the bigger risks at the moment. Especially since people tends to re-use e-mail and passwords. That is one reason why my account is only used for iTunes, and nothing else. On top of that, I use another e-mail address for most other things, and I use 1Password such that I can have unique complex passwords everywhere.	Povl H. 73 Posts
Quote	Dec 8th 2010 9 years ago
I've used convertible tablet computers for over 4 years now, buying my first one used on eBay. They have each run a full OS (some version of Windows) and have all the applications I need. They are a bit thicker than the current limited OS tablet craze, but I like having the keyboard there if I need it, because I can type faster and with more accuracy than I can write. I could have gotten slate tablets, still a full computer, but with no keyboard. I don't understand why tablet computers in various forms have been out for years, but these original tablets are never talked about, except in the dedicated tablet computer forums, like gottabemobile.com and tabletpcbuzz.com. My current computer is a Lenovo x200 Tablet with Windows 7, and I love it!	Anonymous
Quote	Dec 8th 2010 9 years ago
"If I'm at a client site with secure wireless (ie - I can't use it), I can generally plug in my trusty AP and get the tablet (and phone and laptop for that matter) online through their ethernet for a faster connection." Im sure this is in accordance with their security policies, right?	Anonymous
Quote	Dec 8th 2010 9 years ago
Yes, of course. If I'm not able to plug an AP in based on policy, 3G is a good fallback	Rob VandenBrink 524 Posts ISC Handler
Quote	Dec 8th 2010 9 years ago
Draft DISA STIG for iPhone/iPad is here: http://iase.disa.mil/stigs/draft-stigs/ And (ahem) iOS 4.1 security guidelines here: http://cisecurity.org/en-us/?route=downloads.browse.category.benchmarks.mobile.iphone	Rob VandenBrink 8 Posts
Quote	Dec 8th 2010 9 years ago
I'm pretty reluctant to join the tablet revolution, I admit. I touch-type, so I find keyboardless devices frustratingly slow to interact with. I feel like a netbook is a better fit for me.	Anonymous
Quote	Dec 8th 2010 9 years ago
I tend towards the "paranoid security guy" way of doing things. I don't even have a cell phone. I send enough time trying to secure my home network in my off hours, I don't need a phone or tablet that is owned and controlled by Google or Apple to worry about. And I'm glad Josh brought it up. That line about setting up a wireless AP made me cringe.	Anonymous
Quote	Dec 9th 2010 9 years ago
Our group of 130 people has 10 iPads and more on order. We have national lukewarm-but-official support for iPads and iPhones (alongside Blackberries). We have our own iOS STIG derived from public sources, and iPCU profiles that make applying most of the STIG relatively painless (no we can't release any of that). We require all iPhones and iPads to be on MobileMe for findme and remote wipe (we're not running Exchange). We haven't gone whole hog on over-the-air provisioning, or third-party lockdown/encryption. A small IT support group decided that supporting and securing iPhones and iPads was better than sticking our heads in the sand and hoping for the best. Then our new CEO showed up with an iPad this summer. Coincidentally, national IT support for iPads was announced a few weeks later. IMO, the business value of iPads is still a solid "maybe", but YMMV. Most user inquiries start with "I'm tired of dragging my laptop around, I want an iPad", which leads to an extended discusssion/discouragement session. They want to receive, edit, and return Word, Excel, and PowerPoint files, and that's still very much a work in progress, especially since we're prohibited from using tools like DropBox. Many middle managers view iPads as a waste of time and money, so adoption is spotty. My own iPad substitutes for a laptop about half of the time. If all I need is email and web browsing, works great. Also great for whiling away the hours in undersized airline coach seats, watching podcasts and other videos. Not so good for running your favorite open source network scan or vulnerability assessment tools, especially on wired-only networks And I still haven't solved the search-through-1000-page-PDF-manual problem. Are iPads perfectly secure or securable? No, but no platform is perfect and risk-free. Each organization needs to weigh the pros and cons.	Anonymous
Quote	Dec 9th 2010 9 years ago
Sorry Rob, this article reads just like an Apple ad.	Anonymous
Quote	Dec 9th 2010 9 years ago

Ok, so maybe the title is a bit extreme, but I've had this tablet for a few months and I've started noticing that it's changing things up for me.

First of all, books are WAY simpler. I pretty much expected this, it's why I bought the thing in the first place. The first thing I did once i got the tablet was get electronic copies of almost every book I own. Fiction, Reference, Non-fiction, books for work, everything. So now if I travel, there's no need to choose what to bring. If I'm at work, and find myself saying - "if only I had Cricket Liu's "DNS and Bind" book, I could explain it to my customer and give them a good citation (page number etc)", no problem, it's there.

