Open a magazine, newspaper, your local nightly news or almost internet blog, and you will be confronted with news about another security breach. Breaches, breaches everywhere. 

Concerned netizens are trying to find ways to protect themselves when online and to protect their privacy. In response, I have written a bunch of articles (such as):

• KeepSolid VPN Unlimited Review
• Review of Private Internet Access (PIA)
• Honest review of the ProtonVPN service
• Honest review of the Tunnelbear VPN service
• VyprVPN Review
• Review of HideMyAss VPN (HMA)

The above reviews were VPN services, but what if you wanted a piece of hardware that was portable and could be used with any WIFI enabled device?

• Invizbox GO Review
• Anonabox Pro Review

A new player in the hardware category is LTE WIFI Hotspot service provider Karma. 
Karma is releasing a new LTE hotspot (for the US market) called Karma Black LTE hotspot. This device costs $149 now (will go up to $249 after the January 15 pre-order closes). In addition to the initial cost, you will have to plunk down $20 a month for its security services. Karma promises to encrypt your internet traffic and to hide other privacy-invading markers like location, browser identifiers, etc. 

It looks like you will be able to use this service with your own WIFI networks (home, office, hotel, etc.) Karma is also promising to add additional features in the future like TOR, network antivirus, ad blocking and parental control. 

In addition to the monthly security service fee, you will have to spend more money if you want to use the device's LTE connectivity feature ($3/month + $10/GB on the "drift" plan). 

Is it worth it?

I have not had a chance to test the device so everything written here is based on the documentation. 
 

I believe the goal is noble but the question is "should you spend $20 a month for this level of security?".

A technical user knows that sites, threat actors, and government intelligence agencies have multiple ways to identify and track users. Even with all of the security measures deployed by Karma in its Karma Black hotspot, there are fairly easy ways to identify and its track users [here is an article that talks about TOR deanonymization].

As an example, a site that uses TLS encryption (aka most sites these days) is able to set up a secure connection between your browser and its site. They can drop a supercookie in your browser then track you as you browse the web. Facebook and Twitter did this.

There is an easy to implement technique called browser fingerprinting that would allow an online actor to create a unique fingerprint for your machine using nothing more than the information your browser willingly hands over to any site that asks. You can test this yourself here. 

Using a secure tunnel (aka a VPN), Karma can mask your internet traffic from your local ISP but they can see where you are going. We know very little about what they log. VPN providers like TunnelBear have clear & easy to understand privacy policies. Tunnelbear has had independent audits to confirm that they are living up to their policies. ProtonVPN has a technology that they call SecureCore to prevent privacy breaches if any of their VPN termination endpoints are compromised. 

Unfortunately, there is insufficient information about how Karma Black is actually (technically) delivering these security services, and therefore I have to take every claim with a grain of salt. You can probably buy similar protection from the Invizbox for $190 (hardware plus 12 months of IP Vanish VPN service). You then use the Chrome browser with the uBlock Origin plug-in and you should have equivalent or better protection. 

Most security professionals will tell you tech is easy and that the biggest security weakness is the user. Users normally don't have good security hygiene and even the best security tools can easily be broken why careless users.

My professional recommendation would be to hold off buying one of these devices until a "real" security professional has a chance to test one in a lab and determine how good the security controls actually are. It is easy to mess it up and unintentionally leak metadata. So caveat emptor.

A little history

Early 2017, a security researcher (Andrew Ayer from SSLMate) discovered that three certificate authorities (Symantec Trust Network, GeoTrust Inc., and Thawte Inc), owned by Symantec, had improperly issued 108 TLS certificates. It is important to understand that these improperly issued certificates would allow a threat actor to spoof or impersonate a website that was using HTTPS.

9 of these certificates were issued without the knowledge of the domain owners. 99 were issued without proper validation of domain ownership. 

This improper issuance of certificates directly contravenes the strict (prescriptive) guidelines of the CA/Browser Forum and raised the ire of internet giants like Google, Mozilla, and Microsoft. 

These guidelines and controls underpin the entire trust model of the encrypted internet.

There is no way to verify if these certificates were ever used in the wild but we also cannot verify that they were not used. 

You can see the list of certificates here. 

Chrome to distrust Symantec TLS Certs

Very quickly after this second incident was made public, the developers of the Chromium project announced their intention to distrust all Symantec issued TLS certificates. Since Chromium powers Google Chrome, the most popular browser in the world, this was a punishment for Symantec's mismanagement. So started the two-year roadmap to achieve this goal. 

You can read the blog article on the Google Security blog entitled "Chrome’s Plan to Distrust Symantec Certificates".

As you can see above, the process is broken down into 3 distinct phases:

1. Certificates issued after December 1, 2017, from Symantec's legacy infrastructure will not be trusted
2. Certificates issued before June 1, 2016, from Symantec's legacy infrastructure will not be trusted
3. All certificates issued from Symantec's legacy infrastructure will not be trusted.

The first phase is rolling out with Chrome beta version 66 on March 15, 2018. Domain admins still using Symantec certs issued before June 1, 2016, are encouraged to replace them ASAP. 

The full roadmap will come to fruition with Google Chrome beta 70 (due October 16, 2018). 

In an October 2017 Symantec security blog entry, we learned that Digicert will takeover certificate updated as of December 1, 2017. 

The Sultan of Search, Google, announced in June that it would introduce ad blocking tech in an upcoming version of the Google Chrome browser (and Chromebook). 

We can now confirm that this feature will make it into our browser on February 15 (2018). Chrome 64 will be delivered on January 23 and Chrome 65 on March 6. Either this feature will be part of Chrome 64 and turned on with a remote trigger, or it will be a server-side function. We will have to wait and see how Google implements this feature. 

Google will deliver this functionality simultaneously to desktop and mobile clients.

Why would an advertising company block ads?

To be clear, the blocked will only prevent ads that don't meet the standards set by the Coalition for Better Ads. 

