Search Google for "Bug-out bag," and you will get 137M results. YouTube has a 144K videos discussing it. A Bug-out bag (also called Go Bag, BOB, 72-hour kit, grab bag, a battle box, personal emergency relocation kit) is a small personal maintenance kit that would allow you to survive 72-hours when faced with an emergency. 

Most emergency agencies reconnect you prepare some kind of emergency kit. Emergency Preparedness Canada has a website dedicated to building basic bug-out kits. The US Department of Homeland security offers similar suggestions on their website. 

Without going overboard, the purpose of this article is to provide general guidelines for the average Joe interested in being better prepared (not for a survivalist or extreme prepper).

Where should I keep it?

Location, location, location... You Bug-out bag is useless if you cannot quickly grab it during an emergency and quickly leave the risk region. 

Your bug-out bag should be kept close to the main exit for your dwelling so you can grab it and go. 

An operational security expert will typically run several scenarios to evaluate possible calamities and what the best exits would be (it isn't always your front door). Spent some time thinking about this and place your bug-out bag close to the exit you are most likely to use (garage, front door, back door, bedroom windows, etc).

Basic bug-out bag items

In security, you can spend a little or a lot, it really depends on your level of paranoia. Most people don't need a 200lb bug-out bag that contains $500 of survival items. So here are the basic everyone should have in their kit:

Documents

1. National identification documents (originals or copies). These can include drivers licenses, passports, medical identification cards, etc
2. Keep a couple hundred dollars of cash money in different denominations (assume the electronic payment networks may be unavailable)
3. A printed list of emergency contacts (local hospitals, police stations, family members, friends, etc) 

Personal Items

1. A basic $20 first aid kit (from the pharmacy or Costco)
2. A couple of litres of drinking water in sealed containers
3. High calorie easy to eat snacks (that do not require preparation)
4. Head covering (in case you have to walk in the sun, rain or snow), I keep a buff multiuse scarf
5. Bug repellent
6. Sunblock
7. Prescription medication, glasses and contact lenses

Communication Gear

1. A mobile phone (if possible an extra pre-paid SIM on a different network)
2. Hand crank powered emergency radio 
3. Small notebook, pen and pencil
4. Printed local maps (street and topographic)
5. A large (at least 20,000 mAh) external battery to charge your electronic gear. My battery of choice right now is the OmniChage Pro

General Gear

1. A multipurpose knife (my choice is the Victorinox SwissChamp)
2. Flashlight (ideally something that can be charged with your external battery via USB).
3. "Normal" candle and weather resistant matches
4. 550-lb paracord
5. Handheld mirror
6. Phrasebook if travelling abroad

The Pack

Talking about Bug-out bags is like discussing religion. Everyone has strong opinions about that the "best" bag is. My recommendation is to choose a backpack (since these balance the weight better and are easier to carry over long distances). 

My only recommendation is to choose something that is as light as possible while being resistant.

A captive portal is the intercept page you see when trying to log into most free public WIFI hotspots (e.g. airport, restaurant, hotel, etc.) You are normally shown a page that collects your email and then asks you to agree to the provider's terms of conditions. 

As browsers adopt more secure protocols by defaults (iPhone, Android, Windows, Mac, iPad, etc.) there are situations when your device may not trigger the portal webpage correctly. The browser may block redirection to the portal page because it is typically transmitted using unsecured HTTP. 

In some cases, devices will attempt to detect and open an unencrypted webpage to allow the public WIFI router to inject a redirect URL. WirelessPhreak has a good technical article that discusses why new more secure tech is causing this issue. 

Each smartphone manufacturer uses a different non-SSL webpage to detect a captive portal:

• Google Android: http://connectivitycheck.gstatic.com/generate_204
• Apple iPhone & iPad: http://captive.apple.com/hotspot-detect.html

What do you do if that automated portal detection doesn't work? How to you trigger the captive portal?

Enter the webpage Never SSL. If you are connected to a public WIFI (that should work) but are not seeing the captive portal, open your browser of choice and navigate to http://neverssl.com/
 

This will fix your issue and you should be bathed in warm loving WIFI Internet. 

A very important function of any information security team is threat intelligence. Threat Intel can be a complicated and costly service in some cases but can be as simple a running a simple search in other cases. Here is a trick to get you started with the simple and cheap function.

Did you know you can find lots of "fun" phishing and malware links using nothing more than a simple VirusTotal search? Search VirusTotal for Google Storage API (precooked link). 

Go down midway on the results page and voila.

The one I highlighted above takes you to a dropbox phishing site

Some may not be fully formed yet. Some may already be taken down but you can find some interesting opportunities for research. 

Simple "script kiddy" level Threat Intel for you.

Amazon Prime Day is here and expect millions of customers to go crazy buying things they don't need. At least those unneeded items are deeply discounted, right? Maybe! Thousands of items will be sold at their lowest price ever, but that isn't the case for everything.

The internet is here to save the day again. A free online tool called CamelCamelCamel will show you the truth.

You paste an Amazon link into the search bar at CamelCamelCamel and it will show you the item's price over time.

You copy the Amazon URL into the CamelCamelCamel search bar

Then you scroll midway down the results page and notice that the current promo is actually a good deal.

CamelCamelCamel covers Amazon sites for Canada, USA, Australia, China, France, Germany, Italy, Japan, Spain and the United Kingdom.

Do you want an example of a not so good deal? Here is one for you:

Looks like a good lightning deal...

