I remember a time before Google maps when navigation meant buying paper maps from the petrol station and required a navigator. Then came the smartphone with its GPS magic powered by Google Maps, and our lives became instantly better. 

There are times when GPS is unreliable (like dense city centers), or you want to maximize your smartphone battery life, or there are times you simply don't want to give Google your precise location for privacy reasons. 

This is where an Android app called SmartNavi shines. SmartNavi uses steps to determine your location instead of an always-on GPS antenna. Without a GPS components, this app is more geared towards pedestrians, hikers, bikers, skateboarders or other non-car users. 

Your phone is a cornucopia of sensors and SmartNavi uses these to calculate your steps and then guesses your current location. At startup, the app connects to the internet and GPS to pinpoint your starting location but from that point on, no more cheating.

This means that even if you are walking in the densest downtown (like Hong Kong) or lose your internet connection, you will still be able to navigate. The app claims it can save 80% more battery (compared to Google Maps or Apple Maps) by not using the GPS antenna.

There is also the important notion of privacy. There are times you simply want to go somewhere without big brother looking over your shoulder (logging and then analyzing your travel patterns). Using the app is simple. You download it from the Google Play Store (Appstore); you open and set-up the app (first time) and then input your destination.

During the initial set-up, the app asks for your height. This isn't to profile you but to better calculate your steps.

Obviously, this isn’t the perfect app for everyone but it does meet a unique need for many smartphone users.

There are lots of “less than reputable” websites that scrape the web for your information and then make it cheaply available to anyone willing to spend money.

I recently found a website that has a ton of information about many Americans including address, telephone number and even some relationship information.

Once you enter your name and state, it will show you a list of possible “victims”. You choose your listing and prepare to be astounded by the amount of information they have about you.

Now that your are properly terrorized, here is how to remove your information from Cyber BackGRound Check

1. Go here: https://www.cyberbackgroundchecks.com/removal

2. Agree to the conditions and enter his email address

3. Complete the CAPTCHA and then click “Start Removal Process.”

4. Find your records and click the Remove My Record button at the top of the page (must be on the details page of your profile to do this)

5. Check your email for the removal confirmation note and click the enclosed link

6. 48-72 hours later, your information should be removed from the site

*** This is not a sponsored post ***

I love Titanium EDC gear. Now that my obsession with Ti is out of the way, let’s talk about pens. Most people buy the cheapest pen they can find or that their company will provide. I would like to submit that a well-designed pen is as much a tool as it is a work of art.

I bought my Ti Arto EDC pen in 2016 and it has been with me every day ever since.

IT has been around the world multiple times and is still my favourite pen ever (and I have owned very expensive ones).

What makes the Ti Arto EDC Pen great

First, it is machined out of a solid piece of titanium. Second, it accepts 750 different pen refills without having to hack or mod the refills or use (easy to lose) spacers. Third, you can adjust the length of the pen by swirling the back (longer or shorter).

Why is titanium great for everyday carry? Because titanium is a very hard and resistant metal. This pen has travelled in my wallet pocket for 4 years around the world and isn’t dented. Obviously it is created a bit but I find it shows character that way. the scratches aren’t deep and can’t be felt using the pen.

The Ti Arto EDC pen is well balanced (capped or uncapped) which means it is comfortable to use even for someone with smaller hands or for someone that writes a lot. Even after 4 years of daily use (and abuse), the cap stays on the end when desired. It doesn’t slip off because of gaskets on it.

When writing with the cap screwed on, the cap doesn’t rattle.

The Ti Arto also has a wider girth that makes writing for long periods more comfortable (aka less hand strain).

The refills

When you buy the pen, it comes with a Schneider 0.4 mm black gel ink refill installed. Over the years I have tried different refills and have chose the Signo RT as my preferred choice right now (although the fisher space pen refill was also a good choice).

Big Idea Design, the Ti Arto’s designers, have tested 750 different refills and they created a google spreadsheet with the list of supported refills.

Conclusion

I know many of your reading this will consider a $90US pen a frivolous purchase when you can buy a disposable pen for $1.99 or a slightly better quality reusable Pilot pen for $10-20. Your position is perfectly understandable.

I believe in buying fewer items but buying high-quality ones for the products you chose to introduce into your life. Think about how many times you have used a pen in the last 2 weeks. This is something that will last a very long time and that you can be proud to show friends and colleagues,

If this is something you think you would be interested in, here is the link on Big Idea Design’s website (not an affiliate link) : here.

I own other Big Idea Design products that will make it into my favourites list so stay tuned.

Other articles you may like:

• Ed’ favourite things - Meet the Supply Co Single-Edge razor

• Ed's favourite things - Best Qi wireless charger

• Ed's favourite things - Best Password Manager

• Best collapsible water bottle

• Review of The Grayl Ultralight water filter & purifier

There are companies out there that will pay top dollar for working full chain smartphone vulnerabilities that will lead to a complete compromise (check out Zerodium as an example ). A full zero-click compromise for a patched android phone can net you a cool 2.5M$ (Wired).

Considering how we use smartphones and the information they contain (or can leak), these aren’t just simple electronic tools. Smartphones can be considered a bionic extension of your mind—anyone who can access your phone gains unprecedented access to your mind, life and psyche.

You may doubt the validity of the above statement, but think about it. Your smartphone knows where you are and where you have been. It knows who your friends and colleagues are. It knows whom you interact with. It has access to all your emails and other messaging. It has a camera that can be remotely triggered and a microphone to listen in on any of your private conversations (when was the last time you were more than 6 ft from your smartphone?).

Who is this article for?

The more secure you make something, the less usable it becomes. Security professionals have to tailor their security recommendations based on the risk profile of their customers.

For this article, I am assuming you are a “normal” general computing user that is not subject to elevated risks or custom attacks (aka you aren’t in the intelligence field, a journalist in a less favourable geography, a politician, etc.)

Why is this important? An average user will be targeted by unsophisticated actors (ex-partners, lovers, former angry friends, coworkers, or script kiddies) or medium sophisticated actors (scammers, general hackers, etc.)

An average user is not important enough to merit an attack by state-sponsored actors or organized crime. These advanced actors have more developed capabilities that would require a customized security program built by an experienced security professional.

What are we trying to accomplish?

Whether I am building a multimillion-dollar security program for a large cloud service provider or helping you secure your own smartphone, the goal is always the same.

Absolute security does not exist regardless of how careful you are or how much you spend.

The goal of a solid security program is to be "good enough" to tire your attacker and encourage them to move onto their next victim. Even with the most expensive door lock, a thief can use a battering ram to break down your front door, but they probably won't. You buy a lock that is sufficiently strong to resist breaking with kicks. A good security program is the same.

Let’s begin.

Encrypt your device

If you are running an iPhone with IOS 12 or later, it comes automatically encrypted out of the box. IF you are running an older version, check out these instructions. Most modern Android devices from reputable manufacturers come encrypted as well. If you are running a phone from a lesser-known manufacturer, a phone that comes from a market where encryption is illegal or it is older, check out these instructions to encrypt your phone.

Password or Pin

Since IOS 9, Apple has made a six-digit pin mandatory (although you can still force it back to a four-digit pin). Remember that once an attacker finds your pin code, they are in, and no additional tools are protecting you.

The goal is to make your adversary’s life as difficult as possible. A 4 digit pin means your attacker will have to try 10,000 possible combinations. It may seem significant to you, but remember, they have tools to automate this process. Simply moving to a six-digit mixed password means there are 1,000,000 possible combinations.

If you choose to implement a passphrase instead, you make it more difficult for you but you also make it more difficult for an attacker to crack.

Fun fact, approximately 25% of all smartphones can be cracked by using one of these pin codes:

• 1234

• 1111

• 0000

• 1212

• 7777

• 1004

• 2000

• 4444

• 2222

• 6969

• 9999

• 3333

• 5555

• 6666

• 1122

• 1313

• 8888

• 4321

• 2001

• 1010

Most phones also support a feature that wipes all the data from your phone after a certain number of wrong attempts have been made. This eliminates the threat of automated attacks.

Remotely wipe your phone

. If you feel someone else may be in possession of your phone, and it is connected to the internet, you may be able to remotely wipe the data.

On Android it is normally called Find My Device

On iPhone it is called Find My iPhone.

You can log into the manufacturer portal to find your device or wipe it if necessary.

