Tech companies are notoriously secretive about their user makeup and their internal operations. Snap filled its paperwork for its IPO (Initial Public Offering) and it makes for a fantastic read. You too can read the S1 here. 

As much as Android fans want to pretend they are as vibrant as the IOS community, the Snap S1 begs to differ. They clearly highlight that most users of Snapchat are on IOS thus making it the priority development platform for the service.

The other interesting tidbit is that the mast majority of the service operates on Google's cloud service (instead of Amazon AWS and Microsoft Azure). Snap recently signed a $2B 5-year deal with the sultan of search.

They also talk about a continued commitment to innovation and this is seen as a way to improve user engagement and thus improve ad revenue. Hopefully innovation is more than filters and glasses.

Another interesting tidbit is their underhanded acknowledgement of Facebook and its potential to disrupt Snapchat's business model.

The final snippet of information I wanted to share was that they aren't profitable and may never be profitable.

Even with this grim view of the world, analysts expect the IPO to be a smash hit. Time will tell but what does it say when investors are willing to spend billions for a company that may never return a penny?

Google has started taking hardware seriously in recent years with its Chromecast and Pixels. Then Google launched the Google Home a voice controlled speaker system that competes directly against the Amazon Echo.

In addition to basic voice control, it brought the Google Assistant (until then reserved for the Pixel line of smartphones) to the masses. You can ask Google Home any question and watch it miraculously respond leveraging the massive Google knowledge graph. 

It can play music from Google Play or Spotify, It an give you weather, news and sport scores. It can do math, spell words and provide definitions. It can even add items to a shopping list. 

Continuing its massive advertising spend, Google will showcase Google Home during the Superbowl with a commercial showing some of its capabilities.  Because they show examples of commands, if you own a Google Home or Pixel smartphone, just know they will go off a couple of times,

•  
• Whether you are a burgeoning social media star, a marketer or just a lover of everything social, you probably want to use the name username on all the major social media sites. Using the same name makes it easy for your adoring fans to find you. 

This is when an online service called NameCheckr comes into play. You enter the desired username and it check the sites for availability. The sites included in its search (as I write this are):

• Domain (.com)
• Domain (.net)
• Domain (.org)
• Domain (.io)
• Facebook
• MySpace
• GitHub
• About.Me
• Twitter
• Instagram
• Vimeo
• Papaly
• Google+
• Youtube
• GetSatisfaction
• StumbleUpon
• Tumblr
• Meetup
• FeedBurner
• Blogger
• Reddit
• Pinterest
• FourSquare
• Pinterest
• Flickr
• Ello
• Dribble
• Last.FM
• IFTTT

Click on the load more option and you also get

• Vine
• DeviantArt
• Kinja
• Spotify
• ETSY
• LiveJournal
• Badoo
• Disqus
• eBay
• Technorati
• Wordpress
• Behave
• Domain (.co)
• Domain (.us)
• Domain (.cc)
• Domain (.me)
• Domain (.biz)
• Domain (.info)
• Domain (.de)
• Domain (.at)
• Domain (.eu)
• Domain (.ru)
• Domain (.jp)
• Domain (.mobi)
• Domain (.in)

Click on any of the services showing the name is available and it will take you to the page where you can register it on that service.

Testing the service

As a test, I ran ekiledjian through the service and after a couple of minutes of processing, it showed me which services had it avaialble or not. 

Regardless of the sales pitch companies make, most self-service initiatives are to save the company money and not necessarily to improve the customer experience. Automated interactive voice support systems are no exception. Everyone dreads entering the maze of never-ending menus filled with frustration and annoyance.

There is a better way. What if you could bypass the machine and go straight to a living breathing human? Welcome to the salvation that is GetHuman.com. 

Let's say I want to call Bell Canada:

Go to GetHuman.com and search for the company

Then you choose the purpose of the call

Let's use cancel service

And here they try to sell you their service which is obviously annoying since the info was built by thousands of users when the site was firsts created (and was free by the way). This is immensely frustrating but there is a workaround.

Trick to get the information for free

Download the GetHuman app on IOS or Android and the information you seek will be provided for free.

Here is the Bell Canada information.

The middle box gives you all of the information you need to quickly navigate the Interactive Voice Response menu. Some listed companies are no longer in business because the free updates from customers stopped when they started pissing off users by trying to charge for everything but I still still find 85% of the info I need.

