Even the top-of-the-range Surface Laptop fails to impress Jon, along with Windows 10 S, before he turns his mind to the importance of VPNs
I was intrigued by the new Microsoft Surface Laptop. So much so, that I decided I needed to buy one. The prices seem a little robust, starting at $1,499 for the base-level specification of Core i5 processor, 4GB of RAM and 128GB of storage. A more Honeyballesque specification of Core i7, 16GB of RAM and 512GB of storage runs to a somewhat more fruity $3,299, which is quite a lot of money. Nevertheless, it had to be done.
First impressions? Microsoft is building on its previous work with the Surface Book and Surface Pro, and has delivered a high-quality product. No-one can argue with the build quality, although I’m still quite conflicted about the “furry” keyboard area. I can’t help but feel it will become grubby over time; plain aluminium would have been a somewhat more sensible solution. Only time will tell how this material fares.
The Next Big Thing with Surface Laptop is, of course, Windows 10 S. This is version 1703, although actually it’s OS Build 15063.242, a confusion that will no doubt be explained away by someone who understands such things. The S means… well, it’s still not clear. Secure? Maybe. If it was truly secure, then I’d argue that it wouldn’t need antivirus. Apple iOS manages just fine without it, and that has a secured, validated app store that is the only place from which you can install apps. The same is true of Windows 10 S. Try to install an app from outside of the Windows Store, and a window will pop up informing you that: “For security and performance, Windows 10 S only runs verified apps.” I wanted to install Google Chrome, but it wasn’t having any of it. Indeed, it continued by notifying me that “Microsoft Edge is the faster, safer browser designed for Windows 10 S” and offered me a button to “Open Microsoft Edge”. How kind.
I understand the thinking here, and there is a perfectly logical position – restricting execution to apps that have been downloaded from the Windows Store means that apps have to be digitally signed. This means they need to have been submitted to the Store, and this immediately wipes out a whole history of Windows apps that you might just have lying around on an old CD. It doesn’t matter what you try to do, within the boundaries of sensible hacking – you won’t get an unsigned, old Windows app to run.
I find myself curiously conflicted by this. I’ve been whining for years about the downside of having such a long and rich legacy of Win32 apps out there. And that many, even most, of them are pretty ropey – so much so, that you can almost always do better by choosing a modern replacement. And so having the tools baked into the OS to prevent you running this old code is clearly a good thing.
However, you can throw a switch to re-enable the support for old code. It takes a few mouse clicks, and suddenly it all works. This kind of suggests that it’s all there anyway; it’s just hiding in the background. Maybe I’d be more reassured if it was more difficult to get old Win32 code running. After all, might it be possible for some cunning malware hidden away in a Windows Store app to enable the old Win32 support to work, or for some malware writer to find a way to do it within the OS itself? I don’t know – I’d like to be more reassured here.
Second, if you do make the choice to enable full apps, you get Windows 10 Professional – despite this Surface Laptop having a strong home/student target market feel. Given that it turns into Win10 Pro, it’s almost as if Microsoft is prepping the business world for the “S” move across the board sometime soon now. It certainly wouldn’t surprise me.
On the flip side, do you really need access to full Win32 code? Well, you might if you treasure that licence for a decade-old version of Office. Or, you have an older version of Photoshop that you rely on. And therein lies the problem. The Windows Store is just fine, and is a good place to go, providing the tools you need are there. Not having Chrome would be quite a wrench for me, and although I have lots of licences for Office 365, I might be able to give up Office 2003 for a fresh install of LibreOffice. Except I can’t, because it isn’t in the Windows Store. Everything is pushing me towards taking out subscriptions to the Microsoft services platform, namely Office 365. I can buy Adobe Photoshop Elements 15 for US$99, but what happens if I have an Adobe subscription to the full platform? Again, it isn’t to be found in the Store.
Looking at the available antivirus apps, I could go for Avast Free or AVG Free. Kaspersky Now tells me that it “displays your PC’s protection status in real time, directly through the Windows 8 User Interface”. So there’s a good reason to avoid that option, if it can’t even mention Windows 10. Norton Studio is “Uniquely designed and optimized for Windows 10” – which is enough for a mild frisson of excitement, I guess. It goes on to say, “Norton Studio allows users to view, manage and explore Norton products, on various devices all from a convenient central location.” This suggests it doesn’t actually do any antivirus of its own. But who knows? Is this the quality of app store that we deserve to get?
And that’s the gripe. Going to Windows 10 Pro is a one-way street. There’s no way of going back to Windows 10 S, unless you do a somewhat tortuous full clean and reinstall – which involves creating a recovery USB stick, then downloading a large ZIP file from Microsoft, then patching the USB stick with the contents of the ZIP file, and then wiping the laptop clean and starting afresh. Should it really be so difficult?
Just to confuse matters, if you’re running Windows 10 Creators Update then you can choose to only run apps from the Microsoft Store. So really, what is the point of Windows 10 S?
Incidentally, I’d like to have the option to “only run apps from the Microsoft Store or from known Microsoft developers”, thus allowing me to run digitally signed code but to exclude anything that’s unsigned. This would surely give me the protection I’m after, but with the flexibility I might need. It isn’t impossible: this is exactly what macOS gives me, and it works well.
So like many things Microsoft, especially related to Windows on the desktop, 10 S seems a little half-baked. I can see the good intentions, but I’m disappointed by the clunkiness of the implementation. After all, the reason to run Windows is simply because I need to run legacy apps. If I don’t, and if mostly everything can be managed either by a store-signed app or a web interface, then why wouldn’t I have an iPad Pro instead?
Squaring that circle is one that I still have to resolve. I had hoped “S” would be the next-step slam-dunk solution from Microsoft that kept it right at the leading edge. As it is, I fear it will be hard to keep my Surface Laptop on Windows 10 S and it will have to slide back to full Windows 10 Professional.
I’m also struggling to see why I would use this rather than a MacBook. Yes, the screen is touch-sensitive, but that means little to me on a laptop where the screen doesn’t detach. And I can see the lack of ports and other connectivity beginning to annoy greatly. Compared to my Surface Book, I’m not convinced I’ve moved forward 18 months. And that’s not good enough.
When you’re travelling away from home, you regularly make data connections. It doesn’t matter if it’s your smartphone or a Wi-Fi-enabled laptop or tablet. Connecting to the internet is something we just do all of the time.
It could well be argued that your smartphone has a more secure connection via 3G/LTE than it does connecting to the Wi-Fi in your local emporium of horribly scorched coffee beans. That’s almost certainly true, because the connection is via LTE to your telco, and thence onto the internet. Doing a man-in-the-middle attack on this isn’t impossible, but is in the realms of James Bond. Indeed, I know of one company that makes such boxes in flight cases for serious spooks, and they can do just such a thing. But getting hold of one of its flight cases takes a huge amount of money and careful vetting.
Actually, I find that LTE – especially in built-up areas – is often considerably faster than a Wi-Fi hotspot, so I tend to keep my connection working over the former. For a laptop or tablet, I’ll often set up my own Wi-Fi hotspot from my LTE phone. The downside is that you’re setting up another Wi-Fi transmission in the 2.4GHz band space, which is congested at the best of times. This is the reason that, despite my reservations, on occasion I find that hopping onto the Burnt Coffee Emporium Wi-Fi is often the better solution.
If you do that, what can you do to protect yourself? The answer is simple: set up a virtual private network. You have some choices. Some might recommend using one of the subscription packages offered by various companies. These can be VPN specialists, or offshoots of antivirus/security software companies. Some offer you the ability to appear to be emerging onto the internet from another location.
For example, you might need to appear to be in New York, even if you’re in Southend. More likely, you might want to appear to be in Melbourne when you’re in New York, so you can access geolocked services. However, geo-locking teams are becoming wise to this and are automatically blocking anything that appears to be from one of these VPN end-point hosts anyway.
Given that my home is my castle (or my office is, for sure), it makes sense to VPN tunnel back to a known safe address. To do this, your boundary router/firewall needs to understand the VPN protocols in use, and be able to accept the incoming connection. Connecting back to home might seem a strange thing to do, and in the old days of dial-up or slow ADSL it really wasn’t a good idea at all, even if it was possible. Today, with FTTC and FTTP, there should be plenty of bandwidth to play with.
You can buy software to help manage VPN tunnels. I have a licence I bought for VPN Tracker, a solid package for macOS that I have on my MacBook Pro that travels around the world with me. But the reality is that you don’t need any app, because it’s all built into any modern OS. So I have the settings enabled in macOS, and on my iPhone. It’s one click to turn on the VPN tunnel. And you can choose whether to send all the traffic over the VPN link or only the traffic that needs to go to the VPN endpoint. For example, you might decide to allow your work traffic to travel over the VPN tunnel to the office, but allow non-work traffic to transport over the coffee house internet connection. Or you might force everything to go to the office and in/out from there. Obviously, if you’re worried about security then it’s best to ensure that “Send All Traffic” is enabled.
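Whether “Send All Traffic” has actually taken effect shows up in the routing table: the system-wide default route should point at the tunnel interface. The check below is an added example, not part of the original column; the routing tables are constructed samples laid out like macOS `netstat -rn -f inet` output, and the interface names (`ppp0`, `en0`), addresses and prefix list are assumptions.

```python
# Added example, not from the article. Routing tables below are constructed,
# laid out like macOS `netstat -rn -f inet` output; ppp0/en0 are assumed names.

FULL = """\
Destination        Gateway            Flags        Netif Expire
default            link#12            UCS           ppp0
default            192.168.1.1        UGScI          en0
10.20.0.1          10.20.0.7          UH            ppp0
192.168.1          link#4             UCS            en0
"""

SPLIT = """\
Destination        Gateway            Flags        Netif Expire
default            192.168.1.1        UGSc           en0
10.20              ppp0               USc           ppp0
10.20.0.1          10.20.0.7          UH            ppp0
192.168.1          link#4             UCS            en0
"""

VPN_PREFIXES = ("ppp", "utun", "ipsec")  # assumed tunnel interface name prefixes


def parse_routes(text):
    """Return (destination, flags, netif) tuples, locating columns via the header row."""
    rows, cols = [], None
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "Destination":
            cols = {name: i for i, name in enumerate(fields)}
            continue
        if cols is None or len(fields) <= cols["Netif"]:
            continue  # preamble, or a line too short to carry an interface
        rows.append((fields[0], fields[cols["Flags"]], fields[cols["Netif"]]))
    return rows


def tunnel_mode(text, vpn_prefixes=VPN_PREFIXES):
    """Classify a routing table as 'full-tunnel', 'split-tunnel' or 'no-tunnel'."""
    routes = parse_routes(text)
    # An 'I' flag marks an interface-scoped route, which is not the system default.
    defaults = [netif for dest, flags, netif in routes
                if dest in ("default", "0.0.0.0/0") and "I" not in flags]
    if defaults and all(n.startswith(vpn_prefixes) for n in defaults):
        return "full-tunnel"
    if any(netif.startswith(vpn_prefixes) for _, _, netif in routes):
        return "split-tunnel"   # tunnel is up, but general traffic leaves locally
    return "no-tunnel"
```

A result of `split-tunnel` on an untrusted network means only traffic for the listed office prefixes is protected; everything else still crosses the local Wi-Fi.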
If your boundary router/firewall doesn’t want to play ball, then change it. Any decent firewall will allow multiple VPN connections concurrently. As I’ve said before, I’m a big fan of the Cisco Meraki infrastructure, which I have on all four sites here. Configuring my iPhone to connect to it was a trivial process in the Meraki dashboard: I set up my username and password, then a shared secret. Over on the phone, I created a new L2TP VPN tunnel account, gave it the username and password information, the shared secret and the server IP address. Flick the switch, the VPN starts up, and all the traffic goes over the VPN tunnel back to the office. Well, it would have done had I managed to type in the shared secret words correctly. One letter of typo caused hours of frustration, and I felt a complete fool once I’d spotted the error. Once fixed, it just worked.
So now when I’m away from the office, and connecting via a Wi-Fi base whose provenance might be in question, I always turn on the VPN tunnel. It just works, and it gives you the strong reassurance that someone isn’t sitting in the middle trying to work out what you’re doing.
This reminds me of some 20 years ago in December, sitting in a grotty web café on Ipanema Beach in Rio De Janeiro. It was the hottest day it had been for 20 years, and I needed to check something on my work server. I was so pleased I had installed the correct HTTPS certificate to force the connection to be encrypted. All around me were teens playing online computer games and a rather shady operator lurking in the shadows at the back of the room. Who knows what fun they might have had if I’d blithely logged in using an unencrypted connection.
Hence there’s no real excuse. When in a public untrusted space, make sure you’re running a VPN tunnel. The solution is simple, painless and easy to set up, presuming you have firewalling of adequate quality at your office or home. And if you don’t, it’s a good place to start on an overdue hardware upgrade.
SYNOLOGY SURVEILLANCE STATION
A special shout-out goes to Synology for putting out the beta of Surveillance Station 8.1. This is the much-heralded version that doesn’t require browser plugins and other nastiness. Point your browser at the IP address, and everything just works. We’ve been waiting some time for this, but it’s good to see it finally arrive. I did the update; it was a simple and seamless process.
Although of no value to me, I was intrigued to see the sort of integration on offer, including recording transactions happening in a point-of-sale system. In essence, the data from POS can be added onto the video feed, and thus you really can check that the three packets of crisps were bought and paid for, and that what was handed over by the POS staff matched up with the transaction.
I also like the flexible options for offsiting the backups, and I’ll use this to mirror my home cameras to work, and work to home. It’s probably time to retire the somewhat old solution in the office that just takes live feeds from the IP cameras. An integrated solution based around Surveillance Station would make more sense, and I’ll be bringing this online in the coming weeks.
Windows 10 S only runs apps from the Windows Store. The problem? It doesn’t have everything I need...
Surface Laptop or iPad Pro? I’d go with the latter (and the latte)
I can “view, manage and explore” Norton products with this app – but what about the antivirus?
Synology Surveillance System – simple to set up, and it just works
Protect yourself in public spaces by running a VPN tunnel