• What kinds of ads will get blocked? 
• Ads that pop-up when you open a website
• Ads that fill the entire screen
• Ads that automatically play a video
• Ads that trick you into clicking on them by pretending to be a close button
• and many more

A single violation won't move a site into the blocked list. There are thresholds Google will be looking for and a site can come off the "bad" list if it removes the offending ads.

Google probably realized that these ads are forcing users to install aggressive ad blocking add-ons which are having an impact on its revenue. 
 

Link: Google blog post

What is the best outdoor knife?

Those who know me well know that I love the outdoors and I love knives. If I were stranded on an island and could only bring one home comfort, it would be an outdoor knife. Having many outdoor enthusiast readers, I am regularly asked what knife I like best. 

When I first started studying survival skills, I had the misguided belief that the more expensive your equipment, the better it must be. I quickly learned that this wasn't always the case and sometimes even the most basic tool, used correctly, could be a lifesaver. 

Nowhere is this more true than outdoor (camping or survival knives). I say outdoor because my choice for an everyday carry knife is very different. 

Outdoors you say?

I have been camping for 30+ years and have been interested in wilderness survival and native survival skills for the last five years. I have been fortunate enough to have participated in training camps with some of the industries most recognized names in forests hours from the nearest city. 

While camping or during a survival event, a knife could be the difference between life and death. It can help you catch & process food, build shelter, start a fire and much more. In the wild, I can

• make a natural "sleeping bag" with logs and leaves
• make utensils and plates from logs
• use rocks as cookware on a fire

What I can't make in the wild is a knife. Sure you can use a sharp rock, but that won't allow you to batton firewood or perform any of the hundreds of tasks a real sturdy knife can.

Let's be clear, a knife without training won't save your life. But with decent knowledge, a bit of practice and a good knife, you can save your life even in the most treacherous environment. 

What about a multitool?

I carry a Victorinox Swiss Champ with me every day (EDC). I wouldn't leave home without it. I own and carry various dependable leatherman multitools, but in the wild, I want a knife. A multitool just wouldn't be able to take the abuse of real outdoor survival. You try batoning a log with a multitool and see how long it lasts. 

Aren't all survival knives the same?

The answer is No. Just in case you were confused, the answer is no, no and no. Go to any Walmart, and you will find a dozen knives marked as survival knives. Most are garbage, but unless you are an experienced user, you will undoubtedly be overwhelmed with conflicting marketing messages and the sheer number of possible options.

An excellent outdoor knife will:

• Be a multi-use item but not a multi-tool. You will have to stay away from the specialized products (e.g., blades with hooks to help gut a catch, a tanto point to stab, etc.)
• Be durable in the field. You need a tool that is designed to last and won't fail you when you need it most. Remember "that which can fail will fail." This is why I stay away from folding knives when looking for the ideal outdoor knife.
• Be built for survival and hard use. The ideal knife must be full-tang which means the blade's steel runs into the handle. Some knives have a long thick tang in the handle (typically more expensive), while others use a skinnier metal body in the handle (typically less expensive). 
• Be budget friendly. The more expensive your knife, the less likely you are to use and abuse it. The knife must be "expensive enough" to be well designed and crafted using quality materials, yet cheap enough that you will use it in the wild (you can't cry every time you baton logs with it). 

What characteristics should I look for?

Blade: My preference is the Scandinavian grind (SG). The SG is a wide flat bevel (V) that wind to the end of the blade. There is no secondary bevel. This produces a knife with excellent cut control. It is slightly more fragile than over edges and can be strengthened with a slight secondary bevel. This is a blade edge that is easy to maintain in the field with a single sharpening stone and sharpening requires less skill [compared to other edges]. 

Length: Blade length is a very personal decision, but I have found 4-6" to be the sweet spot. Too short and the knife's usefulness is greatly diminished. Too long and the blade will be difficult to control and will be on your way when hanging on your belt.

Price: As mentioned earlier, it has to be expensive enough to be well built from quality materials. It shouldn't be too expensive causing you to avoid using it in the field. 

What is the best outdoor knife?

If I had to pick one knife right now that I would want in a survival situation, it would be the Morakniv Garberg MultiMount. Anyone interested in camping or survival has probably heard of MoraKniv. The poster child for Mora knives (Mora is a region in Sweden) is Cody Lundin from the Aboriginal Living Skills School and TV personality.

The Garberg meets all of my requires. It is durable, versatile, easy to maintain in the field and affordable. I have used the cheaper $20 Mora knives in the early days, and most of them are still in my collection today and are regularly used.

The MoraKniv Garberg has a simple but comfortable plastic handle which means you have better control and won't have hand pain after extended use. 

It is a full-tang knife, which means it can withstand the abuse of batoning. You can easily baton 3.5-4inch pieces of wood with ease.

The Morakiv Garberg uses 14C28N stainless steel which does not rust, hold's an edge relatively well and is easy to sharpen in the wild with a stone. Surprise surprise it has a Scandinavian grind. 

The back end of the blade has a 90-degree spine so you can use it with magnesium or a feral rod to start a fire. 

The Garberg comes with a nice sheath that works well for righties or lefties. Mora also included Velcro straps that allow you to easily hang the knife on a free or a backpack (Molle attachment). The blade is made from rust-resistant stainless steel but Mora still included drainage holes in the sheath (a nice touch). 

To make a good knife deal even better, Morakniv offers a lifetime warranty that covers defects. As long as you have maintained the knife according to their guidelines and haven't abused the product, Morakniv will fix or replace the product if you have any issues (this is their Knife for Life guarantee).

The price

This is not a sponsored post so I won't link to any specific retailer but you should be able to buy a Morakniv Garberg Multi-Mount (make sure you pick up the multi-mount version) for $70-$80 USD (~$125CAD). Online retailers, you can check out include:

• USA: Amazon, KnifeCenter, Cutlery USA, MEC, etc.
• Canada: Adventure Pro Zone, Canadian Outdoor Equipment, Bushcraft Canada, etc
• Europe: Bushgear UK, Knives, and Tools, Amazon, etc. 

Make sure you shop around because prices can be $10-30 different per site for the same item.

You sure?

