Insights For Success

Strategy, Innovation, Leadership and Security

Bose QuietComfort 25 Review (QC-25)

GeneralEdward KiledjianComment
qc1.png

TL;DR: I have tested dozens of headphones over the last 12 months and the QuietComfort (QC-25) 25 is still the most comfortable headphone with excellent noise cancellation and good sound reproduction. 

Comparing the QC-25 to the QC-35

The QuietComfort 35 (QC-35) is the wireless bluetooth version of the QC-25. The QuietComfort 35 (QC-35) offers slightly better noise cancellation and a slightly different noise profile. If you need bluetooth (iphone 7 or iphone 7 Plus) then get the QC-35 otherwise I would recommend getting the cheaper QC-25.

Not for everyone

Noise cancellation headphones are not ideal for people that need noise-cancellation sometimes. Noise cancellation headphones are not a replacement for regular headphones. If you need good all around headphones then don't get this (or any other noise cancelling headphone) or you will be disappointed. 

The golden rule is that noise cancellation headphones add about $100-150 to the cost of headphones and typically deliver worse overall sound quality when compared to non noise-cancellation models. I can't stress that enough. 

Noise cancellation works extremely well for low frequency (machine style) sounds like train on a track or airplane engine noise. They don't work as well for higher frequency sounds like voices or crying babies on a plane.

If you only need noise reduction occasionally, then you may be better served by a good pair of sealed headphones. You would get better sound quality and would probably pay a lot less.

Who should buy the QC-25

I just wrote 4 paragraphs of who shouldn't buy the QuietComfort 25 (Qc-25). It is important to note that anyone who is a frequent traveler (plane or train) will definitely benefit from these headphones. By making your travel a little bit quieter, you will arrive less stressed and more refreshed.  

Quietcomfort 25 (QC-25) versus in-ear headphones

The best question I need to address is the eternal debate between these types of on-ear headphones and in-ear headphones. The truth is that there is no golden rule that is right for everyone.

Some people opt for in-ear headphones because they are smaller and lighter. Many people who wear glasses also prefer in-ear headphones because their frames may prevent the headphones from sealing properly this allowing the dreaded noise in.

Bose, likely due to owning several important noise-cancellation patents, currently makes our picks for the best over-ear and best in-ear noise-cancelling headphones. Which one should you choose? There’s no simple answer, as it depends on what you’re looking for.

The third reason I have found some travelers prefer in-ear headphones is that they find them better to sleep with on flights.

The fourth reason is that some people find that on-ear headphones make their ear hot after extended use. 

The fifth and final point is on noise cancellation for low frequency sound. From a sound quality, the Bose noise cancelling headphones (QC-30) tend to reduce low frequency noises a little more and offer some noise-isolation which makes things just a little bit quieter. Mid and high sound reproduction is always better with bigger headphones for the QC-25/QC-35 takes the crown here.

Additionally some people just can't stand having anything inserted into their ears. They find it annoying and bothersome. Obviously if you fall into this category, go with the QC-25/QC-35.

Conclusion

If you are looking for amazing sounding, super comfortable wired on-ear noise cancelling headphones then get this. The sound is good enough, it is comfortable (even on a long haul Toronto to Hong Kong flight) and it fits in a relatively smallish case for easy carry.

It offers good low frequency sound reproduction (40Hz or below) and the rest is a little muddied (which is normal for noise cancelling headphones). You can use the QuietComfort 25 even when the batteries die (which is a nice upgrade from previous models) but the sound is pretty bad but at least you aren't stranded witout entertainment. 

If you need bluetooth because you can't live with wires or your smartphone got rid of the headphone port (looking at you Apple), then go with the QuietComfort 35 (QC-35).

Review of encrypted email provider Protonmail

GeneralEdward KiledjianComment

Why would anyone use Protonmail instead of Gmail or Hotmail? SECURITY

Email is inherently insecure and if you are a political dissident whose online communications can mean the difference between living and dying, don't use email. For everyone else looking for an easy and secure email solution, keep reading about Protonmail.

Everyone needs to understand that SMTP was not designed to be secure and will always have security weaknesses.

We use email because we don't have a choice and everyone agrees it won't be displaced tomorrow.

The other major issue faced by secre service providers is ease of use. PGP is a good example of strong unbreakable email encryption that never became mainstream because it was simply too complicated for the mortal man. 

Absolute security is unpractical and will never gain widespread adoption so good security should be the goal for most services.

There is always a tradeoff between usability and security, The difficulty is finding the right balance.

So what does Protonmail offer?