CamelCamelCamel says this item was sold December 2017 for $53.82, a full $6.48 cheaper. This means that if you don't need this item right away, you may want to wait a bit or find an alternative that may actually be a deal. 

And one more thing

I'll sweeten the pot with one more tip for Amazon Prime Day (PrimeDay) and this one is related to the product reviews. You will notice that those Bluedio headphones seem to have a good user review rating of 4/5 stars (with 273 customer reviews). Can you trust those reviews?

Enter Fakespot! Like CamelCamelCamel you copy the Amazon product URL into the Fakespot search bar and you are presented with a review reliability score

Fakespot isn't perfect but it is a great way to quickly determine how much trust you should put in the user reviews. Notice above the analysis is old. if you see that button, press the ReAnalyze button and wait until you get a new rating.

When I tested Fakespot with these on-special headphones, the user review rating improved from an F to a D. 

The moral of the story is that you will probably find hundreds of great deals worth the asking price but make sure to perform your own due diligence using CamelCamelCamel and Fakespot. 

Google Chrome has always been a resource hog, but you may have noticed it's been consuming just a little bit more RAM lately (on your desktop).

This new more demanding Chrome is because of the Google's Spectre mitigation efforts.
The Google Chrome security team has enabled site isolation as a default (in Chrome v67 for desktops). Justin Schuh, head of Google Chrome Security, explained that site isolation separates each website process thereby preventing a malicious tab from stealing data from another.

Don't expect to see this update on the Android version anytime soon, the resource consumption requirements are too high (for now).

Chrome is obviously my browser of choice but I have been concerned at the amount of resources it requires and this move (although right from a security perspective) further pushes Chrome in the wrong direction. 

Additional reading:

• Google Security Blog
• Chromium project site isolation write-up

Recently I started seeing more ads for the NordVPN service. It seems some of you may be in the same position as I've received several emails asking me for my opinion about them. 

After a careful review, here it is. NordVPN is best described as a good "one size fits all" VPN service. You pay one fixed price and get full access to their network endpoints (1000+ servers in 57 countries) and the full available speed.

TL;DR:NordVPN offers impressively fast VPN, good security and easy to use clients. 

You will find an impressive list of tutorials for dozens of different platforms from the usual (Windows, Mac, iPhone and Android) to Belking, Microtik and Arris routers. 

Protection

NordVPN promises that it is a no-log service. They use 2048-bit encryption; they run their DNS servers to minimize DNS leakage and have a "kill switch" that will block application internet access in case the VPN get's disconnected.

Validating their claims

Many providers promise a no-log service, but there is no way for consumers to validate this statement independently. I have chatted with their support and had no reason to doubt their claim. 

I have run my standard VPN tests on Windows and MacOS and can confirm that I did not detect any DNS, WebRTC or identity leakage. My most useful test was validating their kill switch functionality  (by manually killing the VPN process) and confirmed it worked

Multiple devices

NordVPN offers access to 6 devices simultaneously. If you connect multiple devices to the same endpoint, you will have to choose different VPN protocols for each (L2TP, PPTP, OpenVPN TCP and OpenVPN UDP). 

Price

I recommend you shop around for deals. Their "normal" promo is $79.00 for 2 years (a 72% discount). If you browse the web, you can find links with additional discounts of up to 77%. Here is the link I used below (not an affiliate link) 

Conclusion

Overall NordVPN seems like a competitive offering with good security. 

The media is quick to publish reports about the "evils" of social media. Twitter is a favourite whipping target.

Here is a little-told story about 26 young girls (aged 10-14) being saved from the clutches of human traffickers in India because of a simple tweet.  Adarsh Shrivastava, a good samaritan, travelling on an Indian train noticed a group of young girls that seemed to be in distress. He twitted the train operator which was the start of their rescue. 

A representative from the Ministry of Railways forwarded a support request to the railway police. 

Shortly after being notified, the railway police intervened and rescued the girls. Two men were arrested. 

Source: NDTV

Freedom Mobile's phone protection plan is removing coverage for lost or stolen phones. In exchange, they are reducing the monthly fee by $1 (down to $9). This change was first noticed on Reddit by user Alphalee and you can read messages from upset customers (obviously).

This change will come into effect on August 2nd, 2018. Repair service is now listed at $99 (was unlimited in the past).  It looks like this is an attempt to limit fraud and reduce insurance costs for Freedom Mobile. Their coverage seems to be underwritten by Asurion (same provider used by Telus, Bell, Virgin Mobile and Koodo.

The existing Mobile Freedom coverage still protect's devices from accidental damage (such as a broken screen or liquid damage). 

As a citizen of the digital world, you probably transfer large files daily. Sure you could use Google Drive, Dropbox or OpenText Core but Mozilla believes there is a better way (Mozilla Send). Mozilla Send is a web experiment that allows you to easily transfer large files up to 1GB in size.

Mozilla Send can be used with any modern browser.

How to use Send

1 - Go to https://send.firefox.com/

2 - Upload a file

3 - Decide how many downloads you want to allow in a 24-hour window. Determine if you want to enable a download password.

4 - send the link to the recipient of the file.

Mozilla Send Security

Mozilla send uses AES-128 (AES-GCM algorithm) to encrypt and authenticate the file. Encryption is performed on the client before the file is uploaded to the Mozilla Send servers. Mozilla Send also uses the Web Cryptography API. This Web Cryptography API is the magic that performs hashing, signature verification, encryption, etc). All the security is performed without requiring any user intervention.

It is important to highlight the fact that anyone that intercepts the URL can download the file. The encryption key is appended to the URL.