We don't know if the mobile apps will one day be updated and become for-pay also but use it now while you can. Great resource that has saved me a tone of time.

Everyone hates being ripped off and consumers are always looking for ways to protect themselves. We use credit cards for online purchases to protect against fraud. We use Amazon ratings to judge the worthiness of a seller. But what is a cyber-criminal to do? A criminal can't reverse a charge because they don't use credit cards.

So anywhere there is a void, an entrepreneur will fill the void and the dark underbelly of the cyber-criminal world is no exception. A site called Ripper.CC was launched to help these cyber-criminals identify these scammer "bad guys" anytime they need to buy valuable items in the underworld.

This isn't completely new but what makes Ripper.CC unique is the care and design of the service. It's database is top notch and easy to use with browser plug-ins (for Firefox and Chrome).  The browser plug-in makes it easy to identity criminals that rip off others, find their Ripper.cc profile, and the forum accounts those ripper use.

Obviously the value of any such service is the quality and freshness of the database so the creators of the service have gone to great lengths to be the blue ribbon reference. The service was built in collaboration with well known and trusted members of the underworld. Additionally any new ripper report goes through a documented validation process.

The site uses advertising to cover costs but they may eventually add additional for-pay services. 

There is no such thing as bulletproof security. If a well funded, technically competent and determined adversary is targeting you, they will get in. Your job is to make their life as difficult as possible by using passwords that are complex (difficult to guess) and by keeping your software up to date.

Apple has been a good steward of IOS security and regularly releases patches to protect its user base. Today we were gifted IOS 10.2.1 which is an out of plan upgrade I recommend you download asap.

IOS 10.2.1 includes some important security protection that you definitely want to get. These security fixes touch WebKit (the rendering engine for Safari) and protect against arbitrary code execution using kernel privilege (aka an exploit using this flaw could take complete control of your device).

This complete control thing is why you need to download it now. A skilled threat actor could use this to install/delete apps, copy files and spy on you. The Webkit flaws also allow an attacker to run arbitrary code. 

Looks like many of the vulnerabilities were discovered by Google's Project Zero security research team. Obviously finding these required extremely skilled professionals but these high grade specialists work on both sides of the fence (some are white hats and others black hats). Due to the nature and complexity of the vulnerabilities, anyone exploiting them would be a nation state actor but an ounce of protection is worth a pound of cure.

To upgrade IOS, open the Settings applet and choose General > Software Update

George H Heilmeier was a DARPA director and developed 9 questions to help the agency determine the worthiness of project being submitted to it for funding. These 9 powerful questions as referred to as the "Heilmeier Catechism" and have become a core operating paradigm for DARPA [Defense Advance Research Projects Activity] And IARPA [Intelligence Advance Research Project Activity].

These questions are so powerful, they are used in the business world day in and day out. I first learned about these questions while having lunch with a VC in San Francisco. He explained that many of his peers also use these questions when determining the funding worthiness of a proposal.

There have been variations to the questions but I recommended sticking with the original 9:

1. What are you trying to do? Articulate your objectives using absolutely no jargon.  What is the problem?  Why is it hard?
2. How is it done today, and what are the limits of current practice?
3. What's new in your approach and why do you think it will be successful?
4. Who cares?
5. If you're successful, what difference will it make?   What impact will success have?  How will it be measured?
6. What are the risks and the payoffs?
7. How much will it cost?
8. How long will it take?
9. What are the midterm and final "exams" to check for success?  How will progress be measured?

This is a variation on the journalists who, what, where, when, why and how strategy. Obviously answering these questions will not change the world or guarantee the success of a project. They will greatly reduce the risks you take by ensuring the key concepts are thought off and understood

SEE UPDATE BELOW ABOUT WARRANTY CLAIM

As a frequent traveler, I had always been looking for a lighter alternative that is safe to fly (as long is it is in your carry-on) so I decided to test the Plazmatic X lighter. This is also convenient to users wanted alternatives to disposable lighters or ones that require constant refueling. 

The Plazmatic X is a well built product made from metal.It is light to carry every day (as part of your EDC) but feels solid and reliable in the hand.

Charging

The device charges with a standard USB cable and you can go from empty to full charge in about 1 hour (depending on your power source). In my testing, the device pulled 5.15V & 0.15A (from a 2.4A Capable charger). Once charging is complete, it is pulling 0 Amps, which is a good thing.

