Edward Kiledjian

The Quebec Superior court has ordered Telus to reimburse customers to the tune of $2.6M in text messaging fees. This is a  result of Telus unilaterally changing terms and conditions for 172425 customers in Quebec (charging 15 cents per incoming text message).

If you are one of the affected customers, you could receive a whopping $15 but know that Telus is reviewing the decision. They could of course appeal the decision so we'll have to wait and see.

It seems password theft is in the news every week and even average computer users are starting to learn about the benefits of 2 factor authentication. 2 factor authentication increasing your account security because it add to your password (something you know) with a second factor (something you have). 

The something you have is usually either an SMS message with a one-time authentication code to your primary phone on file or a special software that generates the same kind of code. The SMS option seems convenient but is less attractive when you consider the site would have to send your secure log in code encrypted through a 3rd party carrier (which is never a good idea in my opinion). Using a software one-time code generator is a much more attractive proposition in my book.

Which major sites use 2 factor authentication?

Almost every major site uses 2 factor authentication... Some (small list) examples are:

• Facebook
• Google+
• LinkedIn
• Twitter
• Tumblr
• WordPress.com

What is Authy?

Since most people have heard of Google Authenticator, let me take a minute and introduce Authy before I jump into the comparison. Like the Google product, Authy is a  Time-based One-time Password Algorithm and adheres to RFC 6238 (link) described by the  Internet Engineering Task Force. 

In addition to being a slick well designed app, Authy allows you to manage all of your TOTP 2 factor authentication tokens with it (including Google Authenticator tokens).

And with the Bluetooth agent on Apple computers, you don't even need to touch your phone when logging into websites. The entire process is slick and beautiful.

Authy also trives for 99.9995% uptime and has built their infrastructure accordingly. You can read a great techical article on Leanstack.io (link) about this.

Authy versus Google Authenticator

There are 2 types of Authy implementations:

1. A site can use Authy as their 2-factor authentication system (front and back end)
2. A site can use the Google Authenticator back end and the customer can choose to use Authy as the token generation client app

Let's take scenario number 1 first.

Let's say you are using Google Authenticator and you lose you phone, the only course of action you have is to find your backup 2-factor codes (that you hopefully printed when you set the entire thing up) and deactivate your tokens app by app (or site by site).

If the sites use Authy as the back/front end, you can revoke a apps token very easily from their site.

The other major issue with Google Authenticator touches world travelers. There are some countries where you won't have connectivity on your mobile device for extended periods of time which could lead to a drift between your phone's time and that on the Google servers. If the drift becomes too wide, you won't be able to login anymore because the entire TOPT process uses time in the calculation algorithm. The Authy team has accounted for this possibility and has built in more refined time drift smoothing algorithms to reduce the likelihood of this occurring.

Google Authenticator is built to run on only 1 device but more tech savvy users know that you can use your authenticator seed on multiple devices. The problem is that all your devices use the same seen which means if any device is compromised ot stolen, you have to cancel and regenerate all of your tokens. Even when used in multi-device mode, Authy create unique seeds for each device (when used with sites that have implemented the Authy backend not the Google authenticator backend). Which means you can revoke the rights to one device without having to reset everything.

Let's take scenario 2 now

One thing I hate with Google authenticator is that I have to redo the entire token creation process for every 2-factor enabled site everytime I change my phone. I could save a screenshot of my seed and use that in the future (instead of going through the entire process again) but that is a HUUUUUUUGGGEEE security risk. You really don't want to store your seed unencrypted.

Authy has a account synchronnization feature that allows you to move your entire token vault to a new phone or to a second device. Security analysts know that the goal is to minimize the attack surface and therefore sometimes you may chose to only allow 2-factor authentication code generation on one device. Authy actually sets its default configuration to only work on one device to ensure multi-device support is a conscious decision by the user.

To enable Multi-Device synchronization of your tokens, they have created a model of inherited trust which means a new device can only be authorized from an already trusted device.

This means that if you buy a new device (to replace your existing one or a tablet), you can easily transfer your authentication tokens over. 

The other benefit is that everytime you start the app, you get a fresh authentication code valid for 20 seconds which means you're not waiting 1 minute for the app to refresh with a new code.

Overall the app is much nicer than Google's. It is a clean touch friendly interface that is a joy to use. I have now migrated all my Google tokens to Authy and it is the only 2-factor authentication app on my devices: smartphones and tablets.

You can download Authy for free

• Mac App: (link)

• iPhone App: (link)

• Android App: (link)

I test thousands of apps every year for Android and IOS, and after a couple of weeks, most end up being deleted. 2 weeks ago I discovered a very useful free android app I think every Android owner should download now.

The app is called Agent (link) and offers 5 very useful pre-configured functions called Agents (which you see in the above image).