I have tested over 50 knives in the last 3 years and conducted hours of research before choosing this knife. I take this type of review seriously and put in the hours, so you don't have to. As I write this (December 2017) The Morakniv Garber multi-mount is the best deal on an outdoor knife available. The offers the biggest band for the buck and has the least negative characteristics. 

Link to Morakniv

Note: This is not a sponsored review. 

Tech titans Google and Amazon chose Christmas 2017 to battle it out for your love and money. These smart speakers are designed to quickly provide access to each company's ecosystem and make your life easier. At least that is the promise. 

I am heavily invested in the Google ecosystem and have been for over ten years. In addition to using their free services, I pay for Google Music, storage, have an android phone (so I buy apps), etc. 

I signed up for the free Google Apps service in 2007 (predecessor to GSuite) when each domain was given 100 free user accounts. This was a great way to provide essential internet services to my family for my kiledjian.com domain (emails, calendar, etc.)

The Google home

These devices can answer questions about science, history and everything in between. Most buyers use these smart speakers as intelligent modern voice-controlled boomboxes. 

I have owned a Google home almost from its original release date and picked up a Google home mini for my bedroom. 

In addition to making money from the sale of these devices, companies like Amazon and Google hope to lock users into the ecosystem. Except...

The Google Home and Google's account issues forced me to move from Google Music to Spotify.

The music problem GSuite accounts

With an individual music subscription, I can only stream to a single device at a time. I can't listen to music on my smartphone in the gym while my kids listen to music at home. 

I tried to upgrade to a family account, only to be told by a support agent that GSuite accounts are not eligible. So if I wanted to enable on-demand commercial-free music on my multiple devices, I needed to move to Spotify, which I begrudgingly did.

Rant

There have always been irritants when using Gsuite (Google Apps) accounts with some Google services. Until now, all of my issues have been irritants for me, but have not affected Google, which may be why they have never solved this issue. 

This is a situation where their complacency has cost them subscription dollars (steady recurring income). I know that only a small minority of Google's millions of users are affected by this issue, but I receive a constant flow of complaints from my readers about it. 

This is the issue when dealing with giant faceless internet companies like Google. No matter how annoying some of their actions may be, there is nothing you can do as a customer. Your only option is to pick up and spend your money elsewhere. 

TL;DR: Internet traffic to and from major tech companies (Apple, Facebook, Google, Microsoft, Twitch, NTT Communications and Riot Games) were redirected through a Russian provider Wednesday. This appears to have been a deliberate hijack and not an error. 

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

BGP is a routing and reachability protocol used on internet backbones around the world. It is what allows carriers to find routing information between each other (in simple terms).

2 BGP monitoring services have reported short changes to the routing of key internet giants, and they do not believe this was a mistake. 

BGPMon recorded two three-minute hijacks affecting roughly 80 address blocks.

Qrator Labs recorded a two-hour hijack affecting 40 to 80 address blocks.

As mentioned in the BGPMon release, AS39523 is a Russian organization that has been inactive for years. The last time we saw them, they were involved in another BGP "incident" that involved Google.

Luckily most of the traffic that passes through these providers is encrypted at a level that is believed to be currently unbreakable. The concern is that a state-sponsored attacker could have new decryption algorithms that are not yet publicly known and it does means the traffic "could" have been decrypted (however unlikely it remains a possibility). 

How can you test the speed (performance) of my VPN service provider? I receive this question regularly, and I thought it was about time I wrote an article about it. 

When evaluating internet speed, there are dozens or hundreds of different parameters that can influence your final score. In the world of VPN, these may include:

• The distance between you and the VPN server - even though most of your traffic is flowing at the speed of light, users have become accustomed to super speedy internet and even the slightest delay is noticed. If I am sitting in Toronto but using a VPN in Switzerland (where privacy laws a much stronger), I should expect a more noticeable slowdown in my internet speed.
• VPN server capacity - Most internet service providers "over-sell" their service to offer lower prices. If too many of their customers try to log into the same servers at the same time, they will experience noticeable performance reductions (slowdowns) and maybe even dropped connections (which could lead to your private information leaking). I only use VPN providers that show the loads on their servers.

• Your Internet Service Provider speed (ISP) - Obviously your VPN performance can never exceed the "last mile" performance of your Internet Service Provider. Remember that the speeds plastered on their marketing material are usually indicative speeds and many services see severe performance degradation during peak usage hours (when everyone is trying to stream Netflix or Youtube content). Additionally some regional Internet Service Providers throttle (aka slow down) VPN connections on their home use plans to encourage corporate customers to buy corporate (more expensive) plans. The only time a VPN connection may be faster than your native ISP performance is for controversial protocols like BitTorrent. Some ISPs throttle the performance of BitTorrent and so hiding it inside a VPN may deliver better performance. 

• Device capacity - An often overlooked performance limiter is the ability of your local VPN termination device to compute the required encryption/decryption quickly (most often a PC, laptop, smartphone or tablet). The faster your internet speed, the more processing power your end device will need to "keep up". 

How do I test VPN speed?

The only way to test VPN speed is to use one of the (well designed) speed testing sites. 

SpeedOfMe

SpeedOfMe is a nice light HTML5 speed test service that works on every device (Windows, MAc, iPhone, iPad, Android, Chromebook, etc).

TestMy.Net

What makes TestMy.Net interesting is that use multiple download servers and combine the information to provide one real world statistic. They use IP geolocation to find servers in your terminated area.

TestTest by Ookla

No speed test article would be complete without mentioning Ookla. They are the 800lb gorilla. Just make sure the test server is in your termination city otherwise you will get a false score.

When something leaks, it's usually bad news. A leaking pipe in the kitchen or a leaking radiator. The same principle applies to your VPN. When a poorly designed VPN fails and leaks your data, that's the start of a bad day.

