Tech titans Google and Amazon chose Christmas 2017 to battle it out for your love and money. These smart speakers are designed to quickly provide access to each company's ecosystem and make your life easier. At least that is the promise. 

I am heavily invested in the Google ecosystem and have been for over ten years. In addition to using their free services, I pay for Google Music, storage, have an android phone (so I buy apps), etc. 

I signed up for the free Google Apps service in 2007 (predecessor to GSuite) when each domain was given 100 free user accounts. This was a great way to provide essential internet services to my family for my kiledjian.com domain (emails, calendar, etc.)

The Google home

These devices can answer questions about science, history and everything in between. Most buyers use these smart speakers as intelligent modern voice-controlled boomboxes. 

I have owned a Google home almost from its original release date and picked up a Google home mini for my bedroom. 

In addition to making money from the sale of these devices, companies like Amazon and Google hope to lock users into the ecosystem. Except...

The Google Home and Google's account issues forced me to move from Google Music to Spotify.

The music problem GSuite accounts

With an individual music subscription, I can only stream to a single device at a time. I can't listen to music on my smartphone in the gym while my kids listen to music at home. 

I tried to upgrade to a family account, only to be told by a support agent that GSuite accounts are not eligible. So if I wanted to enable on-demand commercial-free music on my multiple devices, I needed to move to Spotify, which I begrudgingly did.

Rant

There have always been irritants when using Gsuite (Google Apps) accounts with some Google services. Until now, all of my issues have been irritants for me, but have not affected Google, which may be why they have never solved this issue. 

This is a situation where their complacency has cost them subscription dollars (steady recurring income). I know that only a small minority of Google's millions of users are affected by this issue, but I receive a constant flow of complaints from my readers about it. 

This is the issue when dealing with giant faceless internet companies like Google. No matter how annoying some of their actions may be, there is nothing you can do as a customer. Your only option is to pick up and spend your money elsewhere. 

TL;DR: Internet traffic to and from major tech companies (Apple, Facebook, Google, Microsoft, Twitch, NTT Communications and Riot Games) were redirected through a Russian provider Wednesday. This appears to have been a deliberate hijack and not an error. 

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

BGP is a routing and reachability protocol used on internet backbones around the world. It is what allows carriers to find routing information between each other (in simple terms).

2 BGP monitoring services have reported short changes to the routing of key internet giants, and they do not believe this was a mistake. 

BGPMon recorded two three-minute hijacks affecting roughly 80 address blocks.

Qrator Labs recorded a two-hour hijack affecting 40 to 80 address blocks.

As mentioned in the BGPMon release, AS39523 is a Russian organization that has been inactive for years. The last time we saw them, they were involved in another BGP "incident" that involved Google.

Luckily most of the traffic that passes through these providers is encrypted at a level that is believed to be currently unbreakable. The concern is that a state-sponsored attacker could have new decryption algorithms that are not yet publicly known and it does means the traffic "could" have been decrypted (however unlikely it remains a possibility). 

How can you test the speed (performance) of my VPN service provider? I receive this question regularly, and I thought it was about time I wrote an article about it. 

When evaluating internet speed, there are dozens or hundreds of different parameters that can influence your final score. In the world of VPN, these may include:

• The distance between you and the VPN server - even though most of your traffic is flowing at the speed of light, users have become accustomed to super speedy internet and even the slightest delay is noticed. If I am sitting in Toronto but using a VPN in Switzerland (where privacy laws a much stronger), I should expect a more noticeable slowdown in my internet speed.
• VPN server capacity - Most internet service providers "over-sell" their service to offer lower prices. If too many of their customers try to log into the same servers at the same time, they will experience noticeable performance reductions (slowdowns) and maybe even dropped connections (which could lead to your private information leaking). I only use VPN providers that show the loads on their servers.

• Your Internet Service Provider speed (ISP) - Obviously your VPN performance can never exceed the "last mile" performance of your Internet Service Provider. Remember that the speeds plastered on their marketing material are usually indicative speeds and many services see severe performance degradation during peak usage hours (when everyone is trying to stream Netflix or Youtube content). Additionally some regional Internet Service Providers throttle (aka slow down) VPN connections on their home use plans to encourage corporate customers to buy corporate (more expensive) plans. The only time a VPN connection may be faster than your native ISP performance is for controversial protocols like BitTorrent. Some ISPs throttle the performance of BitTorrent and so hiding it inside a VPN may deliver better performance. 

• Device capacity - An often overlooked performance limiter is the ability of your local VPN termination device to compute the required encryption/decryption quickly (most often a PC, laptop, smartphone or tablet). The faster your internet speed, the more processing power your end device will need to "keep up". 

How do I test VPN speed?

The only way to test VPN speed is to use one of the (well designed) speed testing sites. 

SpeedOfMe

SpeedOfMe is a nice light HTML5 speed test service that works on every device (Windows, MAc, iPhone, iPad, Android, Chromebook, etc).

TestMy.Net

What makes TestMy.Net interesting is that use multiple download servers and combine the information to provide one real world statistic. They use IP geolocation to find servers in your terminated area.

TestTest by Ookla

No speed test article would be complete without mentioning Ookla. They are the 800lb gorilla. Just make sure the test server is in your termination city otherwise you will get a false score.

When something leaks, it's usually bad news. A leaking pipe in the kitchen or a leaking radiator. The same principle applies to your VPN. When a poorly designed VPN fails and leaks your data, that's the start of a bad day.

