Insights For Success

Strategy, Innovation, Leadership and Security

Best 360 degree camera for consumers

General | Edward Kiledjian

Nokia Ozo. Photo courtesy of Nokia.

360 degree videos are the new thing because they capture more of the experience you are trying to share. Facebook, YouTube and Twitter all support this more immersive medium. So the question is: what's the best consumer 360 degree video camera available? A fair question, considering your local Best Buy has over a dozen in store and on display.

Having tested about a dozen of them, the best one is still the Ricoh Theta S. 

Ricoh Theta S

Why the Theta S? First, it is easy to use: you press the big button and it starts recording. It has built-in Wi-Fi that lets you review the captured content or control the camera from your smartphone. Last but not least, it captures good quality video.

Video is good but not great

When buying one of these devices, it is important to understand that you will get good video, but it won't be the ultra sharp, crystal clear 4K video you get from a mid-priced DSLR. The video quality is good and acceptable; the manufacturers chose not to go for very high resolution because stitching two fisheye streams in real time would require too much processing power.

Some technical specs

So what kind of sensor does this little device have? It has two 12 megapixel sensors behind two ultrawide (roughly 240 degree) fisheye lenses. The camera processes the two images and automatically stitches them into a single 14 megapixel still or a 1080p video, with the camera body itself hidden from view.

Pair this 360 degree video with some kind of VR headset (even a cheap Google Cardboard) and you get wonderfully immersive video that feels like you are in the moment. You can look around and see everything. This means you (as the photographer) have to consider this immersive experience when taking the video. Be cognizant of how you are holding the camera.

Let's talk quality of video

So the Ricoh Theta S produces some very good video with good color reproduction (even in low light situations). Using the smartphone app, you can tune basic settings like exposure compensation, shutter speed and ISO, or go fully manual (which I don't recommend).

Video clips can be up to 25 minutes long. Let's be honest, your videos shouldn't be longer than this anyway.

Let's talk device in hand

The Ricoh Theta S is a slim device, which means it is easy to hold even for people with smallish hands. It is thin and long, with just enough depth that holding it is easy and comfortable.

It has a nice easy to hold onto plastic surface that has good grip. It has a standard tripod mount on the bottom which means you can easily mount this to any tripod (including a flexible Joby Griptight).

The device is easy to use and allows you to quickly switch from 360 degree video to 360 degree pictures and back, all without having to fiddle with finicky menus or use the smartphone app. You can turn Wi-Fi on or off (Wi-Fi drains the battery, so turn it off when not needed).

Let's talk battery life

Ricoh doesn't provide good information about battery life. Assuming you are using the device for video and have Wi-Fi turned off, you can expect about 1 hour of use on a single charge. The battery is not removable, so in the field you'll have to top it up from a portable USB battery.

It's a 360 degree video

The output from the device is either a JPG or MP4 file with metadata identifying it as 360 degree content. You can upload this to YouTube, Facebook, Twitter or Flickr, and the site will recognize the file and do the required processing in the background to make it immersive and navigable.

Each minute of video consumes about 100MB of storage, and transferring it to your phone over Wi-Fi takes 3-5 minutes. During this time you have to leave the app open, so you won't be able to do anything else on your phone (or you can transfer over USB if you have a laptop).

The free Theta+ or Theta+ video apps let you edit videos and even create non 360 degree cropped output files. They are fairly basic but allow you to add text, music or trim the video length.

When possible, use a tripod (even a mini one) to hold the camera otherwise you are likely to see fingers in the shot as you press the recording button. Or use the smartphone app to start/stop recording.

It can live stream

The Ricoh Theta S can also live stream when connected to a desktop with the Theta live-streaming software loaded on it (Mac and Windows). To enable live streaming you "Press the shooting mode button and power button of the camera together".

You can live stream your 360 degree masterpiece to Youtube or Facebook. You may want to add the free OBS Studio app to the streaming mix.

Important considerations

  • First is the price. At roughly US$350 it isn't a cheap product, and it can't be your main or only recording device.
  • It doesn't shoot in 4K. Considering most people will view this content on VR visors, smartphones or in web browsers, this shouldn't be a major problem, but it is important to remember.
  • The built-in 8GB of storage (no SD card support) is annoying. Its major competitors (Nikon KeyMission 360, Samsung Gear 360 and Insta360) all accept microSD cards.
  • Without a removable SD card, you also can't just "pop out" the card and transfer data at much faster speeds using a USB card reader.
  • If you edit the 360 pictures, some editors will strip the 360 degree marker from the metadata, and the upload sites won't know the file requires special handling. You can add this back, but it's a pain.

Conclusion

If you want to buy an affordable, easy to use 360 degree video camera, the Ricoh Theta S is the one to buy today. It offers the right combination of quality, price and features. With everything said and done, it is still early days and the experience still isn't perfect.

I wouldn't recommend my parents go out and buy this. Not yet. Not right now. If you have a desire for 360 degree video then go out and get one. You won't be disappointed as long as you remember it's not a mass market product yet.

For John and Jane Doe, the technology still needs to mature and improve a bit.

Downloaded over a billion email addresses and passwords this weekend

Edward Kiledjian

I am a CISO (Chief Information Security Officer) for a major tech company and manage people, budgets and strategy. But the security researcher in me never went away. Over the weekend our intelligence service downloaded 3 separate dumps totaling over 1B leaked credentials (the largest of which held 400M+ credentials). The smallest one was a Pastebin dump that contained 6,500 email addresses with cleartext passwords (I was able to verify 3 email/password pairs in the list by contacting people I recognized on it).

We use these lists to check for employees (or close-knit partners) who may be impacted by these breaches.

How most people should check

John / Jane Doe won't look for or find these dumps. So what should they do?

Most people should just go to Troy Hunt's Have I Been Pwned and use the free lookup service.

You visit the site and enter your email address (one at a time if you have several).

And hopefully you get the happy green message that tells you everything is ok (at least as far as the site knows).

Or you can get the dreaded "red box"

Millions of sites have been compromised

Funnily enough, I wrote an article on May 3 called "2017 has started as a busy year for hackers" that covered the major compromises we have seen in 2017 (before the major dumps I picked up this weekend). At the end of that article I had a section called "What can you do". I suggest you go read it, but the summary sentence is "you are responsible for your data protection".

  •  you are responsible for your data protection
  •  you are responsible for your data protection
  •  you are responsible for your data protection
  •  you are responsible for your data protection

We are complacent and neglectful. We create accounts everywhere using the same easy to guess password. Then someone hacks a site with poor security practices and suddenly your entire digital life is there on display for the hackers.

LinkedIn lost the account information for 167 million users. To protect passwords properly, sites need to hash them with a per-user random salt using a slow, purpose-built password hashing function. LinkedIn (at the time of the hack) had not been salting passwords; they were only hashed, with plain SHA-1. What does this mean to you? Because identical passwords produce identical unsalted hashes and SHA-1 is very fast to compute, attackers could recover the plaintext of a large share of the accounts with precomputed tables and wordlist guessing.
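To make the salting point concrete, here is an added example (my code, not LinkedIn's or the post's) that shows both sides: a wordlist attack that recovers every unsalted SHA-1 hash from one precomputed table, and the salted, deliberately slow PBKDF2-HMAC-SHA256 storage format that defeats it. The wordlist and the leaked hashes are constructed for the example; the `pbkdf2_sha256$iterations$salt$hash` string format is an assumption of this example, not a standard.

```python
import hashlib
import hmac
import os

# Constructed wordlist: the kind of passwords that dominate real dumps.
WORDLIST = ["123456", "password", "letmein", "monkey", "qwerty"]


def unsalted_sha1(password):
    """How LinkedIn stored passwords in 2012: fast, unsalted SHA-1."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def crack_unsalted(target_hashes, wordlist=WORDLIST):
    """One precomputed table (hash -> word) recovers every matching user at once,
    because without a salt two users with the same password share a hash."""
    table = {unsalted_sha1(w): w for w in wordlist}
    return {h: table[h] for h in target_hashes if h in table}


def hash_password(password, salt=None, iterations=200_000):
    """Salted, slow storage: a random 16-byte salt per user and PBKDF2-HMAC-SHA256.
    The attacker now has to redo the full cost for every user and every guess."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), dk.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown hash format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    # Constructed "leaked" column of unsalted hashes.
    leaked = [unsalted_sha1(p) for p in ("password", "letmein", "Tr0ub4dor&3")]
    print(crack_unsalted(leaked))          # two of the three fall immediately
    a, b = hash_password("password"), hash_password("password")
    print(a != b, verify_password("password", a))
```

Note that the same password stored twice with `hash_password` yields two different strings, so a cracked hash tells the attacker nothing about any other user, and the 200,000 iterations turn a billion-guesses-per-second GPU attack into a few thousand.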

It is important that you create a long unique and random password for each site or service you use.

The moral of the story is that your information will eventually get hacked. Make it difficult for hackers by using a long, complex, unique password for each service you use. That way, cracking the security on one site doesn't expose your entire life.

Anytime hackers gain access to unencrypted passwords, or crack badly protected ones, they feed them into automated systems that test those credentials against the top major websites (Gmail, Hotmail, Outlook, Facebook, Twitter, etc.) to determine which ones are good, fresh and valid. The industry term for this is credential stuffing.

Unfortunately people often reuse the same password or use a derivative of the same password and this allows hackers to wreck peoples lives.

If a hacker logs into a service with a valid username and password, the service will most likely not know the login is fraudulent. Don't rely on companies to protect you.

Anytime we find a data dump, we look for information pertaining to our company and also analyze the content looking for the source and the hacker.

Looking at stupid passwords in a 6500 account Pastebin dump

People still use easy-to-guess, dictionary-based passwords. Why oh why? Several dozen people in the above list use Pa55word as their password.

Some people used variations of "123456" such as a123456b.

Other "gems" used as passwords in this dump include letmein, monkey, trust, trustme, etc., and simple variations of these such as adding numbers at the end (letmein01, monkey123, etc.).
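The two things described above, checking a dump for your own organization's accounts and spotting the leetspeak and trailing-digit variants of common words, can be scripted. The block below is an added example (not the author's tooling) that parses a constructed Pastebin-style `email:password` dump, pulls out the accounts on a set of assumed corporate domains, and reports which passwords are built on a short list of common words, treating substitutions like Pa55word and decorations like monkey123 as the same base word. The dump, domains and word list are all made up for the example.

```python
from collections import Counter

# Constructed sample in the email:password form seen in Pastebin-style dumps.
SAMPLE_DUMP = """\
alice@example.com:Pa55word
bob@example.com:letmein01
carol@partner.example:monkey123
dave@gmail.com:a123456b
eve@example.com:Tr0ub4dor&3
frank@example.com:Pa55word
this line has no separator
"""

CORPORATE_DOMAINS = {"example.com", "partner.example"}   # assumed, for the example
# Longer words first so "trustme" is reported rather than "trust".
COMMON_WORDS = ["password", "letmein", "trustme", "monkey", "123456", "qwerty", "trust"]
# Reverse the usual leetspeak substitutions so Pa55word normalizes to password.
UNLEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                        "7": "t", "@": "a", "$": "s", "!": "i"})


def parse_dump(text):
    """Yield (email, password) pairs; skip lines that are not email:password."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        email, password = line.split(":", 1)
        if "@" not in email or not password:
            continue
        records.append((email.strip().lower(), password))
    return records


def corporate_hits(records, domains=CORPORATE_DOMAINS):
    """Accounts whose mail domain belongs to the organization (or its partners)."""
    return [(e, p) for e, p in records if e.rsplit("@", 1)[1] in domains]


def weak_base(password):
    """Return the common word the password is built on, or None.
    A password counts as weak if a common word survives in it with at most
    three extra characters of decoration (digits, a letter on each side, etc.)."""
    lowered = password.lower()
    for form in (lowered, lowered.translate(UNLEET)):
        for word in COMMON_WORDS:
            if word in form and len(form) - len(word) <= 3:
                return word
    return None


def triage(text, domains=CORPORATE_DOMAINS):
    records = parse_dump(text)
    weak_accounts, bases = [], Counter()
    for email, password in records:
        base = weak_base(password)
        if base:
            weak_accounts.append(email)
            bases[base] += 1
    return {
        "records": len(records),
        "corporate": [e for e, _ in corporate_hits(records, domains)],
        "weak_accounts": weak_accounts,
        "weak_bases": bases,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_DUMP))
```

In practice the plaintext column should never leave the analysis host: keep only the email list for outreach and the password statistics, and wipe the raw dump once the triage is done.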

Don't use common words in your passwords. Use long, random passwords.

Most password managers can generate complicated random passwords, or check out my article entitled 5 best Random Password Generators.

Conclusion

As security researchers and a corporate security team, we are careful about how we handle the data. We make sure we securely delete the details once we have scraped it for our own corporate information (so we can proactively reach out to those users and offer advice and guidance).  

Hackers are not so considerate. Someone will try to hack you; the question is how easy you will make their job.


2017 has started as a busy year for hackers

General | Edward Kiledjian

2017 is shaping up to be a busy year for Information Security professionals. The last major hack was HipChat from Atlassian. Surprisingly most consumers still "don't care" about their data security and millions have bad security hygiene.

Visualizing the hacks

To make the data more palatable, several firms have created visually appealing representations of these hacks. The first is called the World's Biggest Data Breaches and provides a nice, easy to understand list going back to 2004.

In this case the size of bubble represents the size of the breached data.

Hovering your mouse over one of the bubbles provide a general summary regarding the breach.

Clicking on the bubble gives a short description of what was taken.

Finally clicking on this information card takes you to a news article regarding the breach.

Who is attacking who (now)?

Cyber is the new attack space and people are attacking each other all the time. How do you visualize this constant barrage of attacks? Using a "pew pew map", as we call it in the industry. It's called a pew pew map because one of the most used services can add a little "pew pew" sound to the attack map if you want.

It's important to know what these maps show and what they do not show. It is impossible to show all attacks in real time across the internet. Each company providing these maps uses its own collection techniques, and the map is an attempt to show, as realistically as possible, what their tools are seeing. Their data could be based on customer equipment they manage, honeypots (decoy systems used to gather information about attacks) and general monitoring of the internet. No one company has an all encompassing view, and none of these should be considered the absolute truth.

The granddaddy of this type of free attack mapping service is IPViking. This is probably the most viewed free attack map on the internet. For each attack, it shows the attacking organization name, internet address, target city and target service. As I write this, the service seems to be down so I am not able to add a visual representation of it, but it is worth checking out.

FireEye is the 800lb gorilla when it comes to incident response (since they bought Mandiant) and they have their own free attack map. The FireEye map is fairly basic with limited refresh and limited supporting data but it is still clean and easy to understand.

The next map comes from Arbor Networks. Arbor powers the network protection tools for many large national carriers and says their map is fed from 270+ ISP customers. What's unique about the Arbor offering is that it allows you to go back in time (to 2013). Additionally the arbor tool provides neat information (such as type of attack, port, unusual traffic, etc).

The OpenDNS map (Cisco) isn't something I use often but it is visually appealing so here it is for your viewing enjoyment. 

And of course there are many many many more on the web. 

Who got hacked in 2017

2017 has started with a bang and hopefully it isn't a sign of things to come. Here are some of the more interesting ones:

  1. Washington School of Medicine - A Washington School of Medicine employee is believed to have fallen victim to a phishing attack that may have compromised 80,270 patient records.
  2. InterContinental Hotels Group - IHG, which owns prime hotel brands like Crowne Plaza, Holiday Inn and many more, suffered a data breach of its payment processing systems that may have impacted 1,200 hotels.
  3. Arby's - It looks like the chain was infected with point-of-sale malware that may have stolen information from up to 355,000 credit and debit cards.
  4. Saks Fifth Avenue - BuzzFeed reported that the chain may have inadvertently exposed private customer information to the internet. They provided a snapshot of the information as proof.
  5. Free Application for Federal Student Aid - An IRS website designed to help students apply for student aid was "attacked" and the tax information of up to 100,000 taxpayers may have been taken. As I write this, the IRS believes 8,000 fraudulent returns were already filed, costing it $30M.
  6. E-Sports Entertainment Association - On December 30 2016, ESEA issued a warning to its members after it discovered a breach. Over 1.5M people were impacted. Information included username, hashed password, email address, date of birth, zip code, telephone number, website, Steam ID, Xbox ID and PSN ID.
  7. Dun & Bradstreet - D&B found its marketing database of 33M corporate contacts shared across the web in March. The company claimed it was not breached; more likely one of its customers, who had bought the list, lost it. It contained information on millions of employees at companies like AT&T, Walmart, CVS Health and many more.
  8. Chipotle - The burrito restaurant posted a Notice of Data Security Incident on its website advising visitors that it had detected suspicious network activity in a system that supports in-restaurant payment processing. Information is scarce since the investigation is ongoing, but this is the latest shoe to drop so far this year (April 25 2017).

What can you do?

A message to all consumers is that you are responsible for your data protection. If you are sloppy or careless, you will be impacted and you will have no one to blame but yourself. 

  1. Use a password manager like KeePassX, LastPass or 1Password. [ Simplify password management [for free] with LastPass ], [ Protect your online accounts from compromise before it's too late ]
  2. Generate long, impossible to guess, unique passwords for each internet service you register for. [ 5 best Random Password Generators ]
  3. Enable 2 factor authentication on any site that supports it. A list of sites can be found here. An article comparing Authy to Google Authenticator can be found here.
  4. Clean up your social media authorizations regularly using this tool. Make sure only apps and services you currently use have access to your social media networks.
  5. Deal with firms that prioritize your privacy and security. Using any free email system means you are giving the provider access to your email so they can profile you and target advertising. This means they can read your data, and if they have a rogue employee or get hacked, those people will also have access to your unprotected information. ProtonMail is an example of a paid provider that does not have access to your information unencrypted, so even if they are hacked, hackers will not get anything usable. Instead of Dropbox or OneDrive, check out SpiderOak for encrypted online storage. Like ProtonMail, they store your information in encrypted form only, and if they are hacked, any data gained by the attacker would be useless.
  6. Use fake information - Sites often ask you for personal information when you register so they can challenge "you" when you need a password reset. The problem is that many of the questions have easy to find answers (like your mother's maiden name), and if one of these services is hacked, the attackers can use this information on other sites. I recommend providing fake answers to these questions and making them unique to each site. Use your password manager to store the answers.

Bose QuietComfort 25 Review (QC-25)

General | Edward Kiledjian

TL;DR: I have tested dozens of headphones over the last 12 months and the QuietComfort 25 (QC-25) is still the most comfortable headphone with excellent noise cancellation and good sound reproduction.

Comparing the QC-25 to the QC-35

The QuietComfort 35 (QC-35) is the wireless Bluetooth version of the QC-25. It offers slightly better noise cancellation and a slightly different sound profile. If you need Bluetooth (iPhone 7 or iPhone 7 Plus) then get the QC-35; otherwise I would recommend getting the cheaper QC-25.

Not for everyone

Noise cancellation headphones are not ideal for people who only need noise cancellation sometimes. They are not a replacement for regular headphones. If you need good all-around headphones then don't get these (or any other noise cancelling headphones) or you will be disappointed.

The golden rule is that noise cancellation headphones add about $100-150 to the cost of headphones and typically deliver worse overall sound quality when compared to non noise-cancellation models. I can't stress that enough. 

Noise cancellation works extremely well for low frequency (machine style) sounds like a train on a track or airplane engine noise. It doesn't work as well for higher frequency sounds like voices or crying babies on a plane.

If you only need noise reduction occasionally, then you may be better served by a good pair of sealed headphones. You would get better sound quality and would probably pay a lot less.

Who should buy the QC-25

I just wrote 4 paragraphs of who shouldn't buy the QuietComfort 25 (Qc-25). It is important to note that anyone who is a frequent traveler (plane or train) will definitely benefit from these headphones. By making your travel a little bit quieter, you will arrive less stressed and more refreshed.  

Quietcomfort 25 (QC-25) versus in-ear headphones

The biggest question I need to address is the eternal debate between these types of over-ear headphones and in-ear headphones. The truth is that there is no golden rule that is right for everyone.

Some people opt for in-ear headphones because they are smaller and lighter. Many people who wear glasses also prefer in-ear headphones because their frames may prevent over-ear headphones from sealing properly, thus letting the dreaded noise in.

Bose, likely due to owning several important noise-cancellation patents, currently makes our picks for the best over-ear and best in-ear noise-cancelling headphones. Which one should you choose? There’s no simple answer, as it depends on what you’re looking for.

The third reason I have found some travelers prefer in-ear headphones is that they find them better to sleep with on flights.

The fourth reason is that some people find that on-ear headphones make their ear hot after extended use. 

The fifth and final point is on noise cancellation for low frequency sound. From a sound quality perspective, the Bose in-ear noise cancelling headphones (QC-30) tend to reduce low frequency noise a little more and also offer some passive noise isolation, which makes things just a little bit quieter. Mid and high frequency reproduction is always better with bigger headphones, so the QC-25/QC-35 takes the crown there.

Additionally some people just can't stand having anything inserted into their ears. They find it annoying and bothersome. Obviously if you fall into this category, go with the QC-25/QC-35.

Conclusion

If you are looking for amazing sounding, super comfortable wired on-ear noise cancelling headphones then get this. The sound is good enough, it is comfortable (even on a long haul Toronto to Hong Kong flight) and it fits in a relatively smallish case for easy carry.

It offers good low frequency sound reproduction (40Hz or below) and the rest is a little muddied (which is normal for noise cancelling headphones). You can use the QuietComfort 25 even when the batteries die (a nice upgrade from previous models); the sound is pretty bad in that mode, but at least you aren't stranded without entertainment.

If you need bluetooth because you can't live with wires or your smartphone got rid of the headphone port (looking at you Apple), then go with the QuietComfort 35 (QC-35).

Review of encrypted email provider Protonmail

General | Edward Kiledjian

Why would anyone use Protonmail instead of Gmail or Hotmail? SECURITY

Email is inherently insecure, and if you are a political dissident whose online communications can mean the difference between living and dying, don't use email. For everyone else looking for an easy and secure email solution, keep reading about Protonmail.

Everyone needs to understand that SMTP was not designed to be secure and will always have security weaknesses.

We use email because we don't have a choice, and everyone agrees it won't be displaced tomorrow.

The other major issue faced by secure service providers is ease of use. PGP is a good example of strong email encryption that never became mainstream because it was simply too complicated for ordinary users.

Absolute security is impractical and will never gain widespread adoption, so good security should be the goal for most services.

There is always a tradeoff between usability and security. The difficulty is finding the right balance.

So what does Protonmail offer?

The bright scientists behind Protonmail understand the fine balance they must find between usability and security. Make the product too secure and no one will use it (aka bankruptcy); make it extremely user friendly but not secure and you become a me-too email provider.

They have chosen to implement good enough security which makes encryption generally accessible to the masses while protecting against unauthorized government seizure or mass surveillance.

What are the weaknesses of Protonmail?

Read my blog post about the Vault7 leaks (here) and you will realize that when a government is stifled by strong encryption (WhatsApp, Signal, etc.), it compromises the endpoint and extracts the information before encryption or after decryption.

Protonmail does not protect you if your endpoint is compromised. It would be unreasonable to expect any secure online service to protect you from this type of attack. If you want maximum endpoint security, learn about operational security practices and use a security-focused operating system like Qubes OS.

Nation state level man in the middle attack. Protonmail implements the standard controls against common man in the middle attacks, but a nation state actor with the ability to redirect your web traffic and obtain fraudulently issued, browser-trusted TLS certificates could in theory intercept your session, present you with a look-alike login page, and use the captured username and password to access your account and the key that decrypts your mailbox. Let's be clear that your garden variety hackers (even extremely skilled ones) won't be able to pull this off. It requires money and serious technical capability to reroute internet traffic and to get a trusted certificate authority to issue certificates for someone else's domain.

Intelligence break in. With all the talk about government backdoors, the third major weakness of Protonmail (and of every secure service you did not write yourself) is that a nation-state actor could infiltrate Protonmail and push "special" encryption code to users, allowing the attacker to read unencrypted versions of the messages. This matters for any browser-based client, because the JavaScript that does the encryption is delivered fresh by the server each time you log in, so you are trusting the server on every visit. Protonmail has stated that they have multiple controls in place to protect against this type of attack, including scanning their servers for unauthorized code changes.

Some nice features of Protonmail

Protonmail is a Swiss company. Any government request for information would have to be made there under Swiss law, which is very protective of private information (the USA cannot issue a National Security Letter to force the company to turn over information and hide the request from the user).

In the rare situation where a government spent the money and convinced a Swiss court to compel Protonmail to turn over user information, Protonmail uses "Zero Access Cryptography", which means it does not hold the key needed to read your mailbox (your private key is itself encrypted, client side, with a key derived from your password) and can therefore only turn over encrypted information.

Protonmail supports (and you should use) 2-factor authentication. This means that in addition to something you know (your username and password), you need something you have: a time based one-time code generated by an authenticator app such as Google Authenticator or Authy.

If you want to send something more secure than normal email to a non-Protonmail user, you can create a Protonmail-hosted message that requires a password to open (obviously don't send the password by email) and can even have a fixed expiry date.

Creating a password for the secure "hosted" email

Setting an expiry time for the message

Protonmail stores encrypted, per-user authentication logs. This means you can see when your account was logged into and from which IP address. You can turn this off if you don't want it captured. Protonmail does not capture or log your IP address anywhere else.

The ProtonMail service has internal authentication logs. When I say internal, I mean that these details are available only to the account owner, and are recorded and encrypted with all the other data inside the account. As I mentioned earlier, Proton Technologies AG doesn’t log IP addresses, but this information can be logged inside your web client session. If you don’t need them, just wipe the logs and switch to basic mode which doesn’t record info on the IP addresses you logged in from.

Basic mode stores login dates and times only. Advanced mode also stores the IP address you logged in from. The choice is yours, and you can always download this information or securely erase it.

No user profiling. When you use a free service, the provider is conducting deep analysis of your mail and building a profile of you. Protonmail doesn't do this since everything is encrypted.

They encrypt all email received from non-Protonmail senders immediately upon ingestion.

Emails that come from third party email providers obviously cannot be delivered with end-to-end encryption, but upon reaching our mail servers, we will encrypt them with the recipient’s public key before saving the messages. All this is done in memory so that by the time anything is permanently stored to disk, the email is already unreadable to us.

This is good for security but limits what they can do for spam control. In a blog post, they explain what they do to fight spam:

  1. They check the IP address of the incoming SMTP server against known blacklists
  2. They pass all messages through their own Bayesian filter marking suspicious emails as SPAM
  3. They generate a checksum for each email message and verify this checksum against known SPAM messages
  4. They verify the authenticity of the email using standard protocols (SPF, DKIM and DMARC)

Sending secure emails to non Protonmail users

I alluded to this earlier but wanted to restate it here in its own section, since I would otherwise receive a dozen emails asking this question.

Can secure emails be sent from Protonmail to non-Protonmail users (Gmail, Hotmail, Outlook, etc.)?

When sending emails to non-Protonmail users, you can:

  1. Send a standard unencrypted email. This is what every other email provider does.
  2. Use the lock icon in the compose window, which asks for a password (see the screenshot earlier in this post). When a password is set, the recipient receives a message with a link to a Protonmail web page where he/she can enter the password you provided and read the email.

Notification non-Protonmail user receives

Password requested by non-Protonmail user.

Free versus paid

Protonmail offers a free basic tier and I recommend everyone start with this level. If it meets your needs, you should consider upgrading to a paid tier which offers custom domains and more storage. 

Conclusion

I love Protonmail and am moving my private (not public) email address there. I like the security it provides and the open philosophy they espouse. I say use them if you want something more secure and private.

You may also want to read my article about SpiderOak. SpiderOak is a Google Drive, Microsoft OneDrive or Dropbox alternative with strong trust no one encryption.