Even the top-of-the-range Surface Laptop fails to impress Jon, along with Windows 10 S, before he turns his mind to the importance of VPNs

PC & Tech Authority

JON HONEYBALL

Jon is the MD of an IT consultancy that specialises in testing and deploying hardware. @jonhoneyball

I was intrigued by the new Microsoft Surface Laptop. So much so, that I decided I needed to buy one. The prices seem a little robust, starting at $1,499 for the base-level specification of Core i5 processor, 4GB of RAM and 128GB of storage. A more Honeyballesque specification of Core i7, 16GB of RAM and 512GB of storage runs to a somewhat more fruity $3,299, which is quite a lot of money. Nevertheless, it had to be done.

First impressions? Microsoft is building on its previous work with the Surface Book and Surface Pro, and has delivered a high-quality product. No-one can argue with the build quality, although I’m still quite conflicted about the “furry” keyboard area. I can’t help but feel it will become grubby over time; plain aluminium would have been a somewhat more sensible solution. Only time will tell how this material fares.

The Next Big Thing with Surface Laptop is, of course, Windows 10 S. This is version 1703, although actually it’s OS Build 15063.242, a confusion that will no doubt be explained away by someone who understands such things. The S means… well, it’s still not clear. Secure? Maybe. If it was truly secure, then I’d argue that it wouldn’t need antivirus. Apple iOS manages just fine without it, and that has a secured, validated app store that is the only place from which you can install apps. The same is true of Windows 10 S. Try to install an app from outside of the Windows Store, and a window will pop up informing you that: “For security and performance, Windows 10 S only runs verified apps.” I wanted to install Google Chrome, but it wasn’t having any of it. Indeed, it continued by notifying me that “Microsoft Edge is the faster, safer browser designed for Windows 10 S” and offered me a button to “Open Microsoft Edge”. How kind.

I understand the thinking here, and there is a perfectly logical position – restricting execution to apps that have been downloaded from the Windows Store means that apps have to be digitally signed. This means they need to have been submitted to the Store, and this immediately wipes out a whole history of Windows apps that you might just have lying around on an old CD. It doesn’t matter what you try to do, within the boundaries of sensible hacking – you won’t get an unsigned, old Windows app to run.

I find myself curiously conflicted by this. I’ve been whining for years about the downside of having such a long and rich legacy of Win32 apps out there. And that many, even most, of them are pretty ropey – so much so, that you can almost always do better by choosing a modern replacement. And so having the tools baked into the OS to prevent you running this old code is clearly a good thing.

However, you can throw a switch to re-enable the support for old code. It takes a few mouse clicks, and suddenly it all works. This kind of suggests that it’s all there anyway; it’s just hiding in the background. Maybe I’d be more reassured if it was more difficult to get old Win32 code running. After all, might it be possible for some cunning malware hidden away in a Windows Store app to enable the old Win32 support to work, or for some malware writer to find a way to do it within the OS itself? I don’t know – I’d like to be more reassured here.

Second, if you do make the choice to enable full apps, you get Windows 10 Professional – despite this Surface Laptop having a strong home/student target market feel. Given that it turns into Win10 Pro, it’s almost as if Microsoft is prepping the business world for the “S” move across the board sometime soon now. It certainly wouldn’t surprise me.

On the flip side, do you really need access to full Win32 code? Well, you might if you treasure that licence for a decade-old version of Office. Or, you have an older version of Photoshop that you rely on. And therein lies the problem. The Windows Store is just fine, and is a good place to go, providing the tools you need are there. Not having Chrome would be quite a wrench for me, and although I have lots of licences for Office 365, I might be able to give up Office 2003 for a fresh install of LibreOffice. Except I can’t, because it isn’t in the Windows Store. Everything is pushing me towards taking out subscriptions to the Microsoft services platform, namely Office 365. I can buy Adobe Photoshop Elements 15 for US$99, but what happens if I have an Adobe subscription to the full platform? Again, it isn’t to be found in the Store.