The bright scientists behind Protonmail understand fine balance they must find between usability and security. Make the product too secure and no one will use it (aka bankruptcy) or make it extremely user friendly but not secure (become a me too email provider). 

They have chosen to implement good enough security which makes encryption generally accessible to the masses while protecting against unauthorized government seizure or mass surveillance.

What are the weaknesses of Protonmail?

Read my blog post about the Vault7 leaks (here) and you will realize that when government is stifled  by strong encryption (Whatsapp, Signal, etc), they compromise the endpoint and extract the information pre/post-encryption. 

Protonmail does not protect you if your endpoint is compromised. It would be unreasonable to assume any secure online service could protect you from this type of attack. if you want maximum endpoint security, learn about real security protocols and use a secure operating system like Qubes OS.

Nation state level man in the middle attack. Protonmail implements all of the controls to prevent a common man in the middle type of attack but a nation state actor with the ability to redirect your web traffic and generate real "fake" TLS certificates could theoretically intercept your traffic, ask you for your username/password then use those to access your account and decryption keys. Let's be clear that your garden variety hackers (even those that are extremely skilled) won't be able to pull this off. This would require skills, money and huge technical capabilities to reroute internet traffic and generate encryption certificates.

Intelligence break in. With all the talk about government backdoors, the third major weakness of Protonmail (and all other secure services products you did not write) is the fear that a nation-state actor would somehow infiltrate Protonmail and then implement "special" code that sends bad encryption code to the users thus allowing the threat actor to access unempted versions of the messages. Protonmail has stated that they have multiple controls in place to protect against this type of attack. They scan servers for unauthorized code changes.

Some nice features of Protonmail

Protonmail is a Swiss company based in Switzerland. Any government request for information would have to be done there using Swiss law, which is very protective of private information (USA cannot issue a National Security Letter to force the company to turn over information and hide the request from the user).

In the rare situation that a government were to spend the money and convince the Swiss court to compel Protonmail to turn over user information... Protonmail uses "Zero Access Cryptography" which means they do not hold the encryption keys and therefore can only turn over encrypted information. 

Protonmail supports (and you should use) 2-factor account authentication. This means that in addition to something you know (your username and password), you need something you have (a time based authentication code generated by an authentication app Google Authenticator or Authy.)

If you want to send something more secure than normal email to a non-Protonmail user, you can create a Protonmail hosted message that requires a password to open (obviously don't send the password using email) and can even have a fixed expiry date. 

Creating a password for the secure "hosted" email

Creating a password for the secure "hosted" email

Setting an expiry time for the message

Setting an expiry time for the message

Protonmail stores user based encrypted authentication logs. This means you can see when your account was logged into and from which IP address. You can turn this off it you don't want this captured. Protonmail does not capture or log your IP anywhere else.

 

The ProtonMail service has internal authentication logs. When I say internal, I mean that these details are available only to the account owner, and are recorded and encrypted with all the other data inside the account. As I mentioned earlier, Proton Technologies AG doesn’t log IP addresses, but this information can be logged inside your web client session. If you don’t need them, just wipe the logs and switch to basic mode which doesn’t record info on the IP addresses you logged in from.

Basic stores login dates / times only. Advanced also stores the IP Address from where you logged in. The choice is yours. You can always download this information or secure erase it.

No user profiling. When you use a free service, the provider is conducting deep analysis and creating a deep analysis about you. Protonmail doesn't do this since everything is encrypted.

They encrypt all non Protonmail emails received immediately upon ingestion. 

Emails that come from third party email providers obviously cannot be delivered with end-to-end encryption, but upon reaching our mail servers, we will encrypt them with the recipient’s public key before saving the messages. All this is done in memory so that by the time anything is permanently stored to disk, the email is already unreadable to us.

This is good for security but limits what they can do for SPAM control. In a blog post, they explain what they do to help fight SPAM:

  1. They check the IP address of the incoming SMTP server against known blacklists
  2. They pass all messages through their own Bayesian filter marking suspicious emails as SPAM
  3. They generate a checksum for each email message and verify this checksum against known SPAM messages
  4. They verify the authenticity of the email using standard protocols (SPF, DKIM and DMARC)

Sending secure emails to non Protonmail users

I alluded to this earlier but wanted to restate it here in it's own section since I would otherwise receive a dozen emails asking this question. 

Can secure emails be sent from Protonmail to non-Protonmail uers (Gmail, Hotmail, Outlook, etc)?