When you plug it in, the blue charging light comes on and the battery is full when that indicator light switches off. With a full charge, I was able to get about 80 "normal uses". I was able to charge the lighter with a USB wall adapter, car lighter USB charger, external battery, Biolite CampStove and 7W GoalZero solar panel.

The battery is not user serviceable and my question to support about battery cycles hasn't been answered yet. My expectation is that the battery should be able to support 300-400 cycles which means it gives you about 24000 lights (which should last 5 years or more for the average user).

Lighting

I was surprised to find that the Plazmatic X lighter was able to light anything I threw at it, as long as the item fit inside the 4 electrodes. It was able to light little twigs, cigarettes (no I don't smoke), candles, paper, and more within a second or two. 

You will have issues because larger items (like cigars) won't fit but this is the exception rather than the rule. 

The lighting mechanism is wind proof so there is no concern in high wind situations.

Uses

If you are a smoker, the use of a lighter is self explanatory. Even if you don't smoke, I believe you should carry a lighter with you all the time as part of your Everyday Carry Kit (EDC). I carry one along with a Victorinox SwissChamp. You can use it to :

• light a fire
• light a cigarette for a friend
• light a candle
• melt plastic
• sterilize a needle
• etc

Durability

I have been testing my device for 1 month and so far the product is working and looks exactly like it did the day I opened the package. If it breaks, I'll write an update but so far it looks like it will last

Chinese clones

I ordered a handful of Chinese clones from AliExpress (Alibaba) and found that the cheaper products were cheaply made. One refused to charge. The Other charged but gave me 20 lights per 1 hour charge. A third one was so slimy and the top fell off.

So forget about the $16 copies.

1 of the more expensive ones was a very good copy matching the performance of the Plazmatic but the price was so close, you might as well get the original from an American company.

Conclusion

My biggest issue was receiving the item. From the time the order was confirmed to the time I received the item was almost 3.5 weeks. I kept being told that they were waiting for their shipment from the manufacturer so...... I would say they need to improve their logistics processes. An item like this should be in a consumers hands within 3-4 days of being ordered. 

Putting shipping aside, I love the product and would recommend it to anyone looking for an easy to use every day carry reliable lighter than doesn't require fuel, is travel safe and not disposable (better for the environment). 

UPDATE 1-14-2017:

A day after writing this entry, my lighter malfunctioned and I send a warranty request to Plazmatic. A gentleman called Nils collected the required information and 2 days later, still no information about how they will proceed. I will update this post as the warranty claim progresses.

I have written plenty of articles about TOR over the years:

• What is Tor and should I use it

• Why use Facebook over the TOR secure network

• What is the dark web

Is TOR really anonymous

We know that large scale government actors that control many of the TOR exit nodes have techniques to deanonymize TOR traffic, but this is still difficult to do and TOR is still the most reliable web anonymization technique available.

The Onion Browser

The Onion Browser was released ion 2012 by a developer that wanted to scratch his own privacy itch on IOS. Like many good products, the developer (Mike Tigas) built something he needed and published it at the cheapest rate ($0.99) Apple would allow [just to see what would happen].

Mike started working for ProPublica in 2016 and decided to to give up his In a blog post he says :

The team behind my favorite Android TOR products The Guradian Project (OrBot and OrFox) has decided to support the Onion Browser. The most visible change will be a full app rewrite with a new interface. 

Additionally Onion Browser is the TOR project recommendation for IOS.

I would say go and download it now.

Without much fanfare or pre-announcement, the IOS 10.2 update released earlier today finally enabled WI-FI calling for Telus customers. 

After installing the update, the device rebooted. I then enabled WI-FI calling by:

Settings > Phone > WiFi Calling > Toggle ON

WI-FI calling means cellular calls could be routed via a WIFI network in areas with poor cellular coverage. When the phone detect low cellular connectivity (aka reception dots in the upper left hand corner), it will route inbound and outbound calls with WIFI. 

As soon as I enabled WI-FI calling, I received an email from Telus with this new "free" option automatically added to my line.

Telus support said VoLTE (Voice over LTE) is coming but couldn't give me a date.

In November, I wrote an article that explained the new free unlimited Whatsapp offer from KnowRoaming for travellers. 

When you consider Whatsapp is the primary communication tool for most users and that KnowRoaming has an extensive global roaming partnership network, it was a great win for their customers.

