Insights For Success

Strategy, Innovation, Leadership and Security

My history with mobile gadgets

GeneralEdward KiledjianComment
alejandro-escamilla-9.jpg

I've been involved in technology for a long time and bought my first real personal digital assistant (PDA) in 1997. It was an Apple Computers MessagePad (Newton) 130, and it was a thing of beauty. It had handwriting recognition, an external keyboard attachment and fueled my geek dreams about what wondrous technologies the future would bring.

Along the way, I owned hundreds of devices including Palm pilots, Treos, Handspring devices, Nokias and almost every other portable gadget in between.

As you can imagine, I also bought the first iPhone and almost every one since (in the last ten years). Every time I watched an Apple keynote, I was like a kid in a candy store. I starred at the presentation anxiously waiting to see what amazing new technologies Apple would bring into my life. Apple didn't invent most of that tech, but it usually made it usable and practical.

Then Steve passed away, and many were worried whether Apple had lost its mojo. Fans defended the Cupertino giant, but we started to see some cracks forming in its otherwise perfect and shining armor. Tech reviewers what would never have dared to challenge the superiority of the big Apple began to ask difficult questions.

For the past five years, I have been carrying both Android and IOS smartphones, but the iPhone has always been my primary daily driver. September 2017, was time for me to upgrade my "primary driver" from an iPhone  6s Plus + an iPhone 7 (yes I have both). I watched the keynote and was dumbfounded by the iPhone X. It was a beautiful piece of kit but had a screen smaller than the plus models and a price tag of $1500CAD. The camera wasn't materially better than the one in the iPhone 8 Plus. The only new "thing" it brought to the table was the FaceID sensor, an OLED screen, and smaller bezels.  

Apple technology innovation

Surely I had missed something. A ~$400 price increase had to bring something new and revolutionary? But it didn't. Having been a gadget geek for the last 25+ years, I knew perfectly well that previous devices  contained technology Apple commercialized many years later:

  • wireless charging (HTC Droid DNA in 2012 - Apple in 2017)
  • dual rear cameras (HTC One M8 in April 2014 - Apple 2016)
  • OLED screen (Nokia N85 in October 2008 - Apple in 2017)
  • Fingerprint scanner ( Motorola ATRIX 4G in March 2011 - Apple 2013)

Apple made many of these technologies better but by the time it included it, Android devices at half the price of an iPhone had them built in.

Apple has been a significant force pushing smartphone manufacturers to make safer, more secure devices and operating systems. This has been a clear win for consumers. Good healthy competition is good for the marketplace.

Is the iPhone more secure than an Android device?

Technologically yes. Apple's IOS is designed with strict application controls to protect user information. Its hardware (e,g, the secure enclave) is a thing of beauty and incredibly well designed to protect your biometric and financial information.

In the real world, for the average consumer that is not being targeted by skilled blackhat hackers or nation-state threat actors, both can be made equally safe with minimal handling precautions.

Not in my walled garden

A couple of months ago, Apple made headlines when it blocked all VPN apps from its China app store. This decision was made to comply with local laws, and Apple had no choice. The problem arises when you realize that Apple doesn't have a mechanism for users to sideload apps onto its devices.

Sideloading apps is a risk because it could be an attack vector, but shouldn't the user be able to accept the risk and perform their desired action on an $800-1000 device?

This had a chilling effect on some activists in China, but the same model of application category control could be applied to anything else in any other country (e.g., a country can outlaw social media or dating apps, etc.).

Time to switch?

Apple's latest financial results show that the company is doing smashingly well. They are selling record numbers of mobile devices, and their cash horde is only getting larger. Any talk about its demise is greatly exaggerated.

There is, however, a growing number of users, who were once ardent fans gobbling up all Apple branded tech, as fast as the company could release them, that are now looking at alternatives. I am amongst this group. My decision to switch isn't based on the cost of the device,  but on the more advanced Artifical intelligence features like the built-in assistant.


Android Auto versus Apple CarPlay

My latest car can support both platforms, but anyone that has used Apple Maps will tell you, it sucks. I can't tell you how many times it has navigated me into a major traffic jam or has taken me 20 minutes in the wrong direction. Apple doesn't like competition and would rather offer a sub-par experience to its users and maintain control.

On Android Auto, I can use other mapping apps, but on the iPhone, you can only use Apple Maps.

On Android Auto, you can choose which music app is your default and voice control it. On Apple, you can only voice control Apple Music.

And this is an example of the user-hostile behavior exhibited by Apple. Not only does it block competition, forcing you into inferior apps, but it isn't even improving the core interaction mechanisms of Car Play: the visual interface and SIRI.