Unfortunately, there is no visible indication that your VPN is leaking.    Obviously, well-designed VPN services do not leak, my favourites being: 

• VyprVPN Review

• Honest review of the ProtonVPN service

• Honest review of the Tunnelbear VPN service

When looking for VPN leaks, we typically evaluate these angles:

• DNS leaks
• IP address leaks (IPv4 & IPv6)
• WebRTC leaks

Below are basic instructions on how to quickly identify VPN leaking. If you are more paranoid or highly technical and demand to use your magical IT skills, you can also inspect the packets using tcpdump or WinDump while running the below tests. 

It's time to start testing

• ipleak.net  (tests IPv4, IPv6, WebRTC & DNS)
• dnsleak.com (tests DNS)
• perfect privacy ip checker (tests IPv4 & IPv6)
• perfect privacy WebRTC check (test WebRTC)
• testipv6.com (tests IPv6)
• dnsleaktest (use extended - tests DNS)
• browserleaks WebRTC (tests WebRTC)
• browserleaks IP (tests IPv4 & IPv6)
• ipx.ax (tests IPv4, IPv6, WebRTC, DNS)

What am I looking for?

Obviously, you connect to your VPN service first, then visit all of these sites. The hope is that none of the information shown should actually be associated with your "real" computer (IP address, DNS server and WebRTC). 

The most significant failure I see with most VPNs is DNS and WebRTC leakage.

If your VPN service provider offers multiple servers, then you should run the tests with the various servers.

If your VPN service provider offers multiple protocols, then you should run the test with each of the protocols.

I have found some VPN providers where it did not leak on one server but leaked on another. Where it did not leak via one protocol but leaked with another. Testing the various combinations is time-consuming but critically important. 

The above test shows that the VPN is protecting my IP and DNS information but in this case was leaking my private 10.x test lab internal IP address (which is obviously bad). When I switched to a new server from the same provider, the leak stopped.

Mobile phone VPN leaks

An August 2016 research paper highlighted the issue of IP leakage on Android smartphones. They discovered that 84% of Android VPN apps leaked the user's "real" IP address.

What is WebRTC and why does it leak?

WebRTC is an API standard that allows voice and video chat without needing to install any plug-ins. It is a cross-platform web browser standard. 

The "trick" to leaking your WebRTC information is to use basic Javascript to send a UDP packet to a Session Traversal Utilities for NAT (STUN) server. That server sends back a packet containing the IP address where the request originated. 

If vulnerable, you will see your internal IP Address in the WebRTC response. 

What is DNS and why does it leak?

The domain name system (DNS) is a special global directory that converts URLs into numeric addresses that the internet can route. If you enter kiledjian.com into your browser from New York, your DNS server will return the numeric routable IP address for my website 104.28.2.40. 

DNS services are typically provided by your internet service provider or company. Anytime you try to access a webpage; you ask that DNS server for the numeric routable IP address of the site and thus your provide (or school or company) have a running list of every website you tried to access. When using a good VPN service, all DNS requests should be routed to their anonymous DNS service thus protecting your browsing information. When your browser sends the request to your ISP DNS anyway, that is called a DNS leak because your privacy is "broken".

Do I need a dual-sim phone? The answer is probably not. Most people sign a carrier contract and live with that service for two years. 

There is a small niche group that could benefit from a dual-SIM phone, and this is an article for them. Who are these mythical "special" people:

• users with a personal and professional mobile phone line that want to carry one phone
• users that travel often and want to use a low-cost SIM in their destination
• users that live in regions were carriers aren't national providers, and "good" coverage requires service from 2 providers (much of Asia)
• users that can find low cost unlimited data-only SIM and want another SIM for voice calls and text messaging, 

Not all dual SIM phones are created equal. 

Categories of dual sim phones

Passive dual-sim phones

Passive dual-SIM phones can only use one of the SIM cards at a time which means the user can switch between SIMs using software or a physical switch. 

Standy dual sim phones

Standby dual sim phones (often with the MediaTek chipset) use both SIMs using time multiplexing. Anytime you start using one of the sims (to make a call, send a message or use data), the other SIM is ignored. If someone calls the second sim when the first one is "active", the caller would receive a busy signal.

Active dial sim phones

Active dual-sim phones are capable of using both sims simultaneously and typically have to IMEIs since the phones come equipped with two radios. 

and we continue...

Because things weren't complicated enough, there is also the concept of unequal connectors. Some phones will be passive or active dual sim but may only be able to support full speed 4G on the primary SIM while slowing down to 3G/2G for the second sim.

Some buys mistakenly assume you can leverage both SIMs simultaneously for doubly fast data connectivity. This simply isn't the case. Dual sim capable phones do not perform network bonding to allow dual network stream aggregation. 

When I upgraded my daily drive smartphone, I switched from an iPhone 6s Plus to a Note 8 dual sim. When not travelling, the second slot hosts my SD card, but when I travel, I will load my KnowRoaming SIM. 

I know several account executives that use dual sim phones (one with their personal sim and the other with their work one). This means they can carry one device yet send/receive messages from either. Even in Canada, I know people that use dual sim phones with low-cost fringe providers. They use these providers when in their home zone for cheap service but switch to a pay as you go national carrier when outside of their "home" coverage area.