The only thing that was not free was video messaging. Video messaging was specifically excluded but this week, KnowRoaming added it to its free Whatsapp offering. So the KnowRoaming free unlimited global use offer includes all Whatsapp services:

• Text and picture messaging
• voice calling
• video calling

And it is automatically available to all KnowRoaming customers. If you have KnowRoaming credit, and you should if you travel, they will refund Whatsapp usage charges every couple of hours. 

What about competitors?

I used SkyRoam many times during my global trips but stopped when I realized their account management webpage (adding credits, storing credit card information, etc) was all being transacted in a non-secure manner. Wrote about it here. Mistakes happen but the most frustrating part of the entire SkyRoam issue is that they ignored me for the longest time then promised to fix it ASAP but didn't. Obviously customer security isn't their top priority.

I am waiting for the GeeFi to ship but until then, I will stop to KnowRoaming.

The KnowRoaming issues

KnowRoaming works very well when enabled but enabling it isn't easy and reliable. You need an unlocked phone and I have had issues where the app couldn't connect to the internet in the remote location and thus wouldn't let me enable the KnowRoaming sticker. 

Then once you activate the plan, you have to install the KnowRoaming profile which means you can't VPN when using KnowRoaming. This VPN limitation is a major problem when using public wifi. 

The third issue is related to speed. All KnowRoaming connections are 3G even if the partner network and your smartphone support LTE. I was told this is being looked at but I haven't been given any promises or dates.

Conclusion

After everything is said and done, KnowRoaming is (in my mind) the best solution for global roaming on the cheap today. I am anxious to test the new crop of global roaming hotspots that will hit the market early 2017. 

KnowRoaming really needs to spend the time and money to completely rework its app and to make the enable/disable process easier. 

Tends to find fault with others o these questions look familiar?

• Tends to find fault with others
• Is relaxed, handles stress well
• Is emotionally stable, not easily upset
• Is easily distracted
• etc

A large percentage of Facebook users have played with these "personality analysis" games at least once in their life (some do them regularly). Why not? It's a fun way of finding out if a "test" will evaluate you the same way you evaluate yourself... right? WRONG!

These online games and questionnaires are known as the OCEAN test and rate you against 5 psychological traits:

1. Openness
2. Conscientiousness
3. Extraversion
4. Agreeableness
5. Neuroticism

What may seem like a fun way to spend a few minutes and then boast to your friends about the results may be a firm performing deep psychometric analysis of you. 

We believe companies like Cambridge Analytica have been using these Facebook games as a toolkit to build psychological profiles representing millions of users worldwide. 

They collect this incredible treasure trove of data by creating enticing Facebook games and questionnaires. Usually they provide a quick peak at your OCEAN score summary but then using Facebook tools, they can associate that psychological snapshot with your Facebook profile and real name. This link to your online/offline self is what makes this practice controversial and the term used to describe it is onboarding.

Cambridge Analytica has said they have 3000-5000 data points for each of the 230 million psychological profiles they track. These data points may include age, income, debt, hobbies, criminality, purchase history, religious/secular beliefs,etc.

The pedigree

Cambridge Analytica is a spin-off of British firm SCL (Strategic Communication Laboratories  [goo.gl/iuh9gz](https://goo.gl/iuh9gz)) which is known tp have performed PsyOps (Psychological Operations) counter-terrorism in war torn countries like Afghanistan.

The Trump efffect

During the last hotly contested US election, the media repeated a fact over and over "that the trump campaign wasn't using traditional media advertising". The media was right. Instead of traditional macro targeting, Trump turned to Cambirge Analytica (first used by his adversary Cruz) to win voters or dissuade voters of his opposition.

The real problem lies with lax privacy laws implemented in the US. In Europe, most countries have strict data protection and privacy laws severely limiting the second or third hand use of personal data about their citizens. The US has no such protection for its population which means data brokers can access a treasure trove of (often) very private and personal data about its targets. This is how true, powerful and proven micro-targeting is implemented at its best.

Facebook is doing very well. They successfully moved to mobile and their increased profitability from advertising shows it. They are sticky now with 1.71 billion monthly active users. Stickiness doesn't tell the true story. The question is how much was each user worth to Facebook? 

• A global user generates $3.82 a user per year (up from $2.76 a year ago)
• A USA user generates $14.34 a user per year (up from $9.30)

The power of Facebook advertising isn't so much the reach but the micro-segmentation it makes available is. This micro-segmentation is possible because facebook knows who you are, where you live/work, who your friends are, what you like/dislike, how much you make and much more. I wrote an article entitled Facebook knows more about you than you realize. 

