Quote about freedom and rights


Quote about happiness

Be happy for this moment. This moment is your life. Omar Khayyam #quote #success #life #selfimprovement #meditation #today #todayistheday


Is Google's Chromebook the ultimate in secure travel computing?

When I first heard about the Google Chromebook, I couldn't understand why anybody would buy a computer that only "ran a browser". Sure, you could buy one for $300-500, but then again, you can pick up a "cheap" Windows-based laptop for about the same price.

Notes from my day job

My day job is being the Chief Information Security Officer (CISO) of a large multinational manufacturer. When our employees travel to high risk locations, they are equipped with a special laptop with a hardened image and they are instructed to only load the bare minimum amount of information needed during this trip. We ask that everything else be kept on our company servers.

Why do we do this? Because the risk of having your equipment hacked is higher in some countries. Add to that the fact that most countries can ask you to log into your computer so that it can be "inspected" at the border.

Chromebook is the safest travel computer

So the Google Chromebook is designed to run a special operating system called the ChromeOS. It is basically a thin Linux operating system on which Google runs a customized version of their famous Chrome browser.

Because the entire system is the Chrome browser, you can't "install" typical applications. Sure this can be a pain but it is also one of the features that makes the Chromebook so secure. Even clicking on a malicious email or browsing a malicious website can't stealthily install malware. ChromeOS supports Flash but a malicious Flash attack using advertising networks can't infect your Chromebook. ChromeOS also doesn't run Java so you're safe from all of those attacks.

You can install a malicious Chrome extension or one that is made malicious later through an update but you should only be installing extensions from trusted brand name developers. 

So obviously Chrome is extremely difficult to hack which makes it a better option for high risk travel. Most Chromebooks come with a small token amount of storage because the entire premise of the Chromebook is that you should store your files in the cloud. 

Easy & automatic encryption

Upon initial setup of your Chromebook, Google creates a private encryption key for you using the eCryptfs encrypting file system. This means an unauthorized person cannot see your data even if they rip out the drive.

Boot up secure check

Every time you boot a Chromebook, it runs a Verified Boot process to ensure the software hasn't been tampered with. It checks every component as it loads, from kernel to drivers, making sure they are the genuine, unmodified Google-provided versions.

This means that every time you log into a Chromebook, you can be assured you are logging into a secure login environment. This is much better than any Windows or Mac computer. 

Update your system to stay secure

Anytime a vulnerability is discovered, software manufacturers rush to push out updates to their products. Microsoft has automated the process as much as possible but Google's Chromebook once again wins this round. 

Google releases updates on an as-needed basis or at least once every 6 weeks. Like the Chrome browser, the Chromebook automatically downloads and installs the update with no user intervention. In the case of the Chromebook though, this process can update everything from the lowest level operating system function to how extensions are handled.

Just to be safe, Chromebook keeps a copy of the last known good version onboard and can quickly boot to it if the unthinkable happens during an update.
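A simplified model of the two mechanisms described above (the component-by-component check at boot and the fallback to the last known good version), added here as an example and not ChromeOS code. It assumes a plain SHA-256 hash chain anchored in read-only storage instead of the signature checks a real device uses; the slot names, component names and payloads are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class Stage:
    """One boot component plus the digest it expects of the stage after it."""
    name: str
    payload: bytes
    next_hash: str  # "" marks the end of the chain

    def measure(self) -> str:
        # The digest covers the payload length, the payload and the pointer to
        # the next stage, so none of them can change without changing the result.
        h = hashlib.sha256()
        h.update(len(self.payload).to_bytes(8, "big"))
        h.update(self.payload)
        h.update(self.next_hash.encode())
        return h.hexdigest()


def build_slot(components):
    """components: [(name, payload), ...] in boot order -> (stages, root_hash)."""
    stages, next_hash = [], ""
    for name, payload in reversed(components):
        stage = Stage(name, payload, next_hash)
        next_hash = stage.measure()
        stages.append(stage)
    stages.reverse()
    return stages, next_hash  # root_hash is what the read-only root of trust stores


def verify_slot(stages, root_hash):
    """Return (ok, culprit); culprit names the first stage that fails the check."""
    expected = root_hash
    for stage in stages:
        if not hmac.compare_digest(stage.measure(), expected):
            return False, stage.name
        expected = stage.next_hash
    if expected != "":
        return False, "<missing stage>"  # the chain was truncated
    return True, None


def boot(slots, roots, active):
    """Verify the active slot first; on failure fall back to the other slot."""
    order = [active] + [name for name in slots if name != active]
    log = []
    for name in order:
        ok, culprit = verify_slot(slots[name], roots[name])
        log.append((name, ok, culprit))
        if ok:
            return name, log
    return None, log  # nothing verifies: a real device would enter recovery


def make_slots():
    """Constructed sample data: slot A is the fresh update, slot B the previous build."""
    slots, roots = {}, {}
    for slot, version in (("A", b"v2"), ("B", b"v1")):
        components = [
            ("firmware", b"rw-firmware " + version),
            ("kernel", b"kernel " + version),
            ("rootfs", b"drivers and browser " + version),
        ]
        slots[slot], roots[slot] = build_slot(components)
    return slots, roots


if __name__ == "__main__":
    slots, roots = make_slots()
    print(boot(slots, roots, "A"))          # clean update boots from slot A
    slots["A"][1].payload += b" + implant"  # modify the kernel in slot A
    print(boot(slots, roots, "A"))          # check fails at "kernel", boots slot B
```

The log returned by `boot` records which stage failed in which slot, which is the detail worth surfacing to the user or to fleet management when a fallback happens.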

Ultimate privacy 

We all know you can enable Incognito mode to browse privately and not leave too many trails. Google's Chromebook has a mode called Guest Mode which is Incognito on steroids. You can log into a Chromebook as a guest (without credentials) and everything you do during the session is ephemeral and wiped at the end of your session. 

Reinstallation takes minutes

If things aren't working just right or you want to ensure you are working with a fresh clean version of the operating system then you can enable a feature called PowerWash. PowerWash basically performs a complete factory reset of the device bringing it back to an original out of the box state (within minutes). My Acer C720P can perform a PowerWash and show me a login prompt within 5 minutes. 

Why would you want to perform a PowerWash? Because something isn't working and you can't figure out what. Or you just visited a high risk country and even though a Chromebook is fairly secure, you want the additional peace of mind that comes from a fresh, cleanly reinstalled operating environment.

The Google security goodness

In addition to everything I wrote above, you get the extra security features Google has built into Chrome which means all transactions with Google are performed over a secure TLS connection. 

If anyone tries to spoof a Google certificate to steal your credentials (man-in-the-middle style attack), the browser will notify you and prevent the attack.

You get Gmail's perfect forward secrecy.

VPN your way to a more secure connection

The best security comes from multiple layers of protection. In addition to everything I mentioned above, you can use a VPN service to tunnel your way out of the badlands into a safer internet. 

Google's Chromebook supports 3 types of VPN connections:

  1. L2TP over IPsec with PSK
  2. L2TP over IPsec with certificate-based authentication
  3. OpenVPN

The last one is the safest and should be your preferred option. Not only does establishing a VPN prevent someone from eavesdropping on your "internet discussion", it also means you can access sites that may be forbidden in your destination country (think Facebook from China or HULU from Canada). 

Conclusion

Yes the Chromebook is much more limiting than a traditional computer but the truth is many users have migrated from laptops or desktops to tablets. If you can live with a tablet then the Chromebook is a no brainer. 

Not only is it more secure but the fact that you have no maintenance to perform is a wonderful feeling. We use a Chromebook as a 3rd or 4th computing device in the house and my wife uses it to show websites to potential clients. It boots in 7 seconds and doesn't slow down with continued use (I'm looking at you Windows). 

Over the last 24 months I went from a Chromebook hater to a Chromebook lover. You can even splurge on Google's new and updated Chromebook Pixel. It is a reference design by Google that costs $999 but offers everything you could ever want in a Chromebook. Incredibly responsive keyboard and trackpad. Super high resolution touch screen. 9-12 hours of battery life. Solid metal construction.


How to find how many Twitter fake followers you have

Image by Patrik Nygren, used under Creative Commons License

When web placement was paid per click or per view, Twitter importance was measured by the number of followers you had. Those days are long gone because modern tech savvy social media users understand that engagement is the ultimate measure.

In some cases, people bought Twitter followers to make themselves look  better but there are times when those fake followers are added by bots. Why? Because many people automatically follow back all of their followers and these SPAM accounts get a decent following quickly.

Fakers App

The first tool is an online service called the Fakers App.  This app allows you to identify how many fake or empty accounts follow you. Better yet, they can perform this same magic on competitors or service providers trying to sell you on their HUGE social media following.

Head over to the webpage (link)

  <img src="https://ekiledjian2.micro.blog/uploads/2025/7129985387.jpg" alt="">

Click on the Connect to Twitter button

  <img src="https://ekiledjian2.micro.blog/uploads/2025/8e05768e18.jpg" alt="">

Authorize the app to connect to your Twitter account. Then let it do its magic.

  <img src="https://ekiledjian2.micro.blog/uploads/2025/256bd33f23.jpg" alt="">

In my case only 3% of my followers are fake. 46% are inactive, which isn't surprising knowing how most registered Twitter users rarely tweet. You can use the search box to check this info for someone else.

TwitterAudit

TwitterAudit (link)  is another interesting tool that takes a 5,000 follower sample from your account and then creates a follower value score by looking at the ratio of followers to following, number of tweets, date of last tweet, etc.

It creates some interesting graphs:

  <img src="https://ekiledjian2.micro.blog/uploads/2025/4273ff9918.jpg" alt="">

Conclusion

You'll notice that the stats provided by each site aren't perfectly aligned but they are close. The Inactive status of the Fakers App isn't too valuable for me considering most people sign up and spend most of their time on Twitter lurking.

Ultimately less than 3% (in both cases) of my followers are fake. What about you?

 


Nokia Here Maps finally available for iOS

It has been a good week for iOS device owners. First we were gifted an official Google Calendar app and now Nokia has released its Nokia Here Maps for iOS.

This is one of the Nokia units that was not acquired by Microsoft and it seems they take mapping very seriously. In addition to offering turn by turn navigation, voice guidance, real time traffic alerts and public transit routing, it offers users the ability to download maps locally for over 100 countries.  This means you can route even when travelling out of country or going through bad reception areas.

I have been using the Android version since its beta release and overall I am very pleased with its performance. It provides much more accurate routing than the built-in Apple Maps.

Why not download this little gem and keep it in your toolkit for a rainy day?

App Store link (link)


Google Calendar app finally available on iPhone

Image by Dafne Cholet, used under Creative Commons License

Google finally released a calendar app for iPhone today. Even Google's own blog post title says "[...] It's about time". I couldn't agree more.

My early tests show it is based on the (released in November) updated Android app which simplified calendar management (transforming Gmail events into calendar entries automatically). Like Fantastical, it also has an Assist feature which helps you fill out the various pieces of a calendar entry.

Here is the direct link to the app on iTunes (link). I couldn't find it with the iTunes Search feature.

 


When unlimited Microsoft OneDrive storage isn't really unlimited

Image by Thomas8047, under Creative Commons License

The sky cleared and trumpets sounded when Microsoft bamboozled the entire cloud storage market by offering unlimited OneDrive storage with certain Office 365 subscriptions. 

In addition to bumping up your storage quota to unlimited, they switched the maximum single-file size limit to 10GB (from 2GB). Just when you think you hit the jackpot, you hit an undocumented artificial limit that prevents you from using the all-you-can-eat buffet in the sky.

What is this artificial limit?

  <img src="https://ekiledjian2.micro.blog/uploads/2025/fc4e725f22.jpg" alt="UserVoice snapshot from here (link)">
  UserVoice snapshot from here (link)

They limit you to 20,000 files total. This means that most users won't get anywhere near the kinds of storage usage scenarios most of us thought Microsoft would be dealing with.  Unfortunately most users aren't aware of this. They will start uploading their photo collection and then all of a sudden their agent will stop uploading files. The agent won't generate any errors. Everything will look perfectly fine but they have reached their limit and the game is over.

What about the competition? Dropbox has a statement on this (link) page that says:

The number of files you can store in your Dropbox is only limited by the amount of online storage space in your Dropbox account[...]
Dropbox’s performance may start to decline when you store above 300,000 files
— dropbox help

Although Microsoft's Office 365 + unlimited storage seems enticing, I would still stick with Dropbox for online cloud storage because it just works better in every way (faster upload, faster download, no artificial file limits, clients on every platform that work well, etc).


Credit Card breach at Mandarin Oriental

Image by Sean MacEntee, used under Creative Commons License

We have seen claims that the luxury hotel chain has suffered a credit card breach (some outlets are now confirming it). 

 

The last confirmation I received was that the chain is working with its banking partners to investigate the claims. We don't know yet if the breach impacts some or all of its global properties. Unnamed sources say the breach goes back to just before Christmas 2014.

It is too soon to speculate how they were stolen. Some outlets jumped the gun and claimed the chain's main reservation system was breached but it is important to remember that the breach could be on a Point of Sale terminal in the hotel (store, restaurant, etc).

Since the chain is made up of luxury properties, its patrons typically have high value credit cards that could fetch a premium in the credit card sale black market. 

If I am made aware of any developments, I will update this post accordingly.

For the record, I have stayed at many of their Asian properties and I love the Mandarin Oriental chain.

 


Google releases preview of upgraded Contacts web app

About 70% of my readers are also Google users so most of you will be ecstatic that Google is trying to fix the broken Contacts web app. 

[...] that makes it easier to keep track of the people you know and get the info you need, fast
— Google Blog Post

Who can argue with a more usable experience? The new UI gives you a faster way of merging duplicates, automatically updating contacts and seeing recent emails right in the Contacts app.

You can read the Google blog posts here (link)

Unfortunately when I try accessing the preview link this morning (link) I get the dreaded 404 page not found:

  <img src="https://ekiledjian2.micro.blog/uploads/2025/bb6aabf671.jpg" alt="">



3 secrets to using LinkedIn to advance your career

Image by Adriano Gasparri, used under Creative Commons License

LinkedIn has created a unique niche for itself amongst professionals looking to bolster their career. Read my article about The You Brand, and you may start to see opportunities to use LinkedIn as your personal self-promotion platform.

Here are some of the elements you could use to improve your overall LinkedIn visibility and credibility.

Update Your Profile

Sounds pretty basic but it deserves a special spot here as the first suggestion.  Remember that LinkedIn is where potential employers go to discover who you are. It is often the first opinion a potential partner or employer will have of you. 

It is very important to remember:

LinkedIn is not Facebook, please stay professional
  <img src="https://ekiledjian2.micro.blog/uploads/2025/6e38a84bd1.jpg" alt="">

Make sure everything in your profile exudes professionalism, from the level of English you use to describe your positions to the picture you upload. You'll notice on my LinkedIn profile that my background (on the very top) is a serene picture of a forest. Choose something that describes you without going overboard.

LinkedIn also allows you to add other content which may be relevant to your future job prospects such as whitepapers, images, presentations, etc.

  <img src="https://ekiledjian2.micro.blog/uploads/2025/f6e938d940.jpg" alt="">

LinkedIn Profile Tips:

  1. Have a well lit professional looking photo
  2. Have an original (non job title) tagline that describes your capabilities
  3. Have more contacts. Add anybody you have met to LinkedIn. There is something powerful when that 500+ connection number is shown on your profile
  4. When using LinkedIn for intelligence work, turn on anonymous browsing (link) to do it discreetly
  5. LinkedIn is NOT a resume and shouldn't be treated as such. Consider it a living document that describes you.
  6. It is important to update your LinkedIn status at least once a week. Remember to stay professional.

  <img src="https://ekiledjian2.micro.blog/uploads/2025/3f15bba150.jpg" alt="Image by Sean MacEntee used under Creative Commons License">
  Image by Sean MacEntee, used under Creative Commons License

Blogging

Blogging is the great equalizer of the internet. Everyone has an equal opportunity to produce quality content and demonstrate their thought leadership capabilities.

In fact this article you are reading will be posted on my own personal blog at kiledjian.com and also cross-posted on LinkedIn using their blogging feature.

If your readers like your content, they can like or share it which increases your visibility beyond your own network.

  <img src="https://ekiledjian2.micro.blog/uploads/2025/378dca841b.jpg" alt="Image by Hans Põldoja used under Creative Commons License">
  Image by Hans Põldoja, used under Creative Commons License

Nurture your network

LinkedIn created the Connected app (link) and describes it as: "Because most opportunities come from the people you already know, and fostering genuine relationships can help you be more successful."

LinkedIn is telling you how important nurturing your network is... Are you listening? 

You want to be top of mind within your network. If an opportunity comes up, you want your contacts to think of you. Remember that 70% of jobs aren't posted so your LinkedIn army can help you get hired.


10 cent apps in the Google Play Store

Google Play's birthday is fast approaching which may be why we started seeing a handful of apps already priced at $0.10.

Right now there is only a handful but more should be added shortly.

  • RunTastic Running Pro (link)
  • Runtastic Sit-Ups PRO Trainer (link)
  • Facetune (link)

If you were thinking about these apps, now is a good time to jump on them. If you see other apps, please post a comment below.

 


The secrets to acing that next interview

Image by Ed Dunens, used under Creative Commons License

Believe it or not, getting an interview is becoming harder and harder. The last thing you want to do is waste a good opportunity, so here is what you need to know to ace the next interview. 

It's an interview not a discussion

Regardless of how casual you think the interview will be, remember that it is not a conversation. Typically it is the roadblock to getting that better job with better pay, more benefits, increased flexibility or a better location.  There is a lot riding on your performance and I want to make sure you are prepared. So remember:

An interview is never a conversation, it’s an interview.

Remember that the interviewer has a lot of pressure to find the right candidate in a very short period of time (spending only 30-60 minutes with each candidate). Remembering this already puts you ahead of the game.

Preparation is your key to success

  <img src="https://ekiledjian2.micro.blog/uploads/2025/a0807d9e6a.jpg" alt="Image by Chris Isherwood used under Creative Commons License">
  Image by Chris Isherwood, used under Creative Commons License

Good methodical preparation is the only sure way of hitting a home run. Before jumping to the following steps, take the time you need to prepare. In this case preparation means:

  • Find out the history of this job / job posting. Was this job held by the same person for the last 5 years or has it been a hot seat with a new employee every 3 months?
  • Find out about the company and specifically the office you are applying to. What do they do? How many employees do they have? What makes them different? 
  • Find out about your future boss. Who is it and what kind of person are they? What does his/her command structure look like? Do you know anyone in his organization or a related organization?
  • Find out about the interviewer. Who is she/he? What is their style? etc.
  • What are the company's values? What are their corporate social responsibility commitments?

Use every resource available to you to dig and go in prepared. 

Practice, practice, practice

  <img src="https://ekiledjian2.micro.blog/uploads/2025/66296995a7.jpg" alt="Image by davejdoe used under Creative Commons License">
  Image by davejdoe, used under Creative Commons License

In theory there is no difference between theory and practice. In practice there is
— Yogi Berra

I can't stress this enough. Chance favours the prepared. If you really want this job, you need to practice.

The first step of preparation is knowing your CV inside out:

  1. companies you worked for
  2. dates you worked at each (day, month and year)
  3. what your title was
  4. what you did there
  5. the value you delivered to the organization, clients and shareholders

Once you know the above, you need to practice how you will vocalize it. This means practicing out loud while simulating the work environment. Practice in front of a camera, so you can analyze the words you used, the flow you created and what you were communicating non verbally. It may be tough to truly and honestly analyze yourself with a critical eye, but better to do it now and fix issues before you sit in front of the interviewer.

Examples, examples, examples

A picture is worth a thousand words
— Arthur Brisbane

You should prepare to answer the standard questions of:

  • why are you leaving your current job
  • why are you the best candidate
  • how did you generate value for your last employer

Make sure you prepare clear examples to illustrate your real world reaction to these questions. A question can be asked hundreds of different ways and your formal answer needs to be customized to the question but if you prepare a handful of different examples for different situations, you'll always be able to respond properly.

Find examples for each section (work, school and personal) of your resume that highlight your contribution to a certain activity. Try to find enough examples to illustrate your strengths and leadership skills, and tailor your examples to the company's values.

Remember that often interpersonal skills are more important than technical ones so don't forget to show some examples of how you handled thorny people issues.

Have questions ready?

  <img src="https://ekiledjian2.micro.blog/uploads/2025/20a8870b0d.jpg" alt="Image by Duncan Hull used under Creative Commons License">
  Image by Duncan Hull, used under Creative Commons License

Assuming you did everything mentioned above, you should have various questions ready to go. A candidate that doesn't have questions is usually a cause for concern to the interviewer potentially showing a lack of preparation or interest.

You may want to know why this position has been advertised 4 times in the last year. Are the candidates leaving?

You may want to know about compensation, job flexibility, etc.

Whatever it is, create a master list and then sort it by audience. 

Ask the right question to the right person

Don't ask the HR person about on the ground questions. Those are better suited to the actual boss. By tailoring your questions to the right audience, you will look much more prepared. When meeting HR, ask them all the HR questions. When meeting a manager, ask them all about the "on the ground" questions.


The Bose QC25 are the best noise cancelling headphones money can buy

I want to start off this review by clearly stating that I am not a Bose fanboy. I don't automatically recommend all of their products just because they carry the Bose name. I tested 19 headphones for this review.

Noise cancelling headphones are the only option for frequent travellers looking for a small oasis in an otherwise jungle of airports, taxis and urban sprawl. When I recommend a pair of noise cancelling headphones, it is a job I take very seriously. Having said all of this, the Bose QC25 noise cancelling headphones are the best choice for any frequent user of planes, trains or any urban dweller looking to create a little oasis of silence. Let me be clear, these aren't reference headphones that perfectly reproduce music but are good sounding headphones with amazing noise cancellation. This is an important distinction to make sure you are not disappointed.

When I tested noise cancelling headphones, I wanted something that worked well, that was light/comfortable and that can be easily stowed away when not in use. 

How does the QC25 compare to the QC15?

The first question I asked the Bose clerk was to enumerate the difference between the new Bose QC25 and the older QC15. After several minutes of verbal diarrhea it became clear he didn't know what he was talking about. For those wondering what the differences are, here you go:

  • Bose QC15 have been discontinued and quickly sold from the channel
  • The QC25 can play music even when the noise cancelling mechanism is turned off or when your battery dies
  • The QC25 has a marginally improved noise cancellation profile (but nothing too dramatic)
  • The QC25 has slightly livelier mids and lows

Those are the main differences. If you already own a pair of QC15s, don't even think about upgrading. 

What's a lower cost alternative to the QC25?

Many of my readers email me asking for a recommendation cheaper than the Bose. If you want something cheaper (understanding the sound quality won't be as good and the noise quality is also inferior) then look at the Audio-Technica ATH-ANC7b.

  <img src="https://ekiledjian2.micro.blog/uploads/2025/058afd53f4.jpg" alt="">

I own a pair of these and find that the band is slightly too small for my medium head. I find it just doesn't sit comfortably on my head and it bothers me. But for the price (almost half the price of the Bose), you get a decent bang for your buck.

Disclaimer about noise cancelling headphones

I know a handful of readers that purchased the QC15 and were disappointed because they didn't understand the real usefulness (or lack) of these types of headphones. Noise cancellation headphones work by listening to your environment and then adding a negative sound pattern in your ear to cancel out the external noise. They work very well for continuous low mechanical sounds (like train sounds, airplane engines, air conditioner, fan, etc).

They don't work so well for higher pitch non repetitive sounds like screaming co-workers or crying babies. They will still reduce the intensity of those sounds but buying a $300 pair of headphones can't be justified for them. 

If you want good headphones and will occasionally (read rarely) use the noise cancellation functionality then noise cancelling headphones aren't for you. You would be better served with lower cost but higher quality closed-back over-the-ear headphones.

What about in ear noise isolating headphones?

I am a big fan of in-ear noise isolating headphones and my 2 favourite headphones right now are the:

  • Ultimate Ears Triple-FI 10 
  • Etymotic ER-4 microPro (I love these)
  • Etymotic hf5
  <img src="https://ekiledjian2.micro.blog/uploads/2025/af86324d37.jpg" alt="">

The Etymotic ER-4 microPro offer amazing sound reproduction and fantastic noise isolation (35-42db). I find that the noise reduction powers of the ER-4 are better than the Bose but this requires that I jam the earphones deep into my ear canal. 

This jamming of the earphones doesn't bother me but many many people I know just can't stand it. For these people the Bose is the better option. 

Back to the QC25

I had a chance to compare the QC25 to the older Bose QC15 and the QC20 in ear noise cancelling headphones. The QC25 just sounds cleaner, better and more engaging. 

The QC25 is also lighter and more comfortable than the 2 others.

If you are ok shoving an in-ear earphone into your ear canal, the Etymotic ER-4 is another option that has better sound, is smaller and lighter.  

In conclusion, the QC25 is the best on-ear noise cancelling headphone you can buy.


7 non verbal mistakes people make during interviews

Image by Quinn Dombrowski, used under Creative Commons License

Non-verbal communication can actually make up 70% of the message you are transmitting. It is much more powerful than verbal communications but much more difficult to control. Having performed hundreds of interviews, I have a list of the biggest non-verbal blunders I have noticed during interviews that I wanted to share with you.

  1. Too much or too little eye contact - Not enough eye contact and it conveys lack of interest or low self confidence. Too much eye contact can be seen as intimidating and frightening in some cases. During one 45 minute interview, the interviewee stared at a spot on my forehead the entire time, blinking very very rarely. It made the entire discussion very awkward. The trick is to stay relaxed and do as you would normally do.
  2. Inappropriate clothing - You should dress for the position you are applying for and the culture of the company. I was interviewing for a director position in a conservative multinational consulting company and the candidate showed up in a 1970's candy blue tuxedo.  In another situation an interviewee for an entry level PC field technician job showed up in a $5,000 Armani suit with crocodile skin shoes. How do I know? Because the candidate worked it into the interview conversation to ensure I realized what he was wearing. Do your homework and wear appropriate clothing. 
  3. Give me a normal handshake - Your father told you that a handshake quickly defines who you are and he was right. Too weak and it projects insecurity. Too strong and it exudes arrogance. As ridiculous as it may sound, practice your handshake strength with friends and family to find a happy medium.
  4. Don't be tick man/woman - The interviewer knows being interviewed is stressful and we accept that there will be a certain amount of movement because of this (movement often relieves pressure for the interviewee), but there are limits. Be conscious about your body, posture and movements. Don't tap your foot nervously on the floor, table or chair leg. Don't continually click and unclick your pen. Don't twirl your hair. It's good to have a normal amount of arm and hand movements as you are explaining your points but don't let it get out of hand (you are not directing an orchestra). Remember that you want to present yourself as an energetic but in control individual. Practicing your interview in front of a mirror or camera can help.
  5. You are not a statue - On the other end of the spectrum is the emotionless statue. These are people that have a completely blank emotionless presence during the entire interview. I had one of these and he gave off a serial killer vibe that quickly "killed" the opportunity for him. The modus operandi is be calm but engaged. A little emotion is a good thing.
  6. Smell nice not like a perfume department - It is a good idea to pick a nice smell and use it sparingly (cologne, perfume, aftershave, etc). First don't bathe in the smell. A few dabs or spritzes is all you need. Second please choose one smell and go with it. Don't mix different products each with their own smell. There was one interviewee that showed up smelling like an entire department store perfume section. He had used a handful of different smells on him (clearly) from body spray, perfume, deodorant, etc. I know because I asked. Why did I ask? Because the combination was so strong my co-interviewer and I sneezed for about 5 minutes.
  7. Other general recommendations:
  • Smile sometimes
  • Don't cross your arms, it shows you as being closed off

A survey of 2,000 hiring managers showed that most thought they could properly judge a candidate within 90 seconds of first seeing them. This shows the power of non-verbal cues. Although I would never make a hiring, firing or promotion decision based solely on non-verbal cues, they do play an important role in building an overall picture of the person being evaluated. The key to presenting a positive and welcoming non-verbal aura is consciously acknowledging these points and working on them to "put your best foot forward".



The internet's bad security is YOUR fault

Image by Nick Carter, used under Creative Commons License

As a security expert, my biggest security risk (in the corporate world) is people. I can buy the best technology and write the most efficient processes but if people get sloppy, everything falls apart.

Security and convenience (simplicity) are on opposing ends of the spectrum. Ultimate security means no convenience and ultimate convenience means no security. Did I mention that only through good security can you get good privacy?

We make decisions about the relative importance of security over functionality every day. If you use an Android smartphone and have enabled Google Now, you understand how practical it can be for the Google hivemind to process everything about you and give you the information you need, when you need it, all without having to do anything. Go to the airport and your boarding pass magically shows up on your lock screen or smart watch. Go to a foreign country, get the currency conversion. Go to a new city and see all of the important sights to visit right then and there. We love convenience.

It is this convenience or simplicity that has caused the explosion of everything-must-connect-to-the-internet syndrome. When connecting to the internet meant you had to be a tech expert, buy $3000 of equipment, then set up complicated dialup services, only the brave wanted in. Now that all of the technical underpinnings are hidden, everyone wants to be on the net.

But most users forget that the internet is not magic. There are companies and people working in the background to make all of this possible. None of these people or companies are non-profit charities. Our Internet Service Provider (ISP) sees all of our internet traffic. Our email provider knows who we message, why and how often. Our DNS provider knows what sites we visit and how often. SmugMug or Flickr see all of your photos. If you use a Chromebook (and I own one), you even want someone to manage your endpoint device.

Every time you interact with an internet connected device, remember that it is logging and tracking almost everything you do. Some companies call it telemetry, usage information or metadata, but know that it exists. They use it to improve their product and figure out what's popular and what's not. They want to know when something crashed, why and how. They often send debug information along with the crash report, which could include personal data.

It is these companies, who have access to this treasure trove of personal and sometimes private information, that we are tasking with the protection of our security and privacy. It is also failures in these companies that can lead to a violation of our privacy. Sometimes these violations are because of lax security controls inside the company. Sometimes these violations are performed by well funded, highly skilled cyber-spies on behalf of national governments. Sometimes this information is stolen for fun and profit by "bad actors" (organized crime, competitors or the kid next door).

An article in The Intercept (link) talks about a Snowden leak that claims GCHQ and NSA operatives stole the SIM encryption keys from Gemalto. You've never heard of Gemalto but they probably made the SIM card sitting in your cell phone right now. Its motto is "Security to be free".

Once you have the keys, decrypting traffic is trivial
— Christopher Soghoian, the principal technologist for the American Civil Liberties Union

So it is a bad thing. We didn't want to (or wouldn't) implement security ourselves on our devices so we expect our carrier to do it. They did, using Gemalto, and it is now claimed that the keys used to protect billions of smartphones have been hacked by national intelligence agencies.

Secure instant messaging is a good example. I use the common tools (because everyone is on them) but when I try to convince people to adopt the more secure Threema, they refuse. They want the security but don't want to create and manage keys, securely exchange keys with the other party, etc. They want someone else to handle everything for them.

In the corporate world we employ expensive highly skilled specialists to manage these security controls because we understand the risks of losing control over our protection mechanisms. We understand the value of what it is we are protecting, but do you? 

Every time you give up some privacy in exchange for convenience (or a free service), do it consciously. Ask yourself what’s in it for the other party and is the trade really worth it?
— Edward N Kiledjian

You are your own security's worst enemy.

The long term solution is:

  • more stringent government regulation forcing clearer explanations of what data is collected, how, when, by whom and for what purpose.
  • more intelligent consumers who are aware that "nothing is free" and better equipped to make decisions regarding their personal privacy and security.

Now go on about your day and be secure.


Attacked by the Internet of Things

Image by JD Hancock, used under Creative Commons License

In the last 30 days, I participated in 2 CIO conferences (Montreal and San Francisco) and interestingly heard similar questions from executives about the security risks and dangers of Internet of Things devices. Are they really that dangerous?

When I talk about Software as a Service, most readers think of the Google computer cloud, Amazon Web Services or Microsoft's Azure cloud platform. What never gets mentioned is the new breed of Attack as a Service providers. As competition in this space heats up, purveyors of these types of "fine" (said sarcastically) services are looking for ways to reduce the price to win customers. Yes, free market economics is alive and well in the dark underbelly of the internet.

An October 2014 (link) report by Akamai (one of the internet's largest Content Delivery Networks and provider of Website attack protection services) said that they saw a significant increase in the number of UPnP devices being used in amplification attacks. 

Amplification means an attacker can start with a very small number of attack origin devices, then use flaws and misconfigured internet connected devices to turn the drop into a tidal wave.

The Open Resolver Project has collected a list of 28 million internet connected devices that can be used for amplification attacks (link).

Remember that not so long ago (Christmas Eve and Christmas Day), a group known as the Lizard Squad "took down" the PlayStation and Xbox online services through a DDoS attack using thousands of compromised home internet routers.

As companies rush to cash in on the connect-everything-to-the-internet craze, many are cutting corners on security in order to rush products to market or save money on development costs. These are the same companies that don't update their products when major flaws are discovered in the open source tools they use, which means known vulnerabilities sit waiting to be exploited for the life of that device.

Clearly we have a problem with IoT devices already connected to the internet, and eventually it will have to be fixed somehow or we will see bigger and more devastating DDoS attacks. I'm not sure how these will get fixed but it may come down to government regulation (which I hate to even think about). 

Going forward, I am hoping the larger players will be able to sway device manufacturers to adopt a more security conscious approach. Apple is working on HomeKit and Google bought Nest and Dropcam. Maybe if these larger players use security as a differentiator, it may push other manufacturers in the right direction.

The OWASP (link) Internet of Things Top Ten Project is a great start and the site defines its purpose as:

The project defines the top ten security surface areas presented by IoT systems, and provides information on threat agents, attack vectors, vulnerabilities, and impacts associated with each. In addition, the project aims to provide practical security recommendations for builders, breakers, and users of IoT systems.
— OWASP

As a security expert, I have very limited IoT technologies in my house. Not because of a lack of desire but out of concern for security. Be careful of what you buy and how you use it. Make sure IoT devices are on a separate network, so that a compromise of those devices won't give an attacker a foothold in your home's internal network.

Ask yourself:

What would be the impact if a bad actor saw or listened in on a private conversation? What if they accessed your home internal network and copied your computer files?

This is a market that will explode in the coming years. We will see IoT embedded in everything from our toaster to our pants. Our shoes will provide step counters, our fridge will say how much we ate and the bathroom will illustrate how much time you lost in there reading a magazine.

Everything we do will watch, measure and report on us. Let's try to make sure all this incredible data isn't used for nefarious purposes. As a consumer, demand secure devices from manufacturers. Vote with your dollars. Email company support departments asking for updates and better protection. It's in all of our hands to make security a priority for these companies.

 


China bans Apple, McAfee, Cisco, Citrix and more for state purchase

Image by Gidzy, used under Creative Commons License

Reuters is reporting (link) that the Chinese government has removed several prominent US tech companies from its authorized vendor list, meaning government (state) departments or entities are no longer authorized to purchase from them.

This change isn't surprising considering all of the Snowden leaks about NSA spying. Reuters does mention that some of its unnamed sources said this change is being done to encourage organizations to buy locally rather than for security concerns.

This cuts off a huge potential market for these American firms and it will be interesting to see how they respond.

 


Satechi magical bluetooth buttons

Consumers demand ease of use, power and immediate gratification. Sure the smartphone has simplified our lives but we demand that it become even easier. Satechi believes it has the answer with its Bluetooth Button Series.

The Bluetooth Button Series is a set of 3 small circular aluminium bodied buttons that pair to your smart device via Bluetooth and trigger a particular built-in function (Siri, camera shutter, etc). They work with iOS (iPhone, iPad mini, iPad Air) and Android devices.

Each button retails for about US$25 on Amazon (link).

Attach the media control button to your steering wheel (using the included attachment accessory) and never fumble to switch a song again.

You can use the shutter release button to snap a group picture without having to set a timer and run back. There are lots of creative ways to use these little buttons.


Kindle Unlimited finally comes to Canada

Canadians are used to being treated like second class citizens. We often watch our American neighbours get all the cool services while we live in the stone age. Maybe it's not that bad but it is pretty bad.

Now Amazon has finally opened up its Kindle Unlimited service to all Canadians. This means for $9.99, you can read any book from its 750,000 book digital library. What kind of books do they offer? Think of titles like Harry Potter, Flash Boys, etc.

All Canadians are eligible for a free 30-day trial of the service except Quebecers. No free trial for you, Quebecer! Before any French-speaking Quebecois gets mad at me, Kindle Unlimited will offer 15,000 French titles.

Access Kindle Unlimited on Amazon.ca here (link)

 


Amazon offers $140 worth of Android Apps for free

Every Android user should know that Amazon generously offers one Android app for free every day. Some days the offering is a wonderful deal, other times it is a waste of bandwidth. Amazon currently has a promo where it is offering $140 worth of software for free, gratuitement, gratis, kostenlos, pou gratis, grátis, бесплатно.

Some of the apps carry regular prices up to $19 so get them while they are free. Some of the more attractive ones are:

  • OfficeSuite Pro 8
  • Cut The Rope: Experiments
  • Relax Melodies Premium
  • Runtastic Pro GPS
  • Doodle Jump
  • Longman Dictionary
  • Pocket Yoga

How can you access this wonderful trove of freebies? Click this link