Signal or Threema or how about both?

I have been a fan and person encouraging the use of signal over the likes of whatsapp. Its been good to me but like every piece of software there are things I would change about them. For example the whole pin code thing is not only concerning but also a real challenge for casual users.

The pin code thing and phone number thing is not that much of a concern for most but I’ve been keeping an eye on others coming into the space. Threema is one such messaging app which seems to have all the privacy and security needed backed with its strong European base in Switzerland.

I wrote it off in my mind because it didn’t have a open code base for security  experts to view openly. However that recently changed with them opensourcing the code base.

Because of this change I’m relooking at the Threema, although I don’t think I’ll be dumping Signal as a result but rather using both?

The Asus C434 Chromebook

Asus Chromebook Flip C434 review image 1

I recently bought myself a new Chromebook. I considered getting a Dell XPS13 (which is my work machine) or Lenovo X1 carbon but decided I wanted to replace my old Asus Chromebook which I was giving to my parents to replace their very old Samsung Chromebook.

Its been good to have my own laptop as a backup when my work laptop goes wrong for what ever reason (i’m currently running it off a external SSD). I have enjoyed the Android integration in the past but when I learned about the Linux integration and I was sold.

I opted for the i5 version with 128gig of storage and 8 gig of memory. Why? Well I decided it needed to be slightly more powerful and act a bit more like a full laptop if it was going to run Linux apps. I see this Chromebook as a laptop I can use for most things including audio/image editing. Originally I got a good deal on a refurbished version which was great except Bluetooth was broken and it had to go back. I then bought this laptop brand new and it was shopped and delivered in all of 18 hours!

So far I have only installed htop, inkscape, Joplin, audacity, barrier, cheese and firefox in the linux terminal (love that its ian@penguin in the terminal and I have firefox installed!) then decided to install Flatpak on ChromeOS, I considered installing Snap but it sounds problematic currently.

Just checking out a bunch of ChromeOS blogs and I found this reddit faq useful to fix my linux install when it broke after I installed it and shutdown my chromebook too early.

Generally I’m very happy with this Asus Chromebook and its a good size, weight and I still love the tablet mode.

I finally bought the Oura smart ring

Oura  vs Motiv smart rings

I decided its about time I upgraded my smart ring. I originally bought the Motiv ring because it supported Android, had a better price tag and was interested in the 2 factor authentication.

It was good but then I hit a problem about 6 months down the line and although Motiv did the right thing of refunding me completely and letting me keep the ring. It certainly felt like it was on its way to unsupported space with the new owners.

Oura vs Motiv smart rings

So with the new Oura being a bit cheaper and finally some proper Android support, I decided its time.

First impressions are very good, the app is better than Motiv’s and the ring feels a lot more robust. It has 3 different contact points while the Motiv has one. I took the risk of skipping the ring sizing as I knew my size from the Motiv ring. Luckily they were very close but the Oura is a bit bigger giving me more options of fingers to use.

The app now finally syncs with Google fit (one of the biggest complaints for Android owners). I also noticed there is the ability to download the raw data in Json format. I do find the app a little messy but its got all what is needed and if not you can login on the web and see/manage your data.

Oura's charger

If I was going to say one bad thing about it, it would be simply the charger is quite big compared to the Motiv one, which I was able to carry around on my keychain. But its not like I’m going away for a long while, and I noticed the airplane mode which is great.

Currently everyone is using Oura and its the right decision if you need the best tracker on the market. Just glad I didn’t get it when it was mainly iOS as it would have been extremely annoying.

Looking forward to seeing its sleep tracking as the Motiv was pretty awful. Thankfully I use Sleep as Android.

Checking for Spy Cameras everywhere…

I recently been tracking a lot of Spycams in hotels and airbnb’s. Yes its currently mainly happening in the east a lot more it seems, but like most technological trends its on the way westward.

It very much reminds me of my experience in the Airbnb in Barcelona. Yes its was a listening device and they did declare it once we were in the flat but its not good enough. Airbnb is the wild west for this.

The spycameras are getting super small and higher quality all the time. For the last year I have been checking my hotel rooms (pre-covid19 when I could travel) with my camera phone and light. I’m not using an app but rather the camera light as my camera sees IR no problem. Theres some quite good tips in this travel site.

By the way, don’t search for “spycameras” on the web, as you will get some questionable results!

Epic games serves up some 1984 on the app stores

 

Epic battle unfolds

Its been a Epic (Pun intended) battle going back and forth for Epic games and the app stores (Apple & Google).

