Insights For Success

Strategy, Innovation, Leadership and Security

Vacation

Common hotel safety and security questions

General | Edward Kiledjian

When an operational security expert thinks about hotel risks, we typically group them in these buckets:

  1. physical security
  2. safety
  3. technological risk

Travel security means you need to think about potential risks you may be exposed to and how you could mitigate them.

What about room security?

The first thing you should do when you walk into any hotel room is walk around and identify all potential ingress points. Make sure that they are locked (windows, sliding doors, doors to adjoining rooms, etc).

The front door is your primary risk and anytime you are in the room, you should always use all of the protection mechanisms made available to you (lock, hasp and deadbolt).

When travelling, I always carry a light and cheap Addalock to provide an additional level of safety.

If I'm going to sleep and believe that the risk level may be higher than normal, I will stack the glass cups (water and coffee) in front of the door so any attempted opening will cause them to fall and wake me up.

Are peepholes in hotel rooms really an issue?

The short answer is yes. There are inexpensive adapters that reverse the magnification of a peephole and allow a threat actor to watch you inside your room. I have even seen some with smartphone adapters so you can even record video.

Tip: If the peephole doesn't have a cover built-in, roll up some toilet paper and shove it in the peephole.

Is a hotel safer than an Airbnb?

This is a question I receive regularly and the answer isn't simple.

Most Airbnbs are located in nondescript residential buildings and therefore could allow you to blend in with the locals. Remember that you have to trust the Airbnb host.

A hotel, on the other hand, is flashy and everyone knows where it is (forget about blending in), but these establishments typically have stronger, better-designed security.

Hotels typically set up shop in safer neighbourhoods whereas an Airbnb can be anywhere.

You need to do some research and determine what your risk profile is and then determine which solution best meets your requirements. 

What should I look for before booking a hotel room?

In an emergency situation, you are ultimately responsible for your own safety. An ounce of prevention is worth a pound of cure. Do your research before booking a hotel and the room. I generally want a non-biased third party to provide the below answers. If that is not possible then I try to stick to major Western chains that usually will be fairly honest with their answers.

  • Choose a hotel where the room locks are electronic. This makes it harder for previous guests or “bad guys” to have access to your room. Ask for 2 copies of the room key and keep both on you. If you misplace or lose one, immediately notify the hotel and have replacements made.
  • Make sure the room is equipped with a deadbolt lock and a peephole
  • Most of us do not pay attention to the hotel’s fire suppression system but trust me this one is important. Make sure your room is equipped with a smoke detector and that each room (and the hallways) has a visible sprinkler system. In many countries, the fire response teams are not as fast, well equipped or trained as in North America.
  • Make sure that the hotel environment is secure with proper fencing and that the guest areas are well lit (parking, hallways, ice rooms, etc).
  • Generally, I prefer hotels where the elevator leaving the parking area only goes to the lobby (and not directly to the rooms).
  • I try to make sure that any hotel I choose has adequate security personnel. I like to see uniformed security personnel that seem to be well trained and adequately equipped (in this case adequate depends on the area.) They should be willing to escort you to your room or vehicle if requested.
  • I recommend you contact the foreign affairs ministry of your country (DFAIT in Canada, US Embassy for the USA, etc). Ask them about the area the hotel is located in and determine how safe it is.

How do I ensure my stuff hasn't been tampered with?

If you have read my other articles, I talk about hotels being a prime target for intelligence gathering. Where possible, take all of your "stuff" (passports, money, electronics, etc) with you. Sometimes that isn't possible or desirable, so what do you do?

Make sure everything is turned off (not in hibernation or sleep mode).

Use discreet alignment of your "stuff" to detect if anyone has tampered with it. Discreet alignment means that everything has been placed in specific ways so you will detect the slightest movement. As an example, maybe you place a water bottle 1 thumb away from the USB port of your laptop. When you come back, you will immediately know if someone tampered with that port (if the alignment is off).

You can also use cardinal bearings (alone or with discreet alignment). Cardinal bearings are basically compass headings. So you place the protective item (coffee cup in front of the sensitive USB port) and make sure the handle of the coffee cup has a perfect bearing of north. You can also use pens or anything else that is easy to move.

Once you have set up your environment, take pictures of it with your smartphone camera.

If you are being tracked, make sure everything looks natural. You do not want anyone to suspect that you are laying traps.