Unfortunately, there is no visible indication that your VPN is leaking.    Obviously, well-designed VPN services do not leak, my favourites being: 

• VyprVPN Review

• Honest review of the ProtonVPN service

• Honest review of the Tunnelbear VPN service

When looking for VPN leaks, we typically evaluate these angles:

• DNS leaks
• IP address leaks (IPv4 & IPv6)
• WebRTC leaks

Below are basic instructions on how to quickly identify VPN leaking. If you are more paranoid or highly technical and demand to use your magical IT skills, you can also inspect the packets using tcpdump or WinDump while running the below tests. 

It's time to start testing

• ipleak.net  (tests IPv4, IPv6, WebRTC & DNS)
• dnsleak.com (tests DNS)
• perfect privacy ip checker (tests IPv4 & IPv6)
• perfect privacy WebRTC check (test WebRTC)
• testipv6.com (tests IPv6)
• dnsleaktest (use extended - tests DNS)
• browserleaks WebRTC (tests WebRTC)
• browserleaks IP (tests IPv4 & IPv6)
• ipx.ax (tests IPv4, IPv6, WebRTC, DNS)

What am I looking for?

Obviously, you connect to your VPN service first, then visit all of these sites. The hope is that none of the information shown should actually be associated with your "real" computer (IP address, DNS server and WebRTC). 

The most significant failure I see with most VPNs is DNS and WebRTC leakage.

If your VPN service provider offers multiple servers, then you should run the tests with the various servers.

If your VPN service provider offers multiple protocols, then you should run the test with each of the protocols.

I have found some VPN providers where it did not leak on one server but leaked on another. Where it did not leak via one protocol but leaked with another. Testing the various combinations is time-consuming but critically important. 

The above test shows that the VPN is protecting my IP and DNS information but in this case was leaking my private 10.x test lab internal IP address (which is obviously bad). When I switched to a new server from the same provider, the leak stopped.

Mobile phone VPN leaks

An August 2016 research paper highlighted the issue of IP leakage on Android smartphones. They discovered that 84% of Android VPN apps leaked the user's "real" IP address.

What is WebRTC and why does it leak?

WebRTC is an API standard that allows voice and video chat without needing to install any plug-ins. It is a cross-platform web browser standard. 

The "trick" to leaking your WebRTC information is to use basic Javascript to send a UDP packet to a Session Traversal Utilities for NAT (STUN) server. That server sends back a packet containing the IP address where the request originated. 

If vulnerable, you will see your internal IP Address in the WebRTC response. 

What is DNS and why does it leak?

The domain name system (DNS) is a special global directory that converts URLs into numeric addresses that the internet can route. If you enter kiledjian.com into your browser from New York, your DNS server will return the numeric routable IP address for my website 104.28.2.40. 

DNS services are typically provided by your internet service provider or company. Anytime you try to access a webpage; you ask that DNS server for the numeric routable IP address of the site and thus your provide (or school or company) have a running list of every website you tried to access. When using a good VPN service, all DNS requests should be routed to their anonymous DNS service thus protecting your browsing information. When your browser sends the request to your ISP DNS anyway, that is called a DNS leak because your privacy is "broken".

Do I need a dual-sim phone? The answer is probably not. Most people sign a carrier contract and live with that service for two years. 

There is a small niche group that could benefit from a dual-SIM phone, and this is an article for them. Who are these mythical "special" people:

• users with a personal and professional mobile phone line that want to carry one phone
• users that travel often and want to use a low-cost SIM in their destination
• users that live in regions were carriers aren't national providers, and "good" coverage requires service from 2 providers (much of Asia)
• users that can find low cost unlimited data-only SIM and want another SIM for voice calls and text messaging, 

Not all dual SIM phones are created equal. 

Categories of dual sim phones

Passive dual-sim phones

Passive dual-SIM phones can only use one of the SIM cards at a time which means the user can switch between SIMs using software or a physical switch. 

Standy dual sim phones

Standby dual sim phones (often with the MediaTek chipset) use both SIMs using time multiplexing. Anytime you start using one of the sims (to make a call, send a message or use data), the other SIM is ignored. If someone calls the second sim when the first one is "active", the caller would receive a busy signal.

Active dial sim phones

Active dual-sim phones are capable of using both sims simultaneously and typically have to IMEIs since the phones come equipped with two radios. 

and we continue...

Because things weren't complicated enough, there is also the concept of unequal connectors. Some phones will be passive or active dual sim but may only be able to support full speed 4G on the primary SIM while slowing down to 3G/2G for the second sim.

Some buys mistakenly assume you can leverage both SIMs simultaneously for doubly fast data connectivity. This simply isn't the case. Dual sim capable phones do not perform network bonding to allow dual network stream aggregation. 

When I upgraded my daily drive smartphone, I switched from an iPhone 6s Plus to a Note 8 dual sim. When not travelling, the second slot hosts my SD card, but when I travel, I will load my KnowRoaming SIM. 

I know several account executives that use dual sim phones (one with their personal sim and the other with their work one). This means they can carry one device yet send/receive messages from either. Even in Canada, I know people that use dual sim phones with low-cost fringe providers. They use these providers when in their home zone for cheap service but switch to a pay as you go national carrier when outside of their "home" coverage area.

My Note 8 SIM Manager

• I can choose if both SIMs are active.
• I can choose which service to use with which SIM by default (calls, texts, mobile data).
• I can even ask the phone to confirm which SIM card to use before each call.

Another important consideration

With carriers that support VoLTE (Voice over LTE) or VoWIFI (Voice over WIFI), this functionality is typically only supported on the primary SIM slot. Don't expect both to support VoLTE and VoWIFI. 

Where do I buy a dual sim phone?

Most North American phone models do not come in dual sim versions. The most common way to buy a dual sim phone is either from an importer or you have to import one from a region that sells these devices.

My 128GB dual sim Note 8 was imported from Hong Kong by a Montreal based smartphone importer called PDA Plaza (this is not an ad and is not a sponsored post). I was able to buy my dual sim phone cheaper than what I would have paid locally from Samsung, Bestbuy or my carrier.

There are many options to choose from including Samsung, LG, Asus, OnePlus, etc. Just make sure you check the specifications and ensure the device supports the dual sim model you are looking for.

