maemo.org - Talk

Hedgecore 2007-12-07 13:58

Internet Tablets in the Workplace
 
(Sorry for the philosophical thread-starting as of late...)

Reading Toonje's signoff, people started mentioning using their tablets at work. Half of this notion intrigues me, the other half mortifies me.

Obviously the tablet is a powerful tool in the IT arsenal, between rDesktop, IM, the network tools, etc., but do you *really* know you don't have any sort of malware on there? I'm running Ubuntu at home and I can't tell you whether I do or not. From a security perspective, you're bringing an external device past the firewalls, past the physical security, and accessing the heart of your IT infrastructure. I realize the odds are low that anything will happen, but people *do* win the lottery.

I've had lots of discussions with our Chief Security Officer at the coffee maker and he's changed my outlook on a lot of things. While I'd love to see Linux on the workstation, until the security aspects become as common as they are for Windows, I don't want it here. The concept of users bringing in home laptops and putting them on the network has always made my jaw drop too, and come to think of it, any of the bad worms we've gotten in the past 2 yrs have been due to this. As IT workers, putting unauthorized and untested devices on the network freaks me out.

That said, I could see it being handy for taking notes, etc., but for most office environments, dragging a notepad or laptop around is a lot easier. A pad of sticky notes is still smaller than a tablet. ;)

So. What do you guys use your tablets for in the workplace? What are your security concerns and how did you address them?

GeneralAntilles 2007-12-07 14:13

Re: Internet Tablets in the Workplace
 
Are you seriously positing that Windows is more secure than Linux because it has more anti-virus software?

debernardis 2007-12-07 14:21

Re: Internet Tablets in the Workplace
 
Well, other than browsing the internet when at my workplace (hospital), I write letters and memos using abiword (and by converting to pdf I can send them as fax, too). I have lots of reference info in pdf inside; I can also compose new pdf docs by selecting pages of existing pdfs and annotate them in xournal, then close the round trip again, to pdf, again for printing or faxing. Xournal is good also for taking notes in meetings - I am always losing my paper-based notes and keeping them in the tablet prevents this entirely. Sporadically, I have used spreadsheets on Gnumeric to keep track of numbers and type of patients, but I am not the bean-counter type of guy. Well, and when possible I listen to my music that's there as mp3.
The only way I think I could loosen my workplace security is when logging on to its internet connection via a portable wifi router, right? But other than encrypting that connection, what would be needed on my part?

ninjatuned 2007-12-07 14:25

Re: Internet Tablets in the Workplace
 
Quote:

Originally Posted by GeneralAntilles (Post 105594)
Are you seriously positing that Windows is more secure than Linux because it has more anti-virus software?

I think it's more of a question of knowledge. Windows is more vulnerable etc. but at the same time with a virus scanner you know (hopefully) if there's something on there. It's not a guarantee by any means but there's a way to measure it. When was the last time you ran a check for a root kit on your Linux machine? Or on your tablet? It's obviously possible for such a thing to exist on the tablet but not likely. Still, there's no easy way to verify ...

To answer the question: I work at a university; we have our wireless infrastructure cut off from the wired so I can use my tablet for PIM stuff and surf the web without worrying about the other machines on the network (File sharing is also not allowed). I'm still learning the ITT ropes so I expect to find more uses at work soon!

djs_tx 2007-12-07 14:32

Re: Internet Tablets in the Workplace
 
A few points

Security through obscurity. There are very few known exploits for Linux period. The Maemo tablet is an ARM processor based device running a generally very secure operating system.

Services: The tablet in the hands of "amateurs" is just an email / web client. Any decent IT dept should have those services appropriately locked down.

Geek factor: Those smart enough to do more with their tablets are generally smart enough to avoid problems.

Right now I'm violating official company policy as I type this at work on my MacBook pro. But I have a gentleman's agreement with IT. They cut me some slack and look the other way on my setup and I help them with some of their tasks in my work area.

It really boils down to platform, doesn't it? AFAIK, there's never been a cross-platform virus and there's only been one self-replicating Linux virus in the wild.

The reason IT security is so paranoid is that, thanks to Windows' success, there is not enough diversity in the platform gene pool. If there were a variety of platforms and operating systems deployed, the entire IT ecosystem would be more exploit resistant. We're all Windows in-bred here so we are all vulnerable to the same exploits.

TA-t3 2007-12-07 14:35

Re: Internet Tablets in the Workplace
 
I'm using my tablet mostly for email: I can walk around campus and still get email. Most of the time I'm on the external wi-fi network (outside of the firewall), so I get the email through the normal secured/encrypted imap system anyway. When I'm using it for anything else I'll use VPN, mostly to read the internal web or to ssh into somewhere. Not very different from what I'd do from my Linux laptop.

But as far as security problems and risks are concerned, I don't think I'm much wrong in stating that connecting a home laptop running Windows on the corporate network.. that's very, very risky. And connecting the same laptop running Linux is orders of magnitude less dangerous. I really believe I have a good, deep understanding of what can and can't be done with the Linux operating system itself, at least as much as I think it's possible without being an active kernel developer myself (I've only contributed a couple of small things myself, and that's a long time ago). I used to read every single line of code that was added to the Linux kernel since its very beginning (1991), up to around version 2.4 when it became a bit too overwhelming because of the size. Since then I've just read the changelogs. I believe I know how it works, to put it that way.

Anyway, as far as worms, viruses, infections are concerned there are simply far fewer ways to get hit with the Linux systems: The hooks are just not there. For example, all this about 'opening' attachments: Well, 'opening' an attachment in my Linux email programs doesn't _do_ anything, unless it's something readable. There's nothing that gets executed. On Windows, on the other hand, everything seems to be designed to let viruses and worms in: Clicking on emails and attachments can execute actual code, and as it's almost impossible to get anything done without admin rights you give that executable code free run of the system. Word documents have a built-in macro language so just by looking at a document there could be code executing. That's insane! And so on and so forth. Everywhere I look in a Windows system there's a way of executing code sent to you by various means that shouldn't have anything to do with code to start with: Documents, messages, images even (and image handling is actually implemented in the _kernel_, so as not to be too sluggish. That gives you a nice hook to really deep-infect the system).

As far as the Internet tablet is concerned, the risks are even less. No servers to let worms in, until you install dropbear-server or openssh, which, if you don't fix the one obvious hole, will let someone log in to get a root shell. The user account doesn't have root rights, and by clicking on things you can at most get video or music, in any case only your /home/user/ directory is at risk. You could in principle bring in emails with attachments (that won't do any harm on the ITT) which you, when you're on your corporate network, forward to someone there who has a Windows computer: You're most probably bypassing the corporate virus check that way, and your email (which does nothing on your tablet) may infect your co-worker. (This is probably one of the most realistic problems with any type of device which establishes an unofficial channel into the corporate network).

The best thing is probably to not allow anything (including USB sticks, flash cards and iPods) inside the corporate system. Short of that, I feel infinitely safer if that thing which is connected to the network runs Linux (or anything not Windows, really).

sondjata 2007-12-07 15:02

Re: Internet Tablets in the Workplace
 
a large portion of security breeches occur by people in the organization who already have access to "the goods."

The next level are users who are given admin rights who never should have been.

the next level, usually in combination with the previous one are e-mails gotten from Yahoo, google but not internal that contain exploits specifically targeted to Outlook.

break in via N800 ranks pretty far down the list of probable problems. our wireless is locked down pretty tight here now and any iPhone, N8xx, has to give up the MAC Address before it is even allowed on the Network.

Hedgecore 2007-12-07 16:06

Re: Internet Tablets in the Workplace
 
Antilles: I'm not saying Windows is more secure than Linux at all, my belief is the complete opposite. Unfortunately the workplace isn't necessarily a place where one can put their opinions into practice. I still stand by, better the evil you know than the evil you don't. (Ninjatuned basically replied for me -- thanks!)

djs: We had a developer with his own laptop PC. I'm not site support, so it's not my business... but I agreed with IT, it pissed them off to no end. He left, and I'm sure he still has all the licensed software on it (screwing the company). There was no way to know how secure it was... and moreover, they wanted admin rights to it because if he was gonna use it as a company resource, they should be able to manage it as one when it was here. No go. Lots of issues arose from it besides being out a bunch of licenses. (He was a developer, stuff got expensive. He was also friends with a VP which is why he was allowed to bring it in anyway.)

That said, depends on the business. This is a huge BPO, it *has* to be secure as there's credit card / personal info being dealt with. If it were a small design company or something (50-200 users), I'd have no qualms using my tablet for stuff.

One of the worst things in security is the unknowns. My 770 could have a rootkit on it right now and I'd have no clue. If it does, there aren't too many people around here that know what to do. (I do -- REFLASH.) ;)

(I'm seriously a huge proponent of Linux... but as much as I'd love to see it at work, I'd hate to as well.)

Benson 2007-12-07 18:00

Re: Internet Tablets in the Workplace
 
Quote:

Originally Posted by djs_tx (Post 105601)
AFAIK, there's never been a cross-platform virus and there's only been one self-replicating Linux virus in the wild.

There has been at least one POC cross-platform (win32/linux, i386 only) virus. None in the wild, to my knowledge.

Quote:

Originally Posted by sondjata (Post 105609)
a large portion of security breeches occur by people in the organization who already have access to "the goods."

Security breeches? You mean, pants with a padlock? ;)

Quote:

The next level are users who are given admin rights who never should have been.

the next level, usually in combination with the previous one are e-mails gotten from Yahoo, google but not internal that contain exploits specifically targeted to Outlook.

break in via N800 ranks pretty far down the list of probable problems. our wireless is locked down pretty tight here now and any iPhone, N8xx, has to give up the MAC Address before it is even allowed on the Network.

That's about what I would think.

Don't know if you're considering using it as a grad student as work or not.
At University here, all MACs must be registered, for wireless or wired ethernet. Wireless ethernet has no WEP/WPA at all, which suits me fine. I SSH everything important anyhow. Access to intranet sites is all https. Pretty much any device you bring in is cool, though they won't give you any support for handhelds with WiFi.
As far as really knowing if you have any malware that snuck in, I'd look at porting tripwire, if I thought there was any probability of it. It's not real likely, because root permissions are required to install software. There could be exploits in the package manager, I suppose, but by far the most likely way malware gets on would be installing a trojan. So, short of auditing the source to everything you install, you won't ever know. How much do you trust some random garage.maemo.org project?

bleek 2007-12-07 21:20

Re: Internet Tablets in the Workplace
 
Quote:

Originally Posted by Hedgecore (Post 105630)
Antilles: I'm not saying Windows is more secure than Linux at all, my belief is the complete opposite. Unfortunately the workplace isn't necessarily a place where one can put their opinions into practice.

Hmm... I guess that's why you are an admin and not a developer. Tell the sheep to operate as is. Exceptions to the rules are bad. etc. As someone who attempts to create new things and innovate, I try to express my opinion as much as possible in the workplace, but that's just me.

Quote:

Originally Posted by Hedgecore (Post 105630)
djs: We had a developer with his own laptop PC. I'm not site support, so it's not my business... but I agreed with IT, it pissed them off to no end. He left, and I'm sure he still has all the licensed software on it (screwing the company). There was no way to know how secure it was... and moreover, they wanted admin rights to it because if he was gonna use it as a company resource, they should be able to manage it as one when it was here. No go. Lots of issues arose from it besides being out a bunch of licenses. (He was a developer, stuff got expensive. He was also friends with a VP which is why he was allowed to bring it in anyway.)

The fact that you just HAD to include that last piece of information (friends with a VP) validates my point above. It seems like you are forming this opinion more because you don't like your toes being stepped on by a hotshot developer (regardless if this person was actually worthy of the description) rather than legitimate concerns over the issue. I for one will not take a job for a company (or upper management) that does not have enough faith in my skills to set up and manage my own development machine to maximize my productivity for the company.

greatgazoo 2007-12-07 22:00

Re: Internet Tablets in the Workplace
 
Quote:

Originally Posted by bleek (Post 105790)
I for one will not take a job for a company (or upper management) that does not have enough faith in my skills to set up and manage my own development machine to maximize my productivity for the company.

Funny, I for one would not want to do business with a company that puts their customers' security and privacy as second class to a developer's whims. :eek: Would that developer take the fiscal responsibility if something should go wrong? Probably not.

Don't get me wrong, if there is a true business case and the solution chosen has been properly vetted so that a "company" can realistically take responsibility for the actions of its employees, then fine. But there have been too many cases of companies (and government agencies) not taking this seriously enough.

sevo 2007-12-07 22:05

Re: Internet Tablets in the Workplace
 
Quote:

Originally Posted by TA-t3 (Post 105602)
The best thing is probably to not allow anything (including USB sticks, flash cards and iPods) inside the corporate system.

What with every cheap cellphone double-acting as a media player and every clerk sharing yesterday's Youtube finds, complete with every attached virus, with all friends at work, there are few chances left to enforce that. You won't separate the generations below 40 from their cellphones short of stripping them of all their clothes and belongings, walking them nude through a shower, and refitting them with a company uniform.

Eismaus 2007-12-07 22:30

Re: Internet Tablets in the Workplace
 
Actually, it is encouraged to use your own devices at my company..

We have an additional WLAN with a slow internet connection for personal use, with no connection to our company LAN.
Checking emails or the internet on our corporate PCs is an absolute no, but for this we have the WLAN. And as surfing with a PDA or a mobile phone isn't that much fun, most of the time it's just a fast check for mails..

bleek 2007-12-07 22:51

Re: Internet Tablets in the Workplace
 
Quote:

Originally Posted by greatgazoo (Post 105813)
Funny, I for one would not want to do business with a company that puts their customers' security and privacy as second class to a developer's whims. :eek: Would that developer take the fiscal responsibility if something should go wrong? Probably not.

You have a valid point and I agree with you in cases in which that occurs.

That being said, I have never put my "whims" above any customer's best interest. I have faith and pride in my code and my security architecture to where this would never be an issue. In fact I would trust a developer's commitment to perfection in all aspects of a project (RE: security practices) that they have put countless hours and sleepless nights into over any security policy chosen by a corporate IT department. If you cannot grant a developer trust in this regard they should not be touching any code that accesses sensitive information. The thing is developers are going to be the users you should be LEAST concerned about. If you are worried about criminal or unmoral concerns with a particular developer, then address that issue with them on an individual, personal basis.

Quote:

Originally Posted by greatgazoo (Post 105813)
Don't get me wrong, if there is a true business case and the solution chosen has been properly vetted so that a "company" can realistically take responsibility for the actions of its employees, then fine. But there have been too many cases of company (and government agencies) not taking this seriously enough.

The chances of this happening at any corporation with a board or investors are next to none. It's all about passing the ball to the next person in line.

Hedgecore 2007-12-07 23:01

Re: Internet Tablets in the Workplace
 
Gazoo: *thank you*

Bleek: Actually, I have nothing to do with operations or site support. In fact, my title was SQL developer and I dealt with report development (where my innovative ideas to make 75 min reports run in 5 mins *were* squashed), and worked closely with the guys who did the Java front end stuff for the dialer. My work issued laptop was actually beefier than the one the guy was using. (My guess is he wanted our software licenses to do freelance work on the side, which he did.)

Asking someone to use a work-issued laptop doesn't stifle innovation, at least I can't think of many cases where it would. What it *does* do is bring uncertainty into the realm of security and as I said we were dealing with credit card numbers and personal information. *THE* reason for disallowing personal machines is accountability. If anything happened the company would be held responsible and I don't think a certain credit card company whose cards live in many of our pockets would appreciate knowing the source of the breach was a personal laptop being used in the workplace. The company is accountable regardless, but the company should be accountable on its own terms. There's also the issue of data security once said employee rolls out to greener pastures. How can you ensure your data doesn't reside on that machine?

Celtsune 2007-12-07 23:24

Re: Internet Tablets in the Workplace
 
I got mine onto our private network and things are working ok.. even TTLS over PEAP, yay! Also I have the VPN software working and the front end for it.. It even read in our Cisco config file. So I now can VPN in and then remote into my Mac with VNC. Deskside support rocks now that I can go to the user's desk and have my computer in my hands with me.
I have to admit the 810 just rocks.

Jerome 2007-12-08 06:51

Re: Internet Tablets in the Workplace
 
Quote:

Originally Posted by Hedgecore (Post 105836)
is bring uncertainty into the realm of security and as I said we were dealing with credit card numbers and personal information.

I think you have your priorities backward. If connecting a PC with malware on the network is all it takes for a security breach, there is something very, very wrong with the IT department.

Quote:

Originally Posted by Hedgecore (Post 105836)
There's also the issue of data security once said employee rolls out to greener pastures. How can you ensure your data doesn't reside on that machine?

And here again: I think that if a firm lets vital data on one machine, or under the control of a single individual, there is something very, very wrong with their human resources management.

linuxrebel 2007-12-08 08:26

Re: Internet Tablets in the Workplace
 
Ok, Normal reaction. Here we go again.

The IT does not run windows. It does not run an OS modeled on the MS design concept. What this means is that you cannot solve MS problems on a Linux box. It's an exercise in futility.

Linux doesn't have viruses, period. Not in the way Windows does because unlike Windows it is modeled on the concept of privilege separation. As a result in order for a virus to exist on a Linux device it would need to have a human user there to assist it by telling it root's password or intentionally running it as root. Then you would have to tell each of the other users on the box to run this program as well.

Second MS binaries don't run on Linux (Wine covered separately and doesn't work on the IT) as a result if a virus were stored on a Linux system it would require the conscious effort of a human to move it to a winbox.

Now one thing that can happen is that a Linbox can have a file put on it that later you put onto a Windows box (sneaker net, samba drag and drop, scp perhaps) and then the user of the Windows box can go "Hey what's this executable let me click on it and see." Then again anything that can store a file could have this problem. The secret is to never execute any file put on your winbox until the winbox has virus scanned it.

On Windows you have the concept of the box/MS/system's ability to do things for you automagically without you first telling it to do them. Linux has automagic yes. But, I told it, configured it, to do this, it doesn't happen without prior knowledge. I don't get Ubuntu or Mandriva downloading files in the middle of the night that I didn't want through some secret back door. (MS has this.) Any file transferred from anywhere to my Linux box has to first have a human initiate the action. This initiation can be asynchronous (cron job) but it can't happen without a human knowing about it. Linux doesn't allow anonymous file transfer.

Security by obscurity also has little to do with it. Truth be known there are as many if not more Linux installs in corporate (insert country name) as there are WinBoxes. The problem is you don't know it. Cisco.... uses Linux.... Linksys, netgear, juniper, every little managed switch router etc etc etc. Yep most of them run an embedded Linux install (keeps Windriver and MontaVista alive) Not to mention the embedded Linux in some phones and most Centrex/VOIP/Telephone Exchange systems. (Asterisk is everywhere!) Then you finally get down to the servers/mainframes/clusters/we all know and love.

The #1 single most dangerous thing, you let into your environment every day is not a computer or an OS. It's people. Keeping hardware out is a lot like trying to keep pregnancy from occurring by forbidding adult toys. It ain't the toys fault, it's the humans who made it happen.

It comes down to a function of trust. Frankly if you can't trust the people you work with it's time to go to work somewhere else. Period. Computers are stupid. The only dang thing they can do is add 1+1 1+0 or 1+-1 (Honeywell did 1+-0). But it can do it really, really fast, enabling Humans to be able to turn that into some very intricate programs. That at least, on Linux, can only run if a human sitting in front of a console (remote or local, gotta love ssh/vnc) says go.

Rick Moen's Linux Virus FAQ

Wine (Wine Is Not an Emulator) is a way of running Windows programs on Linux. It has been so successful at running Windows programs that even some viruses have been shown to run there. Wine won't run on the IT (It's not x86) so no damage there.

Next, the IT is an ARM architecture. Guess what it can't run x86 binaries. Windows can't run ARM binaries. Guess what this means, it means A can't damage B unless if a human who owns A walks in and sits down at the console of B and starts deleting files.

Lastly, and this is again a result of poor security. I guess a HUMAN sitting with an IT that has been given access to your network, could start scanning for weak passwords and given a few weeks (the IT is slow) they can install a root kit. Root kits are fun, they are not viruses, they are in fact a result of intentional effort applied to poor security practices. (Change the dang password on your IT to something other than a curse word, your wife's name or p455w0rD) tear up the sticky notes (even the stupid Apple program and its "hidden" feature) that has your password and you can protect yourself.

Remember in the end 3 things are there for you no matter what OS.

1. Think before you act. If you don't have time to do it right, you'll never have time to do it over.

2. Trust, the human kind, if you don't have it, get a new job. No amount of retinal scans (rectal?) will replace the intimate knowledge of trust. Ask anyone who's been in combat, trust can keep you alive.

3. No matter how hard you work at keeping hardware out, while you are watching the hardware some human just walked off with a CD that has all of your customers' CC numbers. The #1 hacking danger is social engineering, not rogue hardware.

Jerome 2007-12-08 09:16

Re: Internet Tablets in the Workplace
 
I beg to differ. Sure, Windows is a security nightmare compared to Linux, but Linux (or Unix, etc..) is far from perfect. For example worms targeted at specific server software have been a problem (type "apache worm" in google). On a more IT related basis: it would be fairly easy to write a virus for the N800, given that everything works under the control of the user account.

You seem to also ignore the problem of industrial espionage. These kinds of viruses or trojans are less known to the general public, as they are typically designed to spread only on specific installations, but they are a problem whenever sensitive data is processed. Actually, all this boils down to the commercial interest of malware: Windows viruses are known by the general public, because they are used for botnets and therefore designed to spread massively. But if infecting a single machine will bring you lots of money (credit card lists, the blueprints of a prototype, etc...) it will be tried.

I'll say it again: Windows is the worst for all this. But you should not believe that Linux is 100% safe, just because viruses have not been massively reported. It's safer, but typically far less than you think.

So I stand by my opinion: "If connecting a PC with malware on the network is all it takes for a security breach, there is something very, very wrong with the IT department."

luca 2007-12-08 14:05

Re: Internet Tablets in the Workplace
 
Quote:

Originally Posted by linuxrebel (Post 105975)

Linux doesn't have viruses, period. Not in the way Windows does because unlike Windows it is modeled on the concept of privilege separation. As a result in order for a virus to exist on a Linux device it would need to have a human user there to assist it by telling it root's password or intentionally running it as root. Then you would have to tell each of the other users on the box to run this program as well.

If you only could convince the drones that won't let me connect my embedded linux computer, with no servers running, no open ports and physical access available only to qualified personnel (which, BTW, had no problem in managing another linux computer that luckily needed no access to the network), to the factory network, unless I install a "certified" antivirus.....(which, BTW, is a real POS and I'm sure it'll disrupt the operation of my embedded controller).
Oh, and their security policies are so good that you can take any computer (with an approved antivirus solution, of course) on the factory floor and get access to the internet at large (apparently their peripheral access control is based on windows, 'nuff said).

iball 2007-12-08 14:14

Re: Internet Tablets in the Workplace
 
Quote:

Originally Posted by Hedgecore (Post 105586)
I'm running Ubuntu at home and I can't tell you whether I do or not.

Then you need to get the phuck out of the IT industry.
It's people like you who "run things" and have no idea what they're doing that is destroying the will to live of those of us who do know what we're doing.
In other words, that one sentence you wrote nullifies your entire argument and makes you look like a clueless *****.

Where I work we're all about open source and Linux and the president of the company has told us "you're network engineers, you know what's safe and what isn't. If I can't trust you, then this whole thing falls apart."
But hey, I guess anyone complaining that they can't bring an IT into the workplace doesn't have a really important job there.

Hedgecore 2007-12-08 17:43

Re: Internet Tablets in the Workplace
 
WOW. I've been trying to lay back and have an exploratory conversation but I'm done with that.

I will not, and have never written a 30 page diatribe to contain every possible angle to qualify things that I've said.

If you think you can sit back and tell me your Linux box is 100% secure and you're sure of that, then you're deluded unless you just installed and it's never achieved connectivity. That's the fun part about security breaches, they're usually not evident the second they happen. I think that attitude means I *should* stay in IT (it seems you're not considering that it goes beyond site support and development). The last person I would want to work with is some overconfident egomaniac with a smug look on his face. You're making a lot of assumptions that I sit back and "run things" but I don't. I've done a lot of server side/infrastructure related work (both admin and development) and am not enough of a jerk to think my work is the be all and end all. So far as I know my Ubuntu box is clean. So far as I know, someone in a cabin in Russia hasn't come out with anything that I've never seen or heard about before. That makes me realistic, not clueless. My IT regularly comes with me into the workplace. It only connects to the Wifi provided for clients that's solely an internet connection, nothing to do with our network.

And Jerome... obviously I can form somewhat coherent sentences, shouldn't that immediately qualify me to know the obvious -- that security goes beyond malware/viruses? Any CC related call centers operate as a clean room (no paper, pens, recorders, etc.) and there are a host of other physical security concerns. Machines are locked with strict policies through AD to prevent agents from running anything that could conceivably help them scoop numbers/info. I'm not getting into all the details but jeez... and NO, that machine wasn't the only repository of vital data, but it was a COPY. One which *I* wouldn't feel comfortable having walk out the door with a now non-employee. When you quit your manager's job at McDonalds do they let you keep a copy of the key to the safe?

And to the snotty developers getting their knickers in a knot. (As I've said, I *DO* development work, most people I work with I like, a lot drive me crazy as bat sh*t for their poor practices.) You don't even have to post these back, but think about them. Which apply to you?

1.) I resent the fact my work has to go to QA, I checked it myself.
2.) I argue a lot with QA
3.) When I get specs I try to improve them and sometimes that takes longer than the project initially allotted.
4.) I'm awesome, the organization couldn't survive without me.
5.) This is the only thing I'm good at, I suck in social situations, and I get my neck beard in a knot when people try to stymie my brilliant ideas. I know assembler you f*ck!!!

You can change the wording around if you like, as long as you don't change the gist of the question. (Some developers I know haven't yet achieved the ability to grow facial hair on their neck.)

(P.S. I develop. I'm not site support. If you're going to make sweeping assumptions about me, let's at least get it in the right ballpark.)

Hugs & Kisses,
Hedge

TA-t3 2007-12-08 18:42

Re: Internet Tablets in the Workplace
 
Quote:

Quote:
Originally Posted by TA-t3
The best thing is probably to not allow anything (including USB sticks, flash cards and iPods) inside the corporate system.
Quote:

Originally Posted by sevo (Post 105815)
What with every cheap cellphone double-acting as a media player and every clerk sharing yesterday's Youtube finds, complete with every attached virus, with all friends at work, there are few chances left to enforce that. You won't separate the generations below 40 from their cellphones short of stripping them of all their clothes and belongings, walking them nude through a shower, and refitting them with a company uniform.

Oh, I never said it was _practical_ :) The best thing, security wise, is to not allow anything in. In real life though (depending on the place.. there _are_ places where "nothing should be allowed in, period".) it's a compromise. We don't disallow these gadgets where I work, for example. But then the engineers are highly qualified, but more important - there aren't many Windows boxes to find. And of course the wi-fi is outside the corporate firewall.

Jerome 2007-12-08 21:47

Re: Internet Tablets in the Workplace
 
Quote:

Originally Posted by Hedgecore (Post 106066)
And Jerome... obviously I can form somewhat coherent sentences, shouldn't immediately qualify me to know the obvious - - that security goes beyond malware/viruses? Any CC related call centers operate as a clean room (no paper, pens, recorders, etc.) and there are a host of other physical security concerns. Machines are locked with strict policies through AD to prevent agents from running anything that could conceivably help them scoop numbers/info. I'm not getting into all the details but jeeze... and NO, that machine wasn't the only repository of vital data, but it was a COPY. One which *I* wouldn't feel comfortable having walk out the door with a now non-employee. When you quit your manager's job at McDonalds do they let you keep a copy of the key to the safe?

I am not entirely sure I understand you. If it is operated as a clean room and people can't bring in a pen, how are they going to sneak in a laptop? Really, you confuse me. It is a completely different environment where one cannot connect anything to the network before submitting to a full body search and where one can bring in a laptop full of virii.

All I am saying is: if people can bring in a Nokia to connect to the network, the environment is such that people connecting their home laptop full of virii (or their Linux laptop with a port scanner...) is a definite possibility. In that case, something really sensible (like, e.g. credit card numbers) should not be accessible from that network. So your horror scenario implies gross incompetence from the IT department, and as a consequence I think your horror scenario is not real.

And no: I never had a manager job at McDonald's.

Hedgecore 2007-12-09 15:30

Re: Internet Tablets in the Workplace
 
I didn't mean to imply you did. The "you" in "you have to give your key back" wasn't "you" specifically. :)

In my scenario there are many sites, the clean room approach is call center specific, and doesn't apply to corporate or any of the support sites. I brought up the cleanroom and physical security because in the midst of getting attacked by neckbeards it was implied that keeping rogue machines off the network was step one of one in securing it.

I wouldn't call it a nightmare scenario at all. All I was trying to say (in spirit of the original post) was that in my line of business (BPO), introducing any potential unknowns isn't acceptable to the clients so we just can't do it. There are contractual fines for all sorts of stupid things and, being accountable, it ain't worth it. We've even seen the effects of it (the last worm was because someone in facilities brought in a laptop and plugged 'er in). This is not incompetence by the IT department (brand new worm, wasn't known yet.), as Linuxrebel said, it was a problem with people. I was happy that it was just ignorant (I don't use that word in a bad sense) users rather than a developer with a sense of entitlement.

jaark 2007-12-09 16:22

Re: Internet Tablets in the Workplace
 
Quote:

Originally Posted by djs_tx (Post 105601)
It really boils down to platform doesn't it? AFAIK, There's never been a cross platform virus and there's only been one self replicating linux virus in the wild.

You are, of course, talking of worms not viruses. Viruses aren't very common nowadays in comparison to worms and their potential threat on a Windows box is only so great because of the common disposition to run with full admin rights all the time.

The first well-known worm, however, was multiplatform (UNIX on DEC VAX boxes and Sun Workstations) and did more damage to the Internet (at the time, 1988) than Blaster, Slammer or any other modern pathogen.

Quote:

The reason IT security is so paranoid is thanks to Windows success, there is not enough diversity in the platform gene pool.
The reason security is so paranoid is that a level of paranoia is healthy and helps attempt to stay one step ahead of the guys who are out to get you ;) The Windows monoculture just makes us all weaker not more paranoid.

Quote:

Originally Posted by TA-t3 (Post 105602)
The best thing is probably to not allow anything (including USB sticks, flash cards and iPods) inside the corporate system.

Exactly right, but just because something is running Linux doesn't make it any more trustworthy - your IT department still does not know what is running on there. There are much more powerful tools installed by default on a Linux box (things like perl, ssh etc) which can make writing custom software to use the new machine as a conduit into the corporate network much easier, and the custom code will sail through any signature based analysis (AV, malware checks).

Quote:

Originally Posted by sondjata (Post 105609)
our wireless is locked down pretty tight here now and any iPhone, N8xx, has to give up the MAC Address before it is even allowed on the Network.

Sniffing and spoofing MAC addresses is extremely easy and quick. MAC filtering is a level of protection that will serve you for seconds. You may as well not do it. In fact, you'd be better off monitoring and alerting on unauthorised MACs. That way you have a way of knowing a rogue device is attempting to connect to the network.

Quote:

Originally Posted by sevo (Post 5815)
What with every cheap cellphone double-acting as a media player and every clerk sharing yesterday's Youtube finds, complete with every attached virus, with all friends at work, there are few chances left to enforce that.

On a properly managed network there is. There are plenty of packages around that can selectively disable USB (and other) ports based on a centralised policy. You have a business reason for using that USB key? OK, you can use it but only that one, the software will block any other one.
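
The monitoring approach suggested in the reply above on MAC filtering, as an added example (not code from the thread): it reads DHCP acknowledgements, alerts on MACs outside an allowlist, and also flags an allowlisted MAC that turns up under a different hostname or a second lease, since a copied address passes a plain filter. The log lines, allowlist and function names are constructed, and the regex assumes ISC dhcpd-style syslog lines.

```python
import re
from typing import NamedTuple

# Constructed sample, modelled on ISC dhcpd syslog lines (not from the thread).
SAMPLE_LOG = """\
Dec  9 16:20:01 gw dhcpd: DHCPACK on 10.0.0.21 to 00:1b:44:11:3a:b7 (ws-finance-01) via eth1
Dec  9 16:21:40 gw dhcpd: DHCPACK on 10.0.0.57 to 00:0f:66:9c:20:01 (n800) via eth1
Dec  9 16:22:13 gw dhcpd: DHCPACK on 10.0.0.58 to 00:1b:44:11:3a:b7 (home-laptop) via eth1
Dec  9 16:23:05 gw dhcpd: DHCPACK on 10.0.0.59 to 02:aa:bb:cc:dd:ee (laptop) via eth1
Dec  9 16:24:00 gw dhcpd: DHCPACK on 10.0.0.22 to 00:1b:44:22:5c:10 via eth1
"""

# Constructed allowlist: registered MAC -> hostname recorded at registration.
AUTHORISED = {
    "00:1b:44:11:3a:b7": "ws-finance-01",
    "00:1b:44:22:5c:10": "ws-dev-07",
}

ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\S+) to (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)"
)


class Alert(NamedTuple):
    kind: str
    mac: str
    ip: str
    detail: str


def is_locally_administered(mac: str) -> bool:
    """True if the U/L bit (0x02 of the first octet) is set, meaning the
    address was assigned in software rather than by the hardware vendor."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def scan(log_text: str, authorised: dict) -> list:
    """Return alerts for unknown MACs and for registered MACs behaving oddly."""
    alerts = []
    last_ip = {}  # registered MAC -> most recent leased address
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if not m:
            continue
        mac, ip, host = m["mac"].lower(), m["ip"], m["host"]

        if mac not in authorised:
            origin = ("locally administered address"
                      if is_locally_administered(mac)
                      else "vendor-assigned address")
            alerts.append(Alert("unknown-mac", mac, ip,
                                f"{origin}, hostname={host!r}"))
            continue

        # A registered MAC is not proof of a registered device: compare
        # what the client says about itself with what was registered.
        expected = authorised[mac]
        if host is not None and host.lower() != expected.lower():
            alerts.append(Alert("hostname-mismatch", mac, ip,
                                f"expected {expected!r}, saw {host!r}"))
        if mac in last_ip and last_ip[mac] != ip:
            alerts.append(Alert("second-lease", mac, ip,
                                f"already leased {last_ip[mac]}"))
        last_ip[mac] = ip
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG, AUTHORISED):
        print(f"{alert.kind:18} {alert.mac} {alert.ip:10} {alert.detail}")
```

A hostname mismatch or a second lease is only a hint, since a reinstalled machine or an expired lease produces the same lines, so these alerts are for a person to review, not for automatic blocking.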

TA-t3 2007-12-09 18:05

Re: Internet Tablets in the Workplace
 
[1988] You're talking about the 'finger' worm, right? I remember that the manager in charge of the network at the single point of connection to the Atlantic cable actually pulled the plug, literally, when getting notified about the worm. Thereby stopping it before it arrived, and also disconnecting one whole country from major parts of the internet (or possibly several countries, my memory gets fuzzy).

Anyway, what's interesting about that worm is that it could spread only because of the homogeneity of Unix systems at that time.. they all (or nearly all) used the exact same code base for the part which the finger worm penetrated. Today the same trick wouldn't have worked, or at least not with the exponential speed increase that shocked even the worm author. Uniformity.. same operating system and applications installed on the vast majority of computers.. does that remind you of something? ;)

jaark 2007-12-11 23:39

Re: Internet Tablets in the Workplace
 
I was talking about the 'morris' worm. It had (at least) three methods of propagation, the finger hole, a hole in sendmail and a brute-force login attempt. It attacked two quite different UNIX flavours with different hardware architectures.
I would be the last person to say that a monoculture is a good thing. I was just pointing out the fallacy in believing that a cross-platform worm is impossible. I will go back and state that a monoculture does not increase the risk of successful attack, but it makes the ramifications of such an attack an order of magnitude more severe.

djs_tx 2007-12-12 14:13

Re: Internet Tablets in the Workplace
 
Boy has this thread gotten a little hostile...

Cross platform: I agree. Not impossible but uncommon enough that worrying about it is way down the priority list.

People are the problem. You can engineer a great security system and if some employee wants to cause problems, he'll find a way. If you lock down the network so tight that it is very, very hard for anyone to do anything bad then you have created a network environment that is "hostile" for those of us that know what the hell we are doing and want to innovate and do our jobs.

I respect IT, they have a tough job. But I'm laying the groundwork right now to quit and start my own consulting business because I am sick and tired of fighting people in my own company to get the resources to do my job.

IT is so paranoid that they can't see the forest for the trees. My job title is "senior software engineer" for a NASA contractor but they actually made me fight to get admin rights on my boxes. When Symantec blocked download of netcat for some testing, I asked IT to change the virus scanner settings on my box. They said no, netcat can be used for hacking. I explained to them I was not trying to hack their network, just do my job but they refused. I even pointed them to a Symantec web page that recommends netcat as a troubleshooting tool. No joy.

So it has turned to a hostile relationship. I ignore their rules and get my job done. My boss knows everything I do and how I do it. If they want to fire me, that's fine by me. But because I ignore their crippling rules, I get a lot done and contribute too much to the project to fire. To be clear, I'm not doing anything that will compromise their network and I am not dealing with sensitive data. If I screw anything up, I'll pay the price and get all my privileges yanked.

But from what I hear, IT is a PITA for everyone. So hopefully in late 2008, I'm taking my act solo and working for the highest bidders.

David

gsagers 2007-12-12 15:48

Re: Internet Tablets in the Workplace
 
Really, what a lot of this comes down to (as always) is convenience and ease of use vs. security. You can make a very secure, locked-down system, and it will work well for things like data entry/web/etc. If you need to do things beyond that, you generally need to relax some rules or remove policies - again, I'm speaking VERY generally here - such as adding VisualStudio users to a "Debug" group that has SOME administrator privileges. At my previous university, all USB ports were disabled in BIOS of the machines in a certain lab because a large, costly database lived on a server, and the licensing terms prohibited anything that could be used to copy off that database. The result was a revolt by graduate students that eventually led to the company changing the licensing terms to allow signed affidavits that we would not copy their data. The loss of usability in this case outweighed the added "security" for the data, and caused a lot of work for the IT folks and legal types in re-negotiating the contract. Again, as always, there is no perfect trade-off between ease of use and security.

I work in a university environment that is reasonably secure. All users must authenticate against Active Directory to get access to network resources, public jacks are protected via 802.1x, and private (office) jacks are somewhat protected against things like MAC flooding. The wireless network is secured by WPA2 and a Radius server which authenticates with the AD controller. Windows and Mac client machines must use the site-licensed antivirus, a VPN is in place to connect from home, all outgoing connections are NATed, traffic shaping reduces the burden of file sharing, and strong passwords are enforced along with changes every 60 days, etc. Linux is not an officially sanctioned OS, but I know that I, among others, use it daily in both workstation and server roles, with IT approval for the servers. Thus, I'd classify it as a pretty secure network, certainly on par with some corporate networks, but not as secure as a certain local very large company that I hear about from students. This makes sense, as most of our data is about students, and is protected by Federal privacy laws. It would certainly be bad for it to leak, but it would not cause the end of existence for the university.

How do I know my Linux machine (not N800) is secure? Two reasons:
1. I only run SSH as a service, and have passwords that are secure as defined by the local AD server, and changed every 60 days. The fact that no other servers are running automatically lowers the number of exploits that can be used, but doesn't eliminate all threats. Being behind a NAT firewall also means that the only people that could be hacking against my machine are on-campus, and I know for certain that port-scanning detection is in place on the network, and Ethernet jacks that exhibit the signs of running a port scan are shut down immediately.
2. I run a rootkit checker every week as a cron job and email the report to myself. Could something get by? Yes, but I feel I'm exercising due diligence in protecting the machine and the network by doing so.

So, to return to the original poster's question, "Is my N800 secure? Should it be allowed onto the campus network?" Well, the answer is obviously different than some corporate settings, for the reasons outlined above, but the answer is "If it can meet the same requirements as other devices allowed on the network, then yes". That means, if IT doesn't allow personal laptops or PDA's to connect to local resources, this device would be included. If policy prohibits card readers, this device would also be included. In my case, the device can support the wireless connection security the same as any student laptop, so there's no reason not to allow it on the network. Could it have malware? Yes. Could that malware potentially damage the network, attached devices, or data? Yes. Could a student or faculty laptop have the same effect? Yes. That's why so many protections are on the network, to allow a (for a university) reasonable trade-off between security and ease of use.
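
A check that could run next to the weekly rootkit scan described in this post, as an added example (not the poster's own setup): it parses `ss -tlnpH` output and reports every TCP listener reachable from the network on a port other than SSH, which is the "only SSH as a service" claim put in verifiable form. The sample output, the allowed-port set and the function names are constructed for illustration.

```python
import re
import subprocess
from typing import NamedTuple, Optional

# Constructed sample of `ss -tlnpH` output (iproute2); not taken from the thread.
SAMPLE_SS = """\
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*    users:(("sshd",pid=812,fd=3))
LISTEN 0      5          127.0.0.1:631        0.0.0.0:*    users:(("cupsd",pid=701,fd=7))
LISTEN 0      128             [::]:22            [::]:*    users:(("sshd",pid=812,fd=4))
LISTEN 0      64                 *:2049             *:*
LISTEN 0      128     192.168.1.20:5900       0.0.0.0:*    users:(("x11vnc",pid=1404,fd=9))
LISTEN 0      4096   127.0.0.53%lo:53         0.0.0.0:*    users:(("systemd-resolve",pid=402,fd=14))
"""

PROC_RE = re.compile(r'users:\(\("([^"]+)"')


class Listener(NamedTuple):
    addr: str
    port: int
    process: Optional[str]  # None when ss shows no owner (kernel socket, or not run as root)


def parse_listeners(text: str) -> list:
    """Turn `ss -tlnpH` lines into Listener records, skipping anything else."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        # The local endpoint is the fourth column; split on the last colon
        # so bracketed IPv6 addresses such as [::]:22 stay intact.
        addr, _, port = fields[3].rpartition(":")
        if not port.isdigit():
            continue
        addr = addr.split("%")[0]  # drop an interface scope such as %lo
        proc = PROC_RE.search(line)
        listeners.append(Listener(addr, int(port), proc.group(1) if proc else None))
    return listeners


def is_loopback(addr: str) -> bool:
    """Loopback-bound sockets are not reachable from other hosts."""
    return addr.startswith("127.") or addr in ("[::1]", "::1")


def unexpected(listeners, allowed_ports=frozenset({22})) -> list:
    """Network-reachable listeners on ports outside the allowed set."""
    return [s for s in listeners
            if not is_loopback(s.addr) and s.port not in allowed_ports]


def report(listeners, allowed_ports=frozenset({22})) -> str:
    """Build the text a weekly cron job could mail with the rootkit report."""
    bad = unexpected(listeners, allowed_ports)
    if not bad:
        return "OK: only the allowed ports are reachable from the network"
    rows = [f"  {s.addr}:{s.port} ({s.process or 'no owning process shown'})"
            for s in bad]
    return "UNEXPECTED LISTENERS\n" + "\n".join(rows)


def live_listeners() -> list:
    """Query the running system; run as root so ss can name every process."""
    out = subprocess.run(["ss", "-tlnpH"], capture_output=True,
                         text=True, check=True).stdout
    return parse_listeners(out)


if __name__ == "__main__":
    print(report(parse_listeners(SAMPLE_SS)))
```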

Greyghost 2007-12-12 16:09

Re: Internet Tablets in the Workplace
 
Quote:

Originally Posted by iball (Post 106014)
....you look like a clueless *****.

Iball, you have made some good points, but in what manner is this rhetoric necessary to your argument?

Hedge, thanks for initiating this discussion. It's a tough one certainly, but even the *difficult* posts are worth reading!

My 2cents: Security comes down to trusting people, and some businesses can 'afford' to do it, others simply can't. I work at a University where there are so many people, layers and devices that no 'security system' is sufficient for the whole. Breaches occur not just because people are malicious (which they can be) but because they are careless, lazy or both (which they are more likely to be) :D

cynoclast 2007-12-12 16:24

Re: Internet Tablets in the Workplace
 
OP, your sentiments just go to show what Windows has done to the computing industry. Its sheer ubiquitousness combined with its security flaws has convinced people that if you don't have firewalls and virus scanners and malware scanners you don't have security.

When in fact, no amount of scanners and security software in the world can protect a system from a careless or malicious user.

Linux and Linux based devices are inherently more secure simply by not defaulting to root level system access to all users.

Add to that the fact that it's not only a Linux device, but running a non-x86 processor and you have a very unlikely source for security breaches.

It just seems to me you're overreacting.

Nathan 2007-12-12 16:35

Re: Internet Tablets in the Workplace
 
Quote:

Originally Posted by Hedgecore (Post 105630)
djs: We had a developer with his own laptop PC. I'm not site support, so it's not my business... but I agreed with IT, it pissed them off to no end.

That said, depends on the business. This is a huge BPO, it *has* to be secure as there's credit card / personal info being dealt with. If it were a small design company or something (50-200 users), I'd have no qualms using my tablet for stuff.

As a "Developer" (and recently the dev group manager) who uses his own equipment on the company network (and we probably deal with more critical data than you do, CC data being the _least_ important of it) -- there are reasons for exceptions to the rules. Rules should never be the end all answer -- they should be the guidelines and should be used to give you the intent of the law, not stifle user productivity.

And a laptop (which I and most of my developers use) is much more productive than a desktop machine. In the above issue you presented, if "my" machine was faster than the company's, then I would want to use it. If the company was only going to give me a desktop I would lobby to be allowed to use my laptop. I am far more productive on a laptop because inspiration can strike at 11pm at night. I've used a laptop for development work for over 15 years now. :)

In most developers' cases; real debugging is a lot harder (and in some cases impossible) to handle in a locked down account -- and since debug rights basically give you the "keys" to the machine (any developer with real debug rights on W2k/XP (not sure about Vista) can take over the machine anyways).

However, I'm not saying give the guy "network" admin rights -- "local" admin account rights is imho pretty much needed for any programmer who programs in any true compiled languages. Not only are the majority of developers pretty picky about their "setup" of the machine; but letting them setup their machine the way they want improves their productivity quite a bit for the minor security possibilities. (Emacs vs VI debate anyone?)

We assign the proper "network" rights based on the areas of responsibility.

Just to make your day (cringe <g>) since you seem to be very security paranoid -- My machine is NOT a member of the domain; nor does it run the company wide standard "virus" scanner, nor does it run the standard IM client. Hmm, thinking about it, I don't even run the standard browser nor the standard email clients. Hmm, standard.... Not sure there is much of anything "standard" on my computer. Technically, a sysadmin's worst nightmare. <g>

However, as so eloquently phrased, with great power comes great responsibility. I run better (yes, imho & based on research) software than the company does. I do have AV, and run several other security related stuff that would be "overkill" for normal uses (software firewall, etc). I also read several different security mailing lists (and rss feeds to others -- so I often know long before IT if an issue might be something that they will need to be aware of).

Since we do deal with "critical" information -- I've introduced encrypted partitions/disks, source code control, build control, etc; to the company since I've been here. And at the end of the day if a problem that IT can't solve occurs, it lands on my desk as its last stop. ;-)

Now, if you tried to "handcuffed" me; I would be pretty upset too. My .02c from the other side of the fence.


Quote:

(I'm seriously a huge proponent of Linux... but as much as I'd love to see it at work, I'd hate to as well.)
As long as you have it keep itself up to date; adding a linux server is good for the company. Having different "genes" in the gene pool helps promote stability. Having all the same genes gives birth defects. Guess what the computer industry suffers from. :)

Nathan.

Hedgecore 2007-12-12 18:28

Re: Internet Tablets in the Workplace
 
I'm glad this took a turn for civility again. I'm actually not too paranoid about security, given the chance to use my tablet I would in a second. I'm arguing points on both side of the coin, and I'll (much to your dismay/mental health) regularly switch sides. :) (That's how I explore a topic fully.)

For the most part, you guys seem to be conscientious developers. You've got social skills, can function normally, and come up with ideas that are an actual help to projects.

... but in your career paths, you've had to see the other side (which is what I was pointing my finger at). The developer who doesn't need admin rights for any reason but insists on them because it's an affront to his perceived intellect. The one who wants to use his own machine for no other reason than to set his own standards and play by his own rules regardless of the impact it would have for another department (say, the one charged with maintaining everything - - IT). The one who comes up with ideas not because they're helpful but because they're grandiose and are a challenge as opposed to the usual daily code, and subsequently delays the project because rebuilding the wheel didn't work (like it didn't last time and the time before that).

It's been brought up before but in business it comes down to accountability. You might be frickin Linus Torvalds but if IT can't guarantee that your linux tablet is secure, they can't in good conscience allow it on the network. This cheeses off the hyper-intelligent developer to no end but seriously... at the end of the day they're accountable and don't want to take the risk no matter how small. Different story if it hinders work, but refer to the above paragraph as those are the examples I'm referring to.

(And in my specific case, all devs do have widescreen laptops which still kicked the crap out of that rogue machine specs-wise - - the guy was just being difficult and wanted to use the tools for his own on-the-side efforts.) ;)

Besides being all about accountability at the end of the day, there definitely has to be a balance. If you needed admin rights to do your job, I'd have dumped them on you in a split second (providing I got in writing why you needed them to cover my own a** (There's that accountability again)) :)

Nathan 2007-12-12 18:34

Re: Internet Tablets in the Workplace
 
Quote:

Originally Posted by Hedgecore (Post 106066)
I will not, and have never written a 30 page diatribe to contain every possible angle to qualify things that I've said.

Everybody has their opinions and nobody else wants to write a 30 page diatribe on every angle they have either. Hence we do get some miscommunications. :)

Quote:

If you think you can sit back and tell me your Linux box is 100% secure and you're sure of that, then you're deluded
Very true statement! However the same applies with any OS. You have to weigh things. For instance -- am I MORE sure my Linux box is not infected than my Win Box or Mac Box is? It is a numbers game. In terms of basic security on "Average" a recent auto-patching distribution of Linux / MacOSX are more secure than an auto-patching Windows box. However, that being said my personal opinion in security is Linux, Mac OSX, Windows. In that specific order, with Windows being the least secure of the bunch. (Please note I use a WinXP box all day as my primary machine -- it also imho is the box I'm most productive on). I'm pro-use the right tool for the right job.

Quote:

My IT regularly comes with me into the workplace. It only connects to the Wifi provided for clients that's solely an internet connection, nothing to do with our network.
Cool, so far it sounds well thought out. I assume you don't actually have _any_ other wireless access point that are actually inside the network correct? Otherwise that "insecure" point of failure is a whole lot worse than just the IT connecting to it.


Quote:

Machines are locked with strict policies through AD to prevent agents from running anything that could conceivably help them scoop numbers/info.
Nice that all sounds like pretty good security, I assume USB, & FireWire are also _totally_ disabled (in hardware) in your call center -- and autorun is also disabled for all drives on all machines in your facility, right?


Quote:

And to the snotty developers getting their knickers in a knot.
I might be one of the "snotty" developers (well at least I will admit the "developer" part <G>) But based on my relationship in my company -- I think everyone in my company just thinks of me as the nice guy that knows a lot about computers and if they have a question I'm always willing to help. I also try and explain why/how the problem occurred so our support desk can handle it in the future.


Quote:

1.) I resent the fact my work has to go to QA, I checked it myself.
2.) I argue a lot with QA
3.) When I get specs I try to improve them and sometimes that takes longer than the project initially allotted.
4.) I'm awesome, the organization couldn't survive without me.
5.) This is the only thing I'm good at, I suck in social situations, and I get my neck beard in a knot when people try to stymie my brilliant ideas. I know assembler you f*ck!!!
LOL, I might be atypical -- let's see
#1 -- I happened to implement a lot of it.
#2 -- Nope, I happen to believe in QA, Programmers make mistakes; and I know I make them. QA is a good defensive line.
#3 -- Umm, no -- bad recipe for disaster.
#4 -- No, nobody is un-replaceable. In fact, I try to do the opposite -- I attempt to make myself very replaceable. I've found throughout the years that the more replaceable I become the more responsibility I get. Since if I can be moved from project a easily; then I can jump on project c where they might need some help. Now, I would say -- I would be hard to replace overall -- I know we've been looking for another equally qualified developer for as long as I've been working here, which has been quite a while.
#5 -- Well I am awkward in some social settings, not a socialite by any means. But, if you don't agree with my "facts" you are entitled to your own opinions. (j/k) -- in all reality we (as a team) rarely clash. And I have no problems doing it another way. Most of the time we discuss where the "conflict" is at and figure out why and then decide on the course of action.

Quote:

(P.S. I develop. I'm not site support. If you're going to make sweeping assumptions about me, let's at least get it in the right ballpark.)
A couple questions:
1. What do you develop? Native compiled language, or runtime? Do you debug it if it is compiled?
2. Do you have local admin rights to your computer?

Nathan.
P.S. Don't think I'm picking on you. I'm mainly trying to field the answers to questions you raised from a senior developer's perspective who has been developing (& playing!) for 20-ish years (man that makes me sound old... <g>)

barry99705 2007-12-12 18:39

Re: Internet Tablets in the Workplace
 
When it comes down to it, it's our (the IT folks) network. If there's an AUP stating you can't use a personal machine on the network, you're not using a personal machine on the network. If it states you can use a personal machine, but have to have one of our admin accounts installed on it and you don't want one of our accounts on it, it doesn't connect to the network. If we find that you have connected a personal machine to our network, it either gets confiscated, and you get to explain yourself to the director of technology, and/or, you find yourself a new job.

Nathan 2007-12-12 19:16

Re: Internet Tablets in the Workplace
 
Quote:

Originally Posted by Hedgecore (Post 107818)
I'm glad this took a turn for civility again. I'm actually not too paranoid about security, given the chance to use my tablet I would in a second. I'm arguing points on both side of the coin, and I'll (much to your dismay/mental health) regularly switch sides. :) (That's how I explore a topic fully.)

LOL, I love technology -- hence my purchasing an N810 when I can (The dev codes hopefully will be live on the 15th). I plan on using it at work, and I'm sure the other IT guys will see it and want one too. They got Moto-Q's because it was cool. Just wait until they see an N810 in action. ;-D



Quote:

... but in your career paths, you've had to see the other side (which is what I was pointing my finger at). The developer who doesn't need admin rights for any reason but insists on them because it's an affront to his perceived intellect.
Security based on "who" you are is not good. Security based on "what" you need is. I'm all for making the CEO/CFO mad by removing their network security that they don't need. ;-)


Quote:

The one who wants to use his own machine for no other reason than to set his own standards and play by his own rules regardless of the impact it would have for another department
Depends on circumstances. If he actually impacts other departments then yes that is a problem. If he makes other departments uncomfortable that is their problem. For instance we have a set way to manage source; it is followed. This impacts any developers that work on that source base. However, on some projects we only have one developer and he has control of the build process -- as this really does not affect anything "globally". Others we have a set build process since it is multiple people (typically automated). Analyze the need and give the responsibility to those that "can" and "do" want it. Those that don't want it or can't do it don't.


Quote:

(say, the one charged with maintaining everything - - IT).
Ah, see I look at it a bit differently -- if you give someone the right to customize their machine (such as I do for the devs because of the productivity factors) -- The only thing I require from IT department to do is rebrick the machine if the developer doesn't know how to. With Power comes responsibility. You mess it up, you fix it. If you can't fix it you get to rebrick it. And that loss of time is yours. Keeps everyone accountable. ;-) For our CS department, the machines are fairly locked down. They don't need that "freedom" (nor do many of them want it) and then IT fully supports their configurations. Right tool for the right job...


Quote:

The one who comes up with ideas not because they're helpful but because they're grandiose and are a challenge as opposed to the usual daily code, and subsequently delays the project because rebuilding the wheel didn't work (like it didn't last time and the time before that).
I think I might also take a different look at this. I really don't like the Not Invented Here syndrome -- however, on occasion for a new developer I will let them do it and then I have a "teaching" opportunity. ;-) Sometimes the cost for getting that teaching opportunity is worth suffering a NIH loss. ;-D


Quote:

It's been brought up before but in business it comes down to accountability. You might be frickin Linus Torvalds but if IT can't guarantee that your linux tablet is secure, they can't in good conscience allow it on the network.
Wow this must be one of the few Windows places that actually removes/blocks internet explorer, active-x. I haven't heard of that many places taking that tough of a stance on security. Color me impressed. I wish I could get my company to ban it -- it would sure help security wise...


Quote:

(And in my specific case, all devs do have widescreen laptops which still kicked the crap out of that rogue machine specs-wise -- the guy was just being difficult and wanted to use the tools for his own on-the-side efforts.) ;)
See, then that makes a bit more sense why you are balking at adding another machine to the network. No good reason = no! Do your devs get to bring their notebooks home? Do your devs get local admin rights?

Nathan.

cynoclast 2007-12-12 21:23

Re: Internet Tablets in the Workplace
 
Quote:

Originally Posted by barry99705 (Post 107823)
When it comes down to it, it's our (the IT folks) network. If there's an AUP stating you can't use a personal machine on the network, you're not using a personal machine on the network. If it states you can use a personal machine, but have to have one of our admin accounts installed on it and you don't want one of our accounts on it, it doesn't connect to the network. If we find that you have connected a personal machine to our network, it either gets confiscated, and you get to explain yourself to the director of technology, and/or, you find yourself a new job.

Petty tyrants are invariably the worst.:mad:

It's not your network. It's the company's. Your job is making sure they can use the network to do theirs. If the user is responsible and the personal device will improve their productivity, everyone benefits if you green-light their access. You might even learn something. Possession shouldn't extend beyond personal pride in your work.

technut 2007-12-12 22:11

Re: Internet Tablets in the Workplace
 
Quote:

Originally Posted by cynoclast (Post 107908)
It's not your network. It's the company's. Your job is making sure they can use the network to do theirs.

No, I'll bet part of his job is to protect the company's IT resources and data. And that's probably even more important to the company than getting your unapproved device onto the company network.

Hedgecore 2007-12-12 23:28

Re: Internet Tablets in the Workplace
 
Nathan: Awesome answers, I think I like arguing with you. :) SQL has been my bag for a while (which explains my anal retentiveness -- for a while I was going to go the DBA route). I've also done stuff in Java/C and done a lot of application/system design. Education-wise I've got a Systems Analysis diploma and a Programming one. (That was mostly VB/VC though, plus all the design aspects covered in both.) Also to your enquiry about local security, USB ports are locked down in the call center environment, as well as on any machine where the user doesn't have admin rights. I do have admin rights on my laptop, as does most of IT. Contrary to the picture I'm painting, Mussolini hasn't teamed up with Hitler to dictate security policy. It's a comfortable blend between users and those charged with keeping the lights on.

Someone brought up a good point that I've been dodging around because I'm not a fan of fascism... it ain't the employees' network, it's the company's. And sorry to bring ITIL into this but keeping services running is of prime importance, not making someone 10% less productive because they can't use their personal laptop with 1GB more RAM than their company-allotted laptop. Call it tyrannical, but if work was fun we'd all have Google business cards. ;)