Sample URL : https://send.firefox.com/download/2f3eea2e0f/#6kUB9cj4gXgTZWgDXrPEZQ

Important security notes:

• Once 24-hours has elapsed or the maximum number of downloads has been reached, Mozilla Send deletes the file from the server
• You can manually delete the file using the Delete button. An important note is that the Delete button only shows up on that initial download page. If you think you might need the delete button, keep that original upload confirmation page open. 

Web Experiment

Mozilla send is a Web Experiment and Mozilla is gathering usage statistics to determine if this is something they want to keep as a permanent offering. Right now it is a great example of solid design and engineering.

As a frequent traveller, I have picked up some tricks that make travelling a lot easier. I wanted to share some of those with you and hopefully make your life a little easier.

Global WIFI Hotspot

I wrote my first review of the (gen 1) Skyroam Global hotspot in 2015 and it became one of my most used travel items. When they released (gen 2) a new LTE capable model, the Skyroam Solis, I bought one and reviewed it as well.

TL;DR: I have tested dozens of global roaming services (hotspots and global SIMs) and the product I carry in my bag every day is the Skyroam Solis.

Some readers have asked if my Skyroam tests were promotional and the answer is no. I have not received any compensation from Skyroam to test and review any of their products. When I find something that works well and is priced competitively, I recommend it.

I recommend you read my full review, but the summary is that the Skyroam Solis is a pre-paid global 4G (LTE) capable hotspot that works in 100+ countries. They offer an "unlimited" data package sold in chunks of 24 hours (day passes) for about $9 a day (or a monthly pass for $99).

Most companies offering this type of service label their offering as "unlimited data" but this doesn't mean you can stream Netflix while cruising the french riviera. Every company I have reviewed imposes some type of "fair use policy". Skyroam's Solis day pass never cut-off your data access but does slow it down to a painful (and barely usable) 2G after you consumer about 500MB per 24-hour period. This period resets during each day pass.  This means that you shouldn't be streaming music or videos (Spotify, Google Music, Apple Music, Youtube, Netflix, HULU, Amazon Video, etc).

As an example, the GeefiGlobal WIFI hotspot fair use policy says "GeeFi will begin limiting the download speed after you exceed 500 MB (megabytes) of data in most countries".

Frequent travellers can buy a Skyroam Solis WIFI hotspot for $149.99 (includes one day pass worth $9). Infrequent travellers can rent a Skyroam Solis with the appropriate number of day passes for $9.95 a day (basically $1 per day to rent the unit plus shipping costs back and forth).

Collapsible water bottle

I wrote about the Nomander collapsible water bottle in 2016 and still recommend it for travel.

TL;DR: The Nomander water bottle is a light flexible easy to pack piece of kit you can store easily and use when needed. It avoids having to pay $5 for a 500ml bottle of water that would otherwise cost $0.50 anywhere in the "real world".

The Nomanderis made from food grade silicone so it doesn't retain smell.  It is leakproof. Where my older recommendation (the Vapur) becomes giggly when less than 3/4 full, the Nomander retains its shape fairly well for a foldable bottle. 

With the plastic sleeve in the middle, the bottle is sturdy enough to stand on its own.  The Nomander is (top rack) dishwasher safe, You can also freshen it up, like most other water bottles by soaking a mixture of filtered water and fresh cut lemons for 24-hours.

The water filter

Browse the aisles of any camping goods store and prepare to be amazed at the dozens of water filters available for your immediate purchase. I have been camping most of my life and have travelled to many locations known for terrible horribly diseased water.

I have tried over a hundred filters, tablets and sterilizers. The one I keep coming back to over and over is the Grayl. I first wrote about the Grayl water filter in 2016 and have been recommending it since. It beats every other filter I had tried before or that I have tested since.

TL;DR: The Grayl water filter is the easy to use, easy to carry, low maintenance and high-reliability water filter you want when in the backcountry or when travelling to locations with questionable water sanitation practices.

When using the orange travel filter, you purify and sanitize the water with one (strong) push. This means I no longer carry a UV sterilizer (Steripen) in addition to a filter (Lifestraw or Sawyer mini).

The Grayl Orange Travel filter removes:

Each cartridge lasts about 300 uses (with 3 full uses a day, a single filter would last 100 days). The filtering process requires a bit of brute strengh but you never have to worry about batteries and there is no need to backwash the filter. 

Portable laundry machine

Everyone starts travelling with lots of extra clothes and big check-in pieces of luggage. Eventually, you learn that one-bag travel is the only way to go. One-bag travel does mean you are travelling with the minimum and thus may need a way to clean your clothes while on the move. 5 years ago I bought a Scrubba wash bag and have brought it with me on almost every trip (longer than a week).

TL;DR: The Srubba is a waterproof bag with scrubbing "teeth" you can use to clean your clothes anywhere in about 10 minutes.

Scrubba has become a trusted travel item for business trips and family adventures (vacations with kids, camping, road trips, etc). I use this with either  Woolite Travel Laundry Soap individually packaged travel packets or Dr. Bronner organic Castille soap. Both of these detergents are gentle, work with all types of materials and wash out easily without leaving a soapie residue.

Airborne and NoJetlag

I started taking both of these products 6-7 years ago and believe they help keep me healthy when travelling (particularly the long North America to Asia flights).

I am not a doctor and the effect could be nothing more than placebo but since I started taking Airborne on longer flights, I find I get sick a lot less Worst case scenario, it is a vitamin C supplement but my experience has been very positive. I have managed to stay healthy even with colleagues have gotten sick.