For mobile developers the 30% cut has been a talking point for a long while but the fact you can’t use other payment systems really put the foxes in the hen house. I won’t get into details as there are others which do a much better job. I love this timeline

But I found the Fortnite 1984 trailer absolutely spot on. Pointing directly at Apple and their classic 1984 advert.  Although to be fair like most big companies, Epic isn’t clean in this area but the monopoly & closed doors of the app stores is a big deal. Its very clear Epic games planned the lawsuit, the 1984 and the trigger event in a perfectly planned check move (chess).

Shall we get the popcorn ready for this clash of the titans?

Regardless of what happens, I’m sure mobile developers will massively benefit from Epic pulling the trigger. Of course many other big names have also jumped in behind Epic.

Google silently puts a knife into the Pixel 4

The view of the red moon through my window
Shot on a Google Pixel4 through my living room glass with nothing special

The Google pixel 4A looks like a really good phone and reminds me of the Nexus 5x in price and style. I won’t lie, the battery size and onboard storage certainly impressive compared to the Pixel4.

I’m still impressed with the Pixel4’s camera and its still good for me so far. But I noticed its currently leaving me with 50% battery at the end of the day. Its ok but remember I’m not really going out much at the moment. No idea what it would be like when I’m out and about again?

Its clear to me, that although I like the Pixel range, I would go for something like the One plus phone next time around. I mean look at the Pixel4a vs the Oneplus Nord?

One decision I have made is I will most likely this time around fit a new battery in the next 9 months. No idea why I didn’t do it for the Pixel2.

 

Why NHS’s world-beating app was always a going to be awful but 10+ million!

Contact tracing api
Photo by Mika Baumeister on Unsplash

Even if you forget the thoughts are coming from a ex-googler who has interests elsewhere this blog is pretty damming and I  can imagine how the NHS really bought their own nonsense about it being world beating. Of course in the end they had to back pedal and use the Google & Apple decentralised contact tracing api.

But there are parts even I was shocked at…

It worked 4% of the time.

Thats not even funny, its not just unreliable but a total waste of time. Even if thats exaggerated, double would still be a bad joke at 8%

The British effort did find workarounds that most other developers could not: They used “keepalives” (messages sent by one device to another) to circumvent restrictions on having apps in the background on iOS. Notifications were sent between two Apple devices running the app to keep the connection between the devices alive and therefore having the ability to detect each other’s keys. The NHS tried to develop with a hacker’s mentality and shared its progress through its GitHub page.

There is a reason why keepalives are a bad idea, battery is one of the number one reasons why people find their smartphones deeply frustrating. Having a app keeping the system awake is just a terrible news. Although I assume as most people are staying at home, they will be closer to a charger at least

in May it was reported by the Financial Times that the British government was simultaneously exploring a solution with Apple and Google’s decentralized system as a backup, indicating that, even within the government, there were doubts that the centralized effort could work.

And this is when I heard they were testing both systems, leading to the fact they were going to drop the centralised app soon. This would be fine but…

The development of the app has taken months and cost millions of pounds from taxpayers…

…around $15 million spent…

I have no words to sum how I feel about the UK government throwing this money down the drain in the middle of a pandemic where people are losing their jobs and dying. Its not just wasteful, its incredibly disgraceful and pretty much sums up the UK government right now.

Signal what are you up to?

I love Signal and never used Whatsapp because of many reasons included in this great opinion piece. Its gotten better and better but the recent pin number is a worry. I’m not the only one.

“Notably, things we don’t have stored include anything about a user’s contacts (such as the contacts themselves, a hash of the contacts, any other derivative contact information), anything about a user’s groups (such as how many groups a user is in, which groups a user is in, the membership lists of a user’s groups), or any records of who a user has been communicating with,” Signal wrote in 2016.

That, according to critics, has now changed.

“They should have a dumb network that knows nothing because it can’t be compromised then,” The Grugq told Motherboard. “[Having contacts] is a lot. It isn’t messages, sure. But I don’t like it. I don’t want them to have anything. Make the networks dumb and the clients smart.”

I do understand why they have done it, but I don’t know where its going next. Marlnspike (head dev of Signal) replies.

Marlinspike defended the decision to enable PINs and give users a way to migrate to a new device and keep certain data, and will increase the security of users’ metadata, “new features Signal users have been asking for.”

“The purpose of PINs is to enable upcoming features like communicating without sharing your phone number. When that is released, your Signal contacts won’t be able to live in the address book on your phone anymore, since they may not have phone numbers associated with them,” Marlinspike told Motherboard. “For most users, this also increases the security of their metadata. Most people’s address book is syncing with Google or Apple, so this change will prevent Google and Apple from having access to your Signal contacts.”