Find my device links

• Android : https://support.google.com/accounts/answer/6160491?hl=en

• IOS : https://support.apple.com/explore/find-my

Two Factor Authentication

Remember that your phone is an extension to your online Google or Apple ID. It is very important that you protect these from unauthorized access. You should be using a long, complex, non-dictionary, passphrase to log in. You should also enable two-factor authentication to add another layer of protection to your account in case your password is compromised.

The easiest is to use Time based One Time Authentication codes.

On Apple devices, you will use your smartphone (or any other Apple device connected to your account. The Apple instructions are here.

Google users can use a software TOTP system with any one of the free TOPT clients available. The cleints I recommend are :

• Google authenticator

• Authy

• andOTP

or some password managers (e.g. 1Password) also offer this as a function. The most secure option is to use a hardware token (e.g. Yubikey) but this is slightly more demanding and I won’t be covering it here.

Update and uninstall

Most attacks are against old vulnerabilities that remain unpatched. If you have a phone from a manufacturer that does not regularly deliver (monthly) security updates or the updates for your phone have stopped then it is time to buy something else.

You must update your phone operating system and all the apps on it regularly. Doing this will reduce your attack surface (ake make an attackers life more difficult).

Remember that applications may have undiscovered or unpublished vulnerabilities. In addition to updating them using the Apple AppStore or Google Play, you should uninstall any applications you do not regularly use. Many of these apps are stying on your anyway but they could be the weak gateway an attacker gains access to your phone.

Where possible, use the web version of services. As an example, instead of using a Twitter app (on most of my devices), I use the PWA website at mobile.twitter.com. This gives me full functionality without needing an app (that can track me or compromise by device).

Only install apps from official apps stores (Apple AppStore or Google Play). Apps in these stores are cryptographically signed to prevent impersonation by attackers. If you are a little more adventurous (on Android), you can also check out the F-Droid alternative app store.

Reboot often

We have seen many attacks in the last 3 years that are not persistent. This means they go away after you reboot your device. This is why it is a good idea to regularly reboot your device. I typically try to reboot it every 8 hours or so (while I am awake).

Turn off your phone

A phone that is off can’t be attacked.

An unsophisticated attacker will not be able to compromise your phone’s baseband chip and turn on your phone.

It is a good idea to turn off your phone when you can (at night or when you will be away from it from a while). Plus turning it off while charging will often allow your phone to charge a bit faster.

Install a firewall

You may not know it but if you use a Windows or macOS device, there is a manufacturer-provided firewall on your device. Unfortunately, smartphones do not come bundled with them but they are extremely useful.

It seems every week we read about another couple hundred apps (on IOS and Android) that made it to the app store but that were malicious. A firewall will define what apps will be permitted to use WIFI and/or LTE.

The best firewall for Android is Netguard and the best one for IOS is called Lockdown.

These apps can work in 2 modes:

• blacklists mode, is where you choose what apps should not be allowed to communicate

• whitelist mode, is where no apps can communicate unless you specifically allow them to

Obviously whitelist mode is the most secure but may require a little bit of tweaking when an app just doesn’t work right.

Due to recent societal changes, expect the authors of these apps to change the above terms shortly. Blacklist will be changed to blocklist and whitelist will be changed to allow list.

Disable WIFI and Bluetooth

Anytime you are out of a trusted location (home or work), turn off WIFI and Bluetooth. Also make sure that any feature that would automatically turn them back on is disabled (e.g. Automatically connect to public networks).

Attackers can set up a malicious network and easily trick your device into connecting to it. This is trivial but not part of this discussion so I won’t explain how to do it here.

Many public venues (e.g. malls use your phones Bluetooth beaconing to track you as you walk around. This works without any intervention from you. When you don’t need Bluetooth, turn it off.

Remember that public WIFI is evil. Any WIFI that you don’t control can be used to steal your information. If you have to connect to untrusted WIFI, use a VPN. Please use a good VPN and know that good VPNs are never free or extremely cheap. You get what you pay for.

Many will recommend TOR but it is slow and most users would find the experience painful. So I stopped recommending TOR for most users.

Browsers

Browsers are dangerous. Dangerous. Dangerous. They run code delivered to your device from another computer which means it could be a wonderful way for someone to compromise your device remotely.

If you don’t believe me, read this article China hacked iPhones and Android devices to target Uyghur Muslims.

For iPhone users, I recommend sticking with the built-in Safari. Apple has done a relatively good job with it and it should be secure enough.

On Android, my browser of choice is Bromite . Bromite has native support for the uBlockOrigin adblock engine( the best in my opinion). It supports DNS over HTTPS, to encrypt your DNS queries. It is always in incognito mode and it offers many more wonderful security-friendly features. Remember to turn on HTTPS everywhere in it and disable Javascript.

Is IOS more secure than Android?

To close out this article, I will quickly touch on the question I receive the most often.

For this discussion, we have to separate privacy and security. This article was written to improve your security not your privacy. They do not usually go hand in hand.

For a general user looking for a no worry relatively secure platform then IOS is probably the way to go.

For a general user that doesn’t mind a little work and that wants good security, Android is the way to go. IT offers more customization options to make your device more secure.

For a more security-conscious geek, then I recommend going to GrapheneOS. GrapheneOS will require some work (you have to install it) and will make you uncomfortable (does not come with any Google services or the Google Play store) but it is the most secure consumer option right now.

Companies large and small are always looking for new and creative ways to violate your privacy.

One popular tool of the trade is to embed trackers and ask for more permissions than necessary to "steal" user data. The question is, how do you know what trackers are embedded in your installed Android apps? This is were The Exodus Privacy Report tool comes in.

Here is a sample report for the Adobe Acrobat app

When you click on one of the trackers, it gives you interesting information

Clearly they want to acquire as much information about you as possible to track your device. You can then decide if the app is worth giving up all this information or if you want to use another app that is less invasive.

Are iPhone users safe? The answer is no, but researchers don't have permission to analyze IOS apps. We know that many of the worst offending apps are on both platforms and use cross-platform Software Development Kits.

So what do you do? Remove any apps from your smartphone that you don't use regularly. Before installing any application, make sure you read and understand the permissions being requested by the app. If a game wants your location, access to your camera or other weird permission, pick something else.

Are there "good" apps?

Yes, there are. Protonmail is an example of an app that only has crash analytics trackers built-in. Another example of a "good" app is the DuckDuckGo Privacy browser; it contains zero trackers.

I was disappointed to see NordVPN with its six trackers. NordVPN is tracking user behaviour.

You can access the database online here.

This is an opinion piece.

TikTok is a Chinese social media network that allows creators to publish short videos. It started with a ton of slapstick comedy and karaoke but has since matured with much more diverse content. It has become one of the most popular social media platforms because of its powerful video pairing algorithm. It has an incredible ability to show you a continuous stream of content you will find interesting, and it is usually correct. 

You can see samples on their trending webpage without needing an account.

TikTok belongs to a large Chinese company called ByteDance. This is problematic for western politicians because (it is suspected) Chinese corporations have been stealing IP from their western counterparts for decades. 

But why is the USA talking about banning TikTok (a rare censorship move by the US government)? 

It is important to remember that China has banned most western social media apps within its borders. Without working around the great firewall of China, a citizen cannot access Facebook, Twitter, Reddit, or any Google property. It banned them to stifle conversation, to censor free speech and to monitor its citizens. 

You can use a website like Blocked In China or Comparitech to check if a site is accessible from China

I have lived in Hong Kong and worked in China for a considerable amount of time. So I hope that I can bring some interesting perspectives about China and this TikTok discussion.

The first thing to remember is that you cannot evaluate this matter through an American lens. 

Every medium-sized company or larger (think larger than 50-75 employees) is beholden to the Chinese government. This means that the Chinese government can seize, capture or use any information held by any Chinese company. Unlike US authorities, they do not need a court order to undertake any of these activities). Even though the Chinese government has allowed companies to operate with a semi capitalistic model, they theoretically own all Chinese companies operating in China. 

A more risky point is (it is said) the fact that the Chinese government incentives Chinese companies and citizens to expand internationally and sign partnerships with western organizations to steal IP. The goal (it is said) is to use this knowledge to build a Chinese variant. Once perfected, the end-goal is to export this Chinese version overseas and take over that market (this works in every vertical from clothing to aerospace). 

Read about their 14th five year plan here. Think of the five-year plan as a master blueprint for their economy. It lists the industries they want to lead in during that five year period. The next one (2021-2026 will cover the environment and green tech). During those five years, they want to become industry leaders at any cost (remember the IP theft claim above).