SIRI the terrible


Most iPhone users from teenagers to CEOs use Siri a couple of times at first, then give up. I had hoped that Apple would update Siri's capabilities with IOS 11 (particularly with the expected December release of the Siri powered home speaker system, the HomePod). Surely Apple would impress us with massive gains in understanding and capabilities. Nope. Nothing.

While the Amazon Echo and Google Assistant improve every month, Apple hasn't developed Siri in years. It feels like Amazon and Google are working in internet time while Apple is working ... To be honest, I don't even think they are working on Siri. I say that facetious. I know they are working on Siri, but until users benefit from that work, it is useless.

The big data problem

I work in security and understand that absolute security is the enemy of usability. An absolutely secure system is not usable.
In the enterprise space, we are continually struggling to find the right balance between security and usability.

It feels Apple has taken a more security-focused approach and is willing to sacrifice modern functionality.

Any modern deep learning expert (aka neural networking that powers smart assistants) will tell you that the key to success is having vast amounts of ingestible data. Apple doesn't have this type of data because of it is privileging user privacy, whereas Google and Amazon do. Where Apple's image search can show you a dog, Google's can find the chihuahua on a beach eating a hotdog.

Siri is a parlour trick you get tired of after a day or two. Google Assistant will become a real time saver and thus will become something you will likely come back to over and over.

The latest and greatest thinking in machine learning from Geoffrey Hinton may eventually be beneficial for Apple. It is called Capsule Theory and is a new way of developing machine learning models that require much less data, but this is still early day research.

Conclusion

As I search for my next daily driver, I am testing a handful of new Android smartphones that I will review shortly on my blog. First-up will be a review of the Samsung Note 8. I won't be discussing the specifications but looking at it from the viewpoint of an iPhone user considering the switch.

I am hoping to also get my hands on a Mate 10 Pro, Pixel 2 XL and the ONePlus 5T.

Essential now has an Android 8 Oreo beta porogram

GeneralEdward KiledjianComment
A1_Photo.PNG

Android 8 Oreo is the next thing for Android devices and everybody is working hard to bring it to their phones. Now Essential has implemented a special Oreo beta program for owners of its beautiful Essential Phone. Where Samsung allows you to install the Oreo beta (on the S8 and S8 Plus) via OTA update, Essential will force you to use ADB.

Essential does provide clear instructions but this can be seen as a natural filter that disqualifies anyone that doesn't really understand how Android works or understand what a beta is.

You will find, using the above link, a build for NM181C (for Sprint and Telus) and NMJ32F (for the other carriers)

Warning !

Remember this is a beta and you will experience issues and bugs. Known bugs already include: high battery drain, Android Auto issues and app instability.

OPSEC - Introduction to Malware

GeneralEdward KiledjianComment
hacked-1734197_1920.jpg

What is malware

Malware is shorthand for Malicious Software and has been around almost from the start of computing. Its main purpose is to harm the computer or the user. Malware has been known to steal login credentials, monitor the user, tamper with information (breaking integrity), steal information or just making the system unusable. 

Malware can be designed by a nefarious teenager in his mother's basement looking to make a name for himself or by a state-sponsored threat actor against activists or journalists.

How can I tell if my computer is infected

The first rule of thumb is to use the Antivirus product that came with your operating system. As an example, all modern Windows systems are shipped with a self-updating antivirus supported by Microsoft. Third party products have been known to cause issues (here, here, etc).

To be transparent, antivirus will detect standard run of the mill type of malware but anything more sophisticated will easily get through. Larger companies with well-funded security teams typically eschew antivirus for more advanced malware detection tools based on a series of technologies like application behaviour monitoring, machine learning, artificial intelligence and system baselining. Unfortunately, these are not yet available for small operations but expect them to eventually make their way there.

So the question of detecting malware on your computer is a difficult one and often requires a highly skilled technician with precise tools that knows what he/she is looking for.  At the very least, use the tools available to you now:

warning I received when someone in Sao Paulo tried to log into my Lastpass account.

warning I received when someone in Sao Paulo tried to log into my Lastpass account.

  • Sign up for services that offer 2-factor authentication (so malware can't log into your account by simply stealing a password) and that will notify you of unusual behaviour (Google, LastPass, etc). 
  • Notice subtle indicators. Pay attention to your computer and look for subtle inconsistencies. Does your webcam light turn on when you are not using it? Does it look like you sent an email you don't remember sending? Does an online service show a login time you know you weren't working?  Pay attention to subtle cues.

How did I get infected?

The most common technique used by threat actors is to trick the user into installing malware pretending to be something else. It can pretend to be a system update. It can pretend to be a holiday card from a family member. It can pretend to be a work file from your boss. It can be a drive-by download where your system is exploited simply by being vulnerable and you visiting a carefully crafted webpage. 