Using the do not disturb sign

In security, we want as much advance notification as possible that something is wrong. The trick here is to place the do not disturb sign on your door but to do it in a way that is unique but natural. As an example, instead of letting the sign just hang freely from the handle, you place the edge into the door frame so it is on a slight angle. To most people, it will seem like you left in a hurry and the sign just got stuck in the door. If you come back and the sign is no longer on an angle stuck in the door frame (i.e. it is hanging freely), that means someone was in your room and that you should approach with caution.

Skyroam Solis Review: a traveller's best friend?

General | Edward Kiledjian

I've been using a Skyroam hotspot for many years now and my 2 most popular blog posts (for the old device and service) are here: 

They recently upgraded their back-end service and global WIFI hotspot, and I wanted to test and review it for you. 

Solis is the latest version of the Global WIFI hotspot sold by Skyroam. For those new to this company, they offer a small portable global WIFI hotspot that works in 100+ countries, costs $10US a day for unlimited data and is activated on demand.
 
Although I had many complaints about the pass purchase process with the original product, their hotspot has been part of my everyday carry (EDC) kit for three years now.

The Solis improves on its older brother in 2 ways:

  • it now supports LTE speeds in countries where it is available (otherwise it drops down to 3G)
  • it can now operate as a backup battery (in a pinch) to charge your mobile phone

I have had the Solis for several months and have already taken it on a US road trip. It is a well-built successor to the original Skyroam hotspot, but the world has changed.

When I started using the original Skyroam in 2014, my carrier didn't offer a global travel package, and it was a pay per megabyte type affair. It got very expensive very fast. Today my carrier offers a US travel package for $7 a day or a global package (in 80+ countries) for $10 a day.

If all you need is access on one device, then your carrier package may be more advantageous since it is immediate and does not require any changes. But.... The Skyroam Solis offers coverage in more countries and can provide wonderful internet goodness to up to 5 devices simultaneously. 

In my case, I still rely on Solis or KnowRoaming when I travel since I know that they will offer service everywhere for one set price and it is one less worry when I travel.

The device

If you look at the above picture, the Solis is a beautifully visible shade of orange. It is made of plastic that should withstand the rigours of travel very well. If the battery does weaken, you can order a replacement from Skyroam.

I find the Skyroam Solis much easier to carry than its competitors (including the Geefi).

Using the device

You probably noticed that the device (unlike its older brother) doesn't have a screen. To manage the device, you turn it on and connect to it from your smartphone. You will then be presented with an information page showing signal, passes left, battery level, etc. To use the device "in the field", you turn it on then press the WIFI button on the top. This automatically applies one of your day passes and you get 24 hours of internet. It knows where you are and downloads a virtual SIM for the Skyroam partner in that country. 

You can travel to as many countries as you want during that 24-hour window. All you have to do when you switch countries is turn the unit off and back on. When it starts up, it will identify the local country and download the appropriate country SIM.

You could open the a.skyroam.com captive portal from any device with a browser but it is formatted for smartphones (will look odd on a laptop). Why isn't it responsive?

The Solis is charged with any USB-C adapter, which is fantastic if you have a USB-C smartphone and laptop. You can charge everything with one adapter. They provide a mini USB-C to USB-A adapter so you can charge other devices from the Solis but I wouldn't recommend it. WIFI needs every little bit of juice in that battery.

In my testing (in zones with good LTE coverage and with 1 device connected), I was able to eke out 10-14 hours of usage on a single charge. This number will drop if the wireless signal is weak and/or if you connect multiple WIFI devices to the hotspot. When I tested it with a Chromebook and a Note 8 smartphone, I still got 10 hours of solid use (usage was primarily web pages without heavy streaming).

The software is periodically updated, which is a nice touch. I recommend you start the device and let it connect to your local home network (without using a pass) before travelling. If the device needs an update, better to do it now than at a foreign airport waiting for the 15 minute upgrade process to complete.

How fast is the connection?

I will not post speed test results because that depends on the local carrier, congestion, etc. I will say that in my testing, the Solis achieved LTE speeds comparable to an iPhone 6s Plus. The Note 8 outperformed it with its carrier aggregation technology.

There is an LTE cap of around 500MB in a 24 hour period. After this, they throttle the connection down to 2G. They claim that this isn't automatic and is done to protect the experience for all customers, but I hit this limit consistently (for testing) and saw my speed drop to dial-up performance. At the lower throttled speed, even simple apps like Google Maps took forever to load, and GPS navigation became impossible.

I understand the need to control their costs but wish there were a way to buy more LTE access if I needed it. 