If I'm building something that I haven't done before, like the FCOE switches that I'm working on this week, I'm not alt-tabbing to the vendor documentation, I have the book / vendor web page / whatever open to the right page, and it's right there.

The best part of having a tablet is that it's not a computer. Sure, it has a browser and everything, but the form factor makes it fundamentally different. If my wife and I are watching TV, a laptop has that screen popped up that says "don't talk to me" - a tablet sits in my lap and is generally way less obtrusive than any laptop, it has a lower profile than lots of hardcover books in fact. Using a tablet instead of a laptop has done a fair bit for marital harmony on that front ....

But it's enough of a computer to do some useful things. I wrote all of my study notes for SEC542 on this thing, and it was just as easy in Docs2Go as in Excel, which I normally use for notes of this type. The nice thing is that when I was done, it IS in Excel. Picking the right apps makes your data portable. Picking the wrong apps puts your data in "data jail", it'll never leave the tablet - this is really something to consider before deciding on any new app.

There seems to be lots of effort to turn data into "prisoners of the tablet" with proprietary file formats, or prisoners of one vendor or another's e-reader software. It's just too easy to browse to a book vendor, click the book and have it a minute later. The problem is, moving that book to a different tablet might be easy, or it might be a real pain when the time comes later. I've been trying to keep as many of my books as possible in portable formats - in my case, PDF and ePub formats. Formats where I have a choice in the application that reads them, that are easily portable to my laptop or a different tablet or different OS. Especially for reference books, a search function is a real help - this isn't always there on "captive" reader applications.

On a different topic, I'm seeing that people (not me so far I hope) are a lot less lax on security once they get a tablet.

Open access points seem to be fair game for a lot of people now - if there's an open AP, then it's seen as free, fast internet and away they go. I dropped a 3G card into mine - I find that this is pretty cheap, and while not as fast as a lot of home DSL or cable uplinks, it's always there. If I'm pulled over on the side of the road, no problem. If I'm at a client site, I don't need keys or certs to get online. There's a lot of risk in using someone else's open AP - not only is it illegal, it's pretty easy to set up an "evil" AP, often to harvest credentials or credit card info.

I invested in a tiny little access point (yes, also from Apple, sorry - Linksys stopped making theirs). This now travels with me as well. If I'm at a client site with secure wireless (ie - I can't use it), I can generally plug in my trusty AP and get the tablet (and phone and laptop for that matter) online through their ethernet for a faster connection.

For some reason, people don't seem to care as much about their passwords on a tablet as they otherwise would. They can be in the middle of something totally unrelated, a window will pop up asking for their iTunes password, and they'll just key it in, no questions asked. We had a spirited discussion at the ISC's secret conference room last week about this. I think the consensus was that it'd be pretty simple to embed and hide a password harvester that takes advantage of this behaviour into an app, and that as long as you didn't get too greedy or obvious, it'd probably slide right past any check anyone would want to do. If you have information that might indicate otherwise, we'd be really interested in your input - please use the comment form for this.

I'm also not really keen on how most passwords on this device echo back to me - - only one character at a time, but still pretty easy to shoulder-surf.

Credit card security likewise seems to have fallen by the wayside a bit. People get really used to a embedding their credit card info into every music and book vendor they deal with. I'm guilty of this - frankly it's tough anymore to keep track of just who's got my credit card info (I keep a file, but still get surprised every now and then). People also are used to having LOTS of small transactions on their monthly bill. When my statement comes, how certain am I all that each and every one of those $2, $3 and $10 charge are legit, and their mine? Me, not so much. I get an email confirmation for every CC and Paypal transaction I make, but do I add them all up and check against my monthly bill? Ummm .. sometimes? Really, life is too busy to do this most months.

On the topic of enterprise use, so far I've taken care to not store customer or other confidential info on my tablet, until I've got the time to do a thorough review of risk, proper controls and mitigations. I've been told that the Apple iPad Security overview ( http://images.apple.com/ipad/business/pdf/iPad_Security_Overview.pdf) is pretty good, but haven't had the time to review it myself yet. There may be an equivalent or better Android doc, or better IOS guidance. If anyone has further info on this topic please use the comment form.

How have you seen that tablets have changed your life at work or at home?
Do these changes have a security-related story behind them?
Please, share your experiences - I for one am really interested in how these things are changing how we work / play / whatever.

Not to mention that killer app that'll make the tablet that much more useful ...