When sending emails to non-Protonmail users, you can:

  1. Send an un-encrypted standard email. This is what every other email provider does.
  2. You can use the lock icon in the compose window which asks for a password (See screenshot earlier in this post). In the case this is set, the recipient will receive a message with a link to a Protonmail web interface and he/she can use to  enter the provided message password and see the email. 
Notification non-Protonmail user receives

Notification non-Protonmail user receives

Password requested by non-Protonmail user.

Password requested by non-Protonmail user.

Free versus paid

Protonmail offers a free basic tier and I recommend everyone start with this level. If it meets your needs, you should consider upgrading to a paid tier which offers custom domains and more storage. 

Conclusion

I love Protonmail and am moving my private (not public) email address there. I like the security it provides and the open philosophy they espouse. I say use them if you want something more secure and private.

You may also want to read my article about SpiderOak. SpiderOak is a Google Drive, Microsoft OneDrive or Dropbox alternative with strong trust no one encryption.

Review of SpiderOak encrypted online storage

GeneralEdward KiledjianComment

Right or wrong, Edward Snowden has become the poster child for online privacy. He has been adamant that anyone interested in true online security should stay away from the name brand online services : Dropbox, Facebook, Google, etc.

Trust No One Security

Before we talk about SpiderOak, this is a good time to write about TNO (Trust No One Security model). This is a philosophy that dictates that anytime security is needed, strong encryption must be applied and the keys to that encryption must be kept in the hands of the user. 

As an example, anytime you conduct online transactions with your bank, you connection is encrypted using end-to-end encryption (TLS) but the keys are held by the bank and created by a certificate authority. Either of those 2 can therefore intercept and decrypt the traffic if they have malicious intent. 

In the TNO model, the provider does not hold the keys to the kingdom and cannot therefore decrypt or access the data in its native format. 

Anytime a provider has the capability of resetting your password, it means it is NOT TNO and it means the provider can access your data. If they can access your data, that means a hacker may also be able to compromise their systems and access your data.

What is SpiderOak?

Unless you are a techie or a security person, you probably haven't heard about SpiderOak. Short of rolling your own cloud service, SpiderOak is the most secure commercially available TNO cloud service around.

The key to the magical security they provide is that your client encrypts all of the data on your computer before being sent through the security hostile internet to SpiderOak. They cannot see the content and if you love you password (aka encryption key), you have to create a new account and restart from scratch.

So you get Dropbox, Google Drive and Microsoft OneDrive like features, without having to trust the provider. 

Why is TNO important?

Governments are becoming very hostile towards individual privacy. The Snowden leaks have shown that the secret FISA courts allow law enforcement to compel the turnover of user data without having the ability to notify them. With most cloud storage companies, this means they (or a hacker) can gain access to your data and then do with it whatever they want.

With SpiderOak's encryption model, they can turn over your encrypted data but they do not hold the decryption keys. The encryption is strong enough to make forced automated decryption unpractical. This means they would have to secure a court order and force you to hand over the decryption keys.

If a hacker does compromise the SpiderOak servers, the data is once again encrypted and therefore unusable by these bad actors. 

It also means they are not and cannot use your data to profile you. 

SpiderOak features

So you are convinced they offer the kind of security you want. What about features you say.

First and foremost, they offer automatic (on change) backups. This is a set and forget model that works in the background.  There is no file size limit. There is no file type restrictions. No bandwidth control or throttling on their end (some providers slow down your connection if you try backing up large amounts of files to protect the responsiveness of their service for their entire user population). 

It can backup mapped (external USB connected) drives. 

Any issues with SpiderOak?

Files are encrypted on your device and SpiderOak cannot access them unencrypted so they are unable to offer offline file delivery (sending you a hard drive with your files). 

Anytime my computer is disconnected for a while, Backblaze sends me alerts notifying me it hasn't been able to backup my files in XX days. SpiderOak has no such notification mechanism. They could implement this even with the TNO model.

During my testing, I simulated an unreliable WIFI connection to see how the client would react and eventually it hung. Even when the connection became stable and on for 8+ hours, the client stopped backing up. Rebooting didn't help. I was forced to uninstall the client, reinstall it and create a completely new backup set. This was a bit annoying. The doubly annoying issue was that support is only available through email. Support seems to be available during standard north american business hours and usually response takes 5-8 hours.

Another issue is that although they offer mobile clients (IOS and Android), those clients are read-only (aka you can't upload content). SpiderOak did say they are working to add this functionality but they didn't provide any timeline. "Currently, you are unable to upload documents using the Mobile Application. We are working on including this feature in a future release." (mobile info)

There is no way to identify a connection as "metered" and tell it not to backup using that connection (like a pay per use WIFI LTE hotspot).