If you watched Silicon Valley on HBO, they alluded to this characteristic when Jìan-Yáng "borrowed" American company ideas to start copies in China (time-code 0:44). 

Sometimes patriotic hackers could also attack foreign companies to aid China. The US Department of Justice pinned the Equifax hack on 4 Chinese hackers.  This hack gave hackers ,and (it is said) the Chinese government, access to the credit records of millions of Americans. They also had access to confidential Equifax business processes. 

So what?

Let's summarise

• every Chinese company is owned by the Chinese government

• The Chinese government has access to all the data these Chinese companies have

So considering the above, prima facie, Tiktok should be a national security threat. Last year American senators "woke up" and asked their national intelligence agencies for analysis. 

Obviously, Tiktok pushed back by saying that they use American servers running in the USA. TikTok also appointed an American CEO.

Think of all the data these companies collect about you (name, location, social graph, habits, likes, etc.). Used "properly" it can generate a ton of obviously useful and some less obviously useful data points. 

Read my 2014 article about how Target predicted its’ customers were pregnant before they knew it by data-mining their buying habits. Now imagine what could be done with a ton more information.

Regardless of where the data sits, the company that owns TikTok is ByteDance, a large, fully Chinese organization. Even if the data sits in the USA, ByteDance (it is believed) cannot refuse a request from the Chinese government (regardless of where the data sits). 

Remember that Chinese employees have access to the American servers and data. It is claimed that ByteDance has ties to the communist party back home. All of these simply bring TikTok closer to the Chinese government and make obtaining information that much simpler. 

In addition to concerns about China gaining access to traditional social media users’ data, there is the concern of TikTok being a tool to exercise soft power. 

A popular tool used in cyber offensive activities is Psychological Operations (PsyOps). The goal of a psyops program is to secretly fuel the fire in a foreign country's population to take actions desirable to you. 

We heard about TikTok users coordinating on the platform to troll Trump's Tulsa rally. 

Was this truly a grassroots movement, or was a foreign adversary secretly working in the background to encourage actions aligned with its interests? Remember that a good psyops program is secret and almost impossible to identify. 

Americans see TikTok as a bastion of free speech, but it isn't. Many have claimed Tiktok removes other types of videos that would not normally be considered bad in the west:

• TikTok Is Reportedly Removing Videos of People with "Abnormal Body Shapes" 

• TikTok 'tried to filter out videos from ugly, poor or disabled users' 

We have heard other complaints about videos critical of China also were removed. I don't know if this is true, but it would be consistent with how we believe China operates. Don't forget China uses TikTok to flex its soft power by encouraging creators to publish pro Chinese content. 

This goes back to the original point of not evaluating TikTok with your American lens. Whereas the removal rules for videos on Youtube, Facebook or Twitter are relatively well accepted (harmful, child abuse, exploitation, promoting hate, etc.), Chinese rules for removal of content are very different. China has an ambiguous law that aims to “prevent the spread of rumours”, What constitutes a rumour is purposefully vague and this law has been used to shut down dissenting voices. When watching online complaints about the types of videos actually being taken down, it seems more aligned with enforcing this law to protect the Chinese “face”.

My assessment is that the Chinese government doesn't care about users discussing American politics. They want to ensure no one criticizes China, the Chinese system or the government's authoritarian rule. This is exemplified by TikTok deleting a video by a makeup channel. She talked about the plight of the Uyghur while doing her makeup and had her video deleted. 

China believes in free speech as long as it doesn't impact them or their narrative of the world. Try searching TikTok for videos discussing Hong Kong independence, Taiwan independence, or anything else criticizing China. 

Here is a shocking trend for you. Teens in the US and Europe that believe they may have been shadowbanned will publish videos with the Chinese national anthem playing in the background, with pictures of Xi Jinping and professing their love for China. Even though this is being done mockingly, doing this enough could have unintended psychological consequences and start creating positive associations in these teens about China.

Conclusion

I am anxious to see if the USA will ban TikTok and on what grounds. Will they conduct a full and impartial review, or will it simply be a decision of political convenience. Don't get me wrong, as a security professional; I don't trust any company based in China that is beholden to the Chinese government. The general public making dance videos may not care that their data could be used to build a profile of each user.

That if the Chinese government wanted, they could use the videos to create a sizeable facial recognition database with a robust social graph.

That this data, merged with other data from other breaches and leaks, could help build a reasonably reliable profile of hundreds of millions of people.

That the platform could be used to sway younger voters in a particular political direction more aligned with Chinese interests.

I am curious about how the US would implement a ban? Even if they mandated the appstores remove the apps, Android users could sideload it, or TikTok could build a Progressive Web App (a web page that looks and acts like an app). We simply don’t have the same censorship tools as China.

I don't know if the platform IS a risk to national security, but I personally don’t trust it.

If I start seeing more "Chinese contraband" content on TikTok, then I will be inclined to believe they are independent of the Chinese government. I want to see

• videos about the Muslim minorities being sent to re-education camps

• videos asking for freedom to be restored in Hong Kong

• videos talking about Taiwanese independence

• videos criticizing the communist government

• videos discussing he persecution of Falun Gong members (even imprisonment)

Until then, I hope users understand what could happen with their data. Particularly parents of younger children. Once something is uploaded to the internet, it can never really be removed.

*** Let me state at the top, that this is not a sponsored post. ***

Look at my picture on my blog, and you will notice I have a shaved head. I have been shaving it since I was 18 years old using the standard Gillette cartridge razor and shaving cream method.

Earlier this year, I started investigating alternative shaving techniques and tested over a dozen injector razors and double-edge razors. Cartridge style razors (Gillette, Harry's, Schick, etc.) are the type of blade most of us grew up using. They are highly available and easy to use.

I shave my face and head every day; the cost of cartridges is significantly more (even with Harry's or Dollar Shave Club.) A typical blade lasts st most a week.

So single-edge and double-edge replacement blades cost less. Contrary to popular advertising, adding more blades didn't make the shave easier on my skin. Using a proper shaving regimen with the single-edge or double-edge razors yielded a gentler shave with less irritation.

Exploring

I bought a bunch of different razors (handle and blade combos for double-edge and single-edge injector kids). My double-edge blade collection is a collection sourced from 14 different countries.

After everything was said and done, I chose the Supply Co single-edge injector style razor as my preferred shaver.

I tested the following injector razors:

• Supply Co (version 2)

• Shave Classic Single Edge Razor Handle

• Schick injector razor (old version)

I tested the following injector blades:

• Schick

• Supply Co

• Personna mini

Introduction to the Supply Co Razor

The first characteristic you will notice is just how nice the razor feels in your hard.

It is an all-metal build using Metal Injection Molding (typically used to manufacture aerospace components or medical items). This process allows them to create razors with very tight tolerances. You would expect an all-metal razor to be slippery. Still, the bead-blasted surface allows for easy gripping, even with wet hands. It is very subtle, and the razor looks sleek and smooth.

Supply Co understands that preferences are personal. They include three configuration plates for the blades (think gentle, classic and close). After testing all three, I chose and still use the close adjustment plate. You can use any injector blade with the Supply Co razor.

They include a small supply of Supply Co razor blades with each kit (and they run free blade for life promos every once in a while). Their blades are slightly thicker than the competition, making them particularly suitable for mowing down multi-day beards. The Supply Co razor injector comes with eight blades and a used blade catcher underneath.

A traditional Gillette style cartridge razor required two passes to get a good shave (even with their 5-blade razors). Using a pre-save cream, shave soap, and the Supply Co razor requires an additional pass. The result is a less irritated and closer shave.

What about the cost?

I always used high-quality shaving products, so moving to a pre-shave cream and shave soap didn't increase the cost that much. The Supply Co razor is ($75USD) is more expensive than a traditional Gillette razor ($10-15USD).

Still, the cost of razors and blades catches up at five months, and it becomes much cheaper after that.

The other important factor to consider is that the Supply Co razor is guaranteed for 100 years. As long as you don’t lose or abuse the razor, you likely won’t have to buy another razor for a while (if ever).

What about the Double-Edged razors

I tested several razors and blades. All in all, I must have gone through 30 separate combinations. Which blades did I try? here is the list of double-edge blades I tried

• Derby Extra

• Astra Superior Double platinum

• Shark

• Asco

• Lord Cool

• Big Ben

• Shark Platinum

• Rapira Voskhod

• Clifton

• Treet Dura Sharp

• Silver star

• Vidyut Super-Max

• Ladas

Here is the list of double-edge razors I tried:

• Wilkinson Sword

• Merkur Classic 3 piece

• Merkur progress adjustable 2 piece

• Weishi Long Handle

I found the Supply Co razor more gentle (less irritation). I found it particularly challenging, shaving the back of my head with the double-edge (more prone to cutting and missing patches of hair) than the Supply Co razor.