What are dark posts?

To continue the discussion, we need to talk about something called Dark Posts or Dark Ads. In simple term, they are posts using news feed style layouts visible in your feed but not actually posted in it. Confused yet? Because they aren't traditional advertising posts cluttering up your newsfeed, you are less likely to "hide" the advertising which otherwise would look like spam. Imagine how powerful this becomes for companies performing A/B testing.  They could run multiple ads against the same person in one day without looking like SPAM.

Think of these as special newsfeed items seen only by the person being targeted, all the wile looking like "normal" posts (not jumping out as advertising) and being temporary. 

Let's make the cake

So take the power of Cambridge Analytica and merge it with the hidden advertising of Facebook dark posts and this is (we believe) what allowed Trump's digital marketing team to serve the right ad to the right voter at the right time. 

A good example is the divisive issue of gun ownership. A gun owner profiled to be anti-establishment could be shown ads about how the opposition wants to weaken the USA by taking guns away (the national anthem playing in the back with a flag waving in the wind). A gun owner with strong religious family values could be shown a pleasant message about how father and son could bond over hunting, alone in the wilderness [but that the opposition would make guns illegal and take this beautiful bonding opportunity away].

Dark ads with good psychological profiles can also be used to create apathy and encourage some opponent voters not to turn out therefore reducing the power of the opponent. Trump created anti Hillary ads pushing out negative messages (Hillary claimed to carry hot sauce with her (link))

Conclusion

What may seem as a simple and fun way to spend 5 minutes could allow a company, well funded group or government to psychologically manipulate you without you ever becoming consciously aware. 

I hope that by sharing this blog article, you will be a little more careful and a lot more distrustful about what you see on Facebook.

Apple hates ports and will kill each and every one of them come hell or high water. The iPhone 7 / 7 Plus pushed the market away from wired headphones into the loving arms of Bluetooth. Audiophiles will explain that Bluetooth has limited bandwidth which means audio fidelity is severely compromised and they are right. Bluetooth can't match the quality of a good set of wired headphones, but let's be honest, most people aren't listening to high quality audio tracks fed through a good headphone amp and $1000 headphones. Most people are streaming their music via Google Play Music, Apple Music, Spotify or Pandora at 128/256 kbps (some are now streaming 320kbps). 

For the geeky reader, a CD ... Yes that plastic disk us old people use to play music from ;-)  So a music CD was 44.1 kHz x 16 bits x 2 channels = 1411.2 kbps, just for comparison.  

Let's dive into the new in-ear Bluetooth noise cancelling champ from Bose. 

This is more of a first look at the QC30 and a more in depth review will come later. The Qc30 seems to beat the QC35 when strictly comparing noise cancellation quality.  The QC35 has a 12 step noise cancellation intensity control. Where is this useful? When you may want "some" noise cancellation but still need situational awareness (e.g. using these while walking on a busy street). 

So the branding change was done because you now (for the first time) have that variable noise cancellation strength. 

Design

Most users assume wireless and light weight go hand in hand but not when it comes to the QC30. The QC30 has that strange neckband that connects to the earbuds. When passing the device around, people liked the headband, were indifferent about it or absolutely ragefully hated it. Regardless of how you feel about it, itis universally regarded as ugly.

The ugly spaceship around your neck is the lifeline of the product housing the battery. Bose promises 10 hours of use per charge which is good for most situations (except the long haul overseas flights to Asia). 

Remember that the QC20 had that in line battery compartment which itself was ugly and relatively heavy. 

The other noticeable improvement is fit. I have normal medium sized ear canals and rarely have fit problems with in-ear headphones. The QC30 seem to fit better than the QC20 did which means improved sound quality and noise isolation

The audio control module has all of the standard controls you expect plus additional buttons to control the level of noise cancellation. After a couple of days, you can control everything by feel because of the unique shape of the control module. 

Sound Quality

Let's cut to the chase,  the noise cancellation delivered by the QC30 is truly spectacular. The noise cancellation of the QC30 is as good as the full sized (over the ear) QC35. The only difference is the QC35 benefits from much better noise isolation in addition to active noise cancellation.

I cannot stress how useful the variable noise cancellation strength feature is. It means you can use this on the plane, on the train or while walking on the street. 