Examples

Asus Zenphone 5

OnePlus 5T

Huawei Mate 10 Pro

Xiamo Red Mi dual sim

Amazon Music Unlimited is (in my opinion) just another streaming music service, but since it's Amazon, it's worth mentioning. 

It is expanding to 28 additional countries, so the world a little more inclusive today. Similar to another (nameless) streaming service, Amazon Music Unlimited stresses the fact that its playlists are "human curated". 

The requisite PR created launch statement can be found here. 

The new countries being shown some love by Amazon are:

• Belgium
• Iceland
• Bolivia
• Latvia
• Bulgaria
• Liechtenstein
• Chile
• Lithuania
• Colombia
• Luxembourg
• Costa Rica
• Malta
• Cyprus
• Netherlands
• Czech Republic
• Panama
• Ecuador
• Peru
• El Salvador
• Poland
• Estonia
• Portugal
• Finland
• Slovakia
• Greece
• Sweden
• Hungary
• Uruguay

I live in Canada, and the Echo product line just launched here. Chances are the country you are in (if not the US) either doesn't have or just received the Amazon Echo line of products. For those of us not yet invested in the Amazon voice assistant product line, there is little to get excited here. 

Not very exciting for most of you but news worthy since its Amazon. 

Chrome Remote Desktop has been around for years and has always been a free and reliable alternative to products like TeamViewer, GoToMyPC, and many more. 

Not only was (and is) it a free service but even the most non-technical user could get it setup and running in a matter of minutes: download the Chrome extension, install a mini app, set up a local password and voila. 

Long live Progressive Web Apps

I will write about Progressive Web Apps in a future article but I am in love with them. PWAs are magical web "apps" that work online, offline and on all device types.

Google has redesigned its Remote Desktop access site (which had not been updated in years) to act like a PWA ( https://remotedesktop.google.com )

Using this website, you can now access a Google Remote Desktop simply and efficiently using any mobile browser. This new approach no longer requires extensions (to access remote desktops). 

A new feature is the ability to connect to a Chromebook remotely. This only makes sense when using it for remote support. 

To request support, you visit the site, install the mini app and click on Request Support. Your support person visits the site, uses the code and within seconds is helping you solve your issue. 

Official information from Google is scarce, and there aren't any support write-ups about this new refreshed version. Obviously, this was updated to support their effort to kill all Chrome apps. Consider this service beta and expect it to have a few hiccups, but it is a wonderfully promising start. 

ZDNet got the scoop on this significant leak. AI.type, a third-party keyboard replacement for Android has leaked data for its 31 million users online. 

How did this happen? A database administrator didn't secure the database.  Anyone with basic skills could access and query the unprotected database and "have fun" with the 577 GB of data it contained.

What type of data leaked? The leak includes fun elements like name, email address, precise user geolocation data, city and country. Researchers have also found [that some records contain] phone numbers, IP addresses dates of birth, gender, etc.

Why stop there? Researchers also found that some user contacts were in the database. One table contained ~375M telephone numbers.

This is a perfect example why Apple forces users to enter passwords and sensitive information using their native keyboard (even if the user has chosen to install a third party one.)

On Android, I use the Google keyboard for this exact reason. Another alternative is Swiftkey, which now belongs to Microsoft (another company I would trust).

Google apps have hundreds of features (some from Google, some from third parties) most users don't know about. In this short article, I want to share four tips that will make your life writing in Google apps easier (useful for students and professionals alike). 

Voice Typing

Over the years, I have spent hundreds of dollars on voice typing apps for Mac and Windows (most going to the Dragon Naturally speaking product line from Nuance software). 
For 85% of users, these expensive & complicated products are overkill, and Google makes it's excellent voice recognition engine available for free to all Google Docs users. 
Just click on tools and select Voice Typing.

• You can check out the Google Support doc explaining this feature here but it is so simple, you should be able to turn it on and start using it immediately. Remember that you can also dictate punctuation:
• Period
• Comma
• Exclamation point
• Question mark
• New line
• New paragraph

Write well with Grammarly

Grammarly is a free (has a paid upgrade) service that helps improve the quality of your writing by :

• Checking your grammar
• checking contextually aware spelling
• recommending vocabulary enhancements

In its simplest (free) form, Grammarly is a Chrome plug-in that works seamlessly with most web services (including Google Docs), and their correction engine is much more robust than simple word misspelling detection. 
You can upgrade to their premium service which costs ($11.66 a month when paid annually). In addition to all the features included in the free version, the premium service adds:

• advanced check for punctuation, grammar, context and sentence structure
• vocabulary enhanced suggestions
• genre-specific writing style checks
• Plagiarism detector that references more than 8B webpages

Most users will be perfectly fine with the free version so check it out.

Grade readability

The free Hemingway App allows you to paste content into its online editor and assigns a readability score. It uses colour highlighting to identify hard to read sentences. It provides tips on how to simplify the text, use of passive voice, etc. 

There is a $19.99 premium version that operates as a standalone app (Windows and Mac only) but the web version works fine and is accessible anywhere you have a web browser.

Use a Chromebook

Those that have been following me for a while know I love Chromebooks. Chromebooks aren't perfect and won't meet everyone's requirements. Chromebooks do provide a stable, safe and reliable platform when using web-based services. 

Everything mentioned in this article is based on the web or is a chrome extension. These tips will work flawlessly on Chromebooks (whether a $200 Lenovo or a $999 Pixelbook). 

I've been using a Skyroam hotspot for many years now and my 2 most popular blog posts (for the old device and service) are here: 

• Skyroam Global Hotspot review

• The hidden danger of using the SkyRoam global WIFI Hotspot

They recently upgraded their back-end service and global WIFI hotspot, and I wanted to test and review it for you. 

Solis is the latest version of the Global WIFI hotspot sold by Skyroam. For those new to this company, they offer a small portable global WIFI hotspot that works in 100+ countries, costs $10US a day for unlimited data and is activated on demand.
 
Although I had many complaints about the pass purchase process with the original product, their hotspot has been part of my every day (EDC) carry kit for three years now.