Looking at the available antivirus apps, I could go for Avast Free or AVG Free. Kaspersky Now tells me that it “displays your PC’s protection status in real time, directly through the Windows 8 User Interface”. So there’s a good reason to avoid that option, if it can’t even mention Windows 10. Norton Studio is “Uniquely designed and optimized for Windows 10” – which is enough for a mild frisson of excitement, I guess. It goes on to say, “Norton Studio allows users to view, manage and explore Norton products, on various devices all from a convenient central location.” This suggests it doesn’t actually do any antivirus of its own. But who knows? Is this the quality of app store that we deserve to get?

And that’s the gripe. Going to Windows 10 Pro is a one-way street. There’s no way of going back to Windows 10 S, unless you do a somewhat tortuous full clean and reinstall – which involves creating a recovery USB stick, then downloading a large ZIP file from Microsoft, then patching the USB stick with the contents of the ZIP file, and then wiping the laptop clean and starting afresh. Should it really be so difficult?

Just to confuse matters, if you’re running Windows 10 Creators Update then you can choose to only run apps from the Microsoft Store. So really, what is the point of Windows 10 S?

Incidentally, I’d like to have the option to “only run apps from the Microsoft Store or from known Microsoft developers”, thus allowing me to run digitally signed code but to exclude anything that’s unsigned. This would surely give me the protection I’m after, but with the flexibility I might need. It isn’t impossible: this is exactly what macOS gives me, and it works well.

So like many things Microsoft, especially related to Windows on the desktop, 10 S seems a little half-baked. I can see the good intentions, but I’m disappointed by the clunkiness of the implementation. After all, the reason to run Windows is simply because I need to run legacy apps. If I don’t, and if mostly everything can be managed either by a store-signed app or a web interface, then why wouldn’t I have an iPad Pro instead?

Squaring that circle is one that I still have to resolve. I had hoped “S” would be the next-step slam-dunk solution from Microsoft that kept it right at the leading edge. As it is, I fear it will be hard to keep my Surface Laptop on Windows 10 S and it will have to slide back to full Windows 10 Professional.

I’m also struggling to see why I would use this rather than a MacBook. Yes, the screen is touch-sensitive, but that means little to me on a laptop where the screen doesn’t detach. And I can see the lack of ports and other connectivity beginning to annoy greatly. Compared to my Surface Book, I’m not convinced I’ve moved forward 18 months. And that’s not good enough.


When you’re travelling away from home, you regularly make data connections. It doesn’t matter if it’s your smartphone or a Wi-Fi-enabled laptop or tablet. Connecting to the internet is something we just do all of the time.

It could well be argued that your smartphone has a more secure connection via 3G/LTE than it does connecting to the Wi-Fi in your local emporium of horribly scorched coffee beans. That’s almost certainly true, because the connection is via LTE to your telco, and thence onto the internet. Doing a man-in-the-middle attack on this isn’t impossible, but is in the realms of James Bond. Indeed, I know of one company that makes such boxes in flight cases for serious spooks, and they can do just such a thing. But getting hold of one of its flight cases takes a huge amount of money and careful vetting.

Actually, I find that LTE – especially in built-up areas – is often considerably faster than a Wi-Fi hotspot, so I tend to keep my connection working over the former. For a laptop or tablet, I’ll often set up my own Wi-Fi hotspot from my LTE phone. The downside is that you’re setting up another Wi-Fi transmission in the 2.4GHz band space, which is congested at the best of times. This is the reason that, despite my reservations, on occasion I find that hopping onto the Burnt Coffee Emporium Wi-Fi is often the better solution.

If you do that, what can you do to protect yourself? The answer is simple: set up a virtual private network. You have some choices. Some might recommend using one of the subscription packages offered by various companies. These can be VPN specialists, or offshoots of antivirus/security software companies. Some offer you the ability to appear to be emerging onto the internet from another location.

For example, you might need to appear to be in New York, even if you’re in Southend. More likely, you might want to appear to be in Melbourne when you’re in New York, so you can access geo-locked services. However, geo-locking teams are becoming wise to this and are automatically blocking anything that appears to be from one of these VPN end-point hosts anyway.