Like every other noise cancellation headphone I have ever tried, sound reproduction typically suffers. The QC30 offer clean and clear low/mid ranges. The highs are were it suffers. Highs are drowned out by the other ranges and don't sound as clean as I had hoped. 

The Bose QC30 offers better sound reproduction than the QC20/20i and the sound-stage is more open and airy. So when comparing it to good headphones, sound quality suffers but is a step up when compared to its older sibling.

The bad

Sound is more bass heavy which may impact your enjoyment of some types of more balanced music.  The on/off slider is badly designed (difficult to figure out if the device is on or off when you aren't using the earbuds. 

The ugly UGLY neckband. 

I have to add the price here. At $299 its a rather considerable investment. Not surprising as this is typically the price range for Bose noise cancellation headphones but still....

Conclusion

There is no perfect device. The truth is that this type of noise cancelling headphone has always catered to a specific affluent customer base. Unlike previous years, the in-ear earbuds now offer noise cancellation on par with the on-ear big brother. 

Sound reproduction is good for noise cancelling headphones/earphone but not as good as "normal" ones. If your primary use isn't while on noisy transit and sound quality is important to you, you may want to look at a non noise-cancelling product. If you need noise cancellation, the QC30 offers sound quality better than its noise-cancelling competitors.

If you are looking for standard in-ear bluetooth headphones with decent sound quality and good battery life, take a look at the JLAB Epic 2. 

A question I receive regularly is "What in-ear noise cancelling headphone do you recommend for travel?" In 2013 my recommendation was the QC20/20i and that recommendation is still valid. The QC20/20i offers the best wired noise cancellation when comparing it to others in the same price category (and of course being wired).

From a pure noise cancellation perspective, the QC20/20i does a better noise cancellation job than my QC25 but the QC25 does an overall better job because it benefits from over-ear noise isolation. When I originally recommended it, the QC20/20i was priced at $299 but can now be bought for $199. 

Usually the next question I receive is regarding sound quality. Let me be crystal clear. I have never used a good sound cancelling (active) headphone (on or in-ear) that also offered amazing sound quality. The Bose QC20/20i is no exception. It offers amazing noise cancellation and acceptable sound reproduction. 

Size matters

I have taken  both (QC25 & QC20) on flights to test the differences and the most striking difference is overall size. Even with the origami fold of the QC25, it is massive compared to the QC20. 

I don't wear glasses but if you do, the QC20 is even more attractive because it allows you to get a good seal (not so with the QC25 and the headband).

Love at first listen

The real test is how much you use it. Several dozen readers have purchased the QC20/20i (based on emails I received) and everyone of them I contacted as a follow-up said they never leave home without it. One reader is a tech exec that travels over 350K miles a year and said "this is the most used and useful travel tool I have ever bought".

Comparing the QC20/20i to the QC30

I will be testing and reviewing the QC30 soon. Stay tuned but remember the QC30 is bluetooth and therefore it needs batteries.

The title may have been just a little exaggerated but most people, computational photography does feel like magic. Google knows you have boxes of photos just collecting dust and deteriorating. Our unofficial benevolent leader (aka Google) has decided to use its computer science chops to help Joe Regular digitize those boxes of old photos without having to fork over $500 for a flatbed scanner or spend hours retouching pictures.

The app takes multiple pictures of each photo and completely get's rid of glare. Then it automatigically  performs edge detection, perspective correction and smart rotation.

If you so chose, you can then upload your new digital cherished memories into the loving arms of Google Photos. 

If you are a computer geek and want to understand the magic of computational photography in an easy to understand manner, check out the new NAt & Lo video below.

Download the free app now:

• On Android
• On Iphone

November 25 2016 update at the end of the article. TL;DR the service is still vulnerable.

Since I traveled a lot in the past, I am always looking for new tech to make travel simpler,. easier or more enjoyable. Since smartphones are indispensable travel tools, I was very excited when SkyRoam was released and wrote several articles about it. 

But as a security guy, there is a hidden danger that I wanted to share with my audience. The danger is present even before you take your first trip and is related to how to you add day-passes to your account.

When you visit their portal, you are greeted with this login page

Notice that the page you are on is not encrypted

This means that anyone can easily intercept your username/password as you type it in. 