The Solis improves on its older brother in 2 days:

• it now supports LTE speeds on countries were it is available (otherwise it drops down to 3G) 
• it can now operate as a backup battery (in a pinch) to charge your mobile phone

Nice little intro video

I have had the Solis for several months and have already taken it on a US road trip. It is a well-built successor to the original Skyroad hotspot, but the world has changed.

When I started using the original Skyroam in 2014, my carrier didn't offer a global travel package, and it was a pay per megabyte type affair. It got very expensive very fast. Today my carrier offers a US travel package for $7 a day or a global package (in 80+ countries for $10 a day).

If all you need is access on one device, then your carrier package may be more advantageous since it is immediate and does not require any changes. But.... The Skyroam Solis offers coverage in more countries and can provide wonderful internet goodness to up to 5 devices simultaneously. 

In my case, I still rely on Solis or KnowRoaming when I travel since I know that they will offer service everyone for one set price and it is one less worry when I travel. 

The device

If you look at the above picture, the Solis is a beautifully visible shade of orange. It is made of plastic that should withstand the rigours of travel very well. If the battery does weaken, you can order a replacement from Skyroam.

I find the Skyroam Solis much easier to carry than its competitors (including the Geefi).

Using the device

You probably noticed that the device (unlike its older brother) doesn't have a screen. To manage the device, you turn it on and connect to it from your smartphone. You will then be presented with an information page showing signal, passes left, battery level, etc. To use the device "in the field", you turn it on then press the WIFI button on the top. This automatically applies one of your day passes and you get 24 hours of internet. It knows where you are and downloads a virtual SIM for the Skyroam partner in that country. 

You can travel to as many countries as you want during that 24-hour window. All you have to do when you switch countries is turn the unit off and back on. When it starts up, it will identify the local country and download the appropriate country SIM.

You could open the a.skyroam.com captive portal from any device with a browser but it is formatted for smartphones (will look odd on a laptop). Why isn't it responsive?

The Solis is charged with any USBC adaptor which is fantastic if you have a USB C smartphone and laptop. You can charge everything with one adapter.  They provide a mini USB-C to USB-A adapter so you can charge other devices from the Solis but I wouldn't recommend it. WIFI needs every little bit of juice in that battery. 

In my testing (in zones with good LTE coverage and with 1 device connected), I was able to eek out 10-14 hours of usage on a single charge. This number will drop if the wireless signal is weak and/or if you connect multiple WIFI devices to the hotspot. When I tested it with a Chromebook and a Note 8 smartphone, I still got 10 hours of solid use (usage was primarily web pages without heavy streaming).

The software is periodically updated which is a nice touch. I recommend you start the device and let it connect to your local home network (without using a pass) before travelling. If the device needs an update, better to do it now then at a foreign airport waiting for the 15 minute upgrade process to complete. 

How fast is the connection?

I will not post speed test results because that depends on the local carrier, congestion, etc. I will say that in my testing, the Solis achieved LTE speeds comparable to an iPhone 6s Plus. The Note 8 outperformed it with is carrier aggregation technology. 

There is an LTE cap of around 500MB in a 24 hour period. After this, they throttle the connection down to 2G. They claim that this isn't automatic and done to protect the experience for all customers, but I hit this limit consistently (for testing) and saw my speed drop to dial-up performance. At the lower throttled speed, even simple apps like Google Maps took forever to load, and GPS navigation became impossible. 

I understand the need to control their costs but wish there were a way to buy more LTE access if I needed it. 

What about security?

September 2016, I reached out to Skyroam and complained about major security gaps on their online pass purchasing website. After multiple attempts to responsibly disclose the issues (with no follow-up from Skyroam), I wrote an article about it. I am happy to report that the new version of their online portal has fixes all of the issues I previously reported.

What about the general security? It is as secure as your home internet connection. My standing recommendation is to use a VPN where/when possible. You can get a VPNUnlimited lifetime VPN subscription for 5-devices for $18 (promo link), so you have no excuses.

So should I buy a Skyroam Solis?

So the question you are asking yourself is "Should I buy the Solis?". There is no simple answer. If you used the old version, then the Solis is a wonderful upgrade. Every time I tried it, it worked flawlessly without a hitch. The cost is predictable, and I have a bunch of passes purchased ready to use when needed. 

If you are a European with an EU SIM travelling within the EU, you get free roaming anyway. If you are an American with one of those great TMobile plans with free global roaming, you probably don't need this device either. 

A Skyroam PR rep had said months ago that additional functionality would be unlocked on the device (like Bluetooth and GPS), but since they are not available today, I can't factor them in as a benefit. 

For everyone that travels more than twice a year (and doesn't have free roaming), you really should consider it. The best recommendation I can make is that I own one and carry it with me every day (even when in my home country). I will be travelling considerably over the next four months (within the USA and globally) and will be using this thing a lot. 

If you travel once a year and don't want to buy a Skyroam Solis, you can rent one directly from the company. They will mail it to you or you can pick it up (US pickup is available in San Francisco, Atlanta and Austin.)

I've written about the VPN Unlimited service before, you should go read the review. 

If you check out the VPN Unlimited purchase page, you will see that they are running a promo and selling it for $149.99. Normally StackSocial sells this same plan for $49.99 but wait ...

They are currently running a promo and have marked it down to $29.99, but wait ...

If you add it to your cart and use the code CYBER40 at checkout, the price drops to $18.

I don't know how long the CYBER40 promo code will work so if you are interested, buy it soon.

Special discount page: link

If you buy Google new premium Chromebook, the Pixelbook, you now receive a free Google Home. This promo is live now and runs until December 31, 2017, and is open to Canadian customers. 

To receive your free Google Home, all you have to do is add it to your shopping cart with the Pixelbook, and the price will be $0. 

Offer is available while supplies last (shouldn't be a problem) and remember that the Pixelbook is not available in Quebec (probably since they don't offer french keyboard, box and manuals. 