What about security?

In September 2016, I reached out to Skyroam and complained about major security gaps on their online pass purchasing website. After multiple attempts to responsibly disclose the issues (with no follow-up from Skyroam), I wrote an article about it. I am happy to report that the new version of their online portal has fixed all of the issues I previously reported.

What about the general security? It is as secure as your home internet connection. My standing recommendation is to use a VPN where/when possible. You can get a VPNUnlimited lifetime VPN subscription for 5-devices for $18 (promo link), so you have no excuses.

So should I buy a Skyroam Solis?

So the question you are asking yourself is "Should I buy the Solis?". There is no simple answer. If you used the old version, then the Solis is a wonderful upgrade. Every time I tried it, it worked flawlessly without a hitch. The cost is predictable, and I have a bunch of passes purchased ready to use when needed. 

If you are a European with an EU SIM travelling within the EU, you get free roaming anyway. If you are an American with one of those great T-Mobile plans with free global roaming, you probably don't need this device either.

A Skyroam PR rep had said months ago that additional functionality would be unlocked on the device (like Bluetooth and GPS), but since they are not available today, I can't factor them in as a benefit. 

For everyone that travels more than twice a year (and doesn't have free roaming), you really should consider it. The best recommendation I can make is that I own one and carry it with me every day (even when in my home country). I will be travelling considerably over the next four months (within the USA and globally) and will be using this thing a lot. 

If you travel once a year and don't want to buy a Skyroam Solis, you can rent one directly from the company. They will mail it to you or you can pick it up (US pickup is available in San Francisco, Atlanta and Austin.)

Bose QuietComfort 25 Review (QC-25)

General | Edward Kiledjian

TL;DR: I have tested dozens of headphones over the last 12 months and the QuietComfort 25 (QC-25) is still the most comfortable headphone with excellent noise cancellation and good sound reproduction.

Comparing the QC-25 to the QC-35

The QuietComfort 35 (QC-35) is the wireless Bluetooth version of the QC-25. The QuietComfort 35 (QC-35) offers slightly better noise cancellation and a slightly different noise profile. If you need Bluetooth (iPhone 7 or iPhone 7 Plus) then get the QC-35; otherwise I would recommend getting the cheaper QC-25.

Not for everyone

Noise cancellation headphones are not ideal for people that need noise-cancellation sometimes. Noise cancellation headphones are not a replacement for regular headphones. If you need good all around headphones then don't get this (or any other noise cancelling headphone) or you will be disappointed. 

The golden rule is that noise cancellation headphones add about $100-150 to the cost of headphones and typically deliver worse overall sound quality when compared to non noise-cancellation models. I can't stress that enough. 

Noise cancellation works extremely well for low frequency (machine style) sounds like a train on a track or airplane engine noise. It doesn't work as well for higher frequency sounds like voices or crying babies on a plane.

If you only need noise reduction occasionally, then you may be better served by a good pair of sealed headphones. You would get better sound quality and would probably pay a lot less.

Who should buy the QC-25

I just wrote 4 paragraphs of who shouldn't buy the QuietComfort 25 (QC-25). It is important to note that anyone who is a frequent traveler (plane or train) will definitely benefit from these headphones. By making your travel a little bit quieter, you will arrive less stressed and more refreshed.

QuietComfort 25 (QC-25) versus in-ear headphones

The best question I need to address is the eternal debate between these types of on-ear headphones and in-ear headphones. The truth is that there is no golden rule that is right for everyone.

Some people opt for in-ear headphones because they are smaller and lighter. Many people who wear glasses also prefer in-ear headphones because their frames may prevent the headphones from sealing properly, thus allowing the dreaded noise in.

Bose, likely due to owning several important noise-cancellation patents, currently makes our picks for the best over-ear and best in-ear noise-cancelling headphones. Which one should you choose? There’s no simple answer, as it depends on what you’re looking for.

The third reason I have found some travelers prefer in-ear headphones is that they find them better to sleep with on flights.

The fourth reason is that some people find that on-ear headphones make their ear hot after extended use. 

The fifth and final point is on noise cancellation for low frequency sound. From a sound quality perspective, the Bose noise cancelling headphones (QC-30) tend to reduce low frequency noises a little more and offer some noise-isolation which makes things just a little bit quieter. Mid and high sound reproduction is always better with bigger headphones, so the QC-25/QC-35 takes the crown here.

