Insights For Success

Strategy, Innovation, Leadership and Security

What is a Progressive Web App

General · Edward Kiledjian

Over the last 18 months, I have seen more and more sites prompting me to "Add to Home Screen" while I was browsing them. When you add such a site, it installs itself in the background and is then accessible from your smartphone like a native app.

What I have just described is the wondrous workings of a fairly new technology called Progressive Web Apps. This technology (called PWA) works even when you are offline and behaves like a "normal" smartphone app.

What are progressive web apps?

PWAs were created by Alex Russell and Frances Berriman. The technology driving Progressive Web Apps isn't new; what was required was a new recipe to make web apps behave like native apps. This means that a progressive web app will work (as long as the platform supports it) on an iPhone or Android smartphone, a Chromebook or iPad, on Windows or Mac.

True cross-platform applications without needing to join an app store with super restrictive controls (I'm looking at you, Apple).

Why Progressive Web apps

Like many of you, I live in a world with abundantly fast internet. This simply isn't the reality everywhere. Even in my own backyard of Ontario (Canada), there are communities where internet is delivered via very slow ADSL.

PWAs, once installed, cache the content locally which means they will respond quickly even for those on slow internet connections.

Statistics show that users still prefer native apps to web pages. There are a ton of reasons for this, from convenience (a single tap from your home screen) to the ability to get push notifications. The web simply doesn't offer the same bells and whistles.

PWAs offer most (if not all) native functions. They start up with a single tap from the home screen and can hook into most native features. PWAs can even deliver notifications (like a native app) and therefore remind the user to open and engage with the app.

What is required to build a progressive web app?

This is not a technical instructional article, but you need 4 elements to build a Progressive Web App:

Google Firebase Web App Manifest Generator

  1. Web App Manifest - A JSON file with metadata about the web app. It contains information such as the icon, background color, app name, etc.

  2. Service Workers - Event-driven agents that work in the background. They perform tasks like updating the web app or its content.

  3. Icon - You need an icon to represent the Progressive Web App on the home screen.

  4. HTTPS - The app and its content must be securely delivered over a TLS session.
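To make the four elements concrete, here is an added example of a minimal web app manifest. It is not from the original post or from any real app; every value in it (the app name, the paths and the colours) is a constructed placeholder.

```json
{
  "name": "Example Travel Planner",
  "short_name": "Planner",
  "start_url": "/?source=pwa",
  "scope": "/",
  "display": "standalone",
  "background_color": "#ffffff",
  "theme_color": "#0a5cab",
  "icons": [
    { "src": "/icons/icon-192.png", "sizes": "192x192", "type": "image/png" },
    { "src": "/icons/icon-512.png", "sizes": "512x512", "type": "image/png" }
  ]
}
```

The file is referenced from the page with a `<link rel="manifest" href="/manifest.webmanifest">` tag, and the `icons` array is where the home-screen icon (element 3) comes from. Two points matter for the security side of the list: the `start_url` and `scope` must be on the same origin as the page, and browsers will only register a service worker (element 2) for a secure context, in practice an HTTPS origin (or localhost for development), which is why element 4 is a hard requirement rather than a recommendation.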

Progressive Web app examples

You will find new PWAs every day but here are a couple of cool ones to get you started:

Changing Google.com country domain no longer works

General · Edward Kiledjian

Google power users knew that changing the Google country top-level domain (ccTLD) would allow you to find results optimized for another country or language (e.g. searching Google.ch instead of Google.com to get more Swiss-biased results).

There are a ton of reasons why I used this little trick:

  • Accessing Google.com results when terminating a VPN in another country
  • Travelling to a European country that skews results (right to be forgotten) and wanting "real" information returned
  • and much more

In a blog post, Google announced that results will now be customized based on the user's location (without regard for the ccTLD typed into the URL). So if I am in France and try to access American results by using the Google.com site, I will still get French results.

Google explains that 1 in 5 searches is location dependent (so detecting and using the user's actual location makes sense). If I am travelling to Paris and search for pâtisserie, the logical assumption is that I am searching for a pâtisserie in Paris, not Toronto (my home city).

You can still search for results in another location, but the process is much more complicated now (you can go into settings and select the country service you want to receive).

It’s important to note that while this update will change the way Google Search and Maps services are labeled, it won’t affect the way these products work, nor will it change how we handle obligations under national law.
— Google blog post

Source: Google Blog

What the CIA Vault7 Wikileak really means for consumers

General · Edward Kiledjian · 1 Comment
Wikileaks Unveils ‘Vault 7’: “The Largest Ever Publication Of Confidential CIA Documents”; Another Snowden Emerges
— Zerohedge
It includes software that could allow people to take control of the most popular consumer electronics products used today, claimed WikiLeaks.
— independent.co.uk
Surprise, everyone, the US Central Intelligence Agency (CIA) allegedly has the means to hack everyday electronics.
— techradar.com

Yes, Wikileaks released a very large chunk of CIA information dubbed Vault7 that explains some of the hacking capabilities of the US intelligence service vis-à-vis consumer electronics. Obviously this "isn't good" from a privacy perspective, because if the US intelligence community has these capabilities, other nation-states may also have them.

After going through some of the information, I want to dispel some of the FUD (Fear Uncertainty and Doubt).

Are Whatsapp or Signal hacked?

I have written about Whatsapp security and professed my love for Signal. Many readers messaged me in a panic asking if these apps had "weak" security and had been breached by the CIA.

Signal and Whatsapp encryption was not broken.

The CIA would compromise the smartphone (iPhone or Android) and then install malware that records audio, text or video before the Whatsapp/Signal encryption is applied.

The Wikileaks statement reads like this:

These techniques permit the CIA to bypass the encryption of WhatsApp, Signal, Telegram, Wiebo, Confide and Cloackman by hacking the ‘smart’ phones that they run on and collecting audio and message traffic before encryption is applied.
— Wikileaks

So the short answer is no, these messaging apps were not compromised and their security is still good. Every security researcher knows you must, must, must secure the endpoint, because it is normally the weakest link in the chain. Here is proof.

The security of the Signal protocol was recently reviewed during a security audit and it passed with flying colours. The EFF also rates Signal as an "all green" messaging app.

Is the CIA hoarding zero-day vulnerabilities?

We don't know what the CIA is really doing, but based on the Vault7 Wikileak, I would say no. Very few zero-day attacks seem to be mentioned in the dump, and any that were are being actively used. Nothing in the leak seems to indicate a hoarding of zero-day vulnerabilities for emergency use.

The attacks mentioned in the leaks may be worrisome to John or Jane Doe, but they are nothing new for anyone working in security. They seem to be leveraging "stuff" already known in information security circles. Yes, they sometimes buy advanced attacks from brokers or researchers, but most of what I read, I expected them to have.

Nothing I read would indicate that the CIA digital attack toolkit is better than that of the NSA. It is safe to assume the NSA has much stealthier and more powerful tools.

Do I break my Smart TV?

Don't throw away your Smart TV just yet. We learned that the CIA can hack your Smart TV and turn it into an espionage tool by running hacking software via the USB port on the TV. Let me say that again: via the USB port.

Nothing in the document indicates that they can do this remotely via the internet. In security, we always assume that it is impossible to protect an asset if a bad actor can gain physical access to it. Nothing new here. 

Attribution

There are two pieces of malware in the wild that were thought to have come from China and Russia but can now likely be attributed to the CIA. These leaks provide enough information for security companies to make educated assumptions about malware whose source they know about and are trying to identify.

A colleague working for a US security company said that they can now attribute two malware families to the CIA that were previously thought to have come from China or Russia. He said his company will now use the info in these leaks to build signatures to detect and remediate some of the vulnerabilities mentioned here.

Does this hurt the CIA? I would say no. There are enough vulnerability brokers in the dark market, and the CIA has enough money to quickly rebuild a new toolkit.

Are these advanced hacking techniques?

No. They may seem advanced for the average Joe, but there wasn't anything monumental or earth-shattering for a security researcher. Funny enough, I've been chatting with one of my employees about a new tool from Hak5 called Bash Bunny. The Bash Bunny seems to be more advanced than many of the techniques revealed in this document.

Is my tech safe?

The BBC published a good article documenting the reaction from major consumer tech manufacturers. 

As expected, Apple provided a lengthy response and committed to working with its security team to plug as many of the holes as quickly as possible.

While our initial analysis indicates that many of the issues leaked today were already patched in the latest iOS, we will continue work to rapidly address any identified vulnerabilities
— Apple PR

Samsung provided this response

We are aware of the report in question and are urgently looking into the matter.
— Samsung PR
We are aware of the report and are looking into it
— Microsoft PR

Notably absent (at least while I write this) is a response from Google about the vulnerabilities in Android that were actively exploited. As we know, not all Android phones receive timely updates, and even those that do have some worrisome vulnerabilities.

For the general consumer who is not being targeted by a nation-state intelligence agency, as long as you adhere to good security practices, a Google-branded Android phone will be just as safe as an Apple iPhone. I cannot recommend buying an Android phone from any other manufacturer, as updates may be slow or non-existent.

If you are in a job where security is critical, I would still contend that the iPhone is likely more secure because of the way Apple locks everything down.

Conclusion

I won't lose any sleep over the CIA leak. Yes, it confirms that the US intelligence apparatus is actively targeting consumer hardware, but we all assumed they were doing this anyway. Nothing in this leak revealed anything new, and I would assume the NSA Signals Intelligence team is still the king of the hill. Sure, the CIA seems to have a couple of pocket knives, but the NSA still has that 10" Rambo knife strapped to its belt.

Also assume anything the US is doing can be easily replicated by other nation-state actors. Do you really want foreign governments to have these abilities and your own (Canada, US, UK, Australia, etc.) not to?

The 6 apps every traveller should download now

General · Edward Kiledjian
image by fdecomite used under Creative Commons License

The smartphone has quickly become the most important device we own. It allows us to be productive at work. It allows us to stay in touch with family and friends. It helps keep us healthy and accountable. 

It has also become the traveller's best friend. I can't imagine taking a trip without it, and here are some of my favourite apps that make travelling better, more efficient and much more fun.

1 - Uber and Lyft

I know Uber and Lyft have created an uproar in dozens of cities around the world. Taxi drivers are upset and are lobbying their governments to block them... Try as you may, you cannot block progress. I have used Uber's UberX in dozens of cities around the world and it has always been a fantastic experience.

Sure, UberX is cheaper in most cities compared to traditional licensed taxis (cabs), but it is also a much better experience. You can order a car without talking to anyone and are always able to get transportation, even during the busiest travel times. I can spend 30-45 minutes in New York or Chicago trying to hail a cab, but can book an UberX within minutes.

Even with surge pricing, the convenience of Uber makes it a must and therefore number 1 on my list.

2 - Waze

I avoid renting a car whenever possible and choose Uber (see number 1), but regardless of the mode of transportation, Waze has found a permanent spot on my must-have travel app list.

Waze has sometimes shown me great shortcuts to beat traffic that I have asked my Uber driver to take (which saves you money).

3 - Rome2Rio

Rome2Rio is a very easy app that lets you "search any city, town, landmark, attraction or address across the globe with thousands of multi-modal routes to easily get you from A to B." It is a great way to find good routes from point A to point B. It even includes options with Uber, taxi, local public transit (including trains) and more.

4 - Google Translate

Google Translate is the babel fish of our time. It breaks through language barriers, allowing you to explore freely. In addition to the website, Google offers Translate apps for iOS and Android (all free). At its base, it allows you to translate between 52 languages offline (without an internet connection). It allows you to perform two-way voice translation in 32 languages and camera translation of text in 29 languages.

This camera translation feature was incorporated when Google bought a company called WorldLens. This cool trick allows you to translate signs, menus and invoices. 

5 - XE Currency Converter

Knowing the conversion between currencies is the difference between getting a good deal and getting taken advantage of. I have been using the XE.com currency conversion on their website for years, and the XE app makes everything that much easier (iOS, Android, Windows and Blackberry).

Be careful, because you can rarely convert currencies at the listed rate (most agents make their money by charging a high spread), but it is still very useful to know if someone is trying to take advantage of you during currency conversion.

6 - AirHelp

So this isn't an app, but it is so good and useful that I just had to add it. AirHelp is a service that helps passengers secure reasonable compensation from airlines when you are delayed, your flight is cancelled or the flight is overbooked. Most passengers don't know their rights and wouldn't know where to start to seek compensation. The service is free and starts when you allow them to scan your emails for flight information. They will tell you if you are entitled to a claim, and they only get paid if you do (they charge 25% of the compensation amount). They can go back up to 3 years, and I have friends that have managed to recover up to $1000.

AirHelp is an international service so why not try it?

Microsoft to launch global wifi network for enterprise customers

Technology · Edward Kiledjian

Microsoft's Skype entity already offers a product called Skype WIFI (link) which allows you to buy WIFI access in millions of locations by the minute. A barebones webpage now may indicate that Microsoft has bigger plans for its WIFI resale business and may be branding it Microsoft WIFI (link).

The service (purportedly) will offer access to its millions of WIFI access hotspots to Office 365 Enterprise subscribers, Surface 2 owners or buyers of the Work & Play bundle. 

The DNS lookup of the website seems to indicate that it belongs to Microsoft, so I am assuming it is legitimate, but it is still very sparse and missing tons of information. Based on the info it does contain, it looks like this service will continue on the path started by Skype WIFI, where Microsoft resells WIFI hotspot access belonging to other providers such as Boingo, XFinity WIFI, BT and more. And yes, it does look like a global service.

We don't know the model they will use. Will it be a subscription based model, a pay-per-use model or a hybrid? Will some access time be included in the base subscriptions? 

We do know, based on the website, that they will have apps for most platforms including Windows, Android, Mac OS X, iOS and Windows Phone. Skype WIFI also offered an app for these platforms but also included one for Linux (which the Microsoft WIFI page does not mention right now).

At this point that's all we know but I'll keep watching this site and report back when things develop further.