The 5 functions are described as follows (by the manufacturer):

•  Drive Agent is triggered by bluetooth and motion sensing (activity detection). It can be configured to read SMS messages aloud, respond with voice, auto respond to texters and callers to let them know you’re driving (editable message) & only respond to your own hand-picked list
• Battery Agent triggers at a percentage you choose. It helps conserve battery by giving you the option to turn off bluetooth, dim your screen and reverts back to normal settings automatically when you charge your phone. Will also let you know how much battery it saved you.
• Parking Agent remembers where you parked, based off your speed or bluetooth connection. Will remember your last five parking spots
• Meeting Agent syncs with your calendar to silence/ put your phone on vibrate when you don’t want to be disturbed. It can be configured to activate for busy events only, gives you the ability to specify your working week so that it only syncs with your calendar on days and times you prefer, works with shared calendars and auto responds to selected contacts during these "busy" events.
• Sleep Agent will silence your phone automatically when you go to sleep. You can configure sleep times for different days of the week, minutes of inactivity before activating, auto response to selected callers and texters during your sleeping hours, list of contacts that can wake you & Bluetooth, autosync, wifi and mobile data deactivation.

Having played with it for a week, I think this is a beautifully useful app. It is a competitor to the MotoX only MotoAssist by Motorola.  In some ways, it is even more useful than MotoAssist and could coax some die hard MotoX users to switch to other android devices.

We are a society that prides itself on always being connected and there is nothing more frustrating that having weak WIFI or 3G that causes intermittent connectivity flickering. I experience this most often when using hotel WIFI. Sometimes my room is just at the edge of the reception range and I have to walk around trying to find the best spot to get a signal.

Absolute (link) developed its Linkase (for iPhone 5 and 5s) specifically to help you get a signal when you might otherwise not. It does this using an Electromagnetic Wave Guide to direct more of that signal goodness directly into your devices internal antenna. 

Anytime I do a review, the question I want to answer is: "Is the device worth the $39 asking price?" Read on to find out...

Let's get physical

The case itself is made from a hard solid feeling plastic. It has a slightly graining feeling which makes the (normally) slippery iPhone much easier to grip. It measures 126.4mm x 61.2mm x 10.8 mm, which means it is extremely thin and doesn't add bulk to your phone. It is smaller and more compact that the original Apple brand leather iPhone 5s case.

It has 2 EMV antennas:

• Top one for WIFI boosting
• Bottom one for 3G boosting (LTE versions available by region)

As you can see, there is a cutout for the camera and there is a cutout for the side control buttons and the bottom (speaker, microphone and lightning connector).

The EMW sensor is a special material that traps the WIFI or 3G signal and forces it towards you devices internal antenna (without requiting any plugs, cables or device modification). When the antennas are not in use (you can use 1 or both at any given time), they cleanly slide into the case and disappear. 

I used the case with a ZAGG InvisibleShield screen protector and it worked perfectly together.

All of the original iphone controls work very well and are easily accessible. The only difficulty is getting the hard shell on and off.

Unlike the "real" protective cases, this devices primary job is boosting your WIFI /3G signal and therefore it doesn't offer much protection if your phone is dropped. It will prevent scratches but don't expect real dependable drop protection. You give up drop protection in exchange for sleekness.

Does the Linkase Pro work?

I tested the WIFI portion at home, at work and in a coffee shop. Each time I tested network performance using the IOS Speedtest.net app and performed at least 4 pairs of tests (1 pair = with case then without the case).  I ensured that for each pair, the phone didn't move and that the same Speedtest.net endpoint server was being used. I performed 4 pairs of tests to ensure the results where one-off issues.

I discovered that when I was in a good WIFI zone, the case actually seemed to slightly negatively impact WIFI performance. Standing about 10 feet from my Asus 801.11n router, I was downloading around 26.5Mbps without the case and 23.2-24.9 with the case. Surprisingly upload speeds seemed not affected.

But the case is built for low signal boosting so I walked far enough to where the WIFI signal was at 1 bar without the EMW antenna deployed. I then performed the tests again and the case didn't improve download or upload speeds. At this distance, the case had no performance impact on download/upload speeds.

For each test, I also loaded popular websites CNN, Kiledjian.com, Yahoo, Google (clearing cache between each test) and performance wasn't materially different (with or without the case).

My final test was WIFI boosting capabilities in a dead spot. I walked just to the point where my iPhone lost the wifi signal (walking a couple of feet back would bring the signal back). I deployed the WIFI EMV and then checked the network settings app to see if the iPhone could see the WIFI network beacon (with and without the case) and it couldn't. 

What about the 3G boosting capabilities?

I performed similar tests on the 3G boosting capabilities which was easy because I work in a building and area with bad cell reception. The 3G boosting capabilities were just as bad as the WIFI ones. 

For the purpose of comparison, I also tested signal boosting ability of my Wilson Electronics 3G/LTE Active powered booster and this one made a difference to reception quality and strength. Of course I expected the Wilson to perform better since it is powered and has active electronics.

