The New iPad

[RobertJasiek]

Thank you and everybody for the detailed explanations!

unless you jailbreak, since then well, it's like running Linux without proper security in place...

Ah. So in principle I could first become a linux security expert, then jailbreak, then install my preferred security concept on the iPad (or Android, where it seems more urgent), then connect to the Internet. But... judging from a similar path under Windows, I might need 2 years of learning advanced security details:(

[RobertJasiek]

My impression is that, if you're comfortable banking on your windows PC, you should be fine on your iPad

Are you sure?:)
http://home.snafu.de/jasiek/windows_sec ... ncept.html

--especially if you use your bank's apps.

Of course, I do not trust any bank to create secure PC software...

Maybe one of those matte screen protector things would do the trick?

1) It loses the point of a tablet: to be a simple device with great design.

2) c't has tested that and it was at best an improvement but not a real substitute.

[RBerenguel]

Thank you and everybody for the detailed explanations!

unless you jailbreak, since then well, it's like running Linux without proper security in place...

Ah. So in principle I could first become a linux security expert, then jailbreak, then install my preferred security concept on the iPad (or Android, where it seems more urgent), then connect to the Internet. But... judging from a similar path under Windows, I might need 2 years of learning advanced security details:(

Usually, no. It's only paranoia if you are not really being followed. If you are on a Windows computer, you are more or less a sitting duck in the fair waiting for the shot. Almost all malware is pointing at you. In a Linux computer, an exploit is *very* hard to get along, since you need a serious breakage of some fundamental piece of code. That's what root users are for: only root can do damage to a linux or Mac system, as I said, without something very basic broken.

Think of it like giving your home's keys to an stranger. For an exploit to get along, you'd have to have your door open... and no-one in your neighbourhood care to tell you. In an Android, you can install almost whatever you'd like (and there's a lot of things in the Android market), and almost all these apps can get these (or close) privileges *by asking you* (I'm getting in messy areas here because I'm not sure how the Android market and Android apps go, but if it worked like Apple's this should not happen, so I'm just guessing). This is what Android advocates tell you about freedom: you can tell your app what you allow them to do. But if you don't like that, you can't install it. In an iPad you are in "a walled garden". There's no way an app can do it, period.

This pisses off many people, but for me (been using Linux, Windows and Mac for a while already) just means I don't need to give much thought to security and just do my business. I've done banking with my iPad (well, checking my accounts and similar, or some Paypal stuff) without much concern. If something has gone so deep in my iPad to be able to hijack https connections, and are really interested in doing so with my accounting data, there's probably little I can do to secure all my computer systems... But that would be paranoia

[oren]

Oh, on my PC? Can't the Windows Explorer be used and is the iPad not recognised like a USB storage device then?

This is where I find my Android tablet to be much much simpler than trying to use my family's ipad. Transferring data and working with it is much easier. I don't really feel like I lose anything on Android to Ipad and save a lot more money. The only app I want that is iOS only currently is Nihon Kiin magazines, but they're working on the Android version now.

[RBerenguel]

Are you sure?:)
http://home.snafu.de/jasiek/windows_sec ... ncept.html

Holy detritus! Then I'd bet you can't use an iPad Seriously, this is why I stopped using Windows. Having an antivirus on all day. Checking for malware each week, upgrading antiviri and malware databases, double checking everything I downloaded, cleaning cookies, removing permissions to Internet Explorer stuff... All that time was better spent just working with my MacBook (or my Linux system for that matter, but I also have ranted about the "just do it from scratch" approach of linux systems in the past...). Of course I know enough about Unix/Linux permissions, execution, security levels and whatnot to be quite sure about what I should and should not do, but most of what you advocate for Windows is more or less "automatic" in *nix systems. As an example, if you download some executable thing from the internet and try to open it in a Mac, you'll get a nice alert "hey that was downloaded from the internet" giving you an option to re-check the page, cancel or keep opening the program. Nothing gets executed by default.

[RobertJasiek]

paranoia

What a security expert calls "reality".