Not a technical issue but the pricing is a bit more expensive than I would have hoped. I am willing to pay more for security but wish they offered more storage with each paid tier. 1TB of storage on Google and Dropbox costs $9.99 a month.

My experience

Overall my experience was good but not great. Because plans are capacity based, you can sync as many devices you want. Because everything is encrypted, there are no file type restrictions. 

Versioning worked well. They seem to use a bit level delta storage function which means you aren't consuming space for the entire file with every version.

SpiderOak provides tones of information about security. 

Files can only be permanently deleted from the original device they were uploaded from. This is a great feature.

You can right click on any folder (or file) in Windows explorer or the Mac finder and ask SpiderOak to back it up. Easy. 

You can download backed up files to any computer via the web interface.

Conclusion

There are small annoying things I would like them to solve but no major show stoppers. My biggest gripe is not being able to upload via mobile or Chromebook. I really wish they would solve this. 

Outside of that, I like everything else I have seen and think they should be your go to provider for safe and secure online storage.

Related articles:

  • Bruce Schnier on TNO here
  • Steve Gibson on TNO here.

Why you need a Glo-toob LED powered Glow Stick

GeneralEdward KiledjianComment

Each year, I test hundreds of new and different items that compete to find a place in my everyday carry kit (EDC). To be clear, my EDC is build for the urban environment and not wilderness survival. 

4 years ago, I tested and fell in love with the Glo-toob lights and it has been part of my kit ever since. I just realized I have never written about it an wanted to share it with you. 

Why not use a cheap glow stick?

Anyone that is building a serious EDC kit knows that you need redundancy. My main everyday carry (EDC) flashlight is the OLight S15R baton with a rechargeable battery. My secondary flashlight is the Ti3 by thrunite (which uses easy to find AAA batteries). there are times when you need a glow stick type of light and for those times, I rely on the Glo-Toob.

Why not use a cheap $5 glow stick? The typical (even high quality) glow stick or Chemical light stick is first and foremost not environmentally friendly (it is disposable and an environmental pollutant). Anyone that has carried them knows that they leak (which also means it won't work when you need it). Plus once you activate it, that's it.

Most of the time, I need it for 5 minutes, 60 minutes or even 180 minutes but that's it. With a chemical glow stick, once you activate it, it's end of life. 

Why I chose the Glo-Toob

I knew I wanted something else as my everyday carry glow stick alternative, but it took several tries until I found the Glo-toob.

First thing you notice is the solid construction (it can withstand the rigors of constant travel and being bumped in a pocket, bag or briefcase). It's waterproof to 200 feet (60 meters). I have taken it night scuba diving to 135ft and have never had issues but it's most common use is in rain or snow and it has worked flawlessly.

It is a small rounded cylinder which means it is small enough for everyday carry. This is something you overlook until you start carrying it all the time. Small and light are critical and the Glo-toob is 10/10 on both points (weights 34g with the battery).

It can be powered with different types of batteries (depending on the model) but I chose the AAA powered one (Original GT-AAA). As I travel and carry this with me, I need to know that I can buy the required power source for my gadgets easily and AAA batteries are available in every street corner anywhere in the world.

The last point was that it had to provide a 360 degree stream of light (similar to a glow stick), which it does. 

Using it

I own 2 GT-AAAs: one with a white LED and one red a one. It has 3 modes (you activate by twisting the cap on and off) high intensity (100%), low intensity (25%) and rapid strobe. Other models offer up to 11 modes and I saw a Chinese competitor with 21 modes but... and the but here is that simple is better. If I need to use this in an emergency, I don't want to fiddle with my EDC gear. By having only 3 modes, choosing the right one is simple.

In low power mode, it is a great long lasting marker light that you can strap on a dog collar or backpack. In high powered mode, it is a great emergency light (during a power outage) or a light you can give the kids without worrying about it breaking.

I have used it while camping to mark our campsite. I have used it when I had to stop on the side of a busy highway at night as a safety beacon. I have used it as a market when canoeing at night. I have used it during power outages and once when  I was stuck in a stopped elevator.

I have used it in high powered mode for about 6-7 hours (with a single AAA battery).