When travelling to faraway destinations, I started using No-Jet-Lag. While consulting for Cathay Pacific Airlines (based in Hong Kong), a flight attendant recommended it and I have used it ever since (when travelling through more than 4-5 time zones).

The simple rule of thumb is to chew on one tablet, every time your plane takes off and every time it lands.  Then chew on one tablet every 2 hours while in flight. I normally follow the manufacturer instructions and take it an hour before or 2 hours after a meal.

I'm the first person to admit the questionable medical value of homeopathic products and my results may be nothing more than a placebo effect but it has worked for me and has been recommended to me by about a dozen different flight crew members.

Tom Bihn Synapse 25 backpack

Talking about backpacks is almost akin to talking about religion. It seems people are easily offended when you recommend something different than their preferred bag.  Unlike the average traveller, I have 1M+ miles under my belt and have recently tested about 25 different (well rated) backpacks before I recommended the Tom Bihn Synapse 25 backpack February 2018.

TL;DR: If you can only buy one backpack (EDC, work and travel), I recommend the USA designed and manufactured Tom Bihn Synapse 25 backpack.

I recommend you read my full review here. This bag is light, durable and has carefully designed features that will make travel much easier. Plus it is built like a tank and will not break on your mid-trip.

Best carry on luggage

I first recommended the RedOxx AirBoss in March 2012 and it has been my favourite carry-on luggage since. I have tried 50-60 different products since and always come back to this thing. It is designed to last and comes with a no questions lifetime warranty. Along with Tom Bihn, RedOxx offers the best warranty in the business. 

The RedOxx AirBoss is a 100% USA designed and manufactured bag. It is made from incredibly resilient materials. The bag you see above has travelled 1,000,000 + miles since 2012 and it looks almost brand new.

• Since does not have wheels, I am rarely asked to check its size.
• It has a flexible shell which means I can push and shove it into even the smallest overhead compartments.
• It doesn't waste any room on wheels and a pull handle which maximizes available space
• It can be used with or without packing cubes

If you could buy only 1 luggage that will have to last 10+years, this is the one.

Pacsafe anti-theft packs

There are times when you will be travelling to riskier destinations where theft is a real constant concern (Shanghai, Delhi, Mumbai, Barcelona, etc). Then travelling to these "special" locations, you may have to take specialized gear to stay safe and no one offers a wider selection of anti-theft backpacks, packs and bags than Pacsafe.

I own both a Pacsafe backpack and a shoulder pack. Both of my products are no longer offered but you can easily find something that would meet your needs. During "normal" trips, I would choose the lighter and more functional Tom Bihn Synapse 25 every time but when I need extra security, the Pacsafe products are a must.  The bags are lined with a metal mesh to prevent theft by slashing. Even the shoulder straps are reinforced with metal mesh to prevent a slash and go incident. Best of all, the Pacsafe bags look like normal everyday products.

I own an older version of the Metrosafe and found an everyday use for it you may find interesting. In addition to keeping my valuables safe while I travel, I use it when at the beach or public pool.  I lock it to a bench or medium tall tree and know my valuables (glasses, wallet, cell phone, etc) will be there when I get back. When at the beach, I can go swimming without worrying that someone will steal my wallet. All you have to do it pair it with a travel cable based lock. 

As a security technologist, the security philosophy of the OEM is a crucial determinant of my decision to buy or recommend a device. This is where Apple shines with it's iPhone update strategy. Every single iPhone receives updates (security and version) at the same time. 

This is why I highly recommend Google's Pixel devices. The Pixel line offers the same regular and speedy update schedule. The other Android manufacturer that has shown it cares about upgrades is OnePlus. Until this week, it did a great job delivering updates quickly, but it didn't formally commit to a software upgrade schedule. 

All of that changes this week when OnePlus unveiled its new operating system (Android) maintenance schedule. It has copied the Google Pixel model and will deliver major upgrades for two years and security updates for three years. 

Conclusion

OnePlus has always offered solid well-designed devices at competitive prices. This new software maintenance schedule commitment makes their offering that much more compelling. 

I can no longer recommend devices from manufacturers that do not regularly deliver security and version upgrades. This is why I only recommend Android devices from Google, Blackberry Mobile and OnePlus. 

One of the most frequently asked questions I receive from readers (from this blog, Twitter and LinkedIn) is "Should I consider TOR private and anonymous?" 

This question is interesting with fervent activists on each side [of the issue]. On one side are TOR proponents extolling the virtues of the platform and explaining how it will save humanity from the scourge of privacy-invading networks. On the other side of the discussion are conspiracy theorists that claim TOR is nothing more than an NSA honeypot (a data collection tool). 

Like most important topics, the truth is never as clean as we would like it. The truth is that TOR is a little bit of this and a little bit of that. Let's dive straight in. 

Who started TOR?

Conspiracy theorists love highlighting the fact that the United States Navy developed TOR. So the first question we need to tackle is regarding this origin statement.

The core privacy functionality of the TOR network, the onion routing, was developed by United State Naval research laboratory employees named Paul Syverson, Michael G Reed and Favid Goldschlag. The purpose of the technology was to protect US intelligence communication. 

The TOR Project was launched in September 2002 by Paul Syverson,  Roger Dingldine and Nick Mathewson. In 2004, the Naval Research Laboratory released the TOR code under a free license, and the EFF (Electronic Frontier Foundation) began funding the initiative. The Tor project we know and love today was started in December 2006 as a 501(c)(3) non-profit organization with support from the US International Broadcast Bureau, Internews, Human Rights Watch, the University of Cambridge, Google and  Stichting NLnet.