Additionally some people just can't stand having anything inserted into their ears. They find it annoying and bothersome. Obviously if you fall into this category, go with the QC-25/QC-35.

Conclusion

If you are looking for amazing sounding, super comfortable wired on-ear noise cancelling headphones then get this. The sound is good enough, it is comfortable (even on a long haul Toronto to Hong Kong flight) and it fits in a relatively smallish case for easy carry.

It offers good low frequency sound reproduction (40Hz or below) and the rest is a little muddied (which is normal for noise cancelling headphones). You can use the QuietComfort 25 even when the batteries die (which is a nice upgrade from previous models); the sound is pretty bad, but at least you aren't stranded without entertainment.

If you need Bluetooth because you can't live with wires or your smartphone got rid of the headphone port (looking at you Apple), then go with the QuietComfort 35 (QC-35).

New US Border Control rules for Canadians

General | Edward Kiledjian

Since the tightening of US border entry rules, readers have been emailing asking:

What should I do when crossing the USA / Canada border?

Canadian readers (and other non-US travelers to the US) wanted to know what the new tighter controls mean when crossing into the US.

The first important truth most travelers need to accept is that "entering another country is a privilege and not a right". Although the controls may have tightened a bit, they haven't changed materially. Having visited over 40 countries in the last 30 years, I accept the fact that anytime I cross a national border, I am subject to the controls of that country and prepare accordingly.

The cardinal rule of information security is "know your risk". The first step is to determine all your risk factors (status entering that country, data you will be traveling with, travel history, your background, travel risk level of the region you are entering, etc).

Before you leave

  1. Minimize the amount of information you travel with. People often forget the treasure trove of information they carry on a daily basis. Your smartphone (as an example) contains all your contacts, login information for all your social networks, health information, GPS location history, networks you have connected to, etc. Anytime you cross a border (not just the USA but this applies to any national border crossing), the agents are tasked with protecting that country and may "take" any information you are entering the country with to determine your traveler risk. Do not take anything you wouldn't want to hand over.
  2. Minimize the number of devices you travel with. This may sound stupid but I have seen business travelers cross the border with a personal smartphone, work smartphone, a personal tablet, a work tablet and a work laptop. Understand that anything you enter the country with can be seized or taken for analysis. With all the Snowden, Vault7 and WikiLeaks dumps, it's clear that if a border agent touches your device, you shouldn't use it anymore. You should assume it has been permanently hacked. Where possible, do not bring devices with you. If you do, try to bring "disposable" devices you wouldn't mind throwing away if need be.

What should I do before crossing the border?

  1. Remove all information from your devices that you do not absolutely need to bring with you.
  2. Anything you could need, try to move it to the cloud and securely delete your local copy.
  3. Delete any apps from your smartphone for which you don't want to hand over login credentials.
  4. If you use a password vault solution synchronized with the cloud, you may want to delete that (Lastpass, 1Password) and reinstall it after you enter the country.
  5. If you use a cloud synchronized 2-factor authentication solution, you may want to delete that (Authy) and reinstall it after you enter the country.
  6. If you can, leave the device at home. If you have a work phone, bring it with you but leave your personal one back home. Instead of bringing a tablet, try to load your content on the smartphone.
  7. If you can, travel with the least complex device possible (Chromebook instead of a laptop or tablet instead of a laptop).
  8. Ensure device encryption is turned on.
  9. Turn off your devices before crossing the border.
  10. Switch the unlock mechanism from fingerprint to password based.

At the border

Never lie to a border agent. Never! Ever! Ever!

Any foreigner that refuses to comply with a border agent request (any border not just the USA) will likely be turned away and sent back to their home country. In extreme cases, you can even be barred from entering that country again.

This means that you are "forced" to comply with any request made by the border agent. If asked for your device password, you can provide it and cooperate or defy them. If you defy the request, they will likely take the device and send it for investigation while denying you entry (maybe even keeping you for secondary questioning). Either way, once you "lose control" of your device, you should assume it has been permanently hacked and that a clean re-install will not make it trustworthy again.

They may also ask you for your social media login information. Even if you do not have the app installed on your devices, they know you have an account and can ask for the credentials. Never lie. Refusing to cooperate can cause you to be detained for additional questioning and given an entry ban.

What should I do while crossing the border?

  1. Always be polite and respectful. Remember the agent is doing his/her job.
  2. Never lie. Always be truthful. 
  3. If asked to hand over a device or password, I would do it without putting up a fight. Once you are at the border, you have decided you are engaged and have to cooperate. 

