Insights For Success

Strategy, Innovation, Leadership and Security

OnePlus policy that makes it a better buy than Samsung, HTC or LG

General | Edward Kiledjian

As a security technologist, the security philosophy of the OEM is a crucial determinant of my decision to buy or recommend a device. This is where Apple shines with its iPhone update strategy: every supported iPhone receives security and OS version updates at the same time.

This is also why I highly recommend Google's Pixel devices: the Pixel line offers the same regular and speedy update schedule. The other Android manufacturer that has shown it cares about upgrades is OnePlus. Until this week it did a good job of delivering updates quickly, but it had not formally committed to a software upgrade schedule.

(Figure: OnePlus software maintenance schedule, not reproduced here)

All of that changed this week when OnePlus unveiled its new Android maintenance schedule. It has copied the Google Pixel model and will deliver major OS upgrades for two years and security updates for three years from a phone's release.

As per the maintenance schedule, there will be 2 years of regular software updates from the release date of the phone (release dates of T variants would be considered), including new features, Android versions, Android security patches and bug fixes and an additional year of Android security patch updates every 2 months.
— OnePlus OS Maintenance Schedule

Conclusion

OnePlus has always offered solid, well-designed devices at competitive prices. This new software maintenance commitment makes their offering that much more compelling.

I can no longer recommend devices from manufacturers that do not regularly deliver security and version upgrades. This is why I only recommend Android devices from Google, BlackBerry Mobile and OnePlus.

Google launches New Tasks App (Mobile & Web)

General | Edward Kiledjian

In a blog post entitled "With new security and intelligent features, the new Gmail means business", David Thacker (Google VP Product Management, G Suite) announced, "We’re also introducing a new way to manage work on the go with Tasks."

The refreshed Tasks system will be available on the web with accompanying mobile apps (Android and iOS). It will let you create tasks and subtasks with due dates and notifications.


The current Tasks was an anemic stand-alone product that barely worked. The new one integrates with G Suite and lets you drag and drop emails from Gmail, files from Google Drive and more.

Now you can quickly reference, create or edit Calendar invites, capture ideas in Keep or manage to-dos in Tasks all from a side panel in your inbox.
— David Thacker

The announcement was made on the G Suite (enterprise) blog, but the update will flow to the free consumer version as well.

The Google help centre provides additional information about how all of this will work.

The new Android app is available from Google Play and the iOS app from the App Store.

OPSEC - Security when making calls

General | Edward Kiledjian

RELATED: OPSEC - Introduction to Malware

RELATED: OPSEC - How to securely delete files

If you make calls with a cellphone or a landline, assume that the conversation can easily be intercepted by the carrier providing the service, and by any government agency that has control over that carrier. Security researchers have also shown that, with roughly $1,500 in parts, they can build a device that intercepts cell phone calls by impersonating a cell tower (an IMSI catcher), so the threat is not limited to the carrier itself.

Regular phone calls on your cell phone (including SMS and MMS messages) are easily intercepted and should be considered insecure.

What about VOIP?

VOIP stands for Voice over IP, and any app that lets you make voice calls is typically using VOIP (WhatsApp, Skype, Duo, etc.). Many carriers have started offering Voice over WiFi (VoWiFi) and Voice over LTE (VoLTE). Both are the carrier's own voice service carried over IP, so they have the same security (or insecurity) as a regular call on your carrier's cell network: the carrier terminates the call and can intercept it.

Some VOIP software offers decent or good end-to-end encryption. It requires both parties to use the same software, and vendors typically call out the encryption in their literature. But be careful: not all encryption is created equal. Telegram Messenger advertises that it is secure, but a deep dive into its model shows it uses "bad" (my opinion) encryption and shouldn't be trusted. Note also that Telegram's default cloud chats are not end-to-end encrypted at all; only its Secret Chats are.

RELATED: Telegram Messenger isn't as secure as you think

So some VOIP services offer good, reliable encryption and others don't. Here are the ones you can rely on.

Signal

I have written about the free, open-source Signal messaging app for years. The Signal Protocol is the de facto reference for how to build solid end-to-end encryption; it was good enough that WhatsApp adopted it, with the Signal developers' help, when it wanted to improve its security.

RELATED: Whatsapp to become more secure than Apple Messages

Signal is cross-platform (Android and iOS, with desktop clients for Windows, Mac and Linux). It offers encrypted text messaging and encrypted voice calling.

Signal uses your existing phone number and address book to simplify authentication and discovery of other users, so there is no separate username or password to remember. The trade-off is that your phone number is your identity: anyone you talk to on Signal learns it.

I have to highlight that a motivated attacker can still collect metadata about Signal calls, because the central servers are run by Open Whisper Systems (now the Signal Foundation). The servers cannot listen in on calls or read messages, but they are in a position to observe who connected to whom, when and for how long, even though Signal states that it does not retain this. Having said that, Signal is still the most secure and best-built encrypted messaging app around, and it is free.

Jitsi for encrypted video chats

If you want a free, open-source tool for encrypted video chats (it does audio too), take a look at Jitsi Meet. It also supports group calls. There is no requirement to sign up for anything, so your personal information isn't sitting on some third-party server. One caveat: group calls are relayed through the Jitsi server (the videobridge), which decrypts the DTLS-SRTP streams in order to forward them, so the operator of that server (meet.jit.si or whoever hosts it) can see them; only a direct two-party call stays between the participants. If that matters, host your own instance.

You visit the site, enter a meeting name (no spaces, and hard to guess) and share that link with the other participants. That's really all there is to it. Since anyone who knows or guesses the meeting name can join, treat the name like a password: use a long random string, not a dictionary word.

What about Skype or Google Hangouts?

Most VOIP solutions offer transport encryption, which means a third party such as your carrier can't eavesdrop on the wire, but the provider decrypts the data once it reaches its own network and can read or record it there. In most cases I discourage the use of these services where security is the utmost priority. One caveat: Skype has announced that it will work with the Signal team to implement end-to-end encryption (as WhatsApp did), but that is still many months away.

There are dozens of products that use security to differentiate themselves, and most have not been independently reviewed. I recommend you stick to the two products mentioned above.

Conclusion

Good security requires some planning but is well worth the effort. Hopefully, this article helps.

What is DXO Mark Mobile and should you care?

General | Edward Kiledjian

Over the span of a couple of weeks, we saw three phones released, and with every release, the manufacturer touted the device's incredible "best ever" DXO Mark Mobile performance rating:

  1. Samsung released the Galaxy Note 8 with a DXO Camera score of 94
  2. Apple released the iPhone 8 Plus with a DXO Camera score of 94
  3. Google released the Pixel 2 / Pixel 2 XL with a DXO Camera score of 98

Manufacturers love touting these scores to "prove" that they have designed the finest camera a distinguished tech user could ask for. For all intents and purposes, technology should get better and this means every new phone released (at the high end) should have better overall performance than its predecessor. Why would you buy an inferior phone?

While most blogs blindly write headlines repeating this single "representative" number, very few actually take the time to read the full DXO reviews and explain the details to their readers. 

It's complicated

The first thing to keep in mind is that blending complex factors into a single easy-to-digest number is complicated and may mislead some readers. While most blogs only show the single number, DXO actually provides a generous amount of valuable information for the curious reader.

The DXO tests include a slew of carefully controlled lab tests and other real-world tests that are more subjective.

If we pick on today's "highest ranking" phone, the Google Pixel 2, here is how the rating of 98 is made up:

(Figure: DXO Mark Mobile score breakdown for the Pixel 2, not reproduced here)

DXO provides detailed test results and write-ups for each of these categories. While most blogs will tout that the Pixel 2 has a rating of 98 (the best ever rating for a smartphone), they rarely provide the makeup of that number.

And the make-up of that number is critical to your buying decision. If you will use the camera primarily for video, you may notice that it scored 96 in the video sub-score. You can also check how DXO arrived at that score by looking at the attributes that matter to you:

  • Exposure and contrast
  • Color
  • Autofocus
  • Texture
  • Noise
  • Artifacts
  • Stabilization

Remember that the video rating of 96 is not a straight average of these attributes but rather a "black box" formula closely guarded by DXO.

Is DXO Mark Trustworthy?

The next question is "can you trust the DXO testing methodology"?

Having reviewed the public information made available by DXO, I say yes. They have a well-documented methodology that is as good as it is going to get. I trust their rating but use the detailed review information to make up my mind, not the single number most blogs publicise. 

It is also important to keep in mind that DXO is a for-profit consulting company that manufacturers hire. DXO works with manufacturers to tune their imaging systems and get the best possible performance out of the equipment and software. DXO also sells image quality testing solutions.

I do not believe this consulting arm influences the device ratings in any way but it is still an important fact to keep in mind.

DXO Optics Pro

DXO Optics makes very good photo improvement software because of all the camera/lens knowledge they have accumulated. They know the shortcomings of each camera/lens combination and can thus build specific correction profiles.

I own their software and paid for it myself. 

90% of all the questions I receive these days are about comparing the iPhone to the Google Pixel 2. In addition to all the information I have already written and the info provided above, there is one more piece of knowledge you should consider.

The Google Camera app on the Pixel 2 does not natively support RAW capture, while the iPhone does (via third-party camera apps on supported models). This means DXO Optics Pro has corrective profiles for iPhone RAW images, but not for the Pixel 2. This could be a major deciding factor for the more astute or demanding mobile photographer.

Conclusion

I know most users simply don't care about the details. They want one easy to read headline that justifies their belief (Google is better / iPhone is better). My ask is that you, my more knowledgeable readers, take the time to look at the data that makes up the numbers.

It's a worthwhile investment of your time.

VyprVPN Review

General | Edward Kiledjian

VyprVPN owns and manages its own networks and servers. During my recent VPN testing shoot-out, VyprVPN consistently ranked as one of the fastest VPN providers out there. 

In addition to raw speed, they have an incredible list of supported clients, from traditional PCs (Mac, Windows, Linux) to routers (DD-WRT, OpenWrt, AsusWRT), smartphones (iPhone, Android, Blackphone), Network Attached Storage (QNAP, Synology), TVs and the Anonabox.

Contrast this to other popular VPN solutions like UnlimitedVPN, which only supports a small number of custom made clients.

Its VPN clients are well designed, with easy-to-use interfaces and useful features (kill switch, auto-connect, etc.). A cool and useful feature is called Chameleon. They describe Chameleon as:

Our Chameleon technology uses the unmodified OpenVPN 256-bit protocol and scrambles the metadata to prevent DPI, VPN blocking and throttling.

The first important note is that the Chameleon protocol is not available for iOS due to Apple's restrictions on the VPN function. I had the opportunity to test the Chameleon protocol on a Windows laptop from a corporate network with strong VPN restrictions, on an ISP that throttles VPN traffic, and from a country that severely (painfully) slows down VPN traffic. In all three situations, the Chameleon protocol delivered what it promised.

  • It punched through the heavily controlled corporate network
  • When used with the ISP that throttles "normal" VPN traffic, it managed to trick the provider and I was able to use a full speed connection
  • A friend travelling to a highly restrictive country compared VyprVPN to 3 other VPN providers and VyprVPN with the Chameleon protocol was the only one that seemed to operate at normal speed (aka didn't seem to be artificially slowed down)

With more and more internet traffic being encrypted, many companies, organisations and governments have turned to DNS-based control tools. DNS is still an unencrypted protocol, so whoever handles your queries learns every site name you look up. It can be used to block access to certain types of sites (religious, political, pornography, etc.), to log your browsing habits, and to redirect your traffic, quickly and without you realizing it, to a server that injects malicious code into your session and compromises your device. (HTTPS limits the redirection attack, since an impostor server cannot present a valid certificate for the real site, but plain-HTTP traffic has no such protection.) VyprVPN offers its own self-managed private "no log" DNS resolvers to protect customers from DNS snooping and control.

VyprVPN offers a clear and well-written privacy policy. Obviously you aren't anonymous but in summary, they retain " Each time a user connects to VyprVPN, we retain the following data for 30 days: the user's source IP address, the VyprVPN IP address used by the user, connection start and stop time and the total number of bytes used."

And they offer a wide range of termination (server) locations.

VyprVPN and leaktests

I setup VyprVPN on a Windows machine configured for maximum privacy. I then ran a battery of tests to determine how well it protected my privacy.

  • it does not leak DNS queries when in VPN mode (checked with an online DNS leak test page)
  • it hides your actual IP address (checked with an online IP check page)
  • it does not leak IP or DNS information via Java or Flash (checked with the plugin leak tests on the same pages)
  • it protects P2P traffic. Although I do not condone or encourage the use of P2P tools to steal protected media, there are dozens of legitimate uses for P2P technology. It is important to ensure your VPN product protects you while using P2P, and VyprVPN did. On the leak test site, find the Torrent Address Detection test, load its magnet link into your P2P client of choice, then activate the test. If it shows your real IP or DNS, you are not protected; you should only see your VPN address there.
  • it is not subject to WebRTC leaks when in VPN mode (checked with an online WebRTC leak test page)
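The tests above each report one observation: the address an IP check page sees, the address a torrent tracker records at announce time, the resolver addresses a DNS leak page sees, and the ICE candidates a WebRTC page gathers. As an added example (not VyprVPN's code, nor code from any leak test site), the following Python script takes those observations and decides whether the tunnel leaked, so the same checks can be scripted against any VPN client. Every address in it is a constructed placeholder from the RFC 5737 documentation ranges and private ranges; the VPN exit address, the provider's DNS range and the SDP candidate lines are assumptions, not VyprVPN's real values.

```python
"""Offline evaluation of VPN leak test observations (added example, constructed data)."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List

# Assumed facts about the tunnel under test (constructed, documentation-range values).
VPN_EGRESS = ipaddress.ip_address("203.0.113.10")        # exit address the world should see
VPN_DNS_NETS = [ipaddress.ip_network("203.0.113.0/24")]   # provider's own resolvers
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# ICE candidate line: "a=candidate:<foundation> <component> <proto> <priority> <ip> <port> typ <type> ..."
CANDIDATE_RE = re.compile(r"^a=candidate:\S+ \d+ \S+ \d+ (?P<ip>\S+) \d+ typ (?P<typ>\S+)")


@dataclass
class LeakReport:
    findings: List[str] = field(default_factory=list)

    def ok(self) -> bool:
        return not self.findings


def check_observed_ip(report: LeakReport, source: str, observed: str) -> None:
    """The IP check page and the torrent tracker must both see only the VPN exit."""
    if ipaddress.ip_address(observed) != VPN_EGRESS:
        report.findings.append(f"{source}: remote side saw {observed}, not {VPN_EGRESS}")


def check_dns(report: LeakReport, resolvers: List[str]) -> None:
    """Every resolver the DNS leak page saw must belong to the VPN provider."""
    for r in resolvers:
        addr = ipaddress.ip_address(r)
        if not any(addr in net for net in VPN_DNS_NETS):
            report.findings.append(f"dns: query reached resolver {addr} outside the VPN")


def check_webrtc(report: LeakReport, sdp: str) -> None:
    """Parse ICE candidates and flag any that expose an address other than the exit.

    srflx (server-reflexive) candidates carry the address a STUN server saw us from,
    which must be the VPN exit. host candidates normally carry LAN addresses; one that
    carries a non-LAN address is exposing the ISP-assigned address of a local interface.
    """
    for line in sdp.splitlines():
        m = CANDIDATE_RE.match(line.strip())
        if not m:
            continue
        ip, typ = ipaddress.ip_address(m["ip"]), m["typ"]
        if typ == "srflx" and ip != VPN_EGRESS:
            report.findings.append(f"webrtc: STUN reflected {ip} instead of {VPN_EGRESS}")
        elif typ == "host" and not (ip.is_loopback or ip.is_link_local
                                    or any(ip in net for net in LAN_NETS)):
            report.findings.append(f"webrtc: host candidate exposes {ip}")


def evaluate(ip_check: str, torrent_ip: str, resolvers: List[str], sdp: str) -> LeakReport:
    """Run all checks over one set of observations and return the combined report."""
    report = LeakReport()
    check_observed_ip(report, "ip-check", ip_check)
    check_observed_ip(report, "torrent", torrent_ip)
    check_dns(report, resolvers)
    check_webrtc(report, sdp)
    return report


# Constructed SDP fragments: a clean run (STUN sees the exit) and a leaky run
# (STUN sees the ISP address and a host candidate carries it too).
SDP_CLEAN = """\
a=candidate:1 1 udp 2122260223 10.0.0.5 54321 typ host
a=candidate:2 1 udp 1686052607 203.0.113.10 54321 typ srflx raddr 10.0.0.5 rport 54321
"""
SDP_LEAKY = """\
a=candidate:1 1 udp 2122260223 10.0.0.5 54321 typ host
a=candidate:2 1 udp 1686052607 198.51.100.77 54321 typ srflx raddr 10.0.0.5 rport 54321
a=candidate:3 1 udp 2122260223 198.51.100.77 60000 typ host
"""

if __name__ == "__main__":
    clean = evaluate("203.0.113.10", "203.0.113.10", ["203.0.113.53"], SDP_CLEAN)
    leaky = evaluate("203.0.113.10", "198.51.100.77",
                     ["203.0.113.53", "198.51.100.1"], SDP_LEAKY)
    print("clean run:", "no leaks" if clean.ok() else clean.findings)
    print("leaky run:", "no leaks" if leaky.ok() else "\n  " + "\n  ".join(leaky.findings))
```

In the leaky run the IP check page still shows the VPN exit, which is exactly the situation the torrent, DNS and WebRTC tests exist to catch: the browser's main connection goes through the tunnel while the torrent client, the system resolver and the WebRTC stack each take a path that does not. Feed real observations into `evaluate` (the STUN candidate strings are available from `RTCPeerConnection.onicecandidate` in the browser) and treat any finding as a failed test.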

The VyprVPN client seems well written and does offer good protection against these leaks.

Beware of the unknown

The only information that we have about the service comes from VyprVPN themselves. Remember that none of the statements about privacy and logging have been reviewed by an independent third party.

They are a US company and therefore they are subject to US data collection laws including the infamous National Security Letter (NSL). 

The above caution statement isn't unique to VyprVPN. I am not aware of any consumer VPN services that have been independently audited but it is still an important factor to consider. 

Some users may want to use a non-US based VPN provider to ensure the company is beyond the legal reach of US laws. The one I am looking into right now is ProtonVPN (which I will be reviewing shortly).

Other users may choose to roll their own VPN solution (Lifehacker has instructions using the Algo script, or you can use any one of the other scripts that almost fully automate the creation of a private dedicated VPN instance you control, such as OpenVPN road warrior, Streisand, etc.).

Conclusion

VyprVPN is a fast service with a broad selection of clients and a decent privacy policy. If you are performing illegal activities or are a human rights activist in a questionable region, this probably isn't for you. If you are a "regular" user looking for a decent level of privacy when using the internet, then this is definitely something you should consider.

For the casual user who only connects to a VPN on public WiFi, you may want to look elsewhere because VyprVPN isn't cheap. A prepaid annual subscription costs $6.67 a month (or $12.95 paid monthly). A casual user can buy a lifetime subscription to UnlimitedVPN for $49.99, or a 3-year subscription for $29.99.

I started testing ProtonVPN recently and will write a review shortly, but their Plus offering is $8 a month prepaid for 1 year. VyprVPN offers the Chameleon protocol, more servers and its own DNS service (which ProtonVPN does not yet).

So the price is on the higher end but is in no way the most expensive. For the very casual user, you could be better served by another provider, but for the more security-conscious user or traveller, this is definitely a service to evaluate.