My Note 8 SIM Manager

• I can choose if both SIMs are active.
• I can choose which service to use with which SIM by default (calls, texts, mobile data).
• I can even ask the phone to confirm which SIM card to use before each call.

Another important consideration

With carriers that support VoLTE (Voice over LTE) or VoWIFI (Voice over WIFI), this functionality is typically only supported on the primary SIM slot. Don't expect both to support VoLTE and VoWIFI. 

Where do I buy a dual sim phone?

Most North American phone models do not come in dual sim versions. The most common way to buy a dual sim phone is either from an importer or you have to import one from a region that sells these devices.

My 128GB dual sim Note 8 was imported from Hong Kong by a Montreal based smartphone importer called PDA Plaza (this is not an ad and is not a sponsored post). I was able to buy my dual sim phone cheaper than what I would have paid locally from Samsung, Bestbuy or my carrier.

There are many options to choose from including Samsung, LG, Asus, OnePlus, etc. Just make sure you check the specifications and ensure the device supports the dual sim model you are looking for.

Examples

Asus Zenphone 5

OnePlus 5T

Huawei Mate 10 Pro

Xiamo Red Mi dual sim

Amazon Music Unlimited is (in my opinion) just another streaming music service, but since it's Amazon, it's worth mentioning. 

It is expanding to 28 additional countries, so the world a little more inclusive today. Similar to another (nameless) streaming service, Amazon Music Unlimited stresses the fact that its playlists are "human curated". 

The requisite PR created launch statement can be found here. 

The new countries being shown some love by Amazon are:

• Belgium
• Iceland
• Bolivia
• Latvia
• Bulgaria
• Liechtenstein
• Chile
• Lithuania
• Colombia
• Luxembourg
• Costa Rica
• Malta
• Cyprus
• Netherlands
• Czech Republic
• Panama
• Ecuador
• Peru
• El Salvador
• Poland
• Estonia
• Portugal
• Finland
• Slovakia
• Greece
• Sweden
• Hungary
• Uruguay

I live in Canada, and the Echo product line just launched here. Chances are the country you are in (if not the US) either doesn't have or just received the Amazon Echo line of products. For those of us not yet invested in the Amazon voice assistant product line, there is little to get excited here. 

Not very exciting for most of you but news worthy since its Amazon. 

Chrome Remote Desktop has been around for years and has always been a free and reliable alternative to products like TeamViewer, GoToMyPC, and many more. 

Not only was (and is) it a free service but even the most non-technical user could get it setup and running in a matter of minutes: download the Chrome extension, install a mini app, set up a local password and voila. 

Long live Progressive Web Apps

I will write about Progressive Web Apps in a future article but I am in love with them. PWAs are magical web "apps" that work online, offline and on all device types.

Google has redesigned its Remote Desktop access site (which had not been updated in years) to act like a PWA ( https://remotedesktop.google.com )

Using this website, you can now access a Google Remote Desktop simply and efficiently using any mobile browser. This new approach no longer requires extensions (to access remote desktops). 

A new feature is the ability to connect to a Chromebook remotely. This only makes sense when using it for remote support. 

To request support, you visit the site, install the mini app and click on Request Support. Your support person visits the site, uses the code and within seconds is helping you solve your issue. 

Official information from Google is scarce, and there aren't any support write-ups about this new refreshed version. Obviously, this was updated to support their effort to kill all Chrome apps. Consider this service beta and expect it to have a few hiccups, but it is a wonderfully promising start. 

ZDNet got the scoop on this significant leak. AI.type, a third-party keyboard replacement for Android has leaked data for its 31 million users online. 

How did this happen? A database administrator didn't secure the database.  Anyone with basic skills could access and query the unprotected database and "have fun" with the 577 GB of data it contained.

What type of data leaked? The leak includes fun elements like name, email address, precise user geolocation data, city and country. Researchers have also found [that some records contain] phone numbers, IP addresses dates of birth, gender, etc.

Why stop there? Researchers also found that some user contacts were in the database. One table contained ~375M telephone numbers.

This is a perfect example why Apple forces users to enter passwords and sensitive information using their native keyboard (even if the user has chosen to install a third party one.)

On Android, I use the Google keyboard for this exact reason. Another alternative is Swiftkey, which now belongs to Microsoft (another company I would trust).

Google apps have hundreds of features (some from Google, some from third parties) most users don't know about. In this short article, I want to share four tips that will make your life writing in Google apps easier (useful for students and professionals alike). 

Voice Typing

Over the years, I have spent hundreds of dollars on voice typing apps for Mac and Windows (most going to the Dragon Naturally speaking product line from Nuance software). 
For 85% of users, these expensive & complicated products are overkill, and Google makes it's excellent voice recognition engine available for free to all Google Docs users. 
Just click on tools and select Voice Typing.

• You can check out the Google Support doc explaining this feature here but it is so simple, you should be able to turn it on and start using it immediately. Remember that you can also dictate punctuation:
• Period
• Comma
• Exclamation point
• Question mark
• New line
• New paragraph

Write well with Grammarly

Grammarly is a free (has a paid upgrade) service that helps improve the quality of your writing by :

• Checking your grammar
• checking contextually aware spelling
• recommending vocabulary enhancements

In its simplest (free) form, Grammarly is a Chrome plug-in that works seamlessly with most web services (including Google Docs), and their correction engine is much more robust than simple word misspelling detection. 
You can upgrade to their premium service which costs ($11.66 a month when paid annually). In addition to all the features included in the free version, the premium service adds:

• advanced check for punctuation, grammar, context and sentence structure
• vocabulary enhanced suggestions
• genre-specific writing style checks
• Plagiarism detector that references more than 8B webpages

Most users will be perfectly fine with the free version so check it out.