The page does not even temporarily switch to encrypted during the login. Everything stays plain text. This  is completely unacceptable on a modern web where WIFI attacks are easy and fast. Certificates to encrypt the connection are cheap and readily available (even free with services like LetsEncrypt) . So companies have no excuse not to encrypt the connection: its either incompetence or a complete disregard for the security of their users (in my opinion). 

I recommend you go in and delete your default payment info on file. To  do this, click on the Account tab and then choose payment options and delete it.

I have daypasses which I will consume but wont add any more due to their lax stance regarding security, particularly the security of my credit card and login information. Even the credit card entry page is not protected.

This is pretty bad and I'm not sure how Visa and Mastercard aren't intervening. To be transparent, I have tweeted this issue multiple times over the last 3 months. When I didn't receive a response, I called their helpdesk 3 weeks ago and told the agent to open a ticket. When I did not receive a confirmation email (about a ticket being opened), I opened another ticket myself with a screenshot and clear description a week ago. I never received a response and the issue was never fixed.

Look for alternatives

I am anxiously waiting for the arrival of the GeeFi global hotspot which is expected to provide LTE service for $9.99 with unlimited bandwidth. Based on everything I have read, I am relatively sure GeeFi will take better security precautions and will be a better custodian for my confidential information. 

November 25 2016 UPDATE

Some people messaged me that the site was protected so let me check

The login page is still unencrypted

Main account page still unencryped

When you visit the page to add a credit card, they show a lock logo while its loading 

but that entire page is unencrypted

Even though someone from SkyRoam promised the issue would be resolved (9 days ago), it is still unprotected and I therefore I would still urge caution.

Public Mobile is a low-cost limited network Canadian mobile service provider. It has recently announced in its forums that it will be adding a new US Roaming add-on (option) through new deals struck with T-Mobile and AT&T.

The carrier has said this is in response to comments made in its forums and will come in 10-day chunks of phone only, text only, data only or a combo plan. 

Limited data is available but we expect the options to look like this:

1. unlimited USA talk $CAD8
2. unlimited text $CAD8
3. 1GB of data for $CAD20

Let's compare the data rate to the pay per use rate of $US0.10 per MB. 1GB = 1000MB = $US100. Obviously the Public Mobile rate is cheaper. You can also buy the KnowRoaming unlimited data plan for $US7.99 per day which would cost $US79.99 for 10 days of unlimited data.

Let's compare it to Roam Mobility. A 1GB data only plan good for 30 days costs $CAD21.95 which is competitive. You can get their unlimited talk+text+data plan for only $4.95 / day ($CAD49.50 for 10 days of everything unlimited). If you add the 10 days of talk, text and 1GB of Data from PublicMobile, you get $36. 

Looking at above, my recommendation is to go with Roam Mobility. For $14 more, you get unlimited data for 10 days which will likely be more attractive to most users.

When a new undisclosed (0 day) vulnerability is used to hack a target's device, the media jumps all over it and create a small panic. Government intelligence and organized crime are always looking for new creative ways to break into target devices and are willing to pay top dollar for new unknown hacks. Vulnerability brokers (companies that are willing to sell 0-day vulnerabilities) are paying to dollar for these rare and very in demand weaknesses. Zerodium is now paying $1.5M for a good complete IOS attack.

Although these are troubling, the truth is the majority of attacks (and malware/virus') still exploit time tested and patchable vulnerabilities. This is why keeping your computer, smartphone and tablet operating system/apps updated is so important.  This is one of the reasons Microsoft switched to an automatic forced update model with Windows 10.

Apple's products are opaque and I do not believe in security through obscurity. I wish they allowed for more scrutiny of their mobile products but when something is discovered, they release updates very quickly and make it immediately available to all supported devices worldwide regardless of the carrier it was acquired through. 

This is one of the chief complaints against Android. Most Android devices are never updated once they ship and the ones that do receive updated typically get them slowly and infrequently. Check out the Android Platform distribution statistics:  

Even top tier manufacturers like Samsung (Note 7 issue notwithstanding) only update their most recent flagship products and that is if your carrier decides to allow it. 

Right now, as I write this, I have an Apple iPhone 6s Plus and and Google Nexus 6P sitting next to me. I  love android and find many of the features in the most recent Nougat release better than comparable Apple features. Don't call me an Apple fanboy or Google hater. The moral of the story is you shouldn't buy any Android phone where the manufacturer has not committed to delivering (quickly) the OS updates and the monthly security releases. 

