Insights For Success

Strategy, Innovation, Leadership and Security

ChromeOS 62 rolling out now with KRACK patch

General | Edward Kiledjian

Google started rolling out Chrome 62 to Windows and Mac clients about a week ago, and by now most Chromebook users should have received the update. For those who haven't noticed, Chromebook updates typically lag behind their Windows/Mac counterparts by about a week.

What does ChromeOS 62 bring?

ChromeOS 62 brings an improved file manager, improved OS notifications, and most importantly vulnerability fixes (including the famous KRACK vulnerability).

Pressing and holding a file in the file manager now selects it (you can then add more files to the selection) instead of bringing up the right-click menu.

Google updated the system notifications to look more like Android notifications (they used to look more like Chrome for Windows notifications). This more Android-like style brings Material Design with large icons.

If you take a screenshot, the notification now shows a thumbnail of it (similar to Android).

You now have better captive portal detection (the interstitial web page in a coffee shop that asks you for your email address before giving you web access).

The most important update for me (a security guy) is the remediation of the WPA2 KRACK vulnerability. KRACK (key reinstallation attack) is a flaw in how WPA2 clients handle the four-way handshake: by replaying the handshake message that carries the key, an attacker in radio range makes the client reinstall a key it is already using and reset the packet counter that feeds the encryption nonce, so keystream is reused and encrypted traffic can be decrypted. Because the flaw is on the client side, it is this kind of client update, not just an access-point firmware update, that protects a Chromebook's own traffic.
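To make the KRACK remediation concrete, here is a toy model I added for this post (it is not code from Google, from ChromeOS, or from the KRACK researchers). WPA2-CCMP encrypts each frame with AES in counter mode under a nonce built from the packet number, which must never repeat under one key. The model replaces the AES keystream with an HMAC-SHA256 stand-in keyed on (key, nonce), the frames and the pairwise key are constructed values, and the "vulnerable" and "fixed" behaviours are simplified: a vulnerable station resets its packet number on every key install, a fixed station ignores a reinstall of the key it already has. Everything the attack needs is the stream-cipher property that the same key and nonce give the same keystream.

```python
"""Toy model of the WPA2 key-reinstallation (KRACK) failure.

Added illustration; not code from the page or from any WPA2 implementation.
The AES-CTR keystream of CCMP is modelled with HMAC-SHA256 over
(key, nonce, block index). Sample traffic and the key are constructed.
"""
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed sample traffic (not captured frames).
KNOWN_PLAINTEXT = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n"  # frame the attacker can predict
SECRET = b"Cookie: session=s3cr3t-value-1"  # frame the attacker wants to read


def keystream(key: bytes, nonce: int, length: int) -> bytes:
    """Stand-in for the CCMP AES-CTR keystream, keyed on (key, nonce, block index)."""
    out = b""
    block = 0
    while len(out) < length:
        msg = nonce.to_bytes(6, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings; the result is as long as the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


class Station:
    """Transmit side of a WPA2 client: a pairwise key plus a packet number."""

    def __init__(self, fixed: bool) -> None:
        self.fixed = fixed
        self.key: Optional[bytes] = None
        self.pn = 0  # packet number; it doubles as the CCMP nonce

    def install_key(self, key: bytes) -> None:
        # Vulnerable behaviour: every message 3, including a replayed one,
        # (re)installs the key and resets the packet number to zero.
        # Fixed behaviour (simplified): a key that is already installed is
        # left alone, so the packet number keeps counting.
        if self.fixed and self.key == key:
            return
        self.key = key
        self.pn = 0

    def encrypt(self, plaintext: bytes) -> Tuple[int, bytes]:
        assert self.key is not None, "no key installed"
        pn = self.pn
        self.pn += 1
        return pn, xor(plaintext, keystream(self.key, pn, len(plaintext)))


def replay_message3(fixed: bool) -> Optional[bytes]:
    """Simulate the attack; return the recovered secret, or None if no nonce reuse occurred."""
    ptk = hashlib.sha256(b"constructed pairwise transient key").digest()
    sta = Station(fixed)
    sta.install_key(ptk)                     # genuine message 3 of the handshake
    pn1, ct1 = sta.encrypt(KNOWN_PLAINTEXT)  # first frame under this key
    sta.install_key(ptk)                     # attacker replays message 3
    pn2, ct2 = sta.encrypt(SECRET)           # next frame the client sends
    if pn2 != pn1:
        return None                          # fresh nonce, distinct keystream
    # Same (key, nonce) on both frames: ct1 XOR ct2 == p1 XOR p2, so a known
    # plaintext yields the other frame's bytes without touching the key.
    return xor(xor(ct1, ct2), KNOWN_PLAINTEXT)


if __name__ == "__main__":
    print("vulnerable client leaks:", replay_message3(fixed=False))
    print("fixed client leaks:     ", replay_message3(fixed=True))
```

The point of the model is that the attacker never learns the key; the leak comes entirely from the packet number being reset, which is why the fix is about refusing to reinstall a key (or, equivalently, never rewinding the nonce) rather than about changing the cryptography.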

Microsoft takes aim at Google Chrome vulnerabilities

General | Edward Kiledjian

In July 2014, Google launched its Project Zero initiative to find zero-day vulnerabilities in widely used software, with the aim of making computing generally more secure.

Google's modus operandi is to inform affected vendors and give them a fixed deadline to release patches (90 days under Project Zero's policy); once the deadline passes, they go public even if a patch is not yet available. The 60-day figure in the statement below comes from Google's earlier, 2010 disclosure policy, which is where this approach started.

Our standing recommendation is that companies should fix critical vulnerabilities within 60 days — or, if a fix is not possible, they should notify the public about the risk and offer workarounds. We encourage researchers to publish their findings if reported issues will take longer to patch.
— Google

There have been situations where Microsoft was not able to release a public patch within Project Zero's disclosure window, and this has understandably created a tense relationship between Google and Microsoft.

Google’s decision to disclose these vulnerabilities before patches are broadly available and tested is disappointing, and puts customers at increased risk.

You can read the Microsoft blog entry about their disappointment with Google. Not wanting to simply take the hit and move on, Microsoft's security research team has been looking for flaws in Google's products and found two bad ones. Realizing that security is now a major differentiator, they decided to play Google's game and disclose the vulnerabilities after a waiting period had elapsed.

Here is a passage that takes a jab at Google's Chrome while praising Microsoft's own Edge security architecture:

This kind of attack drives our commitment to keep on making our products secure on all fronts. With Microsoft Edge, we continue to both improve the isolation technology and to make arbitrary code execution difficult to achieve in the first place. For their part, Google is working on a site isolation feature which, once complete, should make Chrome more resilient to this kind of RCE attack by guaranteeing that any given renderer process can only ever interact with a single origin.

Microsoft justified the release of the detailed vulnerability information with this sentence (the point being that anyone watching the public repository could see the fix, and therefore the bug, before users had the patched build):

it’s important to note that the source code for the fix was made available publicly on Github before being pushed to customers.

I think large well-funded companies should be doing general security research and helping improve the overall security of the entire ecosystem. I wish they could agree on a more friendly approach to vulnerability disclosure, not leaving their customers open and unprotected. This should not become a marketing tool but more of a commitment to societal improvement.

A guy can dream, can't he?

Chrome for Windows helps recover your browser from hijacking

General | Edward Kiledjian

Google Chrome, Microsoft Edge, and Mozilla Firefox are all mainstream browsers that work hard to keep you safe on the web. Each company has taken a different approach, but users are more protected than ever before.

Nothing is foolproof though. What happens when badware gets through those defences and takes over your browser, making your leisurely stroll through the web painfully slow, or dangerous because it is stealing your passwords?

In the latest version of Chrome for Windows, Google adds more tools to the arsenal. 

Hijacked settings 

Recently we have seen a surge in companies selling reputable browser extensions to other companies, with the new owners then using the existing installed base to do bad things such as stealthily changing your browser settings (search engine, home page, new-tab page).

Chrome now looks out for this type of attack and offers to restore your settings. 

Chrome cleanup

Many companies bundle crapware with their product installers as a source of additional revenue. In some cases, the user may not even be aware that the crapware was installed.

Chrome Cleanup looks for this type of unwanted software and offers to remove it and clean up Chrome (thus returning Chrome to a known good state).

Google redesigned Chrome Cleanup to be more powerful and more straightforward to use.

Rolling out now

The new version will roll out gradually to users over the next few days, and you will get these improvements automatically.


Source: Google blog post

You're going to love the DuckDuckGo Terms of Service

General | Edward Kiledjian

Terms of service are professionally written notices you agree to every time you set up a new smartphone, install new software or sign up for a new web service. Consumers are rightfully annoyed by the 50+ page terms used by large companies.

Sometimes you stumble on a company whose terms of service are "good" in the sense that they actually protect you, the consumer. This write-up is about DuckDuckGo because I receive several dozen emails from readers every month asking whether it really is a good alternative from a security perspective.

In this article I am only tackling their terms of service. As stated on their privacy page, "DuckDuckGo does not collect or share personal information."

DuckDuckGo says they don't save your searches. They don't send your searches or information to any other site. They don't store any personal information about you. 

They only save cookies in your browser if you enable a function that needs them (like persistent settings).

They save search information but only as aggregated data without any personally identifying information. 

So DuckDuckGo's terms live up to its promise of private web searching, which is great. I give it an A grade for the protection its TOS offers. Keep in mind that this is an assessment of what the document promises, not an audit of what the service actually does.

What is DXO Mark Mobile and should you care?

General | Edward Kiledjian

Over the span of a couple of weeks, we saw three phones released, and with every release, the manufacturer touted the device's incredible "best ever" DXO Mark Mobile performance rating:

  1. Samsung released the Galaxy Note 8 with a DXO Camera score of 94
  2. Apple released the iPhone 8 Plus with a DXO Camera score of 94
  3. Google released the Pixel 2 / Pixel 2 XL with a DXO Camera score of 98

Manufacturers love touting these scores to "prove" that they have designed the finest camera a discerning tech user could ask for. For all intents and purposes, technology should keep getting better, which means every new high-end phone should outperform its predecessor overall. Why would you buy an inferior phone?

While most blogs blindly write headlines repeating this single "representative" number, very few actually take the time to read the full DXO reviews and explain the details to their readers. 

It's complicated

The first thing to keep in mind is that blending complex factors into a single easy-to-digest number is complicated and can mislead some readers. While most blogs only show the single number, DXO actually provides a generous amount of valuable information for the curious reader.

The DXO tests include a slew of carefully controlled lab tests and other real-world tests that are more subjective.

If we pick on today's "highest ranking" phone, the Google Pixel 2, here is how the rating of 98 is made up:

DXO provides detailed test results and write-ups for each of these categories. While most blogs will tout that the Pixel 2 has a rating of 98 (the best ever rating for a smartphone), they rarely provide the makeup of that number.

And the make-up of that number is critical to your buying decision. If you will use the camera primarily for video, you may notice it scored 96 there. You can also check how DXO arrived at that score by looking at the attributes that matter most to you about video:

  • Exposure and contrast
  • Color
  • Autofocus
  • Texture
  • Noise
  • Artifacts
  • Stabilization

Remember that the video rating of 96 is not a straight average but rather a "black box" formula closely guarded by DXO.

Is DXO Mark Trustworthy?

The next question is "can you trust the DXO testing methodology"?

Having reviewed the public information made available by DXO, I say yes. They have a well-documented methodology that is as good as it is going to get. I trust their rating but use the detailed review information to make up my mind, not the single number most blogs publicise.

It is also important to keep in mind that DXO is a for-profit consulting company that manufacturers hire. DXO works with manufacturers to tune their imaging systems and get the best possible performance out of the equipment and software. DXO also sells image quality testing solutions.

I do not believe this consulting arm influences the device ratings in any way but it is still an important fact to keep in mind.

DXO Optics Pro

DXO Optics makes very good photo-improvement software because of all the camera/lens knowledge they have accumulated. They know the shortcomings of each camera/lens combination and can thus build specific correction profiles.

I own their software and paid for it myself. 

90% of the questions I receive these days are about comparing the iPhone to the Google Pixel 2. In addition to everything I have already written and the information above, there is one more thing you should consider.

The Google Camera app on the Pixel 2 does not natively support RAW capture; the iPhone (5s or newer) does. This means DXO Optics Pro has correction profiles for all those iPhone RAW images, but none for the Google Pixel 2. This could be a major deciding factor for the more astute or demanding mobile photographer.

Conclusion

I know most users simply don't care about the details. They want one easy to read headline that justifies their belief (Google is better / iPhone is better). My ask is that you, my more knowledgeable readers, take the time to look at the data that makes up the numbers.

It's a worthwhile investment of your time.