The New iPad

[RobertJasiek]

paranoia

What a security expert calls "reality".

If you are on a Windows computer, you are more or less a sitting duck in the fair waiting for the shot.

Since Windows NT 6.x (Vista, W7...), it is (for a badly / not configured PC) pretty solid security IF the user does not do the dangerous manually (open the email attached exectuable etc.).

I've done banking with my iPad (well, checking my accounts and similar, or some Paypal stuff) without much concern.

The greatest danger there is careless usage of some WiFi access point.

[averell]

The greatest danger there is careless usage of some WiFi access point.

The whole point of SSL is that that is not a danger. Unless of course you're in the habit of ignoring certificate warnings while banking online.

[RobertJasiek]

The whole point of SSL is that that is not a danger.

I forgot the details but the trick seems to be to construct a man in the middle attack with which the encrypted part of the communication is circumvented, i.e. the middle man has some CA stuff and pretends to be the recipient.

[averell]

The whole point of SSL is that that is not a danger.

I forgot the details but the trick seems to be to construct a man in the middle attack with which the encrypted part of the communication is circumvented, i.e. the middle man has some CA stuff and pretends to be the recipient.

That is an attack, but that is exactly why you have certificates. The bad guy can of course sign his own, but then your browser will warn you (because he doesn't trust "Random Guy CA Inc."), which i hinted at in the second part. And your bank pays money to get a real one from a company listed in the trusted certificate authorities section of your browser.

[Boidhre]

Shush now! I've been desperately trying to convince myself that I don't need to upgrade from the iPad 1 (which my son now monopolises)...

If you don't care about the higher resolution display (i.e., you were generally satisfied with iPad 1 resolution), and you don't care about having a very high quality rear-facing camera (which I have never used myself), then you have an excellent excuse to get the iPad 2 at the reduced price. Then you have your toy and can report how deal-minded you are to your significant other (if necessary).

The reason I didn't get an iPad 2 was the resolution staying the same...

[hyperpape]

I would not feel secure enough for doing banking with the iPad. Also my concern is the tremendous popularity of the iPad, which surely must lead to greater interest of malware writers.

No, there's almost no market. A few months ago, McAfee declared that there were no reports of malware didn't even list malware on non jailbroken iOS devices on their survey of mobile malware (because it was so limited in comparison to other platforms).

There's a combination of things: iOS is harder because of sandboxing and the app store, and the majority of devices are up to date which makes the rare exploits less valuable. It's much like the situation involving Windows where the growing popularity of Windows 7 has not yet led to it catching up with Windows XP in malware.

Edit: a probably unnecessary clarification added.

[judicata]

The reason I didn't get an iPad 2 was the resolution staying the same...

Ah, then you're just out of luck. Looks like you have to buy the new one.

[Kirby]

paranoia

What a security expert calls "reality".

A security expert would do enough research on the device to know the answers to the basic questions you asked about the device prior to getting paranoid.

Paranoia without the slightest bit of research is just unfounded.

[hyperpape]

The whole point of SSL is that that is not a danger.

I forgot the details but the trick seems to be to construct a man in the middle attack with which the encrypted part of the communication is circumvented, i.e. the middle man has some CA stuff and pretends to be the recipient.

That is an attack, but that is exactly why you have certificates. The bad guy can of course sign his own, but then your browser will warn you (because he doesn't trust "Random Guy CA Inc."), which i hinted at in the second part. And your bank pays money to get a real one from a company listed in the trusted certificate authorities section of your browser.

The people who do this won't be targeting your bank account, but the more I learn about certificates, the less safe I feel: http://www.computerworlduk.com/news/sec ... sl-spying/.

[averell]

The people who do this won't be targeting your bank account, but the more I learn about certificates, the less safe I feel: http://www.computerworlduk.com/news/sec ... sl-spying/.

That is hilarious. I especially like the part about it being the industry standard to betray their customers. But effectively it's not much different from CA's being compromised, which has happened before. There is only so much you can do from a technical side, when you cannot place your trust in these authorities either, and being at home or on some random starbucks wifi won't make a difference.

[RobertJasiek]

A security expert would do enough research on the device to know the answers to the basic questions you asked about the device prior to getting paranoid.

That's what security experts did before concluding: It hardly matters whether one uses Windows, Android or iOS. Whichever OS one uses, one has to do the best effort to learn and understand security aspects and then configure the computer as securely as possible.

[hyperpape]

The people who do this won't be targeting your bank account, but the more I learn about certificates, the less safe I feel: http://www.computerworlduk.com/news/sec ... sl-spying/.

That is hilarious. I especially like the part about it being the industry standard to betray their customers. But effectively it's not much different from CA's being compromised, which has happened before. There is only so much you can do from a technical side, when you cannot place your trust in these authorities either, and being at home or on some random starbucks wifi won't make a difference.

I'm not sure, but can't an OS that only runs Tor traffic help? https://tails.boum.org/

[hyperpape]

Depending on why you're concerned about security, this article could be either comforting or really scary: http://www.forbes.com/sites/andygreenbe ... gure-fees/.

[RBerenguel]

But in any case, the user has to do something. It's not like my iPad is sitting here in the ground and the bad guys are just stealing my data. They have to trick the user into doing something (opening an email, opening a webpage...). Of course, emails are always risky. If you are over the top with security, just don't ever open an email and always type your URLs. Of course, make sure your router is completely secure, and all traffic is encrypted. And that your ISP is not tinkering with MITM schemes. And then you just forget to close the window and the spies just make photocopies of your papers. Meh.

[RobertJasiek]

don't ever open an email

It suffices to view emails as plain text and not open-execute any executable attachment.