Buy an unlocked Nexus or Pixel product directly from Google to make sure you receive all of the updates quickly. 

Questions

Q A question I will likely receive is what about [insert brand / model here]?

A I expect emails asking me about the OnePlus 3, ZTE Axon 7, HTC 10, LG V20, Motorola Moto Z, etc. None of these manufacturers have committed to providing the OS and security updates quickly. The answer therefore is no. I love the price / quality proposition of the ZTE Axon 7 and the OnePlus 3 but without a commitment to updates, its a no go for me.

Q. Aren't iPhones more secure?

A iPhone's are slightly more secure because of the way the operating system is designed and applications are sandboxed. This doesn't mean it is unbreakable and the attempted hack of Saudi human rights activist Mansoor proves it( Read this article by CitizenLab) 

Both platforms can be used safely if you ensure you don't break their built in security (rooting on Android and Jailbreaking on iPhone) and you ensure you only download "real" apps from the official app stores. 

A. What else can I do?

Q In addition to using the "right" device, it is important to think about your privacy and security. Use the right apps for the right job.

• Use encrypted communications apps like Signal. Signal's encryption has been reviewed by leading cryptographers and has been given a big thumbs up.
• When browsing the web, use Tor to protect your identity (easier on Android) with a browser like OrFox. You can even configure Facebook and Twitter (on Android) to use Tor via OrBot.
• Every picture taken with a smartphone contains "hidden" information called Exif information. This is information like the type of camera used, the settings used to take the picture, etc. It also contains the GPS coordinates of where the picture was taken. If you send this to someone, they can extract this information and use it to pinpoint the location the picture was taken. Send it to a social media site and they will start building a travel pattern of you. Make sure you remove EXIF information, using an app, before posting. There are tones of apps, just search the app store.
• Uninstall apps you no longer use. Remember that apps are sometimes sold and the new buyer may push out an update that adds unwanted features "like tracking or recording". If you no longer use an app, get rid of it.

Ive written about TOR a few times but  I regularly receive emails from "newbies" asking me to describe what it is in general terms. That's what this article is about. To get things kicked off, let me share an important quote from everyone's favorite whistle blower, Edward Snowden:

In an effort to grab reader/viewer attention, every-time the media mentions Tor, it is usually done in the context of a report about the "evil" & "bad"  dark-web. The truth is Tor was created by the US State Department to help global activists communicate freely while in repressive locales. 

It takes all of the data leaving your computer (or coming back), creates bundle, encrypts each one multiple times to hard code the path it will take through the TOR network until it reaches its destination. Each node that receives a bundle destined for it, will unencrypt its layer of the bundle which tells it where to send the bundle next. This layered approach is why it is called The Onion Router. Each node only knows where it will send it to next, the receiving node only knows the previous node it came from,  which makes eavesdropping or de-anonymizing TOR much more complicated. 

Tor Hidden Services are what the media calls the Dark Web. Think of a Tor Hidden Services as a website on the Tor network. When using one of these sites, the request never leaves the TOR network (never touches the normal world wide web) so it is considered even more secure. 

Many popular sites, understanding the need and desire for a more private web browsing experience have started creating Tor hidden services for their popular websites (The Intercept, The Guardian, ProPublica, WikiLeaks, Facebook, etc)

Tor does make your browsing experience a little more complicated. First you will notice a drop is performance (i.e. pages load noticeably slower). This slowdown is a side effect of all of the encryption/decryption and the number of hops a packages is forced through to protect your identity. Some sites mark all TOR traffic is potentially malicious and constantly challenge users to "prove their are human" using CATPCHA or a very small group of sites block inbound TOR traffic completely. 

The easiest way to try TOR on a computer is to download the TOR browser bundle directly from the TOR project website. It is a customized version of the Firefox browser that is designed not to leak data and is configured to use Tor correctly.

If you are on an Android device, then I recommend you use to create the TOR tunnel then use their customized TOR browser called OrFox . 

I realize most people care more about ease of use (instead of privacy). I tried Anonabox hoping it would be a good hardware TOR solution but that didn't turn out too well. I am now waiting for the Invizbox and will review it when it finally ships (another delayed project).

I believe privacy is important. If you have questions, feel free to post it in the comments section or send me a note.

Related:

• Russian government offer $111,000 to de-anonymise TOR
• Why use Facebook over the TOR secure network
• Anonabox Pro Review
• What is the dark web