Negative comments

When working on a review, I scour the internet looking for comments (positive or negative) from other users. In this case, I saw a handful of comments touching similar points and I wanted to address these ones:

  • disappointed by the amount of light : this is not a flashlight replacement. If you buy it thinking it is you will obviously be disappointed. This is a replacement for a chemical glow stick.
  • leaked during a dive : With over 85 dives under my belt, I can tell you that I have lived through all kinds of equipment failure at depth. That's one of the reasons everything is done in twos. You never dive alone, you have 2 regulators, etc. Anytime you are in a remote location (whether on land or in the water), you need backups for all your primary systems. Failures happen either because the gear is defective, improperly maintained or improperly used. 
  • worked only a couple of times : I have 2 of these lights and other friends have bought them after testing my units. My units have been in my EDC kit for 4 years now and even after diving, camping and being abused in torrential rain and deep snow, they perform flawlessly. Of the 10 or so units owned by friends and acquaintances, none have failed. It's important to realize that any electronic product can fail and buying it from a reputable reseller (like Amazon) means you have someone to contact if you do need a warranty replacement. 

The Chinese knockoffs

Search AliExpress.com for Glo-toob, EDC warning light or a combination of these types of keywords and you will find hundreds of listings selling these types of tubular lights. I ordered 3 of them ranging from 8.99-14.99 and most ended up being branded EDCGear. 

These are cheap knockoffs and you can feel it immediately. The plastic is light and flimsy. The units have cheap O-rings and none of them lasted more than a couple of uses. The light quality wasn't as good. Build and construction weren't as good and all 3 died immediately when I performed the sink dunking water test (even though they were marketed as waterproof). 

Sometimes the Chinese versions as just as good but this is not one of them. Save yourself the frustration and buy the original from a retailer that will stand behind the warranty.

Conclusion

Priced at around 4-5 times the price of a high quality chemical glow stick, these Glo-toobs are a great investment and will quickly become part of your EDC, camping and survival gear. I love them and recommend them.

Encryption isn't just for terrorists

GeneralEdward KiledjianComment
lock4644654654.jpg

It seems every time there is a terrorist attack, governments around the world use it as an opportunity to chip away at encryption. The latest attack was the UK Home secretary, Amber Rudd, who called WhatsApp's end-to-end encryption "completely unacceptable". She then adds that there should be “no hiding place for terrorists”.

Encryption is publicly known mathematics and there is no way to put the "cat back in the bag". If encryption is banned for law abiding Joe and Jane public, it makes everyone less safe but terrorists will simply use their resources and public encryption libraries to write their own encrypted programs and do their evil work. 

Minister Rudd's comments are the clearly from someone that doesn't understand the technology and how it is the fundamental underpinning of our entire technological society. Anytime you perform online banking, file your taxes with the government online or request a government service, you are using an encrypted channel of communication called TLS. It is the technology that makes using sensitive services on the internet possible. 

Banning encryption would mean no more online shopping, banking or anything else that requires privacy. So banning would not be accepted by our always online generation.

Government would counter this argument by saying they "simply" want a back door and not a ban on encryption. A backdoor would allow intelligence and police to more easily perform investigations while keeping general encryption alive. 

As a security professional, let me be clear that this is simply not possible. The minute a backdoor is implemented, it becomes a vulnerability that threat actors would attempt to find and exploit (organized crime, nation-state actors, foreign rogue governments, etc).If the Snowden and Vault7 leaks have shown us anything, it is that even government has issues keeping secrets. The reason encryption works is that it is based on mathematics and remains perfectly secure even though all the protocols, formula and applications are well know. 

Creating a backdoor for the good guys means you are also creating it for the bad guys. 

The Vault7 leak showed that governments have already solved the Whatsapp encryption issue by hacking the end device. When hacked, government can see pre/post encryption messages and therefore they are able to get the information they need. Yes it requires more work but every job has its challenges. This would bypass the encryption of Signal, Whatsapp or any other encrypted communicator.

Terrorism is a bad thing that affects as all. It is the worst of humanity being manifested because of hatred and misunderstanding of one another. Politicians are targeting encryption because it is the easy target but it isn't the right one.

As a geeky security professional, I will always be able to protect myself by rolling my own encryption, but the general population won't. Considering everything about us can now easily be stolen from our smartphone, I'm worried about any weakening of encryption. Just think about everything stored on your device (location history, contacts, social networks, where you have been and what you have done, health information, etc) and how you would feel if someone had access to all of it without your knowledge. 

We need technically knowledgeable politicians that will fight the good fight (against terrorism) without trying to neuter good wholesome public protecting technologies. It's like saying we will ban pools because there were 3,536 fatal non-boat related drownings in 2015 (there are over 8M pools public and private in the USA). We can't let a small batch of rotten apples contaminate the entire batch of cider.