Grade readability

The free Hemingway App allows you to paste content into its online editor and assigns a readability score. It uses colour highlighting to identify hard to read sentences. It provides tips on how to simplify the text, use of passive voice, etc. 

There is a $19.99 premium version that operates as a standalone app (Windows and Mac only) but the web version works fine and is accessible anywhere you have a web browser.

Use a Chromebook

Those that have been following me for a while know I love Chromebooks. Chromebooks aren't perfect and won't meet everyone's requirements. Chromebooks do provide a stable, safe and reliable platform when using web-based services. 

Everything mentioned in this article is based on the web or is a chrome extension. These tips will work flawlessly on Chromebooks (whether a $200 Lenovo or a $999 Pixelbook). 

I've been using a Skyroam hotspot for many years now and my 2 most popular blog posts (for the old device and service) are here: 

• Skyroam Global Hotspot review

• The hidden danger of using the SkyRoam global WIFI Hotspot

They recently upgraded their back-end service and global WIFI hotspot, and I wanted to test and review it for you. 

Solis is the latest version of the Global WIFI hotspot sold by Skyroam. For those new to this company, they offer a small portable global WIFI hotspot that works in 100+ countries, costs $10US a day for unlimited data and is activated on demand.
 
Although I had many complaints about the pass purchase process with the original product, their hotspot has been part of my every day (EDC) carry kit for three years now.

The Solis improves on its older brother in 2 days:

• it now supports LTE speeds on countries were it is available (otherwise it drops down to 3G) 
• it can now operate as a backup battery (in a pinch) to charge your mobile phone

Nice little intro video

I have had the Solis for several months and have already taken it on a US road trip. It is a well-built successor to the original Skyroad hotspot, but the world has changed.

When I started using the original Skyroam in 2014, my carrier didn't offer a global travel package, and it was a pay per megabyte type affair. It got very expensive very fast. Today my carrier offers a US travel package for $7 a day or a global package (in 80+ countries for $10 a day).

If all you need is access on one device, then your carrier package may be more advantageous since it is immediate and does not require any changes. But.... The Skyroam Solis offers coverage in more countries and can provide wonderful internet goodness to up to 5 devices simultaneously. 

In my case, I still rely on Solis or KnowRoaming when I travel since I know that they will offer service everyone for one set price and it is one less worry when I travel. 

The device

If you look at the above picture, the Solis is a beautifully visible shade of orange. It is made of plastic that should withstand the rigours of travel very well. If the battery does weaken, you can order a replacement from Skyroam.

I find the Skyroam Solis much easier to carry than its competitors (including the Geefi).

Using the device

You probably noticed that the device (unlike its older brother) doesn't have a screen. To manage the device, you turn it on and connect to it from your smartphone. You will then be presented with an information page showing signal, passes left, battery level, etc. To use the device "in the field", you turn it on then press the WIFI button on the top. This automatically applies one of your day passes and you get 24 hours of internet. It knows where you are and downloads a virtual SIM for the Skyroam partner in that country. 

You can travel to as many countries as you want during that 24-hour window. All you have to do when you switch countries is turn the unit off and back on. When it starts up, it will identify the local country and download the appropriate country SIM.

You could open the a.skyroam.com captive portal from any device with a browser but it is formatted for smartphones (will look odd on a laptop). Why isn't it responsive?

The Solis is charged with any USBC adaptor which is fantastic if you have a USB C smartphone and laptop. You can charge everything with one adapter.  They provide a mini USB-C to USB-A adapter so you can charge other devices from the Solis but I wouldn't recommend it. WIFI needs every little bit of juice in that battery. 

In my testing (in zones with good LTE coverage and with 1 device connected), I was able to eek out 10-14 hours of usage on a single charge. This number will drop if the wireless signal is weak and/or if you connect multiple WIFI devices to the hotspot. When I tested it with a Chromebook and a Note 8 smartphone, I still got 10 hours of solid use (usage was primarily web pages without heavy streaming).

The software is periodically updated which is a nice touch. I recommend you start the device and let it connect to your local home network (without using a pass) before travelling. If the device needs an update, better to do it now then at a foreign airport waiting for the 15 minute upgrade process to complete. 

How fast is the connection?

I will not post speed test results because that depends on the local carrier, congestion, etc. I will say that in my testing, the Solis achieved LTE speeds comparable to an iPhone 6s Plus. The Note 8 outperformed it with is carrier aggregation technology. 

There is an LTE cap of around 500MB in a 24 hour period. After this, they throttle the connection down to 2G. They claim that this isn't automatic and done to protect the experience for all customers, but I hit this limit consistently (for testing) and saw my speed drop to dial-up performance. At the lower throttled speed, even simple apps like Google Maps took forever to load, and GPS navigation became impossible. 

I understand the need to control their costs but wish there were a way to buy more LTE access if I needed it. 

What about security?

September 2016, I reached out to Skyroam and complained about major security gaps on their online pass purchasing website. After multiple attempts to responsibly disclose the issues (with no follow-up from Skyroam), I wrote an article about it. I am happy to report that the new version of their online portal has fixes all of the issues I previously reported.