Smartphone use
Photo by Gilles Lambert on Unsplash

The changes Signal has made show how there can be a tension between messenger usability and feature set and security. It’s too early to say whether you should stop using the messenger. For most users’ threat models, it’s still one of the best options. But one of the key things that set Signal apart—that it collects almost no information about its users, appears to be changing.

Convenience is the enemy of security and I would say privacy. I wouldn’t be surprised if signal gets forked.

It was always clear to me Twitter direct messages was never secure in anyway, hence why I tried to move private conversations over to another medium. If thats not email or signal what else? Recently I have been looking at a couple others…

Session which is decentralised messaging and Criptext, which is actually secure email. Both need work but have decent security.

Curve cards are temporarily suspended

The Curve Card

Bad news, with all the joy I have had using my curve card. I was slightly shocked to see this email from Curve yesterday. To be fair I thought it was a phishing email till I checked the site myself and looked at the twitter account.

YOUR CURVE CARD IS TEMPORARILY SUSPENDED – PLEASE CARRY A BACK-UP

Dear Curve Customers,

Your Curve card and all associated Curve transaction and money transfer services will be temporarily suspended with immediate effect. Please be assured, we expect to be up and running again shortly but it may take a few days. Your money and card details held at Curve are safe and secure.

This has happened because the Financial Conduct Authority* has this morning suspended its permission for Wirecard Card Solutions Limited (the company who currently issues Curve Cards) to operate, without prior notice. This action is not related to Curve – but Curve currently depends on Wirecard for operation of the Curve card.

We are already well on the way to migrating away from Wirecard but have not fully completed this process. We are now working round the clock to achieve the migration as quickly as possible and therefore expect this disruption to last for only a limited period of time.

We will continue to communicate the details of what this means for you during this interim period.

For now, please carry a backup card.

We’ll be back,
Team Curve

*Curve currently relies on Wirecard Card Solutions Limited for all its financial transactions. Until we fully migrate, we are impacted by this suspension (as are all Wirecard’s other clients to whom they provide financial transaction services).

Hopefully they can get it up and going soon, as I couldn’t remember my pin for my old card.

The Houseparty is over, time for the GDPR to kick in the front door?

houseparty gdpr request email

I requested my GDPR personal data from Houseparty/Epic games over a 2 months ago when I signed up under my spam email and slight social pressure from friends. I read the privacy policy and almost spat out my tea.

However I found I could use houseparty in a clean browser (chromium) – app.houseparty.com. as there was absolutely no way I was going to install the app on my pixel phone. After trying to play a game with friend I found the video worked but not the actual game.

As we moved on to using boardgamearena.com. I decided I wanted to delete my account and got interested to know how much data they had collected about me in my short time in houseparty.

Outcomes my GDPR request, I send it to data-requests@lifeonair.com and nothing. I resend it to support@houseparty.com and get my response. Back and forth then finally…

Houseparty Support

May 08, 2020, 20:46 +0100

Hello Ian,

Thank you for your response.

I’m glad that you’ve reached us regarding your request. We received your data request. Our team is working on pulling the data, and you will receive your data within 30 days.

Please feel free to contact us if you need any further assistance.

Regards,
Romeo Tango

As you see can see the date of May 8th was 34 days ago and yes I get Covid19 but I’m not expecting the much data back. Unless there is a ton coming my way?

Either way I’m annoyed at being messed around at the start and also them not taking it seriously. I’m still not convinced Romeo Tango is real to be honest.

ICO submission

So enough, I’ll let the ICO deal with it all.

 

Immediate Action Required! Your SpiderOak One account will be canceled?

Spideroak logo

I received an email the other day. It looked like a classic phishing attack, except there was no link to fix the problem…

Your account is in violation of our terms of service

Hello. This is ************* from SpiderOak’s support team. I’m writing to inform you that your account is in violation of our Terms of Service immediate action is needed on your part.

Because of the amount of data stored in your account or the type of data you are storing, your account is negatively affecting the accounts of other SpiderOak users. Because of this it will be necessary to close your current account.

We realize this is sudden and we want to do what we can to help you.
We have two options to offer to help you move forward:

1. A 5 TB account at the same price as your existing account. If you choose this option a member of our support team will help you set up a new account, transfer your billing information, and place the new account on a 5 TB plan at the correct price.

2. Cancellation and a full refund of your most recent payment. If you choose this option our support team will set up a refund as soon as we hear from you.

If we don’t hear from you by the end of this week we will lock your account while retaining your data for a grace period of 14 days. At the end of the grace period if we still have not heard back from you your account will be canceled.

You can contact us by replying to this email, or by writing to support@spideroak.com. Please contact us as soon as possible so we can help you move to one of the options I mentioned.

Thanks,
**************
Customer Success

The first thing I did was check my account directly and then replied with this…

Hello ************* and support

To check this isn’t a phishing attack can you tell me the name of the device and how much data is currently stored?

