Honest review of the Tunnelbear VPN service


I've written about half a dozen articles over the last couple of weeks reviewing various VPN services. I asked my social media followers what other VPN services they wanted me to review, and many readers requested that I review TunnelBear. So here is my review of the TunnelBear VPN service.

TL;DR - TunnelBear is an excellent service that won't disappoint.

First, it meets the multi-platform requirement. It supports macOS, Windows, iOS and Android (with browser extensions for Opera and Google Chrome). These are the most requested platforms and will meet the needs of 95% of its user base. If you are a tinkerer who wants an OpenVPN configuration file or router support, you will be sorely disappointed (see VyprVPN in that case). They have talked about a very manual configuration option for Linux using OpenVPN, but it isn't for the faint of heart.

TunnelBear has about 19 server locations worldwide. This is in strong contrast to companies like HideMyAss that offer 720+ servers in 190+ countries. Countries listed during my test included: United States, United Kingdom, Canada, Germany, Japan, France, Italy, Netherlands, Sweden, Switzerland, Ireland, Spain, Singapore, Norway, Denmark, Hong Kong, Brazil, Mexico, India.

One issue I have with many services is that there is no "auto-connect to the fastest server" option; TunnelBear has one. When compared to VyprVPN, UnlimitedVPN (KeepSolid) or HideMyAss, TunnelBear's performance was always a little bit slower. YouTube always fell back to a lower quality, and downloading files always took a bit longer.

Many VPN services just provide a plain "we do not collect logs" statement. As a more technical user, I expect a little more "meat" behind a statement like that. You can read the TunnelBear privacy policy here.

I appreciate the honesty and clear privacy terms provided by TunnelBear:

By using our services, you authorize TunnelBear to use your information according to Canada’s laws, regardless of which country you are located in
TunnelBear explicitly does NOT collect, store or log the following data:

- IP addresses visiting our website
- IP addresses upon service connection
- DNS Queries while connected
- Any information about the applications, services or websites our users use while connected to our Service

Canada is a member of the Five Eyes, and as a Canadian, I believe my information is collected and shared with the other members of the spying consortium. My preference is a VPN service headquartered in Switzerland (or another privacy-loving locale).

TunnelBear also offers a free tier (500MB per month) to anyone who wants to test their service or has very limited needs. Free VPN service is a rare offering from a reputable company, and one TunnelBear should be very proud of. 

You can earn one free GB of additional traffic by tweeting about TunnelBear using an in app feature. I tried this twice, and they added 1GB each time within 10 minutes.

I tested Netflix USA with the TunnelBear VPN turned on and Netflix detected the connection as a VPN and refused to show the US catalogue. 

Pricing

  <img src="https://ekiledjian2.micro.blog/uploads/2025/22c8320f73.jpg" alt="">

The annual TunnelBear subscription is $4.99 a month which is competitive. If you shop around (check out the link in my KeepSolid UnlimitedVPN review) you can get a similar VPN service at $49.99 for an unlimited lifetime subscription. 

Conclusion

TunnelBear offers an easy-to-use VPN service for the average Joe. It doesn't offer a tonne of client support. It is based in a high-risk country (Canada), and the price is average.

If you look around on deal sites, you can find an UnlimitedVPN lifetime (5 devices) deal for $49.99, which is a better deal. UnlimitedVPN is based in the USA, so it suffers the same headquarters location issue (being based in a Five Eyes country) as TunnelBear. The difference is you get a tonne more exit servers than with TunnelBear.

For real security, I would say check out Private Internet Access or ProtonVPN.  


Install IOS Update 10.3.3

As mentioned in my various articles, keeping your operating system and applications updated is a critical component of good overall security.


Apple released iOS 10.3.3 yesterday, and among all of the bugs it fixes, there is one nasty security vulnerability that justifies installing it now. Right now. Do it. I'll wait. Come on, we don't have all day.

Put Apple's banal-sounding description aside for a second ("A memory corruption issue was addressed with improved memory handling"). The vulnerability, CVE-2017-9417 (nicknamed Broadpwn), is in the firmware of the Broadcom BCM43xx Wi-Fi chipset and lets an attacker within Wi-Fi range run arbitrary code on the Wi-Fi chip with no user interaction at all. Code running on the Wi-Fi chip sits below anything the operating system can see, which makes it a foothold from which the rest of the device can be attacked.

To be clear, millions of Android smartphones (e.g. HTC, LG, Nexus and most Samsung devices) are also vulnerable to Broadpwn.

Google also shipped the Broadpwn fix in its July 2017 Android security bulletin (you are receiving the security updates for your phone, right?).


Google hopes Hire gives it a stronger foothold in corporations

Google sees the corporate world as an excellent cash cow and has been working hard to secure its place there. Most recently we have seen the fruits of that labour with redesigned G Suite offerings, the Jamboard and more.

Google is the king of data and has decided it can help HR do a better job at recruitment. Google Hire is a purpose-built solution that promises to make the entire hiring process easier and more efficient (from finding candidates to managing them).

The target customer is the small or medium organisation that may not be using any of the larger more expensive and complicated tools. 

  • A 2015 report by Bersin (Deloitte) claimed it took on average 52 days to fill a position (up from 48 in 2011) at a cost of about $4,000
  • 48% of small businesses report there are few or no qualified applicants for the positions they are trying to fill (NFIB)
  • 27% of respondents believe lengthy hiring timelines are a major impediment to increasing staff headcount (Recruiter Sentiment Study 2015 2nd Half, MRI Network, December 2015)

So all in all, we can safely assume the hiring process is broken in small to medium size companies, which may equate to a nice chunk of change for Google (if it plays its cards right).

Google Hire is built on the G Suite platform and integrates with email and calendaring. In addition to winning new business by offering innovative, cost-effective solutions for the SMB market, it also adds value to G Suite.

It is conceivable that a long time Microsoft Office customer may eventually switch to Google's G-Suite if it has enough value added features. 

I have spoken to dozens of medium-sized start-ups that just don't want or need the big Office 365 offering and are just looking for an excuse to make the jump. It is small but targeted offerings like this that may make the difference.

You can check out the Google Hire website for more details.


Get thousands of dollars of Microsoft ebooks for free


It's Christmas in July for any tech enthusiast who loves getting "something for nothing". The books are presented in a plain text list (without pictures) and organised by category and file format.

There are no limits, conditions or restrictions. You can download one, or you can download them all.

The books will interest hardcore IT administrators or casual Windows users looking to sharpen their skills. You can click on this link to see the massive list.

Some General computing topics include:

  • An employee’s guide to healthy computing
  • 10 essential tips and tools for mobile working
  • How To Recover That Un-Saved Office Document

There are books on Azure. Books for developers. Books on SharePoint, Dynamics CRM, PowerShell, SQL Server and more.

Don't miss this opportunity. Download them now.

 


Review of HideMyAss VPN (HMA)

After writing my first VPN service review a couple of weeks ago, I asked my readers "what other VPN services" I should evaluate. A much-requested one was HideMyAss (HMA), so here is that review.

You can't evaluate VPN service providers without looking at HideMyAss. They have ads everywhere. My first experience with HMA was through a 1-month free offer provided by Anonabox.

Most security blogs and posts on review sites give HideMyAss a poor rating because they have (allegedly) turned over user log information to authorities (without putting up a fight).  Others complain that the service is "feature light".

HideMyAss has a massive network of termination points (one of the biggest in the world). 

HideMyAss cost

  <img src="https://ekiledjian2.micro.blog/uploads/2025/9dd5cdd907.jpg" alt="">

HideMyAss has increased its prices over the years and has a single tier plan (aka you don't pay for usage volume or number of connected devices).

Your commitment term determines your monthly price. At $6.99 for 12 months, they are competing with the likes of VyprVPN and ProtonVPN. HideMyAss is almost double the price of Private Internet Access (PIA), which is regarded as one of the best from a privacy-guarding perspective. Another much more popular, cheaper alternative is UnlimitedVPN.

Once a season, HideMyAss does run a 50% off promo so....

HideMyAss features

The first major feature is the sheer size of its VPN network. HideMyAss offers 720+ VPN servers in 320+ locations in 190+ countries.

  <img src="https://ekiledjian2.micro.blog/uploads/2025/51bec6ab5c.jpg" alt="">

Now we get to the less well-featured part of our program. HideMyAss supports two simultaneous connections per subscriber. ProtonVPN supports 2 with its $4-a-month Basic plan. VyprVPN supports five simultaneous connections with its $6.67-a-month plan. VPN Unlimited is offering a $49.99 lifetime plan with five simultaneous connections.

HideMyAss supports OpenVPN, PPTP and L2TP. Stick with OpenVPN: PPTP's MS-CHAPv2 authentication has been practically breakable since 2012, so a PPTP tunnel should be treated as unencrypted.

People who buy HideMyAss aren't power users but people looking for a "simple" VPN solution with an extensive termination network. They support terminations in locations like Serbia and Malawi.

Is HideMyAss Secure and Private?

So many security forums and Reddit threads discuss how HideMyAss (allegedly) turns over user data to police with little pushback. The most prominent example of this accusation is a 2011 situation where it is believed HMA turned over user information for Cody Kretsinger. Cody Kretsinger was a member of LulzSec and arrested by police for hacking Sony Pictures (he was convicted of the crime). 

There are dozens of other such claims, just do a quick Google search.

  <img src="https://ekiledjian2.micro.blog/uploads/2025/d8952657db.jpg" alt="">

Reading the End User License Agreement, you learn that HideMyAss (Privax) is a UK company now owned by Avast (a Czech company). The UK is not known as a haven for privacy: under the Investigatory Powers Act 2016 (the "Snooper's Charter"), the Home Secretary can require communications providers to retain connection metadata for up to 12 months.

The HideMyAss privacy statement for their VPN service says "We will store a time stamp and IP address when you connect and disconnect to our VPN service, the amount data transmitted (up- and download) during your session together with the IP address of the individual VPN server used by you. We do not store details of, or monitor, the websites you connect to when using our VPN service. We collect aggregated statistical (non-personal) data about the usage of our mobile apps and software." HMA claims this information is kept for 2 to 3 months, but the UK Investigatory Powers Act allows the government to require that this type of information be kept for up to 12 months.

Does HideMyAss allow peer-to-peer networking? The answer is yes for legal content and no for illegal content. Here is an example of a Reddit thread where a user claims HMA cut off his service for downloading copyrighted content. In this thread, a user called neonovo says "Yes, two dmca notices from the vpn hide my ass, which as they did not hide my ass I did some much-needed research and found btguard."

I do not condone downloading copyrighted material or breaking any laws but knowing your VPN will (allegedly) roll over quickly is not comforting.

If you want to download torrent-based content (legal, of course), you should check out the list of torrent-friendly providers maintained by TorrentFreak.

Is HideMyAss secure?

I emailed HideMyAss support asking for details about its encryption technologies and was directed to this support write-up. This write-up does not answer any of my questions about what ciphers are used and how. I believe some of their protocols (like L2TP) use pre-shared keys (which is a bad thing).

Without any additional information, I have to assume the worst and say "I don't consider HideMyAss secure at this point". My starting position is to assume technology is insecure unless proven otherwise.

I could not find DNS leak protection as an option in the Windows client, but my tests showed that it did not leak DNS information. 
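The mechanics behind a DNS leak test, as an added example (this is not the author's test harness and not HMA's client): a resolver only stays inside the tunnel if the kernel's longest-prefix route for the resolver's address points at the tunnel interface. The routing table and resolv.conf below are constructed, and the interface names tun0/wlan0, the tunnel resolver 10.8.0.1 and the server address 203.0.113.10 are assumptions.

```python
import ipaddress

# Constructed sample data (not captured from a real machine): a laptop whose VPN
# client pushed a low-metric default route into tun0 but left the ISP/router
# resolver reachable over the physical NIC. Assumed names: tun0, wlan0.
ROUTES = [
    # (destination, interface, metric)
    ("0.0.0.0/0", "tun0", 10),        # VPN default route, preferred by metric
    ("0.0.0.0/0", "wlan0", 600),      # original default route, still present
    ("192.168.1.0/24", "wlan0", 0),   # home LAN
    ("203.0.113.10/32", "wlan0", 0),  # the VPN server itself must stay on the physical NIC
    ("10.8.0.0/24", "tun0", 0),       # tunnel subnet
]

RESOLV_CONF = """\
# constructed resolv.conf: tunnel resolver first, router resolver left behind
nameserver 10.8.0.1
nameserver 192.168.1.1
options edns0
"""

TUNNEL_IFACES = {"tun0"}


def parse_resolvers(text):
    """Return the nameserver addresses from resolv.conf-style text."""
    out = []
    for line in text.splitlines():
        parts = line.strip().split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            out.append(ipaddress.ip_address(parts[1]))
    return out


def lookup_route(dst, routes):
    """Longest-prefix match, ties broken by lowest metric, the way the kernel picks."""
    best = None
    for net_s, iface, metric in routes:
        net = ipaddress.ip_network(net_s)
        if dst not in net:          # also false when IP versions differ
            continue
        key = (net.prefixlen, -metric)
        if best is None or key > best[0]:
            best = (key, iface)
    return best[1] if best else None


def leaking_resolvers(resolv_conf, routes, tunnel_ifaces):
    """Resolvers whose route leaves via a non-tunnel interface: each one is a DNS leak."""
    leaks = []
    for resolver in parse_resolvers(resolv_conf):
        iface = lookup_route(resolver, routes)
        if iface not in tunnel_ifaces:
            leaks.append((str(resolver), iface))
    return leaks


if __name__ == "__main__":
    for addr, iface in leaking_resolvers(RESOLV_CONF, ROUTES, TUNNEL_IFACES):
        print(f"DNS leak: resolver {addr} is reached via {iface}, outside the tunnel")
```

On Windows this route check is necessary but not sufficient: the resolver sends queries out every adapter in parallel, so a resolver on the physical adapter leaks even when the tunnel resolver answers first. That behaviour is what OpenVPN's `block-outside-dns` option and the "DNS leak protection" toggle in vendor clients exist to stop.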

HideMyAss performance

Assuming everything above didn't scare you away, you may be wondering about performance. Any time I perform a VPN test, it is done using a 100 Mb/s fibre connection (<10 ms ping) with a cleanly installed and patched Windows 10 computer connected directly to the internet connection.

Some HideMyAss connections had excellent performance, and others cut my throughput by more than 50%. Through trial and error, you will be able to find the servers that work best for you, but there is no automated performance cataloguing function.

One item I will add here is the ability to get US Netflix. I test this with every VPN, and Netflix never works, except this time it did with one of the US servers I tested. Since it did not work consistently, I am assuming there were a couple of IP addresses Netflix hadn't catalogued as VPN yet.

Conclusion

I don't use VPN to hide illegal activities. I use VPN to protect my privacy when I am using untrusted networks or from my ISP [read Your ISP is tracking you]. With everything that I learned during this review, I can't recommend HideMyAss. There are so many better options (in my opinion) that you shouldn't settle for a company that doesn't go the extra mile. 


Get 7 months of Microsoft's Groove music service for $10

There's a good chance you have never heard of Microsoft's very unpopular Groove music streaming service (it competes with Apple Music, Google Play Music, Pandora, Spotify, Deezer, etc.).

Microsoft is determined to change the fate of this little-known offering by enticing you to subscribe with a fantastic deal: when you buy a single month of service for $US9.99, they give you two 3-month vouchers to share or use yourself. 

If you are a Microsoft fanboy already paying for this service, then you are out of luck: this applies to new subscribers only.

Here is the fine print:

Offer valid 6:00 PM PT July 10, 2017 until 12:00 AM PT July 12, 2017 or while supplies last for new Groove members only. Current paying subscribers are ineligible to redeem this offer. Valid in the US only. Sign up for a 30-day Groove Music Pass at $9.99 and we will send you two token codes within 30 days, each good for an additional 3 months of music at no charge (for a total of 6 months). Credit card required. Upon completion of the promotional period, membership will be automatically billed as specified at signup unless cancelled. Limit 2 token codes per person. Token codes expire September 4, 2017 and must be redeemed before that date. Token codes may be used by original recipient or transferred to another eligible user. Token codes may only be redeemed once. Cannot be redeemed for cash or promo code(s). May not be combinable with other offers. Void where prohibited or restricted by law. Microsoft reserves the right to modify or discontinue offers at any time.

This is unfortunately a US-only deal.

You can subscribe here


Review of Private Internet Access (PIA)

The question I receive the most is "what VPN service should I use when I travel?".  I started writing and testing the most popular ones and so far you can read these ones:

The next most requested service is Private Internet Access (referred to online as PIA). 

Introduction

Private Internet Access (PIA) is one of the most popular and affordable VPN service providers around. At last count, PIA offers 3,193 servers hosted in 24 countries. PIA belongs to an organisation called  London Trust Media, Inc. 

The tech

Private Internet Access is an easy choice for the general consumer because of the wide range of clients it supports: macOS (10.4 and newer), Windows 7/8/10, Unix/Linux, iPad/iPhone (PPTP, IPsec, L2TP), Android (PPTP, IPsec, L2TP, OpenVPN), DD-WRT, Tomato (OpenVPN), pfSense (OpenVPN).

It not only securely reroutes your traffic, but it can also block ads, trackers and malware. It supports P2P traffic and has a strict no-log policy.

Rick Falkvinge, head of privacy at PIA, talks about their no-log policy and why it matters.

The client

Their clients are simple and straightforward but offer interesting features such as a choice of encryption level, DNS leak protection and a kill switch (which blocks all traffic if the VPN drops).
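A kill switch is nothing more than an egress firewall policy with a default deny, so it is worth seeing what the rules actually have to say. The example below is added here and is not PIA's client code: it emits an iptables OUTPUT policy and evaluates the same policy in Python so the rules can be unit-tested before they are applied. The interface names, the server address 203.0.113.10 (a documentation address), port 1194/udp and the 192.168.1.0/24 LAN are assumptions.

```python
import ipaddress

# Assumed, constructed parameters (not any provider's real values).
TUN_IFACE = "tun0"          # tunnel interface created by the VPN client
UPLINK_IFACE = "wlan0"      # physical interface
VPN_SERVER = ipaddress.ip_address("203.0.113.10")
VPN_PROTO = "udp"
VPN_PORT = 1194
LAN = ipaddress.ip_network("192.168.1.0/24")
DNS_PORT = 53


def iptables_rules():
    """OUTPUT-chain rules for a kill switch. iptables is first-match, so order matters."""
    return [
        # Default deny: if the tunnel drops, nothing leaves except what is explicitly allowed below.
        "iptables -P OUTPUT DROP",
        "ip6tables -P OUTPUT DROP",   # IPv6 must be covered too, or it becomes the leak path
        "iptables -F OUTPUT",
        "iptables -A OUTPUT -o lo -j ACCEPT",
        # The VPN server itself must stay reachable over the physical NIC or the tunnel can never (re)connect.
        f"iptables -A OUTPUT -o {UPLINK_IFACE} -d {VPN_SERVER} -p {VPN_PROTO} --dport {VPN_PORT} -j ACCEPT",
        # Keep the LAN usable (printer, NAS) but refuse DNS to it: a LAN allow that includes
        # port 53 lets queries to the home router bypass the tunnel.
        f"iptables -A OUTPUT -o {UPLINK_IFACE} -d {LAN} -p udp --dport {DNS_PORT} -j DROP",
        f"iptables -A OUTPUT -o {UPLINK_IFACE} -d {LAN} -p tcp --dport {DNS_PORT} -j DROP",
        f"iptables -A OUTPUT -o {UPLINK_IFACE} -d {LAN} -j ACCEPT",
        # Everything inside the tunnel is allowed.
        f"iptables -A OUTPUT -o {TUN_IFACE} -j ACCEPT",
    ]


def allowed(iface, dst, proto, dport):
    """Evaluate the same policy as iptables_rules(), first match wins."""
    dst = ipaddress.ip_address(dst)
    if iface == "lo":
        return True
    if iface == UPLINK_IFACE and dst == VPN_SERVER and proto == VPN_PROTO and dport == VPN_PORT:
        return True
    if iface == UPLINK_IFACE and dst in LAN and proto in ("udp", "tcp") and dport == DNS_PORT:
        return False   # explicit DROP before the LAN allow
    if iface == UPLINK_IFACE and dst in LAN:
        return True
    if iface == TUN_IFACE:
        return True
    return False       # chain policy DROP


if __name__ == "__main__":
    print("\n".join(iptables_rules()))
```

The two easy mistakes are visible in the policy: forgetting the IPv6 chain (the tunnel carries IPv4, so IPv6 traffic quietly takes the physical interface), and a LAN exception broad enough to include the router's DNS service.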

It will let you pick a region to exit from but not a particular server. 

PIA allows you to connect up to 5 devices simultaneously. 

The speed

For comparison purposes, I tested PIA against ProtonVPN, ProXPN, UnlimitedVPN and VyprVPN, all terminating in Canada. My test machine was connected straight into my internet router with no other traffic (keeping the variables controlled). The machine was a freshly imaged Windows 10 with all of the latest patches applied and only Google Chrome installed.

My connection is 100 Mb/s down / 10 Mb/s up. Without a VPN I usually get performance slightly better than advertised. With VyprVPN (the fastest), I managed to get close to 95 Mb/s down / 9.6 Mb/s up. With PIA, I managed 87 Mb/s down / 7 Mb/s up.

My ping without a VPN was below 12 ms but hit around 25-50 with PIA. 

Netflix?

People want to know if they can access US Netflix via PIA and based on my testing, the answer is: almost never. During my testing, Netflix detected the PIA connection and blocked access. A small number of recent online comments (on various sites) said Netflix worked for them but I was not able to reproduce it.

Support

I had no need for support but read dozens of complaints online about their support. Your mileage may vary. 

Price

The annual price here is a no-brainer: US$39.95 a year, everything included. This is an incredible deal. VyprVPN comes in at ~$80 a year (paid annually).

Conclusion

PIA offers a trusted and well respected VPN service for a very competitive price. If you need a layer of protection from your ISP then this is definitely an option you need to consider. Advanced users may find the sparse low granularity interfaces annoying but then again, sometimes you just want things to work without having to tinker. 


Honest review of the ProtonVPN service

UPDATE 7/5/2017: My connection to the ProtonVPN endpoints using their Windows client is extremely unreliable. At random intervals, the connection just "stops working" and the only way to fix it is to connect to a new location. I have had a support request open for over 1.5 weeks and my issue hasn't been resolved yet. I cannot recommend the ProtonVPN service at this time for the reasons listed below and because my experience has been unstable (and support has been slow to non-existent).

------------------------------------------------------------------

Since the official public launch, I have received dozens of emails (and Twitter DMs) from readers asking me to review ProtonVPN. 

A group of scientists with a track record of building secure products (ProtonMail) designed ProtonVPN from the ground up to be safe and privacy-enhancing.  The promise is that they will bring the same end to end encryption model to the highly uncertain world of VPN.

They talk a lot about the benefits of being headquartered in Switzerland, and many of their statements are accurate. Let's talk about the Five Eyes.

Who are the "Five Eyes"?

With the Edward Snowden leaks, we learned about the complex data collection agreements between "friendly" countries. The first significant agreement is called the UKUSA agreement, under which the United Kingdom, United States, Australia, Canada and New Zealand collect, analyse and share intelligence with each other.

This group is referred to as the "Five Eyes" because of their laser-like focus on sucking up incredibly massive amounts of data and sharing it with their "partner" intelligence friends. Some have even accused these countries of using this partnership to circumvent local laws designed to prevent intelligence agencies from spying on their own people (they get another Five Eyes country to do it and report back).

So the Five Eyes countries are:

  1. Australia
  2. Canada
  3. New Zealand
  4. United Kingdom
  5. United States

Not wanting to be left out, other countries later joined as partners, and the extended group is usually called the Fourteen Eyes: the Five Eyes plus

  • Denmark
  • France
  • Netherlands
  • Norway
  • Belgium
  • Germany
  • Italy
  • Spain
  • Sweden
Switzerland is not part of the Fourteen Eyes (or the Five Eyes).

So ProtonVPN is located in a much more privacy-friendly jurisdiction, one that is not party to these formal intelligence gathering and sharing agreements.

ProtonVPN technology

ProtonVPN uses industry-standard OpenVPN over UDP or TCP. It currently has a ProtonVPN-branded Windows client.

  <img src="https://ekiledjian2.micro.blog/uploads/2025/29d0e5c927.jpg" alt="">

As I write this, ProtonVPN allows you to use any OpenVPN client with their service, which is how you can connect from iOS, Android, macOS or Linux. We are being promised clients for these platforms, but there is no firm committed date.
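When you bring your own OpenVPN client, the provider's .ovpn profile is the only place its cipher and authentication choices are visible (the same question the HideMyAss support write-up left unanswered). The audit below is an added example, not ProtonVPN's or HMA's profile or tooling: it parses an OpenVPN client profile and flags the settings a practitioner would reject, with a deliberately weak profile beside a hardened one. The host name vpn.example.net and the key and certificate file names are placeholders.

```python
import re

# Two constructed client profiles (not any provider's real file). The first is
# the kind of minimal profile that is still common; the second is what I would
# accept from a provider.
WEAK_CONFIG = """\
client
dev tun
proto udp
remote vpn.example.net 1194
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
cipher BF-CBC
auth SHA1
comp-lzo
verb 3
"""

HARDENED_CONFIG = """\
client
dev tun
proto udp
remote vpn.example.net 1194
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
verify-x509-name vpn.example.net name
tls-version-min 1.2
tls-crypt ta.key
cipher AES-256-GCM
auth SHA256
block-outside-dns
verb 3
"""

# 64-bit block ciphers (Sweet32-class) and "none". BF-CBC is also the implicit
# default in OpenVPN 2.4 and older when no cipher directive is present.
WEAK_CIPHERS = {"none", "BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC",
                "RC2-CBC", "RC2-40-CBC", "RC2-64-CBC"}
WEAK_AUTH = {"none", "MD5", "SHA1"}


def parse_config(text):
    """Map directive -> argument list. '#' and ';' comments are stripped; last occurrence wins."""
    opts = {}
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        parts = line.split()
        opts[parts[0]] = parts[1:]
    return opts


def audit(text):
    """Return a list of findings; an empty list means the profile passed every check."""
    opts = parse_config(text)
    findings = []

    if "cipher" in opts:
        cipher = opts["cipher"][0]
    elif "data-ciphers" in opts:
        cipher = None                  # OpenVPN 2.5+ negotiates from this list instead
    else:
        cipher = "BF-CBC"              # implicit default on OpenVPN 2.4 and older
    if cipher in WEAK_CIPHERS:
        findings.append(f"cipher {cipher}: 64-bit block cipher or no encryption; use AES-256-GCM")
    for c in opts.get("data-ciphers", [""])[0].split(":"):
        if c in WEAK_CIPHERS:
            findings.append(f"data-ciphers includes {c}: remove it")

    auth = opts.get("auth", ["SHA1"])[0]   # SHA1 is the default when unset
    if auth in WEAK_AUTH:
        findings.append(f"auth {auth}: weak HMAC; use SHA256 or stronger")

    if "remote-cert-tls" not in opts:
        findings.append("remote-cert-tls server missing: any certificate signed by the CA "
                        "(another subscriber's client cert, for instance) could impersonate the server")
    if "verify-x509-name" not in opts:
        findings.append("verify-x509-name missing: the server certificate's name is not pinned")
    if opts.get("tls-version-min", ["1.0"])[0] not in ("1.2", "1.3"):
        findings.append("tls-version-min not set to 1.2 or higher: control channel may negotiate TLS 1.0/1.1")
    if not any(k in opts for k in ("tls-auth", "tls-crypt", "tls-crypt-v2")):
        findings.append("no tls-auth/tls-crypt: control channel accepts unauthenticated packets")
    if "comp-lzo" in opts or "compress" in opts:
        findings.append("compression enabled: compression oracles (VORACLE) can leak plaintext; remove it")
    if "block-outside-dns" not in opts:
        findings.append("block-outside-dns missing: on Windows, DNS queries may go out every adapter, not just the tunnel")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {len(audit(cfg))} finding(s)")
        for f in audit(cfg):
            print("  -", f)
```

`block-outside-dns` is a Windows-only directive; on other platforms write it as `setenv opt block-outside-dns` so the client ignores it instead of refusing the profile. `remote-cert-tls server` is the check most often missing from provider profiles, and it is the one that stops another customer's certificate (issued by the same CA) from being used to stand up a fake server.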

In this day and age, it is unacceptable for a mainstream VPN service to not have its own client on these core platforms. Especially when ProtonVPN is charging premium rates for their services.

Does ProtonVPN slowdown my connection?

I did extensive testing of the ProtonVPN service from various internet connections (home, office, coffee shops and three different cell phone providers). I also used different clients (Windows, macOS, Android and iOS).

If you are using a nearby (non-Secure Core) exit node with low traffic, the performance hit is usually 5-12%. This is no better or worse than other high-quality VPN providers. When you turn on Secure Core routing, you can lose 20-45% of your connection speed because it is sending your traffic through 3 secure data centres plus the exit node.

What is the Secure Core Technology?

Secure Core is a nice enhancement to traditional VPN technology that passes your traffic through multiple ProtonVPN-owned and -managed servers before finally delivering it to the exit node.

  <img src="https://ekiledjian2.micro.blog/uploads/2025/c79b35ea6c.jpg" alt="">

Why Secure Core?

Secure Core was created to add additional protection when your exit node is in a "high risk" jurisdiction. As an example, you may want to exit in the US to gain access to geographically locked content but want to ensure your privacy is protected (knowing that almost all US traffic is captured, analysed and stored).

What does Secure Core protect against?

Leaked documents have shown that governments try to deanonymise Tor users by running or monitoring enough relays to see both ends of a circuit and correlate the traffic, and that controlling exit nodes exposes whatever leaves them unencrypted. The same can be done with VPN exit nodes. Most providers use local hosting companies' facilities, networks and computers as termination points for their VPN service.

  <img src="https://ekiledjian2.micro.blog/uploads/2025/d157676d07.jpg" alt="">

The three VPN services I am testing right now (ProtonVPN, UnlimitedVPN, ProXPN) all use Amanah Tech as their Toronto-based exit point. If a government agency were to compromise the equipment, they could then start de-anonymizing traffic flowing through it.

By routing your traffic first through multiple (typically three) ProtonVPN-owned and -managed devices in secure jurisdictions, they make de-anonymisation (even if a government agency compromises the exit node) much more challenging.

When most people think of governments monitoring internet traffic, they think of (China, Russia, Iran and Turkey). It is important to remember that the 14 Eyes also monitor internet traffic and share the data amongst themselves.

Does ProtonVPN support Peer to Peer protocols (P2P)?

Like all VPN providers, ProtonVPN does not condone the use of their service for any illegal activities (including the illegal download of copyrighted content via P2P networks). Before I start receiving hate mail, I know there are legitimate uses for P2P technologies (like Resilio Sync or Tails OS).

ProtonVPN clearly marks endpoints that they recommend you use with P2P traffic:

  <img src="https://ekiledjian2.micro.blog/uploads/2025/fe54a97397.jpg" alt="">

The double arrows mean that it is a P2P-supported exit node. The onion icon next to Switzerland marks a location that routes into Tor (a Tor entry node).

Does ProtonVPN log?

ProtonVPN is built on a pedigree of privacy, and their stated logging policy exemplifies that. ProtonVPN has a no-logs policy, which means they do not store any information about your connection, what you do while connected or where you connect from.

The only information they log (for security reasons) is a single timestamp of the most recent login from your account.

ProtonVPN sign-up

ProtonMail and ProtonVPN have linked accounts, and payment can be made via credit card or Bitcoin (instructions).

ProtonVPN goes to great lengths to protect your identity, but I would still say it is a privacy tool and not an anonymisation service. The best anonymisation system is still the free Tor Browser (you should donate to them if you haven't already).

ProtonVPN Paid Plans

ProtonVPN offers a free plan but most users will want to upgrade to the Plus paid plan.

  <img src="https://ekiledjian2.micro.blog/uploads/2025/d720795c97.jpg" alt="">

VyprVPN, which is one of the best-in-class VPN providers, offers an annual paid subscription for $6.67 a month. This plan includes their Chameleon protocol (which hides the fact you are using a VPN and makes it usable from some highly restrictive locations). One of the other VyprVPN advantages is that they use their own servers and networks as exit nodes. Is the extra $1.33 a month worth it? That is a personal question. VyprVPN offers Chameleon, but ProtonVPN offers Secure Core. Either will serve you well, but right now I still have to recommend VyprVPN. My recommendation would quickly switch to ProtonVPN if they released clients for the other platforms.

ProtonVPN recommendations

ProtonVPN is a good attempt but there is definitely room for improvement:

  1. Release clients for all major platforms [ongoing]: macOS, iOS, Android.
  2. Build a VPN hiding mode to enable use in highly controlled locations (like Chameleon on VyprVPN and KeepSolid Wise on Unlimited VPN). 
  3. Create mini 2-minute tutorials for the various functions (Tor, Secure Core, P2P support, etc.)
  4. Mark the Plus servers for Plus/Visionary customers
  5. Have a way of routing VPN traffic (for Plus/Visionary customers) that does not show up as a proxy on Hulu, Netflix, etc)

Conclusion

I have tested about a dozen VPN services over the last year, and the top providers are:

  • UnlimitedVPN: Ease of use and speed
  • VyprVPN: Ease of use, Chameleon protocol and they use VyprVPN owned servers and networks
  • ProtonVPN: Privacy oriented Swiss-based solution

The first two are amazing if used in the right context. If ProtonVPN answered my top 5 recommendations, then they would be the clear winner, but I cannot recommend an $8 a month VPN service without native clients on key platforms. As much as I want to, I simply can't.

Right now, I would say ProtonVPN is an excellent choice if most of your use will be on Windows. Otherwise, try VyprVPN for now and check back with Proton in a couple of months to see how the service has evolved. 


Beware of the fake VPN providers

I've written 2 reviews for VPN Services recently:

I've also written 2 reviews for WIFI VPN/TOR portable boxes:

One item I have never covered is the proliferation of scammy VPN services sold by snake oil salesmen. 

With the Edward Snowden leaks and all the media coverage about the loss of online privacy, even the most complacent internet netizens are starting to think about securing their online presence. Protecting it not only from government agencies but from unscrupulous websites and even their own ISP (Your ISP is watching you).

So what was once the domain of geeks and corporations (VPN) has now become mainstream. The truth is the tech behind VPN is complicated for the average Joe to understand and most are simply not interested in digging into the details. It is this nonchalance that attracts scammers trying to make a quick buck. 

Example of scam VPN Service

MySafeVPN was a fake VPN service created by unknown bad guys trying to scam users. They obtained a confidential Plex database and used the customer emails as targets. Each target received an invitation pretending to come from Plex and offering their brand new VPN service called MySafeVPN (discussion thread here). 

Once Plex found out about this fake service, it provided an official rebuttal statement to its users. The scammers quickly disappeared and took the money raised with them.

Copying legitimate services

Imitation is the sincerest form of flattery that mediocrity can pay to greatness.
— Oscar Wilde

Scammers are inherently lazy and love copying what already works. They often copy the look, feel and content of legitimate VPN providers, making it hard for the "average Joe" to distinguish the good from the bad.

Telltale signs of a scammy VPN provider

It's free or unreasonably cheap

Running a VPN service costs money. Providers have to pay for hosting, servers, development and connectivity. If the price is unreasonably cheap, it may just be a pretty interface over public proxy servers, or they probably have another revenue stream (like selling your data or injecting malware into your traffic).

Reputation, reputation, reputation

Search the web and figure out how long the service has been in business. Unless I know something about the founders, I tend not to trust new VPN services (e.g. ProtonMail created ProtonVPN, so I trust them). Search forums for comments (positive or negative). If a bunch of the comments seem to be posted around the same time period, assume that they may be fake.

Outrageous claims

Reputable services provide a certain level of technical detail to back up the claims they make. As an example, ProtonVPN has a "Secure Core" technology which enhances security and privacy. In addition to just talking about it, they provide the technical details of how it works. Beware of VPN providers that make grandiose claims without any supporting technical information (e.g. the fastest, the most secure, etc.).

  <img src="https://ekiledjian2.micro.blog/uploads/2025/932e49b7f1.jpg" alt="">

Support model

A real VPN provider will have solid support channels to ensure its customers are happy. As an example, KeepSolid VPN Unlimited provides support via online form and email. Additionally, you can contact them via Twitter. When you submit a question, they will respond within a reasonable timeframe (even if you are testing the service or aren't even a customer yet).

  <img src="https://ekiledjian2.micro.blog/uploads/2025/a17f5dc477.jpg" alt="">

Conclusion

Like all fraud, detecting fake VPN service isn't always easy or straightforward. I hope the tips and tricks I have provided here will help some of you avoid these unscrupulous scam artists. As always, if you have questions or comments, feel free to post a message below or tweet me (@ekiledjian). I normally answer questions within 48 hours.


KeepSolid VPN Unlimited Review

VPN Unlimited is one of the most popular VPN services available and for good reason. It is fast, reliable and competitively priced (deal below).

VPN Unlimited is a USA based provider and offers termination in more than 30 countries (with multiple locations in most countries). VPN Unlimited has good platform support (Windows, Mac, iPhone, iPad, Android) and very well written clients.

  <img src="https://ekiledjian2.micro.blog/uploads/2025/d1dfbf0fa8.jpg" alt="">

Above is a screenshot of the protection menu option on their iOS client. When set to High security, they (in addition to VPN protection) automatically add anti-malware, tracking blocking and ad blocking. All of this extra security is done at the network layer without the need to configure any additional applications or pay additional fees.

Like most VPN service providers, VPN Unlimited specifically mentions that they do not allow illegal torrenting via their service. They recognise that not all torrents are illegal and allow the use of the BitTorrent protocol on these VPN termination points: US-California 1, Canada-Ontario, Romania, Luxembourg, and France servers.

  <img src="https://ekiledjian2.micro.blog/uploads/2025/0ff528b8d4.jpg" alt="">

A question I get asked often is "Does VPN Unlimited support OpenVPN on iOS, iPhone or iPad?" The answer is yes, as shown in the above screenshot. Additionally, they support a protocol they call KeepSolid Wise (similar to the Chameleon protocol on VyprVPN). KeepSolid Wise uses common ports (TCP 443/UDP 33434), which helps bypass firewall restrictions and packet shaping controls in most environments. KeepSolid Wise is available on iOS, Android, MacOS, Linux and Windows clients.

I set up VPN Unlimited on a Windows machine configured for maximum privacy. I then ran a battery of tests to determine how well it protected my privacy.

  • does not leak DNS queries when in VPN mode (go here to test)
  • does hide your actual IP address (go here to test)
  • does not leak IP or DNS information via Java or Flash (go here to test)
  • protects P2P traffic. Although I do not condone or encourage the use of P2P tools to steal protected media, there are dozens of legitimate uses for P2P technology. It is important to ensure your VPN product protects you while using P2P, and VyprVPN did. You go to this site and find the Torrent Address Detection. You download their magnet link into your P2P client of choice, then activate the test. If it shows your real IP or DNS, you are not protected. You should only see your VPN address here.
  • VPN Unlimited is not subject to WebRTC leaks when in VPN mode (go here to test)

VPN Unlimited seems well written and does offer good protection.

Deal

VPN Unlimited is currently running a couple of specials that are worth considering (I bought the unlimited plan):

  • KeepSolid VPN Unlimited lifetime subscription for only $49.99 (for 5 devices)
  • KeepSolid VPN Unlimited 3-year subscription for only $29.99 (for 5 devices)
  • Add their Infinity Plan (aka 5 additional device licenses) for $14.99, but you must own one of the above subscriptions

Conclusion

The best summary I can give you is that VPN Unlimited has a permanent spot on the first page of my iPhone and I use it regularly.

VPN Unlimited has decent privacy policies but isn't a super secret spy-proof identity protection service. If you want to protect your connection while out and about, VPN Unlimited is cheap, fast and reliable. If you want a super secret identity-protecting connection, then create your own VPN service on AWS or Azure using one of the pre-made scripts.

Questions

Does KeepSolid Wise work in China?

China severely controls encryption and in some cases slows down encrypted connections making them barely usable. A friend recently travelled to mainland China and reported that VPN Unlimited (with KeepSolid Wise UDP) worked flawlessly.

Does KeepSolid VPN Unlimited support video streaming?

Some of the cheaper VPN providers limit the quality of video from streaming sites because these stress the technical infrastructure of the provider. VPN Unlimited supports streaming video on all termination points but also makes available streaming-optimized termination points which are specifically designed to work "better" with sites like YouTube, Dailymotion, Vimeo and more.

Does KeepSolid VPN limit connection speed?

There are dozens of factors that contribute to your overall internet speed but VPN Unlimited does not have tiered pricing based on speed and does not limit connection speed in any way. On most clients, they even show the workload on each termination point which means you can choose one with the least amount of current load (which should lead to better performance).

  <img src="https://ekiledjian2.micro.blog/uploads/2025/0ff5e94ce4.jpg" alt="">

Does VPN Unlimited support Chromebooks?

VPN Unlimited has a Google Chrome plugin (which works on Chromebooks) and allows you to protect your web browsing only. Obviously as a proxy, it is less secure and missing many of the additional features you expect from VPN Unlimited but it is a great way to browse quickly (securely) and a great option on a Chromebook that doesn't require Jedi level knowledge to implement. 


VyprVPN Review

VyprVPN owns and manages its own networks and servers. During my recent VPN testing shoot-out, VyprVPN consistently ranked as one of the fastest VPN providers out there. 

In addition to raw speed, they have an incredible list of supported clients, from traditional PCs (Mac, Windows, Linux), to routers (DD-WRT, OpenWRT, AsusWRT), smartphones (iPhone, Android, Blackphone), Network Attached Storage (QNAP, Synology), TVs and the Anonabox.

Contrast this to other popular VPN solutions like UnlimitedVPN, which only supports a small number of custom made clients.

Its VPN clients are well designed with easy-to-use interfaces and useful features (kill switch, auto-connect, etc.). A cool and useful feature is called Chameleon. They explain Chameleon as:

Our Chameleon technology uses the unmodified OpenVPN 256-bit protocol and scrambles the metadata to prevent DPI, VPN blocking and throttling.

The first important note is that the Chameleon protocol is not available for iOS due to Apple restrictions on the VPN function. I had the opportunity to test the Chameleon protocol on a Windows laptop from a corporate network with strong VPN restrictions, from an ISP that throttles VPN traffic and from a country that severely (painfully) slows down VPN traffic. In all three of these situations, the Chameleon protocol delivered what it promised.

  • It punched through the heavily controlled corporate network
  • When used with the ISP that throttles "normal" VPN traffic, it managed to trick the provider and I was able to use a full speed connection
  • A friend travelling to a highly restrictive country compared VyprVPN to 3 other VPN providers and VyprVPN with the Chameleon protocol was the only one that seemed to operate at normal speed (aka didn't seem to be artificially slowed down)

With more and more internet traffic being encrypted, many companies, organisations and governments have turned to DNS-based control tools. DNS is still an unencrypted means of determining web destinations. DNS can be used to prevent a user from accessing certain types of sites (religious, political, pornography, etc.) and to log web browsing habits. It can also be used to redirect your traffic (quickly, without you even realizing it), to inject your session with malicious code and to compromise your device. VyprVPN offers their own self-managed private "no log" DNS solution to protect their customers from DNS snooping and control.

VyprVPN offers a clear and well-written privacy policy. Obviously you aren't anonymous, but in summary, they retain: "Each time a user connects to VyprVPN, we retain the following data for 30 days: the user's source IP address, the VyprVPN IP address used by the user, connection start and stop time and the total number of bytes used."

And they offer a wide range of termination locations.

VyprVPN and leaktests

I set up VyprVPN on a Windows machine configured for maximum privacy. I then ran a battery of tests to determine how well it protected my privacy.

  • does not leak DNS queries when in VPN mode (go here to test)
  • does hide your actual IP address (go here to test)
  • does not leak IP or DNS information via Java or Flash (go here to test)
  • protects P2P traffic. Although I do not condone or encourage the use of P2P tools to steal protected media, there are dozens of legitimate uses for P2P technology. It is important to ensure your VPN product protects you while using P2P, and VyprVPN did. You go to this site and find the Torrent Address Detection. You download their magnet link into your P2P client of choice, then activate the test. If it shows your real IP or DNS, you are not protected. You should only see your VPN address here.
  • VyprVPN is not subject to WebRTC leaks when in VPN mode (go here to test)

VyprVPN seems well written and does offer good protection.

Beware of the unknown

The only information that we have about the service comes from VyprVPN themselves. Remember that none of the statements about privacy and logging have been reviewed by an independent third party.

They are a US company and therefore they are subject to US data collection laws including the infamous National Security Letter (NSL). 

The above caution statement isn't unique to VyprVPN. I am not aware of any consumer VPN services that have been independently audited but it is still an important factor to consider. 

Some users may want to use a non-US based VPN provider to ensure the company is beyond the legal reach of US laws. The one I am looking into right now is ProtonVPN (which I will be reviewing shortly).

Other users may choose to roll their own VPN solution (Lifehacker instructions using the Algo script, or you can use any one of the other scripts that almost fully automate the creation of a private dedicated VPN instance you control, like OpenVPN Road Warrior, Streisand, etc.).

Conclusion

VyprVPN is a fast service with a broad selection of clients and a decent privacy policy. If you are performing illegal activities or are a human rights activist in a questionable region, this probably isn't for you. If you are a "regular" user looking for a decent level of privacy when using the internet, then this is definitely something you should consider.

For the casual user that only connects to a VPN when using public WiFi, you may want to look elsewhere because VyprVPN isn't cheap. A prepaid annual subscription costs $6.67 a month (or $12.95 paid monthly). A casual user can buy a lifetime subscription to UnlimitedVPN for $49.99 here or a 3-year subscription for $29.99 here.

I started testing ProtonVPN recently and will write a review shortly, but their offering (Plus level) is $8 a month (prepaid for 1 year). VyprVPN offers the Chameleon protocol, more servers and their own DNS service (which ProtonVPN does not yet).

So the price is on the higher end but is in no way the most expensive. For the very casual user, you could be better served by another provider, but for the more security conscious user or traveler, this is definitely a service to evaluate. 


How to protect your PC from infection

Think of all the valuable data your PC contains (pictures, files, invoices, contacts, etc.). Now imagine losing all of that data. Viruses are still a thing, but you should be more worried about ransomware, worms and all of the other digital creepy crawlies roaming the net looking to make you their next victim.

Go read my article entitled "How to secure Windows 10".

Backup everything, then back it up again

In 2012, I wrote an article entitled "The best way to protect your data - images, music, documents". The main point is that you should always remember the 3-2-1 rule of backups:

  1. Have 3 copies of all of your important data (1 primary and 2 backups)
  2. Make sure your 2 backups are on separate media technologies (e.g. 1 on a hard drive and the other in the cloud, or 1 on a hard drive and the other on a tape backup)
  3. 1 of your backups should be offsite in a remote location that would not be impacted by a major disaster that hits your area (e.g. in the cloud).

The advantage of most cloud backups is that they support version control, which means that if ransomware encrypts your files, you can always go back to a known good version. My backup strategy involves:

  1. 1 primary version of my data and a local hard drive backup
  2. 1 complete synchronization of my files on a fully encrypted, trust-no-one online storage service
  3. 1 complete backup using a remote backup service (like Backblaze or Carbonite)
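The versioning point above is what makes a backup useful after ransomware: the copy you restore must predate the encryption, and the backup job itself should refuse to overwrite the last good version with a pile of encrypted files. The following is an added example, not code from the article or from any backup product, showing one way to do that locally: each run produces a complete snapshot with a SHA-256 manifest, a run whose change ratio against the previous snapshot looks like mass encryption is refused, and restore verifies every digest before copying. The directory layout, the 50% threshold and the `demo()` files are assumptions constructed for illustration.

```python
"""Versioned backup snapshots with a mass-change (ransomware) check.

Added example; it is not code from the original article or from any
backup product. It assumes a local source directory and a snapshot root;
the demo() data is constructed.
"""
from __future__ import annotations

import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of one file, read in chunks so large files are fine."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(src: Path) -> dict[str, str]:
    """Map each file path (relative to src) to its SHA-256 digest."""
    return {str(p.relative_to(src)): sha256_file(p)
            for p in sorted(src.rglob("*")) if p.is_file()}


def change_ratio(previous: dict[str, str], current: dict[str, str]) -> float:
    """Fraction of previously backed-up files now modified or missing.

    A normal day changes a few files; ransomware rewrites nearly all of
    them at once, so a high ratio means stop and investigate rather than
    push a new snapshot that buries the last good version.
    """
    if not previous:
        return 0.0
    changed = sum(1 for rel, d in previous.items() if current.get(rel) != d)
    return changed / len(previous)


def latest_snapshot(backup_root: Path) -> Path | None:
    """Most recent snapshot directory; names are zero-padded so they sort."""
    snaps = sorted(p for p in backup_root.iterdir() if (p / "manifest.json").exists())
    return snaps[-1] if snaps else None


def snapshot(src: Path, backup_root: Path, max_change_ratio: float = 0.5) -> Path | None:
    """Copy src into a new full snapshot (like a cloud backup's version history).

    Returns the snapshot path, or None when the change ratio against the
    latest snapshot exceeds max_change_ratio and the run is refused.
    """
    backup_root.mkdir(parents=True, exist_ok=True)
    current = build_manifest(src)
    latest = latest_snapshot(backup_root)
    if latest is not None:
        previous = json.loads((latest / "manifest.json").read_text())
        if change_ratio(previous, current) > max_change_ratio:
            return None
    index = sum(1 for p in backup_root.iterdir() if p.is_dir())
    dest = backup_root / f"snap-{index:04d}"
    shutil.copytree(src, dest / "data")
    (dest / "manifest.json").write_text(json.dumps(current, indent=1, sort_keys=True))
    return dest


def restore(snapshot_dir: Path, target: Path) -> int:
    """Verify every digest in the snapshot, then copy it to target. Returns file count."""
    manifest = json.loads((snapshot_dir / "manifest.json").read_text())
    data = snapshot_dir / "data"
    for rel, digest in manifest.items():
        if sha256_file(data / rel) != digest:
            raise ValueError(f"backup copy of {rel} is corrupt (digest mismatch)")
    if target.exists():
        shutil.rmtree(target)
    shutil.copytree(data, target)
    return len(manifest)


def demo() -> dict:
    """Run the scenario on constructed sample files in a temporary directory."""
    tmp = Path(tempfile.mkdtemp(prefix="backup-demo-"))
    src, backups = tmp / "docs", tmp / "backups"
    src.mkdir()
    for i in range(10):
        (src / f"file{i}.txt").write_text(f"document {i}")
    first = snapshot(src, backups)                 # initial full snapshot
    (src / "file0.txt").write_text("document 0 edited")
    second = snapshot(src, backups)                # 1 of 10 changed: accepted
    for p in src.glob("*.txt"):                    # simulated ransomware: all rewritten
        p.write_bytes(b"\x00encrypted\x00")
    refused = snapshot(src, backups)               # 10 of 10 changed: refused
    count = restore(latest_snapshot(backups), tmp / "restored")
    result = {"first_ok": first is not None, "second_ok": second is not None,
              "ransomware_refused": refused is None, "restored_files": count,
              "file0": (tmp / "restored" / "file0.txt").read_text()}
    shutil.rmtree(tmp)
    return result


if __name__ == "__main__":
    print(demo())
```

The refusal is deliberately conservative: a genuine bulk change (a large reorganisation, say) also trips it, and the right response is the same either way, which is for a person to look before the last good version is buried under a new one.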

Update everything

WannaCry created an incredible outcry in the tech world, with thousands of companies getting infected in hundreds of countries. The truth is that an update published 2 months prior patched that vulnerability. Updating computers in large companies is complicated, but your home PC shouldn't be.

You must must must update your operating system and applications regularly to stay protected.

The latest version of the operating systems from Microsoft, Apple and Ubuntu are all configured to auto-update themselves. In addition to the OS, make sure you periodically check for application updates.

  <img src="https://ekiledjian2.micro.blog/uploads/2025/660020ebd8.jpg" alt="">

If you use an Apple Macintosh computer, you may even want to use something like MacUpdate Desktop to constantly check if any of your installed apps have updates available.

Leave the built-in firewall on

Some "security" apps turn off the built-in firewall, but it is critically important to ensure it is always on. On Windows, you can turn it on/off with these instructions. You can find information about the Apple Mac application firewall here.

Use an antivirus

The question I get asked the most often is "should I buy a third-party antivirus for my home computer?" and my answer is no. Any time you add a third-party tool, you increase the attack surface, so rely on what Microsoft bundles with Windows 10. You can follow these instructions to change the Windows Defender Antivirus cloud-protection level to 10.

In February I wrote an article entitled "Companies buying bitcoin to prepare for cyber extortion" and in there included this paragraph:

Companies have started to jump on the Ransomware protection bandwagon. An EDR and "next-generation AV" company called Cybereason offers a free product called RansomFree. They claim it protects against 99% of ransomware by monitoring how applications interact with files on your computer. Did I mention RansomFree is free? I haven't used their product and thus can't recommend it but it does seem to be useful and could really help the average consumer ensure they don't end up getting victimized.
  <img src="https://ekiledjian2.micro.blog/uploads/2025/5f46bcb888.jpg" alt="">

You can run something like RansomFree on your home PC in addition to the Windows antivirus. 

Upgrade the fleshware

The truth is that even the best, most advanced technology can't prevent an infection if the user does something stupid. Often users are the weakest link in the corporate security chain, and you are no different.

Using good security hygiene will go a long way to protecting you. Basic tips:

  • never open an attachment from a user you do not know well or that you are not expecting
  • never click on a link embedded in an email
  • never install applications from untrusted sources (including torrents or anything pirated)
  • Remember that you can also get infected from a website, so use Google Chrome with the uBlock Origin plug-in

What to do if you get infected?

If a user's PC or Mac does get infected, their first thought is to find someone that can clean it. The truth is that once your PC is infected, it can't really be cleaned properly or trusted. At that point, you must do a clean re-installation from a known clean source and then recover your files from a known good backup.

Some technical support companies will offer cleanup services but don't do it. Once your PC is infected, you don't know what else could be lurking in the background waiting to strike again. The best course of action is to start fresh.

  <img src="https://ekiledjian2.micro.blog/uploads/2025/3ef3cbe435.jpg" alt="">

Hopefully you have backups and everything will work out just fine. If you don't have backups and your files are encrypted by ransomware, you can always check out a free online site called No More Ransom Project and see if they offer a free decryptor for your ransomware. There are no guarantees your infection strain has a decryptor but it doesn't hurt to check.

 


Your cloud provider is making you a target

Phishing is a powerful and effective tool and a favorite in the threat actor arsenal. So what happens when your cloud provider gives threat actors a roadmap to steal from you?

A couple of weeks ago, Workday sent a security advisory to its customers regarding a phishing campaign targeting its customers. Although details of the attack campaign are light, here is what I believe is happening based on discussions on various darknet forums.

What was the Workday phishing attack model?

First, none of this is a weakness or vulnerability in Workday or any of its systems or processes. The threat actors send an email to employees, pretending to originate from a high-ranking executive (CFO, CEO, SVP HR, etc.), asking them to log into "Workday" to fix an issue. This fake Workday site harvests the credentials, which then allow the threat actors to log in and change direct deposit accounts for employees, thus stealing money.

Based on reports I have seen, these emails are professionally written (so they do not contain the telltale signs of being a scam) and are currently not being caught by many large spam filtering services.

How did Workday facilitate this attack?

Like many SAAS and cloud service providers, Workday proudly displays a long list of satisfied customers on its webpage. This marketing list basically becomes an attack plan for these threat actors, who then know exactly which customer to target, with which SAAS provider name and which attack to use.

Security is a balancing act. It always has been and always will be. Ultimate security means severely reduced usability and no marketing. More marketing and usability means less security.
 

Security is a balancing act

Marketing is tasked with growing the business and nothing helps more than social proof (aka showing others that have made the same decision you are thinking about). The fact Workday marketing is publishing hundreds of customer names on its website is aligned with their objective of supporting business growth. After all, why should marketing avoid using all of the tools available to it just to protect the business from some attack that may or may not occur?

Even if marketing hadn't published an exhaustive list, they probably would publish a press release when a new big-name customer was signed. This means a determined attacker could build their own list of high-value targets. Right?

As an example, they published this press release in April entitled "Workday Continues Momentum in Canada." This wonderful piece of marketing includes this section:

  <img src="https://ekiledjian2.micro.blog/uploads/2025/bf1b52f3c8.jpg" alt="">

To be clear, this is not a Workday issue but a generalized cloud services provider issue. As an example, a service provider called CVM solutions has a customer search on its webpage:

 

  <img src="https://ekiledjian2.micro.blog/uploads/2025/d620d5fe1b.jpg" alt="">

Where does marketing end and security start? 

Stop making it easy

In addition to publishing a customer list, most Software As A Service (SAAS) companies publish a custom login page for each customer (which is usually pretty easy to find).

In Workday's case, you go here

  <img src="https://ekiledjian2.micro.blog/uploads/2025/9b66194c34.jpg" alt="">

Enter a customer's name and find their login page

  <img src="https://ekiledjian2.micro.blog/uploads/2025/bb07d907e4.jpg" alt="">

Again, this is a common practice by many large SAAS providers. Even a giant like Microsoft does this for their Office 365 cloud offering. I searched the web for Microsoft Office 365 success stories and stumbled on a blog post.

  <img src="https://ekiledjian2.micro.blog/uploads/2025/d349cfa178.jpg" alt="">

So I know the American Cancer Society uses Office 365. I then need an email address to plug into the portal page so Microsoft switches me to their customized Office 365 login portal. In this case, I chose to use a service called Jigsaw.com (from Salesforce.com) and found the email address of their CEO.

  <img src="https://ekiledjian2.micro.blog/uploads/2025/53b7a53193.jpg" alt="">

Keep in mind that finding email addresses is easy. There are billions of them on the web. There are dozens of hacked site database dumps every week. This is trivial but I chose Data.com just to show it visually here.

You then are sent to the appropriate login page for authentication.

  <img src="https://ekiledjian2.micro.blog/uploads/2025/16283f3d7d.jpg" alt="">

If you are a threat actor, you scrape this page, register a close-looking URL and then target all of the users of Cancer.org you can find (remember there are huge lists everywhere on the web and darknet if you know where to look).
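The defender's counterpart to the "close-looking URL" step above is to watch for it: once you know which SaaS login domains your staff legitimately use, any host in mail or proxy logs that impersonates one of them is worth a look. The following is an added example, not code from the article or from any vendor, of a small lookalike-domain classifier: it treats anything under the organization's own registered domains as trusted, and flags hosts that reuse the brand as a label, embed it in another registered name, or sit within two edits of it after folding common confusables (digits for letters, "rn" for "m", a few Cyrillic letters). The trusted list, the candidate hosts and the confusables table are all constructed assumptions; the last-two-labels rule for the registered domain is a simplification where a real tool would use the Public Suffix List.

```python
"""Flag lookalike domains against an allow-list of trusted login domains.

Added example (not from the original article). The trusted domains and
the candidate hosts are constructed for illustration; the confusables
table is a small hand-picked subset, not the full Unicode list.
"""
from __future__ import annotations

import unicodedata

# ASCII digits/symbols and a few Cyrillic letters that pass for Latin ones.
SINGLE_CHAR = str.maketrans({
    "0": "o", "1": "l", "|": "l", "3": "e", "5": "s", "8": "b",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y",
})
# Letter pairs that render like a single letter in many fonts.
MULTI_CHAR = (("rn", "m"), ("vv", "w"))


def normalize(host: str) -> str:
    """Canonical form for comparison: lowercase, accents stripped, confusables folded."""
    h = unicodedata.normalize("NFKD", host.lower())
    h = "".join(c for c in h if not unicodedata.combining(c))
    h = h.translate(SINGLE_CHAR)
    for pair, single in MULTI_CHAR:
        h = h.replace(pair, single)
    return h


def registrable(host: str) -> str:
    """Approximate registered domain as the last two labels.

    Assumption: a real deployment would consult the Public Suffix List so
    that names under e.g. co.uk are handled correctly.
    """
    return ".".join(host.strip(".").lower().split(".")[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host: str, trusted: list[str], max_distance: int = 2) -> tuple[str, str | None]:
    """Return (verdict, matched_trusted_domain).

    'trusted'   : the host is one of our registered domains or sits under one
    'lookalike' : brand reused as a label, embedded in another registered
                  name, or within max_distance edits after confusable folding
    'unrelated' : none of the above
    """
    host = host.strip(".").lower()
    trusted_regs = [registrable(t) for t in trusted]
    for t in trusted_regs:
        if host == t or host.endswith("." + t):
            return "trusted", t
    reg = registrable(host)
    norm_reg = normalize(reg)
    labels = host.split(".")
    for t in trusted_regs:
        brand = t.split(".")[0]
        if brand in labels:                                   # brand.attacker.example
            return "lookalike", t
        if normalize(brand) in norm_reg:                      # brand-login.example, bran0.example
            return "lookalike", t
        if levenshtein(norm_reg, normalize(t)) <= max_distance:   # dropped/swapped letter
            return "lookalike", t
    return "unrelated", None


def triage(hosts: list[str], trusted: list[str]) -> dict[str, list[str]]:
    """Bucket hosts seen in mail or proxy logs by verdict."""
    buckets: dict[str, list[str]] = {"trusted": [], "lookalike": [], "unrelated": []}
    for h in hosts:
        verdict, _ = classify(h, trusted)
        buckets[verdict].append(h)
    return buckets


if __name__ == "__main__":
    TRUSTED = ["payrollcloud.example", "acme-corp.example"]        # constructed
    SEEN = ["login.payrollcloud.example", "payro11cloud.example",    # constructed log sample
            "payrollcloud.example.net", "p\u0430yrollcloud.example",
            "acme-corp-hr.example", "payrollclod.example", "weather.example"]
    for bucket, hosts in triage(SEEN, TRUSTED).items():
        print(f"{bucket:10s} {hosts}")
```

Tuning note: the edit-distance rule is the noisy one (short brand names collide with ordinary words), so in practice it is the lowest-confidence signal of the three and is best used to rank rather than block.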

Let's be real

Marketing is a business necessity and every company has an obligation to maximize its top line by leveraging everything it legally can. As a potential customer, I love hearing about other customers that have already chosen the product I am evaluating and learning how they leveraged it to improve their operations (Social Proof - Social Influence). If a vendor tells me that one of my main competitors chose their product and that it is contributing to their success, I really want to know more. How can I leverage their tool too?

If I am a threat actor and determined to phish a particular company, there are other means for me to collect the data I need. A popular technique is called Open Source Intelligence (OSINT for short) and the folks at Rapid7 provide a nice example here

Using OSINT techniques, they provide a list of customers that include SAAS providers in their publicly available SPF records.

  <img src="https://ekiledjian2.micro.blog/uploads/2025/57785ecfff.jpg" alt="">

So the question is, how easy do we want to make it for threat actors? OSINT is intelligence gathered from public, legal sources, but it still requires a more sophisticated attacker. Publishing a list of customers on your website means even the most garden-variety script kiddie "attacker" can easily target your customers.
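The SPF point above cuts both ways: the same `include:` chain that tells an attacker which SaaS providers send mail for you is something you can audit yourself, and most organizations discover entries they no longer recognise. The following is an added example, not code from the article or from the Rapid7 write-up it mentions, that parses an SPF record offline, follows `include:` and `redirect=` chains, lists the third-party organizations it discloses, and also reports the DNS lookup count (RFC 7208 caps it at 10) and any loops or missing records. The TXT records are constructed; `sample_lookup()` stands in for a real resolver, which is the one piece you would swap to run this against a live domain.

```python
"""Audit what a domain's SPF record discloses about its mail senders.

Added example; it is not code from the original article or from the
Rapid7 write-up it mentions. The TXT records below are constructed, and
sample_lookup() stands in for real DNS queries.
"""
from __future__ import annotations

from typing import Callable

# Constructed TXT records keyed by name, standing in for DNS answers.
SAMPLE_TXT: dict[str, list[str]] = {
    "acme-corp.example": [
        "v=spf1 ip4:203.0.113.0/24 include:_spf.mailrelay.example "
        "include:spf.hrcloud.example include:_spf.acme-corp.example -all"
    ],
    "_spf.acme-corp.example": ["v=spf1 ip4:198.51.100.10 include:spf.ticketing.example ~all"],
    "_spf.mailrelay.example": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "spf.hrcloud.example": ["v=spf1 include:_netblocks.hrcloud.example ~all"],
    "_netblocks.hrcloud.example": ["v=spf1 ip4:192.0.2.128/25 -all"],
    "spf.ticketing.example": ["v=spf1 a mx -all"],
    "loop.example": ["v=spf1 include:loop.example -all"],
}

# Mechanisms that cost a DNS lookup under RFC 7208 (limit of 10 per check).
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}


def sample_lookup(name: str) -> list[str]:
    """Offline stand-in for a TXT query; swap in a real resolver to audit live domains."""
    return SAMPLE_TXT.get(name.lower(), [])


def spf_record(name: str, lookup: Callable[[str], list[str]]) -> str | None:
    """The TXT string starting with v=spf1, if the name has one."""
    for txt in lookup(name):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None


def registrable(name: str) -> str:
    """Approximate registered domain: last two labels (a real tool would use the Public Suffix List)."""
    return ".".join(name.strip(".").lower().split(".")[-2:])


def audit_spf(domain: str, lookup: Callable[[str], list[str]] = sample_lookup,
              max_lookups: int = 10) -> dict:
    """Walk include:/redirect= chains and report what the record reveals.

    Returns every included name, the third-party organizations among them
    (registered domains other than the audited one), collected netblocks,
    the DNS lookup count, and any loop / missing-record / over-limit errors.
    """
    own = registrable(domain)
    report: dict = {"includes": [], "third_party": set(), "ip4": [], "ip6": [],
                    "lookups": 0, "errors": []}
    seen: set[str] = set()

    def walk(name: str) -> None:
        name = name.lower()
        if name in seen:
            report["errors"].append(f"include loop at {name}")
            return
        seen.add(name)
        record = spf_record(name, lookup)
        if record is None:
            report["errors"].append(f"no SPF record for {name}")
            return
        for term in record.split()[1:]:
            term = term.lstrip("+-~?")              # drop the qualifier
            if "=" in term.split(":", 1)[0]:        # modifier: redirect= / exp=
                modifier, _, target = term.partition("=")
                if modifier.lower() == "redirect":
                    report["lookups"] += 1
                    walk(target)
                continue
            mech, _, arg = term.partition(":")      # first colon only, so ip6 addresses survive
            mech = mech.split("/")[0].lower()       # strip CIDR on a/24, mx/24
            if mech in ("ip4", "ip6"):
                report[mech].append(arg)
            elif mech == "include":
                report["lookups"] += 1
                report["includes"].append(arg)
                if registrable(arg) != own:
                    report["third_party"].add(registrable(arg))
                walk(arg)
            elif mech in LOOKUP_MECHANISMS:
                report["lookups"] += 1

    walk(domain)
    if report["lookups"] > max_lookups:
        report["errors"].append(f"{report['lookups']} DNS lookups exceeds the limit of {max_lookups}")
    report["third_party"] = sorted(report["third_party"])
    return report


if __name__ == "__main__":
    for domain in ("acme-corp.example", "loop.example"):
        print(domain, audit_spf(domain))
```

Read the `third_party` list the way an attacker would, then the way an owner should: every provider on it is a name that can be borrowed for a phish, and any that your mail team cannot account for is an entry to remove.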

I've spent half my career on the consulting and services provider side and understand the hugely powerful tool of social proof. If I tell a small shop owner other small shops (like his/hers) are using a tool and have found it immensely useful, that is a huge motivator. People love seeing others like them making the same decisions. It validates their choices. 

The company I work for recently conducted product reviews for various security tools, and  having spoken to another large multinational customer was one of the reasons we chose that product. It validated our findings and also showed others (like us) made the same conclusions.

There is no real answer

I'm going to disappoint you and say there is no magical silver bullet. Obviously user awareness is critical, since most often the human firewall is what will allow or prevent an attack.

Companies have and will continue using customer names to convince the next prospect to jump on board. Threat actors will always continue to be creative and find new ways to do bad things to good companies.

I believe the only solution is to ensure marketing and security are talking regularly and openly about strategy and impact. It is only through tight collaboration built on mutual respect and trust, that companies can decide what the right balance is between public disclosure and security.

To a hammer, everything looks like a nail. To a security professional, everything looks like a security vulnerability, but it is important to remember that sales is the only reason you are around. Our job as security professionals, is to provide enough security to protect our customers and support our business objectives. 


Michael Moore launches Trumpileaks using strong encryption tools

Image by g4ll4is, used under Creative Commons license.

American politics is an extremely divisive issue and I will not be taking any sides in this debate. The purpose of this article isn't to promote any sides but rather to talk about how encrypted communication tools are being used.

  <img src="https://ekiledjian2.micro.blog/uploads/2025/10da371f56.jpg" alt="">

Michael Moore launched a sub-page to his domain called Trumpileaks. The purpose is to give whistle blowers a "secure mechanism" to share information. 

The website recommends a bunch of encrypted messaging apps to share information via the web or by traditional mail. It recommends the use of Signal, Peerio, WhatsApp, Encrypted Email (Protonmail), traditional mail or general email if you just don't care.

These tools are very good for general secure communication, but not if you are trying to "hide" from the American intelligence community. All of these tools leave a crumb trail of metadata which can be tracked back to you, and the fact this isn't mentioned is irresponsible (my opinion).

What follows is not an exhaustive operational security guide (OPSEC) but just general recommendations.

Protecting your network access

The first thing you will want to do is protect your network identity, which would be used to narrow down a list of suspects when trying to identify you. 

Connect from free WIFI

The first recommendation is to use free open WiFi in a location away from your normal living areas (home, work, etc.). Choose a place that is relatively far away, like a coffee shop. Before using it to leak info, make sure you visit it looking for cameras in and around the area. When visiting it, do not buy anything or leave any trace that you were there.

Remember that your cell phone is a beacon that broadcasts your location constantly and turning it off doesn't work. Either leave it behind or place it in a cell phone blocking Faraday cage bag (buy or make your own). You must block your signals before leaving your house.

I recommend going to your end location using public transit (since your car can get tracked via license plate or in-car navigation). Pay using anonymous transit tokens purchased with cash.

Use an anonymous VPN

Once you have found a good location, you will need a VPN device like the Invizbox (review here, or you can buy it here). Since you will use this once, I recommend buying one with 2 months of VPN access. Invizbox allows you to buy via Bitcoin, so do that. Make sure you set up a non-trackable, one-time-use bitcoin wallet for this transaction and ship the device to a fake name/fake location (so it can't be tracked back to you).

Set up the Invizbox a couple of days beforehand, using a secure machine (described later), at another anonymous WiFi location and using fake information.

Use a service like Fake Name generator to help you create your fake identity. 

When setting up your Invizbox Go, use their VPN service to connect to a location like Switzerland, but do not use their TOR service.

How to buy anonymous bitcoin

Cash is king but for some transactions you may need bitcoin. You can use a site like LocalBitcoins to find a local Bitcoin trader that will allow you to pay cash and stay anonymous. 

  <img src="https://ekiledjian2.micro.blog/uploads/2025/2f5e3be4e7.jpg" alt="I am not endorsing this trader, I am providing this as an example only.">

I am not endorsing this trader; I am providing this as an example only.

Keep transferred amounts small so as not to arouse law enforcement interest (less than $500 per transaction). Use a disposable cheap android phone to host your bitcoin wallet and load only 1 identity on it. 

Create a fake identity that cannot be traced back to you. Buy burner phones with cash.

Remember, making one mistake will cause your anonymity to fall.

Protecting your Operating System

Use a secure Operating System with TOR

Your computer can be compromised to leak your identity. Even without being compromised, it leaks your identity all the time. Not only do you leak data but the unique setup of your computer leaks your digital fingerprint to any site that wants to track you (article here). If you want to test this yourself, check out Panopticlick

Hopefully you now agree that traditional operating systems aren't secure enough for the purposes of anonymity. You will need The Amnesic Incognito Live System, called Tails. This is a free operating system that you boot from a USB key; it is fresh every time you use it and doesn't leave any forensic traces on the machine it was used on.

Tails also routes all internet traffic through TOR or I2P (use TOR). So you will use the Invizbox Go to tunnel to Switzerland and then you will use Tails with TOR to get to the dark web.

Tails is built for privacy and has a specially designed browser to minimize trackability. Ensure you follow the instructions to double-check the integrity of the file you download. You will then need 2 fresh USB keys to build the final Tails USB bootable system.

You will have to make sure your laptop is compatible.

Protecting your transmission

Secure email

If you are going to use email, then make it as secure and anonymous as possible. Use a free ProtonMail account (review here) via TOR.

Anonymize your style - Stylometry

Well funded threat actors and nation state intelligence are able to identify people using stylometry. This is a technology that analyzes your writing style and then uses this knowledge to de-anonymize your content on darknet sites. 

Think of stylometry as a digital fingerprint built against your writing style (how to evade stylometry). You may also want to check out the Anonymouth tool from The Privacy, Security and Automation Lab (PSAL) at Drexel University, Philadelphia, PA.

Using Anonymouth will allow you to engage online while minimizing the intelligence community's ability to perform stylometry on you.

Michael Moore should setup a TOR SecureDrop service

The best way to send information as a leaker is to use a TOR service hosting SecureDrop (created by internet privacy advocate Aaron Swartz). It is an encrypted dead drop used by journalists to collect info from whistle-blowers while protecting their identity.

The Freedom of the Press Foundation has taken over the project since Aaron's death and helps media organizations install and run the tool. The FPF is addressing all of the shortcomings of the original tool.

Don't trust printed leaks

You may be thinking printing and mailing is the best option, but it isn't. Many printers have a hidden feature which adds invisible identification to every printed page (see EFF article here). These "invisible" yellow dots allow intelligence agencies and police to track down which printer printed a document. Recently this technique was used to track down an NSA leaker when a picture of a leaked document was shown by The Intercept and the NSA found out the document was printed on one of its printers.

If you are interested, you can read about this technique here

Conclusion

Simply following the basic instructions on the Trumpileaks website is irresponsible and dangerous. Ask yourself what would be the impact if the leak was tied back to you?  Are you willing to live with the consequences?

Even with strong knowledge and good security hygiene, perfect anonymity does not exist on the internet. If you are determined to leak, learn how to do it properly and take the precautions above, but know that there is always a risk you will be discovered.


Best 360 degree camera for consumers

[caption id="" align="alignnone" width="644"] Nokia Ozo. Photo courtesy of Nokia. [/caption]

360 degree videos are the new THING because they capture more of the experience you are trying to share. Facebook, YouTube and Twitter all support this new, more immersive medium. So the question is "What's the best 360 degree consumer video camera available?" Good question, considering your local Best Buy has over a dozen in store and on display.

Having tested about a dozen of them, the best one is still the Ricoh Theta S. 

  <img src="https://ekiledjian2.micro.blog/uploads/2025/51d88282c8.jpg" alt="">

Why the Theta S? First, it is easy to use: you press the big button and it starts to record. It has built-in Wi-Fi that lets you review the captured content or control the camera from your smartphone. Last but not least, it captures good quality video.

Video is good but not great

When buying one of these devices, it is important to understand that you will get good video, but it won't be ultra-sharp, crystal-clear 4K video (like that from a mid-priced DSLR). The video quality is good and acceptable; the manufacturers chose not to go for very high resolution because stitching it would require too much processing horsepower.

Some technical specs

So what kind of sensor does this little device have? It has two 12 megapixel sensors behind ultrawide 240 degree lenses. The camera processes the two inputs and automatically stitches them into a single 14 megapixel still image or a 1080p video in which the camera itself is hidden.

Pair this 360 degree video with some kind of VR headset (even a cheap Google Cardboard) and you get wonderfully immersive video that feels like you are in the moment. You can look around and see everything. This means you (as the photographer) have to consider the immersive experience when taking the video. Be cognizant of how you are holding the camera.

Let's talk quality of video

The Ricoh Theta S produces very good video with good color reproduction (even in low light situations). Using the smartphone app, you can tune basic settings like exposure compensation, shutter speed and ISO, or go fully manual (which I don't recommend).

Video clips can be up to 25 minutes long. Let's be honest, your videos shouldn't be longer than this anyway.

Let's talk device in hand

The Ricoh Theta S is a slim device, which means it is easy to hold even for people with smallish hands. It is long and narrow, with just enough depth to make holding it easy and comfortable.

It has a plastic surface with good grip that is easy to hold onto. It has a standard tripod mount on the bottom, so you can easily mount it on any tripod (including a flexible Joby GripTight).

  <img src="https://ekiledjian2.micro.blog/uploads/2025/721a5c8267.jpg" alt="">

The device is easy to use and lets you quickly switch from 360 degree video to 360 degree pictures and back, all without fiddling with finicky menus or using the smartphone app. You can turn Wi-Fi on or off (Wi-Fi drains the battery, so turn it off when not needed).

Let's talk battery life

Ricoh doesn't provide good information about battery life. Assuming you are using the device for video and have Wi-Fi turned off, you can expect about 1 hour of use on a single charge. The device does not have a removable battery, so you'll have to recharge it from a portable battery pack when in the field.

It's a 360 degree video

The output from the device is either a JPG or MP4 file with metadata identifying it as 360 degree content. You can upload this to YouTube, Facebook, Twitter or Flickr; the site identifies the file appropriately and performs the required processing in the background to make it immersive and navigable.

Each minute of video consumes about 100MB of storage, and transferring it to your phone over Wi-Fi takes 3-5 minutes. During this time you have to leave the app open and therefore won't be able to do anything else on your phone (or you can transfer it via USB if you have a laptop).

The free Theta+ or Theta+ video apps let you edit videos and even create non 360 degree cropped output files. They are fairly basic but allow you to add text, music or trim the video length.

When possible, use a tripod (even a mini one) to hold the camera otherwise you are likely to see fingers in the shot as you press the recording button. Or use the smartphone app to start/stop recording.

It can live stream

The Ricoh Theta S can also live stream when connected to a desktop with the special Theta software loaded on it (Mac and Windows). To enable live streaming you "Press the shooting mode button and power button of the camera together". 

You can live stream your 360 degree masterpiece to YouTube or Facebook. You may want to add the free OBS Studio app to the streaming mix.

Important considerations

  • First is the price. At roughly US$350 it isn't a cheap product, and it can't be your main or only recording device. 
  • It doesn't shoot in 4K. Considering most people will be viewing this content on VR visors, smartphones or in web browsers, this shouldn't be a major problem, but it is important to remember.
  • The built-in 8GB of storage (no SD card support) is annoying. Its major competitors (the Nikon KeyMission 360, Samsung Gear 360 and Insta360) all accept microSD cards.
  • Without a removable SD card, you also can't just "pop out" the card and transfer data at super fast speeds using a USB card reader.
  • If you edit the 360 pictures, some editors strip the 360 degree marker from the metadata, and the upload sites then won't know the file requires special handling. You can add the marker back, but it's a pain.

Conclusion

If you want to buy an affordable, easy to use 360 degree video camera, the Ricoh Theta S is the one to buy today. It offers the right combination of quality, price and features. With everything said and done, it is still early days and the experience still isn't perfect.

I wouldn't recommend my parents go out and buy this. Not yet. Not right now. If you have a desire for 360 degree video then go out and get one. You won't be disappointed as long as you remember it's not a mass market product yet.

For John and Jane Doe, the technology still needs to mature and improve a bit.

 

 

 


Downloaded over a billion email addresses and passwords this weekend

I am a CISO (Chief Information Security Officer) for a major tech company and manage people, budgets and strategy. But the security researcher in me never went away. Over the weekend our intelligence service downloaded 3 separate dumps totalling over 1B leaked credentials (the largest of which contained 400M+ credentials). The smallest one was a Pastebin dump that contained 6,500 email addresses with cleartext passwords (I was able to verify 3 email/password pairs on the list by contacting people I recognized on it).

We use these lists to check for employees (or close-knit partners) who may be impacted by these breaches.

How most people should check

John / Jane Doe won't look for or find these dumps. So what should they do?

Most people should just go to Troy Hunt's Have I Been Pwned and use the free lookup service.

You visit the site and enter your email address (one at a time if you have several).

  <img src="https://ekiledjian2.micro.blog/uploads/2025/73b3d76be2.jpg" alt="">

And hopefully you get this happy green message telling you everything is ok (at least as far as the site knows; a green result only means your address is not in the breaches it has indexed).

Or you can get the dreaded "red box"

  <img src="https://ekiledjian2.micro.blog/uploads/2025/ae44e70c49.jpg" alt="">

Millions of sites have been compromised

Funny enough, I wrote an article on May 3 called 2017 has started as a busy year for hackers that covered the major compromises we have seen in 2017 (before the major dumps I picked up this weekend). At the end of that article I had a section called What can you do. I suggest you go read it, but the summary sentence is "you are responsible for your data protection".

  •  you are responsible for your data protection
  •  you are responsible for your data protection
  •  you are responsible for your data protection
  •  you are responsible for your data protection

We are complacent and neglectful. We create accounts everywhere using the same easy-to-guess password. Then someone hacks a site with poor security practices and suddenly your entire digital life is on display for the hackers.

LinkedIn lost the account information of 167 million users. To protect passwords properly, sites need to hash them with a per-user salt and a deliberately slow password hash (bcrypt, scrypt, Argon2 or PBKDF2). At the time of the breach, LinkedIn was storing plain, unsalted SHA-1 hashes. What does this mean to you? Without a salt, one precomputed table of hashes cracks every account at once, and because SHA-1 is fast, attackers can test billions of guesses per second on commodity GPUs. Most of the passwords were quickly recovered in plaintext.

It is important that you create a long, unique and random password for each site or service you use.

The moral of the story is that your information will eventually get hacked. Make it difficult for hackers by using a long, complex, unique password for each service you use. That way cracking the security of one site doesn't expose your entire life.

Any time hackers gain access to unencrypted passwords, or crack badly protected hashes, they feed the credentials into automated systems that test them against the top 20 major global websites (Gmail, Hotmail, Outlook, Facebook, Twitter, etc.) to find out which ones are good, fresh and valid. This is known as credential stuffing.

Unfortunately people often reuse the same password, or a derivative of it, and this allows hackers to wreck people's lives.

If a hacker logs into a service with valid credentials, the service will most likely not recognize the login as fraudulent. Don't rely on companies to protect you.

  <img src="https://ekiledjian2.micro.blog/uploads/2025/1035226284.jpg" alt="">

Any time we find a data dump, we look for information pertaining to our company and also analyze the content looking for its source and the hacker behind it.

Looking at stupid passwords in a 6500 account Pastebin dump

People still use stupid, easy-to-guess, dictionary-based passwords. Why oh why? Several dozen people in the above list use Pa55word as their password.

Some people used variations of "123456" such as a123456b.

Other "gems" used as passwords in this dump include: letmein, monkey, trust, trustme, etc. And simple variations of these like adding numbers at the end (letmein01, monkey123, etc).

Don't use common words in your passwords. Use complex random passwords.

Most password managers can generate complicated random passwords, or check out my article entitled 5 best Random Password Generators.
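To show why the LinkedIn-style unsalted hashes and the "Pa55word / letmein01 / monkey123" passwords above are such a bad combination, here is an added example (my own illustration; not code from any dump, cracking tool or vendor) that generates a small mangling-rule wordlist from a few base words, cracks a constructed unsalted SHA-1 dump with one reusable lookup table, and then repeats the attack against the same accounts protected by salted PBKDF2. The five accounts and their passwords are constructed; `DEMO_ITERATIONS` is deliberately tiny so the salted attack finishes in seconds, and the cost of a real deployment scales linearly from there.

```python
"""Added example: dictionary attack with mangling rules, unsalted SHA-1 versus salted PBKDF2."""
import hashlib
import hmac
import os
from itertools import combinations

# Base words and rules modelled on the "gems" in the dump: Pa55word, letmein01, monkey123.
BASE_WORDS = ["password", "letmein", "monkey", "trustme"]
LEET_RULES = [("a", "4"), ("s", "5"), ("e", "3"), ("o", "0"), ("i", "1")]
SUFFIXES = [""] + [str(n) for n in range(1000)] + [f"{n:02d}" for n in range(100)]


def mangle(word):
    """Yield leet / capitalisation / digit-suffix variants of one dictionary word."""
    for r in range(len(LEET_RULES) + 1):
        for rules in combinations(LEET_RULES, r):
            leet = word
            for src, dst in rules:
                leet = leet.replace(src, dst)
            for form in (leet, leet.capitalize()):  # 'pa55word' and 'Pa55word'
                for suffix in SUFFIXES:
                    yield form + suffix


def build_wordlist(base_words=BASE_WORDS):
    seen, out = set(), []
    for word in base_words:
        for cand in mangle(word):
            if cand not in seen:
                seen.add(cand)
                out.append(cand)
    return out


WORDLIST = build_wordlist()  # roughly 44k candidates from four base words


def sha1_hex(text):
    return hashlib.sha1(text.encode()).hexdigest()


# Constructed sample accounts (not real data), used to build both dumps below.
SAMPLE_PLAINTEXTS = {
    "alice@example.com": "Pa55word",
    "bob@example.com": "letmein01",
    "carol@example.com": "monkey123",
    "dave@example.com": "monkey123",          # reuse: identical unsalted hash to carol
    "erin@example.com": "x7#Qm2!vLp9dT4wz",   # long and random: survives the attack
}

# LinkedIn-2012 style storage: one unsalted SHA-1 per user.
UNSALTED_DUMP = {email: sha1_hex(pw) for email, pw in SAMPLE_PLAINTEXTS.items()}


def crack_unsalted(dump, wordlist=WORDLIST):
    """One pass over the wordlist cracks every account at once, and the table is reusable."""
    table = {sha1_hex(cand): cand for cand in wordlist}
    return {email: table[h] for email, h in dump.items() if h in table}


# Salted, slow storage. DEMO_ITERATIONS is tiny only so the demo runs quickly;
# real deployments use >= 100_000 PBKDF2 iterations (or bcrypt / scrypt / Argon2).
DEMO_ITERATIONS = 1


def salted_record(password, iterations=DEMO_ITERATIONS, salt=None):
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify_salted(password, record):
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])


SALTED_DUMP = {email: salted_record(pw) for email, pw in SAMPLE_PLAINTEXTS.items()}


def crack_salted(dump, wordlist=WORDLIST):
    """No shared table: every candidate is re-hashed per user under that user's own salt.
    Returns (cracked, number_of_hash_computations) so the extra work is visible."""
    cracked, work = {}, 0
    for email, record in dump.items():
        for cand in wordlist:
            work += 1
            if verify_salted(cand, record):
                cracked[email] = cand
                break
    return cracked, work


if __name__ == "__main__":
    print("unsalted:", crack_unsalted(UNSALTED_DUMP), "after", len(WORDLIST), "hashes")
    cracked, work = crack_salted(SALTED_DUMP)
    print("salted:", cracked, "after", work, "hashes at", DEMO_ITERATIONS, "iteration(s) each")
```

The weak passwords fall either way; what salting and a slow hash buy you is that the attacker cannot reuse one table across users, and every guess costs a full KDF run. The random 16-character password is never found, which is the whole point of the advice above.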

Conclusion

As security researchers and a corporate security team, we are careful about how we handle the data. We securely delete the details once we have scraped them for our own corporate information (so we can proactively reach out to those users and offer advice and guidance).

Hackers are not so considerate. Someone will try to hack you; the question is how easy you will make their job.

 


2017 has started as a busy year for hackers

2017 is shaping up to be a busy year for information security professionals. The latest major hack was HipChat from Atlassian. Surprisingly, most consumers still "don't care" about their data security, and millions have bad security hygiene.

Visualizing the hacks

To make the data more palatable, firms have tried to create visually appealing representations of these hacks. The first is called World's Biggest Data Breaches and provides a nice, easy-to-understand timeline going back to 2004.

   [caption id="" align="alignnone" width="1179"]<img src="https://ekiledjian2.micro.blog/uploads/2025/6260279c6c.jpg" alt=" In this case the size of bubble represents the size of the breached data. ">  In this case the size of bubble represents the size of the breached data. [/caption] 

Hovering your mouse over one of the bubbles provides a general summary of the breach.

  <img src="https://ekiledjian2.micro.blog/uploads/2025/a8b36db677.jpg" alt="">

Clicking on the bubble gives a short description of what was taken.

  <img src="https://ekiledjian2.micro.blog/uploads/2025/82560a3a13.jpg" alt="">

Finally clicking on this information card takes you to a news article regarding the breach.

  <img src="https://ekiledjian2.micro.blog/uploads/2025/0e83326f23.jpg" alt="">

Who is attacking who (now)?

Cyber is the new attack space and people are attacking each other all the time. How do you visualize this constant barrage of attacks? Using a pew pew map (as we call it in the industry). It's called a pew pew map because one of the most used services adds a little "pew pew" sound to the attack map if you want it.

It's important to know what these maps show and what they do not show. It is impossible to show all attacks in real time across the internet. Each of the companies providing these maps uses its own collection techniques, and the map is an attempt to show as realistically as possible what their tools are seeing. Their data could be based on customer equipment they manage, honeypots (decoy systems used to gather information about attacks) and general monitoring of the internet. No one company has an all-encompassing view, and none of these should be considered the absolute truth.

The granddaddy of this type of free attack mapping service is IPViking. This is probably the most viewed free attack map on the internet. For each attack, it shows the attacking organization name, internet address, target city and target service. As I write this, the service seems to be down, so I am not able to add a visual representation of it, but it is worth checking out.

  <img src="https://ekiledjian2.micro.blog/uploads/2025/53ada89539.jpg" alt="">

FireEye is the 800 lb gorilla when it comes to incident response (since it bought Mandiant) and has its own free attack map. The FireEye map is fairly basic, with limited refresh and limited supporting data, but it is still clean and easy to understand.

  <img src="https://ekiledjian2.micro.blog/uploads/2025/db634df03d.jpg" alt="">

The next map comes from Arbor Networks. Arbor powers the network protection tools for many large national carriers and says its map is fed by 270+ ISP customers. What's unique about the Arbor offering is that it lets you go back in time (to 2013). Additionally, the Arbor tool provides neat details (such as attack type, port, unusual traffic, etc.).

  <img src="https://ekiledjian2.micro.blog/uploads/2025/2d6d7dd35c.jpg" alt="">

The OpenDNS map (Cisco) isn't something I use often but it is visually appealing so here it is for your viewing enjoyment. 

And of course there are many many many more on the web. 

Who got hacked in 2017

2017 has started with a bang, and hopefully it isn't a sign of things to come. Here are some of the more interesting breaches:

  1. Washington University School of Medicine - An employee is believed to have fallen victim to a phishing attack that may have compromised 80,270 patient records. 
  2. InterContinental Hotels Group - IHG, which owns prime hotel brands like Crowne Plaza and Holiday Inn, suffered a data breach of its payment processing systems which may have impacted 1,200 hotels. 
  3. Arby's - It looks like the chain was infected with point-of-sale malware that may have stolen information from up to 355,000 credit and debit cards. 
  4. Saks Fifth Avenue - BuzzFeed reported that the chain may have inadvertently exposed private customer information on the internet. They provided a snapshot of the information as proof.
  5. Free Application for Federal Student Aid - An IRS tool used by the FAFSA website to help students apply for student aid was "attacked", and the tax information of up to 100,000 taxpayers may have been taken. As I write this, the IRS believes 8,000 fraudulent returns were already filed, costing it $30M. 
  6. E-Sports Entertainment Association - On December 30, 2016, ESEA issued a warning to its members after it discovered a breach. Over 1.5M people were impacted. Information included username, hashed password, email address, date of birth, zip code, telephone number, website, Steam ID, Xbox ID and PSN ID.
  7. Dun & Bradstreet - D&B found its marketing database of 33M corporate contacts shared across the web in March. The company claimed it was not breached and that one of its customers, who had bought the list, probably lost it. It contained information on millions of employees at companies like AT&T, Walmart, CVS Health and many more.
  8. Chipotle - The burrito chain posted a Notice of Data Security Incident on its website advising visitors that it had detected suspicious network activity in a system that supports in-restaurant payment processing. Information is scarce since the investigation is ongoing, but this is the latest shoe to drop so far this year (April 25, 2017).

What can you do?

A message to all consumers: you are responsible for your data protection. If you are sloppy or careless, you will be impacted and you will have no one to blame but yourself.

  1. Use a password manager like KeePassX, LastPass or 1Password. [ Simplify password management [for free] with LastPass ], [ Protect your online accounts from compromise before its too late ]
  2. Generate long, impossible-to-guess, unique passwords for each internet service you register for [ 5 best Random Password Generators ]
  3. Enable two-factor authentication on any site that supports it. A list of sites can be found here. An article comparing Authy to Google Authenticator can be found here.
  4. Clean up your social media authorizations regularly using this tool. Make sure only apps and services you currently use have access to your social media networks.
  5. Deal with firms that prioritize your privacy and security. Using a free email system usually means you are giving the provider access to your email so they can profile you and target advertising. That also means a rogue employee, or an attacker who compromises the provider, can read your unprotected information. ProtonMail is an example of a provider that never holds your mailbox in unencrypted form, so even if it is hacked, the attackers get nothing usable. Instead of Dropbox or OneDrive, check out SpiderOak for encrypted online storage. Like ProtonMail, it stores your information only in encrypted form, so any data an attacker obtained would be useless.
  6. Use fake information. Sites often ask you for personal information when you register so they can challenge "you" when you need a password reset. The problem is that many of the questions have easy-to-find answers (like your mother's maiden name), and if one of these services is hacked, the attackers can use the answers on other sites. I recommend providing fake answers to these questions and making them unique to each site. Use your password manager to store the answers. 

Bose QuietComfort 25 Review (QC-25)

TL;DR: I have tested dozens of headphones over the last 12 months and the QuietComfort 25 (QC-25) is still the most comfortable headphone, with excellent noise cancellation and good sound reproduction.

Comparing the QC-25 to the QC-35

The QuietComfort 35 (QC-35) is the wireless Bluetooth version of the QC-25. It offers slightly better noise cancellation and a slightly different noise profile. If you need Bluetooth (iPhone 7 or iPhone 7 Plus) then get the QC-35; otherwise I would recommend the cheaper QC-25.

Not for everyone

Noise-cancelling headphones are not ideal for people who only need noise cancellation some of the time. They are not a replacement for regular headphones. If you need good all-around headphones then don't get these (or any other noise-cancelling headphone) or you will be disappointed.

The golden rule is that noise cancellation adds about $100-150 to the cost of a pair of headphones and typically delivers worse overall sound quality than comparable non-noise-cancelling models. I can't stress that enough.

Noise cancellation works extremely well for low-frequency, machine-style sounds like a train on a track or airplane engine noise. It doesn't work as well for higher-frequency sounds like voices or a crying baby on a plane.

If you only need noise reduction occasionally, then you may be better served by a good pair of sealed headphones. You would get better sound quality and would probably pay a lot less.

Who should buy the QC-25

I just wrote four paragraphs about who shouldn't buy the QuietComfort 25 (QC-25). It is important to note that anyone who is a frequent traveler (plane or train) will definitely benefit from these headphones. By making your travel a little quieter, you will arrive less stressed and more refreshed.

Quietcomfort 25 (QC-25) versus in-ear headphones

The other question I need to address is the eternal debate between this type of over-ear headphone and in-ear headphones. The truth is that there is no golden rule that is right for everyone.

Some people opt for in-ear headphones because they are smaller and lighter. Many people who wear glasses also prefer in-ear headphones because their frames may prevent over-ear headphones from sealing properly, thus letting the dreaded noise in.

Bose, likely because it owns several important noise-cancellation patents, currently makes my picks for both the best over-ear and the best in-ear noise-cancelling headphones. Which one should you choose? There's no simple answer, as it depends on what you're looking for.

The third reason I have found some travelers prefer in-ear headphones is that they find them better to sleep with on flights.

The fourth reason is that some people find that on-ear headphones make their ear hot after extended use. 

The fifth and final point is about noise cancellation of low-frequency sound. From a sound quality perspective, the Bose in-ear noise-cancelling headphones (QC-30) tend to reduce low-frequency noise a little more and offer some passive noise isolation, which makes things just a little quieter. Mid and high reproduction is always better with bigger drivers, so the QC-25/QC-35 take the crown there.

Additionally some people just can't stand having anything inserted into their ears. They find it annoying and bothersome. Obviously if you fall into this category, go with the QC-25/QC-35.

Conclusion

If you are looking for great-sounding, super comfortable, wired over-ear noise-cancelling headphones, then get these. The sound is good enough, they are comfortable (even on a long-haul Toronto to Hong Kong flight) and they fit in a relatively small case for easy carrying.

They offer good low-frequency sound reproduction (40Hz and below), and the rest is a little muddied (which is normal for noise-cancelling headphones). You can use the QuietComfort 25 even when the batteries die (a nice upgrade from previous models); the sound is pretty bad in that mode, but at least you aren't stranded without entertainment.

If you need bluetooth because you can't live with wires or your smartphone got rid of the headphone port (looking at you Apple), then go with the QuietComfort 35 (QC-35).


Review of encrypted email provider Protonmail

Why would anyone use Protonmail instead of Gmail or Hotmail? SECURITY

Email is inherently insecure, and if you are a political dissident whose online communications can mean the difference between living and dying, don't use email. For everyone else looking for an easy and secure email solution, keep reading about ProtonMail.

Everyone needs to understand that SMTP was not designed to be secure and will always have security weaknesses.

We use email because we don't have a choice and everyone agrees it won't be displaced tomorrow.

The other major issue faced by secure service providers is ease of use. PGP is a good example of strong email encryption that never became mainstream because it was simply too complicated for mere mortals.

Absolute security is impractical and will never gain widespread adoption, so good security should be the goal for most services.

There is always a tradeoff between usability and security. The difficulty is finding the right balance.

So what does Protonmail offer?

The bright scientists behind ProtonMail understand the fine balance they must find between usability and security. Make the product too secure and no one will use it (aka bankruptcy); make it extremely user-friendly but not secure and you become a me-too email provider.

They have chosen to implement good-enough security that makes encryption accessible to the masses while protecting against unauthorized government seizure and mass surveillance.

What are the weaknesses of Protonmail?

Read my blog post about the Vault 7 leaks (here) and you will realize that when a government is stifled by strong encryption (WhatsApp, Signal, etc.), it compromises the endpoint and extracts the information before it is encrypted or after it is decrypted.

ProtonMail does not protect you if your endpoint is compromised. It would be unreasonable to expect any secure online service to protect you from this type of attack. If you want maximum endpoint security, learn about real security practices and use a secure operating system like Qubes OS.

Nation-state level man-in-the-middle attack. ProtonMail implements the standard controls against a common man-in-the-middle attack, but a nation-state actor able to redirect your web traffic and obtain a "real" fraudulent TLS certificate for ProtonMail's domain (from a compromised or coerced certificate authority) could theoretically intercept your session, serve you a modified web client that captures your username and password, and then use those to access your account and decrypt your keys. Let's be clear that garden-variety hackers (even extremely skilled ones) won't be able to pull this off. It requires the skills, money and technical capability to reroute internet traffic and to obtain trusted certificates.

Intelligence break-in. With all the talk about government backdoors, the third major weakness of ProtonMail (and of any secure service whose code you did not write yourself) is that a nation-state actor could infiltrate ProtonMail and plant "special" code that sends a weakened encryption routine to users, allowing the attacker to read unencrypted versions of the messages. ProtonMail has stated that it has multiple controls in place to protect against this type of attack, including scanning its servers for unauthorized code changes.

Some nice features of Protonmail

ProtonMail is a Swiss company based in Switzerland. Any government request for information would have to be made there under Swiss law, which is very protective of private information (the USA cannot issue a National Security Letter to force the company to turn over information while hiding the request from the user).

In the rare situation that a government were to spend the money and convince a Swiss court to compel ProtonMail to turn over user information, ProtonMail uses "zero access cryptography", which means it does not hold the keys needed to decrypt your mailbox and can therefore only turn over encrypted data.

ProtonMail supports (and you should use) two-factor authentication. This means that in addition to something you know (your username and password), you need something you have: a time-based one-time code generated by an authenticator app such as Google Authenticator or Authy.

If you want to send something more secure than normal email to a non-Protonmail user, you can create a Protonmail hosted message that requires a password to open (obviously don't send the password using email) and can even have a fixed expiry date. 

   [caption id="" align="alignnone" width="597"]<img src="https://ekiledjian2.micro.blog/uploads/2025/1234566453.jpg" alt="Creating a password for the secure hosted email">  Creating a password for the secure "hosted" email [/caption] 



   [caption id="" align="alignnone" width="600"]<img src="https://ekiledjian2.micro.blog/uploads/2025/7cc1e28a58.jpg" alt=" Setting an expiry time for the message ">  Setting an expiry time for the message [/caption] 

ProtonMail stores encrypted, per-user authentication logs. This means you can see when your account was logged into and from which IP address. You can turn this off if you don't want it captured. ProtonMail does not capture or log your IP anywhere else. In their words:

 

The ProtonMail service has internal authentication logs. When I say internal, I mean that these details are available only to the account owner, and are recorded and encrypted with all the other data inside the account. As I mentioned earlier, Proton Technologies AG doesn’t log IP addresses, but this information can be logged inside your web client session. If you don’t need them, just wipe the logs and switch to basic mode which doesn’t record info on the IP addresses you logged in from.

  <img src="https://ekiledjian2.micro.blog/uploads/2025/c33386209c.jpg" alt="">

Basic stores login dates and times only. Advanced also stores the IP address you logged in from. The choice is yours. You can always download this information or securely erase it.

No user profiling. When you use a free service, the provider conducts deep analysis of your mail and builds a detailed profile of you. ProtonMail can't do this, since everything is encrypted.

They encrypt all email arriving from non-ProtonMail senders immediately upon ingestion. From their documentation:

Emails that come from third party email providers obviously cannot be delivered with end-to-end encryption, but upon reaching our mail servers, we will encrypt them with the recipient’s public key before saving the messages. All this is done in memory so that by the time anything is permanently stored to disk, the email is already unreadable to us.

This is good for security but limits what they can do for spam control, since they cannot read a message once it is stored. In a blog post, they explain what they do, before encryption, to fight spam:

  1. They check the IP address of the sending SMTP server against known blacklists.
  2. They pass all messages through their own Bayesian filter, marking suspicious emails as spam.
  3. They generate a checksum for each email message and compare it against the checksums of known spam messages.
  4. They verify the authenticity of the sender using the standard protocols (SPF, DKIM and DMARC).

Sending secure emails to non Protonmail users

I alluded to this earlier but wanted to restate it in its own section, since I would otherwise receive a dozen emails asking this question.

Can secure emails be sent from ProtonMail to non-ProtonMail users (Gmail, Hotmail, Outlook, etc.)?

When sending emails to non-Protonmail users, you can:

  1. Send an unencrypted standard email. This is what every other email provider does.
  2. Use the lock icon in the compose window, which asks for a message password (see the screenshot earlier in this post). When a password is set, the recipient receives a notification with a link to a ProtonMail web page where they enter the password you shared (out of band, never by email) and read the message.
   [caption id="" align="alignnone" width="1051"]<img src="https://ekiledjian2.micro.blog/uploads/2025/d7dd7d904b.jpg" alt=" Notification non-Protonmail user receives ">  Notification non-Protonmail user receives [/caption] 



   [caption id="" align="alignnone" width="436"]<img src="https://ekiledjian2.micro.blog/uploads/2025/ade32b706e.jpg" alt=" Password requested by non-Protonmail user. ">  Password requested by non-Protonmail user. [/caption] 



  <img src="https://ekiledjian2.micro.blog/uploads/2025/23a2ae54f5.jpg" alt="">

Free versus paid

Protonmail offers a free basic tier and I recommend everyone start with this level. If it meets your needs, you should consider upgrading to a paid tier which offers custom domains and more storage. 

Conclusion

I love Protonmail and am moving my private (not public) email address there. I like the security it provides and the open philosophy they espouse. I say use them if you want something more secure and private.

You may also want to read my article about SpiderOak. SpiderOak is a Google Drive, Microsoft OneDrive or Dropbox alternative with strong trust-no-one encryption.


Review of SpiderOak encrypted online storage

Right or wrong, Edward Snowden has become the poster child for online privacy. He has been adamant that anyone interested in true online security should stay away from the name-brand online services: Dropbox, Facebook, Google, etc.

Trust No One Security

Before we talk about SpiderOak, this is a good time to write about TNO (Trust No One Security model). This is a philosophy that dictates that anytime security is needed, strong encryption must be applied and the keys to that encryption must be kept in the hands of the user. 

As an example, anytime you conduct online transactions with your bank, your connection is encrypted using end-to-end encryption (TLS), but the keys are held by the bank and created by a certificate authority. Either of those two can therefore intercept and decrypt the traffic if they have malicious intent.

In the TNO model, the provider does not hold the keys to the kingdom and cannot therefore decrypt or access the data in its native format. 

Anytime a provider has the capability of resetting your password, it means it is NOT TNO and it means the provider can access your data. If they can access your data, that means a hacker may also be able to compromise their systems and access your data.

What is SpiderOak?

Unless you are a techie or a security person, you probably haven't heard about SpiderOak. Short of rolling your own cloud service, SpiderOak is the most secure commercially available TNO cloud service around.

The key to the magical security they provide is that your client encrypts all of the data on your computer before it is sent across the security-hostile internet to SpiderOak. They cannot see the content, and if you lose your password (aka your encryption key), you have to create a new account and restart from scratch.

So you get Dropbox, Google Drive and Microsoft OneDrive like features, without having to trust the provider. 

Why is TNO important?

Governments are becoming very hostile towards individual privacy. The Snowden leaks have shown that the secret FISA courts allow law enforcement to compel the turnover of user data without the provider being allowed to notify the user. With most cloud storage companies, this means they (or a hacker) can gain access to your data and then do with it whatever they want.

With SpiderOak's encryption model, they can turn over your encrypted data, but they do not hold the decryption keys. The encryption is strong enough to make forced automated decryption impractical. This means they would have to secure a court order and force you to hand over the decryption keys.

If a hacker does compromise the SpiderOak servers, the data is once again encrypted and therefore unusable by these bad actors. 

It also means they are not and cannot use your data to profile you. 

SpiderOak features

So you are convinced they offer the kind of security you want. What about features, you say?

First and foremost, they offer automatic (on change) backups. This is a set-and-forget model that works in the background. There is no file size limit. There are no file type restrictions. There is no bandwidth control or throttling on their end (some providers slow down your connection if you try backing up large amounts of files, to protect the responsiveness of their service for their entire user population).

It can back up mapped (external USB-connected) drives.

Any issues with SpiderOak?

Files are encrypted on your device and SpiderOak cannot access them unencrypted so they are unable to offer offline file delivery (sending you a hard drive with your files). 

Anytime my computer is disconnected for a while, Backblaze sends me alerts notifying me it hasn't been able to back up my files in XX days. SpiderOak has no such notification mechanism. They could implement this even with the TNO model.

During my testing, I simulated an unreliable Wi-Fi connection to see how the client would react, and eventually it hung. Even when the connection became stable and on for 8+ hours, the client stopped backing up. Rebooting didn't help. I was forced to uninstall the client, reinstall it and create a completely new backup set. This was a bit annoying. The doubly annoying issue was that support is only available through email. Support seems to be available during standard North American business hours, and a response usually takes 5-8 hours.

Another issue is that although they offer mobile clients (iOS and Android), those clients are read-only (aka you can't upload content). SpiderOak did say they are working to add this functionality, but they didn't provide any timeline. "Currently, you are unable to upload documents using the Mobile Application. We are working on including this feature in a future release." (mobile info)

There is no way to identify a connection as "metered" and tell it not to back up over that connection (like a pay-per-use Wi-Fi LTE hotspot).


Not a technical issue but the pricing is a bit more expensive than I would have hoped. I am willing to pay more for security but wish they offered more storage with each paid tier. 1TB of storage on Google and Dropbox costs $9.99 a month.

My experience

Overall my experience was good but not great. Because plans are capacity based, you can sync as many devices as you want. Because everything is encrypted, there are no file type restrictions.

Versioning worked well. They seem to use a bit-level delta storage function, which means you aren't consuming space for the entire file with every version.

SpiderOak provides tons of information about security.

Files can only be permanently deleted from the original device they were uploaded from. This is a great feature.

You can right-click on any folder (or file) in Windows Explorer or the Mac Finder and ask SpiderOak to back it up. Easy.

You can download backed up files to any computer via the web interface.

Conclusion

There are small annoying things I would like them to solve, but no major showstoppers. My biggest gripe is not being able to upload via mobile or Chromebook. I really wish they would solve this.

Outside of that, I like everything else I have seen and think they should be your go-to provider for safe and secure online storage.

Related articles:

  • Bruce Schneier on TNO here
  • Steve Gibson on TNO here.