After crossing the border

If your work device was accessed at the border, notify your company information security group immediately. 

If your personal device was accessed, you have to think long and hard about what you want to do. Know that there may be a permanent (un-removable) backdoor or tracker installed on the device. In some cases even a complete factory reset won't remove it. What do you want to do? In the security space, we recommend throwing the device away and buying a new one but this is a personal decision especially with a $1000 smartphone, tablet or laptop.

Also if they accessed your device or asked for your social media login information (username/password), assume they downloaded your social graph (all of your contact info and the contact info of your contacts). I would change all my social media passwords and double check my account information (email address, recovery phrases, telephone numbers, etc). Also notify your network that you lost control of your social media account and to be extra vigilant with requests and the information being shared with you.

Other recommendations

If you travel to the US regularly, think about applying for a Nexus card (if you are a Canadian). Having a Nexus card means you have been deeply vetted and all of your fingerprints are on file. My experience has been that the Nexus has made crossing into the USA much easier. 

If you are a tech neophyte, take the time to read up on device security and security best practices. The truth is you are solely responsible for your privacy and security.

7 airport lounge access secrets you need to know

General | Edward Kiledjian

1 - Buy day-passes online

Most airlines will allow passengers to buy a lounge access day-pass online.

As an example, you can buy a day-pass from Air Canada for access to their own lounge for $25 if you are travelling on a Latitude fare. 

United Airlines offers airport lounge access day-pass for $50 here.

2 - Buy day-passes at the airport

Check directly with your airline. Even if your airline doesn't own its own named lounge at the airport, they often have deals with private lounges offering access at competitive prices. As an example, Canadian airline Westjet has partnered with private lounge operators in the various regions it travels to (Canada, Europe, Caribbean). Westjet offers airport lounge access at very competitive prices.

3 hour access to the Plaza Premium lounge costs $40 - 20% (Westjet discount) = $32. 

Some vacation package wholesalers also offer (add-on) lounge access to their customers. As an example, Signature vacations (in Toronto, Vancouver, Edmonton & Winnipeg) sells lounge access to all vacation pass holders. 

3 - Buy access to an independent airport lounge

Some airlines do not offer any type of (direct or indirect) lounge access. Other times companies buy the cheapest ticket they can find which means you may fly 10 different airlines and therefore not gain priority privilege access on any one particular airline. These are the times you may need to buy access to one of the independent lounges. 

If you travel to different airports, you may want to join one of the independent airport lounge access networks like:

As an example, Priority Pass offers access to 1000 airport lounges worldwide. Priority Pass (sold in Canada) offers 3 levels of membership:

  1. Standard ($99 a year). Every access will cost $27 for the member or guests.
  2. Standard Plus ($249 a year). Member receives 10 annual visits. Additional visits or guests cost $27 each.
  3. Prestige ($399 a year). Member receives unlimited lounge access and guests can buy access for $27. 

Some credit cards have standing agreements with these lounge access wholesalers and allow you to buy access without having to pay an annual membership fee. As an example, Diners Club Canada offers members access to worldwide lounges at affordable prices.

Here is an example of their Canadian airport lounges you can buy access to. Access to a lounge in Toronto is about $US30.

4 - Get a credit card with lounge access

If you travel a lot, it may make sense to use a travel credit card that includes access to airport lounges (either free or pay per use without requiring an annual membership to a lounge network).

Credit Walk (Canada) has published an interesting article comparing various credit card lounge access programs.

Sleeping in Airports (USA) also has an article about credit cards offering lounge access.

5 - Buy a refundable business class ticket

Some travel forums (e.g. maphappy, boarding area, view from the wing) recommend that you buy a full price refundable business class ticket for travel the same day as your regular discounted ticket, use the lounge and then refund the ticket.

I have never used this technique and you should make sure the ticket is still refundable if you use the lounge. I know airlines like United have started implementing lounge access software that will help curb this type of abuse but I know this still works on some airlines. 

6 - Buy lounge access from other passengers

You can sometimes buy lounge access from other travelers on classified type sites at discounted rates (eBay, Craigslist, etc). Make sure you check any restrictions that may apply.

Someone selling 4 Air Canada Maple Leaf lounge access on eBay.

7 - Use a Smartphone App for lounge access

There are travel smartphone apps like Loungebuddy (iOS & Android).

Loungebuddy offers on the spot lounge access purchased on your smartphone without requiring an annual subscription.