(Sorry for the philosophical thread-starting as of late...)

Reading Toonje's signoff, people started mentioning using their tablets at work. Half of this notion intrigues me, the other half mortifies me.

Obviously the tablet is a powerful tool in the IT arsenal, between rDesktop, IM, the network tools, etc., but do you *really* know you don't have any sort of malware on there? I'm running Ubuntu at home and I can't tell you whether I do or not. From a security perspective, you're bringing an external device past the firewalls, past the physical security, and accessing the heart of your IT infrastructure. I realize the odds are low that anything will happen, but people *do* win the lottery.

I've had lots of discussions with our Chief Security Officer at the coffee maker and he's changed my outlook on a lot of things. While I'd love to see Linux on the workstation, until the security aspects become as common as they are for Windows, I don't want it here. The concept of users bringing in home laptops and putting them on the network has always made my jaw drop too, and come to think of it, any of the bad worms we've gotten in the past 2 yrs have been due to this. As IT workers, putting unauthorized and untested devices on the network freaks me out.

That said, I could see it being handy for taking notes, etc., but for most office environments, dragging a notepad or laptop around is a lot easier. A pad of sticky notes is still smaller than a tablet.

So. What do you guys use your tablets for in the workplace? What are your security concerns and how did you address them?

Are you seriously positing that Windows is more secure than Linux because it has more anti-virus software?

Well, other than browsing the internet when at my workplace (hospital), I write letters and memos using abiword (and by converting to pdf I can send them as fax, too). I have lots of reference info in pdf inside; I can also compose new pdf docs by selecting pages of existing pdf's and annotate them in xournal, then close the round trip again, to pdf, again for printing or faxing. Xournal is good also for taking notes in meetings - I am always loosing my paper-based notes and keeping them into the tablet prevents this at all. Sporadicly, I have used spreadsheets on Gnumeric to keep track of numbers and type of patients, but I am not the bean-counter type of guy. Well, and when possible I listen to my music that's there as mp3.
The only way I think I could loosen my workplace security is when logging to its internet connecrion via a portable wifi router, right? But other than encrypting that connection, what would be needed from my part?

I think it's more of a question of knowledge. Windows is more vulnerable etc. but at the same time with a virus scanner you know (hopefully) if there's something on there. It's not a guarantee by any means but there's a way to measure it. When was the last time you ran a check for a root kit on your Linux machine? Or on your tablet? It's obviously possible for such a thing to exist on the tablet but not likely. Still, there's no easy way to verify ...

To answer the question: I work at a university we have our wireless infrastructure cut off from the wired so I can use my tablet for PIM stuff and surf the web without worrying about the other machines on the network (File sharing is also not allowed). I'm still learning the ITT ropes so I expect to find more uses at work soon!

A few points

Security through obscurity. There are very few known exploits for Linux period. The Maemo tablet is an Arm processor based device running a generally very secure operating system.

Services: The tablets in the hands of "amateurs" is just an email / web client. Any decent IT dept should have those services appropriately locked down.

Geek factor: Those smart enough to do more with their tablets are generally smart enough to avoid problems.

Right now I'm violating official company policy as I type this at work on my MacBook pro. But I have a gentleman's agreement with IT. They cut me some slack and look the other way on my setup and I help them with some of their tasks in my work area.

It really boils down to platform doesn't it? AFAIK, There's never been a cross platform virus and there's only been one self replicating linux virus in the wild.

The reason IT security is so paranoid is thanks to Windows success, there is not enough diversity in the platform gene pool. If there were a variety of platforms and operating systems deployed, the entire IT ecosystem would be more exploit resistance. We're all windows in-bred here so we are all vulnerable to the same exploits.

I'm using my tablet mostly for email: I can walk around campus and still get email. Most of the time I'm on the external wi-fi network (outside of the firewall), so I get the email through the normal secured/encrypted imap system anyway. When I'm using it for anything else I'll use VPN, mostly to read the internal web or to ssh into somewhere. Not very different from what I'd do from my Linux laptop.

But as far as security problems and risks are concerned, I don't think I'm much wrong in stating that connecting a home laptop running Windows on the corporate network.. that's very, very risky. And connecting the same laptop running Linux is orders of magnitudes less dangerous. I really believe I have a good, deep understanding of what can and can't be done with the Linux operating system itself, at least as much as I think it's possible without being an active kernel developer myself (I've only contributed a couple of small things myself, and that's a long time ago). I used to read every single line of code that was added to the Linux kernel since its very beginning (1991), up to around version 2.4 when it became a bit too overwhelming because of the size. Since then I've just read the changelogs. I believe I know how it works, to put it that way.

