Surface Pro 3 Review

My Surface Pro 3 just arrived.  Having just spoken about the KingSing tablet which is about the cheapest full Windows device on the market – I’ll now talk about this one which must be about the most expensive tablet you can buy.

I’ve been a huge fan of the Surface range since they were launched – I’ve had the original RT and both the original Pro and the Pro 2.  They’ve all been pretty good devices, but each one has had a few flaws…  I’ve talked extensively about RT not quite cutting it for my needs – so I’ll just compare the Pro 3 to the Pro 2.  This will be a bit superficial because I’ve only had it for a few days – but I really wanted to get a review about it out from an ordinary punter in the UK.  I’m also taking it as read for this review that I think Windows 8 tablets are a really good option for an IT professional who wants a single device that does everything.

I bought the Core i7 with 8G RAM and 256G disk space.  The memory is not expandable but it will take an SD card for extra storage.  It weighs 798g and has a 12 inch display running at 2160 x 1440.

In the picture below the Surface Pro 3 is in the middle with the Pro 2 to its left and the original RT to its right.


I have to say from initial perceptions this has to be the nicest device I have ever used.

All the Surfaces I have used have had nice displays and decent touch screens – but this one is by far the best.  I’m heavily reliant on using an attached monitor – particularly for report writing, and I’ve struggled slightly with having the Pro 2’s 10 inch display as a secondary screen – it is really a bit small to use next to a desktop monitor.  The extra 2 inches of the Pro 3 really make a difference (so size does matter).  The slightly different form factor and large screen makes it brilliant for reading a pdf or an ebook of a technical document – it renders a whole page from the book on a single screen in one column.

The screen is bright, with good contrast and easy to read – it is also very smooth and responsive to touch.  The only disadvantage is that (like all panels of this type) it is hard to use in bright sunlight as it is pretty reflective.

The battery life seems to be about nine hours of medium use.

Having read some of the very detailed performance reviews of the Surface from the US tech sites – I decided to do some basic performance testing of my own.  I used Passmark Performance Test 8.0 for this – it runs a suite of tests against CPU, memory, disk, graphics etc.  The other machines tested were as follows:-

Surface Pro 2 – last year’s model. Core i5-4200U @ 1.6GHz, 8G RAM.  Touch screen.

Laptop 1 – old-school power laptop – weight 2.6kg. Core i7-4800MQ @ 2.70GHz, 16G RAM.  No touch screen.

Laptop 2 – smaller laptop – weight 1.6kg.  Core i7-4600U @ 2.1GHz 16G RAM.  No touch screen.

Desktop – Gigabyte mini PC – Core i7-4500U @ 1.8GHz, 16G RAM.  No screen or keyboard built in – so not an option for travelling.

Tablet – weight 320g – Atom CPU 1.33 GHz 1G RAM.  Touch screen.

I also wanted to include the Apple MacBook Air in my benchmarks, but unfortunately the testing software is Windows only, and my partner reneged on letting me upgrade it for him 🙂.

The results are pretty much what I expected.  Laptop1 with its huge weight and large chassis for cooling fans can run a full-fat processor and pretty much kicks the others in raw performance.  Laptop2 and the Surface Pro 3 are almost identical performance-wise, except that Laptop2 has a very expensive high-end SSD (bought separately) in it, so it scores exceptionally well on disk.  Neither of the two other laptops has a touch screen.  So from a performance perspective a lot would depend on whether you need the raw performance of Laptop1 – the only thing I can think of which you would really need this for as a tester would be password cracking when you are on site. For me the light weight and touch screen of the Surface win out over the other two every time – particularly as I am largely an application tester.  For interest (because it isn’t a fair comparison) the Surface Pro 2 scored 1500 on the same test, and the Tablet scored 400 – it is to its credit that it managed to run the software at all.  Here are the results in graphical form.


A few other features I like about the Pro 3 compared to its predecessors.

a)  It is much thinner and more elegant than the Pro 1 and Pro 2 and has lost their slightly clunky feel.

b) The power cord fits into the machine easily without having to fiddle about with it.  The fact that it isn’t backward compatible with the other two is a small price to pay for this, because the connector was definitely a weakness of the original design.

c) The built in trackpad on the keyboard is about 1000% better – actually a pleasure to use.

d) There is a mechanism to lock the keyboard into place by snapping it up towards the screen.  This makes the unit a great deal more stable for using it on your knees – and much more like a laptop with a fully rigid keyboard when used in this mode.

One small negative comment – more aimed at MS than the machine itself.  My pen is not working correctly (which is why I have not reviewed it).  I’m pretty sure this is because the two coin batteries in the top of the pen need replacing, as this is mentioned as the probable cause in the manual and matches all the symptoms.  It would be nice if someone had thought about including a couple of replacements with the pen, because this type of very small coin battery is not the sort of thing everyone has in their house, and it is a bit frustrating not to be able to try it out – particularly when you live right out in the wilds like we do.  So I will need to order some batteries and review the pen when I get them.

So in general, this seems to be a lovely machine.  I’ve bought four Surfaces in total (so far).  The original Surface RT was fine as a tablet (I still use it) but didn’t run proper Windows programs, so it was not that much use for testing.  The original Pro didn’t have a great battery life.  The Pro 2 was getting there but was a bit clunky, and the screen size and keyboard had distinct limitations which meant it was fine as a tablet, but a bit awkward as a laptop when taken out on site as the only machine you would be using for weeks at a time (I actually did this recently when I had an on-site engagement for two weeks – and it did start to become a bit of a strain on the eyes and fingers after a while).  At the moment the Pro 3 seems to me to press all the buttons as a tablet/laptop/desktop replacement that a tester could use.  It combines the ability to run all the testing tools you need, heavyweight IDEs like Visual Studio, and MS Office for those all-important reports.  It is lightweight, stylish and a pleasure to use.

Of course because I now have a super stylish machine with a silver chassis and a bright red keyboard which matches my Lumia 1020, I have come in for a whole load of flak from my partner about preferring style over substance.  But I can cope with this – I wouldn’t go back to having the kind of boring PC laptop with a bad display which was about the only thing available a few years ago.


The Tablet that Tests – cut-price version…

Last year I presented at Securi-Tay on using the (then) new Surface RT tablet as a platform for testing.  The substance behind it was that the iPad and Android tablets were fine to be used for consumption of content by end users – but were not too great as testing platforms because they just couldn’t run the tools we need as testers.

My conclusion at the time was that the Windows RT Surface went some way towards a ‘tablet that tests’ but couldn’t really hack it because, even when jailbroken, the number of apps which could run on it was restricted to things which could be recompiled for ARM using only those libraries exposed to the RT runtime.

So before I go any further with this – I have to say that I love the Surface RT as a concept – and I approve of a lot of the security measures built into it – but just last week I saw the device that will kill RT off.  It isn’t Android or iOS – ironically it is Windows 8.1 (the full-fat version).

So these are my requirements in a testing device (I mostly test applications but also do infrastructure tests).  I use lots of other software and tools but these are the absolute must haves…


Nessus (client end so just a web browser)

Burp (so Java required)

Word – for report writing

Aside from this – an absolute requirement for a tester’s machine is the ability to unrestrictedly install software, modify system settings etc. 

RT couldn’t supply most of those requirements but I just bought a tablet that could for less than £100.  The KingSing W8 tablet has these specs:

Intel Atom Bay Trail processor, 1GB of RAM, 16GB of storage, 1280 x 800 pixel IPS display with 5-point multitouch support, a 4500mAh battery, stereo speakers, a microSD card reader, 802.11n WiFi, Bluetooth 4.0.  The Windows license is free on this type of small device – so it has a full-fat version of Windows 8.1 on it.

I have to say I love this little tablet – in general the build quality is good, the screen is responsive, and although it doesn’t have a lot of local storage, I put a 32G SD card into it and tripled its capacity with no issues.  It runs nmap, gives me access to my Nessus server and has a proper Java environment so I can run Burp.  I’ve also installed MS Office with no problems.   It amazes me that something that weighs less than 500g can deliver this kind of access to software.  You can plug it into a full-sized monitor, attach a Bluetooth keyboard and mouse and you have a proper PC.  There are no fans, it runs very cool and the battery life seems pretty reasonable (more than eight hours anyway).

I suppose the obvious question is: can Linux (not talking Android – but a full-on OS with access to professional applications) be delivered on a similar spec of tablet at a similar price?  I’ll say ‘no’ at this stage because my experience of installing it on the Surface Pro was not a positive one (see my earlier review).  Also there is no Word for Linux, although the online version could be usable depending on the complexity of the template and any requirement for automation (I like my VBA for automation of reports).

Anyway this particular tablet is not without its disadvantages – 1G RAM is very light for Windows 8 and I wouldn’t want to work with that on a daily basis (or try Visual Studio on it).   Doubling the RAM would greatly improve it in that respect.  But for something which doesn’t weigh much more than my phone to be able to run all the programs a tester needs on a daily basis is quite remarkable.   I would happily stick this in my bag and go out for the day with the confidence that if I need to access my scans or answer a customer query I would be able to do this.

So congratulations to KingSing on having achieved this – and a somewhat backhanded compliment to Microsoft on having made an OS that delivers it.  I suspect that in the future Windows tablets will take a huge proportion of the marketplace because of their obvious advantages over Android and iOS – but I can’t see that those tablets will be running RT.


Lochgoilhead Gala Day

Since last year we have been based in Lochgoilhead which is a small village in rural Argyll. Today is gala day here, and ScotSTS have been happy to sponsor the event. I will be drawing the prizes down by the Loch this afternoon.

We consider ourselves privileged to be able to live and work in such a beautiful area, and we think that it is greatly beneficial to National Parks (we are in the Argyll Forest Park) that small consultancies like ours should be able to take advantage of improved technology and shifting work patterns to base themselves in areas where traditional economic activity tends to cause environmental damage. We can definitely see this being a theme over the next five years as improved internet connectivity moves testers and developers out of cities and into the countryside.

The benefits are on both sides so we are happy to help the community here and good luck with the gala day.



Rory and I just returned from OWASP AppSec EU where (for once) I was presenting but Rory wasn’t (as he was on the selection panel – though barred from reviewing my presentation!).

The quality of the talks was very high – though in my opinion there was rather too much of an emphasis on mobile this year. I know it is the exciting new area at the moment – but call me old-fashioned, I would personally have liked to see more stuff on traditional web security. Perhaps (as per a talk Rory did a year or so back) it is just that there is no point in saying any more about it because no one is fixing the existing problems. I particularly enjoyed Maty Simon on HTML 5, James Kettle on the Active Scan++ module for Burp and Jerry Hoff’s talk on mobile security.

We also heard Dr Richard Stallman talking about his views on ‘free’ software. I actually share more of his opinions than I would have thought – particularly around data privacy, although of course I do fundamentally disagree with him about proprietary software. I made a donation to his foundation and for a while I guess I may have been the only person in the world wearing a Microsoft T-Shirt with a GNU/Linux badge pinned on it. Anyway – I greatly respect him and his right to hold his views and I think he has stuck to his guns in a way that must cause him great personal inconvenience in the modern world.

Rory and I also attended the ‘Mobile Boot Camp Training’ as we were keen to expand Rory’s iOS and my Windows Phone knowledge into Android. It was a good course and we learnt a lot, but I have to say that the more I see of Android as a platform, the less I would be inclined to use it myself or to recommend it to others – particularly in an Enterprise environment. Be that as it may – we are now in the pretty rare position for a small consultancy of covering all the major mobile platforms.

My talk was an updated version of the Windows Store App presentation I did for Securi-Tay back in January. There is quite a lot of new material and I seem to have managed to remove some of the annoying mannerisms from my delivery. The main new feature is ‘Store Sheep’ which I have just launched as an OWASP project. This is going to be a training app along the lines of ‘WebGoat’ which introduces testers and developers to Windows Store Apps and shows how to find and fix security issues in them. It is very much in Alpha at the moment (code word for ‘I haven’t anything like finished writing it yet’) – but I will be posting about it here as I make progress on it.

Rory at AppSec EU

The picture is of Rory looking pensively at some Ruby code while we were enjoying an excellent breakfast at ‘Patisserie Valerie’.

Just one other quick plug for an attraction any geek would love. We went to the Centre for Computing History in Cambridge. They have hundreds of old computers in working order – check out Atic Atac on the Spectrum and ‘Flappy Bird’ for the ZX80. Also Altair 8800, Apple II etc. One of the best fun mornings I have had in a long time.


Web Application Testing Workshop

We did our Workshop on testing Web Applications at Scottish Ruby Conf today. This took place at Crieff Hydro and was targeted at Ruby developers and other people who are keen on the language. This is the fifth year of the conference and Rory has taken part in all of them.

The workshop was a bit like the one we did at BSides London last year – only where that one dealt with a sample infrastructure, this one covered how we go about testing a Web App – including an introduction to Burp and some sample exercises from OWASP ‘RailsGoat’ (a deliberately vulnerable Web App based on Ruby on Rails). We spent all day yesterday setting it up and cloning and testing 40 VMs. The VMs went on our new mini-server ‘Rhododendron’ and two laptops – we also had three Wi-Fi routers and sundry cables – so not as much stuff as last year but still a fair amount (the nice thing this year being that we could stick it all in the car boot).

We had done a fair bit of work to make sure that the whole Workshop would work offline because we have been to enough conference hotels to know that the wireless connection to the internet would really suck. This proved a challenge because late yesterday afternoon we noticed that the app uses the Google Chart API and it doesn’t work offline. Luckily Rory managed to hack that part of it out and we were good to go. We got up at six to arrive at Crieff nice and early – had a good breakfast and got set up in plenty of time. We had been warned plenty of people would turn up – and sure enough – we had nearly 40.

We were bang on the money about the hotel Wi-Fi and very glad we didn’t rely on it because it was very slow and caused issues in the other workshops we attended. Then our audience arrived (95% male and 95% Mac users – not necessarily the same people though!). Everything seemed to go very well and the majority of our demos worked. One thing I would take away from it is that if we do it again we need to go over the tool setup part more slowly and allow more time for showing people stuff – we tend to forget how complex these things are as we do them every day.

But we got about 3/4 of the examples done and we were able to show SQLi, XSS and command injection actually working – I think the real and immediate impact they have surprised some of the audience. Our presentation is attached to this post and includes some more general notes on Web Application testing. Some of the things we mentioned today:

– The Web Application Hacker’s Handbook, which we recommended
– OWASP Top 10
– RailsGoat (the sample app used)
– Sample XSS vectors

We are happy to answer any questions from attendees at the workshop – our addresses are on this site. Great conference, nice venue (shame about the wi-fi). Hope to be back next year.


Presentation from Conference

Open Source Responsibility

Unless you’ve been living under a rock for the last couple of days you will have noticed a bit of a kerfuffle about a vulnerability in OpenSSL. One of the more notable parts of this story has been the wide variety of large companies who have been seriously affected by the problem.

This led me to thinking about the fact that a lot of very large profitable corporations are essentially relying on software that they haven’t purchased and which, I doubt, many of them have good security assurance over.

* First question: how many billion-dollar companies rely on OpenSSL for secure communications?

* Second question: how many of those same companies have sponsored a security review of OpenSSL over the last two years?

Now I don’t know the exact answer to either of these questions, but I’m willing to wager that the first is a lot higher than the second.

The real question then becomes, should corporations who rely on open source software be taking an active part in ensuring the security of that software?

Well, I’m a security guy so obviously I say yes 🙂. It seems obvious that if you rely on something you have an interest in the quality of that software…

House of Cards

I was reading this post and I was thinking that this is another good example of the general theme in a lot of modern business and security.

People often neglect some of the “plumbing” of their website and don’t realise quite how important it is to their site’s security. In the linked example it was DNS. An attacker was able to get control of the site’s domain name and then essentially controlled the site. That’s one way of pulling it off but there are others.

Good examples of services which are often overlooked but are critical:

– Hosting services. If you use a VPS or the like and the hosting service is compromised then the attackers can likely get access to your servers too. A good example of this was the Linode hack in 2013. There the attackers didn’t even have Linode as a primary target; they were after one specific customer.
– DNS providers. If the attacker can control your DNS, they can redirect mail, carry out MITM attacks on web sites, and basically make a right mess of your system. Hacks on DNS providers (either by social engineering or directly) are a common theme in stories of compromise.
– E-Mail providers. Might not seem as critical, but how are most password resets done… by E-Mail. If the attacker owns your e-mail service they can usually trigger password resets for other things like DNS or hosting.

So what makes me say these things are “neglected”? Well look at the market and it’s pretty obvious. In a lot of cases the successful providers in these areas are the cheapest/easiest to use, not the most secure. Of course there’s the usual security problem of a “market for lemons” in that all providers will say that they’re secure but I’d still recommend that if you have a system that’s important to you (and that’s true for an increasing number of companies who do business primarily on-line), then spending some time trying to find high quality “plumbing” will pay off in the long run.
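One practical way to stop neglecting the plumbing is to write down what your NS, MX and A records are supposed to be and check the live zone against that baseline on a schedule, since a changed delegation or a new MX record is exactly what the DNS and e-mail takeovers above look like from the outside. The Python below is an added example for this post, not code from the original or from any provider mentioned; the domain names, name servers and addresses in it are constructed sample data, and the `diff_records` and `severity` functions are my own names. In practice the observed record sets would be gathered with a resolver query (for example `dig`) and fed in instead of the constructed `OBSERVED_HIJACKED` set.

```python
"""Baseline drift check for DNS 'plumbing' records (NS, MX, A).

Added example for this post, not code from the original. The domain, name
servers and addresses below are constructed sample data; in practice the
'observed' record sets would come from a scheduled resolver query and the
baseline from the records you set when you configured the zone.
"""
from typing import Dict, List, Set

RecordSet = Dict[str, Set[str]]  # record type -> set of record values

# Constructed known-good baseline for a hypothetical domain.
BASELINE: RecordSet = {
    "NS": {"ns1.example-dns.net.", "ns2.example-dns.net."},
    "MX": {"10 mail.example.com."},
    "A": {"203.0.113.10"},  # TEST-NET-3 documentation address
}

# Constructed observation simulating a hijacked zone: the delegation now
# points at name servers we do not control, and an extra MX record has
# appeared that would let someone intercept mail (and so password resets).
OBSERVED_HIJACKED: RecordSet = {
    "NS": {"ns1.attacker-dns.example.", "ns2.attacker-dns.example."},
    "MX": {"10 mail.example.com.", "5 relay.attacker.example."},
    "A": {"203.0.113.10"},
}


def _norm(values: Set[str]) -> Set[str]:
    # DNS names are case-insensitive and may or may not carry a trailing dot,
    # so compare in lower case without the dot to avoid false alarms.
    return {v.strip().lower().rstrip(".") for v in values}


def diff_records(baseline: RecordSet, observed: RecordSet) -> List[str]:
    """Return one finding per record value that is missing from, or
    unexpectedly present in, the observed zone compared with the baseline."""
    findings: List[str] = []
    for rtype in sorted(set(baseline) | set(observed)):
        expected = _norm(baseline.get(rtype, set()))
        seen = _norm(observed.get(rtype, set()))
        for value in sorted(expected - seen):
            findings.append(f"{rtype}: expected record missing: {value}")
        for value in sorted(seen - expected):
            findings.append(f"{rtype}: unexpected record present: {value}")
    return findings


def severity(findings: List[str]) -> str:
    """Rank drift by what it hands over: NS drift gives away the whole zone,
    MX drift redirects mail (and password resets), A drift redirects the
    web site itself."""
    if any(f.startswith("NS:") for f in findings):
        return "critical"
    if any(f.startswith("MX:") for f in findings):
        return "high"
    if findings:
        return "medium"
    return "ok"


if __name__ == "__main__":
    for name, observed in (("unchanged", BASELINE), ("hijacked", OBSERVED_HIJACKED)):
        drift = diff_records(BASELINE, observed)
        print(f"{name}: {severity(drift)}")
        for line in drift:
            print("  " + line)
```

Run on a schedule against the real zone, anything other than “ok” is worth a phone call to the provider the same day; the ranking deliberately puts NS changes first because once the delegation has moved every other record is under the attacker’s control anyway.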