It is true that the majority of the funding for the free and open source project came from the US government. 

Does the government control TOR entry and exit nodes?

When talking about TOR privacy and confidentiality, there are 2 distinct question most astute users ask:

1. Can someone "see into" my traffic?
2. Can someone tie TOR traffic back to me? 

The first theory I read about consistently was that world governments (particularly the 14 Eyes Countries) control the majority of the TOR Exit nodes thus can "see into the traffic." Looking strictly at the Exit node piece, governments have no deterministic way of knowing where a suspects traffic will exit from the network. As long as they don't control all of the TOR Exit nodes (which we believe they do not), they can't be sure the suspect traffic will flow through their nodes. Additionally, if the site you are visiting is using cheap and easy to implement security (like TLS) then even if the government controls the exit node, they won't be able to "see inside the traffic." Traffic that joins the TOR network to access a TOR hidden service never exits the network so it wouldn't even pass through an Exit node.

What if a government controls both the Entry node and Exit node you use? Assuming you are using TOR to browse the "normal" internet then you will hit an exit node. If the government(s) control enough of the entry and exit nodes, they can use statistical correlation tie traffic back to you. 

If you are browsing a site with well-designed security, they still would not be able to see "inside your traffic" but would know that you originated the traffic flow (aka collect metadata). 

It is important to remember that the TOR Project isn't just idly sitting on the sidelines watching the government violate its technology. They are actively working to harden the platform and work tirelessly to make it more secure every day. Some of the techniques used by the TOR platform include:

• Switching TOR circuits regularly and unpredictably. Thus making long-term data mining more difficult. 
• Ensuring that the TOR nodes used are as randomized as possible. Thus making predictability of route near impossible.
• and more 

Has the TOR browser been hacked?

The answer is yes but hold on before you install the TOR browser from your computer. I would submit that almost every commercial or free software has exploitable bugs that would compromise a users privacy and confidentiality. The question isn't whether a product has these types of exploitable bugs but rather what the software "vendor" does about them. The TOR project has been an incredibly honourable steward of the TOR platform. They quickly patch any discovered vulnerability. 

The other "trick" for the extra paranoid is to switch the security level in the TOR Browser to high. This will break some sites, but you want strong security don't you? 

Can I be tracked using the TOR Browser?

I wrote an article in 2016 talking about browser fingerprinting techniques and referred readers to the EFF's Panopticlick site to test this on their own devices. Browser Fingerprinting is a technique that leverages information your browser gladly provides to sites to uniquely identify you and then track you as you browse the web. 

To illustrate the power or browser fingerprinting, I ran the Ponopticlick site on my "normal use" machine using different browsers. 

• My reference browser will be Google Chrome (same results with or without UBlock Origin): Your browser fingerprint appears to be unique among the 1,747,285 tested in the past 45 days. Currently, we estimate that your browser has a fingerprint that conveys at least 20.74 bits of identifying information.
• The Brave "privacy" browser (default configuration): Your browser fingerprint appears to be unique among the 1,747,235 tested in the past 45 days. Currently, we estimate that your browser has a fingerprint that conveys at least 20.74 bits of identifying information.
• Microsoft Edge (Win 10 latest update): Within our dataset of several million visitors tested in the past 45 days, only one in 218410.63 browsers have the same fingerprint as yours.
  Currently, we estimate that your browser has a fingerprint that conveys 17.74 bits of identifying information.
• Microsoft Internet Explorer (Win 10 latest update): Your browser fingerprint appears to be unique among the 1,747,285 tested in the past 45 days. Currently, we estimate that your browser has a fingerprint that conveys at least 20.74 bits of identifying information.

• Tor Browser with safest security option: Within our dataset of several million visitors tested in the past 45 days, one in 92.3 browsers have the same fingerprint as yours. Currently, we estimate that your browser has a fingerprint that conveys 6.53 bits of identifying information.

So in safest mode, the TOR browser does dramatically reduce information leaking about your browser but the fact you are using a low popularity browser is in fact itself a tracking tool. The short answer to this question is that tracking is still possible.

Should I trust the TOR Browser?

I've addressed some of the most common questions I receive, but the only reason you read this article is for this one question alone. You want to know if the TOR browser is safe enough for you. 

Unfortunately for you, I'm a security professional, and I believe security is never black or white. The question of whether the TOR Browser is safe enough for you is the real question and that depends. 

It depends on the types of activities you are performing. 

On the low end of the spectrum is a general user that wants to use TOR to browse questionable websites from work without leaving traces in the company proxy logs or without being stopped by a URL filtering tool. For this type of user, the privacy and anonymity afforded by TOR are probably sufficient. It is unlikely that a nation state will target you for deanonymization and tracking. 

On the other end of the spectrum is a hardened criminal trying to sell nuclear secrets to the highest bidder. You would probably be classified as a high-value target by the global intelligence community, and thus they would use the full arsenal of tools to identify and track you. If you are a criminal mastermind hellbent on world domination, you probably need better tools than TOR. 

A tweet by Edward Snowden explains it best:

Security is a complex system of risk management and mitigating controls. There is no magic bullet where everyone is safe and anonymous all of the time. True security is a complex architecture of different technologies implemented in very particular ways, to achieve the protection level you desire or need. 

If you are browsing adult content from home and want some level of anonymity, TOR is perfect. 

If you want to browse it while at work, know that most companies have agents installed on your workstation to track your browsing regardless of the browser used. 

