Insights For Success

Strategy, Innovation, Leadership and Security

technology

10 cent apps in the Google Play Store

technology | Edward Kiledjian

Google Play's birthday is fast approaching, which may be why we have started seeing a handful of apps already priced at $0.10.

Right now there are only a handful, but more should be added shortly.

  • RunTastic Running Pro (link)
  • Runtastic Sit-Ups PRO Trainer (link)
  • Facetune (link)

If you were thinking about these apps, now is a good time to jump on them. If you see other apps, please post a comment below.

The Bose QC25 are the best noise cancelling headphones money can buy

technology | Edward Kiledjian

I want to start off this review by clearly stating that I am not a Bose fanboy. I don't automatically recommend all of their products just because they carry the Bose name. I tested 19 headphones for this review.

Noise cancelling headphones are the only options for frequent travellers looking for a small oasis in an otherwise jungle of airports, taxis and urban sprawl. When I recommend a pair of noise cancelling headphones, it is a job I take very seriously. Having said all of this, the Bose QC25 noise cancelling headphones are the best choice for any frequent user of planes or trains, or any urban dweller looking to create a little oasis of silence. Let me be clear, these aren't reference headphones that perfectly reproduce music but are good sounding headphones with amazing noise cancellation. This is an important distinction to make sure you are not disappointed.

When I tested noise cancelling headphones, I wanted something that worked well, that was light/comfortable and that can be easily stowed away when not in use. 

How does the QC25 compare to the QC15?

The first question I asked the Bose clerk was to enumerate the difference between the new Bose QC25 and the older QC15. After several minutes of verbal diarrhea it became clear he didn't know what he was talking about. For those wondering what the differences are, here you go:

  • Bose QC15 have been discontinued and quickly sold from the channel
  • The QC25 can play music even when the noise cancelling mechanism is turned off or when your battery dies
  • The QC25 has a marginally improved noise cancellation profile (but nothing too dramatic)
  • The QC25 has slightly livelier mids and lows

Those are the main differences. If you already own a pair of QC15s, don't even think about upgrading. 

What's a lower cost alternative to the QC25?

Many of my readers email me asking for a recommendation cheaper than the Bose. If you want something cheaper (understanding the sound quality won't be as good and the noise quality is also inferior) then look at the Audio-Technica ATH-ANC7b.

I own a pair of these and find that the band is slightly too small for my medium head. I find it just doesn't sit comfortably on my head and it bothers me. But for the price (almost half the price of the Bose), you get a decent bang for your buck.

Disclaimer about noise cancelling headphones

I know a handful of readers that purchased the QC15 and were disappointed because they didn't understand the real usefulness (or lack thereof) of these types of headphones. Noise cancellation headphones work by listening to your environment and then adding a negative sound pattern in your ear to cancel out the external noise. They work very well for continuous low mechanical sounds (like train sounds, airplane engines, air conditioners, fans, etc).

They don't work so well for higher-pitched, non-repetitive sounds like screaming co-workers or crying babies. They will still reduce the intensity of those sounds but buying a $300 pair of headphones can't be justified for them.

If you want good headphones and will occasionally (read rarely) use the noise cancellation functionality then noise cancelling headphones aren't for you. You would be better served with lower cost but higher quality closed-back over-the-ear headphones.

What about in ear noise isolating headphones?

I am a big fan of in-ear noise isolating headphones and my 2 favourite headphones right now are the:

  • Ultimate Ears Triple-FI 10 
  • Etymotic ER-4 microPro (I love these)
  • Etymotic hf5

The Etymotic ER-4 microPro offer amazing sound reproduction and fantastic noise isolation (35-42 dB). I find that the noise reduction powers of the ER-4 are better than the Bose but this requires that I jam the earphones deep into my ear canal.

This jamming of the earphones doesn't bother me but many, many people I know just can't stand it. For these people the Bose is the better option.

Back to the QC25

I had a chance to compare the QC25 to the older Bose QC15 and the QC20 in-ear noise cancelling headphones. The QC25 just sounds cleaner, better and more engaging.

The QC25 is also lighter and more comfortable than the 2 others.

If you are ok shoving an in-ear earphone into your ear canal, the Etymotic ER-4 is another option that has better sound, is smaller and lighter.  

In conclusion, the QC25 is the best on-ear noise cancelling headphone you can buy.

The internet's bad security is YOUR fault

technology | Edward Kiledjian
Image by Nick Carter used under Creative Commons License

As a security expert, my biggest security risk (in the corporate world) is people. I can buy the best technology and write the most efficient processes but if people get sloppy, everything falls apart.

Security and convenience (simplicity) are on opposing ends of the spectrum. Ultimate security means no convenience and ultimate convenience means no security. Did I mention that only through good security can you get good privacy?

We make decisions about the relative importance of security over functionality every day. If you use an Android smartphone and have enabled Google Now, you understand how practical it can be for the Google hivemind to process everything about you and give you the information you need, when you need it, all without having to do anything. Go to the airport and your boarding pass magically shows up on your lock screen or smart watch. Go to a foreign country, get the currency conversion. Go to a new city and see all of the important sights to visit right then and there. We love convenience.

It is this convenience or simplicity that has caused the explosion of everything-must-connect-to-the-internet syndrome. When connecting to the internet meant you had to be a tech expert, buy $3000 of equipment, then set up complicated dialup services, only the brave wanted in. Now that all of the technical underpinnings are hidden, everyone wants to be on the net.

But most users forget that the internet is not magic. There are companies and people working in the background to make all of this possible. None of these people or companies are non-profit charities. Our Internet Service Provider (ISP) sees all of our internet traffic. Our email provider knows who we message, why and how often. Our DNS provider knows what sites we visit and how often. SmugMug or Flickr see all of your photos. If you use a Chromebook (and I own one), you want someone to even manage your endpoint device.

Every time you interact with an internet connected device, remember that it is logging and tracking almost everything you do. Some companies call it telemetry, usage information or metadata, but know that it exists. They use it to improve their product and figure out what's popular and what's not. They want to know when something crashed, why and how. They often send debug information along with the crash report, which could include personal data.

It is these companies, who have access to this treasure trove of personal and sometimes private information, that we are tasking with the protection of our security and privacy. It is also failures in these companies that can lead to a violation of our privacy. Sometimes these violations are because of lax security controls inside the company. Sometimes these violations are performed by well funded, highly skilled cyber-spies on behalf of national governments. Sometimes this information is stolen for fun and profit by "bad actors" (organized crime, competitors or the kid next door).

An article in The Intercept (link) talks about a Snowden leak that claims GCHQ and NSA operatives stole the SIM encryption keys from Gemalto. You've never heard of Gemalto but they probably made the SIM card sitting in your cell phone right now. Its motto is "Security to be free".

Once you have the keys, decrypting traffic is trivial
— Christopher Soghoian, the principal technologist for the American Civil Liberties Union

So it is a bad thing. We didn't want to (or wouldn't) implement security ourselves on our devices so we expect our carrier to do it. They did, using Gemalto, and it is now claimed that the keys used to protect billions of smartphones have been hacked by national intelligence agencies.

Secure instant messaging is a good example. I use the common tools (because everyone is on them) but when I try to convince people to adopt the more secure Threema, they refuse. They want the security but don't want to create and manage keys, securely exchange keys with the other party, etc. They want someone else to handle everything for them.

In the corporate world we employ expensive highly skilled specialists to manage these security controls because we understand the risks of losing control over our protection mechanisms. We understand the value of what it is we are protecting, but do you? 

Every time you give up some privacy in exchange for convenience (or a free service), do it consciously. Ask yourself what’s in it for the other party and is the trade really worth it?
— Edward N Kiledjian

You are your own security's worst enemy.

The long-term solution is:

  • more stringent government regulation forcing clearer explanations of what data is collected, how, when, by whom and for what purpose. 
  • more intelligent consumers that are aware "nothing is free" and better equipped to make decisions regarding their personal privacy and security. 

Now go on about your day and be secure.

Attacked by the Internet of Things

technology | Edward Kiledjian
Image by JD Hancock used under Creative Commons License

In the last 30 days, I participated in 2 CIO conferences (Montreal and San Francisco) and interestingly heard similar questions from executives about the security risks and dangers of Internet of Things devices. Are they really that dangerous?

When I talk about Software as a Service, most readers think of the Google computer cloud, Amazon Web Services or Microsoft's Azure cloud platform. What never gets mentioned is the new breed of Attack as a Service providers. As competition in this space heats up, purveyors of these types of "fine" (said sarcastically) services are looking for ways to reduce the price to win customers. Yes, free market economics is alive and well in the dark underbelly of the internet.

An October 2014 (link) report by Akamai (one of the internet's largest Content Delivery Networks and provider of Website attack protection services) said that they saw a significant increase in the number of UPnP devices being used in amplification attacks. 

Amplification means an attacker can start with a very small number of attack origin devices, then abuse flawed and misconfigured internet-connected devices to turn the drop into a tidal wave.

The Open Resolver Project has collected a list of 28 million internet connected devices that can be used for amplification attacks (link).
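As an added defensive example (not part of the original post): a short Python check a network owner could run over exported flow records to see whether any of their own devices is sending large replies to outside hosts on UDP services commonly abused for amplification. The LAN range, record layout, thresholds and sample flows are assumptions constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumptions (not from the article): LAN range, record layout and thresholds.
LAN = ip_network("192.168.0.0/16")
REFLECTION_PORTS = {53: "DNS", 1900: "SSDP/UPnP"}  # UDP services prone to abuse
MIN_RATIO = 5.0          # reply bytes per request byte worth flagging
MIN_REPLY_BYTES = 2000   # ignore tiny exchanges

# Constructed sample flows: (src_ip, src_port, dst_ip, dst_port, proto, bytes)
SAMPLE_FLOWS = [
    ("203.0.113.7", 40000, "192.168.1.20", 1900, "udp", 120),
    ("192.168.1.20", 1900, "203.0.113.7", 40000, "udp", 3600),
    ("192.168.1.30", 51000, "192.0.2.53", 53, "udp", 70),    # normal lookup
    ("192.0.2.53", 53, "192.168.1.30", 51000, "udp", 130),
    ("198.51.100.9", 5353, "192.168.1.1", 53, "udp", 64),
    ("192.168.1.1", 53, "198.51.100.9", 5353, "udp", 3100),
    ("198.51.100.9", 5353, "192.168.1.40", 53, "udp", 64),   # never answered
]

def find_reflectors(flows):
    """List LAN devices that send large replies to outside hosts on risky UDP ports."""
    requested = defaultdict(int)  # (device, port) -> bytes received from outside
    replied = defaultdict(int)    # (device, port) -> bytes sent back outside
    for src, sport, dst, dport, proto, size in flows:
        if proto != "udp":
            continue
        src_in = ip_address(src) in LAN
        dst_in = ip_address(dst) in LAN
        if dst_in and not src_in and dport in REFLECTION_PORTS:
            requested[(dst, dport)] += size
        elif src_in and not dst_in and sport in REFLECTION_PORTS:
            replied[(src, sport)] += size
    findings = []
    for (device, port), sent in replied.items():
        got = requested.get((device, port), 0)
        if got == 0 or sent < MIN_REPLY_BYTES:
            continue
        ratio = sent / got
        if ratio >= MIN_RATIO:
            findings.append({"device": device,
                             "service": REFLECTION_PORTS[port],
                             "ratio": round(ratio, 1)})
    return sorted(findings, key=lambda f: f["device"])

if __name__ == "__main__":
    for f in find_reflectors(SAMPLE_FLOWS):
        print(f"{f['device']} answers outside {f['service']} requests, x{f['ratio']}")
```

A device that shows up here should have the listed service closed to the internet at the router or disabled on the device.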

Remember that not so long ago (Christmas Eve and Christmas Day), a group known as the Lizard Squad "took down" the PlayStation and Xbox online services through a DDoS attack using thousands of compromised home internet routers.

As companies rush to cash in on the connect-everything-to-the-internet craze, many are cutting corners on security in order to rush products to market or save money on development costs. These are the same companies that don't update their products when major flaws are discovered in the open source tools they use, which means known vulnerabilities sit waiting to be exploited for the life of that device.

Clearly we have a problem with IoT devices already connected to the internet, and eventually it will have to be fixed somehow or we will see bigger and more devastating DDoS attacks. I'm not sure how these will get fixed but it may come down to government regulation (which I hate to even think about). 

Going forward, I am hoping the larger players will be able to sway device manufacturers to adopt a more security conscious approach. Apple is working on HomeKit and Google bought Nest and Dropcam. Maybe if these larger players use security as a differentiator, it may push other manufacturers in the right direction.

The OWASP (link) Internet of Things Top Ten Project is a great start and the site defines its purpose as:

The project defines the top ten security surface areas presented by IoT systems, and provides information on threat agents, attack vectors, vulnerabilities, and impacts associated with each. In addition, the project aims to provide practical security recommendations for builders, breakers, and users of IoT systems.
— OWASP

As a security expert, I have very limited IoT technologies in my house. Not because of a lack of desire but out of concern for security. Be careful of what you buy and how you use it. Make sure IoT devices are on a separate network, so that a compromise of those devices won't give an attacker a foothold in your home's internal network.

Ask yourself:

What would be the impact if a bad actor saw or listened in on a private conversation? What if they accessed your home internal network and copied your computer files?

This is a market that will explode in the coming years. We will see IoT embedded in everything from our toaster to our pants. Our shoes will provide step counters, our fridge will say how much we ate and the bathroom will illustrate how much time you lost in there reading a magazine.

Everything we do will watch, measure and report on us. Let's try to make sure all this incredible data isn't used for nefarious purposes. As a consumer, demand secure devices from manufacturers. Vote with your dollars. Email company support departments asking for updates and better protection. It's in all of our hands to make security a priority for these companies.

 

China bans Apple, McAfee, Cisco, Citrix and more for state purchase

technology | Edward Kiledjian
Image by Gidzy used under Creative Commons License

Reuters is reporting (link) that the Chinese government has removed several prominent US tech companies from its authorized vendor list, meaning government (state) departments or entities are no longer authorized to purchase from them.

This change isn't surprising considering all of the Snowden leaks about NSA spying. Reuters does mention that some of its unnamed sources said this change is being done to encourage organizations to buy locally rather than for security concerns.

This cuts off a huge potential market for these American firms and it will be interesting to see how they respond.