What about the general security? It is as secure as your home internet connection. My standing recommendation is to use a VPN where/when possible. You can get a VPNUnlimited lifetime VPN subscription for 5-devices for $18 (promo link), so you have no excuses.

So should I buy a Skyroam Solis?

So the question you are asking yourself is "Should I buy the Solis?". There is no simple answer. If you used the old version, then the Solis is a wonderful upgrade. Every time I tried it, it worked flawlessly without a hitch. The cost is predictable, and I have a bunch of passes purchased ready to use when needed. 

If you are a European with an EU SIM travelling within the EU, you get free roaming anyway. If you are an American with one of those great TMobile plans with free global roaming, you probably don't need this device either. 

A Skyroam PR rep had said months ago that additional functionality would be unlocked on the device (like Bluetooth and GPS), but since they are not available today, I can't factor them in as a benefit. 

For everyone that travels more than twice a year (and doesn't have free roaming), you really should consider it. The best recommendation I can make is that I own one and carry it with me every day (even when in my home country). I will be travelling considerably over the next four months (within the USA and globally) and will be using this thing a lot. 

If you travel once a year and don't want to buy a Skyroam Solis, you can rent one directly from the company. They will mail it to you or you can pick it up (US pickup is available in San Francisco, Atlanta and Austin.)

I've written about the VPN Unlimited service before, you should go read the review. 

If you check out the VPN Unlimited purchase page, you will see that they are running a promo and selling it for $149.99. Normally StackSocial sells this same plan for $49.99 but wait ...

They are currently running a promo and have marked it down to $29.99, but wait ...

If you add it to your cart and use the code CYBER40 at checkout, the price drops to $18.

I don't know how long the CYBER40 promo code will work so if you are interested, buy it soon.

Special discount page: link

If you buy Google new premium Chromebook, the Pixelbook, you now receive a free Google Home. This promo is live now and runs until December 31, 2017, and is open to Canadian customers. 

To receive your free Google Home, all you have to do is add it to your shopping cart with the Pixelbook, and the price will be $0. 

Offer is available while supplies last (shouldn't be a problem) and remember that the Pixelbook is not available in Quebec (probably since they don't offer french keyboard, box and manuals. 

Google Store

Quad9 is a new DNS service launched by a non-profit consortium (founding members are IBM Security, Packet Clearing House & Global Cyber Alliance). The promise of the Quad9 DNS service is good security using the knowledge of some of the world's leading security research firms, by merely changing your default DNS server and ALL for free. 

The service is (not so creatively) called Quad9 because the DNS address is 9.9.9.9

Is the Quad9 service fast?

I used the free DNS Benchmark tool by Steve Gibson with connections from Canada, the USA, the UK and Switzerland. I performed ten tests from each region, and in every test, the Quad9 service was in the top 3 fastest DNS services available. In most cases coming in first. 

Quad9 is lightning fast because they use anycast routing which automatically finds and uses the nearest DNS server to the user. 

At launch, the service is powered by 70 servers in 40 countries, but the intention (in 2018) is to grow the fleet to 160 servers.

So how does it improve my security?

So why should you switch from your existing DNS service to the free Quad9 DNS service? Quad9 is a security and privacy enhancing DNS service that delivers much more security than any other DNS service currently available to consumers (more than your ISP, OpenDNS, etc.)

Quad9 says " Quad9 blocks against known malicious domains, preventing your computers and IoT devices from connecting malware or phishing sites." The threat intelligence is provided by the IBM X-Force but also includes 18 additional threat feeds from partners. Typically companies would pay tens of thousands for this level of protection and they are offering it for free.

You can configure your home router to use Quad9 and all device inside your house would be automatically protected (including that cheap easy to hack $29 webcam you bought from a shady online reseller). 

If a device (using Quad9) tries to contact a "bad" site, they will get back an NX domain error code (aka not found). This is how they prevent devices from being directed to dangerous sites.

Remember that a known good site could have been compromised and therefore could attempt to pull content from a shady site. Quad9 will prevent this from happening. 

Quad9 will continue adding features to further improve your security.

What about false positives?

They maintain a list of the 1,000,000 most used sites on the internet as a whitelist. This means that they cannot (mistakenly) blacklist an important site and make it unavailable. 

It looks like a well designed and well thought out platform.

What about my privacy?

The first thing you should realise is that most home connection use the DNS services of their ISP, and I consider most ISPs as the least trustworthy operators in your computing chain. Most are willing to sell your data cheaply to anyone willing to buy it.

Quad9's privacy statement is clear "No personally identifiable information is collected by the system. IP addresses of end-users are not stored on disk or distributed outside of the equipment answering the query in the local data center. Quad 9 is a nonprofit organization dedicated only to the operation of DNS services. There are no other secondary revenue streams for personally identifiable data; and the core charter of the organization is to provide secure, fast, private DNS."

Conclusion

I switched to Quad9, and it has been everything they promised. I recommend everyone reading this switch and try it out. It is one more layer of protection, and this one is easy & free.

Bitcoin is all the rage, and everyone is talking about it.  Any discussion or write up about Bitcoin usually starts with the fact that is it a decentralized digital currency. Decentralized means that no government or company controls it and it also means each participant is on his/her own when it comes to protecting their Bitcoin investment.