Anyway, as far as worms, virueses, infections are concerned there are simply much less ways to get hit with the linux systems: The hooks are just not there. For example, all this about 'opening' attachments: Well, 'opening' an attachment in my Linux email programs doesn't _do_ anything, unless it's something readable. There's nothing that gets executed. On Windows, on the other hand, everything seems to be designed to let viruses and worms in: Clicking on emails and attachments can execute actual code, and as it's almost impossible to get anything done withouth admin rights you give that executable code free run of the system. Word documents have a built-in macro language so just by looking on a document there could be code executing. That's insane! And so on and so forth. Everywhere I look in a Windows system there's a way of executing code sent to you by various means that shouldn't have anything with to do with code to start with: Documents, messages, images even (and image handling is actually implemented in the _kernel_, so not to be too sluggish. That gives you a nice hook to really deep-infect the system).

As far as the Internet tablet is concerned, the risks are even less. No servers to let worms in, until you install dropbear-server or openssh, which, if you don't fix the one obvious hole, will let somelone log in to get a root shell. The user account doesn't have root rights, and by clicking on things you can at most get video or music, in any case only your /home/user/ directory is at risk. You could in principle bring in emails with attachments (that won't do any harm on the ITT) which you, when you're on your corporate network, forward to someone there which has a Windows computer: You're most probably bypassing the corporate virus check that way, and your email (which does nothing on your tablet) may infect your co-worker. (This is probably one of the most realistic problems with any type of device which establishes an unofficial channel into the corporate network).

The best thing is probably to not allow anything (including USB sticks, flash cards and iPods) inside the corporate system. Short of that, I feel infinitely safer if that thing which is connected to the network runs Linux (or anything not Windows, really).

a large portion of security breeches occur by people in the organization who already have access to "the goods."

The next level are users who are given admin rights who never should have been.

the next level, usually in combination with the previous one are e-mails gotten from Yahoo, google but not internal that contain exploits specifically targetted to Outlook.

break in via N800 ranks pretty far down the list of probable problems. our wireless is locked down pretty tight here now and any iPhone, N8xx, has to give up the MAC Address before it is even allowed on the Network.

Antilles: I'm not saying Windows is more secure than Linux at all, my belief is the complete opposite. Unfortunately the workplace isn't necessarily a place where one is put their opinions into practice. I still stand by, better the evil you know than the evil you don't. (Ninjatuned basically replied for me - - thanks!)

djs: We had a developer with his own laptop PC. I'm not site support, so it's not my business... but I agreed with IT, it pissed them off to no end. He left, and I'm sure he still has all the licensed software on it (screwing the company). There was no way to know how secure it was... and moreover, they wanted admin rights to it because if he was gonna use it as a company resource, they should be able to manage it as one when it was here. No go. Lots of issues arose from it besides being out a bunch of licenses. (He was a developer, stuff got expensive. He was also friends with a VP which is why he was allowed to bring it in anyway.)

That said, depends on the business. This is a huge BPO, it *has* to be secure as there's credit card / personal info being dealt with. If it were a small design company or something (50-200 users), I'd have no qualms using my tablet for stuff.

One of the worst things in security are the unknowns. My 770 could have a rootkit on it right now and I'd have no clue. If it does, there aren't too many people around here that know what to do. (I do - - REFLASH.)

(I'm seriously a huge proponent of Linux... but as much as I'd love to see it at work, I'd hate to as well.)

There has been at least one POC cross-platform (win32/linux, i386 only) virus. None in the wild, to my knowledge.

Security breeches? You mean, pants with a padlock?
That's about what I would think.

Don't know if you're considering using it as a grad student as work or not.
At University here, all MACs must be registered, for wireless or wired ethernet. Wireless ethernet has no WEP/WPA at all, which suits me fine. I SSH everything important anyhow. Access to intranet sites is all https. Pretty much any device you bring in is cool, though they won't give you any support for handhelds with WiFi.
As far as really knowing if you have any malware that snuck in, I'd look at porting tripwire, if I thought there was any probability of it. It's not real likely, because root permissions are required to install software. There could be exploits in the package manager, I suppose, but by far the most likely way malware gets on would be installing a trojan. So, short of auditing the source to everything you install, you won't ever know. How much do you trust some random garage.maemo.org project?

Hmm... I guess thats why you are an admin and not a developer. Tell the sheep to operate as is. Exceptions to the rules are bad. etc. As someone who attempts to create new things and innovate, I try to express my opinion as much as possible in the workplace, but that just me.

The fact that you just HAD to include that last piece of information(friends with a VP) validates my point above. It seems like you are forming this opinion more because you don't like your toes being stepped on by a hotshot developer( regardless if this person was actually worthy of the description) rather than legitimate concerns over the issue. I for one will not take a job for a company (or upper management) that does not have enough faith in my skills to setup and manage my own development machine to maximize my productivity for the company.