In preparation for this entry, I shaved a 2-day beard with my favourite double-edge combination and the Supply co razor with their in-house blades. With three passes using the same process, the Supply Co side was smoother, less irritated and had fewer nicks.

Change in mindset

The other unintended change was my mindset around shaving. Not sure why this change happened, but it did. I had always seen shaving as a necessary evil.

When I switched to the single-edge razor with a pre-shave cream, shave soap with a boar hair brush and an alum stone, I find shaving a relaxing self-care ritual.

Shaving is personal

Shaving is a very personal experience, and everyone will have different preferences. I suggest you get involved in the dozens of online communities and find the combo that best suits you.

A handful of members in these communities also switched to the Supply Co after my experience, and have now become converts.

Some may prefer the double-edge razors, while others will always see shaving as a chore and go with the mid-priced cartridge razor on special at their local pharmacy.

Ultimately shaving is something most of us will do for many years, so it is worth investing a little bit of time in finding the best solution for you.

Microsoft has launched an incredible new initiative powered by free learning content, low-cost certifications and job seeker tools to help 25 million individuals re-enter the workforce.

Microsoft has launched a new initiative that combines content from it's LinkedIn learning and Github entities, mixed with other content previously only available internally to Microsoft employees.

The purpose of this initiative is to help upskill or retool individuals that may have lost their jobs due to COVID. Microsoft is forecasting up to a quarter-billion unemployed individuals (globally) in 2020 due to COVID. Microsoft is using its proprietary data to identify the most in-demand jobs; it is building a curriculum from its various entities and is offers low-cost certifications.

You can access all of these resources and more at opportunity,linkedin.com.

Combining all of its employment and tech-related data, Microsoft believes that the ten most in-demand jobs (globally) over the next decade will be:

1. Software developer

2. Sales representative

3. Project manager

4. IT Administrator

5. Customer service specialist

6. Digital marketing specialist

7. IT support

8. Data analyst

9. Financial analyst

10. Graphic designer

Microsoft has designed a custom curriculum for each of these career paths and makes the training content available for free until March 2021.

The content is available in English, French, Spanish and German.

Each custom-designed curriculum path includes LinkedIn learning content. The curriculum may also include content from Microsoft Learn. To prove proficiency, Microsoft has made its new role-based certifications available for $15 (if you attest that COVID19 has impacted your job).

Microsoft blog

Controlling the flow of information is a critical tool in the arsenal of despots, dictators and authoritarian regimes. Some countries want to block a handful of internet sites (Facebook, Instagram, Twitter, etc.) while others exert an almost inconceivable stranglehold on the internet (think Iran). 

When we think of censorship, the typical list that comes to mind is North Korea, Iran, China and Cuba. The list is much more worrisome than that and includes countries such as Bahrain, Ethiopia, India, Pakistan, Russia, Saudi Arabia, Sudan, Syria, United Arab Emirates and more. Other countries typically offer an open internet to their population except during major events like Egypt during the spring uprising. 

Enter Psiphon

Psiphon is a Canadian company that started at the Citizen Lab intending to design censorship busting technology. It is an open-source tool designed to allow citizens living in restrictive regimes to access "forbidden content easily." The basic version of Psiphon that is free for everyone forever without requiring is account is speed limited to 2Mb/s. You can earn (by watching promo advertising videos) or buy PsiCash, which allows you to unlock faster speeds for a certain amount of time (up to 5Mb/s).

Earning PsiCash

As an example, watching a 30-second video ad earns you 35 PsiCash. You can watch about 5 in a row (earning you 150 PsiCash). You can exchange 100 PsiCash for 1 hour of "speed boost."

This is likely how citizens of repressive regimes would use the tool. If you are willing to spend cash via the Google Play store, you can buy 1000 PsiCash for $0.99CAD (10 hours of "speed boost"), 5000 PsiCash for $4,99CAD (50 hours of "speed boost"), etc. Every chuck of "speed boost" you buy starts counting down once you activate it.

If you want a more traditional monthly subscription with unlimited use, you can opt for a recurring subscription.

Or you can opt for an onetime pass unlimited use pass (if you are travelling to one of the regions that censors the internet)

Who are these monthly recurring subscriptions for? They are for regions where the population is much better off (think Saudi Arabia) or for users that work in environments where undesirable internet sites are blocked (e.g. corporations, universities, etc).

DNS Leak Tests

I conducted a bunch of DNS Leak tests on Windows & Android and didn't detect any leaks. On some tests, Google DNS servers did show up but these were proxies by Psiphon so your confidentiality is protected. 

Different App Versions

You can download Psiphon from the Google Play Store, from the Apple AppStore, from their website (for Android or Windows).
 
If you send an empty email to [email protected], they will respond with an automated response listing different AWS URLs you can download the client from. The purpose of this option is to make the download available from cloud providers that are typically allowed. 

Some news-oriented newspapers blocked in certain regions recommend you use Psiphon to access them (BBC, The Intercept, etc.). These sites even set up the same type of email download link response service, to help you find Psiphon easier (e.g. The Intercept set up [email protected]).

Most platforms offer 2 versions of the Psiphon app (basic and Pro). The basic version is the all free version, capped at 2Mb/s and it comes with small ads.

The Pro version seems to have more prominent ads but offers the option to have them removed if you buy a monthly subscription. 

The subscription and "speed boost" pricing is only available in the app, and pricing is region-specific (The high-speed monthly subscription seems to be $9.99USD/$14.99CAD/£9.99.) 

Last year Psiphon offered a 30 day trial for the subscription but has now lowered the trial to 7 days. 

Ease of use

Once you install the app, you can immediately start the speed-limited service. It does not require any type of registration. This lack of red tape speeds up the process but also means any PsiCash you buy is bound to that device and that particular installation. If you clear the app cache or reinstall the app (even on the same device), you PsiCash is gone.

During my initial test, I sideloaded the app on Android and wasn’t shown ads during use. That behaviour may change, so your mileage may vary. The Google Play versions I installed did show me ads.

You will notice a **Stats** menu option in the previous image; this shows you how much data you have uploaded and downloaded. This is less of a concern in industrialized regions, but many developing countries have expensive data plans. This **stats** option aims to help users make smarter data usage choices.

How secure is Psiphon?

This article will not be a technical evaluation discussion about their security; however, you should read this section to ensure you understand what it does and what it does not. Psiphon is, first and foremost, a censorship busting tool. It uses a variety of technologies to ensure they can bust through most of the time. They combine different technologies like always changing server IPs, a series of cascading protocols (SSH, VPN, handshake obfuscation, etc.) and other anti fingerprinting techniques.

These work excessively well. A buddy in China installed the Android version and freely accessed restricted sites (consistently over a test period of a week). All traffic from your device to the Psiphon servers is always encrypted, and they don't log any personally identifiable information. The last piece is that the software is open-source and can be inspected by anyone.

This service is NOT a replacement for other more common western VPNs like ExpressVPN, NordVPN, ProtonVPN, etc. Psiphon does a much better job of breaking through censorship controls. Still, it does not offer all of the privacy-protecting tools that traditional VPNs do (CyberSec DNS from Nord or the ability to control where you exit the network).

Psiphon does not claim to increase your privacy because they don't protect you from website fingerprinting, beacons on the web or other privacy destroying techniques.

Psiphon shares aggregated information with its commercial partners.

Use Psiphon is you need to break censorship controls.

If you need strong privacy, go TOR (TOR does not work in most censoring regions).

Conclusion

I read a ton of discussions about Psiphon on different social media sites from people claiming to in repressive regimes. Even with the fact it is slow, clunky and not the most beautiful app, it provides a critical service that nothing else seems to offer.

Most users benefit from the free version, and Psiphon doesn't have an army of support people waiting to chat with you or respond to your emails.

If you are in a country that controls the internet, try TOR first. If it doesn't work, then jump to Psiphon.

If you live in one of the western countries where we enjoy relatively unfettered access to the internet, you would be better served by a traditional VPN service.

This is not a sponsored post, and links are not affiliated links. 

Most moderately priced (or higher) smartphones now come with wireless charging, which means it is a little luxury you can easily add to your everyday experience. 