If you are on a Windows computer, you are more or less a sitting duck in the fair waiting for the shot.

Since Windows NT 6.x (Vista, W7...), it is (for a badly / not configured PC) pretty solid security IF the user does not do the dangerous manually (open the email attached exectuable etc.).

I've done banking with my iPad (well, checking my accounts and similar, or some Paypal stuff) without much concern.

The greatest danger there is careless usage of some WiFi access point.

[averell]

The greatest danger there is careless usage of some WiFi access point.

The whole point of SSL is that that is not a danger. Unless of course you're in the habit of ignoring certificate warnings while banking online.

[RobertJasiek]

The whole point of SSL is that that is not a danger.

I forgot the details but the trick seems to be to construct a man in the middle attack with which the encrypted part of the communication is circumvented, i.e. the middle man has some CA stuff and pretends to be the recipient.

[averell]

The whole point of SSL is that that is not a danger.

I forgot the details but the trick seems to be to construct a man in the middle attack with which the encrypted part of the communication is circumvented, i.e. the middle man has some CA stuff and pretends to be the recipient.

That is an attack, but that is exactly why you have certificates. The bad guy can of course sign his own, but then your browser will warn you (because he doesn't trust "Random Guy CA Inc."), which i hinted at in the second part. And your bank pays money to get a real one from a company listed in the trusted certificate authorities section of your browser.

[Boidhre]

Shush now! I've been desperately trying to convince myself that I don't need to upgrade from the iPad 1 (which my son now monopolises)...

If you don't care about the higher resolution display (i.e., you were generally satisfied with iPad 1 resolution), and you don't care about having a very high quality rear-facing camera (which I have never used myself), then you have an excellent excuse to get the iPad 2 at the reduced price. Then you have your toy and can report how deal-minded you are to your significant other (if necessary).

The reason I didn't get an iPad 2 was the resolution staying the same...

[hyperpape]

I would not feel secure enough for doing banking with the iPad. Also my concern is the tremendous popularity of the iPad, which surely must lead to greater interest of malware writers.

No, there's almost no market. A few months ago, McAfee declared that there were no reports of malware didn't even list malware on non jailbroken iOS devices on their survey of mobile malware (because it was so limited in comparison to other platforms).

There's a combination of things: iOS is harder because of sandboxing and the app store, and the majority of devices are up to date which makes the rare exploits less valuable. It's much like the situation involving Windows where the growing popularity of Windows 7 has not yet led to it catching up with Windows XP in malware.

Edit: a probably unnecessary clarification added.

[judicata]

The reason I didn't get an iPad 2 was the resolution staying the same...

Ah, then you're just out of luck. Looks like you have to buy the new one.

[Kirby]

paranoia

What a security expert calls "reality".

A security expert would do enough research on the device to know the answers to the basic questions you asked about the device prior to getting paranoid.

Paranoia without the slightest bit of research is just unfounded.

[hyperpape]

The whole point of SSL is that that is not a danger.

I forgot the details but the trick seems to be to construct a man in the middle attack with which the encrypted part of the communication is circumvented, i.e. the middle man has some CA stuff and pretends to be the recipient.

That is an attack, but that is exactly why you have certificates. The bad guy can of course sign his own, but then your browser will warn you (because he doesn't trust "Random Guy CA Inc."), which i hinted at in the second part. And your bank pays money to get a real one from a company listed in the trusted certificate authorities section of your browser.

The people who do this won't be targeting your bank account, but the more I learn about certificates, the less safe I feel: http://www.computerworlduk.com/news/sec ... sl-spying/.

[averell]

The people who do this won't be targeting your bank account, but the more I learn about certificates, the less safe I feel: http://www.computerworlduk.com/news/sec ... sl-spying/.

That is hilarious. I especially like the part about it being the industry standard to betray their customers. But effectively it's not much different from CA's being compromised, which has happened before. There is only so much you can do from a technical side, when you cannot place your trust in these authorities either, and being at home or on some random starbucks wifi won't make a difference.