Given that my home is my castle (or my office is, for sure), it makes sense to VPN tunnel back to a known safe address. To do this, your boundary router/firewall needs to understand the VPN protocols in use, and be able to accept the incoming connection. Connecting back to home might seem a strange thing to do, and in the old days of dial-up or slow ADSL it really wasn’t a good idea at all, even if it was possible. Today, with FTTC and FTTP, there should be plenty of bandwidth to play with.

You can buy software to help manage VPN tunnels. I have a licence I bought for VPN Tracker, a solid package for macOS that I have on my MacBook Pro that travels around the world with me. But the reality is that you don’t need any app, because it’s all built into any modern OS. So I have the settings enabled in macOS, and on my iPhone. It’s one click to turn on the VPN tunnel. And you can choose whether to send all the traffic over the VPN link or only the traffic that needs to go to the VPN endpoint. For example, you might decide to allow your work traffic to travel over the VPN tunnel to the office, but allow non-work traffic to transport over the coffee house internet connection. Or you might force everything to go to the office and in/out from there. Obviously, if you’re worried about security then it’s best to ensure that “Send All Traffic” is enabled.

If your boundary router/firewall doesn’t want to play ball, then change it. Any decent firewall will allow multiple VPN connections concurrently. As I’ve said before, I’m a big fan of the Cisco Meraki infrastructure, which I have on all four sites here. Configuring my iPhone to connect to it was a trivial process in the Meraki dashboard: I set up my username and password, then a shared secret. Over on the phone, I created a new L2TP VPN tunnel account, gave it the username and password information, the shared secret and the server IP address. Flick the switch, the VPN starts up, and all the traffic goes over the VPN tunnel back to the office. Well, it would have done had I managed to type in the shared secret words correctly. One letter of typo caused hours of frustration, and I felt a complete fool once I’d spotted the error. Once fixed, it just worked.

So now when I’m away from the office, and connecting via a Wi-Fi base whose provenance might be in question, I always turn on the VPN tunnel. It just works, and it gives you the strong reassurance that someone isn’t sitting in the middle trying to work out what you’re doing.

This reminds me of some 20 years ago in December, sitting in a grotty web café on Ipanema Beach in Rio de Janeiro. It was the hottest day it had been for 20 years, and I needed to check something on my work server. I was so pleased I had installed the correct HTTPS certificate to force the connection to be encrypted. All around me were teens playing online computer games and a rather shady operator lurking in the shadows at the back of the room. Who knows what fun they might have had if I’d blithely logged in using an unencrypted connection.

Hence there’s no real excuse. When in a public untrusted space, make sure you’re running a VPN tunnel. The solution is simple, painless and easy to set up, presuming you have firewalling of adequate quality at your office or home. And if you don’t, it’s a good place to start on an overdue hardware upgrade.


A special shout-out goes to Synology for putting out the beta of Surveillance Station 8.1. This is the much-heralded version that doesn’t require browser plugins and other nastiness. Point your browser at the IP address, and everything just works. We’ve been waiting some time for this, but it’s good to see it finally arrive. I did the update; it was a simple and seamless process.

Although of no value to me, I was intrigued to see the sort of integration on offer, including recording transactions happening in a point-of-sale system. In essence, the data from POS can be added onto the video feed, and thus you really can check that the three packets of crisps were bought and paid for, and that what was handed over by the POS staff matched up with the transaction.

I also like the flexible options for offsiting the backups, and I’ll use this to mirror my home cameras to work, and work to home. It’s probably time to retire the somewhat old solution in the office that just takes live feeds from the IP cameras. An integrated solution based around Surveillance Station would make more sense, and I’ll be bringing this online in the coming weeks.

Windows 10 S only runs apps from the Windows Store. The problem? It doesn’t have everything I need...

Surface Laptop or iPad Pro? I’d go with the latter (and the latte)

I can “view, manage and explore” Norton products with this app – but what about the antivirus?

Synology Surveillance System – simple to set up, and it just works

Protect yourself in public spaces by running a VPN tunnel