When evaluating wireless Qi chargers, I only looked at the stand models because it allows you to use the device while it charges, and it makes finding the charging zone effortless. 

Over the years, I have tested hundreds of cables, chargers and wireless chargers and have concluded that Anker and Ravpower manufacture the most reliable units. After testing about 20 models available on Amazon, I wasn't surprised to find that the best units came from these two brands. 

The best wireless charger is the RAVPower Wireless Charging Stand (RP-PC069). The charge speed will depend on your smartphone (Androids will charge faster than iPhones), but the best in class wireless chargers perform 20-40% better than the cheaper competition. This unit delivers a constant 7.5 watts for iPhones and 10 watts for Android devices. 

The RavPower is a complete kit that includes the charging cradle, charger cable and the wall adapter. The RavPower has 2 coils which means you can place you charge your phone horizontally (to play games while charging) or vertically (to check messages or video chat).

Unlike cheap Chinese competitors, the Anker and RavPower units are certified by the Qi Power Association, so you know it will not damage your expensive smartphone. 

Additionally, the best units have dim lights (that won't bother you during sleep), and they don't make unusual noises. 

• Amazon Canada (~$70 CAD)

• Amazon USA (~$53 USD)

Be aware these items regularly sell out so keep checking their availability.

If the RavPower isn't available and you need to buy something immediately, you can pick up the Anker PowerWave Stand. Anker includes the cable (micro-USB) but not the wall charger. It will deliver 5 watts for most devices and 10 watts to Samsung devices when paired with a QC2/3 certified wall plug. Expect it to perform 30% slower than the RavPower for most phones.

• Amazon Canada (~$25 CAD)

• Amazon USA (~$20 USD)

Don’t forget you will need a wall plug for this unit. You probably have one, but it you don’t take a look at this Anker QC2 unit.

There is no shortage of password managers. Anytime you listen to a podcast or read an online blog post, you will probably be bombarded with ads for tools like Lastpass, Dashlane or 1Password. Add to that list the neverending supply of free password managers (Keepass, BitWarden, RoboForm, etc.)

Free isn’t bad

The truth is there are a lot of very good free password managers. These are great options for users that can't or don't want to spend money. I'll mention my favourite free pic later in the article.

Favourite paid password manager

Before jumping to 1Password a couple of years ago, I had been a paid Lastpass customer for about ten years. I started looking for an alternative because of irritants and an issue I experienced when I needed support, and Lastpass was unresponsive. Plus Lastpass is unrefined and a little clunky. After testing 10 of the best rated paid password managers, I chose 1Password.

Here is why I chose it and why it may be a good fit for you. It supports all the platforms I use, such as Windows, Macs, Chromebooks, iOS devices and Android devices. WatchTower is a great feature Lastpass didn't offer that ensures you aren't reusing passwords, that you are using strong passwords and that you aren't using passwords that are part of a site breach (therefore would already be on a list of passwords hackers would use first to break accounts).

Tell me more, please

1PasswordX for easier browser integration

As a ChromeOS user, 1Password was off-limits for many years because it did not have a self-contained browser extension. The original version of 1Password required that you install the full client on Mac and Windows to support their light browser plug-in. This changed with the release of a product called 1Password X. 1PasswordX works in Google Chrome, Microsoft Edge (Chromium version), Firefox and Opera (Chromium version). 1PasswordX offers all of the password management functionality without requiring any client installation so it also works on ChromeOS.

1Password uses multiple Vaults

1Password has implemented a password grouping concept called a Vault. A Vault is a container that stores all of your 1Password information. During installation, you create a default vault and everything is stored there automatically. But if you are also storing business information, you can create a separate Vault for those.

Another interesting use of Vaults is to improve travel security. We live in a world where our personal privacy is constantly under attack. Nowhere is this more true than when crossing an international border. Border agents can order you to unlock your device and your password vaults. Which would give them access to all of your sites and personal information. You can mark certain Vaults as safe for travel and store the less sensitive passwords here. If your device is inspected at a border crossing, only the vaults marked as safe for travel will appear.

Biometric support

All versions of 1Password support biometric authentication (depending on the features available on the platform of use). Since your main unlock password should be painfully long, this is a wonderful feature to enable on smartphones and tablets.

1Password for the security-conscious

Security is a balancing act competing with usability. My default, 1Password encrypted all of your information (on device) using AES256 before the blob is sent to their servers. This means that if their servers are ever compromised, your passwords are safe, as long as you are using a good strong, long password. You can and should read about their security model here.

If you want, you can be extra paranoid and configure 1Password not to sync the vaults to their servers. This means you can manually copy the encrypted vaults to your devices using whatever mechanism you want. For users that want this standalone model, 1Password does sell a standalone license for Windows and MacOS. Know that the standalone license does not include 1PasswordX. Most users should opt for the “normal” subscription model.

1Password for files

1Password (like Lastpass) gives you 1GB of encrypted cloud storage to store sensitive information you may need while out (think scans of passports, credit cards, health cards, tax papers, etc).

Support

1Password is a Canadian company with Canadian support. Believe it or not, getting in touch with a real human is very easy, not buried 32 levels deep like other products. Their online support site is clean, has well-written articles with nice screenshots and video walkthroughs. This one item sets them apart from many of their competitors.

1Password isn’t perfect

Perfection doesn’t exist in nature or the computer world. By default, the Vaults lock after 1o minutes of inactivity to protect your information. I think this is a desirable feature, but some may find it slightly annoying. You can change this setting but.. should you? I say keep it as is.

A little annoyance is acceptable in exchange for better security. Lastpass has a forever free version that meets the requirements of “normal” users. 1Password does not offer a free version (only a 30-day trial). I believe in paying for good products to encourage the developers and ensure the product survives.

What is the best free password manager?

I tested about ten free password managers while investigating what product I should be using daily. And after reading privacy policies, reading the security model documentation, I tested about ten free password managers while investigating what product I should be using on a daily basis. And after reading privacy policies, reading security whitepapers and testing the products, the winner is…. Bitwarden.

There are three features 1Password offers that differentiate it from Bitwarden. If you don’t need these features, then BitWarden may be a better option for you. The three features are:

• WatchTower’s password checkup features

• physical hardware security key support (e.g. Yubico)

• 1GB of encrypted storage

BitwarDen has the essential features every password manager should offer, such as the ability to manually synchronize your data on as many devices as you want, the ability to store an unlimited number of passwords. The free version of BitWarden allows you to share select passwords with one other person (e.g. spouse or partner).

Bitwarden supports a wide range of devices such as Windows, macOS and Linux. It supports all major browsers with a plug-in (Chrome, Firefox, Opera, Microsoft Edge, Safari, Brace). On mobile, it supports both IOS and Android. If you are an uber-geek, BitWarden supports Command Line Interface to its vaults (CLI).

BitWarden uses similar vault security as 1Password but… it does not submit itself to independent security auditing as 1Password does.

BitWarden apps and plug-ins aren’t as polished as 1Password but they are highly functional.

Anytime we talk about free products, I am reminded of the saying “If you aren’t paying for the product, you are the product”. I read the BitWarden privacy policy, Nothing glaringly bad popped out. They don’t sell or share your data for commercial purposes. Although they do have the right to share some anonymized data.

You will get ads for their premium version in their free products, which is understandable. Remember that if you decide to pay, take a look at 1Password first.

When you first started using your computer, it was silky smooth and fast. Now it is a sluggish mess.
Especially now that many of you are stuck at home, you may be trying new apps that turn out to be a disappointment.

• How do you make sure you remove all the files when you uninstall that application?

• Why doesn't the app you just installed have an uninstall option in add/remove applications?

The free app I am going to talk about will help with all of the above and more. It is called BCUninstaller.

What is BCUninstaller?

BCUninstaller stands for Bulk Crap Uninstaller and is a well designed tool to help remove any application, leftover files and more simply and quickly.

Many apps don’t have easy to find uninstaller options in the Windows Add/Remove Application applet but most leave behind a ton of garbage files. BCUninstaller uses its own appliction detection engine and has options to clean up “leftoer files”.

Here is a great video that shows how it works

Installing BCUninstaller is as simple as downloading the installer (from here) and then following the standard installation options.

Once the application installs, it will scan your computer and find all the installed applications. If you want to uninstall something, search for it using the search feature and then click on the uninstall button at the top.