  • Link to a malware site can be disguised as a link to a popular internet site (Apple, Amazon, Microsoft), shared content (a document, holiday card, music file, etc) or a fake system update (flash update, etc).
  • You may be targetted via email. It is common for highly skilled threat actors to compromise the systems of people you trust and use that trust to trick you into running malware, visiting a malware site or performing an action you otherwise would not. Remeber that these are often highly skilled practitioners that understand human psychology and will exploit it as needed. This includes chat apps, email, messages on forums, web pages, etc.
  • You can get infected by connecting purpose-built attack hardware to your computer. We have devices that look normal (like the USB Rubber Ducky from Hak5) but that can run attack code without your knowledge as soon as they are connected to your computer. 
  • Someone can gain physical access to your computer and plant malware without your knowledge. In security we consider it game over if anyone has access to your equipment, This is why companies spend large sums of money physically protecting their servers in isolated access controlled cages inside heavily guarded and secured datacenters. 

The more valuable you are as a target the less likely you are to notice the attack. 

How can I protect myself from malware?

  • Make sure you are running legally registered versions of all the products you use daily. Using legal versions entitles you to the latest updates and every security person will recommend keeping all of your software and operating systems updates regularly. Threat actors will often exploit vulnerabilities that have been patched (aka if you update you are protected). 
  • Only install the software you absolutely need. Remember that every software is a potential attack vector. Install only what you need and only download it from the manufacturer never from a download site like CNET, Download.com, etc (to prevent supply chain attacks like CCleaner.) Many of these download sites make money by bundling garbage apps that get silently installed and these can also be used to attack you.
  • Remember that anything you open or click on can compromise your security. Call a sender before opening a file. Download and scan it first with something like VirusTotal before opening it. Never click on links in email or instant messaging. Always go to the URL yourself (obfuscating a malicious link to look 'good' is easy). If you use Gmail, open questionable attachments in Google docs or sheets as this will often strip the malicious content.
  • Remember that one second of forgetfulness is all it takes. Be extra vigilant when browsing the web. Never run anything on the web. Always know that the web can be faked. Even known sites can be compromised and used to inject malware.
  • When travelling to high-risk areas, I usually travel with a Google Chromebook. It auto updates itself. There are very few known attacks against it. Chromebooks have a feature called Powerwash that factory resets the device image to "like new" within 2 minutes. Often times I will powerwash my device before performing sensitive tasks. Also, data is stored in the Google cloud. Regardless of how you feel about their privacy policies, they have proven to be excellent at protecting their users from targeted attacks. Make sure you turn on 2-factor authentication.
  • Turn off your computer and unplug it from a physical network when not in use.

What can I do if I am infected?

  • The first rule is that if you are infected or even suspect that you are infected, forget about cleaning your device and have it completely reinstalled from scratch using known clean installation media. 
  • If you are infected, immediately unplug your computer from the internet (ethernet or WIFI) and shut down your computer.
  • Use a known clean computer to log into your web services and change all your passwords immediately.  
  • If one of your devices is compromised, and you are a high target, assume all your other devices could be compromised and reinstall everything from scratch including your smartphone.
  • If you have support from a government agency, reach out to them and ask them for support. If you are a journalist or activist, reach out to one of the public security support organizations like the Toronto Citizen Lab
  • If you know when you were infected, make sure you restore files from a date prior to the infection. It is critically important to use a backup service that provides version control (e.g. blackblaze version control). 

Google's FilesGo File Manager cleaner is now available as beta

GeneralEdward KiledjianComment
FilesGo1.PNG

TL;DR : Go here and download this app (while it's available).

Earlier this week, we saw FileGo leak on the Google Play Store but it was quickly taken down. FileGo is specifically built to help users (even novices) manage and clean files from their devices (duplicate photos, application cache files, etc).

FileGo also contains a function (similar to Apple's AirDrop) that allows Android users within close proximity to transfer files to each other. 

FilesGo is still beta software (aka it could still have bugs) but in my testing has been reasonably reliable and hasn't crashed yet (tested on a Nexus 6P and Note 8). 

Keep in mind that Google can change user eligibility once the app is officially released (may be limited to Android One users or restricted to certain regions) but right now it seems to be available to all users globally.

Essential phone get's another $50 price drop at BestBuy

GeneralEdward KiledjianComment
EssentialBB1.PNG

I wrote a short article about the merits and issues with the Essential phone here. I wrote that review because dozens of readers wanted to know if the phone was worth it at its newly reduce $499 price. 

Another day and another discount for the struggling Essential phone. Now BestBuy is kicking in another $50 off (bringing the price to $449.99).

For $449, you can buy a beautiful unlocked Android smartphone with the latest specs including:

  • Snapdragon 835
  • 4GB of RAM
  • 128GB of storage
  • Dual cameras

If you read my review, there are some shortcomings but at $449, it is hard to complain. You are getting alot of phone for very little money.