Insights For Success

Strategy, Innovation, Leadership and Security

Google Chrome's Spectre Mitigation is consuming 10% more RAM

General | Edward Kiledjian

Google Chrome has always been a resource hog, but you may have noticed it's been consuming just a little bit more RAM lately (on your desktop).

This new, more demanding Chrome is a result of Google's Spectre mitigation efforts.
The Google Chrome security team has enabled site isolation by default (in Chrome v67 for desktops). Justin Schuh, head of Google Chrome Security, explained that site isolation gives each website its own renderer process, thereby preventing a malicious tab from stealing data from another.

When Site Isolation is enabled, each renderer process contains documents from at most one site. This means all navigations to cross-site documents cause a tab to switch processes. It also means all cross-site iframes are put into a different process than their parent frame, using “out-of-process iframes.”

Don't expect to see this update on the Android version anytime soon; the resource consumption requirements are too high (for now).

Chrome is obviously my browser of choice, but I have been concerned about the amount of resources it requires, and this move (although right from a security perspective) pushes Chrome further in the wrong direction.

Honest review of NordVPN

General | Edward Kiledjian

Recently I started seeing more ads for the NordVPN service. It seems some of you may be in the same position as I've received several emails asking me for my opinion about them. 

After a careful review, here it is. NordVPN is best described as a good "one size fits all" VPN service. You pay one fixed price and get full access to their network endpoints (1000+ servers in 57 countries) and the full available speed.

TL;DR: NordVPN offers an impressively fast VPN, good security and easy-to-use clients.

You will find an impressive list of tutorials for dozens of different platforms, from the usual (Windows, Mac, iPhone and Android) to Belkin, MikroTik and Arris routers.

Protection

NordVPN promises that it is a no-log service. They use 2048-bit encryption, they run their own DNS servers to minimize DNS leakage, and they have a "kill switch" that blocks application internet access if the VPN gets disconnected.

Validating their claims

Many providers promise a no-log service, but there is no way for consumers to validate this statement independently. I have chatted with their support and had no reason to doubt their claim. 

I have run my standard VPN tests on Windows and macOS and can confirm that I did not detect any DNS, WebRTC or identity leakage. My most useful test was validating their kill switch functionality (by manually killing the VPN process) and confirming that it worked.

Multiple devices

NordVPN offers access to 6 devices simultaneously. If you connect multiple devices to the same endpoint, you will have to choose different VPN protocols for each (L2TP, PPTP, OpenVPN TCP and OpenVPN UDP). 

Price

I recommend you shop around for deals. Their "normal" promo is $79.00 for 2 years (a 72% discount). If you browse the web, you can find links with additional discounts of up to 77%. Here is the link I used below (not an affiliate link).

Conclusion

Overall NordVPN seems like a competitive offering with good security. 

26 girls saved from exploitation by Twitter

General | Edward Kiledjian

The media is quick to publish reports about the "evils" of social media. Twitter is a favourite target.

Here is a little-told story about 26 young girls (aged 10-14) being saved from the clutches of human traffickers in India because of a simple tweet. Adarsh Shrivastava, a Good Samaritan travelling on an Indian train, noticed a group of young girls who seemed to be in distress. He tweeted the train operator, which was the start of their rescue.

A representative from the Ministry of Railways forwarded a support request to the railway police. 

Shortly after being notified, the railway police intervened and rescued the girls. Two men were arrested. 

Source: NDTV

Freedom Mobile removes insurance coverage for lost or stolen phones

General | Edward Kiledjian

Freedom Mobile's phone protection plan is removing coverage for lost or stolen phones. In exchange, they are reducing the monthly fee by $1 (down to $9). This change was first noticed on Reddit by user Alphalee and you can read messages from upset customers (obviously).

This change will come into effect on August 2nd, 2018. Repair service is now listed at $99 (it was unlimited in the past). It looks like this is an attempt to limit fraud and reduce insurance costs for Freedom Mobile. Their coverage seems to be underwritten by Asurion (the same provider used by Telus, Bell, Virgin Mobile and Koodo).

The existing Freedom Mobile coverage still protects devices from accidental damage (such as a broken screen or liquid damage).

Review of the free Mozilla Send service

General | Edward Kiledjian

As a citizen of the digital world, you probably transfer large files daily. Sure, you could use Google Drive, Dropbox or OpenText Core, but Mozilla believes there is a better way: Mozilla Send. Mozilla Send is a web experiment that allows you to easily transfer large files, up to 1GB in size.

Mozilla Send can be used with any modern browser.

How to use Send

1 - Go to https://send.firefox.com/

2 - Upload a file

3 - Decide how many downloads you want to allow in a 24-hour window. Determine if you want to enable a download password.

4 - Send the link to the recipient of the file.

Mozilla Send Security

Mozilla Send uses AES-128 (the AES-GCM algorithm) to encrypt and authenticate the file. Encryption is performed on the client before the file is uploaded to the Mozilla Send servers. Mozilla Send relies on the Web Cryptography API, which is the browser component that performs hashing, signature verification, encryption and so on. All of this happens without requiring any user intervention.

It is important to highlight that anyone who intercepts the URL can download and decrypt the file: the encryption key is appended to the URL as the part after the #.

Sample URL : https://send.firefox.com/download/2f3eea2e0f/#6kUB9cj4gXgTZWgDXrPEZQ


Important security notes:

  • Once 24 hours have elapsed or the maximum number of downloads has been reached, Mozilla Send deletes the file from the server.
  • You can manually delete the file using the Delete button. Note that the Delete button only appears on the initial upload confirmation page, so if you think you might need it, keep that page open.

Web Experiment

Mozilla Send is a Web Experiment, and Mozilla is gathering usage statistics to determine whether this is something they want to keep as a permanent offering. Right now it is a great example of solid design and engineering.