It can detect these types of applications:

• Normal registered applications (same as Programs and Features and many other uninstallers)

• Hidden/protected registered applications

• Applications with damaged or missing uninstallers

• Portable applications (looks in common locations and on portable drives, configurable)

• Chocolatey packages

• Oculus games/apps

• Steam games/apps

• Windows Features

• Windows Store apps (Universal Windows Platform apps)

• Windows Updates Applications from all of these sources are treated the same - you can filter, export and automatically uninstall them in the same way.

To clean leftover files, click the Tools tab, then choose Clean up Program file folder and choose which discovered files you want to delete.

As millions around the world work from home, corporate security teams have ramped up their protection protocols because the threat actors are very active. Many threat actors have also lost their “day jobs” and are relying on their nefarious cyber activities to pay the bills/

From an antivirus perspective, most users will be properly protected by the free Windows Defender included with all versions of Windows 10 . You may have clicked on a questionable link or opened a questionable attachment and you scan your computer using Windows Defender. Sometimes you may want a “second opinion” and the question is which online scanner should you use?

How about none of them. Why not rely on the free antivirus included in Google Chrome. What, you say. Google Chrome? Chrome the browser? Why yes.

Open the Google Chrome browser

In the address bar, enter chrome://settings/cleanup

You click on Find and let it run.

So what is it looking for?

• Hijacked settings detection - It will detect if a browser extension ha changed your settings without your consent.

• Chrome Cleanup - Sometimes you download and install the software you need and install unwanted secondary software unwittingly. Often times this is how some of the download sites monetize their service. Chrome will detect many of these unwanted installations and remove them.

• ESET Antivirus - Google can change the AV engine anytime but right now they have partnered with ESET.

  
  
  

Obviously, this isn’t a complete antivirus and should be relied on as your primary protection mechanism but it is nice to know there is a second opinion waiting for you if you ever need it.

Computational photography is a field of image processing that uses computer algorithms to improve the quality of digital images. It was coined by Michael Abrash in 1999, and has seen a number of innovations since then.

Smartphones use computational photography to improve the quality of their images, and this has had a major impact on traditional mirrorless camera vendors. By incorporating techniques such as deep fusion, which combines multiple images to reduce noise and increase resolution, smartphones are able to produce high-quality images even in challenging lighting conditions.

Despite these advances, there are still some limitations to computational photography. One challenge is that it can be difficult for the software algorithms to account for all the possible variables in a given scene. This can lead to artifacts or other issues in the final image.

Another challenge is that computational photography techniques often require significant processing power, which can drain a device's battery quickly. As a result, many devices only use these techniques when necessary, such as in low-light conditions.

Nevertheless, computational photography has the potential to transform the way we capture and edit images, and it remains an exciting area of research and development in the field of image processing.

Keywords: computer algorithms, image processing, deep fusion, noise reduction, resolution enhancement, lighting conditions, processing power, artifact creation.

Smartphone hacking is a very lucrative business “threat actors”. Vulnerability broker Zerodium is now paying as much as $2,500,000.00 for an Android full chain (Zero-Click) with persistence.

The increased payouts and interest in smartphone hacking isn’t because they are easy targets but because they are valuable. For most users, the smartphone is like a second brain. It contains personal data and insights like nothing ever has in the past. Access into your smartphone is almost like gaining access into your brain, your thoughts, your beliefs and your habits.

There is this misguided belief in the market than an iPhone is more secure than an Android device. That is not the case. An adequately secured Android can be as (or more) secure than a normally configured iPhone. And Android offers more options to heighten your security where you may need it (whereas iPhone is one size fits all).

As you read through this article, I will try to explain some of the differences.

Who is this tutorial for?

As a security professional, my recommendations are designed based on the threat model of the customer I am advising. This article aims to help a general consumer or business user, that is trying to mitigate the most common and general types of risks. This means that their typical attacker will be a low-resource individual using conventional attack techniques such a stalkerware, scams, social engineering and easily accessible hacking tools.

This article is not for an individual that is targeted by a nation-state or well-funded criminal organization. This last category requires custom attention that cannot be addressed via an article.

What is the goal of strong security?

Total, complete and unbreakable security does not exist. The goal of this article is to set up enough roadblocks that the type of adversary you are dealing with will likely give up and move on to another target. The best analogy is to think of this in terms of a door lock. A good door lock will keep out common criminals but won’t deter a determined, skilled and well-funded adversary.

Is Security the same as privacy?

Privacy is becoming more and more talked about because of very public breaches (Marriott, Equifax, etc.) and new regulations like GDPR or CCPA. Security often will support privacy but not always. There are times when you have to choose one of the other. Where such a choice is required in this article, know that I have chosen the secure option.

Encryption

Most modern devices are encrypted during the initial setup but you should double-check just to be sure.

The EFF published an article explaining how to encrypt IOS devices (from version 4-11).

To maximize the protection encryption offers, you should choose a long (but memorable) alphanumeric password or a 6-8 digit passcode.

• An example of a long memorable alphanumeric passphrase is: I3at@ppl3sAtMidn1ght

• An example of an 8 digit secure passcode is: 72046290

You should also configure your device to erase all contents after a certain number of failed login attempts. This will protect you from a brute force attack.

Device encryption is a tool to secure your data when someone has physical access to your device but does not have the password (loss or theft of your device). It offers no protection from malware, viruses, or other related nasties.

Find my device

The iPhone and Android offer free tools to find a lost or stolen device. More importantly, they offer the option to remotely wipe your device if you are sure it is lost (not misplaced). For this remote feature to work, you have to ensure that the option is enabled on your device.

• Here is the Apple article explaining how to enable Find My Phone on IOS devices.

• Here is the Google article explaining how to enable Find My Phone on Android devices.

Remember that this option needs to be enabled before you lose your device (it cannot be done afterwards).

Both IOS and Android require that the phone be powered on and connected to the internet for this feature to work. If you want to remotely wipe your device, do it before you report your phone lost to your carrier (they will immediately deactivate your line and remote wiping won’t work).

Enable two-factor authentication

A chain is only as strong as its weakest link. Today’s smartphone is a powerful network-connected computer. Most smartphones connect back to either an Apple or Apple account. Any compromise of these accounts can lead to a compromise of your smartphone.

Two-factor authentication may sound scary but it is very simple to implement with Apple and Google. By doing this you secure your online presence by making your account more difficult to compromise and more resilient to unauthorized access.

• Here is a Google article on how to enable two-factor authentication for a Google account.

• Here is an Apple article on how to enable two-factor authentication for an Apple ID.

The modern implementation of this system is that your phone will be pinged by the service (when you are logging in from a computer) or another device connected to your account (when logging in from a mobile device).

When setting up, you will be asked to choose a backup authentication mechanism and you should choose a Time Based One Time Password (TOTP) option. Never choose SMS or email (as those are very easy to compromise).

You will be asked to download a TOTP application and scan the barcode they show during the setup of two-factor authentication. This barcode is a one-time thing and will never be shown again. A good cross-platform TOTP app that synchronize your codes across multiple devices is Authy. Authy is a trusted well-designed app and is completely free.

• You can download Authy from the Google Play store (for Android) here

• You can download Authy from the iTunes store (for IOS) here

Another good app (that is available on both platforms) is the Google Authenticator app. The Google app does not sync TOTP tokens across devices so if you change your smartphone, you have to revisit each site and reset the two-factor authentication process to get a new seed (aka the barcode).

Another good backup option is using a USB security token. The best option right now is the Yubikey product. It does cost money but is solid and unbroken (as I write this). I am not recommending the Google Titan key because many third party sites that allow two-factor authentication (see the list here) do not support the Google Titan but do support the Yubikey products.

Update, Update, Update

I had to write update three times because it is critically important. Make sure you configure your phone to download and install updates automatically for both the operating system AND the applications.

95% of hacks are made possible because people use insecure passwords, don’t enable two-factor authentication and don’t update their applications & operating systems.

Reboot regularly

We have seen a healthy number of non-persistent malware in the wild. This means that the hack used does not persist after a reboot (aka a reboot get’s rid of the hack). This isn’t always the case but nevertheless, it is a good idea to regularly reboot your device.

Application firewalls

Know that hackers that crack software are not benevolent and that cracked app probably contains malware. Unless you know what you are doing, never download applications from third-party app stores or web sites (this is a problem on Android but not on IOS since Apple does not allow users to side-load applications).

Even apps on the app stores can sometimes become malicious when the original developer sells the app and the new owners push a change containing malware. Apple and Google work hard to prevent this but we have seen examples of this in the real world on both platforms.