With US fiat currency saved in a bank, you have a high level of confidence that the money will be there in a day, week, month or a year. If the unthinkable happens and the bank is hacked,  most bank deposits are federally insured, and the government will make you whole.

Bitcoin does not have any insurance or governmental oversight. Any Bitcoin left on an exchange is only as secure as that exchange's platform.

In Bitcoin, your ownership is confirmed using a super secret private key. When you store coins on an exchange, they hold the private keys for these coins. Any hacker that manages to obtain these private keys can, therefore, control your (now their) coins and move them into a new account they control. Once your coins are gone, there is no way to recover them.

How to secure your Bitcoin

The first rule is: do not leave your Bitcoins on an exchange. Most theft happens from exchanges because hackers know that compromising one exchange can yield millions in gains.

Some Exchanges (e.g., Coinbase) offer offline cold storage options. These are more secure than their traditional active accounts (since they double check transaction requests and have long waiting periods), but if someone steals the private keys due to infrastructure insecurity,  they would be able to access your coins.

The second rule: control your private keys. When managing your private keys, computer security becomes critically important. I have written dozens of articles about it, so I won't take a deep dive here, but you'll have to spend some time thinking about it.  

In TL;DR form: I recommend that you chose the safest and most robust computing environment when processing your private keys or performing Bitcoin transactions (purchase, sale or transfer). For most individuals, I recommend using a name brand Chromebook. A Chromebook a purpose-built device running Google Chrome on a very secure Linux operating system. Google continuously updates Chromebooks. Chromebooks offer a small attack surface and are less susceptible to compromise than a Windows or MacOS device.

Now that you have a secure platform to complete your transactions, the next question is: Where do I store my private keys?  

You should keep a small amount of Bitcoin in a reputable smartphone app, where you can access it quickly if you feel like spending it.  I like the Jaxx wallet (it is simple, well written and cross-platform).

You should store most of your bitcoin in a purpose-built offline (not on your computer or connected to the internet) hardware device. My device of choice is the Trezor wallet, but there are other excellent options (e.g., Ledger). These devices generate and protect your private keys. By keeping your private keys offline, they are immune to infections on your computer or constant hacking attempts. A Chrome extension powers the Trezor wallet, therefore it works beautifully on a Chromebook.

When setting up these hardware wallets, you generate a special recovery sentence (typically consists of 20 unrelated words). You should write this down on paper and store it somewhere safe. Never save this online, since anyone with access to this code could recover your private keys and steal your money. In the unlikely event that your hardware wallet dies, you can order a replacement and restore your private keys (during initialization) by entering your unique secret recovery sentence.

As cryptocurrency matures and becomes more widespread, I believe people will have to take a more active role in protecting their own money.  It's probably a good idea to dip your toe now and start learning the ins and outs of crypto currency.

I've been involved in technology for a long time and bought my first real personal digital assistant (PDA) in 1997. It was an Apple Computers MessagePad (Newton) 130, and it was a thing of beauty. It had handwriting recognition, an external keyboard attachment and fueled my geek dreams about what wondrous technologies the future would bring.

Along the way, I owned hundreds of devices including Palm pilots, Treos, Handspring devices, Nokias and almost every other portable gadget in between.

As you can imagine, I also bought the first iPhone and almost every one since (in the last ten years). Every time I watched an Apple keynote, I was like a kid in a candy store. I starred at the presentation anxiously waiting to see what amazing new technologies Apple would bring into my life. Apple didn't invent most of that tech, but it usually made it usable and practical.

Then Steve passed away, and many were worried whether Apple had lost its mojo. Fans defended the Cupertino giant, but we started to see some cracks forming in its otherwise perfect and shining armor. Tech reviewers what would never have dared to challenge the superiority of the big Apple began to ask difficult questions.

For the past five years, I have been carrying both Android and IOS smartphones, but the iPhone has always been my primary daily driver. September 2017, was time for me to upgrade my "primary driver" from an iPhone  6s Plus + an iPhone 7 (yes I have both). I watched the keynote and was dumbfounded by the iPhone X. It was a beautiful piece of kit but had a screen smaller than the plus models and a price tag of $1500CAD. The camera wasn't materially better than the one in the iPhone 8 Plus. The only new "thing" it brought to the table was the FaceID sensor, an OLED screen, and smaller bezels.  

Apple technology innovation

Surely I had missed something. A ~$400 price increase had to bring something new and revolutionary? But it didn't. Having been a gadget geek for the last 25+ years, I knew perfectly well that previous devices  contained technology Apple commercialized many years later:

• wireless charging (HTC Droid DNA in 2012 - Apple in 2017)
• dual rear cameras (HTC One M8 in April 2014 - Apple 2016)
• OLED screen (Nokia N85 in October 2008 - Apple in 2017)
• Fingerprint scanner ( Motorola ATRIX 4G in March 2011 - Apple 2013)

Apple made many of these technologies better but by the time it included it, Android devices at half the price of an iPhone had them built in.

Apple has been a significant force pushing smartphone manufacturers to make safer, more secure devices and operating systems. This has been a clear win for consumers. Good healthy competition is good for the marketplace.

Is the iPhone more secure than an Android device?

Technologically yes. Apple's IOS is designed with strict application controls to protect user information. Its hardware (e,g, the secure enclave) is a thing of beauty and incredibly well designed to protect your biometric and financial information.

In the real world, for the average consumer that is not being targeted by skilled blackhat hackers or nation-state threat actors, both can be made equally safe with minimal handling precautions.