I’m keen to resolve this but it strikes as a phishing attack.

It felt like a phishing attack and since I have seen a bunch of new data dumps, you could hardly blame me.

But once I could verify everything I suggested removing some of my older computer backups after seeing this. This fell on deaf ears.

Unfortunately that isn’t an option. Your account has been using excessive resources, which has caused issues for a number of other users on the same server cluster as you. Because of the No Knowledge nature of our product we can’t tell you exactly what is causing the issue. I’m sorry that I don’t have more details for you.

The two options I can offer you are moving to a new 5 TB account (at your current payment price, normally it is a $320 / year plan) or cancellation and a refund. You won’t be able to keep your current account.

Spideroak account

Note in option 1,  if I pay more money I could still upload the same files to Spideroak!!! Something is fishy here. Either theres a problem with my files or not. I get the zero-knowledge issue but something doesn’t add up.

Frankly I’m pretty peed off about this all. I’m not the only one either, a few searches later I found others who have had similar emails.

Spideroak a while ago stopped their unlimited option and it feels like this the nail in the coffin by removing all the unlimited users?!

I guess its been a good but I have been thinking about switching since Spideroak is American based, the change to the warranty canary and finally something which has always bugged me – No two factor auth!

Suggestions for places to store my backup data which is also zero-knowledge or I could client side encrypt it before uploading if needed.

Motiv ring sold to the corporate world

My Motiv ring on my hand

This was a surprise…Motiv smart ring gets bought – and will stop selling to consumers

It seems the world of consumer wearables has lost Motiv – the smart ring company that’s been an underdog hit in the world of wearable technology.

The company isn’t dead – but it’s being bought by Proxy – a digital authentication start-up that sees potential in using Motiv’s technology in enterprise. As a result of the buyout, Motiv will cease selling its smart ring device through consumer channels, and there’s no word of how long devices will be supported.

Motiv started life back in 2017 as an activity tracking smart ring that put its focus on active minutes rather than simple step counting, with a heart rate sensor on board.

But its feature set widened over the years. In 2018 a second generation landed that put its focus on biometric security – and these are the features that will have interested Proxy.

Likely explains why they returned the full price of my ring a while?

I lost all trust for Zoom yesterday…

British PM on Zoom
Wonder how many people have tried to dial into that zoom id?

Yesterday I was on a zoom call which was hijacked or zoombombed with something not just horrible but totally illegal. Because of this I have pretty much lost all trust in zoom.

This is of course very difficult as its what we use at work and of course being in the middle of the covid19 lockdown, makes things tricky. Because of this, I’m going to still use it but with much more caution and I’m going to be a lot more forceful about the hosting side of it.

Its clear war-dialers for public Zoom meetings is so easy and well used by inscrutable groups of people. Zoom could make sharable links much more difficult to war dial, similar to the way Google docs uses combinations of characters and numbers to make a much longer url, a lot harder to war-dial.

The defaults of Zoom, is setup for a semi trusted corporate environment. I understand the covid-19 pandemic changed everything but there has been many updates and only now is the defaults only just safe. Their share prices have rocketed but they are only now focused on security ahead of more features?

Their idea of end to end encryption is a total dump on top of the security findings saying some calls are being routed via China.. Today they announce you can choose your routing but you need to pay for it. More governments and companies are blocking zoom because they just don’t trust it.

Likewise neither do I… but I will use it… with caution.

I have been thinking about an equivalent, and thought about two.

  1. I lost trust in Facebook a long while ago but still use it for volleyball events and the occasional post about something I feel could be important for friends, family and the public who don’t read my blog (as its posted on the internet already, I post publicly adopting the indieweb Posse approach, much to the surprise of some friends). For example I posted what happened on zoom yesterday there today.
    Facebook was hardly trustworthy to start with and over and over again they took the living daylights with our data.
  2. There was a point when Windows Vista pushed as the step/edition of Windows XP and I didn’t like what Microsoft had done to it. To be fair I didn’t trust them and saw shadows of where things were heading. So I switched to Ubuntu.I know the new Microsoft is quite different of course but the damage was done.

If you are hosting a Zoom call, please do lock it down theres a number of guides to help including this one.

Only 5 months later and face unlock is fixed

Its one of those things which I wasn’t happy about with my Pixel4. Who on earth over looked the fact you could use the face unlock without your eyes open! It doesn’t take a lot to think about the abuses including spouses with trust issues.

Finally over the last few days Google rolled out a fix which requires your eyes open if you enable it! Only 5 moths later

It was the first thing I did when I installed the update. Till that point I’ve been enabling lockdown mode when going through sensitive areas like airport security