Application firewalls are an easy way to control which apps can have access to mobile or WIFI data.

• On Android, you can use the NetGuard application available on the Google Play store.

• On IOS, you can use the Lockdown application available on the Apple AppStore.

There are other apps available but these are the easiest for the general user. Here is a quick tutorial and overview of NetGuard

Take the time to install and configure one of those apps. Remember that attackers love using loose application permissions to steal information from your device.

As you set this up, take the time to review all of your installed apps and uninstall any that you no longer require (we call this reducing your attack vector). If you use an app once a quarter, install it and use it, then uninstall it.

Some apps request a lot of permissions but will still work if you restrict some of the more worrisome ones (think about access to your location, photos, microphone, etc). As an example, read this article documenting the time Uber switched when it collected user location data and started collecting it all the time.

The app update (it’s 3.222.4, for those keeping track) changes the way Uber collects location data from its users. Previously, Uber only collected location information while a user had the app open – now, Uber asks users to always share their location with the ride-hailing company. - TechCrunch

Android 10 and IOS 13 both allow you to choose when an app can access your location so ensure you make the right choice and don’t just share your location (or other data) all the time when it may not be required).

Public WIFI is evil

Many companies and venues use WIFI and Bluetooth to track you as you walk around their establishments. Many malls use tools from companies like AisleLabs to track you thus enabling them to target you more accurately. Attackers can use WIFI or Bluetooth to compromise your device as well.

The easiest approach is to assume that all public WIFI is evil.

When not absolutely required, turn off WIFI and Bluetooth.

Do not automatically connect to WIFI networks. I won’t get into the details here (because this is a more general article) but hackers can find out what your home network is called and trick your device into connecting to them (thinking it is that trusted home network).

Anytime you connect to a public (aka not your own WIFI) network, use a VPN to protect your traffic.I won’t discuss which VPN to choose here but stay away from free or very cheap VPNs.

If you aren’t paying for the product, you are the product.

Chose a solid well known provider whose policies and practices have somehow been reviewed.

You can run TOR to secure your traffic but that will be too slow and cumbersome for most users.

Secure backup and cloud

August 31, 2014, hackers released tones of celebrity personal photos and videos (many naked and pornographic in nature). This event was called the fapening and this was made possible because the icloud accounts, used to back up those photos from the smartphones, had been compromised. We don’t believe Apple was compromised but the attackers somehow managed to find the usernames and passwords for these users. Another reason you should enable two-factor authentication now.

Beyond 2 FA, most users may not realize that their information is being backed up to the cloud. Remember that cloud backup is an easy way for attackers to steal your data. Once you have two-factor authentication enabled on your accounts, ask yourself what you should be backing up to the cloud and where it should be backed up.

Remember that if you choose to trust the backup of your default provider (Apple or Google), you are not in control of your data. In most cases, we now the data is saved unencrypted on those services.

• Apple has given police data backed up from an iPhone to icloud

• Google, Dropbox and others routinely scan your content looking for malware or copyrighted material

I recommend choosing a secure end-to-end encrypted cloud backup service (if you want to use one). Although there are a bunch in the market, I recommend looking at Sync.com. They offer an end to end encrypted product (using the Trust No One Model). This means that as long as you use two-factor authentication and a long passphrase, your content should be relatively secure.

Your Browser

So your browser is one of the most dangerous apps on your smartphone because it is designed to run code from a remote server (aka a webpage). In the worst-case scenarios, a browser can load a malicious zero-click compromise that would take over your phone without you having to do anything and without you even realizing it. Most of these are non-persistent which is why I recommended regularly rebooting your device earlier.

On Android, I recommend you take a look at a browser called Bromite. Unfortunately due to app store rules, they do not offer a version on the Google Play store and you have to sideload it if you want it. Bromite supports ad-blocking natively and it uses the Ublock Origin model.

It also supports DNS over HTTPS (DOH). You can also enable HTTPS Everywhere and configure it to block unencrypted traffic. You should also disable Javascript and sparingly re-enable it for some sites that you absolutely need but that break without Javascript.

On IOS, I recommend the Brave browser (which is also available on Android but Bromite is more secure). You can download Brave from the Apple AppStore here.

Stalkerware

Stalkerware is a category of badware installed on your device by a third party to spy on you and often to track you.

The EFF is spearheading an initiative to fight Stalkerware (read this) because it is often used to victimize you. Think of it as commercial spyware that covertly steals your data and sends it to the stalker. In some cases, the stalker can be an ex but remember that many companies use Mobile Device Management software that often can perform the same function (normally if the device is owned or is allowed to access the corporate network.) In the case of companies, it is most often done for security reasons. Otherwise (in the private space), it is used to victimize or control someone.

If you are not using a corporate phone and suspect something may be going on (in most cases you won’t realize it), the only way to secure your device is to perform a factory reset and restart the set up from scratch.

Remember that the threat actor (partner, ex, etc.) has to access your device to install the stalkerware so never leave your device unlocked, never leave it unattended and choose a long and complicated passphrase.

Other settings

On IOS, choose to Limit Ad Tracking, instructions can be found here. Choose to reset your Advertising ID (instructions here) periodically.

On Android, choose Opt-Out of Interest-based Ads, instructions can be found here.

Conclusion

I know this was probably a dry and long article for most of you but I needed to get it out. This is a question I receive regularly and I wanted to write about it rather than respond individually to each of you. If you have questions or want to send me a note, do it on twitter (my handle is @ekiledjian).

Hope you found this article interesting and useful.

Many friends and colleagues asked why I am not buying the Pixel 4, here is my diatribe.

I am a big gadget geek. I love everything new and shiny, I have been an early adopter of every single Nexus, and Pixel phone Google has ever made. The Pixel 4 is their first device I will not acquire and here is why.

Why I buy Google-branded devices?

I am a big fan of Google-branded devices because they show what Google believes their software can do running on optimized hardware. Their hardware typically is the first to receive new updates (both operating system and security updates). Usually, it includes limit-pushing software breakthroughs (e.g. think night sight and hybrid zoom).

An example of this was the Pixel 2. It was the first Google device (I consider) designed for mass-market adoption and showed Google's software prowess. After all, it had an average camera sensor but turned out to be the best android smartphone camera for years.

Not only have I owned almost all the Nexus and Pixel phones, but I also bought every Google Chromebook (starting with a Kijiji bought CR48). I was an early Google Home adopter and more. I want to make it clear that I am a huge Google fan.

So why not buy a Pixel 4?

The Pixel 4 is the first device that feels like Google has fallen behind (since the Pixel 2).

Remember that Rick Osterloh kicked off the event by saying Google wanted to build devices that were more useful for consumers.

It feels like they failed with the Pixel 4 especially when Marc Levoy

(Google distinguished engineer) stood on stage and told us why we didn't need a wide-angle lens and why a telephoto is what uncle Google believes we need instead.

"While wide-angle can be fun, we think telephoto is more important" Marc Levoy, Google Launch Event 2019 (timecode 1:03:43)

Google should have included both considering the price point of the Pixel 4 and the fact its competitors almost all include three lenses now (wide-angle, normal and telephoto). You cannot create a wide-angle shot with computational photography, and it is something I use often enough. This is the first reason the Pixel 4 isn't attractive to me. I need it to be a tool to accomplish what I need done and not what Google believes I should be doing with it.

As a father with young kids, I take a ton of videos and was disappointed Google's Pixel 4 has not improved in the video department (still limited to 4K 30fps). Since the Pixel 4 is now more expensive than the entry-level iPhone 11, we should compare the video quality of the iPhone 11 & the Pixel 4, and there is no comparison. The iPhone blows the Pixel 4 video quality out of the water (frame-rate, colour accuracy, high dynamic range, etc.)

I know the Pixel 4 needed a large forehead to house their new Soli sensor, but I find that sensor a bit gimmicky (the video they released two years ago showed incredible fine-grain control while the Pixel 4 uses it to switch songs.). Additionally, I am still not sure the benefits of face unlock outweigh that ugly 2017-looking phone design.

They touted the incredible smoothness and silkiness of a 90Hz screen. What we are now learning is that under 75% brightness, it drops to 60Hz (75% would kill your battery in no time). The other issue with 90hz is that it hits battery life and the Pixel 4 and Pixel 4 XL already have mediocre battery life.

There are three ways to tackle battery life issues. You can make the battery bigger, you can design an optimized hardware/software set that sips battery, or you can add extreme fast charging.