Verdict

This was one of those products that I really really wanted to work. I loved its promise of signal boosting and could imagine dozens of different uses for me (especially when travelling). Unfortunately (in my tests), it didn't provide any benefit WIFI or 3G.

For the purpose of completeness of testing, I installed the case on a non-technical friends iphone 5s and asked him to give me his feedback. A couple of days later he said he didn't notice any change (positive or negative). His exact comment was "With the case, I have the exact same reception as without the case. Dead spots are dead and when I'm in the basement, I get the same abysmal wifi I have always had".

Since this is a user oriented article I won't get into the technical details about what the heartbleed bug is but in simple terms it is a vulnerability in a very commonly used security protocol that could allow an attacker to "steal" 64 KB of server data (from memory) at a time.

Current estimates peg the impact of this bug at about 500,000 sites or ~20 of secured SSL sites on the internet. This bug has gone undetected by mainstream researchers for 2 years and could allow a technically savvy attacker to continually exploit a server in the hope of finding passwords, credit card or other valuable user information.

At this point I am not aware of this bug being exploited in the wild.

I'm a user and I'm panicking

First thing you need to do is calm down. It is a major vulnerability but the fix can only be applied by the operators of the affected sites (Google, Yahoo, etc). 

Know that once the issue is fixed on a server, the server operator will invalidate the old (potentially) compromised security certificate and add it to a revocation list. The first thing you should do is

ensure your browser checks all SSL certificates against that revocation list. In chrome do this:

- Open a new tab

- In the URL address bar, type  chrome://settings/

- Click on show advanced settings

- Scroll down until you see the SSL/TLS section 

- Make sure this checkbox is ticked

Once a website upgrades the software, you should change your password on that site. Changing it before the bug is fixed is useless since it could potential be exploited and stollen again. Some sites (like Facebook and Yahoo) have admitted to using the vulnerable product and have confirmed their software is now upgraded. This means you can go ahead and change your password for those sites.

Other sites (like banking) will likely never admit to having the vulnerability (and not all versions are vulnerable) so you'll have to use the heartbleed site checker tool on sites like Lastpass (link).

What if the site doesn't notify you? Maybe change your password now anyway and change it again once a week for the next 2-3 weeks. Sometimes they won't admit to being vulnerable to hearbleed but may say "your account has been locked for security reasons please change your password."

You should be using a password manager so that you can protect each website with a long unique password. I use WolframAlpha to generate strong long unique passwords for each site (wrote an article about it LINK) and store them in Lastpass (since remembering them is impossible.) 

EVLeaks has proven to be fairly reliable over the years and his latest prediction is that the next Motorola Moto X will be called the Moto X+1. 

We haven't seen too many rumours surrounding this upcoming device so we'll have to wait and see what the Lenovo owned unit will deliver. It is important to remember that many Android watchers still call the Moto X the best Android phone around (even though it was released August 2013).

In Canada the Moto X was released exclusively on Rogers and I am really hoping they bring the new device to Telus and Bell also. 

In the US and Canada, we have seen more and more tier-2 carriers selling the Moto X which typically indicates it will shortly be replaced.

(Product)Red is a Bono charity to fight the global AIDS epidemic. Apple strongly believes in the cause and has a special line of (RED) products and accessories. For each (RED) product sold, Apple makes a donation to the charity and now those donations have added up to $70,000,000. 

(Product)RED has said Apple is single largest corporate benefactor. In addition to the money 
(which is obviously important), Apple also supports the movement by changing its Apple store logos to red during world AIDS day and John Ive has designed special one-off products that were auctioned for (Product)RED.

WSJ (link) is reporting that a company called StoreDot has developed a biological battery that can be charged in 30 seconds. The technology comes from the nanotechnology department of the university of Tel Aviv.

Fast chargers are nothing new but they are typically too big to be considered portable. StoreDot's technology is relative portable and can be adapted for use by almost any cellphone. The other benefit is cost. The company expects its technology to only cost twice the market price of a normal everyday charger. 

As exciting as all of this is, you can put your credit card away. The company doesn't expect to commercialize the product until 2016. 

This is one of the most exciting technologies I have seen in a while and I really hope they stay independent and built this for many smartphones (and not get snapped up by Apple or Samsung).

Epoch.2 is a well rated iPhone, iPod and iPad game that costs anywhere from $2-$6 normally on the store (currently it's priced at $4.99). 

You cannot get it for free as the IGN free game of the month (link). But you have to go through this link to claim your redemption code.

Planes are boring. Sitting on a plane, waiting to takeoff, without entertainment is even worse. Imagine what happens when you take the cast of a Lion King production  (in Australia) and get them to sing The Circle of Life. 

Google released an interesting blog post (link) regarding Office features. The most interesting revelation is that there will be Outlook Web Access OWA for Android. OWA will be released as a native Android app 

Expect this feature to roll out to Office 365 subscribers in 2014.