=============== Rob VandenBrink, Metafore ====================

Rob VandenBrink

524 Posts
ISC Handler

How the tablets have changed my life at work? Well, every executive, marketing person, sales guy or persons otherwise unburdened by technical knowledge or understanding of basic security principles, insist on stuffing them full of proprietary and confidential data. Claiming that with release of the iPad, laptops have lost all of their previous functionality and portability, apparently confusing coolness factor for technological necessity. Other than that - I will have to wait for a tablet that doesn't require security to be available on the app store, before I can make any further calls on how it changed my life. For now, I'll stick to my smartphone.

oleksiy

34 Posts

The box asking for passwords everywhere arrived with multitasking in iOS. I have seen it as a risk ever since I saw it first time. Apple need to give users a way to verify the context of the alert box. Maybe have an official alert app that can jump like apps on OSX that needs attention.

I see this as one of the bigger risks at the moment. Especially since people tends to re-use e-mail and passwords.

That is one reason why my account is only used for iTunes, and nothing else. On top of that, I use another e-mail address for most other things, and I use 1Password such that I can have unique complex passwords everywhere.

Povl H.

73 Posts

I've used convertible tablet computers for over 4 years now, buying my first one used on eBay. They have each run a full OS (some version of Windows) and have all the applications I need. They are a bit thicker than the current limited OS tablet craze, but I like having the keyboard there if I need it, because I can type faster and with more accuracy than I can write. I could have gotten slate tablets, still a full computer, but with no keyboard.

I don't understand why tablet computers in various forms have been out for years, but these original tablets are never talked about, except in the dedicated tablet computer forums, like gottabemobile.com and tabletpcbuzz.com. My current computer is a Lenovo x200 Tablet with Windows 7, and I love it!

Anonymous

"If I'm at a client site with secure wireless (ie - I can't use it), I can generally plug in my trusty AP and get the tablet (and phone and laptop for that matter) online through their ethernet for a faster connection."

Im sure this is in accordance with their security policies, right?

Anonymous

Yes, of course. If I'm not able to plug an AP in based on policy, 3G is a good fallback

Rob VandenBrink

524 Posts
ISC Handler

Draft DISA STIG for iPhone/iPad is here:
http://iase.disa.mil/stigs/draft-stigs/

And (ahem) iOS 4.1 security guidelines here:
http://cisecurity.org/en-us/?route=downloads.browse.category.benchmarks.mobile.iphone

Rob VandenBrink
8 Posts

I'm pretty reluctant to join the tablet revolution, I admit. I touch-type, so I find keyboardless devices frustratingly slow to interact with. I feel like a netbook is a better fit for me.

Anonymous

I tend towards the "paranoid security guy" way of doing things. I don't even have a cell phone. I send enough time trying to secure my home network in my off hours, I don't need a phone or tablet that is owned and controlled by Google or Apple to worry about.

And I'm glad Josh brought it up. That line about setting up a wireless AP made me cringe.

Anonymous

Our group of 130 people has 10 iPads and more on order. We have national lukewarm-but-official support for iPads and iPhones (alongside Blackberries). We have our own iOS STIG derived from public sources, and iPCU profiles that make applying most of the STIG relatively painless (no we can't release any of that). We require all iPhones and iPads to be on MobileMe for findme and remote wipe (we're not running Exchange). We haven't gone whole hog on over-the-air provisioning, or third-party lockdown/encryption.

A small IT support group decided that supporting and securing iPhones and iPads was better than sticking our heads in the sand and hoping for the best. Then our new CEO showed up with an iPad this summer. Coincidentally, national IT support for iPads was announced a few weeks later.

IMO, the business value of iPads is still a solid "maybe", but YMMV. Most user inquiries start with "I'm tired of dragging my laptop around, I want an iPad", which leads to an extended discusssion/discouragement session. They want to receive, edit, and return Word, Excel, and PowerPoint files, and that's still very much a work in progress, especially since we're prohibited from using tools like DropBox. Many middle managers view iPads as a waste of time and money, so adoption is spotty.

My own iPad substitutes for a laptop about half of the time. If all I need is email and web browsing, works great. Also great for whiling away the hours in undersized airline coach seats, watching podcasts and other videos. Not so good for running your favorite open source network scan or vulnerability assessment tools, especially on wired-only networks :-)

And I still haven't solved the search-through-1000-page-PDF-manual problem.

Are iPads perfectly secure or securable? No, but no platform is perfect and risk-free. Each organization needs to weigh the pros and cons.

Anonymous

Sorry Rob, this article reads just like an Apple ad.

Anonymous