Companies that have chosen the 5,000 mAh battery route include ASUS ROG Phone II, Samsung Galaxy S30M, Vivo Z1 Pro, etc. Apple has taken the hardware and software optimization road. OnePlus and Oppo have taken the fast charging route pushing 30+ watts, which means you can go from 0 to 75% battery charge in 30 minutes. The Google Pixel just has a mediocre battery with no mitigating features.

If the Pixel 4 were priced $150-200 less than its current MSRP, it would be a bargain, but it is charging flagship pricing. Even a gadget-loving early adopter like me can't justify this device. The other device I won’t be buying is the Pixel Go. I own a Pixelbook (with a pen I use regularly) and a PixelSlate. Both are devices that I love. The Pixelbook Go is a step back at what looks like an attempt to create a mass-market product.

I chose to get the OnePlus 7T that is a well-packaged phone at a very competitive price. Sure the Pixel 4 camera will beat the OnePlus, but overall; the OnePlus is just a better package.

Post Article

As I prepared to publish this article, I saw the below tweet complaining about a generalized slowdown 2 days into using the phone. I am 100% sure this will get fixed by Google but it shouldn’t happen on a device made by the Sultan of Search.

They want to know everything about you

It is no secret that every advertising-funded site (Facebook, Yahoo, Google, Bing, etc) works very hard to build a complete profile about you. They want to know as much as possible so they can sell expensive highly targeted advertisements.

Every search you perform, every site you visit, every link you click is recorded and analyzed.

You live in a filter bubble

The profile we talked about above is also used to return information the site believes you will like most (therefore making themselves more sticky). this is the filter bubble problem.

The site (e.g. Google) will return results that it believes are aligned with your view and this is what we call the filter bubble. At some point, you will stop seeing other opinions or points of view. In the most extreme examples, it can reinforce certain questionable points of view such as the earth is flat or other similar prejudices.

How do I search the web privately

There are many search engines that promise private searches but the problem with most is that they crawl the web themselves and their index of the web just isn’t as good as Google. This is where startpage.com comes in. It allows you to search using the Google web index without giving up your privacy.

• Startpage.com does not log user activity and does not perform any type of user tracking or profiling

• Startpage.com allows you to browse any of the pages returned in a search query anonymously

• Startpage.com is based in the Netherlands which has better privacy protection than the US

Ok but are the search results good?

• Search results use the Google index so they are as good as can be without profiling you to customize the response

• The results layout page is clean and uncluttered

• You can search the web, images or videos

• You have all of the advanced search options you could need (including words contained, avoiding certain words, dates, domains, language, file type, etc)

• Some searches won’t contain ads and those that do clearly mark them with the word Ad

• You can browse any search result link using their free anonymous browsing option (called Anonymous View)

When you browse using the Anonymous View, the webpage is surrounded by a blue frame

How it makes money

Startpagecom generates its revenue from clearly marked search ads and affiliate links.

These ads are not targeted (since they do not profile visitors).

The ads are segregated from the actual search results so as not to confuse the visitor.

Tell me more about Startpage.com’s privacy

Since most of its users originate from the US, Startpage.com has search servers located in the US to speed up searches. These servers are said to be hardened and properly secured.

This should be perfectly acceptable to most users but if you are extra paranoid, Startpage.com does offer users the option of choosing non-USA servers.

Their privacy claims have been independently verified (read this).

They have never showed up on any blacklist (that I can find)

They have an A+ rating from the Qualys SSL Labs site

The Zendure SuperPort and SuperTank are positively talked about on hundreds of blogs throughout the internet. I ordered (I paid for it) 2 SuperPort USBC chargers and a SuperTank 27,000 mAh battery. Both devices have the same design defect. When you have something plugged into the 100-watt port and then plug/unplug another device in the 60-watt port, it resets the 100-watt port every time.

My first 2 SuperPorts were sent back to Zendure for engineering review and the 2 replacements also exhibit the same behaviour. I just tested the SuperTank and can confirm it does the exact same thing.

I have been a Zendure fan and own all of their previous devices. None of them have this same defect. At this point I would recommend you look at other brands for your battery and wall charging needs. I have gone back to my Omnicharge Pro USBC for my battery and will carry an Elecjet and RavPower GAN USBC wall charger.

There are many reasons why you may want to install Firefox on a Chromebook (could be for security, privacy or just as a technical challenge). You could install the Android app but that isn’t a full featured browser. Here are the instructions on how to install it in the Linux container.

Go to Settings

Search for Linux and Turn it On.

You will get the installation window. Continue and let it complete.

Prepare Linux

You will then be presented with the terminal window, run an update then an upgrade.

Install Firefox on ChromeOS

Now we are ready to install Firefox.

Got to the terminal and enter sudo apt install firefox-esr

Now you can start Firefox by entering the firefox-esr command to invoke the app.

If you want to invoke Firefox-Esr but also need your terminal to work (at the same time), use the command firefox-esr &

As we pass to the second half of the year, many companies start their annual merit review cycle. It is an opportunity for your leaders to evaluate the corpus of your work and determine how much value you delivered to the company (thus deserving a salary adjustment).

What employees often forget is that they too should use this period as an opportunity to determine if they are doing the right job, in the right company & at the right compensation level.

Read my blog entry The “You” Brand

The 4 power questions

1. Do you like what you are doing?

2. Do you like who you are doing it with and where you are doing it?

3. Does your company offer a path your desired future job?

4. Are you fairly compensated

As we walk through each of these questions, it is important to remember that there is no "perfect" life partner and there is no "perfect" company. What we are trying to determine is: "Is this company the right one for your at this moment in time".

It is important to evaluate the questions in the order I have presented them.

Do you like what you are doing?

Ask yourself if you (honestly) are excited about the work you are doing. When Friday comes along, do you turn off “work mode” until Monday morning? If you do then you have a job, not a career. It means you are not passionate about your chosen profession and it may be time to figure out “what you want to be when you grow up”.

Do you like who you are doing it with and where you are doing it?

Many leaders would probably break this question down into 2 separate ones (one for people and one for the company) but I believe they work better together.

You may like your job but do you like the people you are doing it with? There is no perfect environment but overall, do you enjoy collaborating and working with most of your co-workers? Are you surrounded by like-minded people who challenge you and respect you? Do the people you work with care as much about you, as you do for them?

In the same vein, do you like working for your company? Do you share the vision, mission and core values of your company? A 2017 MetLife survey found employees (9/10) would rather work for a company that shared their values than one that offered higher pay. The survey also found that employees were willing to take a 21% pay cut to work for that better-aligned company (jumped to 34% for millennials).

This is also the category I include work-life alignment in. Does the ratio of work-life balance the company expects to, align with what you are looking for?

Obviously, every employee’s requirements are different but the importance of this alignment is undeniable.

If you love your job (question 1) and you love who you work with (where), then work doesn’t feel like work. You can enjoy going to work and living your best life.

Does your company offer a path your desired future job?

Not everyone is looking for career advancement but most of you probably are. Does your company offer a supportive, nurturing environment where you can learn and grow? Are executives willing to take a chance with less experienced employees, allowing them to develop? Are executives willing to coach and guide employees to develop their skills in preparation for future promotion? Last, but not least, does the company promote from within or do they hire most leaders from the outside?

Are you fairly compensated

The question about compensation was purposefully left until the end. Every other question we have examined will feed into this one.

The old 1980's corporate mantra was :

"Employees work just enough not to get fired. Employers pay just enough so employees don't quit".

As stupid as this mantra sounds today, some older leaders still espouse this as a "nugget of wisdom" (do the companies values align with yours?).

The modern strategy of salary management dictates that companies must pay enough so employees aren't stressed about money and spend their mental energy on doing what they do best.

The real-world equation is more complicated and is a subjective evaluation of fair pay within the company (often difficult to judge because the information is not readily available), and compare to other organizations offerings for similar roles.

It is easy to understand why a company that compensates you properly, probably also values your skills and expertise properly.

Remember the MetLife survey, where employees were willing to work for less if the company's values aligned with their own? This is also true about the other 3 questions we previously discussed.

If you feel that the company's values don't align with yours and/or that the company doesn't offer career advancement and/or you dislike the people you work with, you may decide to stay but may demand a higher premium for the extra "suffering".

Conclusion

Ultimately this is a deeply personal introspection and one you must do honestly (regardless if you are a new graduate or a seasoned executive).

Your company evaluates you annually to decide if you are worth keeping, you should do the same and decide if the company is worth staying at.