Therein lies the real risk. Whether you are using TOR or the end-to-end encrypted Signal messenger, the tools themselves are often secure.  However, if someone compromises either of the endpoints, you can still be de-anonymized. This is why true security must be done in layers.

Maybe you need to run a secure Operating System, like Qubes OS that routes its traffic through TOR (booted from read-only media and hash checked to ensure it has not been tampered with). Additionally, even if you have a safe and secure computer, operating system and connection, you must still be careful not to involuntary divulge clues about yourself when online, so security hygiene is also very critical. 

Security is though. Perfect security doesn't exist.

Ookla, everyone's favourite speed test service has just published internet performance metrics for North American airports. Calgary Airport has been rated as the best performer of all Canadian airports and is the third best in North America.

1. Seattle Tacoma International
2. Denver International Airport
3. Calgary International

Montreal's Pierre Elliot Trudeau Airport was rated the worst. Toronto's expensive Toronto Pearson International Airport is rated 23rd.

I have received a lot of requests from readers, LinkedIn and Twitter connections to provide examples of some "interesting" darknet (TOR Onion Network) sites. I have posted over a dozen on my LinkedIn page but thought I would show a couple here.

My security team and I perform internet and darknet reconnaissance work to create briefing packages on cyber crime, determine trends and spot organizational dangers. As part of this research, we sometimes stumble on interesting examples that I share. 

I have chosen not to hide the onion addresses (aka the URL) because I want to show that these are not made up designs but actual sites. I discourage anyone from using or visiting these sites. I am providing these as example for educational purposes only.

Bitcoin Fig is a centralized Bitcoin tumbler. A Cryptocurrency tumbler is a service that intakes identifiable, tainted or stollen cryptocurrencies and delivers them back with an obscure trail. This is used to improve anonymity when questionable transactions are being performed. These firms typically charge 1-4% of the "cleaned" amount and operate out of countries with strict private banking laws like Cayman Islands, Panama and the Bahamas.

The The Cannabis Growers and Merchants Cooperative CGMC is a "by invitation" cannabis market. They offer a trustless (aka escrow) shopping experience to protect buyers.

The sense of anonymity offered by TOR, attracts many with much more questionable products. Above is the French connection that deals in Heroin, Meth, brown sugar, Superman XTC pills, black tar, Amber glass BHO crumble and other products guaranteed to screw your life.

We've covered drugs and now we turn our attention to sports betting. BETTOR claims to be a marketplace that sells winning bets (not predictions). They claim to have 100% winning bets for football, basketball and tennis. I don't gamble so I cannot vouch for the quality of their recommendations. 

CyberGuerrilla is another example of groups using the pseudo-anonymity of TOR to do what they probably wouldn't on the "normal" internet. This site describes it's mission as "The CyberGuerrilla Collective is an autonomous body based in Europe with collective members worldwide. Our purpose is to aid in the creation of a free society, a world with freedom from want and freedom of expression, a world without oppression or hierarchy, where power is shared equally. We do this by providing communication and computer resources to allies engaged in struggles against capitalism and other forms of oppression."

I describe this site as a blog platform for closet anarchists. 

Escrow defense is a buyer/seller escrow service. 

Cash is King is a get rich quick scheme. You pay them in BItcoin and they "sell" you cash that was destined for destruction. They claim to have a way of moving the cash before it is destroyed but need you to "launder it". How much is this service you ask?

What if you were scared as a king by Burger King and want nothing to do with a King? What is a cash strapped person to do? You can always buy counterfit US dollars from the USD site

What if you want to deal with digital currency? No worries, enter Vendor. Vendor sells hacked Paypal accounts.

How do you cash out these PayPal accounts without getting caught? Conveniently they offer a "cheap" laundered bitcoin service for a small nominal fee ($45USD for each BTC).

So now you have your drugs, your cheap cash and your cheap bitcoin. All this money is burning a hole in your wallet and you want to spend it on "cool" stuff. How about some counterfeit clothing?

What about stolen electronics like a Sony Playstation, an iPad, iPhone, Acer laptop,  or Samsung Galaxy S9?

Since you haven't spent all your money yet, maybe you should think about the future and use DoubleBit to grow your crypto using darknet markets. For a "small" fee, they will "invest" your crypto for growth then will return "clean crypto" back to you with outrageously generous short term returns (I am being sarcastic, I have never used their service so I wouldn't know).

Why invest when you simply buy money from the BigDeal marketplace (http://bh3ly32vcg52brrc.onion/)

If you work for a publicly traded company and want to cash out some insider knowledge, you can use The Stock Insiders site

Pew Research publishes interesting surveys, and they recently shared results about what teens use most. Contrary to public opinion, Snapchat is still king with teens, followed by Youtube. Facebook usage amongst teens is down 71% compared to the 2014-2015 Pew report. 

• 45% of teens admitted to being online "almost constantly."
• 24% of teens admitted to being online "several times a day."

Girls are more likely to be "almost constantly" online (50%) compared to boys (39%). 

Instagram is still going strong and 72% of teens now use it (up from 52% in 2015). 70% of teens use Snapchat (up from 41% in 2015). 

Most platforms have an equal amount of creation and consumption except Youtube, where the most significant proportion is consumption. 

You will notice that Snapchat and Instagram have higher usage than Facebook. Interestingly you will note:

• Instagram/Snapchat are designed to post pictures, whereas Facebook supports photos but videos, links, text updates, etc.
• Instagram/Snapchat are designed to be used on a smartphone, whereas Facebook is multiplatform. This is confirmed when the stats show that 95% of teens have or have access to a smartphone (88% of teens have access to a computer at home).