Not in my walled garden

A couple of months ago, Apple made headlines when it blocked all VPN apps from its China app store. This decision was made to comply with local laws, and Apple had no choice. The problem arises when you realize that Apple doesn't have a mechanism for users to sideload apps onto its devices.

Sideloading apps is a risk because it could be an attack vector, but shouldn't the user be able to accept the risk and perform their desired action on an $800-1000 device?

This had a chilling effect on some activists in China, but the same model of application category control could be applied to anything else in any other country (e.g., a country can outlaw social media or dating apps, etc.).

Time to switch?

Apple's latest financial results show that the company is doing smashingly well. They are selling record numbers of mobile devices, and their cash horde is only getting larger. Any talk about its demise is greatly exaggerated.

There is, however, a growing number of users, who were once ardent fans gobbling up all Apple branded tech, as fast as the company could release them, that are now looking at alternatives. I am amongst this group. My decision to switch isn't based on the cost of the device,  but on the more advanced Artifical intelligence features like the built-in assistant.

Android Auto versus Apple CarPlay

My latest car can support both platforms, but anyone that has used Apple Maps will tell you, it sucks. I can't tell you how many times it has navigated me into a major traffic jam or has taken me 20 minutes in the wrong direction. Apple doesn't like competition and would rather offer a sub-par experience to its users and maintain control.

On Android Auto, I can use other mapping apps, but on the iPhone, you can only use Apple Maps.

On Android Auto, you can choose which music app is your default and voice control it. On Apple, you can only voice control Apple Music.

And this is an example of the user-hostile behavior exhibited by Apple. Not only does it block competition, forcing you into inferior apps, but it isn't even improving the core interaction mechanisms of Car Play: the visual interface and SIRI.

SIRI the terrible

Most iPhone users from teenagers to CEOs use Siri a couple of times at first, then give up. I had hoped that Apple would update Siri's capabilities with IOS 11 (particularly with the expected December release of the Siri powered home speaker system, the HomePod). Surely Apple would impress us with massive gains in understanding and capabilities. Nope. Nothing.

While the Amazon Echo and Google Assistant improve every month, Apple hasn't developed Siri in years. It feels like Amazon and Google are working in internet time while Apple is working ... To be honest, I don't even think they are working on Siri. I say that facetious. I know they are working on Siri, but until users benefit from that work, it is useless.

The big data problem

I work in security and understand that absolute security is the enemy of usability. An absolutely secure system is not usable.
In the enterprise space, we are continually struggling to find the right balance between security and usability.

It feels Apple has taken a more security-focused approach and is willing to sacrifice modern functionality.

Any modern deep learning expert (aka neural networking that powers smart assistants) will tell you that the key to success is having vast amounts of ingestible data. Apple doesn't have this type of data because of it is privileging user privacy, whereas Google and Amazon do. Where Apple's image search can show you a dog, Google's can find the chihuahua on a beach eating a hotdog.

Siri is a parlour trick you get tired of after a day or two. Google Assistant will become a real time saver and thus will become something you will likely come back to over and over.

The latest and greatest thinking in machine learning from Geoffrey Hinton may eventually be beneficial for Apple. It is called Capsule Theory and is a new way of developing machine learning models that require much less data, but this is still early day research.

Conclusion

As I search for my next daily driver, I am testing a handful of new Android smartphones that I will review shortly on my blog. First-up will be a review of the Samsung Note 8. I won't be discussing the specifications but looking at it from the viewpoint of an iPhone user considering the switch.

I am hoping to also get my hands on a Mate 10 Pro, Pixel 2 XL and the ONePlus 5T.

Android 8 Oreo is the next thing for Android devices and everybody is working hard to bring it to their phones. Now Essential has implemented a special Oreo beta program for owners of its beautiful Essential Phone. Where Samsung allows you to install the Oreo beta (on the S8 and S8 Plus) via OTA update, Essential will force you to use ADB.

Essential does provide clear instructions but this can be seen as a natural filter that disqualifies anyone that doesn't really understand how Android works or understand what a beta is.

You will find, using the above link, a build for NM181C (for Sprint and Telus) and NMJ32F (for the other carriers)

Warning !

Remember this is a beta and you will experience issues and bugs. Known bugs already include: high battery drain, Android Auto issues and app instability.

What is malware

Malware is shorthand for Malicious Software and has been around almost from the start of computing. Its main purpose is to harm the computer or the user. Malware has been known to steal login credentials, monitor the user, tamper with information (breaking integrity), steal information or just making the system unusable. 

Malware can be designed by a nefarious teenager in his mother's basement looking to make a name for himself or by a state-sponsored threat actor against activists or journalists.

How can I tell if my computer is infected

The first rule of thumb is to use the Antivirus product that came with your operating system. As an example, all modern Windows systems are shipped with a self-updating antivirus supported by Microsoft. Third party products have been known to cause issues (here, here, etc).

To be transparent, antivirus will detect standard run of the mill type of malware but anything more sophisticated will easily get through. Larger companies with well-funded security teams typically eschew antivirus for more advanced malware detection tools based on a series of technologies like application behaviour monitoring, machine learning, artificial intelligence and system baselining. Unfortunately, these are not yet available for small operations but expect them to eventually make their way there.