Google Store

Quad9 is a new DNS service launched by a non-profit consortium (founding members are IBM Security, Packet Clearing House & Global Cyber Alliance). The promise of the Quad9 DNS service is good security using the knowledge of some of the world's leading security research firms, by merely changing your default DNS server and ALL for free. 

The service is (not so creatively) called Quad9 because the DNS address is 9.9.9.9

Is the Quad9 service fast?

I used the free DNS Benchmark tool by Steve Gibson with connections from Canada, the USA, the UK and Switzerland. I performed ten tests from each region, and in every test, the Quad9 service was in the top 3 fastest DNS services available. In most cases coming in first. 

Quad9 is lightning fast because they use anycast routing which automatically finds and uses the nearest DNS server to the user. 

At launch, the service is powered by 70 servers in 40 countries, but the intention (in 2018) is to grow the fleet to 160 servers.

So how does it improve my security?

So why should you switch from your existing DNS service to the free Quad9 DNS service? Quad9 is a security and privacy enhancing DNS service that delivers much more security than any other DNS service currently available to consumers (more than your ISP, OpenDNS, etc.)

Quad9 says " Quad9 blocks against known malicious domains, preventing your computers and IoT devices from connecting malware or phishing sites." The threat intelligence is provided by the IBM X-Force but also includes 18 additional threat feeds from partners. Typically companies would pay tens of thousands for this level of protection and they are offering it for free.

You can configure your home router to use Quad9 and all device inside your house would be automatically protected (including that cheap easy to hack $29 webcam you bought from a shady online reseller). 

If a device (using Quad9) tries to contact a "bad" site, they will get back an NX domain error code (aka not found). This is how they prevent devices from being directed to dangerous sites.

Remember that a known good site could have been compromised and therefore could attempt to pull content from a shady site. Quad9 will prevent this from happening. 

Quad9 will continue adding features to further improve your security.

What about false positives?

They maintain a list of the 1,000,000 most used sites on the internet as a whitelist. This means that they cannot (mistakenly) blacklist an important site and make it unavailable. 

It looks like a well designed and well thought out platform.

What about my privacy?

The first thing you should realise is that most home connection use the DNS services of their ISP, and I consider most ISPs as the least trustworthy operators in your computing chain. Most are willing to sell your data cheaply to anyone willing to buy it.

Quad9's privacy statement is clear "No personally identifiable information is collected by the system. IP addresses of end-users are not stored on disk or distributed outside of the equipment answering the query in the local data center. Quad 9 is a nonprofit organization dedicated only to the operation of DNS services. There are no other secondary revenue streams for personally identifiable data; and the core charter of the organization is to provide secure, fast, private DNS."

Conclusion

I switched to Quad9, and it has been everything they promised. I recommend everyone reading this switch and try it out. It is one more layer of protection, and this one is easy & free.

Bitcoin is all the rage, and everyone is talking about it.  Any discussion or write up about Bitcoin usually starts with the fact that is it a decentralized digital currency. Decentralized means that no government or company controls it and it also means each participant is on his/her own when it comes to protecting their Bitcoin investment.

With US fiat currency saved in a bank, you have a high level of confidence that the money will be there in a day, week, month or a year. If the unthinkable happens and the bank is hacked,  most bank deposits are federally insured, and the government will make you whole.

Bitcoin does not have any insurance or governmental oversight. Any Bitcoin left on an exchange is only as secure as that exchange's platform.

In Bitcoin, your ownership is confirmed using a super secret private key. When you store coins on an exchange, they hold the private keys for these coins. Any hacker that manages to obtain these private keys can, therefore, control your (now their) coins and move them into a new account they control. Once your coins are gone, there is no way to recover them.

How to secure your Bitcoin

The first rule is: do not leave your Bitcoins on an exchange. Most theft happens from exchanges because hackers know that compromising one exchange can yield millions in gains.

Some Exchanges (e.g., Coinbase) offer offline cold storage options. These are more secure than their traditional active accounts (since they double check transaction requests and have long waiting periods), but if someone steals the private keys due to infrastructure insecurity,  they would be able to access your coins.

The second rule: control your private keys. When managing your private keys, computer security becomes critically important. I have written dozens of articles about it, so I won't take a deep dive here, but you'll have to spend some time thinking about it.  

In TL;DR form: I recommend that you chose the safest and most robust computing environment when processing your private keys or performing Bitcoin transactions (purchase, sale or transfer). For most individuals, I recommend using a name brand Chromebook. A Chromebook a purpose-built device running Google Chrome on a very secure Linux operating system. Google continuously updates Chromebooks. Chromebooks offer a small attack surface and are less susceptible to compromise than a Windows or MacOS device.

Now that you have a secure platform to complete your transactions, the next question is: Where do I store my private keys?  

You should keep a small amount of Bitcoin in a reputable smartphone app, where you can access it quickly if you feel like spending it.  I like the Jaxx wallet (it is simple, well written and cross-platform).

You should store most of your bitcoin in a purpose-built offline (not on your computer or connected to the internet) hardware device. My device of choice is the Trezor wallet, but there are other excellent options (e.g., Ledger). These devices generate and protect your private keys. By keeping your private keys offline, they are immune to infections on your computer or constant hacking attempts. A Chrome extension powers the Trezor wallet, therefore it works beautifully on a Chromebook.

When setting up these hardware wallets, you generate a special recovery sentence (typically consists of 20 unrelated words). You should write this down on paper and store it somewhere safe. Never save this online, since anyone with access to this code could recover your private keys and steal your money. In the unlikely event that your hardware wallet dies, you can order a replacement and restore your private keys (during initialization) by entering your unique secret recovery sentence.

As cryptocurrency matures and becomes more widespread, I believe people will have to take a more active role in protecting their own money.  It's probably a good idea to dip your toe now and start learning the ins and outs of crypto currency.

I've been involved in technology for a long time and bought my first real personal digital assistant (PDA) in 1997. It was an Apple Computers MessagePad (Newton) 130, and it was a thing of beauty. It had handwriting recognition, an external keyboard attachment and fueled my geek dreams about what wondrous technologies the future would bring.