31% of teens believe social media has a positive impact on their lives while 24% think it has a negative one. 45% believe it has a neutral effect on their lives. 

Anytime I pull out a Chromebook in a professional setting, colleagues and friends are dumbfounded how a tech geek like me would "settle" for a browser only thin client. People are downright shocked when I pull out my $1200 Pixelbook. 

Why would I buy a "browser only" device when I could use a Windows or Mac device that can run the Chrome browser but do so much more?

Chromebooks can't run apps

If you are reading this article, there is a good chance you are not a millennial that grew up with iPads and smartphones. For you, a personal computing device (Windows, Mac or Linux) needs to run native apps. I'm here to shock you but Chromebooks (ChromeOS) devices do and do it without requiring dual-booting.

Chromebooks run Android apps. Most modern Chromebooks can easily install and run most Google Play store Android apps. The list of Android app capable devices is extensive and growing daily (list).

The most common Microsoft Office apps for Android (Word, Excel and Powerpoint) run surprisingly well on Chromebooks. 

Chromebooks will run Linux apps. VentureBeat first reported this and it was later confirmed during Google IO 2018. Goole's Chromebooks will be able to run native Linux applications using the built-in container technology (without dual-booting or emulation). 

Chromebooks will run Windows apps. CrossOver has a Chromebook app that will allow users to run Windows-only apps (like Quicken and Microsoft Office) on a Chromebook without needing to install Windows. 

Truth is that most users, will not need any of these functionalities most of the time. With a little updating of your work structures, you will likely be able to work on a Chromebook 98% of the time without needing to run Windows or Linux apps, but it's nice to know you can.

As an example, I switched to Polarr for my photo editing and it does everything I need. It is affordable, cross-platform and worth like a charm on Chromebooks. If you are looking for a very good password manager, you can use the Steve Gibson approved LastPass. 

Chromebooks are slow

You get what you pay for. When you compare dollar for dollar a Chromebook will always be fast, more reliable and more secure than Windows, Mac or Linux. The comparison most people late is a $1000 Macbook to a $250 Chromebook. That simply isn't a fair comparison. Chromebooks have become the defacto educational devices because they are very functional even at the low end of the scale. 

When comparing machines with comparable pricing, the Chromebook will always be faster.

I bought a $350 Acer C720P in 2013 (5+ years old) and it :

• is still fast when running Chrome
• receives regular updates from Google
• is always kept secure by Google

I have 3+-year-old ($600-1000) Dell, HP and Lenovo Windows machines that have become slow and painful to use. 

My Pixelbook goes from powered off (not sleep but totally off) to ready to log in, in 5 seconds. 

Chromebooks are useless without an internet connection

I am convinced much of what you do (on your PC, smartphone or tablet) is internet based. As an experiment, try turning off WIFI (or cellular connectivity) for 1 day and see how dependent you really are. 

When the CR-48 came out (first Chromebook test unit from Google), it was nothing more than an internet connected thin client. This hasn't been true for a long time though. 

Google's most popular services (Gmail, Calendar, Google Drive, Google Docs, Google Sheets, etc) are all offline enabled. The Google Chrome Web Store even has a page dedicated to offline apps.

Add to these the millions of Android apps and you can do just about anything offline these days. The Chromebook actually has an advantage over competing platforms here (Windows or Mac). As an example, on a traditional laptop, I can't download Netflix content for offline consumption whereas I can with the Android Netflix app running on a Chromebook. Since Chromebooks are power efficient, this becomes an excellent offline and disconnected media consumption platform (aka planes).

Chromebooks barely run Android apps

For better or worse, Google makes many of its experiments public. It is true that Google has made multiple attempts to bring Android to Chromebooks (ChromeOS) and that most have failed. If you tried running Android apps on a Chromebook even a year ago, you may have thought it was a slow and painful experience but not anymore. It still isn't perfect but for those unique occasional needs, the current setup more than satisfies that functionality itch. 

I have tested Android apps on a Google Pixelbook, Acer Chromebook Flip C302 and a Samsung Chromebook Pro and the apps worked great on all of them. 

Chromebooks have no local storage

Not sure how this started but all Chromebooks have local storage. My Pixelbook comes with 250GB of lightning-fast SSD storage (similar storage capacity to my  MacBook Pro Retina). For content that is only occasionally accessed, you can store it in the Google Drive cloud and access it as you would a local file. The Chromebook "file explorer" integrated Google Drive for easy access. 

Chromebooks can't print

Chromebooks support both local and network-based printers. For most users, you will plug in your local printer via USB and it will automagically work (if it is a recent printer). When shopping for a new device, why not opt for one that is Google Cloud Print ready? All major manufacturers support Google Cloud Print, including but not limited to : Brother, Canon, Dell, Epson, HP, Kyocera, Lexmark, Sharp, Toshiba, Xerox and more.

Chromebooks don't have any antivirus protection

This comment comes from Windows users that have been trained to install antivirus products on all of their devices. 

Remember that ChromeOS (the operating system powering Chromebooks) was designed to be secure from the start. As an example, it uses techniques like process isolation to keep you safe. Most manufacturers say that Chromebooks do not need antivirus products because : 

• ChromeOS is updated every 6 weeks
• ChromeOS is designed with an application and process sandboxing framwork
• All data on a Chromebook is encrypted by default

So let's extend the question and talk about Chromebook (ChromeOS) security. Why do most security professionals choose Chromebooks as their personal device of choice? Why do security professionals bring Chromebooks to the world's most tech hostile conferences (blackhat, defcon, shmoocon, etc)?