So the question of detecting malware on your computer is a difficult one and often requires a highly skilled technician with precise tools that knows what he/she is looking for.  At the very least, use the tools available to you now:

• Sign up for services that offer 2-factor authentication (so malware can't log into your account by simply stealing a password) and that will notify you of unusual behaviour (Google, LastPass, etc). 
• Notice subtle indicators. Pay attention to your computer and look for subtle inconsistencies. Does your webcam light turn on when you are not using it? Does it look like you sent an email you don't remember sending? Does an online service show a login time you know you weren't working?  Pay attention to subtle cues.

How did I get infected?

The most common technique used by threat actors is to trick the user into installing malware pretending to be something else. It can pretend to be a system update. It can pretend to be a holiday card from a family member. It can pretend to be a work file from your boss. It can be a drive-by download where your system is exploited simply by being vulnerable and you visiting a carefully crafted webpage. 

• Link to a malware site can be disguised as a link to a popular internet site (Apple, Amazon, Microsoft), shared content (a document, holiday card, music file, etc) or a fake system update (flash update, etc).
• You may be targetted via email. It is common for highly skilled threat actors to compromise the systems of people you trust and use that trust to trick you into running malware, visiting a malware site or performing an action you otherwise would not. Remeber that these are often highly skilled practitioners that understand human psychology and will exploit it as needed. This includes chat apps, email, messages on forums, web pages, etc.
• You can get infected by connecting purpose-built attack hardware to your computer. We have devices that look normal (like the USB Rubber Ducky from Hak5) but that can run attack code without your knowledge as soon as they are connected to your computer. 
• Someone can gain physical access to your computer and plant malware without your knowledge. In security we consider it game over if anyone has access to your equipment, This is why companies spend large sums of money physically protecting their servers in isolated access controlled cages inside heavily guarded and secured datacenters. 

The more valuable you are as a target the less likely you are to notice the attack. 

How can I protect myself from malware?

• Make sure you are running legally registered versions of all the products you use daily. Using legal versions entitles you to the latest updates and every security person will recommend keeping all of your software and operating systems updates regularly. Threat actors will often exploit vulnerabilities that have been patched (aka if you update you are protected). 
• Only install the software you absolutely need. Remember that every software is a potential attack vector. Install only what you need and only download it from the manufacturer never from a download site like CNET, Download.com, etc (to prevent supply chain attacks like CCleaner.) Many of these download sites make money by bundling garbage apps that get silently installed and these can also be used to attack you.
• Remember that anything you open or click on can compromise your security. Call a sender before opening a file. Download and scan it first with something like VirusTotal before opening it. Never click on links in email or instant messaging. Always go to the URL yourself (obfuscating a malicious link to look 'good' is easy). If you use Gmail, open questionable attachments in Google docs or sheets as this will often strip the malicious content.
• Remember that one second of forgetfulness is all it takes. Be extra vigilant when browsing the web. Never run anything on the web. Always know that the web can be faked. Even known sites can be compromised and used to inject malware.
• When travelling to high-risk areas, I usually travel with a Google Chromebook. It auto updates itself. There are very few known attacks against it. Chromebooks have a feature called Powerwash that factory resets the device image to "like new" within 2 minutes. Often times I will powerwash my device before performing sensitive tasks. Also, data is stored in the Google cloud. Regardless of how you feel about their privacy policies, they have proven to be excellent at protecting their users from targeted attacks. Make sure you turn on 2-factor authentication.
• Turn off your computer and unplug it from a physical network when not in use.

What can I do if I am infected?

• The first rule is that if you are infected or even suspect that you are infected, forget about cleaning your device and have it completely reinstalled from scratch using known clean installation media. 
• If you are infected, immediately unplug your computer from the internet (ethernet or WIFI) and shut down your computer.
• Use a known clean computer to log into your web services and change all your passwords immediately.  
• If one of your devices is compromised, and you are a high target, assume all your other devices could be compromised and reinstall everything from scratch including your smartphone.
• If you have support from a government agency, reach out to them and ask them for support. If you are a journalist or activist, reach out to one of the public security support organizations like the Toronto Citizen Lab. 
• If you know when you were infected, make sure you restore files from a date prior to the infection. It is critically important to use a backup service that provides version control (e.g. blackblaze version control). 

TL;DR : Go here and download this app (while it's available).

Earlier this week, we saw FileGo leak on the Google Play Store but it was quickly taken down. FileGo is specifically built to help users (even novices) manage and clean files from their devices (duplicate photos, application cache files, etc).

FileGo also contains a function (similar to Apple's AirDrop) that allows Android users within close proximity to transfer files to each other. 

FilesGo is still beta software (aka it could still have bugs) but in my testing has been reasonably reliable and hasn't crashed yet (tested on a Nexus 6P and Note 8). 

Keep in mind that Google can change user eligibility once the app is officially released (may be limited to Android One users or restricted to certain regions) but right now it seems to be available to all users globally.

I wrote a short article about the merits and issues with the Essential phone here. I wrote that review because dozens of readers wanted to know if the phone was worth it at its newly reduce $499 price. 

Another day and another discount for the struggling Essential phone. Now BestBuy is kicking in another $50 off (bringing the price to $449.99).

For $449, you can buy a beautiful unlocked Android smartphone with the latest specs including:

• Snapdragon 835
• 4GB of RAM
• 128GB of storage
• Dual cameras

If you read my review, there are some shortcomings but at $449, it is hard to complain. You are getting alot of phone for very little money.