Along the way, I owned hundreds of devices including Palm pilots, Treos, Handspring devices, Nokias and almost every other portable gadget in between.

As you can imagine, I also bought the first iPhone and almost every one since (in the last ten years). Every time I watched an Apple keynote, I was like a kid in a candy store. I starred at the presentation anxiously waiting to see what amazing new technologies Apple would bring into my life. Apple didn't invent most of that tech, but it usually made it usable and practical.

Then Steve passed away, and many were worried whether Apple had lost its mojo. Fans defended the Cupertino giant, but we started to see some cracks forming in its otherwise perfect and shining armor. Tech reviewers what would never have dared to challenge the superiority of the big Apple began to ask difficult questions.

For the past five years, I have been carrying both Android and IOS smartphones, but the iPhone has always been my primary daily driver. September 2017, was time for me to upgrade my "primary driver" from an iPhone  6s Plus + an iPhone 7 (yes I have both). I watched the keynote and was dumbfounded by the iPhone X. It was a beautiful piece of kit but had a screen smaller than the plus models and a price tag of $1500CAD. The camera wasn't materially better than the one in the iPhone 8 Plus. The only new "thing" it brought to the table was the FaceID sensor, an OLED screen, and smaller bezels.  

Apple technology innovation

Surely I had missed something. A ~$400 price increase had to bring something new and revolutionary? But it didn't. Having been a gadget geek for the last 25+ years, I knew perfectly well that previous devices  contained technology Apple commercialized many years later:

• wireless charging (HTC Droid DNA in 2012 - Apple in 2017)
• dual rear cameras (HTC One M8 in April 2014 - Apple 2016)
• OLED screen (Nokia N85 in October 2008 - Apple in 2017)
• Fingerprint scanner ( Motorola ATRIX 4G in March 2011 - Apple 2013)

Apple made many of these technologies better but by the time it included it, Android devices at half the price of an iPhone had them built in.

Apple has been a significant force pushing smartphone manufacturers to make safer, more secure devices and operating systems. This has been a clear win for consumers. Good healthy competition is good for the marketplace.

Is the iPhone more secure than an Android device?

Technologically yes. Apple's IOS is designed with strict application controls to protect user information. Its hardware (e,g, the secure enclave) is a thing of beauty and incredibly well designed to protect your biometric and financial information.

In the real world, for the average consumer that is not being targeted by skilled blackhat hackers or nation-state threat actors, both can be made equally safe with minimal handling precautions.

Not in my walled garden

A couple of months ago, Apple made headlines when it blocked all VPN apps from its China app store. This decision was made to comply with local laws, and Apple had no choice. The problem arises when you realize that Apple doesn't have a mechanism for users to sideload apps onto its devices.

Sideloading apps is a risk because it could be an attack vector, but shouldn't the user be able to accept the risk and perform their desired action on an $800-1000 device?

This had a chilling effect on some activists in China, but the same model of application category control could be applied to anything else in any other country (e.g., a country can outlaw social media or dating apps, etc.).

Time to switch?

Apple's latest financial results show that the company is doing smashingly well. They are selling record numbers of mobile devices, and their cash horde is only getting larger. Any talk about its demise is greatly exaggerated.

There is, however, a growing number of users, who were once ardent fans gobbling up all Apple branded tech, as fast as the company could release them, that are now looking at alternatives. I am amongst this group. My decision to switch isn't based on the cost of the device,  but on the more advanced Artifical intelligence features like the built-in assistant.

Android Auto versus Apple CarPlay

My latest car can support both platforms, but anyone that has used Apple Maps will tell you, it sucks. I can't tell you how many times it has navigated me into a major traffic jam or has taken me 20 minutes in the wrong direction. Apple doesn't like competition and would rather offer a sub-par experience to its users and maintain control.

On Android Auto, I can use other mapping apps, but on the iPhone, you can only use Apple Maps.

On Android Auto, you can choose which music app is your default and voice control it. On Apple, you can only voice control Apple Music.

And this is an example of the user-hostile behavior exhibited by Apple. Not only does it block competition, forcing you into inferior apps, but it isn't even improving the core interaction mechanisms of Car Play: the visual interface and SIRI.

SIRI the terrible

Most iPhone users from teenagers to CEOs use Siri a couple of times at first, then give up. I had hoped that Apple would update Siri's capabilities with IOS 11 (particularly with the expected December release of the Siri powered home speaker system, the HomePod). Surely Apple would impress us with massive gains in understanding and capabilities. Nope. Nothing.

While the Amazon Echo and Google Assistant improve every month, Apple hasn't developed Siri in years. It feels like Amazon and Google are working in internet time while Apple is working ... To be honest, I don't even think they are working on Siri. I say that facetious. I know they are working on Siri, but until users benefit from that work, it is useless.

The big data problem

I work in security and understand that absolute security is the enemy of usability. An absolutely secure system is not usable.
In the enterprise space, we are continually struggling to find the right balance between security and usability.

It feels Apple has taken a more security-focused approach and is willing to sacrifice modern functionality.

Any modern deep learning expert (aka neural networking that powers smart assistants) will tell you that the key to success is having vast amounts of ingestible data. Apple doesn't have this type of data because of it is privileging user privacy, whereas Google and Amazon do. Where Apple's image search can show you a dog, Google's can find the chihuahua on a beach eating a hotdog.

Siri is a parlour trick you get tired of after a day or two. Google Assistant will become a real time saver and thus will become something you will likely come back to over and over.

The latest and greatest thinking in machine learning from Geoffrey Hinton may eventually be beneficial for Apple. It is called Capsule Theory and is a new way of developing machine learning models that require much less data, but this is still early day research.

Conclusion

As I search for my next daily driver, I am testing a handful of new Android smartphones that I will review shortly on my blog. First-up will be a review of the Samsung Note 8. I won't be discussing the specifications but looking at it from the viewpoint of an iPhone user considering the switch.

I am hoping to also get my hands on a Mate 10 Pro, Pixel 2 XL and the ONePlus 5T.