The answer is that Chromebooks are more secure than any other traditional computing platform (including MacOS). How?

• Automatic updates - Google pushes a ChromeOS update every 6 weeks that all devices receive immediately (regardless of where you bought your Chromebook from and the manufacturer of the Chromebook). These updates add functionality but more importantly they fix security issues.
• Sandboxing - Each web-page and application on a Chromebook is isolated from every other web-page and application using a technique called Sandboxing. If you visit a malicious web-page, the malware cannot infect other tabs or the computer itself. 
• Verified Boot - If magically threat actors manage to exploit a vulnerability and "jump" out of the sandbox to infect the boot process (to ensure they infect the device every time it restarts, The verified boot process will detect this and it will automatically repair itself. Every time a Chromebook boots, it checks itself and if it detects that the boot process has been tampered with, it fixes itself without any user intervention. 
• Data Encryption - Using tamper-resistant encryption (a local TPM chip), all local data is encrypted with a user key which means it cannot be accessed by other users or by threat actors if stolen.
• Recovery Mode - If anything does go wrong with your Chromebook, you can use a special keyboard combination (differs by manufacturer to enter a special recovery mode that brings back a fresh, clean version of ChromeOS in minutes and with no user intervention. All your data and settings are stored in the cloud so as soon as you log in, your personalizations and settings will all automagically come back.

Conclusion

This article could have easily been 5 times longer, but I believe I captured the most important concepts. If you haven't tried a Chromebook in a while, I encourage you to take a look. Remember that no single device meets everyone's needs, and a Chromebook is no different. I believe Chromebooks are THE alternative for most general computing users and even some individual edge cases (like us crazy security people). 

Remeber that you get what you pay for. Don't expect a $200 Chromebook to perform like $1200 MacBook. Compare a $1200 Google Pixelbook to a $1200 MacBook, and now you have a fair comparison. 

It seems not a week goes by without Google renaming, cancelling or somehow changing one of its services. Google will update its music service with the hope of dethroning  Spotify and Apple Music. 

Google will leverage its most recognized media brand to give music a fighting chance. So you will soon welcome YouTube Music into this world. 

Early information suggests it will marry the substantial unique music of Youtube (live performances, covers, etc.) to advanced discovery probably powered by AI. 

This new service will (eventually) replace Google Music. Taking a page out of the Youtube and Spotify playbooks, they will offer a limited ad-supported free tier. Music lovers will be able to buy a $9.99 per month subscription to YouTube Music Premium which will offer ad-free listening. 

Youtube Music will firsts roll out to the U.S., Australia, New Zealand, Mexico and South Korea. Once again Canada is a second-class citizen. Other key markets will launch "soon" including Austria, Canada, Denmark, Finland, France, Germany, Ireland, Italy, Norway, Russia, Spain, Sweden, Switzerland and the United Kingdom. 

You can sign up to their availability tracker here music.youtube.com/coming-soon

Source : Youtube blog

Google just announced their new Google One service. Google One will replace the existing Google Drive service and will allow users to buy additional storage that can be used across its various properties (gmail, drive, photos, etc). 

In addition to the new name, Google is throwing in some additional goodies into the existing plans

• The $US9.99 ($CAD13.99) 1 TB storage plan will be upgraded to 2 TB for free
• A new 200 GB tier will be implemented ($US2.99)

Existing 1 TB customers will automatically get upgraded in the coming weeks as soon as the move is implemented. 

Google promises to add some sort of consumer product help and provide "extras" like Google Play credits for subscribers. There aren't too many details yet so we'll have to wait and see. Sounds a lot like the TMobile Tuesday promo.

Google promises to roll out Google One to users in the USA over the coming weeks. No news on the global expansion yet.

When Google finally shut down its Goo.gl shortening service, I wrote an article about the best alternative URL shorteners. 

Security specialists cringe at these services because they can often be used to hide attacks, but when brute forced (using a program that tries to find valid links automatically), you can usually find classified or confidential information. If you are interested in this type of research, check out this academic paper entitled "Gone in Six Characters: Short URLs Considered Harmful for Cloud Services."

The TLDR is that shortened URLs can be scanned using automation and doing so reveals a tone of Microsoft OneDrive accounts storing private information (most unlocked). Knowing that these files are automatically downloaded (most of the time) to the user's PC through synchronization, a threat actor can weaponize them. The researchers also discovered location information such as driving instructions for specialize medical services, prisons or adult establishments. 

Make that link scary

None of these valid concerns is the reason I wrote this article though. The purpose of this article is to take legitimate links and make them scary (at least for tech-savvy recipients). 

The purpose of VeryLegit is to take good links and make them scary (without actually being dangerous of course).

When asked how the service works, the humorous authors deliver this little gem:

Let's try it

1 - You copy a link like my article about Google Tasks  "https://www.kiledjian.com/main/2018/4/25/google-launches-new-tasks-app-mobile-web"

2- You paste it into the magical input box

3 - You click on Make it look dodgy

4 - You copy the scary looking link (http://ctf.verylegit.link/+javaexploit_970speedupurpc!!install-now!!java0day.docm.js.pdf) and voila.  Scare the pants of a tech-aware friend. 

It will redirect you to your original link only adding lots of scary extensions typically used by scammers and Nigerian princes wanting to give you millions of dollars.

So welcome to Monday, time to have some fun.